Edit tour

Windows Analysis Report
4a9OE5cKJo.exe

Overview

General Information

Sample Name:	4a9OE5cKJo.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	84cc4306c04df6e4d2f0431f538e6612c2bf72ee57d0bac23ed3a19936b3ed73
Analysis ID:	1299135
MD5:	9652452e6863bfcb4fb2c1c20702ca7f
SHA1:	698dce4f4d06fafa486a0ac8c4d3913c249e429c
SHA256:	84cc4306c04df6e4d2f0431f538e6612c2bf72ee57d0bac23ed3a19936b3ed73
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	32
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to get notified if a device is plugged in / out

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

EXE planting / hijacking vulnerabilities found

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

DLL planting / hijacking vulnerabilities found

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Found evasive API chain checking for process token information

Installs a global mouse hook

Potential key logger detected (key state polling based)

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

4a9OE5cKJo.exe (PID: 5260 cmdline: C:\Users\user\Desktop\4a9OE5cKJo.exe MD5: 9652452E6863BFCB4FB2C1C20702CA7F)

zlogger.exe (PID: 5284 cmdline: C:\Users\Public\Pictures\Picture\zlogger.exe --version MD5: BB63FD178AFFCCAAB180BCE1689157CE)

conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 5912 cmdline: C:\Windows\system32\WerFault.exe -u -p 5260 -s 940 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x65d06:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_5c38878d	unknown	unknown	0x6645d:$a: 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1
00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x65926:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_5c38878d	unknown	unknown	0x6607d:$a: 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\Pictures\Picture\libwim-15.dll

Avira: detection malicious, Label: TR/Rozena.rxfwi

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Pictures\Picture\libwim-15.dll

ReversingLabs: Detection: 25%

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

EXE: C:\Users\Public\Pictures\Picture\zlogger.exe

Jump to behavior

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: C:\Users\Public\Pictures\Picture\libwim-15.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: bcrypt.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: wldp.DLL	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: WINMM.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: SspiCli.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: mscoree.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: amsi.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: WINMMBASE.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: WININET.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: USERENV.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: xinput1_4.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: CRYPTSP.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: winnlsres.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: DEVOBJ.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: CRYPTBASE.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: DPAPI.DLL	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: HID.DLL	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

EXE: C:\Users\Public\Pictures\Picture\zlogger.exe

Jump to behavior

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: C:\Users\Public\Pictures\Picture\libwim-15.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: bcrypt.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: wldp.DLL	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: WINMM.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: SspiCli.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: mscoree.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: amsi.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: WINMMBASE.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: WININET.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: USERENV.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: xinput1_4.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: CRYPTSP.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: winnlsres.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: DEVOBJ.dll	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: CRYPTBASE.DLL	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	DLL: DPAPI.DLL	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	DLL: HID.DLL	Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 82.156.94.47:443 -> 192.168.2.3:49720 version: TLS 1.2

PE / OLE file has a valid certificate

Source: 4a9OE5cKJo.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 4a9OE5cKJo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Contains functionality to get notified if a device is plugged in / out

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A3EFE20 SystemParametersInfoW,SystemParametersInfoW,MapVirtualKeyW,ToUnicode,ToUnicode,WideCharToMultiByte,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,RtlVerifyVersionInfo,SetProcessDPIAware,SetProcessDPIAware,CreateWindowExW,ShowWindow,RegisterDeviceNotificationW,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,

0_2_00007FF62A3EFE20

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3EDDF0 GetVersionExA,SetProcessMitigationPolicy,RtlAdjustPrivilege,GetCurrentProcess,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,NtQueryInformationProcess,NtSetInformationProcess,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,FindClose,CoTaskMemFree,CreateProcessA,MessageBoxA,MessageBoxA,_invalid_parameter_noinfo_noreturn,		0_2_00007FF62A3EDDF0
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40D078 FindFirstFileExW,		0_2_00007FF62A40D078

Networking

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52
Source: unknown	TCP traffic detected without corresponding DNS query: 62.234.23.52

Source: 4a9OE5cKJo.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 4a9OE5cKJo.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: zlogger.exe, 00000001.00000003.399019248.000000000078B000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 4a9OE5cKJo.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 4a9OE5cKJo.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 4a9OE5cKJo.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000000.369695921.0000000000417000.00000002.00000001.01000000.00000004.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://gnu.org/licenses/gpl.html
Source: 4a9OE5cKJo.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 4a9OE5cKJo.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: 4a9OE5cKJo.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642958779.0000000003B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52/
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52/LU(
Source: zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.000000000077E000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.000000000075C000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52/api/v1/nsquery
Source: zlogger.exe, 00000001.00000002.642649000.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52/api/v1/nsquerydN
Source: zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52/api/v1/nsquerye
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52/ngs
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52/ngss~
Source: zlogger.exe, 00000001.00000002.642649000.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642958779.0000000003B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443/api/v1/nsquery
Source: zlogger.exe, 00000001.00000002.642958779.0000000003B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443/api/v1/nsquery&
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443/api/v1/nsquery8
Source: zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443/api/v1/nsqueryA
Source: zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443/api/v1/nsqueryom
Source: zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443/api/v1/nsreport
Source: zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:443/api/v1/nsreportE
Source: zlogger.exe, 00000001.00000002.642649000.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://62.234.23.52:44343loud.com
Source: 4a9OE5cKJo.exe	String found in binary or memory: https://baidu.com/x/2/page
Source: zlogger.exe, 00000001.00000002.642649000.0000000000738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-1319693778.cos.ap-beijing.myqcloud.com/
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000003.399019248.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000003.399019248.000000000078B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.log
Source: zlogger.exe, 00000001.00000003.399019248.000000000078B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.log(
Source: zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.log9
Source: 4a9OE5cKJo.exe, 00000000.00000003.369724082.000002A435781000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.643635419.00007FFC1B9DA000.00000002.00000001.01000000.00000005.sdmp, libwim-15.dll.0.dr	String found in binary or memory: https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.logMyAppRtlEnterCriticalSectionRtlLeaveCr
Source: zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.logk
Source: zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.logl
Source: 4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000000.369695921.0000000000417000.00000002.00000001.01000000.00000004.sdmp, zlogger.exe.0.dr	String found in binary or memory: https://wimlib.net/forums/.
Source: zlogger.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown

DNS traffic detected: queries for: cdn-1319693778.cos.ap-beijing.myqcloud.com

Source: global traffic

HTTP traffic detected: GET /service.log HTTP/1.1User-Agent: MyAppHost: cdn-1319693778.cos.ap-beijing.myqcloud.comCache-Control: no-cache

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 82.156.94.47:443 -> 192.168.2.3:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a DirectInput object (often for capturing keystrokes)

Source: 4a9OE5cKJo.exe

Binary or memory string: DirectInput8Create

Installs a raw input device (often for capturing keystrokes)

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A3F3520 GetPropW,EnableNonClientDpiScaling,DefWindowProcW,GetRawInputData,GetRawInputData,DefWindowProcW,

0_2_00007FF62A3F3520

Installs a global mouse hook

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dll

Jump to behavior

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A3F31E0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_00007FF62A3F31E0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown

Yara signature match

Source: 00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13

One or more processes crash

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5260 -s 940

Detected potential crypto function

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3EFE20	0_2_00007FF62A3EFE20
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3EDDF0	0_2_00007FF62A3EDDF0
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40EB64	0_2_00007FF62A40EB64
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3F4C30	0_2_00007FF62A3F4C30
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A402438	0_2_00007FF62A402438
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A404C6C	0_2_00007FF62A404C6C
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A408504	0_2_00007FF62A408504
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40197C	0_2_00007FF62A40197C
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3FD140	0_2_00007FF62A3FD140
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A405B34	0_2_00007FF62A405B34
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A411AD0	0_2_00007FF62A411AD0
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A4097BC	0_2_00007FF62A4097BC
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3F1080	0_2_00007FF62A3F1080
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40D078	0_2_00007FF62A40D078
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A4100B4	0_2_00007FF62A4100B4
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40A054	0_2_00007FF62A40A054
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3F15A0	0_2_00007FF62A3F15A0
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40C55C	0_2_00007FF62A40C55C
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A401DD4	0_2_00007FF62A401DD4
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40BDC4	0_2_00007FF62A40BDC4
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A4136AC	0_2_00007FF62A4136AC
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40CE6C	0_2_00007FF62A40CE6C
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3FEEF4	0_2_00007FF62A3FEEF4
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_00403C40	1_2_00403C40
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_00412050	1_2_00412050
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_00413DC0	1_2_00413DC0
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_0040F5B0	1_2_0040F5B0
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_00411B80	1_2_00411B80
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_004147B0	1_2_004147B0
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_03B271D2	1_2_03B271D2
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_03B2697A	1_2_03B2697A
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_03B26D9A	1_2_03B26D9A
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_03B25D52	1_2_03B25D52
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_03B2765A	1_2_03B2765A
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042C0716	1_2_042C0716
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042D502C	1_2_042D502C
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042B9D60	1_2_042B9D60
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042B9550	1_2_042B9550
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042B9990	1_2_042B9990
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042B2200	1_2_042B2200
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042C0E02	1_2_042C0E02
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042BC248	1_2_042BC248
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042D52B0	1_2_042D52B0
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042B86F0	1_2_042B86F0
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042B5720	1_2_042B5720
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042B1F50	1_2_042B1F50
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_042E07F0	1_2_042E07F0

Found potential string decryption / allocating functions

Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: String function: 00401650 appears 45 times
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: String function: 004023A0 appears 45 times
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: String function: 004024D0 appears 82 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A3EDDF0 GetVersionExA,SetProcessMitigationPolicy,RtlAdjustPrivilege,GetCurrentProcess,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,NtQueryInformationProcess,NtSetInformationProcess,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,FindClose,CoTaskMemFree,CreateProcessA,MessageBoxA,MessageBoxA,_invalid_parameter_noinfo_noreturn,

0_2_00007FF62A3EDDF0

Sample file is different than original file name gathered from version info

Source: 4a9OE5cKJo.exe	Binary or memory string: OriginalFilename vs 4a9OE5cKJo.exe
Source: 4a9OE5cKJo.exe, 00000000.00000000.369114042.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstalle.exe> vs 4a9OE5cKJo.exe
Source: 4a9OE5cKJo.exe, 00000000.00000003.369724082.000002A4357C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibwim-15.dll4 vs 4a9OE5cKJo.exe
Source: 4a9OE5cKJo.exe	Binary or memory string: OriginalFilenameInstalle.exe> vs 4a9OE5cKJo.exe

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

File read: C:\Users\user\Desktop\4a9OE5cKJo.exe

Jump to behavior

Source: 4a9OE5cKJo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4a9OE5cKJo.exe C:\Users\user\Desktop\4a9OE5cKJo.exe
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Process created: C:\Users\Public\Pictures\Picture\zlogger.exe C:\Users\Public\Pictures\Picture\zlogger.exe --version
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5260 -s 940
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Process created: C:\Users\Public\Pictures\Picture\zlogger.exe C:\Users\Public\Pictures\Picture\zlogger.exe --version	Jump to behavior

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

File created: C:\Users\Public\Pictures\Picture

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER69D2.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.winEXE@5/8@1/2

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A3EFB90 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF62A3EFB90

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5260
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01

Source: zlogger.exe	String found in binary or memory: %ls --help %ls --version
Source: zlogger.exe	String found in binary or memory: %ls --help %ls --version
Source: zlogger.exe	String found in binary or memory: %ls --help %ls --version
Source: zlogger.exe	String found in binary or memory: %ls --help %ls --version

Source: C:\Users\Public\Pictures\Picture\zlogger.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

PE file has a high image base, often used for DLLs

Source: 4a9OE5cKJo.exe

Static PE information: Image base 0x140000000 > 0x60000000

Submission file is bigger than most known malware samples

Source: 4a9OE5cKJo.exe

Static file information: File size 1084632 > 1048576

PE / OLE file has a valid certificate

Source: 4a9OE5cKJo.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: 4a9OE5cKJo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4a9OE5cKJo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4a9OE5cKJo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4a9OE5cKJo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4a9OE5cKJo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4a9OE5cKJo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 4a9OE5cKJo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: 4a9OE5cKJo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Source: 4a9OE5cKJo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4a9OE5cKJo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4a9OE5cKJo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4a9OE5cKJo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4a9OE5cKJo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\Pictures\Picture\zlogger.exe

Code function: 1_2_042B82E1 push ebp; iretd

1_2_042B82E2

PE file contains sections with non-standard names

Source: 4a9OE5cKJo.exe	Static PE information: section name: _RDATA
Source: zlogger.exe.0.dr	Static PE information: section name: /4
Source: zlogger.exe.0.dr	Static PE information: section name: .xdata
Source: libwim-15.dll.0.dr	Static PE information: section name: _RDATA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A3F0890 GetModuleHandleExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_00007FF62A3F0890

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	File created: C:\Users\Public\Pictures\Picture\libwim-15.dll			Jump to dropped file
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	File created: C:\Users\Public\Pictures\Picture\zlogger.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

0_2_00007FF62A3F0890

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for process token information

Source: C:\Users\Public\Pictures\Picture\zlogger.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-24989

Found large amount of non-executed APIs

Source: C:\Users\Public\Pictures\Picture\zlogger.exe

API coverage: 2.0 %

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3EDDF0 GetVersionExA,SetProcessMitigationPolicy,RtlAdjustPrivilege,GetCurrentProcess,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,NtQueryInformationProcess,NtSetInformationProcess,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,FindClose,CoTaskMemFree,CreateProcessA,MessageBoxA,MessageBoxA,_invalid_parameter_noinfo_noreturn,		0_2_00007FF62A3EDDF0
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A40D078 FindFirstFileExW,		0_2_00007FF62A40D078

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: zlogger.exe, 00000001.00000002.642649000.0000000000768000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: zlogger.exe, 00000001.00000002.642649000.0000000000768000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.0000000000710000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A3FCB74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF62A3FCB74

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

0_2_00007FF62A3F0890

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A40E2EC GetProcessHeap,

0_2_00007FF62A40E2EC

Enables debug privileges

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Pictures\Picture\zlogger.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3F6914 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	0_2_00007FF62A3F6914
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3FCB74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF62A3FCB74
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3F6F44 SetUnhandledExceptionFilter,	0_2_00007FF62A3F6F44
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3F7128 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF62A3F7128
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: 0_2_00007FF62A3F6D60 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF62A3F6D60
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_00401190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,malloc,memcpy,_initterm,GetStartupInfoW,exit,	1_2_00401190
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_00415551 SetUnhandledExceptionFilter,	1_2_00415551
Source: C:\Users\Public\Pictures\Picture\zlogger.exe	Code function: 1_2_0042567C SetUnhandledExceptionFilter,	1_2_0042567C

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: EnumSystemLocalesW,	0_2_00007FF62A4109A4
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: EnumSystemLocalesW,	0_2_00007FF62A410A74
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF62A410B0C
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: try_get_function,GetLocaleInfoW,	0_2_00007FF62A40AAF8
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: GetLocaleInfoW,	0_2_00007FF62A410F60
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF62A41108C
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: GetLocaleInfoW,	0_2_00007FF62A410D58
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF62A410EB0
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: EnumSystemLocalesW,	0_2_00007FF62A40A654
Source: C:\Users\user\Desktop\4a9OE5cKJo.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF62A410658

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A40B430 cpuid

0_2_00007FF62A40B430

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

Code function: 0_2_00007FF62A40AB7C try_get_function,GetSystemTimeAsFileTime,

0_2_00007FF62A40AB7C

Source: C:\Users\user\Desktop\4a9OE5cKJo.exe

0_2_00007FF62A3EDDF0

Source: C:\Users\Public\Pictures\Picture\zlogger.exe

Code function: 1_2_042CA8D0 GetUserNameA,

1_2_042CA8D0

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.5.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	2 DLL Search Order Hijacking	1 Process Injection	1 Masquerading	41 Input Capture	1 System Time Discovery	Remote Services	41 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	2 DLL Search Order Hijacking	1 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 DLL Search Order Hijacking	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	23 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4a9OE5cKJo.exe	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Pictures\Picture\libwim-15.dll	100%	Avira	TR/Rozena.rxfwi
C:\Users\Public\Pictures\Picture\libwim-15.dll	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Pictures\Picture\zlogger.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://62.234.23.52:44343loud.com	0%	Avira URL Cloud	safe
https://62.234.23.52/	0%	Avira URL Cloud	safe
https://62.234.23.52:443/api/v1/nsreportE	0%	Avira URL Cloud	safe
https://62.234.23.52/api/v1/nsquerye	0%	Avira URL Cloud	safe
https://62.234.23.52/api/v1/nsquery	0%	Avira URL Cloud	safe
https://62.234.23.52:443/api/v1/nsqueryom	0%	Avira URL Cloud	safe
https://62.234.23.52:443/api/v1/nsquery&	0%	Avira URL Cloud	safe
https://62.234.23.52/ngs	0%	Avira URL Cloud	safe
https://62.234.23.52:443	0%	Avira URL Cloud	safe
https://62.234.23.52/ngss~	0%	Avira URL Cloud	safe
https://62.234.23.52:443/api/v1/nsquery8	0%	Avira URL Cloud	safe
https://62.234.23.52:443/api/v1/nsreport	0%	Avira URL Cloud	safe
https://62.234.23.52/api/v1/nsquerydN	0%	Avira URL Cloud	safe
https://62.234.23.52:443/api/v1/nsqueryA	0%	Avira URL Cloud	safe
https://62.234.23.52/LU(	0%	Avira URL Cloud	safe
https://62.234.23.52:443/api/v1/nsquery	0%	Avira URL Cloud	safe
https://wimlib.net/forums/.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bj.file.myqcloud.com	82.156.94.47	true	false		high
cdn-1319693778.cos.ap-beijing.myqcloud.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.log	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://62.234.23.52/api/v1/nsquerye	zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52:443	zlogger.exe, 00000001.00000002.642649000.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52:443/api/v1/nsreportE	zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://baidu.com/x/2/page	4a9OE5cKJo.exe	false		high
https://62.234.23.52/ngss~	zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52/api/v1/nsquery	zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.000000000077E000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.000000000075C000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.0000000000710000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.log9	zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://62.234.23.52:443/api/v1/nsqueryom	zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://62.234.23.52/	zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642958779.0000000003B38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52/ngs	zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52:44343loud.com	zlogger.exe, 00000001.00000002.642649000.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://62.234.23.52:443/api/v1/nsquery&	zlogger.exe, 00000001.00000002.642958779.0000000003B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.logMyAppRtlEnterCriticalSectionRtlLeaveCr	4a9OE5cKJo.exe, 00000000.00000003.369724082.000002A435781000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.643635419.00007FFC1B9DA000.00000002.00000001.01000000.00000005.sdmp, libwim-15.dll.0.dr	false		high
https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.log(	zlogger.exe, 00000001.00000003.399019248.000000000078B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://62.234.23.52:443/api/v1/nsquery8	zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-1319693778.cos.ap-beijing.myqcloud.com/	zlogger.exe, 00000001.00000002.642649000.0000000000738000.00000004.00000020.00020000.00000000.sdmp	false		high
https://62.234.23.52:443/api/v1/nsreport	zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52:443/api/v1/nsqueryA	zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://gnu.org/licenses/gpl.html	4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000000.369695921.0000000000417000.00000002.00000001.01000000.00000004.sdmp, zlogger.exe.0.dr	false		high
https://wimlib.net/forums/.	4a9OE5cKJo.exe, 00000000.00000003.369464268.000002A433F2A000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000000.369695921.0000000000417000.00000002.00000001.01000000.00000004.sdmp, zlogger.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://62.234.23.52:443/api/v1/nsquery	zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642649000.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, zlogger.exe, 00000001.00000002.642958779.0000000003B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52/api/v1/nsquerydN	zlogger.exe, 00000001.00000002.642649000.0000000000710000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://62.234.23.52/LU(	zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.logl	zlogger.exe, 00000001.00000002.642649000.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn-1319693778.cos.ap-beijing.myqcloud.com/service.logk	zlogger.exe, 00000001.00000002.642649000.000000000074D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.234.23.52	unknown	China		45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
82.156.94.47	bj.file.myqcloud.com	China		12513	ECLIPSEGB	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1299135
Start date and time:	2023-08-29 07:40:32 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	4a9OE5cKJo.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	84cc4306c04df6e4d2f0431f538e6612c2bf72ee57d0bac23ed3a19936b3ed73
Detection:	MAL
Classification:	mal64.winEXE@5/8@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 11.9% (good quality ratio 10.4%) Quality average: 56.5% Quality standard deviation: 35.8%
HCA Information:	Successful, ratio: 62% Number of executed functions: 43 Number of non-executed functions: 153

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, g.bing.com, watson.telemetry.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 4a9OE5cKJo.exe

Simulations

Behavior and APIs

Time	Type	Description
07:41:36	API Interceptor	1x Sleep call for process: WerFault.exe modified
07:41:52	API Interceptor	1x Sleep call for process: zlogger.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bj.file.myqcloud.com	1q3HnZAcnJ.exe	Get hash	malicious	Unknown	Browse	82.156.94.45
	word.exe	Get hash	malicious	Unknown	Browse	82.156.94.48
	182cv6Y090.dll	Get hash	malicious	Unknown	Browse	120.53.180.27

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	gHYcrExhwJ.elf	Get hash	malicious	Mirai	Browse	81.70.216.102
	Qz4IsYZanw.elf	Get hash	malicious	Mirai	Browse	188.131.185.106
	cgdDrNG7A1.elf	Get hash	malicious	Mirai	Browse	150.158.255.158
	xSoP4QsJLl.elf	Get hash	malicious	Mirai	Browse	175.26.73.199
	sora.arm.elf	Get hash	malicious	Mirai	Browse	150.158.191.49
	UGCjB3A6fH.elf	Get hash	malicious	Mirai	Browse	118.30.175.244
	kK2ah63zl1.elf	Get hash	malicious	Mirai	Browse	118.89.249.200
	R0a3TfNKXN.elf	Get hash	malicious	Mirai	Browse	150.158.255.152
	sora.arm.elf	Get hash	malicious	Mirai	Browse	152.140.56.220
	z0r0.x86.elf	Get hash	malicious	Mirai	Browse	121.51.1.19
	yourbiggestnightmare.arm7.elf	Get hash	malicious	Mirai	Browse	109.244.173.150
	sora.arm.elf	Get hash	malicious	Mirai	Browse	81.71.190.182
	t0OQ6isTUe.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	118.89.133.137
	d722wDMYzv.elf	Get hash	malicious	Mirai	Browse	94.191.53.147
	M6gGkxJFKz.exe	Get hash	malicious	CobaltStrike	Browse	81.69.249.203
	4E2rcYG9jo.elf	Get hash	malicious	Mirai	Browse	118.89.162.154
	jL1EOxRcVy.elf	Get hash	malicious	Mirai	Browse	94.191.99.66
	ciOC7M8KQB.elf	Get hash	malicious	Mirai	Browse	106.53.12.97
	sora.arm.elf	Get hash	malicious	Mirai	Browse	118.28.71.38
	jNxuWLBlxF.elf	Get hash	malicious	Mirai	Browse	109.244.173.174
ECLIPSEGB	A4gnWDbVX7.elf	Get hash	malicious	Mirai	Browse	82.153.67.168
	NkjSuNWpdT.exe	Get hash	malicious	Nitol	Browse	82.157.254.217
	erEA8f5wbZ.exe	Get hash	malicious	Nitol	Browse	82.157.254.217
	rYEcnN6a6J.elf	Get hash	malicious	Mirai	Browse	213.152.62.185
	5KWp5aDWo8.elf	Get hash	malicious	Mirai	Browse	82.156.253.73
	AEdoxVr3bi.elf	Get hash	malicious	Mirai	Browse	82.153.19.200
	5eXMILb1xn.elf	Get hash	malicious	Mirai	Browse	213.152.62.174
	VRx86.elf	Get hash	malicious	Mirai	Browse	82.156.253.68
	uheiWy8pyD.elf	Get hash	malicious	Mirai	Browse	213.152.62.164
	To7ayMa8sh.elf	Get hash	malicious	Unknown	Browse	91.85.78.216
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	82.156.253.58
	UG2cG1AZz4.elf	Get hash	malicious	Mirai	Browse	91.84.192.4
	aXpsGG2XaP.elf	Get hash	malicious	Mirai	Browse	91.85.31.232
	1q3HnZAcnJ.exe	Get hash	malicious	Unknown	Browse	82.156.94.45
	kTYmDw3kL2.elf	Get hash	malicious	Mirai	Browse	82.157.226.252
	armv6l-20230706-1258.elf	Get hash	malicious	Unknown	Browse	82.156.253.90
	nmUm7F53fC.elf	Get hash	malicious	Mirai	Browse	91.85.78.217
	14MBT6vPRP.elf	Get hash	malicious	Mirai	Browse	82.156.253.98
	Qq18sG6NYz.elf	Get hash	malicious	Mirai	Browse	82.156.253.92
	qy3KRnuJrA.elf	Get hash	malicious	Mirai	Browse	213.152.62.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	PDFViewer_44882564 (1).msi	Get hash	malicious	Unknown	Browse	82.156.94.47
	3 cahier Ile bleue 2023.xlsx	Get hash	malicious	Unknown	Browse	82.156.94.47
	3 cahier Ile bleue 2023.xlsx	Get hash	malicious	Unknown	Browse	82.156.94.47
	3 cahier Ile bleue 2023.xlsx	Get hash	malicious	Unknown	Browse	82.156.94.47
	Orden_de_compra_-_P06672_PDF.exe	Get hash	malicious	GuLoader	Browse	82.156.94.47
	download (17).vbs	Get hash	malicious	Unknown	Browse	82.156.94.47
	N94307_251628_2023-08-28_BC8976924pdf.exe	Get hash	malicious	GuLoader	Browse	82.156.94.47
	CC1eNsOCDq.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	OYGuDyAvhG.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	CC1eNsOCDq.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	cMBkG9Nme3.exe	Get hash	malicious	Unknown	Browse	82.156.94.47
	CVj3khKqLB.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	eB6bGbNNSH.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	CVj3khKqLB.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	cMBkG9Nme3.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	6srcaz6D6M.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	eB6bGbNNSH.exe	Get hash	malicious	Fabookie	Browse	82.156.94.47
	INV.PDF.exe	Get hash	malicious	DarkCloud	Browse	82.156.94.47
	mp3studios_6.exe	Get hash	malicious	Socelars	Browse	82.156.94.47
	mp3studios_92.exe	Get hash	malicious	Socelars	Browse	82.156.94.47

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_4a9OE5cKJo.exe_5d821032eba26e5e17f9a2465f70afed96fa7875_98ba9ed1_17787116\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.947726454220246
Encrypted:	false
SSDEEP:	192:b6hoS7D/43HU4Tt/jwW5/u7s1S274ltZ:eho+DgXU4Tt/jp/u7s1X4ltZ
MD5:	B27289D8D73D49F73E238AC30BA239C2
SHA1:	BA3C12FE6D0288F80CCD295A92CE36D967495108
SHA-256:	9CE288793EDD082AE7EF4AE9A4F80CA6F31C4158BBC816F9F7FEBC62A1CD2D25
SHA-512:	88EB4F3F591222782C9E37E8E7934ABB6CBCF31813BE2CEC079F863666600EA88ED4D01786DB547DFC473B733AFF60B3A6FAD48D45566ACE6DE9FA6A0866F442
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.7.9.3.6.9.4.4.3.2.8.9.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.7.7.9.3.6.9.5.2.1.4.1.4.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.d.2.5.b.e.6.-.b.f.9.b.-.4.4.d.9.-.9.5.5.2.-.c.5.3.f.c.9.0.2.0.2.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.7.d.2.d.d.d.-.b.8.3.9.-.4.d.0.1.-.b.6.0.8.-.e.b.6.1.1.5.8.7.6.6.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.4.a.9.O.E.5.c.K.J.o...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.s.t.a.l.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.c.-.0.0.0.1.-.0.0.2.7.-.4.c.7.a.-.a.d.e.4.8.6.d.a.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.3.9.3.6.3.e.1.b.a.7.c.b.7.f.f.a.5.e.8.5.f.0.2.8.1.7.b.4.0.f.0.0.0.0.0.4.0.8.!.0.0.0.0.6.9.8.d.c.e.4.f.4.d.0.6.f.a.f.a.4.8.6.a.0.a.c.8.c.4.d.3.9.1.3.c.2.4.9.e.4.2.9.c.!.4.a.9.O.E.5.c.K.J.o...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69D2.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Aug 29 14:41:34 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	110404
Entropy (8bit):	1.5022459496143399
Encrypted:	false
SSDEEP:	192:IHmF3EpwR+UcoOcCGwwgg2/po7a0aI8Un4NaK7mIgDNeZDbRfhrLiJNNju:F8dfvnGwZpo+0h8UnGaOE6bhFi7Ni
MD5:	3EFC4D914AAC991D4DC827FC67FAF493
SHA1:	4660B45A7D07C77BB63A90039B40E47794F7EA55
SHA-256:	6BD2B6FB1045FB295D5F1210F1F572954C66D9607C866C4ABB6DB80D9ED9B868
SHA-512:	FC42341EDC233241833FBDBB38E5BBB4409E3F8082280D3376E368B91C826206ECE4A4823A4BAD66F271A179EC90E9393595711FBAF02F4B308C40666AECF0DD
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........d............T...........D...\...........NK..........T.......8...........T............#...............................................................................................U...........B......$.......Lw................k.>...T..............d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B6A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10010
Entropy (8bit):	3.713550547340601
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi+BDH6Yyx3QrMzEGgmfamSivCpDw89bV7JPSpCSDomNkgfT7Hm:RrlsNiAj6YE3QrqgmfamSi6VlPqCoom0
MD5:	CD2FDE0B87172C3D5A3012C565DA650A
SHA1:	6E0C8EEA6B581804E6A52018D7CF208C5691AE85
SHA-256:	4F2A9174B26D5474FDCB56ACAD01E9761C97CF9F00C5077312A2F3606A5B50DF
SHA-512:	2E25EAE323DB22BE825342C00FB2897808DE788957C5FC928DAD33B46FD8434B64A06B840C23C483E1504D39FF03F6D4E1791DA5386AA3BCA667A48A42CD6A4E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BC8.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4816
Entropy (8bit):	4.461713180629362
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtBI957hWgc8sqYjb8fm8M4J1Ajeh7Fnsyq8vbehh+0dAuJNuTd:uITf4rMgrsqY8J1IW+ndN2Td
MD5:	F199C933AA46BE791E4824A66B003B80
SHA1:	11AF8DFD65DC3002EE649B8100B425BE9FFCCE4E
SHA-256:	685293227FC85DC6680C396FEB485299E4350021BD338C963E9797E0CB560388
SHA-512:	C3F793AE43C4A698C5F8594E7C778F514F78C557C75B28F616D889BEDD109700A9756569B01742140F79077195F1684289A5B05D0D0A3E5FC0BCAE8CDE66B4A7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2194552" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\Public\Pictures\Picture\libwim-15.dll

Download File

Process:	C:\Users\user\Desktop\4a9OE5cKJo.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	281088
Entropy (8bit):	6.181911083064269
Encrypted:	false
SSDEEP:	3072:lY+s9O8ItYzq6s236F6t6Sr0yWYbBMSXK+BCOMJg0OSOrmUkoY46pveyzbCibH/R:bsJItUqn28N6dWYbOJ9EOohjy67K
MD5:	40F57EFDE162ABC926C6B0C9C9025E7E
SHA1:	FEDEBC1AB39CD9BB6895A7B3F8407FF4FE17AB94
SHA-256:	251CFA2A6DC4F9C9258F5AC6679AAC24CEB82CA6841A790E97458CCC17DDFE13
SHA-512:	C134DD93321AAC8D10F0FA40DEB279675AE91429EE583421A2E6BBBC1AC91179843865CB0837B439D2891BD9AE636EB9FB6FF07BC9DBE45CB76BD85849D1BA80
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../q.Q/q.Q/q.Qt..P%q.Qt..P=q.Qt..P.q.Q...P!q.Q...P%q.Q...Pcq.Qt..P.q.Qt..P"q.Q/q.Q.q.Q...P-q.Q...P.q.Q..AQ.q.Q/q)Q.q.Q...P.q.QRich/q.Q................PE..d...a..d.........." ...#......&.....d.........................................)...........`.........................................P.................).H....P).."............).T.......8.......................(.......@............................................text...p........................... ..`.rdata..:Q.......R..................@..@.data...<A%......2..................@....pdata..."...P)..$..................@..@_RDATA..\.....)......:..............@..@.rsrc...H.....)......<..............@..@.reloc..T.....)......@..............@..B................................................................................................................................................................................

C:\Users\Public\Pictures\Picture\zlogger.exe

Download File

Process:	C:\Users\user\Desktop\4a9OE5cKJo.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	152080
Entropy (8bit):	6.033340834736862
Encrypted:	false
SSDEEP:	3072:eNScv9gt7ElprSiZgmUs1qbrsErX71wLOp:eNSB7E3rwmXOsErXpwk
MD5:	BB63FD178AFFCCAAB180BCE1689157CE
SHA1:	5F9270D357E366622D4DA1589A31BEBDD2D01AE4
SHA-256:	3B510C14FF2ADF730F796EF534E0B1138EF430E0B1390F31D17A7820E4C4AB8E
SHA-512:	A54EE92E762C8D52382577DB6F6D0AB67705EEBD61C0C302761E35493E503E71DF4DD4E3533B523CE2B1DB079842C437DE634361636B751CF4A19AFEE768A55A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./....#.H....................@............................................... ..............................................P............... ...........:......................................(....................T..8............................text...(F.......H..................`.P`.data........`.......L..............@.P..rdata......p.......N..............@.`@/4..................................@.0..pdata....... ......................@.0@.xdata.......0......................@.0@.bss.........@........................`..idata.......P......................@.0..CRT....h....p......................@.@..tls................................@.@.................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\service[1].log

Download File

Process:	C:\Users\Public\Pictures\Picture\zlogger.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2836039
Entropy (8bit):	4.18810933759387
Encrypted:	false
SSDEEP:	12288:rif5ocg8XFiqhoHEqhFaS28NPUczWO3xhd58SyR5sLLs7yWQfcdkO3jM6EqelKMR:kGDzjItMXb+bL8AWruZ/SS9NmBEuXx
MD5:	563F073B851A36041C5433B18BD08501
SHA1:	BD39CB9339C3C20F97D2C51DE0FC24D6CDFE381F
SHA-256:	E7A4AEF1D59F611B7AB5D4B08F8B60943DB01E342CA0B1CE869A166B09CDCBB9
SHA-512:	DC284E11C91B21C58410AC19BADEEED63A2430E9848652FBF90BC6E28BE5E372654E74DED9DCF2C0289630F49C330E1E5BEC2F2E630511A9E9AF8E08269C1F73
Malicious:	false
Reputation:	low
Preview:	kick..blue..picture..egg..eye..blue..picture..egg..eye..judge..fall..yesterday..man..school..ocean..camera..wind..work..animal..land..rain..func..ghost..guest..sugar..music..usually..life..yearn..java..yesterday..blue..understand..night..oil..king..judge..yard..alone..room..hat..eye..eye..eye..eye..map..kick..voice..pizza..value..fire..ghost..hair..wind..ment..Kanthan..hit..beach..rabbit..land..green..fire..train..face..rest..hope..white..visitor..cloud..jump..cloud..cow..victory..quarter..joy..information..picture..joke..zebra..jacket..joke..offer..nature..top..east..yes..color..issue..while..yellow..question..talk..university..nature..jump..java..book..char..int..friend..oil..taste..day..yellow..boy..boy..unsigned..young..green..machine..order..head..high..array..energy..monkey..kiss..king..queen..kind..visitor..day..short..short..note..order..icon..school..test..person..question..room..key..keep..laugh..winter..one..meal..plant..map..red..easy..warn..test..victory..dog..university..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.374435776167339
Encrypted:	false
SSDEEP:	12288:HlcTQC4Lh9c+g1Ep7yMZK8yrWzte7y/5rmZrmQ0ithr7+i+invToDdp+:FcTQC4Lh9c+g1Eagz
MD5:	CB2EEA63350EA0BA587200EC4832ED7B
SHA1:	7C70A1F535B19103C843A0BC0E5D7BD63DCE8AA1
SHA-256:	4D5FB938A3E944B0A8E982B60ADB56C5209E5D857C2B441991C2145DCD9A065C
SHA-512:	2759626FAE79D9613371691A94E23C1D5F35F3AEC012E3DEE434EB6B43F9EE832EA66469886D989827BF2BEA41F89110AC1296982A80B9C6FE2996B4B74ED5D3
Malicious:	false
Reputation:	low
Preview:	regf........p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.8N................................................................................................................................................................................................................................................................................................................................................H.G.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.106702138127371
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4a9OE5cKJo.exe
File size:	1'084'632 bytes
MD5:	9652452e6863bfcb4fb2c1c20702ca7f
SHA1:	698dce4f4d06fafa486a0ac8c4d3913c249e429c
SHA256:	84cc4306c04df6e4d2f0431f538e6612c2bf72ee57d0bac23ed3a19936b3ed73
SHA512:	94c2e873e8c41ce73de756be3354db4bb1bbf615b4a331afa592332f5ef1f4b38d033840558ebc3f2551e7535238fdf71bede61df61a0e604a8ee75f4895a916
SSDEEP:	24576:trVMSqfnuFiD4GQg2JmTedvip7V+3bNmgKtoKm6v0G1a:trVxsnm3+SAsN/BJka
TLSH:	7D354B9432E3E4C7F513E83AC456F560E564F42CABE13D6F1B88EAA45B11DE00E1F692
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n...............g.......g.......g..t...{s......{s......{s.......g.......g..............Ot.......r.......r8.......P......r.....

File Icon


Icon Hash:	c0d4d5afab636949

Static PE Info

General

Entrypoint:	0x140046aa4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64D9D3CA [Mon Aug 14 07:12:10 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	17f1c6a7e23412a1437c57618bb9a6ad

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	8/23/2021 5:00:00 PM 8/29/2023 4:59:59 PM
Subject Chain	CN=\u6f33\u5dde\u5927\u76db\u8f6f\u4ef6\u6709\u9650\u516c\u53f8, O=\u6f33\u5dde\u5927\u76db\u8f6f\u4ef6\u6709\u9650\u516c\u53f8, L=\u6f33\u5dde\u5e02, S=\u798f\u5efa\u7701, C=CN
Version:	3
Thumbprint MD5:	A41028D4292D0CBC86D5E8A47172E987
Thumbprint SHA-1:	0E1E3A020F05ECDCA98CFB4410A7755645059DF3
Thumbprint SHA-256:	93C99C42C6E76151B128605E542748121434D430CEE40B7AD7459DE5EA8CEE6F
Serial:	0782044CA401E93EDD4C5B52B1CDF68B

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC8C4C9FAC8h
dec eax
add esp, 28h
jmp 00007FC8C4C9F43Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FC8C4C9F5D2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FC8C4C9F5D5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FC8C4C9F5CDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FC8C4C9F5E2h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000BC581h]
jne 00007FC8C4C9F5D2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FC8C4C9F5C3h
ret
dec eax
ror ecx, 10h
jmp 00007FC8C4C9FBB3h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1004dc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10d000	0x18b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x109000	0x28f8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x107c00	0x10d8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10f000	0xc64	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfc2a0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xfc300	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfc160	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x68000	0x4f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66ae4	0x66c00	False	0.2889009276155718	data	6.140154330547015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x68000	0x9958e	0x99600	False	0.5697919850244498	data	7.2097235661698775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x102000	0x650c	0x2200	False	0.22047334558823528	data	3.408757123703961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x109000	0x28f8	0x2a00	False	0.4760044642857143	data	5.542765320264992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x10c000	0x15c	0x200	False	0.404296875	data	3.3446944364441142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x10d000	0x18b8	0x1a00	False	0.8192608173076923	data	7.249844587471112	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10f000	0xc64	0xe00	False	0.45005580357142855	data	5.177955843960203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x10d130	0x139a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9489836588282184
RT_GROUP_ICON	0x10e4d0	0x14	data	Chinese	China	1.05
RT_VERSION	0x10e4e8	0x24c	data	Chinese	China	0.5034013605442177
RT_MANIFEST	0x10e738	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetACP, VerSetConditionMask, FreeLibrary, GetModuleHandleExW, LoadLibraryA, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, QueryPerformanceCounter, QueryPerformanceFrequency, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetThreadExecutionState, SetEndOfFile, HeapSize, ReadConsoleW, ReadFile, FlushFileBuffers, CreateFileW, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExW, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, GetFileType, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleCP, HeapAlloc, HeapFree, WriteFile, GetStdHandle, GetModuleFileNameW, ExitProcess, RtlUnwind, LoadLibraryExW, SetLastError, RtlUnwindEx, RaiseException, RtlPcToFileHeader, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, CreateEventW, InitializeCriticalSectionAndSpinCount, CloseHandle, GetCPInfo, GetStringTypeW, LCMapStringEx, WriteConsoleW, DecodePointer, EncodePointer, InitializeCriticalSectionEx, GetVersionExA, SetProcessMitigationPolicy, CreateProcessA, GetCurrentProcess, GetLastError, FindNextFileW, FindFirstFileW, FindClose, CreateFileA, CreateDirectoryA
USER32.dll	GetRawInputDeviceInfoA, GetRawInputDeviceList, RegisterRawInputDevices, GetRawInputData, MessageBoxA, MonitorFromWindow, LoadImageW, DestroyIcon, LoadCursorW, GetWindowLongW, PtInRect, SetRect, ClipCursor, WindowFromPoint, ScreenToClient, ClientToScreen, GetCursorPos, SetCursor, SetCursorPos, AdjustWindowRectEx, GetClientRect, RemovePropW, GetPropW, ReleaseCapture, SetCapture, GetKeyState, SetWindowLongW, SetWindowPos, RegisterClassExW, UnregisterClassW, DefWindowProcW, GetMessageTime, TrackMouseEvent, EnumDisplayMonitors, GetMonitorInfoW, EnumDisplayDevicesW, EnumDisplaySettingsW, ChangeDisplaySettingsExW, SystemParametersInfoW, MapVirtualKeyW, ToUnicode, ShowWindow, DestroyWindow, CreateWindowExW, UnregisterDeviceNotification, RegisterDeviceNotificationW, PeekMessageW, DispatchMessageW, TranslateMessage
GDI32.dll	CreateRectRgn, SetDeviceGammaRamp, GetDeviceCaps, DeleteDC, CreateDCW, DeleteObject
SHELL32.dll	DragFinish, DragQueryPoint, DragQueryFileW, SHGetKnownFolderPath
ole32.dll	CoTaskMemFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2023 07:41:29.775847912 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:29.775923967 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:29.776029110 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:29.795273066 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:29.795327902 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:33.180545092 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:33.180768967 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:33.183520079 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:33.183655977 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:33.422229052 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:33.422287941 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:33.422894955 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:33.422990084 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:33.425391912 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:33.471482992 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:40.768261909 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:40.768321991 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:40.768363953 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:40.768524885 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:40.768524885 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:40.768580914 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:40.768682003 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:41.391427040 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:41.391520977 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:41.391685009 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:41.391731977 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:41.391774893 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:41.391872883 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:41.391901016 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:41.391926050 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:41.392039061 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.017071009 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.017100096 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.017222881 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.017272949 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.017369032 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.641613960 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.641649961 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.641746998 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.641746044 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.641793013 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.641808033 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.641832113 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.641855955 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.641896963 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.642046928 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.642091036 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.642136097 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.642158985 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.642198086 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.642249107 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.642476082 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.642525911 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.642582893 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.642597914 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:42.642642975 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:42.642682076 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.265489101 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265510082 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265582085 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265712976 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.265743971 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265762091 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.265769958 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265780926 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265815020 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265841961 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.265847921 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265916109 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.265923023 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265948057 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265983105 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.265983105 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.265995979 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.266031981 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.266091108 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.890352011 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.890372992 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.890458107 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.890552044 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.890569925 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.890609026 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.890640020 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.890814066 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.890851021 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.890907049 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.890928030 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.890948057 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.890981913 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.891375065 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.891405106 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.891479015 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.891494036 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:43.891520023 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:43.894069910 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.516633987 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.516690969 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.516817093 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.516885042 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.516922951 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.516952038 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.516966105 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.516993046 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517013073 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517050982 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517072916 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.517151117 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.517174006 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517185926 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.517251968 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517271042 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517518997 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.517568111 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.517623901 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517641068 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.517666101 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.517704010 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.518013954 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.518059969 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.518106937 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.518119097 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.518157005 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.518182993 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.518580914 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.518631935 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.518687963 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.518702984 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.518738985 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.518754959 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.519076109 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.519119978 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.519169092 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.519181967 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.519231081 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.519251108 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.519579887 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.519627094 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.519686937 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.519707918 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:44.519741058 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:44.519763947 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.143533945 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.143572092 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.143647909 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.143737078 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.143757105 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.143796921 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.143838882 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.144078970 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.144103050 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.144145966 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.144153118 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.144175053 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.144201040 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.144670963 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.144705057 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.144731045 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.144736052 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.144767046 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.144793034 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.145221949 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.145245075 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.145288944 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.145296097 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.145339966 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.145833015 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.145854950 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.145905972 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.145912886 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.145961046 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.145977020 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.146445036 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.146466970 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.146517992 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.146523952 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.146572113 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.146589994 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.147053003 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.147078037 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.147133112 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.147140026 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.147176981 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.147197008 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.147635937 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.147656918 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.147705078 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.147710085 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.147751093 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.147773027 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.148247004 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.148267984 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.148315907 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.148323059 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.148358107 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.148379087 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.148884058 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.148905993 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.148955107 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.148961067 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.149013996 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.773988008 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774050951 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774131060 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774218082 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.774247885 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774307013 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.774322987 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774347067 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.774357080 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774393082 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.774427891 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.774801016 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774852037 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774921894 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.774939060 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.774976969 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.774991035 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.775302887 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.775347948 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.775408030 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.775422096 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.775477886 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.775477886 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.775907993 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.775953054 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.776004076 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.776020050 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.776057959 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.776092052 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.776417017 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.776467085 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.776515007 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.776530027 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.776555061 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.776582003 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.776962996 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.777009964 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.777070999 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.777089119 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.777117014 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.777137995 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.777513981 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.777580023 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.777612925 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.777627945 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.777648926 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.777676105 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.777991056 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.778038025 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.778074026 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.778105021 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.778140068 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.778153896 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.778517962 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.778564930 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.778604031 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.778620005 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.778649092 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.778669119 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.779083967 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.779133081 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.779165030 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.779181004 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:45.779206991 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.779241085 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.833240986 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:45.833647013 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.662308931 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662373066 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662552118 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.662585020 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662674904 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.662681103 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662744999 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662789106 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.662834883 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.662844896 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662883043 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662904024 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.662913084 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662947893 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.662956953 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.662991047 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663000107 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663038969 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663089037 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663089037 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663115025 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663156033 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663163900 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663202047 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663213015 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663234949 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663281918 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663326025 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663374901 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663414955 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663427114 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663480997 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663501978 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663520098 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663568020 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663611889 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663626909 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663652897 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663695097 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663703918 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663727999 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663785934 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663816929 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663827896 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663887024 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.663893938 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663918018 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.663966894 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664014101 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664026976 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664076090 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664091110 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664103031 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664135933 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664154053 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664223909 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664236069 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664257050 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664259911 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664299965 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664311886 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664340019 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664376020 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664385080 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664407969 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664462090 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664500952 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664566994 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664612055 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664666891 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664685011 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664720058 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664742947 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664760113 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664773941 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664822102 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664848089 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664880037 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664894104 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664920092 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664961100 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.664966106 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.664989948 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665026903 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665043116 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665071964 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665086031 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665118933 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665158033 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665164948 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665180922 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665235996 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665239096 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665268898 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665287018 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665364981 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665427923 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665498018 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665539026 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665551901 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665575027 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665620089 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665715933 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665780067 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665822029 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665848017 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.665875912 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665915012 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.665965080 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666026115 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666059971 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666074038 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666131973 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666152954 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666261911 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666323900 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666358948 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666376114 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666418076 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666450024 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666544914 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666601896 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666635990 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666651964 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666682005 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666723013 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666790009 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666840076 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666882038 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666894913 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.666958094 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666977882 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.666999102 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667042971 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667087078 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667100906 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667135954 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667172909 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667196989 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667239904 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667288065 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667299986 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667339087 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667371035 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667399883 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667443037 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667486906 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667499065 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667531967 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667551994 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667623043 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667685032 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667706013 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667716026 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667766094 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667798996 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667802095 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667826891 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667886972 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667905092 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667922974 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.667932034 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.667967081 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668005943 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668015957 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668030977 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668076992 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668097973 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668127060 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668142080 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668175936 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668183088 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668236971 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668241024 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668255091 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668270111 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668409109 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668457031 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668554068 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668555021 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668555021 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668555021 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668587923 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668615103 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668653965 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668672085 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668689966 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668698072 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668759108 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668803930 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668842077 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668848991 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668889999 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668939114 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.668956995 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.668984890 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669024944 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669045925 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669090033 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669137001 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669154882 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669188976 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669229031 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669230938 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669250965 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669296980 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669307947 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669333935 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669348955 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669378996 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669415951 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669440985 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669481993 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669526100 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669540882 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669567108 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669608116 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669616938 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669637918 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669689894 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669693947 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669739008 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669750929 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669781923 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669825077 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669826984 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669847965 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669888020 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669905901 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669929028 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.669938087 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.669977903 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670017004 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670022964 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670044899 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670094967 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670106888 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670159101 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670171976 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670197010 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670226097 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670227051 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670248985 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670295954 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670310020 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670340061 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670348883 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670402050 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670427084 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670428038 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670449972 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670500994 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670501947 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670537949 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670555115 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670581102 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670623064 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670639038 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670684099 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670725107 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670737982 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670768023 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670792103 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670814991 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670874119 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670897961 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670912981 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670943022 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.670958996 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670981884 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.670986891 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.671009064 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:47.671031952 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.671077967 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:47.674791098 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.287755966 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.287767887 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.287831068 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.287863970 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.287879944 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.287905931 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.287970066 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.287987947 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288018942 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288086891 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288094044 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288115978 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288147926 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288162947 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288187027 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288233995 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288240910 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288285017 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288304090 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288394928 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288419008 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288458109 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288464069 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.288499117 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.288522959 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.291412115 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.291438103 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.291506052 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.291513920 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.291539907 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.291582108 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.291687965 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.291709900 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.291781902 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.291790009 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.291846037 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.291963100 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292015076 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292045116 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292052031 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292093992 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292114019 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292220116 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292243004 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292289019 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292295933 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292331934 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292366028 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292510986 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292534113 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292577028 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292583942 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292618036 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292637110 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292776108 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292800903 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292856932 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.292864084 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.292912006 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293041945 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293066025 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293109894 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293116093 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293147087 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293170929 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293279886 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293303013 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293345928 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293350935 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293400049 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293544054 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293567896 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293611050 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293616056 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293654919 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293678999 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293807983 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293831110 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293904066 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293909073 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.293939114 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.293973923 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.334762096 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.334830046 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.334866047 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.334877968 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.334949017 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.911523104 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.911542892 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.911638021 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.911724091 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.911752939 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.911775112 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.911791086 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.911811113 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.911827087 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.911838055 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.911864042 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.911900043 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.911940098 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.912091017 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.912111998 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.912192106 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.912205935 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.912290096 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.912379026 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.912400007 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.912456036 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.912468910 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.912503004 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.912540913 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.913502932 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.913527012 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.913614035 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.913644075 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.913707018 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.916589975 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.916611910 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.916671038 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.916699886 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.916740894 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.916759968 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.916862011 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.916883945 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.916950941 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.916971922 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917004108 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917025089 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917171955 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917227030 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917256117 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917278051 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917309046 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917330980 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917433977 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917457104 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917505026 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917522907 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917557955 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917587042 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917757034 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917778969 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917838097 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917864084 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917896986 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917918921 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.917956114 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.917980909 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918023109 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918035984 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918061972 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918082952 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918169975 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918191910 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918237925 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918255091 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918282986 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918303967 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918361902 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918382883 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918436050 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918451071 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918482065 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918504000 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918593884 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918615103 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918656111 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918670893 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918697119 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918711901 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918812037 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918833017 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918876886 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918893099 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.918917894 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.918937922 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.958036900 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.958163023 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.958225012 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.958271027 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.958295107 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:48.958321095 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:48.958362103 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.536993980 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.537010908 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.537122965 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.537159920 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.537194014 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.537219048 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.537277937 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.537516117 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.537542105 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.537616014 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.537642002 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.537664890 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.537702084 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.538037062 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.538058043 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.538120985 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.538139105 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.538167953 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.538187981 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.538508892 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.538532972 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.538588047 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.538603067 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.538634062 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.538654089 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.539025068 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.539048910 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.539114952 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.539134979 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.539165974 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.539187908 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.539587975 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.539614916 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.539685965 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.539704084 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.539726973 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.539764881 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.543178082 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.543278933 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.543335915 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.543355942 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.543379068 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.543418884 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.543674946 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.543697119 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.543781042 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.543806076 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.543831110 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.543874025 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.544209003 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.544230938 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.544302940 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.544322968 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.544349909 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.544378996 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.544723988 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.544747114 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.544836998 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.544851065 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.544877052 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.544934034 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.545248985 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.545270920 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.545345068 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.545361042 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.545391083 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.545420885 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.545742035 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.545767069 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.545825958 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.545842886 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.545871019 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.545892954 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.546221018 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.546245098 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.546329975 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.546343088 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.546377897 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.546391964 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.546658039 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.546681881 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.546737909 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.546756983 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.546823025 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.546844959 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547127962 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547182083 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547220945 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547234058 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547269106 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547300100 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547326088 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547353029 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547411919 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547435045 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547502995 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547502995 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547543049 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547565937 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547646999 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547669888 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.547714949 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.547926903 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.582581997 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.582609892 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.582705975 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.582745075 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:49.582783937 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:49.582814932 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.163597107 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.163614035 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.163717985 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.163827896 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.163857937 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.163893938 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.163922071 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.163996935 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164021969 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164100885 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.164115906 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164143085 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.164201021 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.164468050 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164494038 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164565086 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.164582014 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164628983 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.164648056 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.164889097 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164912939 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.164988041 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.165000916 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.165031910 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.165060043 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.165357113 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.165421009 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.165479898 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.165493011 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.165616035 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.165798903 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.165823936 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.165973902 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.165991068 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.166071892 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.166232109 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.166260004 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.166332960 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.166349888 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.166373014 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.166428089 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.170917034 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.170949936 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171035051 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171063900 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171096087 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171127081 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171305895 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171341896 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171380997 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171394110 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171427011 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171468019 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171639919 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171667099 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171740055 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171756029 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.171789885 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171811104 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.171989918 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172012091 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172056913 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172072887 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172094107 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172122955 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172346115 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172369957 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172415972 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172427893 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172455072 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172482014 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172717094 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172776937 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172800064 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172811031 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.172849894 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.172878027 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173017979 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173038960 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173084974 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173099995 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173129082 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173157930 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173392057 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173418045 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173475981 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173489094 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173518896 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173540115 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173717976 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173767090 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173813105 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173825026 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:50.173852921 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:50.173897982 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416326046 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416342974 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416424036 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416507959 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416529894 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416560888 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416568995 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416579962 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416615009 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416621923 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416656971 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416667938 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416707039 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416724920 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416743994 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416754961 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416769028 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416785955 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416821957 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416851044 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416872025 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416930914 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416944981 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416958094 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416959047 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416980982 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.416991949 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.416997910 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417030096 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417049885 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417063951 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417078018 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417124987 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417143106 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417149067 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417165041 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417181015 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417187929 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417195082 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417201996 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417247057 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417262077 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417278051 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417279005 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417288065 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417319059 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417341948 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417350054 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417356014 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417397976 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417409897 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417432070 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417438030 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417460918 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417460918 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417479038 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417480946 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417493105 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417526007 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417563915 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417565107 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417576075 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417624950 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417642117 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417648077 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417665958 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417686939 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417701960 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417710066 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417742014 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417746067 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417776108 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417778969 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417788982 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417818069 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417848110 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417854071 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417865038 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417898893 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417922020 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417943001 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417946100 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417956114 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.417978048 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.417982101 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418014050 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418045998 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418051004 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418056965 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418091059 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418114901 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418114901 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418126106 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418147087 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418154001 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418168068 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418205023 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418211937 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418222904 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418241978 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418256044 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418256044 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418266058 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418298006 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418304920 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418322086 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418348074 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418355942 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.418373108 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.418399096 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.419348955 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.425242901 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.425268888 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.425339937 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.425354958 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.425384045 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.425410986 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.425631046 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.425656080 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.425692081 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.425700903 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.425724983 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.425746918 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.426320076 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.426347971 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.426390886 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.426399946 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.426433086 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.426455021 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.426918030 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.426944971 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.426980972 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.426990032 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.427001953 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.427015066 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.427030087 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.427036047 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.427077055 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.427100897 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:51.427108049 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.427182913 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.444314957 CEST	49720	443	192.168.2.3	82.156.94.47
Aug 29, 2023 07:41:51.444338083 CEST	443	49720	82.156.94.47	192.168.2.3
Aug 29, 2023 07:41:53.256598949 CEST	49731	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:53.256706953 CEST	443	49731	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:53.257174969 CEST	49731	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:53.257616997 CEST	49731	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:53.257657051 CEST	443	49731	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:54.013717890 CEST	443	49731	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:54.015372992 CEST	49733	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:54.015444994 CEST	443	49733	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:54.015619040 CEST	49733	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:54.017045975 CEST	49733	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:54.017076969 CEST	443	49733	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:54.777215004 CEST	443	49733	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:54.778558016 CEST	49734	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:54.778637886 CEST	443	49734	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:54.778781891 CEST	49734	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:54.779409885 CEST	49734	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:54.779443979 CEST	443	49734	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:55.398612022 CEST	443	49734	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:55.407999992 CEST	49735	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:55.408090115 CEST	443	49735	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:55.408216953 CEST	49735	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:55.408871889 CEST	49735	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:55.408907890 CEST	443	49735	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:59.247021914 CEST	443	49735	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:59.252299070 CEST	49744	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:59.252367973 CEST	443	49744	62.234.23.52	192.168.2.3
Aug 29, 2023 07:41:59.252463102 CEST	49744	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:59.252826929 CEST	49744	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:41:59.252855062 CEST	443	49744	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:00.015225887 CEST	443	49744	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:00.016431093 CEST	49749	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:00.016499043 CEST	443	49749	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:00.016602993 CEST	49749	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:00.017635107 CEST	49749	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:00.017656088 CEST	443	49749	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:00.779946089 CEST	443	49749	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:00.781785965 CEST	49753	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:00.781856060 CEST	443	49753	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:00.782025099 CEST	49753	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:00.783966064 CEST	49753	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:00.783999920 CEST	443	49753	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:01.403990984 CEST	443	49753	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:01.497867107 CEST	49755	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:01.497944117 CEST	443	49755	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:01.498049021 CEST	49755	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:01.498764038 CEST	49755	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:01.498785019 CEST	443	49755	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:05.293802023 CEST	443	49755	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:05.299565077 CEST	49761	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:05.299623966 CEST	443	49761	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:05.299814939 CEST	49761	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:05.300658941 CEST	49761	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:05.300681114 CEST	443	49761	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:06.073863983 CEST	443	49761	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:06.074589014 CEST	49762	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:06.074647903 CEST	443	49762	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:06.074805021 CEST	49762	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:06.075232029 CEST	49762	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:06.075265884 CEST	443	49762	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:37.259602070 CEST	49762	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:37.265358925 CEST	49785	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:37.265430927 CEST	443	49785	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:37.265532017 CEST	49785	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:37.266164064 CEST	49785	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:37.266181946 CEST	443	49785	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:38.062602043 CEST	443	49785	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:38.067325115 CEST	49786	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:38.067409992 CEST	443	49786	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:38.067519903 CEST	49786	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:38.070154905 CEST	49786	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:38.070203066 CEST	443	49786	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:45.955054045 CEST	443	49786	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:45.959971905 CEST	49788	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:45.960027933 CEST	443	49788	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:45.960174084 CEST	49788	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:45.961993933 CEST	49788	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:45.962018013 CEST	443	49788	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:46.588077068 CEST	443	49788	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:46.589262962 CEST	49789	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:46.589349031 CEST	443	49789	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:46.589509964 CEST	49789	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:46.590190887 CEST	49789	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:46.590224981 CEST	443	49789	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:48.373603106 CEST	443	49789	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:48.379249096 CEST	49790	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:48.379318953 CEST	443	49790	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:48.379427910 CEST	49790	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:48.380033970 CEST	49790	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:48.380053997 CEST	443	49790	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:52.029869080 CEST	443	49790	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:52.037234068 CEST	49791	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:52.037313938 CEST	443	49791	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:52.037622929 CEST	49791	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:52.038132906 CEST	49791	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:52.038152933 CEST	443	49791	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:55.815701962 CEST	443	49791	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:56.015405893 CEST	49793	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:56.015494108 CEST	443	49793	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:56.015918970 CEST	49793	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:56.016683102 CEST	49793	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:56.016715050 CEST	443	49793	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:56.796669006 CEST	443	49793	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:56.798054934 CEST	49794	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:56.798100948 CEST	443	49794	62.234.23.52	192.168.2.3
Aug 29, 2023 07:42:56.798187971 CEST	49794	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:56.798775911 CEST	49794	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:42:56.798794985 CEST	443	49794	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:02.432965994 CEST	443	49794	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:02.439785004 CEST	49795	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:02.439867973 CEST	443	49795	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:02.439996004 CEST	49795	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:02.440607071 CEST	49795	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:02.440635920 CEST	443	49795	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:03.217156887 CEST	443	49795	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:03.218097925 CEST	49796	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:03.218156099 CEST	443	49796	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:03.218250036 CEST	49796	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:03.219546080 CEST	49796	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:03.219578028 CEST	443	49796	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:03.987315893 CEST	443	49796	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:03.988568068 CEST	49797	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:03.988615036 CEST	443	49797	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:03.988703966 CEST	49797	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:03.989773989 CEST	49797	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:03.989787102 CEST	443	49797	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:04.609766960 CEST	443	49797	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:04.611191988 CEST	49798	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:04.611244917 CEST	443	49798	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:04.611356974 CEST	49798	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:04.612425089 CEST	49798	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:04.612449884 CEST	443	49798	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:12.483647108 CEST	443	49798	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:12.496516943 CEST	49800	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:12.496577978 CEST	443	49800	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:12.496680021 CEST	49800	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:12.497570992 CEST	49800	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:12.497586012 CEST	443	49800	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:16.292881966 CEST	443	49800	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:16.295380116 CEST	49801	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:16.295423985 CEST	443	49801	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:16.295603991 CEST	49801	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:16.298582077 CEST	49801	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:16.298602104 CEST	443	49801	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:17.099481106 CEST	443	49801	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:17.100603104 CEST	49802	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:17.100663900 CEST	443	49802	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:17.100784063 CEST	49802	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:17.101500988 CEST	49802	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:17.101517916 CEST	443	49802	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:18.892785072 CEST	443	49802	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:18.893932104 CEST	49803	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:18.894001961 CEST	443	49803	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:18.894104958 CEST	49803	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:18.894718885 CEST	49803	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:18.894731998 CEST	443	49803	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:19.520294905 CEST	443	49803	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:19.527292967 CEST	49804	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:19.527363062 CEST	443	49804	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:19.527508974 CEST	49804	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:19.528451920 CEST	49804	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:19.528470993 CEST	443	49804	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:20.150316000 CEST	443	49804	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:20.151520967 CEST	49805	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:20.151606083 CEST	443	49805	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:20.151736021 CEST	49805	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:20.152852058 CEST	49805	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:20.152903080 CEST	443	49805	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:21.969393969 CEST	443	49805	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:21.970781088 CEST	49806	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:21.970875978 CEST	443	49806	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:21.971029043 CEST	49806	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:21.972070932 CEST	49806	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:21.972119093 CEST	443	49806	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:23.785499096 CEST	443	49806	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:23.787409067 CEST	49807	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:23.787484884 CEST	443	49807	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:23.787658930 CEST	49807	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:23.789407969 CEST	49807	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:23.789434910 CEST	443	49807	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:24.552741051 CEST	443	49807	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:24.564330101 CEST	49808	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:24.564445972 CEST	443	49808	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:24.564620018 CEST	49808	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:24.565593958 CEST	49808	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:24.565639973 CEST	443	49808	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:25.322194099 CEST	443	49808	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:25.323333025 CEST	49809	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:25.323386908 CEST	443	49809	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:25.323482037 CEST	49809	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:25.324706078 CEST	49809	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:25.324729919 CEST	443	49809	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:26.094701052 CEST	443	49809	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:26.095769882 CEST	49810	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:26.095827103 CEST	443	49810	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:26.095941067 CEST	49810	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:26.096832037 CEST	49810	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:26.096849918 CEST	443	49810	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:27.579727888 CEST	443	49810	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:27.580867052 CEST	49811	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:27.581007004 CEST	443	49811	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:27.581142902 CEST	49811	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:27.581892014 CEST	49811	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:27.581921101 CEST	443	49811	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:29.208425045 CEST	443	49811	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:29.214396000 CEST	49812	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:29.214467049 CEST	443	49812	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:29.214596987 CEST	49812	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:29.215171099 CEST	49812	443	192.168.2.3	62.234.23.52
Aug 29, 2023 07:43:29.215188026 CEST	443	49812	62.234.23.52	192.168.2.3
Aug 29, 2023 07:43:38.318409920 CEST	49812	443	192.168.2.3	62.234.23.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2023 07:41:29.465276957 CEST	61261	53	192.168.2.3	8.8.8.8
Aug 29, 2023 07:41:29.764486074 CEST	53	61261	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 29, 2023 07:42:27.623109102 CEST	192.168.2.3	8.8.8.8	d034	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2023 07:41:29.465276957 CEST	192.168.2.3	8.8.8.8	0xe627	Standard query (0)	cdn-1319693778.cos.ap-beijing.myqcloud.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2023 07:41:29.764486074 CEST	8.8.8.8	192.168.2.3	0xe627	No error (0)	cdn-1319693778.cos.ap-beijing.myqcloud.com	bj.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2023 07:41:29.764486074 CEST	8.8.8.8	192.168.2.3	0xe627	No error (0)	bj.file.myqcloud.com		82.156.94.47	A (IP address)	IN (0x0001)	false
Aug 29, 2023 07:41:29.764486074 CEST	8.8.8.8	192.168.2.3	0xe627	No error (0)	bj.file.myqcloud.com		82.156.94.48	A (IP address)	IN (0x0001)	false
Aug 29, 2023 07:41:29.764486074 CEST	8.8.8.8	192.168.2.3	0xe627	No error (0)	bj.file.myqcloud.com		82.156.94.13	A (IP address)	IN (0x0001)	false
Aug 29, 2023 07:41:29.764486074 CEST	8.8.8.8	192.168.2.3	0xe627	No error (0)	bj.file.myqcloud.com		82.156.94.17	A (IP address)	IN (0x0001)	false
Aug 29, 2023 07:41:29.764486074 CEST	8.8.8.8	192.168.2.3	0xe627	No error (0)	bj.file.myqcloud.com		82.156.94.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn-1319693778.cos.ap-beijing.myqcloud.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49720	82.156.94.47	443	C:\Users\Public\Pictures\Picture\zlogger.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-29 05:41:33 UTC	0	OUT	GET /service.log HTTP/1.1 User-Agent: MyApp Host: cdn-1319693778.cos.ap-beijing.myqcloud.com Cache-Control: no-cache
2023-08-29 05:41:40 UTC	0	IN	HTTP/1.1 200 OK Content-Type: text/plain Content-Length: 2836039 Connection: close Accept-Ranges: bytes Date: Tue, 29 Aug 2023 05:41:40 GMT ETag: "563f073b851a36041c5433b18bd08501" Last-Modified: Sun, 13 Aug 2023 15:17:13 GMT Server: tencent-cos x-cos-hash-crc64ecma: 7122124251954580654 x-cos-request-id: NjRlZDg1MTNfNTVjZjM4MGJfMmQ1ODJfMmRlYzgy
2023-08-29 05:41:40 UTC	0	IN	Data Raw: 6b 69 63 6b 0d 0a 62 6c 75 65 0d 0a 70 69 63 74 75 72 65 0d 0a 65 67 67 0d 0a 65 79 65 0d 0a 62 6c 75 65 0d 0a 70 69 63 74 75 72 65 0d 0a 65 67 67 0d 0a 65 79 65 0d 0a 6a 75 64 67 65 0d 0a 66 61 6c 6c 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 6d 61 6e 0d 0a 73 63 68 6f 6f 6c 0d 0a 6f 63 65 61 6e 0d 0a 63 61 6d 65 72 61 0d 0a 77 69 6e 64 0d 0a 77 6f 72 6b 0d 0a 61 6e 69 6d 61 6c 0d 0a 6c 61 6e 64 0d 0a 72 61 69 6e 0d 0a 66 75 6e 63 0d 0a 67 68 6f 73 74 0d 0a 67 75 65 73 74 0d 0a 73 75 67 61 72 0d 0a 6d 75 73 69 63 0d 0a 75 73 75 61 6c 6c 79 0d 0a 6c 69 66 65 0d 0a 79 65 61 72 6e 0d 0a 6a 61 76 61 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 62 6c 75 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6e 69 67 68 74 0d 0a 6f 69 6c 0d 0a 6b 69 6e 67 0d 0a 6a 75 64 67 65 0d Data Ascii: kickbluepictureeggeyebluepictureeggeyejudgefallyesterdaymanschooloceancamerawindworkanimallandrainfuncghostguestsugarmusicusuallylifeyearnjavayesterdayblueunderstandnightoilkingjudge
2023-08-29 05:41:41 UTC	16	IN	Data Raw: 69 74 6f 72 0d 0a 68 69 67 68 0d 0a 6f 66 66 69 63 65 0d 0a 73 65 61 0d 0a 77 61 72 6e 0d 0a 6a 6f 6b 65 0d 0a 6d 61 63 68 69 6e 65 0d 0a 7a 69 70 70 65 72 0d 0a 66 61 6c 6c 0d 0a 67 75 65 73 74 0d 0a 6c 61 6e 64 0d 0a 74 61 73 74 65 0d 0a 72 69 76 65 72 0d 0a 6c 69 6f 6e 0d 0a 71 75 61 72 74 65 72 0d 0a 77 6f 6d 61 6e 0d 0a 6a 61 72 0d 0a 6f 72 64 65 72 0d 0a 6d 61 70 0d 0a 69 73 6c 61 6e 64 0d 0a 72 75 6e 0d 0a 77 69 6e 74 65 72 0d 0a 61 6e 69 6d 61 6c 0d 0a 77 6f 72 6c 64 0d 0a 6c 61 6e 64 0d 0a 6c 6f 6e 67 0d 0a 6b 69 63 6b 0d 0a 79 65 73 0d 0a 71 75 61 6c 69 66 79 0d 0a 6e 75 72 73 65 0d 0a 71 75 69 63 6b 0d 0a 70 6c 61 6e 74 0d 0a 79 65 61 72 6e 0d 0a 69 73 6c 61 6e 64 0d 0a 70 61 70 65 72 0d 0a 70 69 7a 7a 61 0d 0a 6b 69 6e 64 0d 0a 6c 69 66 65 0d Data Ascii: itorhighofficeseawarnjokemachinezipperfallguestlandtasteriverlionquarterwomanjarordermapislandrunwinteranimalworldlandlongkickyesqualifynursequickplantyearnislandpaperpizzakindlife
2023-08-29 05:41:41 UTC	32	IN	Data Raw: 65 64 0d 0a 71 75 69 65 74 0d 0a 74 69 67 65 72 0d 0a 64 6f 6f 72 0d 0a 79 61 77 6e 0d 0a 6f 62 6a 65 63 74 0d 0a 69 73 73 75 65 0d 0a 6e 65 65 64 0d 0a 71 75 61 6c 69 66 79 0d 0a 72 6f 6f 6d 0d 0a 64 65 65 72 0d 0a 7a 69 70 70 65 72 0d 0a 64 61 79 0d 0a 76 61 6e 0d 0a 63 61 6b 65 0d 0a 69 6e 74 0d 0a 6f 70 65 6e 0d 0a 70 6f 77 65 72 0d 0a 6e 6f 72 74 68 0d 0a 65 64 67 65 0d 0a 70 6f 77 65 72 0d 0a 61 6e 69 6d 61 6c 0d 0a 6e 61 74 75 72 65 0d 0a 63 61 72 0d 0a 78 79 6c 65 6d 0d 0a 6f 62 6a 65 63 74 0d 0a 74 65 73 74 0d 0a 79 65 6c 6c 6f 77 0d 0a 6a 61 63 6b 65 74 0d 0a 67 69 72 6c 0d 0a 74 65 61 63 68 65 72 0d 0a 67 72 61 73 73 0d 0a 6e 75 6d 62 65 72 0d 0a 62 61 6e 6b 0d 0a 79 61 72 64 0d 0a 65 69 67 68 74 0d 0a 7a 6f 6d 62 69 65 0d 0a 6e 6f 74 65 0d 0a Data Ascii: edquiettigerdooryawnobjectissueneedqualifyroomdeerzipperdayvancakeintopenpowernorthedgepoweranimalnaturecarxylemobjecttestyellowjacketgirlteachergrassnumberbankyardeightzombienote
2023-08-29 05:41:42 UTC	48	IN	Data Raw: 64 65 73 6b 0d 0a 6a 61 72 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 73 6e 6f 77 0d 0a 6d 6f 6f 6e 0d 0a 63 61 6b 65 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6e 6f 73 65 0d 0a 6f 72 61 6e 67 65 0d 0a 71 75 69 63 6b 0d 0a 65 69 67 68 74 0d 0a 72 6f 61 64 0d 0a 75 72 67 65 0d 0a 7a 65 61 6c 0d 0a 77 65 73 74 0d 0a 6b 65 65 70 0d 0a 6f 72 61 6e 67 65 0d 0a 73 68 6f 72 74 0d 0a 78 79 6c 65 6d 0d 0a 70 69 7a 7a 61 0d 0a 70 6c 61 6e 74 0d 0a 68 61 74 0d 0a 77 61 74 65 72 0d 0a 64 61 6e 63 65 0d 0a 6c 61 6e 64 0d 0a 6d 61 70 0d 0a 67 69 72 6c 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 70 65 72 73 6f 6e 0d 0a 69 6e 73 69 64 65 0d 0a 7a 69 70 70 65 72 0d 0a 70 65 61 72 0d 0a 77 61 74 65 72 0d 0a 72 65 73 74 0d 0a 6e 61 74 75 72 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 69 Data Ascii: deskjarunderstandsnowmooncakeunsignednoseorangequickeightroadurgezealwestkeeporangeshortxylempizzaplanthatwaterdancelandmapgirlvacationpersoninsidezipperpearwaterrestnatureunderstandi
2023-08-29 05:41:42 UTC	64	IN	Data Raw: 0d 0a 77 68 69 74 65 0d 0a 63 6f 61 74 0d 0a 67 72 61 73 73 0d 0a 77 6f 72 6b 0d 0a 73 68 6f 72 74 0d 0a 73 6e 6f 77 0d 0a 70 68 6f 6e 65 0d 0a 6c 69 66 65 0d 0a 6a 6f 6b 65 0d 0a 72 6f 6f 6d 0d 0a 72 69 76 65 72 0d 0a 70 65 61 72 0d 0a 70 65 6e 0d 0a 75 6e 69 74 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6c 61 6e 64 0d 0a 6c 65 74 74 65 72 0d 0a 61 77 61 72 64 0d 0a 73 74 72 69 6e 67 0d 0a 61 6e 74 0d 0a 69 63 6f 6e 0d 0a 66 6f 72 0d 0a 77 69 6e 74 65 72 0d 0a 62 75 73 0d 0a 61 77 61 72 64 0d 0a 67 72 61 73 73 0d 0a 76 61 6e 0d 0a 6f 70 65 6e 0d 0a 6a 6f 79 0d 0a 6e 61 6d 65 0d 0a 61 6e 69 6d 61 6c 0d 0a 6a 75 6d 70 0d 0a 65 61 73 74 0d 0a 6c 61 6e 64 0d 0a 67 61 6d 65 0d 0a 69 73 6c 61 6e 64 0d 0a 68 61 69 72 0d 0a 69 6e 63 6f 6d 65 0d 0a 77 65 65 6b 0d Data Ascii: whitecoatgrassworkshortsnowphonelifejokeroomriverpearpenunitunderstandlandletterawardstringanticonforwinterbusawardgrassvanopenjoynameanimaljumpeastlandgameislandhairincomeweek
2023-08-29 05:41:42 UTC	80	IN	Data Raw: 0d 0a 68 69 74 0d 0a 75 6e 63 6c 65 0d 0a 6f 6e 65 0d 0a 73 74 6f 6e 65 0d 0a 68 69 67 68 0d 0a 65 72 72 6f 72 0d 0a 66 69 73 68 0d 0a 68 69 74 0d 0a 64 6f 6f 72 0d 0a 65 61 74 0d 0a 6b 69 63 6b 0d 0a 7a 65 62 72 61 0d 0a 68 69 74 0d 0a 64 6f 67 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 70 65 6e 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6d 6f 74 68 65 72 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 68 65 61 72 74 0d 0a 77 61 74 65 72 0d 0a 6b 69 6e 64 0d 0a 65 64 67 65 0d 0a 6a 6f 79 0d 0a 74 65 73 74 0d 0a 79 61 77 6e 0d 0a 74 69 67 65 72 0d 0a 76 69 65 77 0d 0a 6a 61 72 0d 0a 7a 65 62 72 61 0d 0a 79 65 61 72 0d 0a 77 6f 72 6c 64 0d 0a 6f 62 6a 65 63 74 0d 0a 76 69 65 77 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 69 6e 63 6f 6d 65 0d 0a 67 75 65 73 74 0d 0a 66 6f 6f 74 0d Data Ascii: hituncleonestonehigherrorfishhitdooreatkickzebrahitdogvegetablepenmachinemotherknowledgeheartwaterkindedgejoytestyawntigerviewjarzebrayearworldobjectviewunderstandincomeguestfoot
2023-08-29 05:41:42 UTC	96	IN	Data Raw: 0d 0a 62 65 61 63 68 0d 0a 67 72 6f 75 70 0d 0a 61 6e 74 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 66 61 63 65 0d 0a 66 6f 6f 74 0d 0a 67 72 61 73 73 0d 0a 76 6f 69 63 65 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 64 72 65 61 6d 0d 0a 6a 61 76 61 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 6a 61 63 6b 65 74 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 76 69 73 69 74 6f 72 0d 0a 73 6b 79 0d 0a 72 65 64 0d 0a 66 69 73 68 0d 0a 77 61 72 6e 0d 0a 70 65 72 73 6f 6e 0d 0a 63 68 61 72 0d 0a 65 72 72 6f 72 0d 0a 79 65 61 72 0d 0a 6b 69 6e 67 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 68 6f 75 73 65 0d 0a 6c 69 66 65 0d 0a 68 65 61 64 0d 0a 73 74 72 69 6e 67 0d 0a 76 69 65 77 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 67 72 6f 75 70 0d 0a 72 6f 61 64 0d 0a 74 69 67 65 72 0d 0a 71 75 69 63 6b 0d 0a 73 74 Data Ascii: beachgroupantknowledgefacefootgrassvoiceunsigneddreamjavaknowledgejacketunsignedvisitorskyredfishwarnpersoncharerroryearkingvacationhouselifeheadstringviewjourneygrouproadtigerquickst
2023-08-29 05:41:43 UTC	112	IN	Data Raw: 6a 61 72 0d 0a 77 6f 72 6c 64 0d 0a 68 69 67 68 0d 0a 65 79 65 0d 0a 6a 6f 6b 65 0d 0a 6b 69 63 6b 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 6f 6e 65 0d 0a 6c 61 6e 64 0d 0a 6c 69 6f 6e 0d 0a 65 64 67 65 0d 0a 64 61 74 61 0d 0a 65 61 73 79 0d 0a 66 6f 72 0d 0a 68 69 74 0d 0a 75 73 65 0d 0a 66 6f 72 0d 0a 77 65 73 74 0d 0a 6e 61 6d 65 0d 0a 73 6b 79 0d 0a 73 65 76 65 6e 0d 0a 61 6e 74 0d 0a 6c 6f 6e 67 0d 0a 64 61 74 61 0d 0a 6e 6f 73 65 0d 0a 6f 70 65 6e 0d 0a 68 65 6c 70 0d 0a 68 6f 70 65 0d 0a 6d 65 6e 74 0d 0a 73 74 6f 6e 65 0d 0a 6d 65 61 6c 0d 0a 68 69 74 0d 0a 63 6f 61 74 0d 0a 76 69 63 74 6f 72 79 0d 0a 6c 65 74 74 65 72 0d 0a 74 69 67 65 72 0d 0a 67 75 65 73 74 0d 0a 6b 65 79 0d 0a 76 69 65 77 0d 0a 77 68 69 6c 65 0d 0a 79 6f 75 6e 67 0d 0a 6b Data Ascii: jarworldhigheyejokekickinformationonelandlionedgedataeasyforhituseforwestnameskysevenantlongdatanoseopenhelphopementstonemealhitcoatvictorylettertigerguestkeyviewwhileyoungk
2023-08-29 05:41:43 UTC	128	IN	Data Raw: 66 6f 6f 64 0d 0a 73 6f 6e 67 0d 0a 64 75 63 6b 0d 0a 66 69 72 65 0d 0a 6c 65 67 0d 0a 6d 75 73 69 63 0d 0a 6c 65 67 0d 0a 76 6f 69 63 65 0d 0a 76 69 73 69 74 6f 72 0d 0a 62 6f 79 0d 0a 66 69 72 65 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 70 6f 77 65 72 0d 0a 79 61 72 64 0d 0a 67 68 6f 73 74 0d 0a 74 61 6c 6b 0d 0a 7a 6f 6e 65 0d 0a 63 6c 69 70 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 67 6c 61 73 73 0d 0a 6c 61 6e 64 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 77 65 73 74 0d 0a 63 61 72 0d 0a 72 75 6e 0d 0a 66 72 69 65 6e 64 0d 0a 62 6f 6f 6b 0d 0a 62 61 6e 61 6e 61 0d 0a 7a 69 70 70 65 72 0d 0a 6a 6f 6b 65 0d 0a 64 6f 67 0d 0a 6b 69 6e 67 0d 0a 64 61 74 61 0d 0a 68 6f 75 73 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 6c 69 6f 6e 0d 0a 64 72 65 61 6d 0d 0a Data Ascii: foodsongduckfirelegmusiclegvoicevisitorboyfireundergroundpoweryardghosttalkzoneclipknowledgeglasslandunderstandwestcarrunfriendbookbananazipperjokedogkingdatahouseknowledgeliondream
2023-08-29 05:41:43 UTC	144	IN	Data Raw: 6e 67 0d 0a 62 69 72 64 0d 0a 6c 6f 76 65 0d 0a 74 69 6d 65 0d 0a 6f 69 6c 0d 0a 6b 69 74 63 68 65 6e 0d 0a 62 6f 6f 6b 0d 0a 72 75 6e 0d 0a 67 6f 6c 64 0d 0a 73 74 61 72 0d 0a 6f 63 65 61 6e 0d 0a 61 72 72 6f 77 0d 0a 6f 6e 65 0d 0a 6a 6f 6b 65 0d 0a 65 6e 65 72 67 79 0d 0a 72 65 64 0d 0a 61 70 70 6c 65 0d 0a 70 65 6e 0d 0a 6d 6f 6e 6b 65 79 0d 0a 74 72 61 69 6e 0d 0a 64 72 65 61 6d 0d 0a 6b 69 73 73 0d 0a 79 65 61 72 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6e 69 67 68 74 0d 0a 67 72 61 73 73 0d 0a 6b 69 6e 67 0d 0a 73 74 61 72 0d 0a 65 67 67 0d 0a 61 69 72 0d 0a 77 6f 72 6b 0d 0a 63 6f 6c 6f 72 0d 0a 73 68 6f 72 74 0d 0a 77 69 6e 74 65 72 0d 0a 6e 6f 73 65 0d 0a 63 61 74 0d 0a 77 69 6e 64 0d 0a 68 69 74 0d 0a 61 77 61 72 64 0d 0a 79 65 73 0d 0a 6e 6f 73 65 Data Ascii: ngbirdlovetimeoilkitchenbookrungoldstaroceanarrowonejokeenergyredapplepenmonkeytraindreamkissyearunsignednightgrasskingstareggairworkcolorshortwinternosecatwindhitawardyesnose
2023-08-29 05:41:43 UTC	160	IN	Data Raw: 64 65 65 72 0d 0a 77 6f 6d 61 6e 0d 0a 6c 69 6f 6e 0d 0a 74 72 65 65 0d 0a 71 75 69 63 6b 0d 0a 7a 6f 6f 0d 0a 74 69 67 65 72 0d 0a 76 61 6e 0d 0a 72 61 69 6e 0d 0a 67 61 6d 65 0d 0a 69 6e 74 0d 0a 6d 6f 6f 6e 0d 0a 6c 61 6d 70 0d 0a 6c 69 6f 6e 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 66 72 69 65 6e 64 0d 0a 78 79 6c 65 6d 0d 0a 76 69 65 77 0d 0a 74 69 6d 65 0d 0a 69 73 73 75 65 0d 0a 76 61 6e 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 65 61 72 0d 0a 72 69 76 65 72 0d 0a 78 79 6c 65 6d 0d 0a 63 61 72 0d 0a 6b 69 64 0d 0a 6e 61 6d 65 0d 0a 6d 61 6e 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 76 6f 69 63 65 0d 0a 72 65 73 74 0d 0a 65 61 73 74 0d 0a 72 61 69 6e 0d 0a 74 65 61 63 68 65 72 0d 0a 69 6e 63 6f 6d 65 0d Data Ascii: deerwomanliontreequickzootigervanraingameintmoonlamplionquestionunderstandfriendxylemviewtimeissuevanjourneyunsignedearriverxylemcarkidnamemanquestionvoiceresteastrainteacherincome
2023-08-29 05:41:43 UTC	176	IN	Data Raw: 77 61 79 0d 0a 6f 63 65 61 6e 0d 0a 6d 61 63 68 69 6e 65 0d 0a 73 63 68 6f 6f 6c 0d 0a 63 68 61 72 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 67 72 6f 75 70 0d 0a 70 69 63 74 75 72 65 0d 0a 73 65 76 65 6e 0d 0a 68 65 61 72 74 0d 0a 6e 69 67 68 74 0d 0a 68 65 61 72 74 0d 0a 6f 62 6a 65 63 74 0d 0a 6a 6f 79 0d 0a 69 63 65 0d 0a 76 6f 69 63 65 0d 0a 6f 70 65 6e 0d 0a 76 69 64 65 6f 0d 0a 71 75 69 63 6b 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 65 69 67 68 74 0d 0a 65 61 74 0d 0a 63 69 74 79 0d 0a 73 75 6e 0d 0a 6d 6f 6f 6e 0d 0a 71 75 61 6c 69 74 79 0d 0a 76 6f 69 63 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 64 61 6e 63 65 0d 0a 70 61 70 65 72 0d 0a 79 65 6c 6c 6f 77 0d 0a 6d 61 6e 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 73 63 68 6f 6f 6c 0d 0a 61 6e 69 6d 61 6c 0d 0a 75 6e 64 Data Ascii: wayoceanmachineschoolcharKanthangrouppicturesevenheartnightheartobjectjoyicevoiceopenvideoquickvegetableeighteatcitysunmoonqualityvoiceyellowdancepaperyellowmanuniversityschoolanimalund
2023-08-29 05:41:43 UTC	192	IN	Data Raw: 0d 0a 75 6e 69 74 0d 0a 77 6f 6d 61 6e 0d 0a 6a 61 72 0d 0a 74 65 73 74 0d 0a 77 65 65 6b 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 6b 69 6e 67 0d 0a 7a 6f 6d 62 69 65 0d 0a 6e 6f 74 65 0d 0a 61 6e 74 0d 0a 67 68 6f 73 74 0d 0a 64 72 65 61 6d 0d 0a 72 65 73 74 0d 0a 62 61 6e 61 6e 61 0d 0a 74 61 6c 6b 0d 0a 64 72 65 61 6d 0d 0a 67 69 72 6c 0d 0a 65 67 67 0d 0a 71 75 65 65 6e 0d 0a 61 72 72 61 79 0d 0a 6d 75 73 69 63 0d 0a 64 72 65 61 6d 0d 0a 66 61 72 6d 0d 0a 64 61 79 0d 0a 6b 69 6e 67 0d 0a 75 73 65 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 79 65 73 0d 0a 63 6f 77 0d 0a 6d 65 6e 74 0d 0a 69 63 6f 6e 0d 0a 6d 69 6c 6b 0d 0a 62 61 6c 6c 0d 0a 69 6e 74 0d 0a 62 69 72 64 0d 0a 64 61 74 61 0d 0a 64 6f 6f 72 0d 0a 6c 61 6d 70 0d 0a 62 6f 78 0d 0a 71 75 69 63 6b 0d 0a Data Ascii: unitwomanjartestweekyesterdaykingzombienoteantghostdreamrestbananatalkdreamgirleggqueenarraymusicdreamfarmdaykingusequantityyescowmenticonmilkballintbirddatadoorlampboxquick
2023-08-29 05:41:43 UTC	208	IN	Data Raw: 0d 0a 71 75 69 63 6b 0d 0a 6e 75 6d 62 65 72 0d 0a 62 61 6e 61 6e 61 0d 0a 73 68 6f 72 74 0d 0a 76 69 64 65 6f 0d 0a 70 65 72 73 6f 6e 0d 0a 69 6e 73 69 64 65 0d 0a 71 75 69 63 6b 0d 0a 63 6c 69 70 0d 0a 6e 69 67 68 74 0d 0a 66 61 63 65 0d 0a 6c 61 6e 64 0d 0a 61 72 72 61 79 0d 0a 69 6e 6b 0d 0a 79 65 6c 6c 6f 77 0d 0a 70 65 72 73 6f 6e 0d 0a 74 72 61 69 6e 0d 0a 6c 75 6e 63 68 0d 0a 64 75 63 6b 0d 0a 6f 66 66 69 63 65 0d 0a 6a 75 6d 70 0d 0a 74 6f 70 0d 0a 6d 69 6c 6b 0d 0a 6b 69 74 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 70 61 70 65 72 0d 0a 66 6f 72 0d 0a 67 6c 61 73 73 0d 0a 69 73 73 75 65 0d 0a 72 75 6e 0d 0a 67 6c 61 73 73 0d 0a 64 72 65 61 6d 0d 0a 6a 75 64 67 65 0d 0a 77 6f 72 6c 64 0d 0a 74 61 73 74 65 0d 0a 63 69 74 79 0d 0a 6e 75 72 73 65 Data Ascii: quicknumberbananashortvideopersoninsidequickclipnightfacelandarrayinkyellowpersontrainlunchduckofficejumptopmilkkiteunderstandpaperforglassissuerunglassdreamjudgeworldtastecitynurse
2023-08-29 05:41:44 UTC	224	IN	Data Raw: 6e 65 0d 0a 73 6f 6e 67 0d 0a 6a 75 64 67 65 0d 0a 68 6f 70 65 0d 0a 65 6e 64 0d 0a 70 6c 61 6e 74 0d 0a 6c 61 6e 64 0d 0a 77 61 74 65 72 0d 0a 71 75 6f 74 65 0d 0a 67 6c 61 73 73 0d 0a 76 69 64 65 6f 0d 0a 6c 65 74 74 65 72 0d 0a 68 61 69 72 0d 0a 6e 65 65 64 0d 0a 67 72 61 73 73 0d 0a 64 72 65 61 6d 0d 0a 65 6e 64 0d 0a 6b 69 63 6b 0d 0a 73 68 6f 72 74 0d 0a 6e 6f 74 65 0d 0a 6b 69 6e 64 0d 0a 63 61 6b 65 0d 0a 72 61 62 62 69 74 0d 0a 62 6f 6f 6b 0d 0a 76 69 73 69 74 6f 72 0d 0a 7a 65 62 72 61 0d 0a 61 6c 6f 6e 65 0d 0a 6d 6f 76 69 65 0d 0a 76 61 6c 75 65 0d 0a 62 6c 75 65 0d 0a 69 73 73 75 65 0d 0a 62 75 73 0d 0a 6c 6f 76 65 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 65 61 72 74 68 0d 0a 7a 65 62 72 61 0d 0a 6d 61 70 0d 0a 62 6f 78 0d 0a 63 6c 6f 75 Data Ascii: nesongjudgehopeendplantlandwaterquoteglassvideoletterhairneedgrassdreamendkickshortnotekindcakerabbitbookvisitorzebraalonemovievalueblueissuebusloveinformationearthzebramapboxclou
2023-08-29 05:41:44 UTC	240	IN	Data Raw: 6c 69 74 79 0d 0a 73 65 61 0d 0a 6f 72 61 6e 67 65 0d 0a 61 6c 6f 6e 65 0d 0a 68 69 67 68 0d 0a 68 61 74 0d 0a 71 75 61 6c 69 74 79 0d 0a 64 61 79 0d 0a 6a 61 76 61 0d 0a 6c 65 74 74 65 72 0d 0a 6c 65 74 74 65 72 0d 0a 70 65 6e 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 6b 69 63 6b 0d 0a 63 61 6b 65 0d 0a 6a 75 6d 70 0d 0a 66 69 72 65 0d 0a 77 61 74 65 72 0d 0a 62 61 6e 61 6e 61 0d 0a 76 61 6e 0d 0a 76 69 64 65 6f 0d 0a 6a 75 64 67 65 0d 0a 66 61 74 68 65 72 0d 0a 65 6e 65 72 67 79 0d 0a 69 73 73 75 65 0d 0a 69 63 6f 6e 0d 0a 6d 61 63 68 69 6e 65 0d 0a 68 61 69 72 0d 0a 62 69 72 64 0d 0a 6c 65 67 0d 0a 68 69 67 68 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 72 61 62 62 69 74 0d 0a 69 6e 74 0d 0a 77 61 74 65 72 0d 0a 68 61 74 0d 0a 70 65 61 72 0d 0a 72 69 73 65 0d Data Ascii: lityseaorangealonehighhatqualitydayjavaletterletterpenKanthankickcakejumpfirewaterbananavanvideojudgefatherenergyissueiconmachinehairbirdleghighinformationrabbitintwaterhatpearrise
2023-08-29 05:41:44 UTC	255	IN	Data Raw: 6e 0d 0a 6e 75 6d 62 65 72 0d 0a 65 79 65 0d 0a 63 6f 61 74 0d 0a 70 65 72 73 6f 6e 0d 0a 6c 75 6e 63 68 0d 0a 61 77 61 72 64 0d 0a 6f 70 65 6e 0d 0a 73 6f 6e 67 0d 0a 6b 65 65 70 0d 0a 71 75 65 65 6e 0d 0a 65 61 72 74 68 0d 0a 66 61 72 6d 0d 0a 6d 6f 76 69 65 0d 0a 63 6f 77 0d 0a 6f 72 61 6e 67 65 0d 0a 6f 66 66 65 72 0d 0a 6f 6e 65 0d 0a 6c 61 6b 65 0d 0a 63 6c 6f 75 64 0d 0a 72 65 73 74 0d 0a 66 69 73 68 0d 0a 76 69 63 74 6f 72 79 0d 0a 73 65 76 65 6e 0d 0a 65 79 65 0d 0a 74 65 73 74 0d 0a 62 6f 78 0d 0a 64 6f 67 0d 0a 6b 69 73 73 0d 0a 62 6f 6f 6b 0d 0a 73 65 76 65 6e 0d 0a 6e 69 67 68 74 0d 0a 62 6f 6f 6b 0d 0a 61 6e 74 0d 0a 72 6f 6f 6d 0d 0a 64 61 72 6b 0d 0a 70 6f 77 65 72 0d 0a 72 69 76 65 72 0d 0a 72 69 76 65 72 0d 0a 66 69 73 68 0d 0a 72 75 6e Data Ascii: nnumbereyecoatpersonlunchawardopensongkeepqueenearthfarmmoviecoworangeofferonelakecloudrestfishvictoryseveneyetestboxdogkissbooksevennightbookantroomdarkpowerriverriverfishrun
2023-08-29 05:41:44 UTC	271	IN	Data Raw: 0a 7a 6f 6d 62 69 65 0d 0a 73 75 67 61 72 0d 0a 6f 66 66 69 63 65 0d 0a 73 6b 79 0d 0a 73 65 61 0d 0a 73 65 61 0d 0a 73 74 61 72 0d 0a 62 75 73 0d 0a 62 69 72 64 0d 0a 63 6c 6f 75 64 0d 0a 62 69 72 64 0d 0a 6b 69 64 0d 0a 66 75 6e 63 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 66 61 6c 6c 0d 0a 74 61 6c 6b 0d 0a 70 65 72 73 6f 6e 0d 0a 73 74 61 72 0d 0a 79 65 6c 6c 6f 77 0d 0a 79 65 73 0d 0a 6e 61 74 75 72 65 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 79 65 61 72 6e 0d 0a 74 65 73 74 0d 0a 68 65 61 64 0d 0a 66 75 6e 63 0d 0a 6d 61 70 0d 0a 6f 72 64 65 72 0d 0a 62 61 6e 61 6e 61 0d 0a 6d 61 70 0d 0a 62 75 73 0d 0a 79 65 61 72 0d 0a 62 61 6c 6c 0d 0a 61 6c 6f 6e 65 0d 0a 63 61 6d 65 72 61 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 69 6e 6b 0d 0a 64 61 6e 63 65 0d 0a 6b Data Ascii: zombiesugarofficeskyseaseastarbusbirdcloudbirdkidfuncKanthanfalltalkpersonstaryellowyesnaturevegetableyearntestheadfuncmaporderbananamapbusyearballalonecameraundergroundinkdancek
2023-08-29 05:41:44 UTC	287	IN	Data Raw: 0a 76 6f 69 63 65 0d 0a 6c 69 66 65 0d 0a 68 6f 70 65 0d 0a 61 69 72 0d 0a 6a 61 63 6b 65 74 0d 0a 62 6f 6f 6b 0d 0a 77 69 6e 64 0d 0a 67 72 6f 75 70 0d 0a 65 73 63 61 70 65 0d 0a 65 61 74 0d 0a 61 69 72 0d 0a 61 72 74 0d 0a 77 69 6e 74 65 72 0d 0a 68 61 74 0d 0a 77 65 65 6b 0d 0a 6c 69 6f 6e 0d 0a 6b 69 73 73 0d 0a 65 61 74 0d 0a 6e 75 72 73 65 0d 0a 62 65 61 63 68 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 66 6c 6f 77 65 72 0d 0a 63 6f 61 74 0d 0a 61 69 72 0d 0a 6a 6f 79 0d 0a 66 61 74 68 65 72 0d 0a 66 6f 6f 64 0d 0a 63 61 74 0d 0a 74 6f 70 0d 0a 63 6c 69 70 0d 0a 70 65 72 73 6f 6e 0d 0a 66 61 63 65 0d 0a 76 61 6e 0d 0a 73 63 68 6f 6f 6c 0d 0a 73 68 6f 72 74 0d 0a 6c 69 66 65 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 68 69 74 Data Ascii: voicelifehopeairjacketbookwindgroupescapeeatairartwinterhatweeklionkisseatnursebeachundergroundflowercoatairjoyfatherfoodcattopclippersonfacevanschoolshortlifequantityquantityhit
2023-08-29 05:41:44 UTC	303	IN	Data Raw: 65 61 0d 0a 6c 65 74 74 65 72 0d 0a 64 61 74 61 0d 0a 6d 6f 6f 6e 0d 0a 61 72 72 61 79 0d 0a 63 6f 6c 6f 72 0d 0a 67 61 6d 65 0d 0a 62 61 6c 6c 0d 0a 77 61 72 6e 0d 0a 6e 61 74 75 72 65 0d 0a 75 6e 63 6c 65 0d 0a 79 6f 75 6e 67 0d 0a 79 61 77 6e 0d 0a 71 75 61 6c 69 74 79 0d 0a 79 6f 75 6e 67 0d 0a 72 75 6e 0d 0a 6c 6f 6e 67 0d 0a 74 6f 77 6e 0d 0a 6a 61 72 0d 0a 73 74 6f 6e 65 0d 0a 66 69 72 65 0d 0a 73 65 61 0d 0a 6e 6f 74 65 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 66 61 6c 6c 0d 0a 75 73 75 61 6c 6c 79 0d 0a 72 6f 6f 6d 0d 0a 61 63 65 0d 0a 65 72 72 6f 72 0d 0a 71 75 61 6c 69 74 79 0d 0a 75 72 67 65 0d 0a 6e 65 65 64 0d 0a 65 73 63 61 70 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 70 65 72 73 6f 6e 0d 0a 73 6f 6e 67 0d 0a 67 68 6f 73 74 0d 0a 66 6f 6f 64 Data Ascii: ealetterdatamoonarraycolorgameballwarnnatureuncleyoungyawnqualityyoungrunlongtownjarstonefireseanotequestionfallusuallyroomaceerrorqualityurgeneedescapeunderstandpersonsongghostfood
2023-08-29 05:41:44 UTC	319	IN	Data Raw: 6c 0d 0a 62 6c 75 65 0d 0a 69 6e 74 0d 0a 61 63 65 0d 0a 65 72 72 6f 72 0d 0a 66 6f 6f 64 0d 0a 66 69 72 65 0d 0a 74 65 73 74 0d 0a 6c 65 67 0d 0a 77 69 6e 64 0d 0a 75 72 67 65 0d 0a 77 69 6e 74 65 72 0d 0a 6e 6f 73 65 0d 0a 67 69 72 6c 0d 0a 61 77 61 72 64 0d 0a 6d 6f 74 68 65 72 0d 0a 66 6f 72 0d 0a 74 72 61 69 6e 0d 0a 77 68 69 6c 65 0d 0a 76 69 73 69 74 6f 72 0d 0a 62 6f 79 0d 0a 6b 69 73 73 0d 0a 62 61 6e 61 6e 61 0d 0a 6b 65 65 70 0d 0a 68 61 69 72 0d 0a 63 6f 6c 6f 72 0d 0a 73 75 6e 0d 0a 77 69 6e 64 0d 0a 6f 72 64 65 72 0d 0a 6e 6f 74 65 0d 0a 66 61 6c 6c 0d 0a 73 74 72 69 6e 67 0d 0a 70 69 7a 7a 61 0d 0a 74 65 73 74 0d 0a 77 65 73 74 0d 0a 6a 65 6c 6c 79 0d 0a 76 69 64 65 6f 0d 0a 77 61 72 6e 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 63 6c 69 70 0d Data Ascii: lblueintaceerrorfoodfiretestlegwindurgewinternosegirlawardmotherfortrainwhilevisitorboykissbananakeephaircolorsunwindordernotefallstringpizzatestwestjellyvideowarnknowledgeclip
2023-08-29 05:41:45 UTC	335	IN	Data Raw: 0d 0a 71 75 61 6c 69 74 79 0d 0a 79 65 61 72 6e 0d 0a 62 61 6c 6c 0d 0a 69 6e 63 6f 6d 65 0d 0a 6b 69 74 65 0d 0a 63 61 74 0d 0a 7a 69 70 70 65 72 0d 0a 64 72 65 61 6d 0d 0a 6b 65 79 0d 0a 71 75 61 6c 69 74 79 0d 0a 71 75 65 65 6e 0d 0a 74 6f 70 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6d 61 70 0d 0a 71 75 6f 74 65 0d 0a 63 69 74 79 0d 0a 71 75 65 65 6e 0d 0a 6d 69 6c 6b 0d 0a 63 61 74 0d 0a 69 73 6c 61 6e 64 0d 0a 70 69 7a 7a 61 0d 0a 6d 6f 74 68 65 72 0d 0a 65 64 67 65 0d 0a 69 6e 73 69 64 65 0d 0a 63 6f 6c 6f 72 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 70 6f 77 65 72 0d 0a 67 72 61 73 73 0d 0a 75 73 75 61 6c 6c 79 0d 0a 63 6c 6f 75 64 0d 0a 70 69 63 74 75 72 65 0d 0a 67 61 6d 65 0d 0a 72 69 76 65 72 0d 0a 67 69 72 6c 0d 0a 6b 65 79 0d 0a 63 61 6d 65 72 61 0d 0a Data Ascii: qualityyearnballincomekitecatzipperdreamkeyqualityqueentopunsignedmapquotecityqueenmilkcatislandpizzamotheredgeinsidecolorunsignedpowergrassusuallycloudpicturegamerivergirlkeycamera
2023-08-29 05:41:45 UTC	351	IN	Data Raw: 71 75 61 72 74 65 72 0d 0a 62 61 6e 6b 0d 0a 6e 61 74 75 72 65 0d 0a 61 72 74 0d 0a 69 64 65 61 0d 0a 66 6f 6f 74 0d 0a 65 72 72 6f 72 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 6d 6f 6e 6b 65 79 0d 0a 62 75 73 0d 0a 74 72 65 65 0d 0a 66 61 63 65 0d 0a 69 6e 63 6f 6d 65 0d 0a 65 61 72 74 68 0d 0a 75 73 65 0d 0a 77 61 79 0d 0a 6b 65 65 70 0d 0a 77 69 6e 74 65 72 0d 0a 68 61 74 0d 0a 68 65 61 64 0d 0a 66 69 73 68 0d 0a 6a 65 6c 6c 79 0d 0a 64 61 74 61 0d 0a 6c 61 75 67 68 0d 0a 73 65 76 65 6e 0d 0a 6b 69 6e 67 0d 0a 77 65 73 74 0d 0a 6c 65 74 74 65 72 0d 0a 67 6f 6c 64 0d 0a 66 69 73 68 0d 0a 69 6e 63 6f 6d 65 0d 0a 77 61 74 65 72 0d 0a 66 61 6c 6c 0d 0a 66 69 73 68 0d 0a 64 75 63 6b 0d 0a 79 65 61 72 6e 0d 0a 63 61 6d 65 72 61 0d 0a 69 63 65 0d 0a 70 65 61 72 Data Ascii: quarterbanknatureartideafooterroryesterdaymonkeybustreefaceincomeearthusewaykeepwinterhatheadfishjellydatalaughsevenkingwestlettergoldfishincomewaterfallfishduckyearncameraicepear
2023-08-29 05:41:45 UTC	367	IN	Data Raw: 61 72 74 0d 0a 6e 75 6d 62 65 72 0d 0a 67 6f 61 74 0d 0a 6f 72 61 6e 67 65 0d 0a 69 6e 74 0d 0a 73 6e 61 6b 65 0d 0a 77 6f 72 6c 64 0d 0a 6a 75 6d 70 0d 0a 63 61 6d 65 72 61 0d 0a 72 65 73 74 0d 0a 65 61 74 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 64 61 74 61 0d 0a 63 61 72 0d 0a 64 65 65 72 0d 0a 77 68 69 74 65 0d 0a 77 61 72 6e 0d 0a 66 61 63 65 0d 0a 6f 66 66 65 72 0d 0a 6b 69 64 0d 0a 65 61 72 74 68 0d 0a 62 61 6e 61 6e 61 0d 0a 68 6f 70 65 0d 0a 70 69 63 74 75 72 65 0d 0a 70 69 7a 7a 61 0d 0a 6c 69 6f 6e 0d 0a 72 65 64 0d 0a 6a 6f 79 0d 0a 71 75 69 63 6b 0d 0a 64 61 72 6b 0d 0a 62 6f 6f 6b 0d 0a 63 6f 77 0d 0a 62 61 6c 6c 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6d 61 63 68 69 6e 65 0d 0a 67 75 65 73 74 0d 0a 6c 69 Data Ascii: artnumbergoatorangeintsnakeworldjumpcameraresteatunderstanddatacardeerwhitewarnfaceofferkidearthbananahopepicturepizzalionredjoyquickdarkbookcowballyesterdayunderstandmachineguestli
2023-08-29 05:41:45 UTC	383	IN	Data Raw: 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 63 6f 77 0d 0a 6e 69 67 68 74 0d 0a 61 72 72 61 79 0d 0a 65 61 72 74 68 0d 0a 77 65 65 6b 0d 0a 6f 66 66 69 63 65 0d 0a 68 69 67 68 0d 0a 68 61 69 72 0d 0a 61 72 72 6f 77 0d 0a 6f 6e 65 0d 0a 64 72 65 61 6d 0d 0a 65 61 73 79 0d 0a 79 61 77 6e 0d 0a 69 63 6f 6e 0d 0a 63 61 6d 65 72 61 0d 0a 62 65 61 63 68 0d 0a 61 72 72 6f 77 0d 0a 6d 6f 6f 6e 0d 0a 72 61 69 6e 0d 0a 70 65 61 72 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 6c 65 67 0d 0a 6c 65 74 74 65 72 0d 0a 63 61 74 0d 0a 68 6f 75 73 65 0d 0a 6c 65 67 0d 0a 72 61 62 62 69 74 0d 0a 63 61 72 0d 0a 6c 6f 76 65 0d 0a 73 65 61 0d 0a 65 73 63 61 70 65 0d 0a 62 61 6e 6b 0d 0a 71 75 6f 74 65 0d 0a 70 65 72 73 6f 6e 0d 0a 68 61 6e 64 0d 0a 66 69 73 68 0d 0a 6b 69 74 63 68 65 6e Data Ascii: informationcownightarrayearthweekofficehighhairarrowonedreameasyyawniconcamerabeacharrowmoonrainpearvacationleglettercathouselegrabbitcarloveseaescapebankquotepersonhandfishkitchen
2023-08-29 05:41:45 UTC	399	IN	Data Raw: 75 70 0d 0a 70 65 6e 0d 0a 62 61 6c 6c 0d 0a 7a 65 61 6c 0d 0a 69 63 6f 6e 0d 0a 79 61 77 6e 0d 0a 6d 69 6c 6b 0d 0a 6c 61 6e 64 0d 0a 77 68 69 74 65 0d 0a 77 6f 72 6c 64 0d 0a 69 63 65 0d 0a 6f 70 65 6e 0d 0a 66 69 72 65 0d 0a 6b 69 73 73 0d 0a 71 75 61 6c 69 66 79 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 72 75 6e 0d 0a 62 75 73 0d 0a 70 68 6f 6e 65 0d 0a 64 65 73 6b 0d 0a 61 72 63 68 0d 0a 6c 65 74 74 65 72 0d 0a 6d 6f 6f 6e 0d 0a 7a 6f 6d 62 69 65 0d 0a 6e 61 74 75 72 65 0d 0a 70 69 7a 7a 61 0d 0a 62 6f 6f 6b 0d 0a 63 6f 77 0d 0a 79 6f 75 6e 67 0d 0a 68 69 67 68 0d 0a 73 75 6e 0d 0a 6c 61 6e 64 0d 0a 71 75 61 6c 69 66 79 0d 0a 70 69 7a 7a 61 0d 0a 6b 69 74 65 0d 0a 71 75 69 65 74 0d 0a 70 65 6e 0d 0a 68 69 67 68 0d 0a 73 75 6e 0d 0a 69 6e 74 0d 0a 6e 75 6d Data Ascii: uppenballzealiconyawnmilklandwhiteworldiceopenfirekissqualifyquestionrunbusphonedeskarchlettermoonzombienaturepizzabookcowyounghighsunlandqualifypizzakitequietpenhighsunintnum
2023-08-29 05:41:45 UTC	415	IN	Data Raw: 6e 64 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 73 75 6e 0d 0a 6e 6f 74 65 0d 0a 6a 61 72 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 76 69 73 69 74 6f 72 0d 0a 6a 75 6d 70 0d 0a 77 65 65 6b 0d 0a 69 6e 73 69 64 65 0d 0a 70 69 6e 6b 0d 0a 72 6f 63 6b 0d 0a 73 65 61 0d 0a 64 65 73 6b 0d 0a 74 65 73 74 0d 0a 70 65 72 73 6f 6e 0d 0a 61 72 63 68 0d 0a 6d 6f 6f 6e 0d 0a 6e 6f 72 74 68 0d 0a 69 6e 73 69 64 65 0d 0a 6d 75 73 69 63 0d 0a 6d 6f 74 68 65 72 0d 0a 6b 69 64 0d 0a 6e 61 74 75 72 65 0d 0a 65 61 72 0d 0a 6b 69 63 6b 0d 0a 69 73 6c 61 6e 64 0d 0a 75 72 67 65 0d 0a 6a 61 76 61 0d 0a 6c 61 75 67 68 0d 0a 6a 75 64 67 65 0d 0a 70 6f 77 65 72 0d 0a 7a 65 61 6c 0d 0a 6d 6f 6f 6e 0d 0a 6b 69 64 0d 0a 66 69 73 68 0d 0a 72 65 64 0d 0a 76 61 63 61 74 69 Data Ascii: ndquantitysunnotejarmachinejourneyvisitorjumpweekinsidepinkrockseadesktestpersonarchmoonnorthinsidemusicmotherkidnatureearkickislandurgejavalaughjudgepowerzealmoonkidfishredvacati
2023-08-29 05:41:45 UTC	431	IN	Data Raw: 0d 0a 64 6f 0d 0a 6e 61 6d 65 0d 0a 62 6f 6f 6b 0d 0a 72 65 73 74 0d 0a 77 6f 72 6c 64 0d 0a 73 65 76 65 6e 0d 0a 69 6e 63 6f 6d 65 0d 0a 70 6c 61 6e 74 0d 0a 67 61 6d 65 0d 0a 6e 75 6d 62 65 72 0d 0a 73 6e 6f 77 0d 0a 65 61 73 79 0d 0a 63 61 74 0d 0a 77 61 74 65 72 0d 0a 77 6f 72 6b 0d 0a 62 69 72 64 0d 0a 70 65 72 73 6f 6e 0d 0a 6a 6f 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 67 72 61 73 73 0d 0a 6c 6f 76 65 0d 0a 7a 6f 6d 62 69 65 0d 0a 6c 69 66 65 0d 0a 68 65 61 72 74 0d 0a 6b 65 79 0d 0a 65 61 72 74 68 0d 0a 70 65 72 73 6f 6e 0d 0a 61 6e 69 6d 61 6c 0d 0a 66 61 6c 6c 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 69 63 65 0d 0a 63 61 6b 65 0d 0a 66 61 63 65 0d 0a 71 75 6f 74 65 0d 0a 69 73 6c 61 6e 64 0d 0a 65 61 73 74 0d 0a 6f 63 65 61 6e 0d 0a 67 6f 6c Data Ascii: donamebookrestworldsevenincomeplantgamenumbersnoweasycatwaterworkbirdpersonjoyuniversitygrasslovezombielifeheartkeyearthpersonanimalfallvegetableicecakefacequoteislandeastoceangol
2023-08-29 05:41:45 UTC	447	IN	Data Raw: 0a 61 72 72 61 79 0d 0a 76 69 73 69 74 6f 72 0d 0a 6b 69 6e 67 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 64 72 65 61 6d 0d 0a 65 72 72 6f 72 0d 0a 6c 6f 6e 67 0d 0a 7a 6f 6f 0d 0a 6d 65 61 6c 0d 0a 77 61 72 6e 0d 0a 6b 69 74 63 68 65 6e 0d 0a 62 75 73 0d 0a 76 69 65 77 0d 0a 6a 6f 6b 65 0d 0a 62 61 6c 6c 0d 0a 6c 69 6f 6e 0d 0a 64 65 65 72 0d 0a 7a 6f 6d 62 69 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 61 6e 74 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 74 61 73 74 65 0d 0a 75 73 65 0d 0a 65 64 67 65 0d 0a 6c 6f 76 65 0d 0a 71 75 61 72 74 65 72 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6e 75 72 73 65 0d 0a 71 75 69 63 6b 0d 0a 69 63 6f 6e 0d 0a 79 65 61 72 0d 0a 73 63 68 6f 6f 6c 0d 0a 6c 6f 6e 67 0d 0a 6a 61 76 61 0d 0a 77 6f 6d 61 6e 0d 0a 72 65 64 0d 0a 72 69 73 65 0d 0a 61 72 Data Ascii: arrayvisitorkingquestiondreamerrorlongzoomealwarnkitchenbusviewjokeballliondeerzombiemonkeyantknowledgetasteuseedgelovequarterunsignednursequickiconyearschoollongjavawomanredrisear
2023-08-29 05:41:45 UTC	463	IN	Data Raw: 64 0d 0a 65 6e 65 72 67 79 0d 0a 65 61 73 79 0d 0a 70 68 6f 6e 65 0d 0a 68 65 61 72 74 0d 0a 79 65 61 72 0d 0a 65 67 67 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 76 61 6e 0d 0a 72 61 69 6e 0d 0a 6f 66 66 69 63 65 0d 0a 66 61 74 68 65 72 0d 0a 63 6c 69 70 0d 0a 6f 66 66 69 63 65 0d 0a 62 61 6c 6c 0d 0a 79 65 61 72 0d 0a 71 75 69 63 6b 0d 0a 67 72 6f 75 70 0d 0a 62 6f 78 0d 0a 61 72 74 0d 0a 79 65 73 0d 0a 68 69 74 0d 0a 62 6f 79 0d 0a 7a 6f 6f 0d 0a 6e 61 6d 65 0d 0a 73 65 76 65 6e 0d 0a 6e 6f 74 65 0d 0a 65 69 67 68 74 0d 0a 77 61 74 65 72 0d 0a 67 72 65 65 6e 0d 0a 62 6c 75 65 0d 0a 77 68 69 6c 65 0d 0a 6f 69 6c 0d 0a 65 61 72 0d 0a 6a 65 6c 6c 79 0d 0a 6f 72 61 6e 67 65 0d 0a 6e 6f 73 65 0d 0a 63 69 74 79 0d 0a 67 72 6f 75 70 0d 0a 66 6f 6f 74 0d 0a 71 75 65 65 Data Ascii: denergyeasyphoneheartyeareggKanthanvanrainofficefatherclipofficeballyearquickgroupboxartyeshitboyzoonamesevennoteeightwatergreenbluewhileoilearjellyorangenosecitygroupfootquee
2023-08-29 05:41:45 UTC	479	IN	Data Raw: 0d 0a 6a 6f 6b 65 0d 0a 66 61 63 65 0d 0a 6e 61 74 75 72 65 0d 0a 74 61 6c 6b 0d 0a 67 72 61 73 73 0d 0a 6c 75 6e 63 68 0d 0a 63 68 61 72 0d 0a 62 6c 75 65 0d 0a 6c 61 6e 64 0d 0a 68 65 61 64 0d 0a 7a 6f 6e 65 0d 0a 6a 6f 79 0d 0a 77 69 6e 64 0d 0a 71 75 61 6c 69 74 79 0d 0a 70 68 6f 6e 65 0d 0a 72 61 69 6e 0d 0a 74 6f 70 0d 0a 63 61 72 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 64 65 73 6b 0d 0a 6b 65 65 70 0d 0a 76 6f 69 63 65 0d 0a 68 69 67 68 0d 0a 69 6e 63 6f 6d 65 0d 0a 77 69 6e 74 65 72 0d 0a 6d 61 63 68 69 6e 65 0d 0a 64 61 6e 63 65 0d 0a 69 6e 6b 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 62 6f 79 0d 0a 6f 6e 65 0d 0a 69 63 65 0d 0a 73 68 6f 72 74 0d 0a 63 6f 77 0d 0a 7a 65 72 6f 0d 0a 61 72 72 6f 77 0d 0a 72 65 73 74 0d 0a 67 72 6f 75 70 0d 0a 68 69 74 Data Ascii: jokefacenaturetalkgrasslunchcharbluelandheadzonejoywindqualityphoneraintopcaruniversitydeskkeepvoicehighincomewintermachinedanceinkquantityboyoneiceshortcowzeroarrowrestgrouphit
2023-08-29 05:41:45 UTC	495	IN	Data Raw: 74 65 72 0d 0a 6e 6f 72 74 68 0d 0a 64 61 72 6b 0d 0a 70 65 72 73 6f 6e 0d 0a 6b 69 74 63 68 65 6e 0d 0a 66 6f 6f 64 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 77 68 69 74 65 0d 0a 66 61 72 6d 0d 0a 67 69 72 6c 0d 0a 6e 6f 72 74 68 0d 0a 74 61 6c 6b 0d 0a 6b 69 6e 64 0d 0a 67 6c 61 73 73 0d 0a 63 6f 61 74 0d 0a 65 6e 65 72 67 79 0d 0a 6a 61 72 0d 0a 6b 65 79 0d 0a 79 65 73 0d 0a 68 65 6c 70 0d 0a 65 6e 65 72 67 79 0d 0a 71 75 61 6c 69 66 79 0d 0a 76 69 64 65 6f 0d 0a 73 6b 79 0d 0a 6d 6f 6e 6b 65 79 0d 0a 6b 69 6e 67 0d 0a 73 65 76 65 6e 0d 0a 67 69 72 6c 0d 0a 74 69 67 65 72 0d 0a 65 69 67 68 74 0d 0a 70 61 70 65 72 0d 0a 61 72 63 68 0d 0a 6d 61 63 68 69 6e 65 0d 0a 70 61 70 65 72 0d 0a 6a 6f 79 0d 0a 70 65 72 73 6f 6e 0d 0a 67 68 6f 73 74 0d 0a 74 61 73 74 Data Ascii: ternorthdarkpersonkitchenfoodknowledgewhitefarmgirlnorthtalkkindglasscoatenergyjarkeyyeshelpenergyqualifyvideoskymonkeykingsevengirltigereightpaperarchmachinepaperjoypersonghosttast
2023-08-29 05:41:45 UTC	511	IN	Data Raw: 68 6f 6e 65 0d 0a 66 6f 72 0d 0a 6b 65 65 70 0d 0a 72 65 73 74 0d 0a 63 61 6b 65 0d 0a 6b 69 73 73 0d 0a 6e 65 65 64 0d 0a 7a 69 70 70 65 72 0d 0a 67 6c 61 73 73 0d 0a 61 77 61 72 64 0d 0a 64 61 79 0d 0a 63 6f 77 0d 0a 6a 75 64 67 65 0d 0a 74 61 73 74 65 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 77 6f 6d 61 6e 0d 0a 61 6e 74 0d 0a 70 65 6e 0d 0a 77 69 6e 74 65 72 0d 0a 77 69 6e 74 65 72 0d 0a 72 65 73 74 0d 0a 67 6f 6c 64 0d 0a 6e 69 67 68 74 0d 0a 63 6c 6f 75 64 0d 0a 6c 6f 6e 67 0d 0a 70 6c 61 6e 74 0d 0a 6c 61 6d 70 0d 0a 7a 65 72 6f 0d 0a 65 69 67 68 74 0d 0a 61 6e 69 6d 61 6c 0d 0a 77 6f 72 6c 64 0d 0a 65 61 74 0d 0a 74 72 61 69 6e 0d 0a 74 6f 77 6e 0d 0a 67 6f 6c 64 0d 0a 77 69 6e 64 0d 0a 73 6f 6e 67 0d 0a 66 6f 72 0d 0a 7a 65 61 6c 0d 0a 6e 6f 73 65 Data Ascii: honeforkeeprestcakekissneedzipperglassawarddaycowjudgetasteyesterdaywomanantpenwinterwinterrestgoldnightcloudlongplantlampzeroeightanimalworldeattraintowngoldwindsongforzealnose
2023-08-29 05:41:45 UTC	527	IN	Data Raw: 61 77 61 72 64 0d 0a 72 65 73 74 0d 0a 77 68 69 74 65 0d 0a 6c 61 6e 64 0d 0a 77 61 74 65 72 0d 0a 6d 6f 76 69 65 0d 0a 63 6f 6c 6f 72 0d 0a 63 6f 77 0d 0a 61 70 70 6c 65 0d 0a 69 6e 6b 0d 0a 72 69 73 65 0d 0a 61 72 72 6f 77 0d 0a 64 6f 6f 72 0d 0a 69 6e 63 6f 6d 65 0d 0a 68 6f 70 65 0d 0a 7a 69 70 70 65 72 0d 0a 6a 75 6d 70 0d 0a 66 6f 6f 74 0d 0a 68 61 6e 64 0d 0a 64 65 73 6b 0d 0a 62 69 72 64 0d 0a 66 61 63 65 0d 0a 61 70 70 6c 65 0d 0a 62 61 6e 6b 0d 0a 70 65 72 73 6f 6e 0d 0a 63 6c 6f 75 64 0d 0a 71 75 69 65 74 0d 0a 6c 61 6e 64 0d 0a 71 75 61 6c 69 66 79 0d 0a 73 68 6f 72 74 0d 0a 68 6f 75 73 65 0d 0a 6c 69 66 65 0d 0a 77 68 69 74 65 0d 0a 65 69 67 68 74 0d 0a 66 6c 6f 77 65 72 0d 0a 67 72 6f 75 70 0d 0a 67 6c 61 73 73 0d 0a 68 65 61 64 0d 0a 6a 6f Data Ascii: awardrestwhitelandwatermoviecolorcowappleinkrisearrowdoorincomehopezipperjumpfoothanddeskbirdfaceapplebankpersoncloudquietlandqualifyshorthouselifewhiteeightflowergroupglassheadjo
2023-08-29 05:41:45 UTC	543	IN	Data Raw: 6e 61 6d 65 0d 0a 71 75 61 6c 69 74 79 0d 0a 6e 75 72 73 65 0d 0a 61 77 61 72 64 0d 0a 6b 69 6e 67 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 74 6f 70 0d 0a 70 65 61 72 0d 0a 6f 69 6c 0d 0a 6f 72 64 65 72 0d 0a 68 69 74 0d 0a 69 6e 73 69 64 65 0d 0a 6a 75 64 67 65 0d 0a 6f 66 66 65 72 0d 0a 6d 75 73 69 63 0d 0a 66 69 72 65 0d 0a 62 61 6e 6b 0d 0a 75 73 75 61 6c 6c 79 0d 0a 78 79 6c 65 6d 0d 0a 70 65 61 72 0d 0a 66 69 72 65 0d 0a 73 74 6f 6e 65 0d 0a 6c 6f 76 65 0d 0a 65 64 67 65 0d 0a 77 6f 6d 61 6e 0d 0a 69 6e 63 6f 6d 65 0d 0a 74 65 73 74 0d 0a 70 68 6f 6e 65 0d 0a 78 79 6c 65 6d 0d 0a 73 74 72 69 6e 67 0d 0a 75 6e 63 6c 65 0d 0a 67 72 65 65 6e 0d 0a 76 69 64 65 6f 0d 0a 6b 69 73 73 0d 0a 73 68 6f 72 74 0d 0a 70 6c 61 6e 74 0d 0a 69 63 65 0d 0a 6c 61 75 67 68 Data Ascii: namequalitynurseawardkingunsignedtoppearoilorderhitinsidejudgeoffermusicfirebankusuallyxylempearfirestoneloveedgewomanincometestphonexylemstringunclegreenvideokissshortplanticelaugh
2023-08-29 05:41:45 UTC	559	IN	Data Raw: 69 6d 61 6c 0d 0a 73 63 68 6f 6f 6c 0d 0a 77 65 65 6b 0d 0a 6b 69 63 6b 0d 0a 76 61 6c 75 65 0d 0a 62 6f 6f 6b 0d 0a 69 6e 63 6f 6d 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 61 69 72 0d 0a 77 61 74 65 72 0d 0a 70 68 6f 6e 65 0d 0a 66 69 72 65 0d 0a 6f 66 66 65 72 0d 0a 70 65 6e 0d 0a 63 69 74 79 0d 0a 6c 61 6e 64 0d 0a 62 6f 6f 6b 0d 0a 71 75 6f 74 65 0d 0a 76 61 6e 0d 0a 73 74 6f 6e 65 0d 0a 70 6c 61 6e 74 0d 0a 7a 6f 6d 62 69 65 0d 0a 6b 65 79 0d 0a 73 75 6e 0d 0a 73 75 6e 0d 0a 77 61 74 65 72 0d 0a 66 61 72 6d 0d 0a 71 75 65 65 6e 0d 0a 68 61 74 0d 0a 6a 61 63 6b 65 74 0d 0a 68 61 6e 64 0d 0a 6a 61 76 61 0d 0a 64 6f 67 0d 0a 6f 62 6a 65 63 74 0d 0a 62 69 72 64 0d 0a 75 6e 63 6c 65 0d 0a 61 72 74 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 6c 6f 6e 67 0d 0a Data Ascii: imalschoolweekkickvaluebookincomeknowledgeairwaterphonefireofferpencitylandbookquotevanstoneplantzombiekeysunsunwaterfarmqueenhatjackethandjavadogobjectbirduncleartvegetablelong
2023-08-29 05:41:45 UTC	575	IN	Data Raw: 6e 0d 0a 65 61 72 0d 0a 6c 61 6d 70 0d 0a 72 65 64 0d 0a 66 75 6e 63 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 61 6c 6f 6e 65 0d 0a 6c 69 66 65 0d 0a 64 65 65 72 0d 0a 65 64 67 65 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 76 6f 69 63 65 0d 0a 66 61 74 68 65 72 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 6d 75 73 69 63 0d 0a 74 69 6d 65 0d 0a 66 61 63 65 0d 0a 77 69 6e 64 0d 0a 72 69 76 65 72 0d 0a 77 65 73 74 0d 0a 6b 69 74 65 0d 0a 67 69 72 6c 0d 0a 64 61 6e 63 65 0d 0a 7a 65 61 6c 0d 0a 77 69 6e 74 65 72 0d 0a 71 75 65 65 6e 0d 0a 62 61 6e 61 6e 61 0d 0a 66 6f 72 0d 0a 61 72 74 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 72 69 76 65 72 0d 0a 6f 63 65 61 6e 0d 0a 68 61 6e 64 0d 0a 77 65 73 74 0d 0a 6a 61 63 6b 65 74 0d 0a 71 75 61 72 74 65 72 0d 0a 75 6e 64 65 72 67 Data Ascii: nearlampredfuncuniversityalonelifedeeredgeunsignedvoicefatherinformationmusictimefacewindriverwestkitegirldancezealwinterqueenbananaforartunsignedriveroceanhandwestjacketquarterunderg
2023-08-29 05:41:45 UTC	591	IN	Data Raw: 0a 73 6e 6f 77 0d 0a 72 75 6e 0d 0a 7a 6f 6f 0d 0a 63 61 72 0d 0a 73 74 61 72 0d 0a 68 69 67 68 0d 0a 6b 65 65 70 0d 0a 72 61 69 6e 0d 0a 6e 61 74 75 72 65 0d 0a 62 6c 75 65 0d 0a 68 65 61 72 74 0d 0a 7a 6f 6e 65 0d 0a 73 74 6f 6e 65 0d 0a 65 61 73 79 0d 0a 64 61 72 6b 0d 0a 71 75 69 65 74 0d 0a 76 69 73 69 74 6f 72 0d 0a 73 6e 61 6b 65 0d 0a 63 6c 69 70 0d 0a 67 6f 6c 64 0d 0a 61 63 65 0d 0a 76 69 73 69 74 6f 72 0d 0a 66 6f 6f 64 0d 0a 61 63 65 0d 0a 7a 65 62 72 61 0d 0a 73 6e 6f 77 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 6c 61 6e 64 0d 0a 6f 70 65 6e 0d 0a 65 67 67 0d 0a 69 64 65 61 0d 0a 70 69 7a 7a 61 0d 0a 6a 61 72 0d 0a 79 65 61 72 6e 0d 0a 6d 6f 76 69 65 0d 0a 77 69 6e 64 0d 0a 68 69 74 0d 0a 6a 75 6d 70 0d 0a 6d 61 70 0d 0a 70 68 6f 6e 65 0d 0a Data Ascii: snowrunzoocarstarhighkeeprainnatureblueheartzonestoneeasydarkquietvisitorsnakeclipgoldacevisitorfoodacezebrasnowuniversitylandopeneggideapizzajaryearnmoviewindhitjumpmapphone
2023-08-29 05:41:45 UTC	607	IN	Data Raw: 61 74 65 72 0d 0a 6d 65 6e 74 0d 0a 63 6c 6f 75 64 0d 0a 63 6f 61 74 0d 0a 66 61 63 65 0d 0a 76 61 6e 0d 0a 77 61 72 6e 0d 0a 62 65 61 63 68 0d 0a 65 72 72 6f 72 0d 0a 70 68 6f 6e 65 0d 0a 77 65 65 6b 0d 0a 6d 6f 74 68 65 72 0d 0a 69 63 6f 6e 0d 0a 65 69 67 68 74 0d 0a 63 6c 69 70 0d 0a 79 61 77 6e 0d 0a 72 65 73 74 0d 0a 68 61 69 72 0d 0a 67 69 72 6c 0d 0a 6a 75 64 67 65 0d 0a 69 73 6c 61 6e 64 0d 0a 73 6b 79 0d 0a 6d 61 70 0d 0a 71 75 69 63 6b 0d 0a 7a 6f 6d 62 69 65 0d 0a 61 72 72 61 79 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 77 69 6e 64 0d 0a 74 72 65 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 61 6e 69 6d 61 6c 0d 0a 6b 69 6e 67 0d 0a 6c 65 67 0d 0a 68 6f 75 73 65 0d 0a 6f 72 61 6e 67 65 0d 0a 6e 6f 73 65 0d 0a 6f 70 65 6e 0d 0a 65 6e 64 0d 0a 6e 6f 72 74 68 0d Data Ascii: atermentcloudcoatfacevanwarnbeacherrorphoneweekmothericoneightclipyawnresthairgirljudgeislandskymapquickzombiearrayknowledgewindtreeyellowanimalkingleghouseorangenoseopenendnorth
2023-08-29 05:41:45 UTC	623	IN	Data Raw: 6e 0d 0a 6d 75 73 69 63 0d 0a 67 6f 6c 64 0d 0a 6c 65 67 0d 0a 62 6f 6f 6b 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 68 61 6e 64 0d 0a 77 65 65 6b 0d 0a 6f 66 66 65 72 0d 0a 76 61 6e 0d 0a 76 69 65 77 0d 0a 67 61 6d 65 0d 0a 65 61 74 0d 0a 67 72 65 65 6e 0d 0a 74 69 6d 65 0d 0a 6b 69 74 65 0d 0a 63 68 61 72 0d 0a 75 6e 63 6c 65 0d 0a 6f 72 64 65 72 0d 0a 70 68 6f 6e 65 0d 0a 62 65 61 63 68 0d 0a 72 69 76 65 72 0d 0a 6f 72 61 6e 67 65 0d 0a 74 6f 77 6e 0d 0a 6d 75 73 69 63 0d 0a 62 69 72 64 0d 0a 79 6f 75 6e 67 0d 0a 7a 6f 6e 65 0d 0a 71 75 6f 74 65 0d 0a 65 69 67 68 74 0d 0a 6d 65 61 6c 0d 0a 66 6c 6f 77 65 72 0d 0a 6c 75 6e 63 68 0d 0a 72 6f 63 6b 0d 0a 68 69 74 0d 0a 6c 6f 76 65 0d 0a 61 69 72 0d 0a 76 69 65 77 0d 0a 66 6f 6f 74 0d 0a 66 61 63 65 0d 0a Data Ascii: nmusicgoldlegbookunderstandhandweekoffervanviewgameeatgreentimekitecharuncleorderphonebeachriverorangetownmusicbirdyoungzonequoteeightmealflowerlunchrockhitloveairviewfootface
2023-08-29 05:41:45 UTC	639	IN	Data Raw: 62 6f 78 0d 0a 68 65 61 64 0d 0a 6f 69 6c 0d 0a 63 69 74 79 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 77 61 79 0d 0a 79 6f 75 6e 67 0d 0a 62 6f 79 0d 0a 65 72 72 6f 72 0d 0a 6c 69 6f 6e 0d 0a 66 69 73 68 0d 0a 64 61 74 61 0d 0a 72 6f 61 64 0d 0a 72 65 73 74 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 77 65 73 74 0d 0a 6b 69 73 73 0d 0a 62 69 72 64 0d 0a 6e 6f 73 65 0d 0a 64 6f 6f 72 0d 0a 67 61 6d 65 0d 0a 72 6f 6f 6d 0d 0a 64 61 72 6b 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 62 65 61 63 68 0d 0a 77 69 6e 64 0d 0a 63 61 74 0d 0a 63 6f 77 0d 0a 6b 69 74 63 68 65 6e 0d 0a 67 6f 6c 64 0d 0a 62 61 6c 6c 0d 0a 6f 70 65 6e 0d 0a 6e 6f 74 65 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 62 69 72 64 0d 0a 74 6f 70 0d 0a 6e 6f 74 65 0d 0a 68 6f 70 65 0d 0a 6c 6f 76 65 0d 0a Data Ascii: boxheadoilcityyesterdaywayyoungboyerrorlionfishdataroadrestunderstandwestkissbirdnosedoorgameroomdarkinformationbeachwindcatcowkitchengoldballopennotequestionbirdtopnotehopelove
2023-08-29 05:41:45 UTC	655	IN	Data Raw: 0a 74 61 6c 6b 0d 0a 79 65 61 72 6e 0d 0a 61 6e 74 0d 0a 79 61 72 64 0d 0a 6f 66 66 65 72 0d 0a 63 6f 61 74 0d 0a 6b 69 73 73 0d 0a 65 6e 64 0d 0a 76 69 64 65 6f 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 77 68 69 74 65 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 6b 69 74 63 68 65 6e 0d 0a 6d 6f 6f 6e 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 66 61 6c 6c 0d 0a 66 6c 6f 77 65 72 0d 0a 62 75 73 0d 0a 76 69 63 74 6f 72 79 0d 0a 6a 61 76 61 0d 0a 6e 75 72 73 65 0d 0a 64 61 6e 63 65 0d 0a 79 61 72 64 0d 0a 65 61 73 74 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6c 65 74 74 65 72 0d 0a 6d 65 61 6c 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 68 61 6e 64 0d 0a 76 61 6c 75 65 0d 0a 67 6c 61 73 73 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 74 65 61 63 68 65 72 0d 0a 6a 75 6d 70 0d 0a Data Ascii: talkyearnantyardoffercoatkissendvideounsignedwhiteundergroundkitchenmoonunderstandfallflowerbusvictoryjavanursedanceyardeastmachinelettermealinformationhandvalueglassknowledgeteacherjump
2023-08-29 05:41:47 UTC	671	IN	Data Raw: 68 0d 0a 61 6e 69 6d 61 6c 0d 0a 61 72 74 0d 0a 69 63 6f 6e 0d 0a 69 6e 74 0d 0a 63 61 6b 65 0d 0a 71 75 61 6c 69 74 79 0d 0a 61 72 72 61 79 0d 0a 72 61 62 62 69 74 0d 0a 79 65 6c 6c 6f 77 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 6f 70 65 6e 0d 0a 7a 6f 6d 62 69 65 0d 0a 68 6f 70 65 0d 0a 6e 65 65 64 0d 0a 6f 72 61 6e 67 65 0d 0a 63 6f 61 74 0d 0a 70 65 61 72 0d 0a 6a 6f 6b 65 0d 0a 6d 65 61 6c 0d 0a 66 6f 6f 64 0d 0a 6c 69 6f 6e 0d 0a 64 72 65 61 6d 0d 0a 66 6c 6f 77 65 72 0d 0a 68 6f 70 65 0d 0a 71 75 61 6c 69 66 79 0d 0a 7a 65 72 6f 0d 0a 6a 75 6d 70 0d 0a 72 75 6e 0d 0a 77 69 6e 64 0d 0a 64 61 72 6b 0d 0a 66 6f 72 0d 0a 79 65 61 72 0d 0a 65 67 67 0d 0a 6b 69 6e 67 0d 0a 6f 72 61 6e 67 65 0d 0a 63 6f 77 0d 0a 70 69 63 74 75 72 65 0d 0a 77 65 73 74 0d 0a Data Ascii: hanimalarticonintcakequalityarrayrabbityellowvegetableopenzombiehopeneedorangecoatpearjokemealfoodliondreamflowerhopequalifyzerojumprunwinddarkforyeareggkingorangecowpicturewest
2023-08-29 05:41:47 UTC	679	IN	Data Raw: 6e 75 6d 62 65 72 0d 0a 68 61 74 0d 0a 77 69 6e 64 0d 0a 64 61 72 6b 0d 0a 74 6f 70 0d 0a 75 6e 63 6c 65 0d 0a 61 70 70 6c 65 0d 0a 61 72 72 6f 77 0d 0a 72 6f 6f 6d 0d 0a 72 6f 63 6b 0d 0a 64 61 74 61 0d 0a 6c 61 75 67 68 0d 0a 79 61 77 6e 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 63 6f 77 0d 0a 72 69 73 65 0d 0a 6f 63 65 61 6e 0d 0a 64 72 65 61 6d 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 68 69 74 0d 0a 6c 61 6e 64 0d 0a 69 73 6c 61 6e 64 0d 0a 74 65 61 63 68 65 72 0d 0a 63 61 6d 65 72 61 0d 0a 74 69 6d 65 0d 0a 73 68 6f 72 74 0d 0a 72 65 73 74 0d 0a 6b 69 6e 64 0d 0a 74 61 73 74 65 0d 0a 74 69 67 65 72 0d 0a 6d 61 70 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 65 61 73 79 0d 0a 66 6c 6f 77 65 72 0d 0a 6d 6f 74 68 65 72 0d 0a 69 6e 6b 0d 0a 72 65 64 0d 0a 7a 65 61 Data Ascii: numberhatwinddarktopuncleapplearrowroomrockdatalaughyawnknowledgecowriseoceandreamuniversityhitlandislandteachercameratimeshortrestkindtastetigermapquestioneasyflowermotherinkredzea
2023-08-29 05:41:47 UTC	687	IN	Data Raw: 65 61 6c 0d 0a 71 75 69 65 74 0d 0a 7a 69 70 70 65 72 0d 0a 64 61 6e 63 65 0d 0a 68 61 6e 64 0d 0a 6d 6f 74 68 65 72 0d 0a 65 6e 65 72 67 79 0d 0a 68 65 6c 70 0d 0a 79 65 61 72 6e 0d 0a 79 61 72 64 0d 0a 6d 61 6e 0d 0a 62 61 6e 6b 0d 0a 6e 61 74 75 72 65 0d 0a 65 61 74 0d 0a 70 69 7a 7a 61 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 62 61 6e 61 6e 61 0d 0a 74 69 67 65 72 0d 0a 77 61 79 0d 0a 77 61 79 0d 0a 74 6f 77 6e 0d 0a 63 6f 77 0d 0a 6e 6f 74 65 0d 0a 67 72 6f 75 70 0d 0a 73 63 68 6f 6f 6c 0d 0a 76 61 6c 75 65 0d 0a 66 61 6c 6c 0d 0a 6d 6f 76 69 65 0d 0a 78 79 6c 65 6d 0d 0a 74 61 6c 6b 0d 0a 70 69 6e 6b 0d 0a 6b 69 6e 64 0d 0a 65 61 73 79 0d 0a 63 6c 69 70 0d 0a 66 6c 6f 77 65 72 0d 0a 6c 6f 76 65 0d 0a 68 65 61 72 74 0d 0a 63 69 74 79 0d 0a 63 68 61 Data Ascii: ealquietzipperdancehandmotherenergyhelpyearnyardmanbanknatureeatpizzauniversitybananatigerwaywaytowncownotegroupschoolvaluefallmoviexylemtalkpinkkindeasyclipflowerloveheartcitycha
2023-08-29 05:41:47 UTC	703	IN	Data Raw: 6e 64 0d 0a 64 6f 0d 0a 77 6f 72 6b 0d 0a 6e 75 6d 62 65 72 0d 0a 67 6f 6c 64 0d 0a 73 74 6f 6e 65 0d 0a 79 65 61 72 0d 0a 70 68 6f 6e 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 62 69 72 64 0d 0a 65 6e 64 0d 0a 6d 61 70 0d 0a 69 6e 6b 0d 0a 6c 65 74 74 65 72 0d 0a 6c 6f 6e 67 0d 0a 6b 69 6e 64 0d 0a 62 75 73 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6a 75 6d 70 0d 0a 6b 65 65 70 0d 0a 70 69 6e 6b 0d 0a 6f 66 66 65 72 0d 0a 68 65 61 64 0d 0a 6a 75 6d 70 0d 0a 76 69 73 69 74 6f 72 0d 0a 73 6b 79 0d 0a 69 63 65 0d 0a 6b 69 64 0d 0a 69 64 65 61 0d 0a 61 72 72 6f 77 0d 0a 76 69 73 69 74 6f 72 0d 0a 6a 6f 79 0d 0a 7a 65 61 6c 0d 0a 66 61 6c 6c 0d 0a 62 75 73 0d 0a 62 65 61 63 68 0d 0a 64 61 72 6b 0d 0a 6e 61 6d 65 0d 0a 77 6f 72 6c 64 0d 0a 71 75 61 6c 69 74 79 0d 0a 70 Data Ascii: nddoworknumbergoldstoneyearphonemonkeybirdendmapinkletterlongkindbusunderstandjumpkeeppinkofferheadjumpvisitorskyicekidideaarrowvisitorjoyzealfallbusbeachdarknameworldqualityp
2023-08-29 05:41:47 UTC	719	IN	Data Raw: 0a 6c 61 6d 70 0d 0a 7a 65 72 6f 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 61 72 63 68 0d 0a 68 6f 70 65 0d 0a 61 69 72 0d 0a 70 61 70 65 72 0d 0a 79 6f 75 6e 67 0d 0a 66 6c 6f 77 65 72 0d 0a 67 75 65 73 74 0d 0a 62 6f 6f 6b 0d 0a 61 69 72 0d 0a 65 61 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 71 75 61 6c 69 66 79 0d 0a 70 65 61 72 0d 0a 6c 6f 76 65 0d 0a 76 6f 69 63 65 0d 0a 6e 75 72 73 65 0d 0a 77 61 79 0d 0a 64 75 63 6b 0d 0a 65 6e 64 0d 0a 6e 61 6d 65 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 6a 6f 6b 65 0d 0a 61 6e 74 0d 0a 79 65 61 72 6e 0d 0a 63 6f 61 74 0d 0a 70 6c 61 6e 74 0d 0a 70 65 6e 0d 0a 6a 75 64 67 65 0d 0a 74 61 6c 6b 0d 0a 66 6f 72 0d 0a 70 61 70 65 72 0d 0a 62 6f 79 0d 0a 70 69 7a 7a 61 0d 0a 72 69 73 65 0d 0a 77 61 79 0d 0a 67 6c 61 73 73 0d 0a 66 6f 6f Data Ascii: lampzerovegetablearchhopeairpaperyoungflowerguestbookairearmonkeyqualifypearlovevoicenursewayduckendnamequestionjokeantyearncoatplantpenjudgetalkforpaperboypizzarisewayglassfoo
2023-08-29 05:41:47 UTC	735	IN	Data Raw: 61 70 0d 0a 66 61 63 65 0d 0a 70 6f 77 65 72 0d 0a 69 73 73 75 65 0d 0a 67 72 61 73 73 0d 0a 73 6b 79 0d 0a 74 61 73 74 65 0d 0a 73 63 68 6f 6f 6c 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 67 6c 61 73 73 0d 0a 6a 6f 6b 65 0d 0a 6c 69 66 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 68 69 74 0d 0a 66 61 6c 6c 0d 0a 79 6f 75 6e 67 0d 0a 6d 6f 6e 6b 65 79 0d 0a 68 65 61 64 0d 0a 69 73 73 75 65 0d 0a 76 61 6e 0d 0a 6d 69 6c 6b 0d 0a 70 68 6f 6e 65 0d 0a 65 6e 65 72 67 79 0d 0a 6d 75 73 69 63 0d 0a 66 6c 6f 77 65 72 0d 0a 68 65 61 72 74 0d 0a 68 61 69 72 0d 0a 70 69 7a 7a 61 0d 0a 74 65 73 74 0d 0a 67 61 6d 65 0d 0a 70 65 72 73 6f 6e 0d 0a 79 6f 75 6e 67 0d 0a 6f 69 6c 0d 0a 77 65 73 74 0d 0a 65 61 72 74 68 0d 0a 70 6f 77 65 72 0d 0a 63 61 72 0d 0a 76 69 65 77 0d 0a 72 Data Ascii: apfacepowerissuegrassskytasteschoolvacationglassjokelifeknowledgehitfallyoungmonkeyheadissuevanmilkphoneenergymusicflowerhearthairpizzatestgamepersonyoungoilwestearthpowercarviewr
2023-08-29 05:41:47 UTC	751	IN	Data Raw: 6f 76 69 65 0d 0a 6b 69 63 6b 0d 0a 6f 72 64 65 72 0d 0a 69 73 73 75 65 0d 0a 70 68 6f 6e 65 0d 0a 74 61 6c 6b 0d 0a 65 61 72 74 68 0d 0a 63 61 74 0d 0a 76 61 6e 0d 0a 70 68 6f 6e 65 0d 0a 6f 6e 65 0d 0a 73 65 61 0d 0a 63 6f 61 74 0d 0a 63 61 6d 65 72 61 0d 0a 69 6e 73 69 64 65 0d 0a 6a 65 6c 6c 79 0d 0a 61 72 72 6f 77 0d 0a 66 69 73 68 0d 0a 6c 75 6e 63 68 0d 0a 74 65 61 63 68 65 72 0d 0a 65 61 73 79 0d 0a 6b 69 73 73 0d 0a 68 69 74 0d 0a 6e 61 74 75 72 65 0d 0a 64 61 72 6b 0d 0a 65 64 67 65 0d 0a 74 6f 77 6e 0d 0a 6a 61 63 6b 65 74 0d 0a 66 61 74 68 65 72 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 66 6f 6f 64 0d 0a 71 75 69 65 74 0d 0a 68 6f 70 65 0d 0a 6e 75 6d 62 65 72 0d 0a 66 72 69 65 6e 64 0d 0a 61 6e 69 6d 61 6c 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a Data Ascii: oviekickorderissuephonetalkearthcatvanphoneoneseacoatcamerainsidejellyarrowfishlunchteachereasykisshitnaturedarkedgetownjacketfatherKanthanfoodquiethopenumberfriendanimalinformation
2023-08-29 05:41:47 UTC	759	IN	Data Raw: 68 65 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 76 6f 69 63 65 0d 0a 69 73 73 75 65 0d 0a 66 6c 6f 77 65 72 0d 0a 74 69 6d 65 0d 0a 73 6f 6e 67 0d 0a 65 79 65 0d 0a 71 75 61 6c 69 66 79 0d 0a 78 79 6c 65 6d 0d 0a 6b 69 64 0d 0a 79 6f 75 6e 67 0d 0a 68 65 61 72 74 0d 0a 61 69 72 0d 0a 6a 6f 79 0d 0a 72 6f 6f 6d 0d 0a 7a 6f 6f 0d 0a 66 6c 6f 77 65 72 0d 0a 62 61 6e 61 6e 61 0d 0a 65 73 63 61 70 65 0d 0a 79 61 77 6e 0d 0a 6d 65 6e 74 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 62 6f 6f 6b 0d 0a 65 72 72 6f 72 0d 0a 70 65 72 73 6f 6e 0d 0a 6c 69 6f 6e 0d 0a 72 61 69 6e 0d 0a 6e 6f 73 65 0d 0a 62 61 6e 6b 0d 0a 61 72 72 6f 77 0d 0a 64 65 65 72 0d 0a 73 74 6f 6e 65 0d 0a 68 6f 70 65 0d 0a 6f 72 61 6e 67 65 0d 0a 62 61 6e 61 6e 61 0d 0a 69 6e 6b 0d 0a 63 6c 69 70 0d 0a 72 61 69 Data Ascii: hermonkeyvoiceissueflowertimesongeyequalifyxylemkidyoungheartairjoyroomzooflowerbananaescapeyawnmentvacationbookerrorpersonlionrainnosebankarrowdeerstonehopeorangebananainkcliprai
2023-08-29 05:41:47 UTC	767	IN	Data Raw: 69 63 74 6f 72 79 0d 0a 6d 61 63 68 69 6e 65 0d 0a 61 6c 6f 6e 65 0d 0a 6c 6f 6e 67 0d 0a 69 6e 73 69 64 65 0d 0a 65 67 67 0d 0a 63 61 6b 65 0d 0a 65 61 73 74 0d 0a 6b 69 64 0d 0a 6c 61 6e 64 0d 0a 73 75 6e 0d 0a 71 75 65 65 6e 0d 0a 6e 69 67 68 74 0d 0a 75 6e 63 6c 65 0d 0a 67 69 72 6c 0d 0a 71 75 61 6c 69 74 79 0d 0a 63 61 6b 65 0d 0a 61 63 65 0d 0a 78 79 6c 65 6d 0d 0a 6b 69 63 6b 0d 0a 66 6f 72 0d 0a 6e 6f 72 74 68 0d 0a 77 61 79 0d 0a 74 61 6c 6b 0d 0a 68 65 61 72 74 0d 0a 6a 6f 6b 65 0d 0a 6e 75 6d 62 65 72 0d 0a 6d 65 6e 74 0d 0a 73 74 72 69 6e 67 0d 0a 65 61 73 74 0d 0a 6d 6f 6f 6e 0d 0a 64 61 6e 63 65 0d 0a 6c 65 67 0d 0a 66 61 63 65 0d 0a 62 61 6e 61 6e 61 0d 0a 66 61 72 6d 0d 0a 6f 63 65 61 6e 0d 0a 68 69 67 68 0d 0a 68 65 61 64 0d 0a 6c 61 75 Data Ascii: ictorymachinealonelonginsideeggcakeeastkidlandsunqueennightunclegirlqualitycakeacexylemkickfornorthwaytalkheartjokenumbermentstringeastmoondancelegfacebananafarmoceanhighheadlau
2023-08-29 05:41:47 UTC	783	IN	Data Raw: 6d 65 0d 0a 6b 69 63 6b 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 6a 6f 79 0d 0a 78 79 6c 65 6d 0d 0a 68 65 6c 70 0d 0a 77 61 74 65 72 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 61 72 74 0d 0a 77 65 65 6b 0d 0a 6f 6e 65 0d 0a 61 72 72 61 79 0d 0a 65 79 65 0d 0a 76 69 65 77 0d 0a 66 6f 6f 74 0d 0a 6d 61 70 0d 0a 70 69 6e 6b 0d 0a 65 69 67 68 74 0d 0a 6e 75 6d 62 65 72 0d 0a 61 72 74 0d 0a 65 6e 64 0d 0a 70 65 61 72 0d 0a 73 74 6f 6e 65 0d 0a 65 69 67 68 74 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 62 6c 75 65 0d 0a 65 72 72 6f 72 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 62 61 6e 6b 0d 0a 6b 65 65 70 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 74 69 6d 65 0d 0a 61 72 74 0d 0a 67 72 65 65 6e 0d 0a 73 74 6f 6e 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 6d 61 63 68 69 6e 65 0d 0a 66 6f 6f 74 0d 0a 72 Data Ascii: mekickjourneyjoyxylemhelpwatervacationartweekonearrayeyeviewfootmappinkeightnumberartendpearstoneeightquestionblueerrorunderstandbankkeepKanthantimeartgreenstoneyellowmachinefootr
2023-08-29 05:41:47 UTC	799	IN	Data Raw: 63 6f 6c 6f 72 0d 0a 6f 70 65 6e 0d 0a 6e 75 6d 62 65 72 0d 0a 71 75 69 65 74 0d 0a 65 61 73 74 0d 0a 61 72 74 0d 0a 64 65 65 72 0d 0a 62 65 61 63 68 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 6d 65 61 6c 0d 0a 73 63 68 6f 6f 6c 0d 0a 61 6e 69 6d 61 6c 0d 0a 77 68 69 74 65 0d 0a 63 6f 6c 6f 72 0d 0a 6d 65 61 6c 0d 0a 79 65 6c 6c 6f 77 0d 0a 72 65 73 74 0d 0a 6d 61 63 68 69 6e 65 0d 0a 73 74 61 72 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 62 65 61 63 68 0d 0a 72 6f 63 6b 0d 0a 6a 65 6c 6c 79 0d 0a 6d 69 6c 6b 0d 0a 61 6e 74 0d 0a 65 61 72 0d 0a 66 72 69 65 6e 64 0d 0a 68 61 74 0d 0a 65 61 72 74 68 0d 0a 77 69 6e 64 0d 0a 63 69 74 79 0d 0a 65 73 63 61 70 65 0d 0a 76 69 64 65 6f 0d 0a 65 61 72 0d 0a 72 65 64 0d 0a 70 69 63 74 75 72 65 0d 0a 62 61 6e 61 6e 61 0d Data Ascii: coloropennumberquieteastartdeerbeachinformationmealschoolanimalwhitecolormealyellowrestmachinestarvacationbeachrockjellymilkantearfriendhatearthwindcityescapevideoearredpicturebanana
2023-08-29 05:41:47 UTC	815	IN	Data Raw: 0d 0a 6d 75 73 69 63 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 72 65 64 0d 0a 61 63 65 0d 0a 77 69 6e 64 0d 0a 64 6f 6f 72 0d 0a 77 61 79 0d 0a 69 6e 6b 0d 0a 69 73 73 75 65 0d 0a 6c 69 66 65 0d 0a 65 67 67 0d 0a 6d 65 61 6c 0d 0a 64 72 65 61 6d 0d 0a 6b 69 6e 64 0d 0a 7a 6f 6d 62 69 65 0d 0a 62 6c 75 65 0d 0a 6b 69 63 6b 0d 0a 65 72 72 6f 72 0d 0a 62 61 6e 61 6e 61 0d 0a 68 65 6c 70 0d 0a 61 70 70 6c 65 0d 0a 76 61 6c 75 65 0d 0a 66 6f 6f 64 0d 0a 77 69 6e 74 65 72 0d 0a 63 61 6b 65 0d 0a 62 69 72 64 0d 0a 74 61 6c 6b 0d 0a 74 6f 77 6e 0d 0a 72 61 69 6e 0d 0a 70 65 6e 0d 0a 79 65 6c 6c 6f 77 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 77 69 6e 74 65 72 0d 0a 74 61 6c 6b 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6f 70 65 6e 0d 0a 63 61 6d 65 72 61 0d 0a 69 64 65 61 0d 0a Data Ascii: musicvacationredacewinddoorwayinkissuelifeeggmealdreamkindzombiebluekickerrorbananahelpapplevaluefoodwintercakebirdtalktownrainpenyellowyesterdaywintertalkunsignedopencameraidea
2023-08-29 05:41:47 UTC	831	IN	Data Raw: 6e 74 69 74 79 0d 0a 65 61 72 0d 0a 6e 65 65 64 0d 0a 6a 61 63 6b 65 74 0d 0a 65 69 67 68 74 0d 0a 62 6f 6f 6b 0d 0a 76 61 6c 75 65 0d 0a 6c 61 6e 64 0d 0a 62 69 72 64 0d 0a 6f 62 6a 65 63 74 0d 0a 6b 65 79 0d 0a 68 61 74 0d 0a 6e 65 65 64 0d 0a 6d 65 6e 74 0d 0a 61 6c 6f 6e 65 0d 0a 62 69 72 64 0d 0a 70 6f 77 65 72 0d 0a 6c 65 74 74 65 72 0d 0a 66 61 72 6d 0d 0a 6e 69 67 68 74 0d 0a 6c 75 6e 63 68 0d 0a 69 63 6f 6e 0d 0a 69 6e 63 6f 6d 65 0d 0a 76 69 64 65 6f 0d 0a 70 69 6e 6b 0d 0a 62 6c 75 65 0d 0a 6c 65 74 74 65 72 0d 0a 68 61 74 0d 0a 65 61 73 74 0d 0a 6b 69 74 65 0d 0a 70 65 72 73 6f 6e 0d 0a 77 69 6e 64 0d 0a 74 61 6c 6b 0d 0a 64 75 63 6b 0d 0a 6c 69 66 65 0d 0a 68 65 61 72 74 0d 0a 75 6e 63 6c 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 61 63 65 Data Ascii: ntityearneedjacketeightbookvaluelandbirdobjectkeyhatneedmentalonebirdpowerletterfarmnightlunchiconincomevideopinkblueletterhateastkitepersonwindtalkducklifeheartuncleunderstandace
2023-08-29 05:41:47 UTC	847	IN	Data Raw: 6c 6c 0d 0a 72 6f 63 6b 0d 0a 62 61 6c 6c 0d 0a 73 74 61 72 0d 0a 79 6f 75 6e 67 0d 0a 78 79 6c 65 6d 0d 0a 6c 69 6f 6e 0d 0a 6c 75 6e 63 68 0d 0a 6d 65 61 6c 0d 0a 6b 69 6e 67 0d 0a 6a 75 6d 70 0d 0a 6c 6f 76 65 0d 0a 67 72 61 73 73 0d 0a 6d 6f 6e 6b 65 79 0d 0a 68 61 69 72 0d 0a 74 6f 77 6e 0d 0a 65 72 72 6f 72 0d 0a 68 61 6e 64 0d 0a 6a 61 72 0d 0a 70 6c 61 6e 74 0d 0a 77 6f 72 6b 0d 0a 6a 61 63 6b 65 74 0d 0a 6e 6f 74 65 0d 0a 72 61 69 6e 0d 0a 6b 69 6e 64 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 74 72 65 65 0d 0a 61 72 74 0d 0a 71 75 69 65 74 0d 0a 79 65 6c 6c 6f 77 0d 0a 62 6c 75 65 0d 0a 79 65 61 72 6e 0d 0a 6e 61 74 75 72 65 0d 0a 79 65 61 72 0d 0a 67 75 65 73 74 0d 0a 75 6e 63 6c 65 0d 0a 67 6f 6c 64 0d 0a 61 72 72 6f 77 0d 0a 71 75 69 65 74 0d 0a 6f 72 Data Ascii: llrockballstaryoungxylemlionlunchmealkingjumplovegrassmonkeyhairtownerrorhandjarplantworkjacketnoterainkindjourneytreeartquietyellowblueyearnnatureyearguestunclegoldarrowquietor
2023-08-29 05:41:47 UTC	863	IN	Data Raw: 0d 0a 6d 6f 76 69 65 0d 0a 63 61 6d 65 72 61 0d 0a 69 63 6f 6e 0d 0a 63 6f 6c 6f 72 0d 0a 73 6e 6f 77 0d 0a 65 6e 65 72 67 79 0d 0a 6a 61 72 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 72 6f 61 64 0d 0a 72 75 6e 0d 0a 72 69 73 65 0d 0a 65 61 72 0d 0a 6b 65 65 70 0d 0a 6b 69 73 73 0d 0a 6e 75 72 73 65 0d 0a 65 6e 64 0d 0a 6b 65 65 70 0d 0a 77 68 69 74 65 0d 0a 64 75 63 6b 0d 0a 61 6c 6f 6e 65 0d 0a 77 65 65 6b 0d 0a 61 6e 74 0d 0a 63 61 72 0d 0a 71 75 69 63 6b 0d 0a 74 69 67 65 72 0d 0a 64 72 65 61 6d 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 65 61 72 74 68 0d 0a 64 75 63 6b 0d 0a 64 61 74 61 0d 0a 64 61 72 6b 0d 0a 6c 61 6d 70 0d 0a 69 6e 63 6f 6d 65 0d 0a 78 79 6c 65 6d 0d 0a 66 61 72 6d 0d 0a 68 6f 75 73 65 0d 0a 72 75 6e 0d 0a 74 65 73 74 0d 0a 75 6e 69 74 0d Data Ascii: moviecameraiconcolorsnowenergyjarvegetableroadrunriseearkeepkissnurseendkeepwhiteduckaloneweekantcarquicktigerdreamyesterdayearthduckdatadarklampincomexylemfarmhouseruntestunit
2023-08-29 05:41:47 UTC	879	IN	Data Raw: 6e 69 76 65 72 73 69 74 79 0d 0a 69 6e 73 69 64 65 0d 0a 68 6f 75 73 65 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 62 61 6e 61 6e 61 0d 0a 6b 69 64 0d 0a 73 65 76 65 6e 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 77 61 72 6e 0d 0a 67 61 6d 65 0d 0a 75 6e 69 74 0d 0a 74 72 65 65 0d 0a 68 61 6e 64 0d 0a 6a 6f 6b 65 0d 0a 70 65 72 73 6f 6e 0d 0a 77 6f 72 6b 0d 0a 6f 6e 65 0d 0a 65 61 72 74 68 0d 0a 75 6e 63 6c 65 0d 0a 71 75 6f 74 65 0d 0a 62 6c 75 65 0d 0a 66 61 63 65 0d 0a 62 61 6e 6b 0d 0a 61 6e 74 0d 0a 66 6f 6f 64 0d 0a 6d 65 61 6c 0d 0a 6b 69 63 6b 0d 0a 6f 70 65 6e 0d 0a 6d 61 63 68 69 6e 65 0d 0a 63 69 74 79 0d 0a 71 75 69 63 6b 0d 0a 74 65 73 74 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 73 63 68 6f 6f 6c 0d 0a 75 73 65 0d 0a 6b 69 63 6b 0d 0a 61 77 61 72 64 0d 0a 75 73 65 Data Ascii: niversityinsidehousevacationbananakidsevenunsignedwarngameunittreehandjokepersonworkoneearthunclequotebluefacebankantfoodmealkickopenmachinecityquicktestjourneyschoolusekickawarduse
2023-08-29 05:41:47 UTC	895	IN	Data Raw: 0d 0a 6d 61 70 0d 0a 70 65 61 72 0d 0a 6d 6f 74 68 65 72 0d 0a 65 61 73 79 0d 0a 76 69 65 77 0d 0a 64 6f 0d 0a 72 61 62 62 69 74 0d 0a 63 61 6d 65 72 61 0d 0a 61 6e 69 6d 61 6c 0d 0a 6a 65 6c 6c 79 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 66 6f 72 0d 0a 61 72 74 0d 0a 74 6f 77 6e 0d 0a 74 72 61 69 6e 0d 0a 6c 61 6d 70 0d 0a 6f 66 66 69 63 65 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 6b 69 64 0d 0a 79 65 61 72 6e 0d 0a 62 6f 6f 6b 0d 0a 6e 75 6d 62 65 72 0d 0a 68 65 61 64 0d 0a 68 6f 75 73 65 0d 0a 66 61 74 68 65 72 0d 0a 7a 65 72 6f 0d 0a 66 61 74 68 65 72 0d 0a 68 61 69 72 0d 0a 61 72 63 68 0d 0a 77 61 74 65 72 0d 0a 67 68 6f 73 74 0d 0a 63 61 74 0d 0a 72 65 73 74 0d 0a 63 69 74 79 0d 0a 77 68 69 74 65 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 6b 69 73 73 0d 0a 72 69 73 65 Data Ascii: mappearmothereasyviewdorabbitcameraanimaljellyquantityforarttowntrainlampofficeKanthankidyearnbooknumberheadhousefatherzerofatherhairarchwaterghostcatrestcitywhitequantitykissrise
2023-08-29 05:41:47 UTC	911	IN	Data Raw: 0a 6f 72 64 65 72 0d 0a 64 61 74 61 0d 0a 70 65 6e 0d 0a 67 6c 61 73 73 0d 0a 73 75 6e 0d 0a 70 69 6e 6b 0d 0a 77 68 69 74 65 0d 0a 73 6b 79 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 62 61 6c 6c 0d 0a 67 72 65 65 6e 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 76 69 64 65 6f 0d 0a 6b 69 64 0d 0a 71 75 69 65 74 0d 0a 67 6f 61 74 0d 0a 6f 66 66 69 63 65 0d 0a 68 65 61 64 0d 0a 71 75 69 63 6b 0d 0a 61 70 70 6c 65 0d 0a 73 6b 79 0d 0a 75 6e 69 74 0d 0a 6e 75 6d 62 65 72 0d 0a 78 79 6c 65 6d 0d 0a 7a 6f 6e 65 0d 0a 73 6e 61 6b 65 0d 0a 76 69 64 65 6f 0d 0a 73 75 6e 0d 0a 6f 66 66 69 63 65 0d 0a 6f 69 6c 0d 0a 74 72 65 65 0d 0a 67 61 6d 65 0d 0a 75 6e 69 74 0d 0a 6a 6f 79 0d 0a 67 6c 61 73 73 0d 0a 7a 65 72 6f 0d 0a 6e 65 65 64 0d 0a 6c 6f 76 65 0d 0a 73 75 67 61 72 0d 0a Data Ascii: orderdatapenglasssunpinkwhiteskyvacationballgreenyesterdayvideokidquietgoatofficeheadquickappleskyunitnumberxylemzonesnakevideosunofficeoiltreegameunitjoyglasszeroneedlovesugar
2023-08-29 05:41:47 UTC	927	IN	Data Raw: 67 65 0d 0a 6e 61 6d 65 0d 0a 71 75 61 6c 69 66 79 0d 0a 77 65 65 6b 0d 0a 73 75 6e 0d 0a 6b 65 65 70 0d 0a 63 6f 61 74 0d 0a 79 65 61 72 6e 0d 0a 77 69 6e 64 0d 0a 66 69 73 68 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 65 69 67 68 74 0d 0a 66 69 73 68 0d 0a 65 61 72 0d 0a 6f 62 6a 65 63 74 0d 0a 63 68 61 72 0d 0a 67 72 65 65 6e 0d 0a 76 6f 69 63 65 0d 0a 64 65 73 6b 0d 0a 64 6f 67 0d 0a 62 61 6e 61 6e 61 0d 0a 66 61 74 68 65 72 0d 0a 67 72 6f 75 70 0d 0a 70 61 70 65 72 0d 0a 6c 61 6b 65 0d 0a 74 61 6c 6b 0d 0a 71 75 61 6c 69 74 79 0d 0a 79 65 61 72 0d 0a 64 61 72 6b 0d 0a 6b 69 64 0d 0a 66 6f 6f 74 0d 0a 68 61 69 72 0d 0a 6d 61 63 68 69 6e 65 0d 0a 79 65 73 0d 0a 6d 6f 6f 6e 0d 0a 7a 6f 6d 62 69 65 0d 0a 73 68 6f 72 74 0d 0a 73 74 72 69 6e 67 0d 0a 6f Data Ascii: genamequalifyweeksunkeepcoatyearnwindfishundergroundeightfishearobjectchargreenvoicedeskdogbananafathergrouppaperlaketalkqualityyeardarkkidfoothairmachineyesmoonzombieshortstringo
2023-08-29 05:41:47 UTC	943	IN	Data Raw: 75 65 65 6e 0d 0a 69 6e 73 69 64 65 0d 0a 75 6e 63 6c 65 0d 0a 71 75 61 6c 69 66 79 0d 0a 79 65 6c 6c 6f 77 0d 0a 66 61 63 65 0d 0a 61 69 72 0d 0a 72 65 73 74 0d 0a 6e 61 6d 65 0d 0a 6e 61 6d 65 0d 0a 77 65 73 74 0d 0a 64 61 72 6b 0d 0a 63 6c 69 70 0d 0a 65 6e 65 72 67 79 0d 0a 73 6f 6e 67 0d 0a 6f 70 65 6e 0d 0a 65 79 65 0d 0a 64 61 6e 63 65 0d 0a 74 69 67 65 72 0d 0a 61 72 74 0d 0a 70 6f 77 65 72 0d 0a 62 6c 75 65 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 76 69 63 74 6f 72 79 0d 0a 63 68 61 72 0d 0a 64 75 63 6b 0d 0a 62 75 73 0d 0a 6d 65 61 6c 0d 0a 6c 69 66 65 0d 0a 76 69 63 74 6f 72 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 63 61 6d 65 72 61 0d 0a 70 65 72 73 6f 6e 0d 0a 72 65 64 0d 0a 65 61 74 0d 0a 62 6f 6f 6b 0d 0a 63 6c 6f 75 64 0d 0a 6c 61 6e 64 Data Ascii: ueeninsideunclequalifyyellowfaceairrestnamenamewestdarkclipenergysongopeneyedancetigerartpowerbluevegetablevictorycharduckbusmeallifevictoryuniversitycamerapersonredeatbookcloudland
2023-08-29 05:41:47 UTC	959	IN	Data Raw: 0d 0a 6b 69 63 6b 0d 0a 73 75 67 61 72 0d 0a 71 75 69 63 6b 0d 0a 6c 61 6b 65 0d 0a 65 61 72 0d 0a 62 65 61 63 68 0d 0a 63 61 6b 65 0d 0a 77 61 72 6e 0d 0a 62 6f 6f 6b 0d 0a 69 63 6f 6e 0d 0a 66 72 69 65 6e 64 0d 0a 72 6f 63 6b 0d 0a 79 61 77 6e 0d 0a 79 61 77 6e 0d 0a 73 74 61 72 0d 0a 72 6f 63 6b 0d 0a 76 69 65 77 0d 0a 61 72 72 6f 77 0d 0a 65 6e 65 72 67 79 0d 0a 6a 75 64 67 65 0d 0a 75 6e 63 6c 65 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 70 6f 77 65 72 0d 0a 6d 6f 76 69 65 0d 0a 72 69 73 65 0d 0a 73 74 72 69 6e 67 0d 0a 72 75 6e 0d 0a 72 65 73 74 0d 0a 66 75 6e 63 0d 0a 62 6f 6f 6b 0d 0a 65 72 72 6f 72 0d 0a 68 69 74 0d 0a 76 69 65 77 0d 0a 66 61 74 68 65 72 0d 0a 6a 65 6c 6c 79 0d 0a 79 65 6c 6c 6f 77 0d 0a 72 61 69 6e 0d 0a 73 65 61 0d 0a 75 6e 73 Data Ascii: kicksugarquicklakeearbeachcakewarnbookiconfriendrockyawnyawnstarrockviewarrowenergyjudgeuncleuniversitypowermovierisestringrunrestfuncbookerrorhitviewfatherjellyyellowrainseauns
2023-08-29 05:41:47 UTC	975	IN	Data Raw: 63 6f 77 0d 0a 66 61 72 6d 0d 0a 6b 65 79 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 61 72 72 61 79 0d 0a 70 69 63 74 75 72 65 0d 0a 64 61 6e 63 65 0d 0a 74 72 61 69 6e 0d 0a 6a 61 72 0d 0a 66 61 6c 6c 0d 0a 75 73 75 61 6c 6c 79 0d 0a 6f 66 66 65 72 0d 0a 73 68 6f 72 74 0d 0a 69 64 65 61 0d 0a 69 6e 6b 0d 0a 6a 61 72 0d 0a 6c 65 74 74 65 72 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 64 61 74 61 0d 0a 64 72 65 61 6d 0d 0a 65 67 67 0d 0a 77 6f 6d 61 6e 0d 0a 69 63 65 0d 0a 6f 63 65 61 6e 0d 0a 64 61 6e 63 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 67 68 6f 73 74 0d 0a 66 61 6c 6c 0d 0a 62 65 61 63 68 0d 0a 76 69 63 74 6f 72 79 0d 0a 66 6f 6f 74 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 72 75 6e 0d 0a 64 75 63 6b 0d 0a 67 72 65 65 6e 0d 0a 67 72 65 65 6e 0d 0a 6e 61 74 75 72 Data Ascii: cowfarmkeyunderstandarraypicturedancetrainjarfallusuallyoffershortideainkjarletteryesterdaydatadreameggwomaniceoceandancemonkeyghostfallbeachvictoryfootvegetablerunduckgreengreennatur
2023-08-29 05:41:47 UTC	991	IN	Data Raw: 0d 0a 72 69 76 65 72 0d 0a 65 61 72 74 68 0d 0a 65 61 72 0d 0a 72 6f 6f 6d 0d 0a 63 61 6d 65 72 61 0d 0a 62 75 73 0d 0a 70 69 7a 7a 61 0d 0a 74 65 61 63 68 65 72 0d 0a 77 69 6e 64 0d 0a 64 61 79 0d 0a 66 75 6e 63 0d 0a 68 69 67 68 0d 0a 6f 69 6c 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 65 6e 64 0d 0a 61 63 65 0d 0a 70 68 6f 6e 65 0d 0a 6b 69 74 63 68 65 6e 0d 0a 64 72 65 61 6d 0d 0a 72 69 73 65 0d 0a 6c 61 6e 64 0d 0a 6f 63 65 61 6e 0d 0a 63 61 6b 65 0d 0a 6f 66 66 65 72 0d 0a 67 6f 61 74 0d 0a 74 72 65 65 0d 0a 72 65 73 74 0d 0a 76 61 6e 0d 0a 73 75 67 61 72 0d 0a 6f 70 65 6e 0d 0a 73 68 6f 72 74 0d 0a 6e 75 6d 62 65 72 0d 0a 62 61 6e 6b 0d 0a 69 6e 6b 0d 0a 70 69 6e 6b 0d 0a 66 6f 6f 74 0d 0a 63 6c 6f 75 64 0d 0a 6e 6f 73 65 0d 0a 6d 6f 6e 6b 65 79 0d Data Ascii: riverearthearroomcamerabuspizzateacherwinddayfunchighoilunderstandendacephonekitchendreamriselandoceancakeoffergoattreerestvansugaropenshortnumberbankinkpinkfootcloudnosemonkey
2023-08-29 05:41:47 UTC	1007	IN	Data Raw: 61 6e 0d 0a 6a 61 72 0d 0a 62 6f 6f 6b 0d 0a 6f 72 61 6e 67 65 0d 0a 64 72 65 61 6d 0d 0a 62 6f 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 64 65 73 6b 0d 0a 6e 61 74 75 72 65 0d 0a 68 61 69 72 0d 0a 72 65 64 0d 0a 79 61 72 64 0d 0a 74 69 67 65 72 0d 0a 61 6c 6f 6e 65 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 73 74 72 69 6e 67 0d 0a 69 73 6c 61 6e 64 0d 0a 6a 61 76 61 0d 0a 70 65 72 73 6f 6e 0d 0a 6e 61 6d 65 0d 0a 67 6f 61 74 0d 0a 69 6e 73 69 64 65 0d 0a 65 67 67 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 6d 65 61 6c 0d 0a 69 73 6c 61 6e 64 0d 0a 6e 61 74 75 72 65 0d 0a 7a 6f 6d 62 69 65 0d 0a 71 75 69 63 6b 0d 0a 71 75 61 6c 69 66 79 0d 0a 73 6f 6e 67 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 64 72 65 61 6d 0d 0a 73 6f 6e 67 0d 0a 75 6e 63 6c 65 0d 0a 6b 69 Data Ascii: anjarbookorangedreamboyuniversitydesknaturehairredyardtigeraloneuniversitystringislandjavapersonnamegoatinsideeggvacationmealislandnaturezombiequickqualifysongunderstanddreamsonguncleki
2023-08-29 05:41:47 UTC	1023	IN	Data Raw: 69 67 65 72 0d 0a 6f 62 6a 65 63 74 0d 0a 76 6f 69 63 65 0d 0a 67 72 65 65 6e 0d 0a 67 6c 61 73 73 0d 0a 64 65 73 6b 0d 0a 62 6f 6f 6b 0d 0a 6d 61 63 68 69 6e 65 0d 0a 72 6f 6f 6d 0d 0a 6b 69 6e 64 0d 0a 6e 6f 72 74 68 0d 0a 6a 61 63 6b 65 74 0d 0a 69 73 6c 61 6e 64 0d 0a 65 61 72 0d 0a 67 6f 61 74 0d 0a 6c 75 6e 63 68 0d 0a 6d 6f 6f 6e 0d 0a 6f 62 6a 65 63 74 0d 0a 6c 75 6e 63 68 0d 0a 6c 6f 6e 67 0d 0a 76 6f 69 63 65 0d 0a 62 69 72 64 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 65 72 72 6f 72 0d 0a 72 69 76 65 72 0d 0a 64 61 79 0d 0a 72 75 6e 0d 0a 6c 75 6e 63 68 0d 0a 68 69 67 68 0d 0a 72 6f 61 64 0d 0a 63 6f 6c 6f 72 0d 0a 61 77 61 72 64 0d 0a 77 65 73 74 0d 0a 61 63 65 0d 0a 69 64 65 61 0d 0a 6c 61 75 67 68 0d 0a 66 61 63 65 0d 0a 65 69 67 68 74 0d 0a 73 6e 61 Data Ascii: igerobjectvoicegreenglassdeskbookmachineroomkindnorthjacketislandeargoatlunchmoonobjectlunchlongvoicebirdKanthanerrorriverdayrunlunchhighroadcolorawardwestaceidealaughfaceeightsna
2023-08-29 05:41:47 UTC	1039	IN	Data Raw: 0a 63 6c 6f 75 64 0d 0a 6f 72 64 65 72 0d 0a 6b 69 73 73 0d 0a 72 69 73 65 0d 0a 72 69 73 65 0d 0a 67 6f 6c 64 0d 0a 6d 6f 6e 6b 65 79 0d 0a 73 6e 61 6b 65 0d 0a 6a 61 76 61 0d 0a 66 6c 6f 77 65 72 0d 0a 76 69 63 74 6f 72 79 0d 0a 6e 75 6d 62 65 72 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 62 6f 78 0d 0a 6c 65 74 74 65 72 0d 0a 6f 62 6a 65 63 74 0d 0a 73 75 67 61 72 0d 0a 62 69 72 64 0d 0a 69 6e 74 0d 0a 6b 69 73 73 0d 0a 69 63 6f 6e 0d 0a 6b 69 6e 64 0d 0a 67 72 6f 75 70 0d 0a 65 72 72 6f 72 0d 0a 66 61 74 68 65 72 0d 0a 66 61 63 65 0d 0a 6f 66 66 65 72 0d 0a 6a 75 64 67 65 0d 0a 65 6e 64 0d 0a 64 61 72 6b 0d 0a 70 61 70 65 72 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 70 69 6e 6b 0d 0a 6d 75 73 69 63 0d 0a 69 6e 63 6f 6d 65 0d 0a 77 69 6e 74 65 72 0d 0a 79 65 61 Data Ascii: cloudorderkissriserisegoldmonkeysnakejavaflowervictorynumberunderstandboxletterobjectsugarbirdintkissiconkindgrouperrorfatherfaceofferjudgeenddarkpaperKanthanpinkmusicincomewinteryea
2023-08-29 05:41:47 UTC	1055	IN	Data Raw: 69 64 65 61 0d 0a 74 61 6c 6b 0d 0a 62 61 6e 61 6e 61 0d 0a 69 63 6f 6e 0d 0a 77 61 79 0d 0a 72 6f 6f 6d 0d 0a 61 70 70 6c 65 0d 0a 63 6f 6c 6f 72 0d 0a 67 69 72 6c 0d 0a 75 6e 69 74 0d 0a 63 61 6d 65 72 61 0d 0a 69 6e 6b 0d 0a 61 6e 74 0d 0a 77 61 74 65 72 0d 0a 6c 61 6b 65 0d 0a 71 75 61 6c 69 66 79 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 67 75 65 73 74 0d 0a 64 61 72 6b 0d 0a 70 65 72 73 6f 6e 0d 0a 6e 6f 74 65 0d 0a 6f 66 66 65 72 0d 0a 61 72 72 61 79 0d 0a 73 63 68 6f 6f 6c 0d 0a 71 75 69 63 6b 0d 0a 73 6f 6e 67 0d 0a 6d 6f 76 69 65 0d 0a 77 68 69 6c 65 0d 0a 6c 61 6e 64 0d 0a 72 65 73 74 0d 0a 61 72 72 61 79 0d 0a 77 6f 6d 61 6e 0d 0a 75 6e 63 6c 65 0d 0a 70 69 7a 7a 61 0d 0a 66 61 6c 6c 0d 0a 79 65 6c 6c 6f 77 0d 0a 72 61 62 62 69 74 0d 0a 67 6f 61 Data Ascii: ideatalkbananaiconwayroomapplecolorgirlunitcamerainkantwaterlakequalifyyesterdayguestdarkpersonnoteofferarrayschoolquicksongmoviewhilelandrestarraywomanunclepizzafallyellowrabbitgoa
2023-08-29 05:41:47 UTC	1071	IN	Data Raw: 65 0d 0a 77 6f 6d 61 6e 0d 0a 61 69 72 0d 0a 6b 65 79 0d 0a 66 61 74 68 65 72 0d 0a 69 63 6f 6e 0d 0a 68 69 74 0d 0a 6e 6f 73 65 0d 0a 6e 69 67 68 74 0d 0a 73 68 6f 72 74 0d 0a 77 61 79 0d 0a 6c 69 66 65 0d 0a 69 6e 6b 0d 0a 71 75 6f 74 65 0d 0a 6c 69 6f 6e 0d 0a 61 6e 69 6d 61 6c 0d 0a 67 6f 61 74 0d 0a 65 64 67 65 0d 0a 66 61 63 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 64 6f 0d 0a 69 6e 63 6f 6d 65 0d 0a 7a 65 62 72 61 0d 0a 77 65 73 74 0d 0a 79 6f 75 6e 67 0d 0a 6c 65 74 74 65 72 0d 0a 74 72 65 65 0d 0a 6c 6f 6e 67 0d 0a 61 72 72 61 79 0d 0a 67 6c 61 73 73 0d 0a 67 61 6d 65 0d 0a 79 61 77 6e 0d 0a 61 72 72 61 79 0d 0a 67 6f 61 74 0d 0a 64 6f 6f 72 0d 0a 66 61 6c 6c 0d 0a 65 72 72 6f 72 0d 0a 61 70 70 6c 65 0d 0a 6f 72 64 65 72 0d 0a 64 75 63 6b 0d 0a Data Ascii: ewomanairkeyfathericonhitnosenightshortwaylifeinkquotelionanimalgoatedgefaceknowledgedoincomezebrawestyounglettertreelongarrayglassgameyawnarraygoatdoorfallerrorappleorderduck
2023-08-29 05:41:47 UTC	1087	IN	Data Raw: 74 79 0d 0a 62 61 6e 6b 0d 0a 69 6e 6b 0d 0a 61 6e 74 0d 0a 67 72 6f 75 70 0d 0a 6c 61 6b 65 0d 0a 71 75 6f 74 65 0d 0a 68 65 6c 70 0d 0a 62 6c 75 65 0d 0a 6c 61 6d 70 0d 0a 6e 61 74 75 72 65 0d 0a 62 65 61 63 68 0d 0a 64 61 6e 63 65 0d 0a 77 68 69 74 65 0d 0a 63 6c 6f 75 64 0d 0a 71 75 61 6c 69 74 79 0d 0a 6c 69 66 65 0d 0a 6f 72 61 6e 67 65 0d 0a 77 65 73 74 0d 0a 66 69 73 68 0d 0a 6a 6f 6b 65 0d 0a 6c 6f 6e 67 0d 0a 67 72 6f 75 70 0d 0a 62 75 73 0d 0a 61 6e 74 0d 0a 76 69 64 65 6f 0d 0a 63 6c 6f 75 64 0d 0a 6a 75 6d 70 0d 0a 62 6c 75 65 0d 0a 6b 69 64 0d 0a 65 69 67 68 74 0d 0a 67 61 6d 65 0d 0a 63 6c 69 70 0d 0a 66 69 73 68 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 6d 6f 6f 6e 0d 0a 6c 61 6d 70 0d 0a 77 61 74 65 72 0d 0a 6b 69 6e 64 0d 0a 6e 61 6d 65 Data Ascii: tybankinkantgrouplakequotehelpbluelampnaturebeachdancewhitecloudqualitylifeorangewestfishjokelonggroupbusantvideocloudjumpbluekideightgameclipfishuniversitymoonlampwaterkindname
2023-08-29 05:41:47 UTC	1103	IN	Data Raw: 6a 75 6d 70 0d 0a 65 61 72 74 68 0d 0a 7a 65 72 6f 0d 0a 74 69 67 65 72 0d 0a 71 75 69 63 6b 0d 0a 76 69 64 65 6f 0d 0a 6e 65 65 64 0d 0a 65 79 65 0d 0a 6e 61 6d 65 0d 0a 66 75 6e 63 0d 0a 64 6f 6f 72 0d 0a 61 69 72 0d 0a 6d 61 6e 0d 0a 6a 61 72 0d 0a 6d 61 63 68 69 6e 65 0d 0a 78 79 6c 65 6d 0d 0a 65 73 63 61 70 65 0d 0a 68 61 69 72 0d 0a 75 6e 63 6c 65 0d 0a 62 6f 79 0d 0a 6c 6f 76 65 0d 0a 77 68 69 6c 65 0d 0a 65 6e 65 72 67 79 0d 0a 7a 69 70 70 65 72 0d 0a 66 6f 72 0d 0a 77 61 79 0d 0a 75 73 75 61 6c 6c 79 0d 0a 79 6f 75 6e 67 0d 0a 72 61 62 62 69 74 0d 0a 67 6c 61 73 73 0d 0a 73 6b 79 0d 0a 63 61 72 0d 0a 67 6f 6c 64 0d 0a 77 68 69 74 65 0d 0a 6d 69 6c 6b 0d 0a 65 69 67 68 74 0d 0a 6b 69 63 6b 0d 0a 7a 6f 6f 0d 0a 74 6f 70 0d 0a 75 6e 64 65 72 67 72 Data Ascii: jumpearthzerotigerquickvideoneedeyenamefuncdoorairmanjarmachinexylemescapehairuncleboylovewhileenergyzipperforwayusuallyyoungrabbitglassskycargoldwhitemilkeightkickzootopundergr
2023-08-29 05:41:47 UTC	1119	IN	Data Raw: 0d 0a 64 61 72 6b 0d 0a 61 72 72 6f 77 0d 0a 74 61 73 74 65 0d 0a 61 69 72 0d 0a 71 75 69 65 74 0d 0a 6e 61 74 75 72 65 0d 0a 72 69 73 65 0d 0a 6c 61 75 67 68 0d 0a 70 65 72 73 6f 6e 0d 0a 77 61 79 0d 0a 62 6f 78 0d 0a 70 61 70 65 72 0d 0a 66 6f 6f 64 0d 0a 67 61 6d 65 0d 0a 73 74 72 69 6e 67 0d 0a 62 6c 75 65 0d 0a 6a 6f 6b 65 0d 0a 70 65 61 72 0d 0a 69 6e 6b 0d 0a 79 65 61 72 0d 0a 6b 65 65 70 0d 0a 74 72 65 65 0d 0a 67 6f 61 74 0d 0a 6c 6f 6e 67 0d 0a 66 61 6c 6c 0d 0a 6c 65 67 0d 0a 66 61 74 68 65 72 0d 0a 6f 70 65 6e 0d 0a 6f 72 64 65 72 0d 0a 66 61 6c 6c 0d 0a 68 61 69 72 0d 0a 62 69 72 64 0d 0a 66 6f 6f 64 0d 0a 6b 69 64 0d 0a 64 61 6e 63 65 0d 0a 67 75 65 73 74 0d 0a 66 6f 6f 74 0d 0a 63 61 74 0d 0a 65 73 63 61 70 65 0d 0a 74 61 73 74 65 0d 0a 7a Data Ascii: darkarrowtasteairquietnatureriselaughpersonwayboxpaperfoodgamestringbluejokepearinkyearkeeptreegoatlongfalllegfatheropenorderfallhairbirdfoodkiddanceguestfootcatescapetastez
2023-08-29 05:41:47 UTC	1135	IN	Data Raw: 61 72 0d 0a 6d 6f 6f 6e 0d 0a 70 69 7a 7a 61 0d 0a 68 6f 70 65 0d 0a 65 69 67 68 74 0d 0a 65 61 74 0d 0a 77 69 6e 74 65 72 0d 0a 65 73 63 61 70 65 0d 0a 64 61 74 61 0d 0a 63 69 74 79 0d 0a 6e 6f 73 65 0d 0a 69 6e 6b 0d 0a 72 65 73 74 0d 0a 70 61 70 65 72 0d 0a 69 73 6c 61 6e 64 0d 0a 63 6c 69 70 0d 0a 68 65 6c 70 0d 0a 6a 61 63 6b 65 74 0d 0a 6e 6f 73 65 0d 0a 77 69 6e 64 0d 0a 76 69 63 74 6f 72 79 0d 0a 69 73 73 75 65 0d 0a 6d 61 63 68 69 6e 65 0d 0a 77 6f 72 6c 64 0d 0a 69 63 6f 6e 0d 0a 63 6f 61 74 0d 0a 68 65 6c 70 0d 0a 76 69 64 65 6f 0d 0a 6d 65 61 6c 0d 0a 70 69 6e 6b 0d 0a 6f 72 64 65 72 0d 0a 65 67 67 0d 0a 65 61 72 0d 0a 65 67 67 0d 0a 75 73 65 0d 0a 67 69 72 6c 0d 0a 78 79 6c 65 6d 0d 0a 7a 65 61 6c 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 73 65 Data Ascii: armoonpizzahopeeighteatwinterescapedatacitynoseinkrestpaperislandcliphelpjacketnosewindvictoryissuemachineworldiconcoathelpvideomealpinkordereggeareggusegirlxylemzealvegetablese
2023-08-29 05:41:47 UTC	1151	IN	Data Raw: 6f 67 0d 0a 70 65 72 73 6f 6e 0d 0a 74 6f 77 6e 0d 0a 70 68 6f 6e 65 0d 0a 63 61 72 0d 0a 64 61 79 0d 0a 69 63 65 0d 0a 70 61 70 65 72 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 70 65 6e 0d 0a 70 65 6e 0d 0a 64 61 72 6b 0d 0a 73 65 76 65 6e 0d 0a 74 6f 70 0d 0a 77 61 79 0d 0a 68 69 74 0d 0a 74 69 6d 65 0d 0a 64 61 79 0d 0a 61 6c 6f 6e 65 0d 0a 66 69 73 68 0d 0a 7a 65 61 6c 0d 0a 66 69 72 65 0d 0a 6f 66 66 69 63 65 0d 0a 70 6c 61 6e 74 0d 0a 62 61 6e 61 6e 61 0d 0a 6e 6f 74 65 0d 0a 64 61 72 6b 0d 0a 6b 69 63 6b 0d 0a 74 65 61 63 68 65 72 0d 0a 79 6f 75 6e 67 0d 0a 63 6c 6f 75 64 0d 0a 69 6e 73 69 64 65 0d 0a 63 61 72 0d 0a 68 65 61 72 74 0d 0a 66 61 74 68 65 72 0d 0a 69 6e 6b 0d 0a 73 74 61 72 0d 0a 64 65 73 6b 0d 0a 70 61 70 65 72 0d 0a 6b 69 74 65 0d 0a 62 Data Ascii: ogpersontownphonecardayicepaperknowledgepenpendarkseventopwayhittimedayalonefishzealfireofficeplantbanananotedarkkickteacheryoungcloudinsidecarheartfatherinkstardeskpaperkiteb
2023-08-29 05:41:47 UTC	1167	IN	Data Raw: 6f 77 0d 0a 64 75 63 6b 0d 0a 71 75 6f 74 65 0d 0a 68 6f 70 65 0d 0a 61 72 72 6f 77 0d 0a 63 6f 6c 6f 72 0d 0a 69 64 65 61 0d 0a 65 64 67 65 0d 0a 6d 6f 6f 6e 0d 0a 67 72 61 73 73 0d 0a 6b 69 6e 67 0d 0a 68 61 6e 64 0d 0a 64 6f 6f 72 0d 0a 73 6b 79 0d 0a 6f 66 66 65 72 0d 0a 6d 69 6c 6b 0d 0a 7a 65 72 6f 0d 0a 77 6f 72 6b 0d 0a 75 73 65 0d 0a 72 69 73 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6a 65 6c 6c 79 0d 0a 6d 61 63 68 69 6e 65 0d 0a 66 61 72 6d 0d 0a 7a 6f 6e 65 0d 0a 79 6f 75 6e 67 0d 0a 64 65 65 72 0d 0a 76 69 73 69 74 6f 72 0d 0a 70 69 7a 7a 61 0d 0a 6d 75 73 69 63 0d 0a 74 69 67 65 72 0d 0a 77 69 6e 74 65 72 0d 0a 7a 65 61 6c 0d 0a 68 65 61 72 74 0d 0a 61 63 65 0d 0a 67 6f 6c 64 0d 0a 76 69 64 65 6f 0d 0a 67 6f 6c 64 0d 0a 75 6e 69 76 65 72 Data Ascii: owduckquotehopearrowcolorideaedgemoongrasskinghanddoorskyoffermilkzeroworkuseriseunderstandjellymachinefarmzoneyoungdeervisitorpizzamusictigerwinterzealheartacegoldvideogolduniver
2023-08-29 05:41:47 UTC	1183	IN	Data Raw: 0a 63 61 6d 65 72 61 0d 0a 73 6e 6f 77 0d 0a 74 6f 77 6e 0d 0a 65 64 67 65 0d 0a 63 6f 61 74 0d 0a 6f 72 61 6e 67 65 0d 0a 76 61 6c 75 65 0d 0a 65 61 74 0d 0a 68 6f 75 73 65 0d 0a 67 6f 6c 64 0d 0a 65 61 73 79 0d 0a 67 6f 6c 64 0d 0a 66 69 73 68 0d 0a 70 69 63 74 75 72 65 0d 0a 64 6f 6f 72 0d 0a 63 69 74 79 0d 0a 72 6f 61 64 0d 0a 66 6c 6f 77 65 72 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 6b 69 74 65 0d 0a 67 6f 6c 64 0d 0a 73 6e 6f 77 0d 0a 6c 61 6d 70 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 67 68 6f 73 74 0d 0a 6f 66 66 65 72 0d 0a 6b 69 64 0d 0a 6d 61 6e 0d 0a 76 61 6c 75 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 64 6f 0d 0a 6f 62 6a 65 63 74 0d 0a 7a 6f 6d 62 69 65 0d 0a 73 6b 79 0d 0a 61 72 72 61 79 0d 0a 61 6e 74 0d 0a 70 69 6e 6b 0d 0a 6f 62 6a 65 63 74 0d 0a 76 Data Ascii: camerasnowtownedgecoatorangevalueeathousegoldeasygoldfishpicturedoorcityroadfloweryesterdaykitegoldsnowlampunsignedghostofferkidmanvaluemonkeydoobjectzombieskyarrayantpinkobjectv
2023-08-29 05:41:47 UTC	1199	IN	Data Raw: 0d 0a 79 65 73 0d 0a 61 63 65 0d 0a 6f 62 6a 65 63 74 0d 0a 61 72 72 6f 77 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 71 75 61 6c 69 66 79 0d 0a 69 6e 63 6f 6d 65 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 76 69 73 69 74 6f 72 0d 0a 75 73 65 0d 0a 69 6e 74 0d 0a 70 69 6e 6b 0d 0a 73 75 6e 0d 0a 6a 75 64 67 65 0d 0a 72 6f 63 6b 0d 0a 79 6f 75 6e 67 0d 0a 64 65 65 72 0d 0a 6b 69 6e 64 0d 0a 77 69 6e 64 0d 0a 67 72 61 73 73 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 6f 70 65 6e 0d 0a 72 69 73 65 0d 0a 63 6f 77 0d 0a 6b 65 65 70 0d 0a 63 61 74 0d 0a 6a 61 72 0d 0a 6f 72 64 65 72 0d 0a 61 63 65 0d 0a 65 61 74 0d 0a 68 61 69 72 0d 0a 72 65 64 0d 0a 79 6f 75 6e 67 0d 0a 6c 69 6f 6e 0d 0a 7a 65 72 6f 0d 0a Data Ascii: yesaceobjectarrowknowledgeinformationinformationqualifyincomequantityvisitoruseintpinksunjudgerockyoungdeerkindwindgrassKanthanopenrisecowkeepcatjarorderaceeathairredyounglionzero
2023-08-29 05:41:47 UTC	1215	IN	Data Raw: 69 6e 73 69 64 65 0d 0a 6b 69 64 0d 0a 6b 69 6e 64 0d 0a 66 69 73 68 0d 0a 72 6f 6f 6d 0d 0a 67 72 65 65 6e 0d 0a 77 68 69 6c 65 0d 0a 61 6e 69 6d 61 6c 0d 0a 75 6e 63 6c 65 0d 0a 62 6f 6f 6b 0d 0a 67 72 6f 75 70 0d 0a 63 69 74 79 0d 0a 73 74 72 69 6e 67 0d 0a 66 6f 72 0d 0a 68 6f 70 65 0d 0a 70 65 72 73 6f 6e 0d 0a 79 65 61 72 0d 0a 63 61 74 0d 0a 74 72 65 65 0d 0a 68 61 69 72 0d 0a 73 65 76 65 6e 0d 0a 6a 61 63 6b 65 74 0d 0a 6a 6f 6b 65 0d 0a 70 69 7a 7a 61 0d 0a 62 65 61 63 68 0d 0a 79 61 77 6e 0d 0a 77 6f 6d 61 6e 0d 0a 72 61 69 6e 0d 0a 77 68 69 74 65 0d 0a 76 6f 69 63 65 0d 0a 62 75 73 0d 0a 76 69 64 65 6f 0d 0a 6d 6f 6e 6b 65 79 0d 0a 61 6e 74 0d 0a 74 61 6c 6b 0d 0a 73 75 67 61 72 0d 0a 6b 65 79 0d 0a 72 6f 63 6b 0d 0a 74 65 73 74 0d 0a 6b 69 74 Data Ascii: insidekidkindfishroomgreenwhileanimalunclebookgroupcitystringforhopepersonyearcattreehairsevenjacketjokepizzabeachyawnwomanrainwhitevoicebusvideomonkeyanttalksugarkeyrocktestkit
2023-08-29 05:41:47 UTC	1231	IN	Data Raw: 0d 0a 66 69 72 65 0d 0a 72 6f 63 6b 0d 0a 6c 61 6b 65 0d 0a 6b 69 74 63 68 65 6e 0d 0a 6c 69 66 65 0d 0a 6e 6f 74 65 0d 0a 72 6f 6f 6d 0d 0a 61 77 61 72 64 0d 0a 6b 69 74 65 0d 0a 69 6e 74 0d 0a 64 61 74 61 0d 0a 7a 69 70 70 65 72 0d 0a 6f 69 6c 0d 0a 72 69 73 65 0d 0a 6a 65 6c 6c 79 0d 0a 79 65 61 72 0d 0a 6d 61 6e 0d 0a 6b 69 64 0d 0a 71 75 61 72 74 65 72 0d 0a 63 6f 61 74 0d 0a 67 6c 61 73 73 0d 0a 72 6f 6f 6d 0d 0a 6d 75 73 69 63 0d 0a 79 65 61 72 0d 0a 79 61 77 6e 0d 0a 63 61 6b 65 0d 0a 76 6f 69 63 65 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 77 6f 6d 61 6e 0d 0a 6d 61 6e 0d 0a 6d 61 6e 0d 0a 6c 6f 76 65 0d 0a 74 72 61 69 6e 0d 0a 72 65 64 0d 0a 63 6f 77 0d 0a 6f 62 6a 65 63 74 0d 0a 73 6f 6e 67 0d 0a 65 64 67 65 0d 0a 76 6f 69 63 65 0d 0a 78 79 6c 65 6d 0d Data Ascii: firerocklakekitchenlifenoteroomawardkiteintdatazipperoilrisejellyyearmankidquartercoatglassroommusicyearyawncakevoicejourneywomanmanmanlovetrainredcowobjectsongedgevoicexylem
2023-08-29 05:41:47 UTC	1247	IN	Data Raw: 69 65 77 0d 0a 73 74 61 72 0d 0a 67 68 6f 73 74 0d 0a 61 6e 74 0d 0a 70 65 72 73 6f 6e 0d 0a 64 75 63 6b 0d 0a 64 65 65 72 0d 0a 6c 65 67 0d 0a 70 69 7a 7a 61 0d 0a 77 6f 72 6c 64 0d 0a 62 6f 78 0d 0a 68 65 6c 70 0d 0a 65 79 65 0d 0a 68 6f 75 73 65 0d 0a 64 75 63 6b 0d 0a 77 6f 6d 61 6e 0d 0a 6e 6f 73 65 0d 0a 6d 61 6e 0d 0a 7a 6f 6e 65 0d 0a 7a 69 70 70 65 72 0d 0a 61 69 72 0d 0a 64 61 6e 63 65 0d 0a 65 61 74 0d 0a 64 61 74 61 0d 0a 66 61 74 68 65 72 0d 0a 64 75 63 6b 0d 0a 65 79 65 0d 0a 7a 65 61 6c 0d 0a 62 61 6e 61 6e 61 0d 0a 6d 61 70 0d 0a 6e 6f 73 65 0d 0a 6a 61 76 61 0d 0a 71 75 69 63 6b 0d 0a 73 75 6e 0d 0a 74 6f 70 0d 0a 6b 65 79 0d 0a 6a 61 72 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6d 6f 6f 6e 0d 0a 69 73 6c 61 6e 64 0d 0a 66 61 72 6d 0d 0a Data Ascii: iewstarghostantpersonduckdeerlegpizzaworldboxhelpeyehouseduckwomannosemanzonezipperairdanceeatdatafatherduckeyezealbananamapnosejavaquicksuntopkeyjarunderstandmoonislandfarm
2023-08-29 05:41:47 UTC	1263	IN	Data Raw: 73 65 76 65 6e 0d 0a 6e 65 65 64 0d 0a 69 6e 6b 0d 0a 67 72 61 73 73 0d 0a 74 61 6c 6b 0d 0a 65 6e 65 72 67 79 0d 0a 75 6e 63 6c 65 0d 0a 6a 61 63 6b 65 74 0d 0a 66 61 6c 6c 0d 0a 6f 66 66 65 72 0d 0a 72 61 62 62 69 74 0d 0a 70 6c 61 6e 74 0d 0a 6a 61 63 6b 65 74 0d 0a 6b 69 73 73 0d 0a 6e 75 6d 62 65 72 0d 0a 6f 62 6a 65 63 74 0d 0a 6d 61 70 0d 0a 77 6f 72 6b 0d 0a 6f 66 66 65 72 0d 0a 69 6e 63 6f 6d 65 0d 0a 69 6e 6b 0d 0a 6b 69 74 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 73 74 6f 6e 65 0d 0a 6d 69 6c 6b 0d 0a 67 6f 6c 64 0d 0a 68 69 74 0d 0a 76 69 73 69 74 6f 72 0d 0a 6d 69 6c 6b 0d 0a 66 61 63 65 0d 0a 6b 69 6e 64 0d 0a 67 6f 61 74 0d 0a 72 69 73 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 6c 6f 76 65 0d 0a 62 6c 75 65 0d 0a 77 61 79 0d 0a 6a 61 72 Data Ascii: sevenneedinkgrasstalkenergyunclejacketfallofferrabbitplantjacketkissnumberobjectmapworkofferincomeinkkiteunderstandstonemilkgoldhitvisitormilkfacekindgoatriseknowledgelovebluewayjar
2023-08-29 05:41:47 UTC	1278	IN	Data Raw: 0a 6a 6f 79 0d 0a 6c 6f 6e 67 0d 0a 62 6c 75 65 0d 0a 6c 69 6f 6e 0d 0a 69 73 6c 61 6e 64 0d 0a 62 6f 78 0d 0a 64 61 74 61 0d 0a 69 73 73 75 65 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 69 73 73 75 65 0d 0a 73 75 6e 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 6a 75 6d 70 0d 0a 75 73 65 0d 0a 6a 75 64 67 65 0d 0a 63 6f 77 0d 0a 70 68 6f 6e 65 0d 0a 6c 61 75 67 68 0d 0a 69 6e 63 6f 6d 65 0d 0a 73 75 67 61 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 69 6e 63 6f 6d 65 0d 0a 68 65 61 72 74 0d 0a 65 64 67 65 0d 0a 6d 6f 74 68 65 72 0d 0a 76 69 64 65 6f 0d 0a 65 79 65 0d 0a 6c 61 75 67 68 0d 0a 62 6c 75 65 0d 0a 68 69 74 0d 0a 72 69 76 65 72 0d 0a 6f 6e 65 0d 0a 77 61 74 65 72 0d 0a 6e 61 74 75 72 65 0d 0a 6b 69 64 0d 0a 6b 69 73 73 0d 0a 66 6c 6f 77 65 72 0d 0a 72 75 6e 0d 0a 6d 6f 74 68 Data Ascii: joylongbluelionislandboxdataissuevacationissuesunjourneyjumpusejudgecowphonelaughincomesugarmonkeyincomeheartedgemothervideoeyelaughbluehitriveronewaternaturekidkissflowerrunmoth
2023-08-29 05:41:48 UTC	1294	IN	Data Raw: 69 74 0d 0a 74 69 6d 65 0d 0a 77 61 72 6e 0d 0a 77 6f 6d 61 6e 0d 0a 69 6e 63 6f 6d 65 0d 0a 66 6f 6f 64 0d 0a 63 61 6d 65 72 61 0d 0a 62 6c 75 65 0d 0a 66 61 74 68 65 72 0d 0a 63 61 74 0d 0a 68 65 61 72 74 0d 0a 65 67 67 0d 0a 79 65 73 0d 0a 62 6f 6f 6b 0d 0a 68 61 6e 64 0d 0a 66 6c 6f 77 65 72 0d 0a 61 70 70 6c 65 0d 0a 6d 6f 6f 6e 0d 0a 74 6f 77 6e 0d 0a 62 61 6e 61 6e 61 0d 0a 79 61 77 6e 0d 0a 6b 69 74 63 68 65 6e 0d 0a 78 79 6c 65 6d 0d 0a 6d 6f 74 68 65 72 0d 0a 79 65 61 72 6e 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 63 61 6d 65 72 61 0d 0a 62 75 73 0d 0a 65 79 65 0d 0a 6d 6f 74 68 65 72 0d 0a 64 61 6e 63 65 0d 0a 70 65 6e 0d 0a 6c 69 6f 6e 0d 0a 75 6e 69 74 0d 0a 74 6f 70 0d 0a 76 69 73 69 74 6f 72 0d 0a 75 72 67 65 0d 0a 64 61 74 61 0d 0a 6e Data Ascii: ittimewarnwomanincomefoodcamerabluefathercathearteggyesbookhandflowerapplemoontownbananayawnkitchenxylemmotheryearnundergroundcamerabuseyemotherdancepenlionunittopvisitorurgedatan
2023-08-29 05:41:48 UTC	1310	IN	Data Raw: 74 65 72 0d 0a 63 6f 77 0d 0a 6c 69 66 65 0d 0a 62 61 6e 6b 0d 0a 72 6f 6f 6d 0d 0a 66 61 63 65 0d 0a 6b 69 74 65 0d 0a 77 6f 72 6c 64 0d 0a 66 61 63 65 0d 0a 77 65 73 74 0d 0a 65 61 73 74 0d 0a 77 6f 72 6c 64 0d 0a 79 61 72 64 0d 0a 6c 65 74 74 65 72 0d 0a 63 6c 69 70 0d 0a 74 72 61 69 6e 0d 0a 6e 75 6d 62 65 72 0d 0a 61 63 65 0d 0a 6a 65 6c 6c 79 0d 0a 65 61 74 0d 0a 67 6c 61 73 73 0d 0a 65 64 67 65 0d 0a 63 68 61 72 0d 0a 63 68 61 72 0d 0a 67 6f 6c 64 0d 0a 76 61 6e 0d 0a 6b 69 74 63 68 65 6e 0d 0a 70 65 72 73 6f 6e 0d 0a 6b 69 6e 64 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 77 68 69 6c 65 0d 0a 66 69 72 65 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 68 69 74 0d 0a 6e 6f 72 74 68 0d 0a 69 63 65 0d 0a 65 6e 64 0d 0a 7a 6f 6d 62 69 65 0d 0a 61 72 74 0d 0a 69 63 Data Ascii: tercowlifebankroomfacekiteworldfacewesteastworldyardlettercliptrainnumberacejellyeatglassedgecharchargoldvankitchenpersonkindknowledgewhilefirevegetablehitnorthiceendzombieartic
2023-08-29 05:41:48 UTC	1326	IN	Data Raw: 74 0d 0a 77 6f 72 6b 0d 0a 77 61 79 0d 0a 62 69 72 64 0d 0a 61 6e 74 0d 0a 72 69 76 65 72 0d 0a 73 65 76 65 6e 0d 0a 72 61 62 62 69 74 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 66 6f 72 0d 0a 69 6e 63 6f 6d 65 0d 0a 65 61 73 79 0d 0a 71 75 6f 74 65 0d 0a 66 75 6e 63 0d 0a 64 61 74 61 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 74 72 61 69 6e 0d 0a 66 61 72 6d 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 77 61 74 65 72 0d 0a 68 69 74 0d 0a 79 65 61 72 0d 0a 62 61 6e 6b 0d 0a 77 65 73 74 0d 0a 70 68 6f 6e 65 0d 0a 67 68 6f 73 74 0d 0a 66 6f 6f 64 0d 0a 63 61 6d 65 72 61 0d 0a 68 61 69 72 0d 0a 6c 6f 76 65 0d 0a 70 65 72 73 6f 6e 0d 0a 67 75 65 73 74 0d 0a 71 75 69 63 6b 0d 0a 6b 65 79 0d 0a 6b 69 73 73 0d 0a 6d 61 6e 0d 0a 70 65 6e Data Ascii: tworkwaybirdantriversevenrabbitvegetableforincomeeasyquotefuncdataknowledgetrainfarmyesterdayundergroundwaterhityearbankwestphoneghostfoodcamerahairlovepersonguestquickkeykissmanpen
2023-08-29 05:41:48 UTC	1342	IN	Data Raw: 68 74 0d 0a 73 75 6e 0d 0a 67 72 61 73 73 0d 0a 73 6e 61 6b 65 0d 0a 62 65 61 63 68 0d 0a 6e 61 6d 65 0d 0a 74 61 73 74 65 0d 0a 6d 75 73 69 63 0d 0a 6f 63 65 61 6e 0d 0a 73 75 6e 0d 0a 63 6f 61 74 0d 0a 74 69 6d 65 0d 0a 79 61 77 6e 0d 0a 66 6f 6f 74 0d 0a 75 6e 63 6c 65 0d 0a 6c 61 6d 70 0d 0a 73 74 61 72 0d 0a 6f 72 64 65 72 0d 0a 67 72 61 73 73 0d 0a 6d 65 61 6c 0d 0a 70 65 61 72 0d 0a 62 6c 75 65 0d 0a 69 6e 74 0d 0a 6d 6f 74 68 65 72 0d 0a 65 61 72 0d 0a 62 61 6e 6b 0d 0a 79 6f 75 6e 67 0d 0a 77 61 79 0d 0a 79 61 77 6e 0d 0a 76 6f 69 63 65 0d 0a 77 68 69 6c 65 0d 0a 69 63 65 0d 0a 78 79 6c 65 6d 0d 0a 6e 75 6d 62 65 72 0d 0a 6c 69 6f 6e 0d 0a 64 6f 6f 72 0d 0a 72 61 62 62 69 74 0d 0a 63 68 61 72 0d 0a 75 73 65 0d 0a 62 6f 79 0d 0a 67 6f 6c 64 0d 0a Data Ascii: htsungrasssnakebeachnametastemusicoceansuncoattimeyawnfootunclelampstarordergrassmealpearblueintmotherearbankyoungwayyawnvoicewhileicexylemnumberliondoorrabbitcharuseboygold
2023-08-29 05:41:48 UTC	1358	IN	Data Raw: 6f 77 0d 0a 77 69 6e 74 65 72 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 70 61 70 65 72 0d 0a 76 6f 69 63 65 0d 0a 63 6f 61 74 0d 0a 67 6f 6c 64 0d 0a 65 61 72 0d 0a 72 6f 61 64 0d 0a 65 67 67 0d 0a 6c 61 75 67 68 0d 0a 6a 6f 79 0d 0a 6f 63 65 61 6e 0d 0a 62 6f 78 0d 0a 65 61 74 0d 0a 6c 65 67 0d 0a 65 61 73 74 0d 0a 75 6e 69 74 0d 0a 61 72 63 68 0d 0a 76 69 65 77 0d 0a 76 69 73 69 74 6f 72 0d 0a 74 72 61 69 6e 0d 0a 6b 69 6e 64 0d 0a 73 6e 61 6b 65 0d 0a 75 73 75 61 6c 6c 79 0d 0a 6f 70 65 6e 0d 0a 67 72 6f 75 70 0d 0a 73 63 68 6f 6f 6c 0d 0a 76 61 6c 75 65 0d 0a 71 75 61 6c 69 74 79 0d 0a 70 68 6f 6e 65 0d 0a 6f 6e 65 0d 0a 67 75 65 73 74 0d 0a 6e 6f 72 74 68 0d 0a 68 65 61 72 74 0d 0a 61 69 72 0d 0a 6f 69 6c 0d 0a 65 6e 64 0d 0a 61 6c 6f 6e 65 0d 0a 72 69 Data Ascii: owwinterknowledgepapervoicecoatgoldearroadegglaughjoyoceanboxeatlegeastunitarchviewvisitortrainkindsnakeusuallyopengroupschoolvaluequalityphoneoneguestnorthheartairoilendaloneri
2023-08-29 05:41:48 UTC	1374	IN	Data Raw: 67 61 6d 65 0d 0a 65 61 72 74 68 0d 0a 68 6f 70 65 0d 0a 75 73 65 0d 0a 62 6f 79 0d 0a 6f 70 65 6e 0d 0a 68 65 61 64 0d 0a 62 6c 75 65 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 67 69 72 6c 0d 0a 6b 69 74 65 0d 0a 63 61 72 0d 0a 6f 66 66 69 63 65 0d 0a 64 72 65 61 6d 0d 0a 70 69 6e 6b 0d 0a 75 73 75 61 6c 6c 79 0d 0a 65 73 63 61 70 65 0d 0a 75 6e 69 74 0d 0a 77 61 74 65 72 0d 0a 6e 65 65 64 0d 0a 78 79 6c 65 6d 0d 0a 61 69 72 0d 0a 68 6f 70 65 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 6b 69 64 0d 0a 76 6f 69 63 65 0d 0a 68 69 74 0d 0a 77 61 79 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 74 6f 70 0d 0a 73 75 67 61 72 0d 0a 68 69 74 0d 0a 79 6f 75 6e 67 0d 0a 6e 61 6d 65 0d 0a 64 61 72 6b 0d 0a 67 72 65 65 6e 0d 0a 64 61 6e 63 65 0d 0a 6a 61 76 61 0d 0a 6c 65 Data Ascii: gameearthhopeuseboyopenheadbluevegetablegirlkitecarofficedreampinkusuallyescapeunitwaterneedxylemairhopeundergroundkidvoicehitwayunderstandtopsugarhityoungnamedarkgreendancejavale
2023-08-29 05:41:48 UTC	1390	IN	Data Raw: 67 72 6f 75 6e 64 0d 0a 69 6e 73 69 64 65 0d 0a 77 69 6e 74 65 72 0d 0a 75 73 75 61 6c 6c 79 0d 0a 76 6f 69 63 65 0d 0a 61 6e 74 0d 0a 7a 6f 6e 65 0d 0a 62 61 6c 6c 0d 0a 6f 63 65 61 6e 0d 0a 61 6e 69 6d 61 6c 0d 0a 76 61 6c 75 65 0d 0a 66 6c 6f 77 65 72 0d 0a 61 63 65 0d 0a 6c 69 6f 6e 0d 0a 6d 65 6e 74 0d 0a 63 68 61 72 0d 0a 6c 61 6b 65 0d 0a 7a 65 62 72 61 0d 0a 67 61 6d 65 0d 0a 6e 6f 73 65 0d 0a 6d 61 70 0d 0a 72 6f 61 64 0d 0a 6d 6f 76 69 65 0d 0a 6b 65 79 0d 0a 62 6f 79 0d 0a 73 74 72 69 6e 67 0d 0a 6f 63 65 61 6e 0d 0a 69 63 65 0d 0a 66 6f 6f 74 0d 0a 6c 65 74 74 65 72 0d 0a 63 69 74 79 0d 0a 62 6f 79 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 63 69 74 79 0d 0a 64 65 73 6b 0d 0a 67 6f 61 74 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 67 75 65 73 74 0d 0a 6c 65 74 Data Ascii: groundinsidewinterusuallyvoiceantzoneballoceananimalvaluefloweracelionmentcharlakezebragamenosemaproadmoviekeyboystringoceanicefootlettercityboyunsignedcitydeskgoatjourneyguestlet
2023-08-29 05:41:48 UTC	1406	IN	Data Raw: 65 73 74 0d 0a 6e 75 72 73 65 0d 0a 72 65 73 74 0d 0a 74 72 61 69 6e 0d 0a 69 73 73 75 65 0d 0a 72 65 73 74 0d 0a 76 69 65 77 0d 0a 77 65 65 6b 0d 0a 72 61 62 62 69 74 0d 0a 62 61 6c 6c 0d 0a 6f 66 66 69 63 65 0d 0a 6b 69 63 6b 0d 0a 61 6e 69 6d 61 6c 0d 0a 6b 65 65 70 0d 0a 63 69 74 79 0d 0a 6e 6f 73 65 0d 0a 6c 61 6d 70 0d 0a 6a 75 6d 70 0d 0a 67 72 6f 75 70 0d 0a 67 72 61 73 73 0d 0a 72 75 6e 0d 0a 71 75 61 6c 69 74 79 0d 0a 61 72 74 0d 0a 65 61 73 79 0d 0a 65 61 72 0d 0a 76 6f 69 63 65 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 77 68 69 6c 65 0d 0a 62 6f 6f 6b 0d 0a 6e 6f 72 74 68 0d 0a 74 6f 70 0d 0a 77 6f 6d 61 6e 0d 0a 6c 61 6d 70 0d 0a 7a 6f 6d 62 69 65 0d 0a 63 6f 6c 6f 72 0d 0a 76 6f 69 63 65 0d 0a 63 6f 77 0d 0a 68 6f 75 73 65 0d 0a 73 75 6e 0d 0a 65 Data Ascii: estnurseresttrainissuerestviewweekrabbitballofficekickanimalkeepcitynoselampjumpgroupgrassrunqualityarteasyearvoicequestionwhilebooknorthtopwomanlampzombiecolorvoicecowhousesune
2023-08-29 05:41:48 UTC	1422	IN	Data Raw: 0a 6a 65 6c 6c 79 0d 0a 7a 65 62 72 61 0d 0a 7a 65 62 72 61 0d 0a 6f 6e 65 0d 0a 66 61 72 6d 0d 0a 66 6c 6f 77 65 72 0d 0a 79 61 77 6e 0d 0a 6b 69 64 0d 0a 7a 6f 6f 0d 0a 6f 62 6a 65 63 74 0d 0a 73 6b 79 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 6c 61 6d 70 0d 0a 6a 65 6c 6c 79 0d 0a 7a 69 70 70 65 72 0d 0a 66 61 72 6d 0d 0a 76 69 73 69 74 6f 72 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6c 61 6e 64 0d 0a 69 6e 6b 0d 0a 6f 66 66 69 63 65 0d 0a 74 65 61 63 68 65 72 0d 0a 66 61 74 68 65 72 0d 0a 6d 6f 6f 6e 0d 0a 65 73 63 61 70 65 0d 0a 70 65 72 73 6f 6e 0d 0a 69 6e 6b 0d 0a 6e 6f 74 65 0d 0a 62 6f 6f 6b 0d 0a 63 68 61 72 0d 0a 77 65 65 6b 0d 0a 6d 6f 76 69 65 0d 0a 6d 69 6c 6b 0d 0a 70 6c 61 6e 74 0d 0a 6e 75 6d 62 65 72 0d 0a 77 61 74 65 72 0d 0a 75 6e 69 74 0d 0a 71 75 Data Ascii: jellyzebrazebraonefarmfloweryawnkidzooobjectskyquantitylampjellyzipperfarmvisitormachinelandinkofficeteacherfathermoonescapepersoninknotebookcharweekmoviemilkplantnumberwaterunitqu
2023-08-29 05:41:48 UTC	1438	IN	Data Raw: 65 72 0d 0a 69 64 65 61 0d 0a 6b 65 79 0d 0a 79 65 73 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6e 6f 73 65 0d 0a 72 69 73 65 0d 0a 6d 61 70 0d 0a 71 75 61 72 74 65 72 0d 0a 61 77 61 72 64 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 6b 69 74 65 0d 0a 67 6c 61 73 73 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 64 6f 6f 72 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 61 72 74 0d 0a 64 65 73 6b 0d 0a 7a 65 72 6f 0d 0a 6f 6e 65 0d 0a 73 65 76 65 6e 0d 0a 68 61 74 0d 0a 64 6f 6f 72 0d 0a 6f 72 64 65 72 0d 0a 64 6f 6f 72 0d 0a 6b 69 64 0d 0a 73 75 67 61 72 0d 0a 68 61 69 72 0d 0a 72 6f 63 6b 0d 0a 7a 65 62 72 61 0d 0a 6d 65 61 6c 0d 0a 6c 61 6e 64 0d 0a 6c 61 6b 65 0d 0a 68 6f 75 73 65 0d 0a 70 61 70 65 72 0d 0a 79 6f 75 6e 67 0d 0a 6c 65 67 0d 0a 74 69 6d 65 0d 0a 6b 65 79 0d 0a 6b Data Ascii: erideakeyyesunderstandnoserisemapquarterawarduniversitykiteglassjourneydoorunsignedartdeskzeroonesevenhatdoororderdoorkidsugarhairrockzebrameallandlakehousepaperyounglegtimekeyk
2023-08-29 05:41:48 UTC	1454	IN	Data Raw: 6e 74 68 61 6e 0d 0a 75 72 67 65 0d 0a 63 6f 61 74 0d 0a 7a 6f 6f 0d 0a 70 68 6f 6e 65 0d 0a 6f 66 66 69 63 65 0d 0a 68 69 74 0d 0a 6c 69 6f 6e 0d 0a 6f 66 66 69 63 65 0d 0a 64 61 79 0d 0a 68 69 74 0d 0a 7a 65 61 6c 0d 0a 74 72 65 65 0d 0a 6b 69 6e 64 0d 0a 7a 6f 6d 62 69 65 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 70 6c 61 6e 74 0d 0a 63 61 72 0d 0a 68 65 61 72 74 0d 0a 73 68 6f 72 74 0d 0a 7a 69 70 70 65 72 0d 0a 64 75 63 6b 0d 0a 63 61 6d 65 72 61 0d 0a 72 75 6e 0d 0a 71 75 69 65 74 0d 0a 70 6f 77 65 72 0d 0a 66 72 69 65 6e 64 0d 0a 6a 6f 6b 65 0d 0a 6c 75 6e 63 68 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 70 6f 77 65 72 0d 0a 6c 61 6d 70 0d 0a 66 61 72 6d 0d 0a 65 61 72 74 68 0d 0a 62 6f 79 0d 0a 67 72 65 65 6e 0d 0a 77 65 65 6b 0d 0a 74 72 65 65 0d 0a 61 72 72 Data Ascii: nthanurgecoatzoophoneofficehitlionofficedayhitzealtreekindzombievacationplantcarheartshortzipperduckcamerarunquietpowerfriendjokelunchunsignedpowerlampfarmearthboygreenweektreearr
2023-08-29 05:41:48 UTC	1470	IN	Data Raw: 65 65 6b 0d 0a 73 65 61 0d 0a 75 73 65 0d 0a 62 65 61 63 68 0d 0a 62 61 6e 6b 0d 0a 6b 69 64 0d 0a 65 6e 64 0d 0a 68 61 69 72 0d 0a 6a 61 72 0d 0a 67 68 6f 73 74 0d 0a 72 6f 6f 6d 0d 0a 64 75 63 6b 0d 0a 66 6f 72 0d 0a 77 61 74 65 72 0d 0a 73 68 6f 72 74 0d 0a 79 65 73 0d 0a 6b 69 74 63 68 65 6e 0d 0a 67 6c 61 73 73 0d 0a 6f 72 64 65 72 0d 0a 70 6f 77 65 72 0d 0a 62 6f 6f 6b 0d 0a 66 6f 72 0d 0a 66 61 72 6d 0d 0a 71 75 6f 74 65 0d 0a 7a 69 70 70 65 72 0d 0a 6e 69 67 68 74 0d 0a 69 73 73 75 65 0d 0a 6f 62 6a 65 63 74 0d 0a 71 75 61 6c 69 74 79 0d 0a 6d 65 6e 74 0d 0a 64 6f 0d 0a 71 75 61 6c 69 74 79 0d 0a 73 74 61 72 0d 0a 73 65 76 65 6e 0d 0a 74 72 65 65 0d 0a 70 68 6f 6e 65 0d 0a 62 6f 78 0d 0a 77 61 72 6e 0d 0a 6d 6f 6f 6e 0d 0a 70 61 70 65 72 0d 0a 64 Data Ascii: eekseausebeachbankkidendhairjarghostroomduckforwatershortyeskitchenglassorderpowerbookforfarmquotezippernightissueobjectqualitymentdoqualitystarseventreephoneboxwarnmoonpaperd
2023-08-29 05:41:48 UTC	1486	IN	Data Raw: 0d 0a 6d 69 6c 6b 0d 0a 65 67 67 0d 0a 7a 6f 6e 65 0d 0a 70 65 72 73 6f 6e 0d 0a 70 61 70 65 72 0d 0a 69 6e 6b 0d 0a 6f 62 6a 65 63 74 0d 0a 72 61 62 62 69 74 0d 0a 6b 65 65 70 0d 0a 62 61 6c 6c 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 6e 75 72 73 65 0d 0a 63 68 61 72 0d 0a 6c 69 66 65 0d 0a 64 6f 67 0d 0a 77 6f 6d 61 6e 0d 0a 66 69 72 65 0d 0a 65 6e 64 0d 0a 6a 61 76 61 0d 0a 6b 69 6e 64 0d 0a 6f 72 64 65 72 0d 0a 68 61 6e 64 0d 0a 64 65 73 6b 0d 0a 6d 75 73 69 63 0d 0a 79 65 6c 6c 6f 77 0d 0a 74 69 67 65 72 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 6c 75 6e 63 68 0d 0a 77 68 69 74 65 0d 0a 65 61 73 79 0d 0a 6d 75 73 69 63 0d 0a 6c 75 6e 63 68 0d 0a 76 69 73 69 74 6f 72 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 6d 6f 76 69 65 0d 0a 6b 69 63 6b 0d 0a 68 65 6c 70 0d Data Ascii: milkeggzonepersonpaperinkobjectrabbitkeepballvacationnursecharlifedogwomanfireendjavakindorderhanddeskmusicyellowtigerknowledgelunchwhiteeasymusiclunchvisitorknowledgemoviekickhelp
2023-08-29 05:41:48 UTC	1502	IN	Data Raw: 0d 0a 69 63 65 0d 0a 7a 6f 6f 0d 0a 72 69 76 65 72 0d 0a 69 63 65 0d 0a 73 74 6f 6e 65 0d 0a 63 61 72 0d 0a 62 6f 6f 6b 0d 0a 70 69 7a 7a 61 0d 0a 64 6f 6f 72 0d 0a 62 69 72 64 0d 0a 6b 69 64 0d 0a 77 65 73 74 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 6b 69 6e 64 0d 0a 77 6f 72 6b 0d 0a 6f 62 6a 65 63 74 0d 0a 63 68 61 72 0d 0a 6d 61 6e 0d 0a 7a 69 70 70 65 72 0d 0a 63 6f 6c 6f 72 0d 0a 68 65 61 64 0d 0a 67 75 65 73 74 0d 0a 65 72 72 6f 72 0d 0a 6f 63 65 61 6e 0d 0a 6a 75 6d 70 0d 0a 6d 61 70 0d 0a 66 61 72 6d 0d 0a 79 65 73 0d 0a 69 73 73 75 65 0d 0a 72 6f 61 64 0d 0a 73 74 61 72 0d 0a 6c 75 6e 63 68 0d 0a 7a 6f 6f 0d 0a 6f 62 6a 65 63 74 0d 0a 69 73 73 75 65 0d 0a 74 6f 70 0d 0a 6b 69 74 63 68 65 6e 0d 0a 61 6e 69 6d 61 6c 0d 0a 62 65 61 63 68 0d 0a 65 72 72 6f Data Ascii: icezoorivericestonecarbookpizzadoorbirdkidwestKanthankindworkobjectcharmanzippercolorheadguesterroroceanjumpmapfarmyesissueroadstarlunchzooobjectissuetopkitchenanimalbeacherro
2023-08-29 05:41:48 UTC	1518	IN	Data Raw: 73 63 68 6f 6f 6c 0d 0a 6c 69 6f 6e 0d 0a 70 61 70 65 72 0d 0a 6b 69 73 73 0d 0a 6b 69 6e 67 0d 0a 6c 6f 6e 67 0d 0a 72 69 76 65 72 0d 0a 74 61 6c 6b 0d 0a 73 63 68 6f 6f 6c 0d 0a 74 6f 70 0d 0a 70 65 61 72 0d 0a 67 6f 61 74 0d 0a 62 6f 78 0d 0a 76 69 63 74 6f 72 79 0d 0a 74 61 73 74 65 0d 0a 63 61 74 0d 0a 73 74 72 69 6e 67 0d 0a 65 64 67 65 0d 0a 6d 69 6c 6b 0d 0a 6e 6f 74 65 0d 0a 66 61 6c 6c 0d 0a 7a 6f 6e 65 0d 0a 74 61 6c 6b 0d 0a 69 6e 73 69 64 65 0d 0a 71 75 61 6c 69 74 79 0d 0a 65 6e 65 72 67 79 0d 0a 79 6f 75 6e 67 0d 0a 66 6f 6f 74 0d 0a 65 67 67 0d 0a 63 69 74 79 0d 0a 67 6f 6c 64 0d 0a 6c 69 66 65 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 73 6f 6e 67 0d 0a 68 69 67 68 0d 0a 63 6f 77 0d 0a 76 69 73 69 74 6f 72 0d 0a 61 6c 6f 6e 65 0d 0a 71 75 65 73 Data Ascii: schoollionpaperkisskinglongrivertalkschooltoppeargoatboxvictorytastecatstringedgemilknotefallzonetalkinsidequalityenergyyoungfooteggcitygoldlifequantitysonghighcowvisitoraloneques
2023-08-29 05:41:48 UTC	1534	IN	Data Raw: 0a 73 68 6f 72 74 0d 0a 61 69 72 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 6a 6f 79 0d 0a 67 6c 61 73 73 0d 0a 65 61 74 0d 0a 65 61 72 0d 0a 7a 69 70 70 65 72 0d 0a 76 69 73 69 74 6f 72 0d 0a 66 69 72 65 0d 0a 6e 6f 72 74 68 0d 0a 6c 69 6f 6e 0d 0a 65 61 73 74 0d 0a 63 68 61 72 0d 0a 62 6f 78 0d 0a 66 6f 72 0d 0a 68 61 74 0d 0a 6f 72 64 65 72 0d 0a 67 72 61 73 73 0d 0a 67 61 6d 65 0d 0a 62 61 6e 61 6e 61 0d 0a 77 61 79 0d 0a 6e 75 72 73 65 0d 0a 66 61 63 65 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 65 61 72 0d 0a 72 6f 6f 6d 0d 0a 72 69 76 65 72 0d 0a 67 6c 61 73 73 0d 0a 69 64 65 61 0d 0a 66 6f 72 0d 0a 77 61 72 6e 0d 0a 6f 66 66 65 72 0d 0a 6a 6f 79 0d 0a 77 68 69 6c 65 0d 0a 71 75 61 72 74 65 72 0d 0a 62 61 6e 61 6e 61 0d 0a 72 6f 61 64 0d 0a 76 65 67 65 74 Data Ascii: shortairknowledgejoyglasseatearzippervisitorfirenorthlioneastcharboxforhatordergrassgamebananawaynursefaceyesterdayearroomriverglassideaforwarnofferjoywhilequarterbananaroadveget
2023-08-29 05:41:48 UTC	1550	IN	Data Raw: 65 0d 0a 6e 69 67 68 74 0d 0a 6c 75 6e 63 68 0d 0a 66 61 6c 6c 0d 0a 77 61 79 0d 0a 6c 65 67 0d 0a 66 6f 6f 74 0d 0a 72 6f 63 6b 0d 0a 67 75 65 73 74 0d 0a 63 6f 77 0d 0a 77 69 6e 74 65 72 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 65 61 72 0d 0a 68 65 61 64 0d 0a 6a 75 64 67 65 0d 0a 6e 75 72 73 65 0d 0a 65 64 67 65 0d 0a 65 69 67 68 74 0d 0a 66 69 72 65 0d 0a 77 65 65 6b 0d 0a 65 61 74 0d 0a 64 61 6e 63 65 0d 0a 79 65 61 72 0d 0a 6c 69 66 65 0d 0a 6d 6f 74 68 65 72 0d 0a 68 65 6c 70 0d 0a 71 75 61 6c 69 66 79 0d 0a 6b 69 74 65 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 64 61 6e 63 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 66 69 72 65 0d 0a 76 69 73 69 74 6f 72 0d 0a 66 61 6c 6c 0d 0a 6b 69 74 65 0d 0a 77 65 73 74 0d 0a 74 61 73 74 65 0d 0a 6f 72 61 6e 67 65 0d Data Ascii: enightlunchfallwaylegfootrockguestcowwinteryesterdayearheadjudgenurseedgeeightfireweekeatdanceyearlifemotherhelpqualifykitequantitydanceunderstandfirevisitorfallkitewesttasteorange
2023-08-29 05:41:48 UTC	1566	IN	Data Raw: 6e 0d 0a 63 61 74 0d 0a 73 68 6f 72 74 0d 0a 61 6c 6f 6e 65 0d 0a 6f 72 64 65 72 0d 0a 67 72 6f 75 70 0d 0a 6d 6f 74 68 65 72 0d 0a 6c 69 66 65 0d 0a 69 63 6f 6e 0d 0a 6f 72 61 6e 67 65 0d 0a 61 72 74 0d 0a 6f 6e 65 0d 0a 72 65 64 0d 0a 73 75 6e 0d 0a 6c 61 75 67 68 0d 0a 74 6f 77 6e 0d 0a 69 6e 73 69 64 65 0d 0a 69 63 6f 6e 0d 0a 79 61 77 6e 0d 0a 64 65 65 72 0d 0a 6b 69 6e 64 0d 0a 6e 6f 73 65 0d 0a 65 6e 64 0d 0a 6a 6f 79 0d 0a 67 6f 61 74 0d 0a 79 65 73 0d 0a 64 61 72 6b 0d 0a 69 6e 74 0d 0a 63 6c 69 70 0d 0a 61 6e 69 6d 61 6c 0d 0a 70 65 72 73 6f 6e 0d 0a 79 65 6c 6c 6f 77 0d 0a 62 6f 6f 6b 0d 0a 64 65 73 6b 0d 0a 76 61 6e 0d 0a 70 69 6e 6b 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6e 75 72 73 65 0d 0a 6e 6f 74 65 0d 0a 63 6c 69 70 0d 0a 61 77 61 72 64 0d Data Ascii: ncatshortaloneordergroupmotherlifeiconorangeartoneredsunlaughtowninsideiconyawndeerkindnoseendjoygoatyesdarkintclipanimalpersonyellowbookdeskvanpinkunsignednursenoteclipaward
2023-08-29 05:41:48 UTC	1582	IN	Data Raw: 0d 0a 6f 72 61 6e 67 65 0d 0a 6d 65 61 6c 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6a 6f 79 0d 0a 69 64 65 61 0d 0a 67 75 65 73 74 0d 0a 6d 61 63 68 69 6e 65 0d 0a 62 61 6e 61 6e 61 0d 0a 69 64 65 61 0d 0a 67 6f 6c 64 0d 0a 6d 6f 74 68 65 72 0d 0a 79 61 77 6e 0d 0a 6f 66 66 65 72 0d 0a 71 75 69 63 6b 0d 0a 62 61 6c 6c 0d 0a 79 61 77 6e 0d 0a 62 6c 75 65 0d 0a 6e 65 65 64 0d 0a 79 6f 75 6e 67 0d 0a 6b 69 74 65 0d 0a 69 6e 74 0d 0a 6d 6f 6f 6e 0d 0a 70 69 7a 7a 61 0d 0a 79 65 6c 6c 6f 77 0d 0a 71 75 61 6c 69 66 79 0d 0a 6c 69 66 65 0d 0a 6e 6f 74 65 0d 0a 72 75 6e 0d 0a 6c 61 6e 64 0d 0a 62 6f 79 0d 0a 65 6e 65 72 67 79 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 6e 75 6d 62 65 72 0d 0a 69 63 6f 6e 0d 0a 6f 63 65 61 6e 0d 0a 73 74 6f 6e 65 0d 0a 70 65 61 72 0d 0a 6e 75 72 Data Ascii: orangemealunsignedjoyideaguestmachinebananaideagoldmotheryawnofferquickballyawnblueneedyoungkiteintmoonpizzayellowqualifylifenoterunlandboyenergyjourneynumbericonoceanstonepearnur
2023-08-29 05:41:48 UTC	1598	IN	Data Raw: 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 77 69 6e 74 65 72 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 75 6e 69 74 0d 0a 61 6e 74 0d 0a 7a 65 72 6f 0d 0a 6f 72 61 6e 67 65 0d 0a 69 73 73 75 65 0d 0a 69 6e 63 6f 6d 65 0d 0a 70 65 6e 0d 0a 6d 6f 6f 6e 0d 0a 61 6e 69 6d 61 6c 0d 0a 6e 75 6d 62 65 72 0d 0a 6d 61 70 0d 0a 63 6c 69 70 0d 0a 61 6c 6f 6e 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 75 72 67 65 0d 0a 64 61 6e 63 65 0d 0a 65 69 67 68 74 0d 0a 68 6f 70 65 0d 0a 67 72 6f 75 70 0d 0a 66 61 72 6d 0d 0a 66 6c 6f 77 65 72 0d 0a 64 61 79 0d 0a 67 6c 61 73 73 0d 0a 6f 6e 65 0d 0a 68 69 74 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 71 75 69 65 74 0d 0a 6d 69 6c 6b 0d 0a 66 61 74 68 65 72 0d 0a 72 69 76 65 72 0d 0a 6c 61 6d 70 0d 0a 6e 6f 72 74 68 0d 0a 70 61 70 65 72 0d 0a Data Ascii: yuniversitywintervegetableunitantzeroorangeissueincomepenmoonanimalnumbermapclipaloneyellowurgedanceeighthopegroupfarmflowerdayglassonehityesterdayquietmilkfatherriverlampnorthpaper
2023-08-29 05:41:48 UTC	1614	IN	Data Raw: 0d 0a 67 6f 6c 64 0d 0a 71 75 61 6c 69 74 79 0d 0a 72 61 69 6e 0d 0a 6e 75 72 73 65 0d 0a 73 74 61 72 0d 0a 6a 65 6c 6c 79 0d 0a 6d 61 63 68 69 6e 65 0d 0a 63 6c 6f 75 64 0d 0a 73 75 67 61 72 0d 0a 62 61 6e 61 6e 61 0d 0a 73 75 67 61 72 0d 0a 73 74 61 72 0d 0a 77 6f 72 6b 0d 0a 67 72 61 73 73 0d 0a 75 73 75 61 6c 6c 79 0d 0a 61 72 72 6f 77 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 77 6f 6d 61 6e 0d 0a 74 6f 70 0d 0a 70 65 72 73 6f 6e 0d 0a 64 65 73 6b 0d 0a 64 6f 6f 72 0d 0a 7a 69 70 70 65 72 0d 0a 63 6f 6c 6f 72 0d 0a 62 61 6c 6c 0d 0a 73 74 6f 6e 65 0d 0a 6f 6e 65 0d 0a 6e 65 65 64 0d 0a 77 61 79 0d 0a 69 73 73 75 65 0d 0a 75 6e 63 6c 65 0d 0a 69 63 6f 6e 0d 0a 79 65 61 72 0d 0a 72 69 76 65 72 0d 0a 6f 6e 65 0d 0a 62 6f 78 0d 0a 6b 69 74 63 68 65 6e Data Ascii: goldqualityrainnursestarjellymachinecloudsugarbananasugarstarworkgrassusuallyarrowinformationwomantoppersondeskdoorzippercolorballstoneoneneedwayissueuncleiconyearriveroneboxkitchen
2023-08-29 05:41:48 UTC	1630	IN	Data Raw: 6e 63 6f 6d 65 0d 0a 65 6e 64 0d 0a 6a 6f 6b 65 0d 0a 69 63 65 0d 0a 77 61 72 6e 0d 0a 6a 61 63 6b 65 74 0d 0a 66 6f 6f 64 0d 0a 62 61 6e 61 6e 61 0d 0a 6e 75 72 73 65 0d 0a 64 61 79 0d 0a 6c 6f 76 65 0d 0a 65 72 72 6f 72 0d 0a 76 6f 69 63 65 0d 0a 70 65 6e 0d 0a 6d 61 6e 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 6c 69 66 65 0d 0a 65 61 72 0d 0a 73 75 6e 0d 0a 72 6f 61 64 0d 0a 63 61 72 0d 0a 6c 69 6f 6e 0d 0a 68 61 74 0d 0a 62 65 61 63 68 0d 0a 62 61 6c 6c 0d 0a 76 6f 69 63 65 0d 0a 68 61 74 0d 0a 6e 75 6d 62 65 72 0d 0a 73 68 6f 72 74 0d 0a 65 61 73 74 0d 0a 78 79 6c 65 6d 0d 0a 6e 75 6d 62 65 72 0d 0a 74 69 6d 65 0d 0a 63 6f 77 0d 0a 73 65 76 65 6e 0d 0a 65 6e 64 0d 0a 7a 6f 6e 65 0d 0a 73 65 61 0d 0a 69 6e 73 69 64 65 0d 0a 75 73 65 0d 0a 6f 66 66 Data Ascii: ncomeendjokeicewarnjacketfoodbanananursedayloveerrorvoicepenmaninformationlifeearsunroadcarlionhatbeachballvoicehatnumbershorteastxylemnumbertimecowsevenendzoneseainsideuseoff
2023-08-29 05:41:48 UTC	1646	IN	Data Raw: 6f 72 0d 0a 72 65 64 0d 0a 76 69 73 69 74 6f 72 0d 0a 69 73 6c 61 6e 64 0d 0a 62 6f 79 0d 0a 76 61 6e 0d 0a 65 61 72 0d 0a 71 75 61 72 74 65 72 0d 0a 65 67 67 0d 0a 70 68 6f 6e 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 7a 6f 6d 62 69 65 0d 0a 79 65 61 72 6e 0d 0a 6c 6f 76 65 0d 0a 72 6f 61 64 0d 0a 6e 61 74 75 72 65 0d 0a 64 61 72 6b 0d 0a 6c 61 6e 64 0d 0a 6f 72 61 6e 67 65 0d 0a 67 72 65 65 6e 0d 0a 61 72 72 61 79 0d 0a 7a 65 72 6f 0d 0a 73 68 6f 72 74 0d 0a 61 69 72 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 67 72 65 65 6e 0d 0a 6e 75 72 73 65 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 77 61 79 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 63 61 72 0d 0a 77 69 6e 74 65 72 0d 0a 6d 75 73 69 63 0d 0a 76 6f 69 63 65 0d 0a 7a 69 70 70 65 72 0d 0a 64 61 6e 63 65 0d 0a 6d 6f 6f 6e 0d 0a 64 Data Ascii: orredvisitorislandboyvanearquartereggphoneyellowzombieyearnloveroadnaturedarklandorangegreenarrayzeroshortairyesterdaygreennurseKanthanwayquantitycarwintermusicvoicezipperdancemoond
2023-08-29 05:41:48 UTC	1662	IN	Data Raw: 6f 6f 74 0d 0a 68 6f 70 65 0d 0a 68 69 74 0d 0a 68 6f 75 73 65 0d 0a 62 65 61 63 68 0d 0a 6b 69 73 73 0d 0a 74 65 73 74 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 77 6f 72 6b 0d 0a 6b 65 79 0d 0a 65 73 63 61 70 65 0d 0a 64 6f 0d 0a 6c 69 6f 6e 0d 0a 6d 65 6e 74 0d 0a 77 65 65 6b 0d 0a 79 65 73 0d 0a 7a 65 72 6f 0d 0a 79 65 61 72 0d 0a 62 6f 79 0d 0a 62 69 72 64 0d 0a 65 72 72 6f 72 0d 0a 61 77 61 72 64 0d 0a 6f 62 6a 65 63 74 0d 0a 79 65 6c 6c 6f 77 0d 0a 70 68 6f 6e 65 0d 0a 62 6f 79 0d 0a 76 69 64 65 6f 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 65 73 63 61 70 65 0d 0a 6c 69 66 65 0d 0a 7a 65 61 6c 0d 0a 62 75 73 0d 0a 61 63 65 0d 0a 61 69 72 0d 0a 6a 75 6d 70 0d 0a 73 6b 79 0d 0a 65 69 67 68 74 0d 0a 72 65 64 0d 0a 79 65 61 72 0d 0a 69 6e 6b 0d 0a 68 61 6e 64 0d Data Ascii: oothopehithousebeachkisstestvegetableworkkeyescapedolionmentweekyeszeroyearboybirderrorawardobjectyellowphoneboyvideoquestionescapelifezealbusaceairjumpskyeightredyearinkhand
2023-08-29 05:41:48 UTC	1678	IN	Data Raw: 69 74 0d 0a 76 69 73 69 74 6f 72 0d 0a 7a 65 61 6c 0d 0a 6f 63 65 61 6e 0d 0a 6d 61 70 0d 0a 75 73 75 61 6c 6c 79 0d 0a 71 75 61 6c 69 74 79 0d 0a 63 61 74 0d 0a 7a 65 72 6f 0d 0a 73 6e 6f 77 0d 0a 65 73 63 61 70 65 0d 0a 77 6f 6d 61 6e 0d 0a 70 69 63 74 75 72 65 0d 0a 6a 61 76 61 0d 0a 73 74 61 72 0d 0a 76 69 65 77 0d 0a 70 61 70 65 72 0d 0a 76 61 6e 0d 0a 67 72 6f 75 70 0d 0a 6c 69 66 65 0d 0a 6a 61 76 61 0d 0a 6c 75 6e 63 68 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 6e 6f 72 74 68 0d 0a 67 68 6f 73 74 0d 0a 64 65 73 6b 0d 0a 75 6e 69 74 0d 0a 62 69 72 64 0d 0a 6b 69 6e 67 0d 0a 6c 61 6b 65 0d 0a 73 6f 6e 67 0d 0a 79 61 77 6e 0d 0a 6a 65 6c 6c 79 0d 0a 68 61 69 72 0d 0a 69 6e 73 69 64 65 0d 0a 72 69 73 65 0d 0a 75 6e 63 6c 65 0d 0a 6e 61 74 75 72 65 0d 0a 76 Data Ascii: itvisitorzealoceanmapusuallyqualitycatzerosnowescapewomanpicturejavastarviewpapervangrouplifejavalunchquantitynorthghostdeskunitbirdkinglakesongyawnjellyhairinsideriseunclenaturev
2023-08-29 05:41:48 UTC	1694	IN	Data Raw: 6e 74 0d 0a 62 6f 6f 6b 0d 0a 68 69 67 68 0d 0a 6f 62 6a 65 63 74 0d 0a 6a 61 63 6b 65 74 0d 0a 70 61 70 65 72 0d 0a 6d 65 61 6c 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 71 75 65 65 6e 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 77 68 69 74 65 0d 0a 68 65 6c 70 0d 0a 68 65 61 64 0d 0a 70 69 7a 7a 61 0d 0a 76 6f 69 63 65 0d 0a 64 65 73 6b 0d 0a 6b 69 74 63 68 65 6e 0d 0a 63 61 74 0d 0a 7a 6f 6f 0d 0a 68 69 67 68 0d 0a 63 61 74 0d 0a 64 61 6e 63 65 0d 0a 62 69 72 64 0d 0a 7a 65 61 6c 0d 0a 70 68 6f 6e 65 0d 0a 6a 75 6d 70 0d 0a 67 6c 61 73 73 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 69 6e 63 6f 6d 65 0d 0a 73 6e 61 6b 65 0d 0a 6d 61 70 0d 0a 70 69 6e 6b 0d 0a 6d 69 6c 6b 0d 0a 68 61 69 72 0d 0a 62 61 6c 6c 0d 0a 6f 63 65 61 6e 0d 0a 63 69 74 79 Data Ascii: ntbookhighobjectjacketpapermealyesterdayqueenvacationwhitehelpheadpizzavoicedeskkitchencatzoohighcatdancebirdzealphonejumpglassvegetablemonkeyincomesnakemappinkmilkhairballoceancity
2023-08-29 05:41:48 UTC	1710	IN	Data Raw: 61 75 67 68 0d 0a 76 69 64 65 6f 0d 0a 66 6f 72 0d 0a 74 61 6c 6b 0d 0a 63 6f 6c 6f 72 0d 0a 64 61 79 0d 0a 66 61 6c 6c 0d 0a 6b 69 64 0d 0a 61 72 63 68 0d 0a 7a 65 62 72 61 0d 0a 6a 61 63 6b 65 74 0d 0a 71 75 65 65 6e 0d 0a 66 61 63 65 0d 0a 77 61 74 65 72 0d 0a 6a 61 63 6b 65 74 0d 0a 6f 72 61 6e 67 65 0d 0a 6a 61 76 61 0d 0a 76 69 63 74 6f 72 79 0d 0a 73 74 6f 6e 65 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 6f 72 61 6e 67 65 0d 0a 6c 6f 6e 67 0d 0a 62 65 61 63 68 0d 0a 6e 69 67 68 74 0d 0a 6f 6e 65 0d 0a 64 6f 6f 72 0d 0a 79 65 61 72 0d 0a 66 6f 6f 64 0d 0a 6c 69 6f 6e 0d 0a 6e 69 67 68 74 0d 0a 62 6f 6f 6b 0d 0a 76 69 63 74 6f 72 79 0d 0a 74 6f 70 0d 0a 61 63 65 0d 0a 67 72 61 73 73 0d 0a 68 65 61 64 0d 0a 76 69 65 77 0d 0a 76 61 6c 75 65 0d 0a 72 69 Data Ascii: aughvideofortalkcolordayfallkidarchzebrajacketqueenfacewaterjacketorangejavavictorystoneuniversityorangelongbeachnightonedooryearfoodlionnightbookvictorytopacegrassheadviewvalueri
2023-08-29 05:41:48 UTC	1726	IN	Data Raw: 0a 66 69 73 68 0d 0a 74 61 6c 6b 0d 0a 66 69 73 68 0d 0a 68 61 74 0d 0a 6e 75 6d 62 65 72 0d 0a 74 6f 77 6e 0d 0a 72 6f 61 64 0d 0a 70 65 72 73 6f 6e 0d 0a 67 75 65 73 74 0d 0a 6f 70 65 6e 0d 0a 68 65 61 64 0d 0a 69 6e 6b 0d 0a 75 72 67 65 0d 0a 72 6f 63 6b 0d 0a 74 65 73 74 0d 0a 6f 62 6a 65 63 74 0d 0a 6f 72 61 6e 67 65 0d 0a 77 61 79 0d 0a 70 61 70 65 72 0d 0a 65 61 73 74 0d 0a 67 6f 6c 64 0d 0a 75 6e 69 74 0d 0a 66 69 72 65 0d 0a 6d 65 6e 74 0d 0a 6c 65 74 74 65 72 0d 0a 63 61 6b 65 0d 0a 67 6c 61 73 73 0d 0a 66 6c 6f 77 65 72 0d 0a 74 65 61 63 68 65 72 0d 0a 77 68 69 6c 65 0d 0a 6d 69 6c 6b 0d 0a 6d 61 6e 0d 0a 67 72 6f 75 70 0d 0a 70 65 6e 0d 0a 7a 6f 6e 65 0d 0a 65 69 67 68 74 0d 0a 6c 61 6e 64 0d 0a 6c 6f 6e 67 0d 0a 7a 6f 6f 0d 0a 78 79 6c 65 6d Data Ascii: fishtalkfishhatnumbertownroadpersonguestopenheadinkurgerocktestobjectorangewaypapereastgoldunitfirementlettercakeglassflowerteacherwhilemilkmangrouppenzoneeightlandlongzooxylem
2023-08-29 05:41:48 UTC	1742	IN	Data Raw: 0d 0a 61 72 63 68 0d 0a 6c 75 6e 63 68 0d 0a 77 68 69 74 65 0d 0a 61 63 65 0d 0a 77 69 6e 74 65 72 0d 0a 65 69 67 68 74 0d 0a 70 65 72 73 6f 6e 0d 0a 6c 61 75 67 68 0d 0a 6d 61 6e 0d 0a 79 65 6c 6c 6f 77 0d 0a 77 6f 72 6b 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 6e 65 65 64 0d 0a 73 74 6f 6e 65 0d 0a 73 65 61 0d 0a 61 69 72 0d 0a 61 63 65 0d 0a 6d 65 61 6c 0d 0a 6f 63 65 61 6e 0d 0a 6c 61 75 67 68 0d 0a 67 6f 6c 64 0d 0a 75 6e 63 6c 65 0d 0a 61 72 63 68 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 63 6f 6c 6f 72 0d 0a 77 69 6e 64 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 61 72 72 61 79 0d 0a 73 6e 61 6b 65 0d 0a 73 74 61 72 0d 0a 65 61 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 79 61 77 6e 0d 0a 79 61 77 6e 0d 0a 72 61 62 62 69 74 0d 0a 79 65 61 72 6e 0d 0a 6f 70 65 6e Data Ascii: archlunchwhiteacewintereightpersonlaughmanyellowworkuniversityneedstoneseaairacemealoceanlaughgoldunclearchvegetablecolorwindunderstandarraysnakestarearmonkeyyawnyawnrabbityearnopen
2023-08-29 05:41:48 UTC	1758	IN	Data Raw: 0d 0a 61 63 65 0d 0a 74 72 61 69 6e 0d 0a 76 69 64 65 6f 0d 0a 69 6e 6b 0d 0a 69 73 6c 61 6e 64 0d 0a 72 75 6e 0d 0a 6c 6f 76 65 0d 0a 6f 66 66 65 72 0d 0a 6e 6f 74 65 0d 0a 72 6f 63 6b 0d 0a 71 75 6f 74 65 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 66 6f 6f 74 0d 0a 73 74 61 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 68 65 6c 70 0d 0a 77 69 6e 64 0d 0a 78 79 6c 65 6d 0d 0a 64 72 65 61 6d 0d 0a 75 6e 69 74 0d 0a 73 65 76 65 6e 0d 0a 6b 69 74 63 68 65 6e 0d 0a 75 72 67 65 0d 0a 6f 70 65 6e 0d 0a 6b 69 74 63 68 65 6e 0d 0a 63 6c 69 70 0d 0a 77 61 74 65 72 0d 0a 6f 6e 65 0d 0a 79 65 73 0d 0a 6d 6f 6f 6e 0d 0a 68 61 69 72 0d 0a 67 72 61 73 73 0d 0a 6e 6f 72 74 68 0d 0a 69 6e 6b 0d 0a 6d 61 70 0d 0a 64 72 65 61 6d 0d 0a 6c 69 6f 6e 0d 0a 68 6f 75 73 65 0d 0a 79 65 61 Data Ascii: acetrainvideoinkislandrunloveoffernoterockquoteinformationfootstarmonkeyhelpwindxylemdreamunitsevenkitchenurgeopenkitchenclipwateroneyesmoonhairgrassnorthinkmapdreamlionhouseyea
2023-08-29 05:41:48 UTC	1774	IN	Data Raw: 6f 72 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 6d 6f 76 69 65 0d 0a 66 61 63 65 0d 0a 65 61 73 74 0d 0a 6f 66 66 69 63 65 0d 0a 64 72 65 61 6d 0d 0a 74 72 65 65 0d 0a 73 74 61 72 0d 0a 73 65 61 0d 0a 62 75 73 0d 0a 65 6e 65 72 67 79 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 63 68 61 72 0d 0a 6d 61 70 0d 0a 77 69 6e 64 0d 0a 6b 65 65 70 0d 0a 68 6f 75 73 65 0d 0a 6b 69 73 73 0d 0a 6f 72 61 6e 67 65 0d 0a 66 6f 6f 74 0d 0a 72 6f 61 64 0d 0a 73 68 6f 72 74 0d 0a 68 69 67 68 0d 0a 65 61 74 0d 0a 6d 69 6c 6b 0d 0a 65 61 73 74 0d 0a 64 61 6e 63 65 0d 0a 68 61 6e 64 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 6d 61 70 0d 0a 62 65 61 63 68 0d 0a 67 68 6f 73 74 0d 0a 65 6e 64 0d 0a 65 69 67 68 74 0d 0a 6a 75 64 67 65 0d 0a 76 69 65 77 0d 0a 6d 6f 6f 6e 0d 0a 6a 75 64 67 65 Data Ascii: orjourneymoviefaceeastofficedreamtreestarseabusenergyknowledgecharmapwindkeephousekissorangefootroadshorthigheatmilkeastdancehandundergroundmapbeachghostendeightjudgeviewmoonjudge
2023-08-29 05:41:48 UTC	1790	IN	Data Raw: 0d 0a 6c 61 6b 65 0d 0a 63 6f 6c 6f 72 0d 0a 61 69 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 72 69 76 65 72 0d 0a 76 61 6c 75 65 0d 0a 74 6f 70 0d 0a 6b 69 6e 67 0d 0a 6b 69 6e 67 0d 0a 75 6e 69 74 0d 0a 68 69 67 68 0d 0a 70 61 70 65 72 0d 0a 6f 62 6a 65 63 74 0d 0a 6c 69 66 65 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 77 6f 72 6b 0d 0a 70 68 6f 6e 65 0d 0a 6a 65 6c 6c 79 0d 0a 6b 69 63 6b 0d 0a 65 64 67 65 0d 0a 72 65 64 0d 0a 65 72 72 6f 72 0d 0a 6a 75 64 67 65 0d 0a 77 61 79 0d 0a 63 6c 69 70 0d 0a 73 6e 61 6b 65 0d 0a 68 69 67 68 0d 0a 77 61 74 65 72 0d 0a 79 61 77 6e 0d 0a 62 65 61 63 68 0d 0a 63 61 6d 65 72 61 0d 0a 74 72 65 65 0d 0a 62 61 6e 61 6e 61 0d 0a 69 73 73 75 65 0d 0a 7a 65 72 6f 0d 0a 6f 66 66 69 63 65 0d 0a 6a 75 64 67 65 0d 0a 74 69 67 65 72 Data Ascii: lakecolorairmonkeyrivervaluetopkingkingunithighpaperobjectlifeundergroundworkphonejellykickedgerederrorjudgewayclipsnakehighwateryawnbeachcameratreebananaissuezeroofficejudgetiger
2023-08-29 05:41:49 UTC	1806	IN	Data Raw: 0d 0a 73 65 76 65 6e 0d 0a 6e 65 65 64 0d 0a 68 61 69 72 0d 0a 67 72 6f 75 70 0d 0a 70 69 63 74 75 72 65 0d 0a 63 68 61 72 0d 0a 61 6e 74 0d 0a 73 6b 79 0d 0a 62 61 6c 6c 0d 0a 68 61 6e 64 0d 0a 6c 75 6e 63 68 0d 0a 65 61 72 74 68 0d 0a 66 6f 6f 74 0d 0a 73 75 6e 0d 0a 62 6c 75 65 0d 0a 6f 70 65 6e 0d 0a 65 61 74 0d 0a 61 63 65 0d 0a 73 74 6f 6e 65 0d 0a 63 6c 6f 75 64 0d 0a 6c 69 66 65 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 72 6f 61 64 0d 0a 73 65 76 65 6e 0d 0a 74 72 65 65 0d 0a 6b 69 63 6b 0d 0a 73 65 61 0d 0a 65 61 73 74 0d 0a 6a 6f 6b 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 74 61 6c 6b 0d 0a 79 65 73 0d 0a 69 73 73 75 65 0d 0a 65 73 63 61 70 65 0d 0a 61 70 70 6c 65 0d 0a 65 64 67 65 0d 0a 70 61 70 65 72 0d 0a 77 6f 72 6b 0d 0a 75 6e 69 76 65 72 73 69 74 Data Ascii: sevenneedhairgrouppicturecharantskyballhandlunchearthfootsunblueopeneatacestonecloudlifeuniversityroadseventreekickseaeastjokeyellowtalkyesissueescapeappleedgepaperworkuniversit
2023-08-29 05:41:49 UTC	1822	IN	Data Raw: 72 65 61 6d 0d 0a 79 65 73 0d 0a 67 69 72 6c 0d 0a 73 74 61 72 0d 0a 6c 61 6b 65 0d 0a 6f 6e 65 0d 0a 61 72 72 6f 77 0d 0a 65 61 72 74 68 0d 0a 74 6f 77 6e 0d 0a 64 65 65 72 0d 0a 76 69 64 65 6f 0d 0a 66 69 73 68 0d 0a 7a 6f 6e 65 0d 0a 79 65 73 0d 0a 63 6c 69 70 0d 0a 7a 65 61 6c 0d 0a 71 75 61 6c 69 66 79 0d 0a 67 61 6d 65 0d 0a 69 6e 74 0d 0a 67 72 6f 75 70 0d 0a 71 75 61 72 74 65 72 0d 0a 65 6e 64 0d 0a 66 61 74 68 65 72 0d 0a 62 6f 78 0d 0a 6a 61 72 0d 0a 77 68 69 6c 65 0d 0a 73 6e 61 6b 65 0d 0a 68 6f 75 73 65 0d 0a 76 61 6e 0d 0a 61 72 74 0d 0a 77 6f 72 6b 0d 0a 77 6f 72 6b 0d 0a 77 65 65 6b 0d 0a 6c 6f 76 65 0d 0a 6b 69 6e 64 0d 0a 66 6f 6f 64 0d 0a 65 61 73 74 0d 0a 74 61 6c 6b 0d 0a 74 65 61 63 68 65 72 0d 0a 79 65 61 72 6e 0d 0a 74 69 6d 65 0d Data Ascii: reamyesgirlstarlakeonearrowearthtowndeervideofishzoneyesclipzealqualifygameintgroupquarterendfatherboxjarwhilesnakehousevanartworkworkweeklovekindfoodeasttalkteacheryearntime
2023-08-29 05:41:49 UTC	1838	IN	Data Raw: 61 6e 61 0d 0a 67 75 65 73 74 0d 0a 74 6f 77 6e 0d 0a 74 72 65 65 0d 0a 72 6f 6f 6d 0d 0a 66 6c 6f 77 65 72 0d 0a 75 72 67 65 0d 0a 63 6f 61 74 0d 0a 6c 6f 6e 67 0d 0a 70 6f 77 65 72 0d 0a 65 61 73 74 0d 0a 64 61 79 0d 0a 72 61 62 62 69 74 0d 0a 63 6c 69 70 0d 0a 72 65 73 74 0d 0a 6b 69 74 63 68 65 6e 0d 0a 6f 62 6a 65 63 74 0d 0a 64 6f 0d 0a 6f 63 65 61 6e 0d 0a 62 61 6e 61 6e 61 0d 0a 6c 6f 76 65 0d 0a 73 65 76 65 6e 0d 0a 64 65 73 6b 0d 0a 72 75 6e 0d 0a 61 63 65 0d 0a 6c 61 6e 64 0d 0a 69 6e 63 6f 6d 65 0d 0a 7a 65 72 6f 0d 0a 70 6f 77 65 72 0d 0a 74 65 73 74 0d 0a 6f 6e 65 0d 0a 67 75 65 73 74 0d 0a 61 70 70 6c 65 0d 0a 73 6b 79 0d 0a 73 68 6f 72 74 0d 0a 6c 61 6e 64 0d 0a 65 79 65 0d 0a 71 75 61 72 74 65 72 0d 0a 67 61 6d 65 0d 0a 77 6f 6d 61 6e 0d Data Ascii: anaguesttowntreeroomflowerurgecoatlongpowereastdayrabbitcliprestkitchenobjectdooceanbananalovesevendeskrunacelandincomezeropowertestoneguestappleskyshortlandeyequartergamewoman
2023-08-29 05:41:49 UTC	1854	IN	Data Raw: 0d 0a 65 69 67 68 74 0d 0a 72 69 73 65 0d 0a 74 72 65 65 0d 0a 6a 6f 6b 65 0d 0a 76 69 73 69 74 6f 72 0d 0a 64 72 65 61 6d 0d 0a 64 6f 0d 0a 77 61 72 6e 0d 0a 65 61 74 0d 0a 66 6f 6f 64 0d 0a 7a 65 72 6f 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 73 6e 61 6b 65 0d 0a 6c 61 6d 70 0d 0a 72 65 73 74 0d 0a 66 6c 6f 77 65 72 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 65 67 67 0d 0a 61 6e 74 0d 0a 66 6f 6f 74 0d 0a 71 75 69 65 74 0d 0a 6c 61 6b 65 0d 0a 62 6f 79 0d 0a 65 61 72 0d 0a 69 63 65 0d 0a 65 67 67 0d 0a 6b 69 6e 67 0d 0a 70 69 63 74 75 72 65 0d 0a 70 6c 61 6e 74 0d 0a 61 63 65 0d 0a 67 72 6f 75 70 0d 0a 68 6f 70 65 0d 0a 77 61 72 6e 0d 0a 6b 69 63 6b 0d 0a 61 72 72 6f 77 0d 0a 7a 6f 6d 62 69 65 0d 0a 66 61 72 6d 0d 0a 74 Data Ascii: eightrisetreejokevisitordreamdowarneatfoodzeroquestionunderstandsnakelamprestflowerundergroundeggantfootquietlakeboyeariceeggkingpictureplantacegrouphopewarnkickarrowzombiefarmt
2023-08-29 05:41:49 UTC	1870	IN	Data Raw: 69 6f 6e 0d 0a 72 69 76 65 72 0d 0a 63 61 74 0d 0a 61 63 65 0d 0a 70 69 6e 6b 0d 0a 77 68 69 6c 65 0d 0a 6c 61 6d 70 0d 0a 69 73 6c 61 6e 64 0d 0a 66 6c 6f 77 65 72 0d 0a 63 6f 61 74 0d 0a 77 65 65 6b 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 70 69 7a 7a 61 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 75 72 67 65 0d 0a 64 72 65 61 6d 0d 0a 7a 65 72 6f 0d 0a 67 6f 6c 64 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 6c 69 6f 6e 0d 0a 6a 75 6d 70 0d 0a 73 74 61 72 0d 0a 71 75 61 6c 69 74 79 0d 0a 75 72 67 65 0d 0a 66 6c 6f 77 65 72 0d 0a 72 69 73 65 0d 0a 77 61 79 0d 0a 77 61 79 0d 0a 6e 61 74 75 72 65 0d 0a 72 75 6e 0d 0a 76 69 73 69 74 6f 72 0d 0a 67 61 6d 65 0d 0a 64 6f 0d 0a 74 61 73 74 65 0d 0a 63 6f 77 0d 0a 62 65 61 63 68 0d 0a 6c 65 67 0d 0a 76 6f 69 63 65 0d 0a 68 65 61 72 74 0d Data Ascii: ionrivercatacepinkwhilelampislandflowercoatweekjourneypizzavacationurgedreamzerogoldjourneylionjumpstarqualityurgeflowerrisewaywaynaturerunvisitorgamedotastecowbeachlegvoiceheart
2023-08-29 05:41:49 UTC	1886	IN	Data Raw: 61 63 68 0d 0a 6a 61 63 6b 65 74 0d 0a 72 6f 61 64 0d 0a 6d 6f 76 69 65 0d 0a 6a 61 72 0d 0a 77 68 69 6c 65 0d 0a 66 61 63 65 0d 0a 63 69 74 79 0d 0a 6a 6f 6b 65 0d 0a 66 61 63 65 0d 0a 75 72 67 65 0d 0a 62 61 6c 6c 0d 0a 70 69 7a 7a 61 0d 0a 72 69 76 65 72 0d 0a 67 72 6f 75 70 0d 0a 72 75 6e 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 70 65 6e 0d 0a 63 6c 69 70 0d 0a 63 6f 77 0d 0a 6e 61 6d 65 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 74 61 73 74 65 0d 0a 65 73 63 61 70 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 66 6f 6f 74 0d 0a 62 61 6c 6c 0d 0a 67 68 6f 73 74 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 61 63 65 0d 0a 6f 72 64 65 72 0d 0a 6a 6f 6b 65 0d 0a 74 6f 77 6e 0d 0a 62 61 6e 6b 0d 0a 71 75 61 6c 69 74 79 0d 0a 68 69 67 68 0d 0a 6f 72 64 65 72 0d 0a 79 61 77 6e 0d 0a 65 Data Ascii: achjacketroadmoviejarwhilefacecityjokefaceurgeballpizzarivergrouprunvegetablepenclipcownamejourneytasteescapeyellowfootballghostunderstandaceorderjoketownbankqualityhighorderyawne
2023-08-29 05:41:49 UTC	1902	IN	Data Raw: 6e 0d 0a 6d 75 73 69 63 0d 0a 68 69 74 0d 0a 77 61 79 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 66 61 63 65 0d 0a 71 75 65 65 6e 0d 0a 6d 61 6e 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 75 73 65 0d 0a 72 6f 61 64 0d 0a 77 65 73 74 0d 0a 75 6e 63 6c 65 0d 0a 66 75 6e 63 0d 0a 6b 65 65 70 0d 0a 6e 65 65 64 0d 0a 70 61 70 65 72 0d 0a 68 65 61 72 74 0d 0a 64 6f 6f 72 0d 0a 61 69 72 0d 0a 6c 61 6d 70 0d 0a 72 61 62 62 69 74 0d 0a 7a 6f 6f 0d 0a 71 75 69 65 74 0d 0a 73 65 76 65 6e 0d 0a 7a 69 70 70 65 72 0d 0a 6e 6f 72 74 68 0d 0a 6d 75 73 69 63 0d 0a 74 69 6d 65 0d 0a 71 75 69 63 6b 0d 0a 63 6f 61 74 0d 0a 6a 6f 79 0d 0a 61 72 74 0d 0a 6a 65 6c 6c 79 0d 0a 62 6f 78 0d 0a 61 69 72 0d 0a 6c 69 6f 6e 0d 0a 67 6f 61 74 0d 0a 61 69 72 0d 0a 6c 65 74 74 65 72 0d 0a 6d 69 6c 6b Data Ascii: nmusichitwayKanthanfacequeenmanvegetableuseroadwestunclefunckeepneedpaperheartdoorairlamprabbitzooquietsevenzippernorthmusictimequickcoatjoyartjellyboxairliongoatairlettermilk
2023-08-29 05:41:49 UTC	1918	IN	Data Raw: 74 61 6c 6b 0d 0a 68 65 6c 70 0d 0a 76 61 6c 75 65 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 73 6b 79 0d 0a 70 65 6e 0d 0a 74 72 65 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 73 65 61 0d 0a 72 75 6e 0d 0a 75 6e 63 6c 65 0d 0a 66 69 73 68 0d 0a 66 69 72 65 0d 0a 6e 6f 73 65 0d 0a 63 61 74 0d 0a 76 69 73 69 74 6f 72 0d 0a 64 6f 67 0d 0a 6f 72 61 6e 67 65 0d 0a 67 6f 61 74 0d 0a 71 75 65 65 6e 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 6c 61 6e 64 0d 0a 77 69 6e 74 65 72 0d 0a 66 6f 72 0d 0a 7a 6f 6f 0d 0a 66 6f 6f 74 0d 0a 67 6c 61 73 73 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 62 6f 78 0d 0a 73 68 6f 72 74 0d 0a 6f 66 66 65 72 0d 0a 70 65 6e 0d 0a 64 61 79 0d 0a 74 65 61 63 68 65 72 0d 0a 6c 61 75 67 68 0d 0a 68 65 61 72 74 0d 0a 6e 61 6d 65 0d 0a 61 72 72 61 79 0d 0a 67 75 65 Data Ascii: talkhelpvaluequantityskypentreeyellowsearununclefishfirenosecatvisitordogorangegoatqueenjourneylandwinterforzoofootglassinformationboxshortofferpendayteacherlaughheartnamearraygue
2023-08-29 05:41:49 UTC	1934	IN	Data Raw: 0d 0a 64 61 6e 63 65 0d 0a 62 6f 79 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 74 72 61 69 6e 0d 0a 65 61 73 74 0d 0a 64 65 65 72 0d 0a 66 61 74 68 65 72 0d 0a 68 65 61 64 0d 0a 74 6f 77 6e 0d 0a 68 61 6e 64 0d 0a 6c 75 6e 63 68 0d 0a 6f 72 61 6e 67 65 0d 0a 6d 75 73 69 63 0d 0a 7a 6f 6e 65 0d 0a 73 6e 6f 77 0d 0a 64 61 79 0d 0a 6d 6f 6e 6b 65 79 0d 0a 71 75 6f 74 65 0d 0a 68 6f 70 65 0d 0a 77 61 79 0d 0a 65 6e 64 0d 0a 69 6e 74 0d 0a 68 6f 75 73 65 0d 0a 76 61 6e 0d 0a 67 69 72 6c 0d 0a 69 73 73 75 65 0d 0a 69 6e 74 0d 0a 73 6e 6f 77 0d 0a 73 6e 61 6b 65 0d 0a 72 69 73 65 0d 0a 65 61 73 79 0d 0a 64 75 63 6b 0d 0a 69 64 65 61 0d 0a 6c 69 6f 6e 0d 0a 67 61 6d 65 0d 0a 73 68 6f 72 74 0d 0a 70 65 72 73 6f 6e 0d 0a 7a 6f 6f 0d 0a 71 75 61 6c 69 74 79 0d 0a 6d 65 6e Data Ascii: danceboyquestiontraineastdeerfatherheadtownhandlunchorangemusiczonesnowdaymonkeyquotehopewayendinthousevangirlissueintsnowsnakeriseeasyduckidealiongameshortpersonzooqualitymen
2023-08-29 05:41:49 UTC	1950	IN	Data Raw: 72 0d 0a 77 69 6e 74 65 72 0d 0a 65 61 74 0d 0a 66 6f 6f 64 0d 0a 64 6f 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 75 6e 63 6c 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 70 69 63 74 75 72 65 0d 0a 6c 69 6f 6e 0d 0a 6f 69 6c 0d 0a 73 6e 61 6b 65 0d 0a 61 63 65 0d 0a 73 74 61 72 0d 0a 74 65 73 74 0d 0a 63 61 6d 65 72 61 0d 0a 75 6e 69 74 0d 0a 77 61 74 65 72 0d 0a 6d 69 6c 6b 0d 0a 6b 69 73 73 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 68 6f 70 65 0d 0a 61 69 72 0d 0a 74 65 61 63 68 65 72 0d 0a 6e 61 6d 65 0d 0a 77 68 69 6c 65 0d 0a 6c 75 6e 63 68 0d 0a 76 69 65 77 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 66 61 63 65 0d 0a 6d 6f 76 69 65 0d 0a 6c 61 6e 64 0d 0a 72 61 62 62 69 74 0d 0a 6e 6f 72 74 68 0d 0a 6d 69 6c 6b 0d 0a 74 61 73 74 65 0d 0a 67 6f 61 74 0d 0a 73 65 Data Ascii: rwintereatfooddovacationunclemonkeypicturelionoilsnakeacestartestcameraunitwatermilkkissinformationhopeairteachernamewhilelunchviewundergroundfacemovielandrabbitnorthmilktastegoatse
2023-08-29 05:41:49 UTC	1966	IN	Data Raw: 6e 0d 0a 67 69 72 6c 0d 0a 70 68 6f 6e 65 0d 0a 6c 61 6d 70 0d 0a 66 69 73 68 0d 0a 79 6f 75 6e 67 0d 0a 71 75 69 65 74 0d 0a 75 6e 63 6c 65 0d 0a 64 65 73 6b 0d 0a 6e 75 6d 62 65 72 0d 0a 71 75 65 65 6e 0d 0a 65 64 67 65 0d 0a 71 75 69 65 74 0d 0a 73 68 6f 72 74 0d 0a 62 61 6e 61 6e 61 0d 0a 6e 6f 74 65 0d 0a 79 65 61 72 6e 0d 0a 62 61 6c 6c 0d 0a 63 6f 61 74 0d 0a 6c 69 6f 6e 0d 0a 6a 75 6d 70 0d 0a 62 61 6c 6c 0d 0a 6e 6f 73 65 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 61 72 72 61 79 0d 0a 65 6e 64 0d 0a 64 6f 0d 0a 73 74 6f 6e 65 0d 0a 76 69 73 69 74 6f 72 0d 0a 79 65 6c 6c 6f 77 0d 0a 77 68 69 6c 65 0d 0a 70 68 6f 6e 65 0d 0a 72 61 62 62 69 74 0d 0a 6e 75 6d 62 65 72 0d 0a 6d 61 70 0d 0a 6c 61 6e 64 0d 0a 61 69 72 0d 0a 61 72 63 68 0d 0a 70 69 63 74 Data Ascii: ngirlphonelampfishyoungquietuncledesknumberqueenedgequietshortbanananoteyearnballcoatlionjumpballnoseuniversityarrayenddostonevisitoryellowwhilephonerabbitnumbermaplandairarchpict
2023-08-29 05:41:49 UTC	1982	IN	Data Raw: 65 67 0d 0a 77 6f 72 6b 0d 0a 6f 63 65 61 6e 0d 0a 63 6c 6f 75 64 0d 0a 70 61 70 65 72 0d 0a 6d 6f 6f 6e 0d 0a 63 61 74 0d 0a 64 65 65 72 0d 0a 64 61 6e 63 65 0d 0a 63 6c 6f 75 64 0d 0a 62 6f 78 0d 0a 70 65 6e 0d 0a 6f 70 65 6e 0d 0a 73 75 67 61 72 0d 0a 6d 61 70 0d 0a 6c 61 6b 65 0d 0a 62 61 6c 6c 0d 0a 63 6f 61 74 0d 0a 77 68 69 6c 65 0d 0a 64 61 6e 63 65 0d 0a 69 64 65 61 0d 0a 61 6c 6f 6e 65 0d 0a 6f 66 66 65 72 0d 0a 6a 75 6d 70 0d 0a 72 6f 63 6b 0d 0a 75 6e 69 74 0d 0a 6b 69 63 6b 0d 0a 6a 75 64 67 65 0d 0a 6e 69 67 68 74 0d 0a 63 6f 6c 6f 72 0d 0a 72 75 6e 0d 0a 73 75 67 61 72 0d 0a 66 69 72 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 72 75 6e 0d 0a 73 74 72 69 6e 67 0d 0a 73 65 76 65 6e 0d 0a 61 72 63 68 0d 0a 73 74 6f 6e 65 0d 0a 6e 61 6d 65 0d 0a Data Ascii: egworkoceancloudpapermooncatdeerdancecloudboxpenopensugarmaplakeballcoatwhiledanceideaaloneofferjumprockunitkickjudgenightcolorrunsugarfireknowledgerunstringsevenarchstonename
2023-08-29 05:41:49 UTC	1998	IN	Data Raw: 0a 64 61 6e 63 65 0d 0a 6b 65 79 0d 0a 6a 6f 6b 65 0d 0a 71 75 61 72 74 65 72 0d 0a 75 73 65 0d 0a 6f 66 66 65 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 68 6f 70 65 0d 0a 66 75 6e 63 0d 0a 70 61 70 65 72 0d 0a 6e 69 67 68 74 0d 0a 64 61 72 6b 0d 0a 66 72 69 65 6e 64 0d 0a 6c 69 6f 6e 0d 0a 66 61 6c 6c 0d 0a 64 61 72 6b 0d 0a 69 6e 6b 0d 0a 74 65 61 63 68 65 72 0d 0a 64 75 63 6b 0d 0a 72 69 73 65 0d 0a 77 61 74 65 72 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 65 79 65 0d 0a 76 69 65 77 0d 0a 62 69 72 64 0d 0a 6a 6f 6b 65 0d 0a 71 75 6f 74 65 0d 0a 65 72 72 6f 72 0d 0a 63 6c 6f 75 64 0d 0a 62 69 72 64 0d 0a 71 75 65 65 6e 0d 0a 6c 61 6d 70 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 76 61 6e 0d 0a 71 75 61 6c 69 74 79 0d 0a 65 67 67 0d 0a 69 63 65 0d 0a 65 61 73 79 0d 0a 71 75 Data Ascii: dancekeyjokequarteruseoffermonkeyhopefuncpapernightdarkfriendlionfalldarkinkteacherduckrisewaterunsignedeyeviewbirdjokequoteerrorcloudbirdqueenlampyesterdayvanqualityeggiceeasyqu
2023-08-29 05:41:49 UTC	2014	IN	Data Raw: 6c 6c 0d 0a 64 61 74 61 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 67 6f 61 74 0d 0a 72 61 62 62 69 74 0d 0a 63 61 6b 65 0d 0a 64 61 74 61 0d 0a 74 65 73 74 0d 0a 6d 69 6c 6b 0d 0a 6b 65 79 0d 0a 77 6f 72 6c 64 0d 0a 72 6f 61 64 0d 0a 70 6f 77 65 72 0d 0a 63 61 72 0d 0a 73 75 67 61 72 0d 0a 73 6f 6e 67 0d 0a 67 6f 6c 64 0d 0a 77 6f 6d 61 6e 0d 0a 73 74 72 69 6e 67 0d 0a 64 65 73 6b 0d 0a 71 75 6f 74 65 0d 0a 65 61 72 74 68 0d 0a 69 6e 73 69 64 65 0d 0a 71 75 65 65 6e 0d 0a 6b 69 64 0d 0a 6d 61 63 68 69 6e 65 0d 0a 7a 65 62 72 61 0d 0a 72 6f 63 6b 0d 0a 6c 6f 6e 67 0d 0a 7a 65 72 6f 0d 0a 70 69 63 74 75 72 65 0d 0a 6b 69 63 6b 0d 0a 71 75 65 65 6e 0d 0a 75 6e 63 6c 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 6f 72 61 6e 67 65 0d 0a 71 75 6f 74 65 0d 0a 6c 6f 6e 67 0d 0a 73 6e Data Ascii: lldataKanthangoatrabbitcakedatatestmilkkeyworldroadpowercarsugarsonggoldwomanstringdeskquoteearthinsidequeenkidmachinezebrarocklongzeropicturekickqueenunclemonkeyorangequotelongsn
2023-08-29 05:41:49 UTC	2030	IN	Data Raw: 0d 0a 72 61 69 6e 0d 0a 72 6f 63 6b 0d 0a 74 6f 70 0d 0a 63 69 74 79 0d 0a 75 73 65 0d 0a 79 65 73 0d 0a 6e 6f 74 65 0d 0a 67 6f 6c 64 0d 0a 6d 69 6c 6b 0d 0a 6e 6f 74 65 0d 0a 73 6f 6e 67 0d 0a 73 6e 6f 77 0d 0a 6d 6f 6f 6e 0d 0a 73 6e 61 6b 65 0d 0a 6a 61 63 6b 65 74 0d 0a 70 65 6e 0d 0a 79 65 6c 6c 6f 77 0d 0a 73 74 72 69 6e 67 0d 0a 6d 6f 74 68 65 72 0d 0a 6f 66 66 65 72 0d 0a 6e 75 72 73 65 0d 0a 7a 65 72 6f 0d 0a 75 73 65 0d 0a 6d 61 63 68 69 6e 65 0d 0a 76 69 65 77 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 73 63 68 6f 6f 6c 0d 0a 6f 72 64 65 72 0d 0a 66 6c 6f 77 65 72 0d 0a 6d 69 6c 6b 0d 0a 70 65 61 72 0d 0a 76 61 6e 0d 0a 6c 61 75 67 68 0d 0a 63 6c 69 70 0d 0a 6a 65 6c 6c 79 0d 0a 68 69 74 0d 0a 72 75 6e 0d 0a 6f 70 65 6e 0d 0a 74 61 73 74 65 Data Ascii: rainrocktopcityuseyesnotegoldmilknotesongsnowmoonsnakejacketpenyellowstringmotheroffernursezerousemachineviewundergroundschoolorderflowermilkpearvanlaughclipjellyhitrunopentaste
2023-08-29 05:41:49 UTC	2046	IN	Data Raw: 66 6c 6f 77 65 72 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 70 65 61 72 0d 0a 70 69 6e 6b 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 73 75 6e 0d 0a 65 67 67 0d 0a 6f 70 65 6e 0d 0a 64 6f 67 0d 0a 63 61 6d 65 72 61 0d 0a 69 73 73 75 65 0d 0a 70 6f 77 65 72 0d 0a 74 61 6c 6b 0d 0a 61 77 61 72 64 0d 0a 64 65 65 72 0d 0a 71 75 61 72 74 65 72 0d 0a 6e 61 74 75 72 65 0d 0a 73 74 61 72 0d 0a 6c 61 Data Ascii: flowervacationpearpinkknowledgesuneggopendogcameraissuepowertalkawarddeerquarternaturestarla
2023-08-29 05:41:49 UTC	2046	IN	Data Raw: 6b 65 0d 0a 73 68 6f 72 74 0d 0a 63 61 72 0d 0a 62 61 6e 61 6e 61 0d 0a 6b 65 79 0d 0a 79 65 61 72 6e 0d 0a 64 65 73 6b 0d 0a 74 69 67 65 72 0d 0a 6a 61 76 61 0d 0a 65 61 73 74 0d 0a 63 68 61 72 0d 0a 62 61 6e 61 6e 61 0d 0a 73 75 6e 0d 0a 6c 61 6e 64 0d 0a 6c 69 66 65 0d 0a 6a 6f 6b 65 0d 0a 73 65 76 65 6e 0d 0a 79 65 61 72 0d 0a 75 6e 69 74 0d 0a 64 61 79 0d 0a 73 6b 79 0d 0a 72 65 64 0d 0a 6c 6f 6e 67 0d 0a 77 69 6e 64 0d 0a 63 68 61 72 0d 0a 6e 6f 74 65 0d 0a 6c 61 6d 70 0d 0a 76 6f 69 63 65 0d 0a 67 75 65 73 74 0d 0a 69 6e 6b 0d 0a 76 69 64 65 6f 0d 0a 64 61 6e 63 65 0d 0a 6d 6f 74 68 65 72 0d 0a 74 6f 70 0d 0a 65 61 73 74 0d 0a 74 69 67 65 72 0d 0a 7a 6f 6e 65 0d 0a 66 75 6e 63 0d 0a 63 61 6b 65 0d 0a 64 65 65 72 0d 0a 64 61 72 6b 0d 0a 72 61 69 6e Data Ascii: keshortcarbananakeyyearndesktigerjavaeastcharbananasunlandlifejokesevenyearunitdayskyredlongwindcharnotelampvoiceguestinkvideodancemothertopeasttigerzonefunccakedeerdarkrain
2023-08-29 05:41:49 UTC	2062	IN	Data Raw: 0a 67 61 6d 65 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 6b 69 6e 64 0d 0a 6e 75 6d 62 65 72 0d 0a 72 65 64 0d 0a 73 6e 6f 77 0d 0a 6d 61 63 68 69 6e 65 0d 0a 77 69 6e 64 0d 0a 6e 6f 73 65 0d 0a 6b 65 79 0d 0a 75 73 65 0d 0a 77 65 73 74 0d 0a 6f 66 66 65 72 0d 0a 6a 75 6d 70 0d 0a 63 61 6b 65 0d 0a 6e 6f 74 65 0d 0a 77 69 6e 64 0d 0a 65 61 74 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 68 69 67 68 0d 0a 72 6f 61 64 0d 0a 61 77 61 72 64 0d 0a 76 6f 69 63 65 0d 0a 71 75 61 6c 69 74 79 0d 0a 74 61 6c 6b 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 62 61 6c 6c 0d 0a 71 75 69 65 74 0d 0a 65 61 74 0d 0a 70 6f 77 65 72 0d 0a 65 6e 64 0d 0a 77 61 74 65 72 0d 0a 67 72 61 73 73 0d 0a 66 75 6e 63 0d 0a 6c 6f 6e 67 0d 0a 74 72 61 69 6e 0d 0a 73 6e 61 6b 65 0d 0a 77 6f 72 6c 64 0d Data Ascii: gameundergroundkindnumberredsnowmachinewindnosekeyusewestofferjumpcakenotewindeatvacationhighroadawardvoicequalitytalkunsignedballquieteatpowerendwatergrassfunclongtrainsnakeworld
2023-08-29 05:41:49 UTC	2078	IN	Data Raw: 0a 6e 75 6d 62 65 72 0d 0a 62 61 6e 61 6e 61 0d 0a 68 69 67 68 0d 0a 66 61 74 68 65 72 0d 0a 6f 72 64 65 72 0d 0a 65 61 74 0d 0a 79 65 61 72 6e 0d 0a 6f 6e 65 0d 0a 69 6e 6b 0d 0a 70 61 70 65 72 0d 0a 69 63 65 0d 0a 6c 61 6b 65 0d 0a 6f 63 65 61 6e 0d 0a 72 6f 61 64 0d 0a 68 61 69 72 0d 0a 6c 61 6e 64 0d 0a 75 6e 69 74 0d 0a 73 6e 61 6b 65 0d 0a 73 65 76 65 6e 0d 0a 7a 6f 6d 62 69 65 0d 0a 75 73 65 0d 0a 61 6e 74 0d 0a 7a 6f 6f 0d 0a 72 69 76 65 72 0d 0a 66 69 73 68 0d 0a 7a 65 72 6f 0d 0a 69 63 6f 6e 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 69 73 6c 61 6e 64 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 6f 72 64 65 72 0d 0a 61 70 70 6c 65 0d 0a 76 61 6c 75 65 0d 0a 61 69 72 0d 0a 7a 65 61 6c 0d 0a 70 69 7a 7a 61 0d 0a 6b 69 74 63 68 65 6e 0d 0a 74 69 6d 65 0d 0a Data Ascii: numberbananahighfatherordereatyearnoneinkpapericelakeoceanroadhairlandunitsnakesevenzombieuseantzooriverfishzeroiconundergroundislandKanthanorderapplevalueairzealpizzakitchentime
2023-08-29 05:41:50 UTC	2094	IN	Data Raw: 76 61 6e 0d 0a 72 69 73 65 0d 0a 79 65 61 72 6e 0d 0a 79 6f 75 6e 67 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 61 77 61 72 64 0d 0a 6a 6f 79 0d 0a 68 6f 75 73 65 0d 0a 72 75 6e 0d 0a 73 63 68 6f 6f 6c 0d 0a 6c 61 75 67 68 0d 0a 65 67 67 0d 0a 79 61 77 6e 0d 0a 73 75 67 61 72 0d 0a 70 69 6e 6b 0d 0a 69 63 6f 6e 0d 0a 67 75 65 73 74 0d 0a 6d 65 6e 74 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 72 6f 6f 6d 0d 0a 68 61 6e 64 0d 0a 7a 69 70 70 65 72 0d 0a 6e 6f 73 65 0d 0a 74 65 61 63 68 65 72 0d 0a 63 69 74 79 0d 0a 66 6c 6f 77 65 72 0d 0a 64 65 73 6b 0d 0a 76 69 64 65 6f 0d 0a 75 73 75 61 6c 6c 79 0d 0a 72 65 73 74 0d 0a 72 69 76 65 72 0d 0a 6b 69 73 73 0d 0a 76 61 6e 0d 0a 76 69 64 65 6f 0d 0a 66 69 73 68 0d 0a 76 69 64 65 6f 0d 0a 6b 69 6e 64 0d 0a 75 6e 69 76 65 72 73 69 74 Data Ascii: vanriseyearnyoungjourneyawardjoyhouserunschoollaugheggyawnsugarpinkiconguestmentjourneyroomhandzippernoseteachercityflowerdeskvideousuallyrestriverkissvanvideofishvideokinduniversit
2023-08-29 05:41:50 UTC	2110	IN	Data Raw: 0a 6b 69 74 65 0d 0a 64 61 74 61 0d 0a 74 61 6c 6b 0d 0a 68 61 6e 64 0d 0a 73 68 6f 72 74 0d 0a 6a 6f 6b 65 0d 0a 61 77 61 72 64 0d 0a 71 75 69 63 6b 0d 0a 67 61 6d 65 0d 0a 6c 6f 6e 67 0d 0a 6b 69 6e 67 0d 0a 75 6e 69 74 0d 0a 6c 65 67 0d 0a 75 6e 63 6c 65 0d 0a 61 6c 6f 6e 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 73 6b 79 0d 0a 66 72 69 65 6e 64 0d 0a 6f 63 65 61 6e 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 77 61 79 0d 0a 61 6e 69 6d 61 6c 0d 0a 73 75 67 61 72 0d 0a 74 61 73 74 65 0d 0a 72 6f 63 6b 0d 0a 68 69 74 0d 0a 64 61 74 61 0d 0a 73 74 6f 6e 65 0d 0a 76 61 6c 75 65 0d 0a 6b 69 74 65 0d 0a 66 6f 72 0d 0a 6f 62 6a 65 63 74 0d 0a 65 69 67 68 74 0d 0a 68 6f 70 65 0d 0a 77 65 73 74 0d 0a 6c 61 6b 65 0d 0a 64 61 74 61 0d 0a 68 6f 70 65 0d 0a 6c 69 6f 6e Data Ascii: kitedatatalkhandshortjokeawardquickgamelongkingunitlegunclealoneunderstandskyfriendoceanunsignedwayanimalsugartasterockhitdatastonevaluekiteforobjecteighthopewestlakedatahopelion
2023-08-29 05:41:50 UTC	2126	IN	Data Raw: 69 63 74 6f 72 79 0d 0a 70 69 63 74 75 72 65 0d 0a 79 61 77 6e 0d 0a 70 68 6f 6e 65 0d 0a 66 69 72 65 0d 0a 77 68 69 74 65 0d 0a 68 61 74 0d 0a 6d 61 63 68 69 6e 65 0d 0a 73 6b 79 0d 0a 77 6f 6d 61 6e 0d 0a 62 6c 75 65 0d 0a 6c 75 6e 63 68 0d 0a 70 69 63 74 75 72 65 0d 0a 68 6f 75 73 65 0d 0a 61 6c 6f 6e 65 0d 0a 61 72 72 6f 77 0d 0a 71 75 69 63 6b 0d 0a 63 69 74 79 0d 0a 68 69 67 68 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 77 68 69 6c 65 0d 0a 69 73 73 75 65 0d 0a 77 6f 6d 61 6e 0d 0a 6b 69 73 73 0d 0a 72 65 73 74 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 70 6c 61 6e 74 0d 0a 70 65 72 73 6f 6e 0d 0a 70 6f 77 65 72 0d 0a 76 61 6e 0d 0a 67 68 6f 73 74 0d 0a 6c 75 6e 63 68 0d 0a 6d 69 6c 6b 0d 0a 69 63 6f 6e 0d 0a 77 6f 72 6b 0d Data Ascii: ictorypictureyawnphonefirewhitehatmachineskywomanbluelunchpicturehousealonearrowquickcityhighunsignedwhileissuewomankissrestknowledgeuniversityplantpersonpowervanghostlunchmilkiconwork
2023-08-29 05:41:50 UTC	2142	IN	Data Raw: 0a 77 61 72 6e 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 65 6e 64 0d 0a 63 6c 6f 75 64 0d 0a 74 61 6c 6b 0d 0a 6a 65 6c 6c 79 0d 0a 63 61 74 0d 0a 6c 6f 6e 67 0d 0a 7a 6f 6d 62 69 65 0d 0a 6d 6f 6e 6b 65 79 0d 0a 6a 65 6c 6c 79 0d 0a 69 6e 73 69 64 65 0d 0a 65 67 67 0d 0a 6f 69 6c 0d 0a 77 61 79 0d 0a 6c 65 67 0d 0a 6e 75 72 73 65 0d 0a 68 6f 70 65 0d 0a 74 72 61 69 6e 0d 0a 6c 61 6e 64 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 63 68 61 72 0d 0a 68 65 61 72 74 0d 0a 66 69 73 68 0d 0a 65 72 72 6f 72 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 6a 61 63 6b 65 74 0d 0a 70 6f 77 65 72 0d 0a 69 63 65 0d 0a 6c 61 6e 64 0d 0a 67 72 61 73 73 0d 0a 63 6f 77 0d 0a 74 69 6d 65 0d 0a 69 63 6f 6e 0d 0a 6d 61 63 68 69 6e 65 0d 0a 77 68 69 6c 65 0d 0a 68 61 69 72 0d 0a 7a 69 70 70 65 72 Data Ascii: warnknowledgeendcloudtalkjellycatlongzombiemonkeyjellyinsideeggoilwaylegnursehopetrainlandKanthancharheartfisherrorvegetablejacketpowericelandgrasscowtimeiconmachinewhilehairzipper
2023-08-29 05:41:50 UTC	2158	IN	Data Raw: 0d 0a 79 6f 75 6e 67 0d 0a 64 61 74 61 0d 0a 66 61 72 6d 0d 0a 61 70 70 6c 65 0d 0a 6b 65 65 70 0d 0a 77 69 6e 64 0d 0a 62 75 73 0d 0a 77 6f 72 6c 64 0d 0a 74 65 61 63 68 65 72 0d 0a 6a 6f 6b 65 0d 0a 68 65 6c 70 0d 0a 70 6c 61 6e 74 0d 0a 73 65 76 65 6e 0d 0a 66 61 72 6d 0d 0a 76 69 63 74 6f 72 79 0d 0a 70 65 61 72 0d 0a 6a 75 6d 70 0d 0a 66 6f 6f 74 0d 0a 61 63 65 0d 0a 79 6f 75 6e 67 0d 0a 65 6e 64 0d 0a 6f 72 64 65 72 0d 0a 79 65 61 72 0d 0a 79 65 6c 6c 6f 77 0d 0a 63 61 6b 65 0d 0a 74 65 61 63 68 65 72 0d 0a 66 61 74 68 65 72 0d 0a 68 6f 75 73 65 0d 0a 71 75 6f 74 65 0d 0a 77 65 65 6b 0d 0a 6f 72 61 6e 67 65 0d 0a 66 61 74 68 65 72 0d 0a 68 6f 75 73 65 0d 0a 73 6f 6e 67 0d 0a 66 75 6e 63 0d 0a 73 68 6f 72 74 0d 0a 7a 6f 6f 0d 0a 63 61 72 0d 0a 76 65 Data Ascii: youngdatafarmapplekeepwindbusworldteacherjokehelpplantsevenfarmvictorypearjumpfootaceyoungendorderyearyellowcaketeacherfatherhousequoteweekorangefatherhousesongfuncshortzoocarve
2023-08-29 05:41:50 UTC	2174	IN	Data Raw: 61 69 72 0d 0a 61 6e 69 6d 61 6c 0d 0a 6a 6f 6b 65 0d 0a 75 72 67 65 0d 0a 77 6f 72 6b 0d 0a 66 61 6c 6c 0d 0a 68 61 6e 64 0d 0a 6d 61 70 0d 0a 61 6e 74 0d 0a 65 61 72 0d 0a 77 68 69 6c 65 0d 0a 79 61 77 6e 0d 0a 74 6f 70 0d 0a 6e 75 72 73 65 0d 0a 69 63 65 0d 0a 61 69 72 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6e 6f 74 65 0d 0a 72 65 64 0d 0a 72 75 6e 0d 0a 79 6f 75 6e 67 0d 0a 63 61 74 0d 0a 6a 61 72 0d 0a 75 73 65 0d 0a 77 6f 6d 61 6e 0d 0a 63 6f 77 0d 0a 70 6f 77 65 72 0d 0a 62 6f 6f 6b 0d 0a 64 6f 6f 72 0d 0a 63 61 72 0d 0a 61 72 72 61 79 0d 0a 6a 61 76 61 0d 0a 64 6f 67 0d 0a 6c 65 67 0d 0a 6e 61 6d 65 0d 0a 6d 61 6e 0d 0a 67 6c 61 73 73 0d 0a 6d 61 70 0d 0a 73 6f 6e 67 0d 0a 6e 6f 73 65 0d 0a 76 69 73 69 74 6f 72 0d 0a 7a 69 70 70 65 72 0d 0a 66 72 69 65 Data Ascii: airanimaljokeurgeworkfallhandmapantearwhileyawntopnurseiceairmachinenoteredrunyoungcatjarusewomancowpowerbookdoorcararrayjavadoglegnamemanglassmapsongnosevisitorzipperfrie
2023-08-29 05:41:50 UTC	2190	IN	Data Raw: 0d 0a 69 6e 6b 0d 0a 6f 72 64 65 72 0d 0a 70 65 61 72 0d 0a 6b 65 79 0d 0a 77 6f 72 6b 0d 0a 63 69 74 79 0d 0a 63 61 72 0d 0a 6d 61 63 68 69 6e 65 0d 0a 68 69 74 0d 0a 79 61 72 64 0d 0a 68 61 69 72 0d 0a 75 72 67 65 0d 0a 6d 6f 74 68 65 72 0d 0a 6f 66 66 69 63 65 0d 0a 65 69 67 68 74 0d 0a 68 69 67 68 0d 0a 67 75 65 73 74 0d 0a 6e 6f 74 65 0d 0a 62 61 6e 6b 0d 0a 6a 65 6c 6c 79 0d 0a 64 61 6e 63 65 0d 0a 62 61 6e 61 6e 61 0d 0a 64 6f 0d 0a 74 65 61 63 68 65 72 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 73 65 76 65 6e 0d 0a 77 61 79 0d 0a 67 72 61 73 73 0d 0a 67 69 72 6c 0d 0a 6d 65 6e 74 0d 0a 63 6c 69 70 0d 0a 61 70 70 6c 65 0d 0a 73 6b 79 0d 0a 66 69 73 68 0d 0a 76 69 64 65 6f 0d 0a 69 6e 74 0d 0a 79 61 77 6e 0d 0a 73 65 76 65 6e 0d 0a 79 65 73 74 65 72 64 61 Data Ascii: inkorderpearkeyworkcitycarmachinehityardhairurgemotherofficeeighthighguestnotebankjellydancebananadoteacherquestionsevenwaygrassgirlmentclipappleskyfishvideointyawnsevenyesterda
2023-08-29 05:41:50 UTC	2206	IN	Data Raw: 6f 75 64 0d 0a 6b 69 63 6b 0d 0a 6a 75 6d 70 0d 0a 7a 65 61 6c 0d 0a 6b 69 6e 67 0d 0a 73 74 6f 6e 65 0d 0a 68 6f 70 65 0d 0a 67 72 6f 75 70 0d 0a 68 69 74 0d 0a 65 67 67 0d 0a 62 6f 6f 6b 0d 0a 71 75 65 65 6e 0d 0a 66 6c 6f 77 65 72 0d 0a 65 6e 64 0d 0a 69 6e 6b 0d 0a 61 72 72 6f 77 0d 0a 77 6f 72 6c 64 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6b 69 74 63 68 65 6e 0d 0a 69 6e 73 69 64 65 0d 0a 73 6e 61 6b 65 0d 0a 66 72 69 65 6e 64 0d 0a 71 75 61 72 74 65 72 0d 0a 70 69 63 74 75 72 65 0d 0a 66 61 72 6d 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 63 61 6d 65 72 61 0d 0a 68 65 6c 70 0d 0a 70 69 7a 7a 61 0d 0a 6d 6f 74 68 65 72 0d 0a 74 6f 70 0d 0a 67 72 6f 75 70 0d 0a 7a 65 62 72 61 0d 0a 66 61 72 6d 0d 0a 64 61 72 6b 0d 0a 68 69 67 68 0d 0a 65 73 63 61 70 65 Data Ascii: oudkickjumpzealkingstonehopegrouphiteggbookqueenflowerendinkarrowworldunderstandkitcheninsidesnakefriendquarterpicturefarmyesterdaycamerahelppizzamothertopgroupzebrafarmdarkhighescape
2023-08-29 05:41:50 UTC	2222	IN	Data Raw: 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 6d 61 63 68 69 6e 65 0d 0a 72 69 73 65 0d 0a 74 65 73 74 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 76 69 64 65 6f 0d 0a 7a 69 70 70 65 72 0d 0a 62 6f 6f 6b 0d 0a 76 6f 69 63 65 0d 0a 69 6e 6b 0d 0a 63 6f 6c 6f 72 0d 0a 67 69 72 6c 0d 0a 62 6f 79 0d 0a 74 65 73 74 0d 0a 62 61 6c 6c 0d 0a 66 75 6e 63 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 71 75 65 65 6e 0d 0a 67 6f 61 74 0d 0a 6a 61 63 6b 65 74 0d 0a 6d 75 73 69 63 0d 0a 66 61 74 68 65 72 0d 0a 67 6f 61 74 0d 0a 77 61 79 0d 0a 77 61 72 6e 0d 0a 77 61 74 65 72 0d 0a 65 6e 65 72 67 79 0d 0a 61 6c 6f 6e 65 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 77 65 73 74 0d 0a 71 75 61 6c 69 66 79 0d 0a 6b 69 74 63 68 65 6e 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 6c 6f 76 65 0d 0a 61 Data Ascii: knowledgemachinerisetestinformationvideozipperbookvoiceinkcolorgirlboytestballfuncinformationqueengoatjacketmusicfathergoatwaywarnwaterenergyaloneunsignedwestqualifykitchenquestionlovea
2023-08-29 05:41:50 UTC	2238	IN	Data Raw: 0a 6d 61 63 68 69 6e 65 0d 0a 6a 75 64 67 65 0d 0a 66 61 74 68 65 72 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 73 6b 79 0d 0a 6d 6f 74 68 65 72 0d 0a 66 69 73 68 0d 0a 6b 69 74 65 0d 0a 68 61 6e 64 0d 0a 71 75 65 65 6e 0d 0a 66 6c 6f 77 65 72 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 70 65 6e 0d 0a 75 73 75 61 6c 6c 79 0d 0a 74 61 73 74 65 0d 0a 77 6f 6d 61 6e 0d 0a 6f 70 65 6e 0d 0a 75 6e 69 74 0d 0a 6e 6f 73 65 0d 0a 7a 6f 6d 62 69 65 0d 0a 72 69 76 65 72 0d 0a 68 6f 70 65 0d 0a 63 6f 77 0d 0a 67 72 65 65 6e 0d 0a 6f 66 66 69 63 65 0d 0a 62 6f 78 0d 0a 67 72 65 65 6e 0d 0a 67 75 65 73 74 0d 0a 6e 61 74 75 72 65 0d 0a 6c 61 6d 70 0d 0a 74 6f 70 0d 0a 69 6e 74 0d 0a 68 65 61 64 0d 0a 65 6e 64 0d 0a 61 6c 6f 6e 65 0d 0a 77 68 69 6c 65 0d 0a 65 61 74 0d 0a 74 65 61 Data Ascii: machinejudgefatheryesterdayskymotherfishkitehandqueenflowerunsignedpenusuallytastewomanopenunitnosezombieriverhopecowgreenofficeboxgreenguestnaturelamptopintheadendalonewhileeattea
2023-08-29 05:41:50 UTC	2254	IN	Data Raw: 74 0d 0a 70 69 6e 6b 0d 0a 6f 69 6c 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 62 6f 6f 6b 0d 0a 6c 65 67 0d 0a 67 72 6f 75 70 0d 0a 79 61 77 6e 0d 0a 6e 6f 74 65 0d 0a 63 6c 6f 75 64 0d 0a 6f 72 61 6e 67 65 0d 0a 77 61 72 6e 0d 0a 6c 65 67 0d 0a 63 6f 61 74 0d 0a 6c 61 6e 64 0d 0a 61 69 72 0d 0a 66 61 6c 6c 0d 0a 62 6f 79 0d 0a 74 69 67 65 72 0d 0a 75 73 65 0d 0a 73 74 6f 6e 65 0d 0a 71 75 69 65 74 0d 0a 76 69 63 74 6f 72 79 0d 0a 66 61 74 68 65 72 0d 0a 6e 6f 73 65 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 64 61 79 0d 0a 61 77 61 72 64 0d 0a 6f 72 61 6e 67 65 0d 0a 73 6f 6e 67 0d 0a 7a 6f 6d 62 69 65 0d 0a 76 61 6e 0d 0a 70 69 6e 6b 0d 0a 74 69 67 65 72 0d 0a 72 69 76 65 72 0d 0a 69 73 6c 61 6e 64 0d 0a 63 6f 61 74 0d 0a 63 6f 61 74 0d 0a 63 6f 61 74 0d 0a 69 6e Data Ascii: tpinkoilvegetablebookleggroupyawnnotecloudorangewarnlegcoatlandairfallboytigerusestonequietvictoryfathernoseunsigneddayawardorangesongzombievanpinktigerriverislandcoatcoatcoatin
2023-08-29 05:41:50 UTC	2270	IN	Data Raw: 65 0d 0a 66 61 63 65 0d 0a 70 61 70 65 72 0d 0a 79 65 73 0d 0a 63 69 74 79 0d 0a 79 61 72 64 0d 0a 6c 75 6e 63 68 0d 0a 73 65 76 65 6e 0d 0a 66 69 73 68 0d 0a 6d 6f 6e 6b 65 79 0d 0a 77 65 73 74 0d 0a 74 61 6c 6b 0d 0a 6a 61 72 0d 0a 6b 69 64 0d 0a 65 73 63 61 70 65 0d 0a 68 69 67 68 0d 0a 73 6f 6e 67 0d 0a 79 61 77 6e 0d 0a 65 64 67 65 0d 0a 65 61 74 0d 0a 73 74 61 72 0d 0a 6d 75 73 69 63 0d 0a 65 61 73 74 0d 0a 63 6c 6f 75 64 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 73 6e 61 6b 65 0d 0a 63 6c 69 70 0d 0a 67 72 61 73 73 0d 0a 64 72 65 61 6d 0d 0a 62 61 6c 6c 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6d 6f 76 69 65 0d 0a 77 69 6e 64 0d 0a 6d 69 6c 6b 0d 0a 75 73 65 0d 0a 62 61 6e 61 6e 61 0d 0a 6b 69 73 73 0d 0a 67 72 61 73 73 0d 0a 6c 6f 6e 67 0d 0a 66 61 72 6d 0d Data Ascii: efacepaperyescityyardlunchsevenfishmonkeywesttalkjarkidescapehighsongyawnedgeeatstarmusiceastcloudquestionsnakeclipgrassdreamballunsignedmoviewindmilkusebananakissgrasslongfarm
2023-08-29 05:41:50 UTC	2286	IN	Data Raw: 65 72 0d 0a 6a 61 76 61 0d 0a 7a 6f 6d 62 69 65 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 74 65 73 74 0d 0a 6a 61 63 6b 65 74 0d 0a 6f 6e 65 0d 0a 63 69 74 79 0d 0a 63 61 6d 65 72 61 0d 0a 70 65 61 72 0d 0a 65 61 73 74 0d 0a 6d 65 61 6c 0d 0a 69 6e 73 69 64 65 0d 0a 63 61 72 0d 0a 6d 69 6c 6b 0d 0a 67 6c 61 73 73 0d 0a 69 73 6c 61 6e 64 0d 0a 76 61 6c 75 65 0d 0a 66 69 72 65 0d 0a 6e 61 74 75 72 65 0d 0a 6e 6f 72 74 68 0d 0a 67 72 65 65 6e 0d 0a 79 65 6c 6c 6f 77 0d 0a 65 72 72 6f 72 0d 0a 65 69 67 68 74 0d 0a 72 61 62 62 69 74 0d 0a 6d 61 63 68 69 6e 65 0d 0a 64 65 65 72 0d 0a 71 75 69 65 74 0d 0a 69 63 6f 6e 0d 0a 69 6e 63 6f 6d 65 0d 0a 77 61 74 65 72 0d 0a 62 75 73 0d 0a 61 70 70 6c 65 0d 0a 71 75 61 72 74 65 72 0d 0a 6b 69 74 65 0d 0a 73 63 68 6f 6f Data Ascii: erjavazombieuniversitytestjacketonecitycamerapeareastmealinsidecarmilkglassislandvaluefirenaturenorthgreenyellowerroreightrabbitmachinedeerquieticonincomewaterbusapplequarterkiteschoo
2023-08-29 05:41:50 UTC	2301	IN	Data Raw: 65 0d 0a 66 61 63 65 0d 0a 6b 69 74 63 68 65 6e 0d 0a 6c 61 75 67 68 0d 0a 65 67 67 0d 0a 73 74 6f 6e 65 0d 0a 62 6f 79 0d 0a 7a 6f 6f 0d 0a 6d 61 63 68 69 6e 65 0d 0a 71 75 61 6c 69 66 79 0d 0a 64 65 73 6b 0d 0a 74 6f 77 6e 0d 0a 62 6f 79 0d 0a 6f 72 61 6e 67 65 0d 0a 76 61 6e 0d 0a 72 61 62 62 69 74 0d 0a 6e 61 74 75 72 65 0d 0a 63 69 74 79 0d 0a 70 69 6e 6b 0d 0a 62 65 61 63 68 0d 0a 65 73 63 61 70 65 0d 0a 69 73 73 75 65 0d 0a 6d 65 6e 74 0d 0a 6c 61 75 67 68 0d 0a 67 72 65 65 6e 0d 0a 6d 61 6e 0d 0a 70 65 61 72 0d 0a 72 6f 61 64 0d 0a 79 61 72 64 0d 0a 70 69 6e 6b 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 65 79 65 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 63 68 61 72 0d 0a 7a 65 62 72 61 0d 0a 6d 61 70 0d 0a 63 61 6d 65 72 61 0d 0a 69 6e 73 69 64 Data Ascii: efacekitchenlaugheggstoneboyzoomachinequalifydesktownboyorangevanrabbitnaturecitypinkbeachescapeissuementlaughgreenmanpearroadyardpinkuniversityeyeundergroundcharzebramapcamerainsid
2023-08-29 05:41:50 UTC	2317	IN	Data Raw: 65 73 74 0d 0a 6a 61 63 6b 65 74 0d 0a 6a 61 63 6b 65 74 0d 0a 67 61 6d 65 0d 0a 68 65 6c 70 0d 0a 64 6f 6f 72 0d 0a 70 6f 77 65 72 0d 0a 74 72 65 65 0d 0a 6b 69 64 0d 0a 77 61 72 6e 0d 0a 6b 69 73 73 0d 0a 61 77 61 72 64 0d 0a 6e 75 72 73 65 0d 0a 67 6c 61 73 73 0d 0a 65 73 63 61 70 65 0d 0a 65 69 67 68 74 0d 0a 6e 69 67 68 74 0d 0a 74 6f 77 6e 0d 0a 77 65 65 6b 0d 0a 65 73 63 61 70 65 0d 0a 73 68 6f 72 74 0d 0a 61 72 63 68 0d 0a 73 6f 6e 67 0d 0a 63 61 72 0d 0a 6d 65 6e 74 0d 0a 6b 65 79 0d 0a 71 75 61 72 74 65 72 0d 0a 63 6f 6c 6f 72 0d 0a 6a 61 72 0d 0a 6a 61 72 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 74 72 65 65 0d 0a 76 69 64 65 6f 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 75 6e 69 74 0d 0a 64 75 63 6b 0d 0a 65 73 63 61 70 65 0d 0a 64 61 79 0d 0a Data Ascii: estjacketjacketgamehelpdoorpowertreekidwarnkissawardnurseglassescapeeightnighttownweekescapeshortarchsongcarmentkeyquartercolorjarjarunderstandtreevideouniversityunitduckescapeday
2023-08-29 05:41:50 UTC	2333	IN	Data Raw: 6f 75 72 6e 65 79 0d 0a 66 75 6e 63 0d 0a 77 68 69 6c 65 0d 0a 77 61 72 6e 0d 0a 62 61 6c 6c 0d 0a 69 64 65 61 0d 0a 73 6f 6e 67 0d 0a 68 61 69 72 0d 0a 74 69 67 65 72 0d 0a 7a 6f 6f 0d 0a 63 61 6b 65 0d 0a 73 63 68 6f 6f 6c 0d 0a 77 68 69 6c 65 0d 0a 76 6f 69 63 65 0d 0a 6b 65 65 70 0d 0a 63 68 61 72 0d 0a 6e 75 6d 62 65 72 0d 0a 61 70 70 6c 65 0d 0a 7a 6f 6e 65 0d 0a 6e 75 6d 62 65 72 0d 0a 65 6e 65 72 67 79 0d 0a 6b 69 73 73 0d 0a 6e 75 72 73 65 0d 0a 63 6f 61 74 0d 0a 66 6f 6f 64 0d 0a 65 61 72 0d 0a 79 65 61 72 0d 0a 70 65 72 73 6f 6e 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 65 64 67 65 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6b 69 73 73 0d 0a 6e 61 74 75 72 65 0d 0a 6c 6f 6e 67 0d 0a 63 6c 69 70 0d 0a 77 61 74 65 72 0d 0a Data Ascii: ourneyfuncwhilewarnballideasonghairtigerzoocakeschoolwhilevoicekeepcharnumberapplezonenumberenergykissnursecoatfoodearyearpersonvegetableedgeunderstandmachinekissnaturelongclipwater
2023-08-29 05:41:51 UTC	2349	IN	Data Raw: 75 72 65 0d 0a 6f 72 64 65 72 0d 0a 73 65 76 65 6e 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6f 6e 65 0d 0a 6c 69 66 65 0d 0a 62 61 6e 61 6e 61 0d 0a 6e 65 65 64 0d 0a 6a 61 72 0d 0a 76 61 6e 0d 0a 6b 69 64 0d 0a 75 73 75 61 6c 6c 79 0d 0a 63 6c 69 70 0d 0a 71 75 69 63 6b 0d 0a 7a 6f 6e 65 0d 0a 65 69 67 68 74 0d 0a 63 61 6d 65 72 61 0d 0a 66 69 73 68 0d 0a 66 61 6c 6c 0d 0a 67 61 6d 65 0d 0a 62 6f 6f 6b 0d 0a 67 61 6d 65 0d 0a 6f 66 66 69 63 65 0d 0a 73 6e 61 6b 65 0d 0a 62 6f 79 0d 0a 73 74 6f 6e 65 0d 0a 72 6f 6f 6d 0d 0a 61 69 72 0d 0a 6b 69 6e 64 0d 0a 66 6c 6f 77 65 72 0d 0a 6c 65 67 0d 0a 74 72 65 65 0d 0a 73 6e 61 6b 65 0d 0a 6b 65 65 70 0d 0a 7a 65 61 6c 0d 0a 72 6f 6f 6d 0d 0a 79 61 77 6e 0d 0a 76 61 6c 75 65 0d 0a 6f 70 65 6e 0d 0a 6d 6f 6f 6e 0d 0a 61 Data Ascii: ureordersevenmachineonelifebanananeedjarvankidusuallyclipquickzoneeightcamerafishfallgamebookgameofficesnakeboystoneroomairkindflowerlegtreesnakekeepzealroomyawnvalueopenmoona
2023-08-29 05:41:51 UTC	2365	IN	Data Raw: 61 6c 6b 0d 0a 61 72 63 68 0d 0a 71 75 69 63 6b 0d 0a 73 65 76 65 6e 0d 0a 63 6f 6c 6f 72 0d 0a 68 65 61 72 74 0d 0a 73 6f 6e 67 0d 0a 6a 75 64 67 65 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 75 73 75 61 6c 6c 79 0d 0a 70 68 6f 6e 65 0d 0a 68 69 67 68 0d 0a 76 69 63 74 6f 72 79 0d 0a 70 65 61 72 0d 0a 79 65 6c 6c 6f 77 0d 0a 6f 69 6c 0d 0a 6d 6f 6f 6e 0d 0a 76 69 64 65 6f 0d 0a 77 6f 6d 61 6e 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 77 68 69 6c 65 0d 0a 65 61 73 79 0d 0a 73 6b 79 0d 0a 69 63 65 0d 0a 77 69 6e 64 0d 0a 6f 63 65 61 6e 0d 0a 6d 65 6e 74 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 61 6e 69 6d 61 6c 0d 0a 74 61 73 74 65 0d 0a 65 69 67 68 74 0d 0a 63 61 74 0d 0a 76 69 65 77 0d 0a 64 6f 0d 0a 6c 69 66 65 0d 0a 67 72 65 65 6e 0d 0a 67 6c 61 73 73 0d Data Ascii: alkarchquicksevencolorheartsongjudgeinformationusuallyphonehighvictorypearyellowoilmoonvideowomanKanthanwhileeasyskyicewindoceanmentundergroundanimaltasteeightcatviewdolifegreenglass
2023-08-29 05:41:51 UTC	2381	IN	Data Raw: 0a 67 72 61 73 73 0d 0a 65 72 72 6f 72 0d 0a 67 72 61 73 73 0d 0a 66 75 6e 63 0d 0a 6f 66 66 65 72 0d 0a 6b 69 6e 67 0d 0a 79 65 61 72 6e 0d 0a 6f 66 66 69 63 65 0d 0a 76 61 6c 75 65 0d 0a 61 63 65 0d 0a 69 6e 6b 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 67 68 6f 73 74 0d 0a 65 61 73 79 0d 0a 62 75 73 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 6b 65 79 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 79 65 73 0d 0a 6f 62 6a 65 63 74 0d 0a 62 69 72 64 0d 0a 79 6f 75 6e 67 0d 0a 6d 75 73 69 63 0d 0a 75 6e 69 74 0d 0a 74 65 73 74 0d 0a 61 77 61 72 64 0d 0a 77 69 6e 64 0d 0a 64 61 72 6b 0d 0a 75 72 67 65 0d 0a 72 6f 6f 6d 0d 0a 6e 6f 74 65 0d 0a 64 61 74 61 0d 0a 75 73 65 0d 0a 6f 62 6a 65 63 74 0d 0a 65 67 67 0d 0a 66 6f 72 0d 0a 63 61 72 0d 0a 63 6c 6f 75 64 0d 0a 70 65 6e Data Ascii: grasserrorgrassfuncofferkingyearnofficevalueaceinkvacationghosteasybusquestionkeyundergroundyesobjectbirdyoungmusicunittestawardwinddarkurgeroomnotedatauseobjecteggforcarcloudpen
2023-08-29 05:41:51 UTC	2397	IN	Data Raw: 61 72 0d 0a 66 6f 72 0d 0a 68 61 6e 64 0d 0a 68 61 69 72 0d 0a 72 65 64 0d 0a 70 61 70 65 72 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 6c 65 67 0d 0a 72 6f 61 64 0d 0a 75 6e 63 6c 65 0d 0a 6d 6f 76 69 65 0d 0a 74 65 61 63 68 65 72 0d 0a 6a 61 63 6b 65 74 0d 0a 66 69 73 68 0d 0a 62 65 61 63 68 0d 0a 68 65 6c 70 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 70 65 72 73 6f 6e 0d 0a 6f 69 6c 0d 0a 65 6e 64 0d 0a 77 69 6e 64 0d 0a 6b 69 6e 67 0d 0a 72 65 64 0d 0a 64 61 6e 63 65 0d 0a 73 6b 79 0d 0a 61 6c 6f 6e 65 0d 0a 67 68 6f 73 74 0d 0a 74 6f 70 0d 0a 77 61 79 0d 0a 6f 66 66 65 72 0d 0a 63 69 74 79 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 63 6f 6c 6f 72 0d 0a 61 72 72 61 79 0d 0a 63 61 6d 65 72 61 0d 0a 63 61 74 0d 0a 7a 65 61 6c 0d 0a 77 65 73 74 0d 0a 68 61 69 Data Ascii: arforhandhairredpaperquantitylegroadunclemovieteacherjacketfishbeachhelpundergroundpersonoilendwindkingreddanceskyaloneghosttopwayoffercityunderstandcolorarraycameracatzealwesthai
2023-08-29 05:41:51 UTC	2413	IN	Data Raw: 63 6b 0d 0a 68 6f 75 73 65 0d 0a 72 65 73 74 0d 0a 70 65 6e 0d 0a 73 65 61 0d 0a 73 74 61 72 0d 0a 73 65 76 65 6e 0d 0a 70 68 6f 6e 65 0d 0a 73 74 72 69 6e 67 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 61 77 61 72 64 0d 0a 70 6f 77 65 72 0d 0a 61 6c 6f 6e 65 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 61 77 61 72 64 0d 0a 64 75 63 6b 0d 0a 6d 61 70 0d 0a 6c 65 67 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 6d 61 63 68 69 6e 65 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 65 61 74 0d 0a 67 6f 61 74 0d 0a 6a 61 63 6b 65 74 0d 0a 6d 65 61 6c 0d 0a 67 61 6d 65 0d 0a 79 65 61 72 0d 0a 62 6f 6f 6b 0d 0a 6e 61 74 75 72 65 0d 0a 74 61 6c 6b 0d 0a 73 75 67 61 72 0d 0a 63 6c 69 70 0d 0a 64 6f 6f 72 0d 0a 66 75 6e 63 0d 0a 74 72 65 65 0d 0a 74 6f 70 0d 0a 6d 6f 6f 6e 0d 0a 77 68 69 74 Data Ascii: ckhouserestpenseastarsevenphonestringinformationawardpoweralonequestionawardduckmapleguniversitymachinejourneyeatgoatjacketmealgameyearbooknaturetalksugarclipdoorfunctreetopmoonwhit
2023-08-29 05:41:51 UTC	2429	IN	Data Raw: 61 6c 6b 0d 0a 65 61 73 79 0d 0a 67 6c 61 73 73 0d 0a 7a 69 70 70 65 72 0d 0a 63 6f 61 74 0d 0a 6e 6f 74 65 0d 0a 68 61 69 72 0d 0a 6e 65 65 64 0d 0a 63 6c 6f 75 64 0d 0a 62 61 6e 61 6e 61 0d 0a 6b 69 6e 67 0d 0a 6c 61 6e 64 0d 0a 76 61 6e 0d 0a 70 65 61 72 0d 0a 6b 65 79 0d 0a 61 6e 69 6d 61 6c 0d 0a 69 6e 73 69 64 65 0d 0a 7a 6f 6e 65 0d 0a 69 6e 74 0d 0a 79 65 61 72 6e 0d 0a 7a 6f 6f 0d 0a 70 61 70 65 72 0d 0a 6b 65 65 70 0d 0a 70 69 63 74 75 72 65 0d 0a 65 61 72 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 70 65 72 73 6f 6e 0d 0a 70 68 6f 6e 65 0d 0a 7a 65 62 72 61 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 75 73 75 61 6c 6c 79 0d 0a 75 6e 69 74 0d 0a 66 75 6e 63 0d 0a 6c 61 6e 64 0d 0a 70 6f 77 65 72 0d 0a 74 6f 77 6e 0d 0a 62 65 61 63 68 0d 0a 6a 61 72 0d 0a 6a Data Ascii: alkeasyglasszippercoatnotehairneedcloudbananakinglandvanpearkeyanimalinsidezoneintyearnzoopaperkeeppictureearvacationpersonphonezebravegetableusuallyunitfunclandpowertownbeachjarj
2023-08-29 05:41:51 UTC	2445	IN	Data Raw: 68 61 6e 0d 0a 70 69 6e 6b 0d 0a 7a 6f 6e 65 0d 0a 72 6f 61 64 0d 0a 69 63 6f 6e 0d 0a 6d 6f 74 68 65 72 0d 0a 77 68 69 74 65 0d 0a 70 69 6e 6b 0d 0a 6e 6f 73 65 0d 0a 6d 61 70 0d 0a 6c 65 67 0d 0a 63 6c 69 70 0d 0a 63 6c 6f 75 64 0d 0a 6f 6e 65 0d 0a 79 61 77 6e 0d 0a 68 6f 70 65 0d 0a 71 75 65 65 6e 0d 0a 68 61 74 0d 0a 66 69 73 68 0d 0a 73 65 76 65 6e 0d 0a 68 69 67 68 0d 0a 75 73 65 0d 0a 68 65 61 64 0d 0a 70 65 61 72 0d 0a 66 61 74 68 65 72 0d 0a 75 73 65 0d 0a 6b 69 6e 67 0d 0a 77 6f 72 6b 0d 0a 6f 62 6a 65 63 74 0d 0a 72 61 69 6e 0d 0a 68 6f 70 65 0d 0a 6f 62 6a 65 63 74 0d 0a 78 79 6c 65 6d 0d 0a 66 6f 72 0d 0a 6e 6f 74 65 0d 0a 70 69 6e 6b 0d 0a 6e 65 65 64 0d 0a 6c 6f 6e 67 0d 0a 70 6f 77 65 72 0d 0a 67 72 61 73 73 0d 0a 77 65 73 74 0d 0a 70 69 Data Ascii: hanpinkzoneroadiconmotherwhitepinknosemaplegclipcloudoneyawnhopequeenhatfishsevenhighuseheadpearfatherusekingworkobjectrainhopeobjectxylemfornotepinkneedlongpowergrasswestpi
2023-08-29 05:41:51 UTC	2461	IN	Data Raw: 65 0d 0a 64 6f 0d 0a 64 75 63 6b 0d 0a 61 69 72 0d 0a 6a 61 63 6b 65 74 0d 0a 63 6f 6c 6f 72 0d 0a 6d 6f 76 69 65 0d 0a 63 61 6d 65 72 61 0d 0a 70 61 70 65 72 0d 0a 6d 69 6c 6b 0d 0a 66 6f 72 0d 0a 6e 6f 73 65 0d 0a 66 6f 6f 74 0d 0a 68 61 69 72 0d 0a 66 61 74 68 65 72 0d 0a 74 6f 70 0d 0a 73 6f 6e 67 0d 0a 74 65 61 63 68 65 72 0d 0a 73 6e 61 6b 65 0d 0a 62 61 6e 6b 0d 0a 66 61 72 6d 0d 0a 66 6c 6f 77 65 72 0d 0a 6e 65 65 64 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 68 65 6c 70 0d 0a 73 65 61 0d 0a 75 73 65 0d 0a 66 75 6e 63 0d 0a 66 6f 72 0d 0a 62 6f 79 0d 0a 64 61 79 0d 0a 61 72 74 0d 0a 70 65 61 72 0d 0a 63 6f 61 74 0d 0a 65 64 67 65 0d 0a 77 69 6e 74 65 72 0d 0a 6c 65 67 0d 0a 70 65 61 72 0d 0a 74 69 67 65 72 0d 0a 70 61 70 65 72 0d 0a 67 75 65 73 74 0d 0a 79 Data Ascii: edoduckairjacketcolormoviecamerapapermilkfornosefoothairfathertopsongteachersnakebankfarmflowerneedKanthanhelpseausefuncforboydayartpearcoatedgewinterlegpeartigerpaperguesty
2023-08-29 05:41:51 UTC	2477	IN	Data Raw: 76 65 72 0d 0a 6b 65 79 0d 0a 6b 69 6e 67 0d 0a 71 75 69 65 74 0d 0a 77 65 65 6b 0d 0a 76 69 73 69 74 6f 72 0d 0a 64 72 65 61 6d 0d 0a 65 69 67 68 74 0d 0a 74 69 67 65 72 0d 0a 68 69 67 68 0d 0a 6c 61 75 67 68 0d 0a 70 65 61 72 0d 0a 74 6f 70 0d 0a 6e 61 74 75 72 65 0d 0a 6d 61 63 68 69 6e 65 0d 0a 7a 65 62 72 61 0d 0a 74 6f 70 0d 0a 6a 6f 79 0d 0a 6d 65 61 6c 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 64 75 63 6b 0d 0a 64 6f 6f 72 0d 0a 6c 61 6e 64 0d 0a 68 61 74 0d 0a 74 65 61 63 68 65 72 0d 0a 61 69 72 0d 0a 61 72 74 0d 0a 77 6f 6d 61 6e 0d 0a 61 63 65 0d 0a 79 65 73 0d 0a 75 72 67 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 65 61 72 74 68 0d 0a 63 6f 61 74 0d 0a 65 79 65 0d 0a 72 61 69 6e 0d 0a 73 68 6f 72 74 0d 0a 6b 65 65 70 0d 0a 6b 69 63 6b 0d 0a Data Ascii: verkeykingquietweekvisitordreameighttigerhighlaughpeartopnaturemachinezebratopjoymealinformationduckdoorlandhatteacherairartwomanaceyesurgeknowledgeearthcoateyerainshortkeepkick
2023-08-29 05:41:51 UTC	2493	IN	Data Raw: 6b 69 64 0d 0a 74 69 6d 65 0d 0a 70 65 6e 0d 0a 6a 65 6c 6c 79 0d 0a 61 6e 69 6d 61 6c 0d 0a 67 72 65 65 6e 0d 0a 65 6e 64 0d 0a 6b 69 64 0d 0a 64 75 63 6b 0d 0a 74 65 73 74 0d 0a 72 6f 63 6b 0d 0a 6c 61 6b 65 0d 0a 6b 69 74 63 68 65 6e 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 61 63 65 0d 0a 72 69 76 65 72 0d 0a 6f 62 6a 65 63 74 0d 0a 72 65 73 74 0d 0a 79 65 6c 6c 6f 77 0d 0a 66 69 73 68 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 65 61 72 74 68 0d 0a 67 72 61 73 73 0d 0a 61 6c 6f 6e 65 0d 0a 66 61 72 6d 0d 0a 77 69 6e 74 65 72 0d 0a 69 73 6c 61 6e 64 0d 0a 67 72 6f 75 70 0d 0a 69 63 65 0d 0a 6c 6f 76 65 0d 0a 67 6c 61 73 73 0d 0a 66 6c 6f 77 65 72 0d 0a 6d 6f 74 68 65 72 0d 0a 67 6f 61 74 0d 0a 67 61 6d 65 0d 0a 77 65 73 74 0d 0a 79 65 6c 6c 6f 77 0d 0a 65 6e 64 0d Data Ascii: kidtimepenjellyanimalgreenendkidducktestrocklakekitchenKanthanaceriverobjectrestyellowfishvegetableearthgrassalonefarmwinterislandgroupiceloveglassflowermothergoatgamewestyellowend
2023-08-29 05:41:51 UTC	2509	IN	Data Raw: 0d 0a 68 65 61 64 0d 0a 73 74 61 72 0d 0a 6c 61 6e 64 0d 0a 73 74 6f 6e 65 0d 0a 76 69 63 74 6f 72 79 0d 0a 73 65 61 0d 0a 69 73 73 75 65 0d 0a 6b 69 73 73 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 63 61 6b 65 0d 0a 64 61 74 61 0d 0a 73 68 6f 72 74 0d 0a 6c 61 6e 64 0d 0a 71 75 65 65 6e 0d 0a 6b 69 6e 64 0d 0a 70 65 61 72 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 63 61 74 0d 0a 7a 65 62 72 61 0d 0a 63 69 74 79 0d 0a 6c 61 75 67 68 0d 0a 77 68 69 6c 65 0d 0a 75 72 67 65 0d 0a 6e 65 65 64 0d 0a 73 65 61 0d 0a 6f 66 66 65 72 0d 0a 69 6e 73 69 64 65 0d 0a 62 61 6e 61 6e 61 0d 0a 79 65 61 72 0d 0a 6d 61 70 0d 0a 64 6f 0d 0a 62 61 6e 61 6e 61 0d 0a 66 6f 72 0d 0a 77 69 6e 64 0d 0a 6a 61 76 61 0d 0a 76 69 73 69 74 6f 72 0d 0a 66 6f Data Ascii: headstarlandstonevictoryseaissuekissundergroundquantitycakedatashortlandqueenkindpearknowledgecatzebracitylaughwhileurgeneedseaofferinsidebananayearmapdobananaforwindjavavisitorfo
2023-08-29 05:41:51 UTC	2525	IN	Data Raw: 65 72 67 72 6f 75 6e 64 0d 0a 66 61 74 68 65 72 0d 0a 6f 66 66 65 72 0d 0a 6e 61 74 75 72 65 0d 0a 6b 65 65 70 0d 0a 72 75 6e 0d 0a 79 61 72 64 0d 0a 69 6e 63 6f 6d 65 0d 0a 72 6f 63 6b 0d 0a 6f 70 65 6e 0d 0a 70 65 72 73 6f 6e 0d 0a 67 6f 61 74 0d 0a 7a 65 61 6c 0d 0a 7a 6f 6e 65 0d 0a 6c 65 74 74 65 72 0d 0a 74 65 61 63 68 65 72 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 69 73 6c 61 6e 64 0d 0a 69 64 65 61 0d 0a 75 72 67 65 0d 0a 65 73 63 61 70 65 0d 0a 64 61 6e 63 65 0d 0a 64 6f 0d 0a 7a 6f 6f 0d 0a 74 72 65 65 0d 0a 72 65 73 74 0d 0a 70 6c 61 6e 74 0d 0a 7a 65 62 72 61 0d 0a 6c 75 6e 63 68 0d 0a 6b 69 64 0d 0a 65 61 74 0d 0a 69 64 65 61 0d 0a 6e 6f 72 74 68 0d 0a 79 61 77 6e 0d 0a 6d 6f 76 69 65 0d 0a 6d 6f 6f 6e 0d 0a 72 69 73 65 0d 0a 62 69 72 64 0d 0a Data Ascii: ergroundfatheroffernaturekeeprunyardincomerockopenpersongoatzealzoneletterteachervegetableislandideaurgeescapedancedozootreerestplantzebralunchkideatideanorthyawnmoviemoonrisebird
2023-08-29 05:41:51 UTC	2541	IN	Data Raw: 75 72 6e 65 79 0d 0a 66 6f 72 0d 0a 66 69 73 68 0d 0a 73 6e 61 6b 65 0d 0a 67 72 61 73 73 0d 0a 71 75 6f 74 65 0d 0a 73 65 76 65 6e 0d 0a 65 69 67 68 74 0d 0a 65 61 73 74 0d 0a 63 68 61 72 0d 0a 77 68 69 74 65 0d 0a 62 61 6e 6b 0d 0a 6c 6f 76 65 0d 0a 72 61 69 6e 0d 0a 76 69 65 77 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 61 6e 69 6d 61 6c 0d 0a 6f 69 6c 0d 0a 76 61 6e 0d 0a 77 6f 72 6b 0d 0a 6d 6f 6f 6e 0d 0a 66 61 74 68 65 72 0d 0a 63 61 6d 65 72 61 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 72 69 76 65 72 0d 0a 6c 69 66 65 0d 0a 63 69 74 79 0d 0a 75 73 75 61 6c 6c 79 0d 0a 71 75 61 6e 74 69 74 79 0d 0a 63 61 74 0d 0a 77 65 73 74 0d 0a 64 72 65 61 6d 0d 0a 71 75 69 65 74 0d 0a 61 72 72 61 79 0d 0a 75 73 65 0d 0a 64 6f 67 0d 0a 7a 69 70 70 65 72 0d 0a 6d 61 6e 0d 0a 67 68 Data Ascii: urneyforfishsnakegrassquoteseveneighteastcharwhitebankloverainviewjourneyanimaloilvanworkmoonfathercamerajourneyriverlifecityusuallyquantitycatwestdreamquietarrayusedogzippermangh
2023-08-29 05:41:51 UTC	2557	IN	Data Raw: 6c 69 70 0d 0a 6e 6f 74 65 0d 0a 63 6f 77 0d 0a 6c 6f 6e 67 0d 0a 64 61 74 61 0d 0a 66 61 74 68 65 72 0d 0a 69 6e 63 6f 6d 65 0d 0a 63 6c 69 70 0d 0a 6c 75 6e 63 68 0d 0a 65 79 65 0d 0a 6e 61 74 75 72 65 0d 0a 62 61 6c 6c 0d 0a 66 61 6c 6c 0d 0a 64 75 63 6b 0d 0a 6b 69 6e 64 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 65 61 73 79 0d 0a 6c 65 67 0d 0a 63 6c 6f 75 64 0d 0a 71 75 6f 74 65 0d 0a 6e 61 6d 65 0d 0a 77 69 6e 64 0d 0a 79 61 77 6e 0d 0a 67 68 6f 73 74 0d 0a 61 6e 74 0d 0a 6c 6f 76 65 0d 0a 65 72 72 6f 72 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 6d 69 6c 6b 0d 0a 75 6e 69 74 0d 0a 79 6f 75 6e 67 0d 0a 67 68 6f 73 74 0d 0a 6f 72 64 65 72 0d 0a 66 61 6c 6c 0d 0a 73 75 6e 0d 0a 61 72 63 68 0d 0a 65 67 67 0d 0a 63 69 74 79 0d 0a 6f 69 6c 0d 0a 77 65 73 74 0d Data Ascii: lipnotecowlongdatafatherincomeclipluncheyenatureballfallduckkindKanthaneasylegcloudquotenamewindyawnghostantloveerrorundergroundmilkunityoungghostorderfallsunarcheggcityoilwest
2023-08-29 05:41:51 UTC	2573	IN	Data Raw: 61 62 62 69 74 0d 0a 6c 75 6e 63 68 0d 0a 6b 69 64 0d 0a 6d 6f 6e 6b 65 79 0d 0a 66 61 74 68 65 72 0d 0a 65 73 63 61 70 65 0d 0a 70 6c 61 6e 74 0d 0a 72 6f 63 6b 0d 0a 6b 69 6e 67 0d 0a 7a 6f 6f 0d 0a 69 63 65 0d 0a 6e 6f 73 65 0d 0a 61 77 61 72 64 0d 0a 6c 6f 76 65 0d 0a 63 61 6d 65 72 61 0d 0a 70 69 7a 7a 61 0d 0a 79 65 73 0d 0a 63 6f 77 0d 0a 7a 69 70 70 65 72 0d 0a 66 61 6c 6c 0d 0a 74 6f 70 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 67 72 61 73 73 0d 0a 6c 61 6b 65 0d 0a 75 6e 69 74 0d 0a 63 6c 6f 75 64 0d 0a 79 65 6c 6c 6f 77 0d 0a 77 6f 72 6c 64 0d 0a 73 65 76 65 6e 0d 0a 62 6f 78 0d 0a 6a 6f 79 0d 0a 77 69 6e 74 65 72 0d 0a 70 6f 77 65 72 0d 0a 76 6f 69 63 65 0d 0a 66 6f 6f 64 0d 0a 71 75 61 72 74 65 72 0d 0a 6a 61 76 61 0d 0a 64 61 79 0d 0a 76 69 73 69 Data Ascii: abbitlunchkidmonkeyfatherescapeplantrockkingzooicenoseawardlovecamerapizzayescowzipperfalltopvacationgrasslakeunitcloudyellowworldsevenboxjoywinterpowervoicefoodquarterjavadayvisi
2023-08-29 05:41:51 UTC	2589	IN	Data Raw: 70 0d 0a 66 69 73 68 0d 0a 69 63 6f 6e 0d 0a 73 6f 6e 67 0d 0a 75 73 75 61 6c 6c 79 0d 0a 6e 75 72 73 65 0d 0a 6f 62 6a 65 63 74 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 62 6f 78 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 72 6f 6f 6d 0d 0a 67 75 65 73 74 0d 0a 79 61 72 64 0d 0a 7a 65 62 72 61 0d 0a 71 75 69 65 74 0d 0a 6c 6f 76 65 0d 0a 7a 69 70 70 65 72 0d 0a 64 6f 6f 72 0d 0a 6b 65 65 70 0d 0a 70 69 7a 7a 61 0d 0a 62 6f 79 0d 0a 71 75 69 65 74 0d 0a 79 65 73 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 6a 61 72 0d 0a 79 65 61 72 6e 0d 0a 75 73 75 61 6c 6c 79 0d 0a 6d 6f 6e 6b 65 79 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 7a 6f 6d 62 69 65 0d 0a 6a 6f 6b 65 0d 0a 6b 69 6e 64 0d 0a 79 61 77 6e 0d 0a 6f 72 64 65 72 0d 0a 61 72 74 0d 0a 68 61 6e 64 0d 0a 64 65 73 6b 0d Data Ascii: pfishiconsongusuallynurseobjectvegetableboxunderstandroomguestyardzebraquietlovezipperdoorkeeppizzaboyquietyesunsignedjaryearnusuallymonkeyvegetablezombiejokekindyawnorderarthanddesk
2023-08-29 05:41:51 UTC	2605	IN	Data Raw: 0d 0a 74 61 6c 6b 0d 0a 79 61 72 64 0d 0a 61 72 72 6f 77 0d 0a 77 65 65 6b 0d 0a 61 72 74 0d 0a 74 65 61 63 68 65 72 0d 0a 66 6f 72 0d 0a 79 61 77 6e 0d 0a 61 72 63 68 0d 0a 74 6f 77 6e 0d 0a 69 64 65 61 0d 0a 62 6c 75 65 0d 0a 70 65 61 72 0d 0a 72 6f 61 64 0d 0a 6c 75 6e 63 68 0d 0a 6f 63 65 61 6e 0d 0a 74 61 73 74 65 0d 0a 6e 61 6d 65 0d 0a 6b 65 65 70 0d 0a 70 6c 61 6e 74 0d 0a 70 68 6f 6e 65 0d 0a 66 6f 72 0d 0a 6c 75 6e 63 68 0d 0a 65 61 74 0d 0a 62 69 72 64 0d 0a 6c 6f 76 65 0d 0a 77 61 72 6e 0d 0a 67 61 6d 65 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 67 6f 6c 64 0d 0a 73 75 67 61 72 0d 0a 65 64 67 65 0d 0a 64 6f 0d 0a 66 61 74 68 65 72 0d 0a 72 6f 61 64 0d 0a 74 72 61 69 6e 0d 0a 73 74 61 72 0d 0a 6e 6f 73 65 0d 0a 69 73 6c 61 6e 64 0d 0a 71 75 61 6c 69 Data Ascii: talkyardarrowweekartteacherforyawnarchtownideabluepearroadlunchoceantastenamekeepplantphoneforluncheatbirdlovewarngameunsignedgoldsugaredgedofatherroadtrainstarnoseislandquali
2023-08-29 05:41:51 UTC	2621	IN	Data Raw: 64 0d 0a 65 69 67 68 74 0d 0a 68 61 74 0d 0a 7a 6f 6d 62 69 65 0d 0a 65 6e 65 72 67 79 0d 0a 65 61 73 79 0d 0a 76 69 63 74 6f 72 79 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 70 61 70 65 72 0d 0a 6e 6f 74 65 0d 0a 65 61 72 0d 0a 6d 6f 6e 6b 65 79 0d 0a 74 61 6c 6b 0d 0a 76 6f 69 63 65 0d 0a 65 61 73 74 0d 0a 61 69 72 0d 0a 69 6e 66 6f 72 6d 61 74 69 6f 6e 0d 0a 62 69 72 64 0d 0a 76 61 6c 75 65 0d 0a 6e 6f 73 65 0d 0a 65 67 67 0d 0a 79 61 72 64 0d 0a 6d 6f 6e 6b 65 79 0d 0a 68 69 67 68 0d 0a 76 6f 69 63 65 0d 0a 63 6f 6c 6f 72 0d 0a 71 75 61 6c 69 66 79 0d 0a 74 6f 70 0d 0a 6c 61 6d 70 0d 0a 72 61 69 6e 0d 0a 65 6e 64 0d 0a 6c 69 6f 6e 0d 0a 65 6e 64 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 65 61 72 0d 0a 6b 69 6e 64 0d 0a 6e 65 65 64 0d 0a 6e 61 6d 65 0d 0a 65 61 Data Ascii: deighthatzombieenergyeasyvictoryjourneypapernoteearmonkeytalkvoiceeastairinformationbirdvaluenoseeggyardmonkeyhighvoicecolorqualifytoplamprainendlionenduniversityearkindneednameea
2023-08-29 05:41:51 UTC	2637	IN	Data Raw: 79 0d 0a 63 6f 77 0d 0a 61 63 65 0d 0a 6b 6e 6f 77 6c 65 64 67 65 0d 0a 75 6e 63 6c 65 0d 0a 6d 6f 76 69 65 0d 0a 77 6f 72 6c 64 0d 0a 79 65 6c 6c 6f 77 0d 0a 6b 69 74 65 0d 0a 76 69 65 77 0d 0a 62 65 61 63 68 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 76 69 73 69 74 6f 72 0d 0a 72 65 64 0d 0a 79 65 73 74 65 72 64 61 79 0d 0a 70 65 6e 0d 0a 61 63 65 0d 0a 62 6c 75 65 0d 0a 6b 65 65 70 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 79 65 6c 6c 6f 77 0d 0a 75 6e 69 74 0d 0a 66 72 69 65 6e 64 0d 0a 76 69 73 69 74 6f 72 0d 0a 61 6e 74 0d 0a 6a 6f 75 72 6e 65 79 0d 0a 72 6f 61 64 0d 0a 64 6f 67 0d 0a 71 75 69 65 74 0d 0a 69 6e 6b 0d 0a 65 61 73 74 0d 0a 7a 6f 6d 62 69 65 0d 0a 65 61 73 79 0d 0a 6f 6e 65 0d 0a 6f 66 66 69 63 65 0d 0a 67 69 72 6c 0d 0a 70 61 70 65 72 0d 0a 6c 65 Data Ascii: ycowaceknowledgeunclemovieworldyellowkiteviewbeachunsignedvisitorredyesterdaypenacebluekeepvacationyellowunitfriendvisitorantjourneyroaddogquietinkeastzombieeasyoneofficegirlpaperle
2023-08-29 05:41:51 UTC	2653	IN	Data Raw: 0a 68 61 74 0d 0a 73 68 6f 72 74 0d 0a 6c 65 74 74 65 72 0d 0a 64 75 63 6b 0d 0a 6f 66 66 69 63 65 0d 0a 68 65 61 72 74 0d 0a 70 69 6e 6b 0d 0a 67 6c 61 73 73 0d 0a 68 61 74 0d 0a 7a 65 61 6c 0d 0a 71 75 61 6c 69 66 79 0d 0a 73 6b 79 0d 0a 70 69 6e 6b 0d 0a 61 6e 74 0d 0a 6e 61 74 75 72 65 0d 0a 63 61 74 0d 0a 73 65 76 65 6e 0d 0a 6b 69 64 0d 0a 72 6f 61 64 0d 0a 64 65 73 6b 0d 0a 6b 69 74 63 68 65 6e 0d 0a 62 6c 75 65 0d 0a 77 65 65 6b 0d 0a 7a 6f 6f 0d 0a 76 6f 69 63 65 0d 0a 62 65 61 63 68 0d 0a 6d 61 70 0d 0a 63 69 74 79 0d 0a 67 61 6d 65 0d 0a 70 6f 77 65 72 0d 0a 6b 69 6e 67 0d 0a 77 6f 72 6b 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 62 75 73 0d 0a 6d 6f 6e 6b 65 79 0d 0a 6a 61 72 0d 0a 67 72 6f 75 70 0d 0a 66 69 72 65 0d 0a 66 75 6e 63 0d 0a 72 65 64 0d Data Ascii: hatshortletterduckofficeheartpinkglasshatzealqualifyskypinkantnaturecatsevenkidroaddeskkitchenblueweekzoovoicebeachmapcitygamepowerkingworkquestionbusmonkeyjargroupfirefuncred
2023-08-29 05:41:51 UTC	2669	IN	Data Raw: 65 6e 0d 0a 72 6f 63 6b 0d 0a 6a 61 63 6b 65 74 0d 0a 6b 69 64 0d 0a 69 73 73 75 65 0d 0a 6b 69 74 65 0d 0a 67 61 6d 65 0d 0a 6d 6f 6f 6e 0d 0a 74 61 6c 6b 0d 0a 61 72 74 0d 0a 61 6c 6f 6e 65 0d 0a 79 65 6c 6c 6f 77 0d 0a 70 6c 61 6e 74 0d 0a 68 69 74 0d 0a 66 61 6c 6c 0d 0a 7a 6f 6d 62 69 65 0d 0a 6c 65 74 74 65 72 0d 0a 6c 6f 76 65 0d 0a 6c 65 67 0d 0a 74 65 61 63 68 65 72 0d 0a 68 6f 75 73 65 0d 0a 69 6e 6b 0d 0a 76 61 6c 75 65 0d 0a 75 6e 73 69 67 6e 65 64 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 76 69 63 74 6f 72 79 0d 0a 7a 6f 6d 62 69 65 0d 0a 64 6f 67 0d 0a 6d 6f 74 68 65 72 0d 0a 76 61 63 61 74 69 6f 6e 0d 0a 74 69 67 65 72 0d 0a 75 6e 64 65 72 67 72 6f 75 6e 64 0d 0a 63 6c 69 70 0d 0a 74 6f 70 0d 0a 66 72 69 65 6e 64 0d 0a 67 72 6f 75 70 0d 0a 6b 69 Data Ascii: enrockjacketkidissuekitegamemoontalkartaloneyellowplanthitfallzombieletterlovelegteacherhouseinkvalueunsignedvacationvictoryzombiedogmothervacationtigerundergroundcliptopfriendgroupki
2023-08-29 05:41:51 UTC	2685	IN	Data Raw: 61 72 64 0d 0a 6d 69 6c 6b 0d 0a 73 63 68 6f 6f 6c 0d 0a 62 6c 75 65 0d 0a 6c 61 6d 70 0d 0a 63 6f 61 74 0d 0a 75 6e 63 6c 65 0d 0a 73 6e 6f 77 0d 0a 62 6c 75 65 0d 0a 79 61 72 64 0d 0a 79 61 72 64 0d 0a 73 75 6e 0d 0a 67 68 6f 73 74 0d 0a 75 6e 63 6c 65 0d 0a 64 61 72 6b 0d 0a 6c 69 6f 6e 0d 0a 6f 66 66 69 63 65 0d 0a 62 69 72 64 0d 0a 68 61 6e 64 0d 0a 69 6e 63 6f 6d 65 0d 0a 70 65 72 73 6f 6e 0d 0a 6e 75 6d 62 65 72 0d 0a 67 6c 61 73 73 0d 0a 6d 61 70 0d 0a 66 6f 72 0d 0a 79 65 6c 6c 6f 77 0d 0a 6d 61 70 0d 0a 71 75 6f 74 65 0d 0a 66 61 74 68 65 72 0d 0a 72 69 73 65 0d 0a 64 6f 67 0d 0a 70 68 6f 6e 65 0d 0a 62 69 72 64 0d 0a 6c 61 6b 65 0d 0a 61 6e 69 6d 61 6c 0d 0a 66 6f 6f 74 0d 0a 70 61 70 65 72 0d 0a 63 61 72 0d 0a 7a 6f 6f 0d 0a 62 61 6e 61 6e 61 Data Ascii: ardmilkschoolbluelampcoatunclesnowblueyardyardsunghostuncledarklionofficebirdhandincomepersonnumberglassmapforyellowmapquotefatherrisedogphonebirdlakeanimalfootpapercarzoobanana
2023-08-29 05:41:51 UTC	2701	IN	Data Raw: 69 74 79 0d 0a 76 69 64 65 6f 0d 0a 62 6f 6f 6b 0d 0a 6c 61 6d 70 0d 0a 68 6f 75 73 65 0d 0a 73 74 61 72 0d 0a 71 75 61 6c 69 66 79 0d 0a 76 69 63 74 6f 72 79 0d 0a 62 6f 6f 6b 0d 0a 74 61 73 74 65 0d 0a 72 75 6e 0d 0a 6a 61 63 6b 65 74 0d 0a 73 74 72 69 6e 67 0d 0a 72 69 76 65 72 0d 0a 6b 69 64 0d 0a 75 6e 64 65 72 73 74 61 6e 64 0d 0a 6f 69 6c 0d 0a 6a 65 6c 6c 79 0d 0a 61 6c 6f 6e 65 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 69 6e 63 6f 6d 65 0d 0a 65 61 72 74 68 0d 0a 71 75 69 63 6b 0d 0a 71 75 6f 74 65 0d 0a 63 6c 6f 75 64 0d 0a 79 65 73 0d 0a 69 6e 6b 0d 0a 77 65 73 74 0d 0a 66 72 69 65 6e 64 0d 0a 73 75 67 61 72 0d 0a 75 73 75 61 6c 6c 79 0d 0a 63 6c 69 70 0d 0a 6a 6f 6b 65 0d 0a 70 69 63 74 75 72 65 0d 0a 66 6f 72 0d 0a 6b 69 73 73 0d 0a 65 67 67 0d Data Ascii: ityvideobooklamphousestarqualifyvictorybooktasterunjacketstringriverkidunderstandoiljellyalonevegetableincomeearthquickquotecloudyesinkwestfriendsugarusuallyclipjokepictureforkissegg
2023-08-29 05:41:51 UTC	2717	IN	Data Raw: 6f 0d 0a 74 61 6c 6b 0d 0a 73 6b 79 0d 0a 71 75 61 72 74 65 72 0d 0a 72 6f 61 64 0d 0a 70 61 70 65 72 0d 0a 61 69 72 0d 0a 73 6b 79 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 74 72 65 65 0d 0a 62 6c 75 65 0d 0a 73 6b 79 0d 0a 7a 65 72 6f 0d 0a 65 61 72 74 68 0d 0a 65 72 72 6f 72 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 72 69 73 65 0d 0a 64 6f 0d 0a 61 63 65 0d 0a 6c 61 75 67 68 0d 0a 7a 65 72 6f 0d 0a 72 6f 61 64 0d 0a 72 61 69 6e 0d 0a 66 69 73 68 0d 0a 6c 61 75 67 68 0d 0a 7a 65 72 6f 0d 0a 74 61 73 74 65 0d 0a 76 6f 69 63 65 0d 0a 7a 65 72 6f 0d 0a 72 6f 61 64 0d 0a 71 75 61 6c 69 74 79 0d 0a 6a 65 6c 6c 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 6c 6f 6e 67 0d 0a 6f 70 65 6e 0d 0a 73 6b Data Ascii: otalkskyquarterroadpaperairskyKanthantreeblueskyzeroeartherroruniversityrisedoacelaughzeroroadrainfishlaughzerotastevoicezeroroadqualityjellyuniversityuniversityuniversitylongopensk
2023-08-29 05:41:51 UTC	2733	IN	Data Raw: 73 6e 6f 77 0d 0a 65 79 65 0d 0a 65 79 65 0d 0a 65 72 72 6f 72 0d 0a 65 64 67 65 0d 0a 6c 69 66 65 0d 0a 70 61 70 65 72 0d 0a 6c 65 74 74 65 72 0d 0a 73 6b 79 0d 0a 7a 65 72 6f 0d 0a 71 75 65 73 74 69 6f 6e 0d 0a 64 6f 0d 0a 77 6f 72 6c 64 0d 0a 62 61 6e 61 6e 61 0d 0a 65 79 65 0d 0a 65 79 65 0d 0a 7a 65 62 72 61 0d 0a 6e 61 74 75 72 65 0d 0a 61 6e 69 6d 61 6c 0d 0a 6e 75 72 73 65 0d 0a 63 6f 6c 6f 72 0d 0a 65 79 65 0d 0a 65 79 65 0d 0a 70 61 70 65 72 0d 0a 65 69 67 68 74 0d 0a 73 6b 79 0d 0a 7a 65 72 6f 0d 0a 63 6f 77 0d 0a 6b 69 63 6b 0d 0a 69 6e 74 0d 0a 79 65 61 72 6e 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 71 75 61 72 74 65 72 0d 0a 72 6f 61 64 0d 0a 77 6f 72 6b 0d 0a 6b 69 73 73 0d 0a 70 6f 77 65 72 0d 0a 6d 6f Data Ascii: snoweyeeyeerroredgelifepaperletterskyzeroquestiondoworldbananaeyeeyezebranatureanimalnursecoloreyeeyepapereightskyzerocowkickintyearnuniversityuniversityquarterroadworkkisspowermo
2023-08-29 05:41:51 UTC	2749	IN	Data Raw: 72 6f 0d 0a 77 61 74 65 72 0d 0a 64 6f 0d 0a 6f 6e 65 0d 0a 6e 69 67 68 74 0d 0a 65 79 65 0d 0a 65 79 65 0d 0a 73 6b 79 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 71 75 65 65 6e 0d 0a 77 68 69 6c 65 0d 0a 77 65 73 74 0d 0a 65 79 65 0d 0a 65 79 65 0d 0a 62 6c 75 65 0d 0a 68 61 69 72 0d 0a 65 79 65 0d 0a 70 61 70 65 72 0d 0a 79 65 6c 6c 6f 77 0d 0a 7a 65 72 6f 0d 0a 71 75 61 72 74 65 72 0d 0a 77 68 69 6c 65 0d 0a 63 6f 6c 6f 72 0d 0a 65 79 65 0d 0a 65 79 65 0d 0a 71 75 61 72 74 65 72 0d 0a 72 6f 61 64 0d 0a 70 61 70 65 72 0d 0a 79 61 77 6e 0d 0a 73 6b 79 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 7a 65 62 72 61 0d 0a 64 6f 0d 0a 6c 6f 6e 67 0d 0a 68 6f 75 73 65 0d 0a 7a 65 62 72 61 0d 0a 64 6f 0d 0a 76 69 73 69 74 6f 72 0d 0a 65 79 65 0d 0a 62 61 6e 61 6e 61 0d 0a 65 79 65 0d Data Ascii: rowaterdoonenighteyeeyeskyKanthanqueenwhilewesteyeeyebluehaireyepaperyellowzeroquarterwhilecoloreyeeyequarterroadpaperyawnskyKanthanzebradolonghousezebradovisitoreyebananaeye
2023-08-29 05:41:51 UTC	2765	IN	Data Raw: 65 72 0d 0a 61 72 72 61 79 0d 0a 64 61 79 0d 0a 65 79 65 0d 0a 6b 69 6e 67 0d 0a 63 6f 61 74 0d 0a 6a 61 72 0d 0a 76 65 67 65 74 61 62 6c 65 0d 0a 6e 69 67 68 74 0d 0a 63 6f 61 74 0d 0a 75 6e 69 76 65 72 73 69 74 79 0d 0a 73 6b 79 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 69 6e 73 69 64 65 0d 0a 62 61 6e 61 6e 61 0d 0a 73 6b 79 0d 0a 7a 65 72 6f 0d 0a 6d 6f 76 69 65 0d 0a 73 6b 79 0d 0a 73 68 6f 72 74 0d 0a 6b 69 6e 67 0d 0a 6b 69 63 6b 0d 0a 6b 69 6e 67 0d 0a 7a 65 72 6f 0d 0a 67 68 6f 73 74 0d 0a 73 6b 79 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 65 72 72 6f 72 0d 0a 62 61 6e 61 6e 61 0d 0a 73 6b 79 0d 0a 73 68 6f 72 74 0d 0a 6b 69 6e 67 0d 0a 77 65 65 6b 0d 0a 4b 61 6e 74 68 61 6e 0d 0a 72 65 73 74 0d 0a 62 61 6e 61 6e 61 0d 0a 73 6b 79 0d 0a 4b 61 6e 74 68 61 6e 0d 0a Data Ascii: erarraydayeyekingcoatjarvegetablenightcoatuniversityskyKanthaninsidebananaskyzeromovieskyshortkingkickkingzeroghostskyKanthanerrorbananaskyshortkingweekKanthanrestbananaskyKanthan

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 4a9OE5cKJo.exePID: 5260, Parent PID: 3524

General

Target ID:	0
Start time:	07:41:28
Start date:	29/08/2023
Path:	C:\Users\user\Desktop\4a9OE5cKJo.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\4a9OE5cKJo.exe
Imagebase:	0x7ff62a3b0000
File size:	1'084'632 bytes
MD5 hash:	9652452E6863BFCB4FB2C1C20702CA7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: zlogger.exePID: 5284, Parent PID: 5260

General

Target ID:	1
Start time:	07:41:28
Start date:	29/08/2023
Path:	C:\Users\Public\Pictures\Picture\zlogger.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Pictures\Picture\zlogger.exe --version
Imagebase:	0x400000
File size:	152'080 bytes
MD5 hash:	BB63FD178AFFCCAAB180BCE1689157CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000001.00000002.643032727.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6704, Parent PID: 5284

General

Target ID:	2
Start time:	07:41:28
Start date:	29/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff766460000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5912, Parent PID: 5260

General

Target ID:	5
Start time:	07:41:34
Start date:	29/08/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5260 -s 940
Imagebase:	0x7ff6141a0000
File size:	494'488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 4a9OE5cKJo.exePID: 5260, Parent PID: 3524COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.3%
Total number of Nodes:	797
Total number of Limit Nodes:	18

Executed Functions

Function 00007FF62A3F0890 Relevance: 92.9, APIs: 24, Strings: 29, Instructions: 151
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E00007FF67FF62A3F0890(void* __eax) {
				signed int _v24;
				signed long long _t11;
				void* _t13;
				signed long long _t18;

				_t11 =  *0x2a4b30d8; // 0xe5c70e37496b
				_v24 = _t11 ^ _t18;
				__imp__GetModuleHandleExW();
				if (__eax != 0) goto 0x2a3f08e5;
				E00007FF67FF62A3EFB90(0x10008, __eax, _t13, "Win32: Failed to retrieve own module handle");
				return E00007FF67FF62A3F6B50(0, 0x10008, _v24 ^ _t18);
			}

0x7ff62a3f0894
0x7ff62a3f089e
0x7ff62a3f08b6
0x7ff62a3f08be
0x7ff62a3f08cc
0x7ff62a3f08e4

APIs

GetModuleHandleExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF62A3EFE76), ref: 00007FF62A3F08B6
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF62A3EFE76), ref: 00007FF62A3F08EC

Part of subcall function 00007FF62A3EFB90: GetLastError.KERNEL32 ref: 00007FF62A3EFBDB
Part of subcall function 00007FF62A3EFB90: FormatMessageW.KERNEL32 ref: 00007FF62A3EFC10
Part of subcall function 00007FF62A3EFB90: WideCharToMultiByte.KERNEL32 ref: 00007FF62A3EFC4F

Strings

AdjustWindowRectExForDpi, xrefs: 00007FF62A3F09AB
shcore.dll, xrefs: 00007FF62A3F0B30
xinput9_1_0.dll, xrefs: 00007FF62A3F0A26
XInputGetState, xrefs: 00007FF62A3F0A8F
EnableNonClientDpiScaling, xrefs: 00007FF62A3F095A
GetSystemMetricsForDpi, xrefs: 00007FF62A3F09C6
DirectInput8Create, xrefs: 00007FF62A3F09FA
GetDpiForWindow, xrefs: 00007FF62A3F0990
dwmapi.dll, xrefs: 00007FF62A3F0AAA
Win32: Failed to load user32.dll, xrefs: 00007FF62A3F08FE
ChangeWindowMessageFilterEx, xrefs: 00007FF62A3F093F
SetProcessDpiAwareness, xrefs: 00007FF62A3F0B49
user32.dll, xrefs: 00007FF62A3F08E5
dinput8.dll, xrefs: 00007FF62A3F09DA
GetDpiForMonitor, xrefs: 00007FF62A3F0B60
Win32: Failed to retrieve own module handle, xrefs: 00007FF62A3F08C0
xinput1_4.dll, xrefs: 00007FF62A3F0A1F
xinput1_1.dll, xrefs: 00007FF62A3F0A43
SetProcessDpiAwarenessContext, xrefs: 00007FF62A3F0975
RtlVerifyVersionInfo, xrefs: 00007FF62A3F0B94
DwmGetColorizationColor, xrefs: 00007FF62A3F0B15
ntdll.dll, xrefs: 00007FF62A3F0B7B
DwmFlush, xrefs: 00007FF62A3F0ADF
XInputGetCapabilities, xrefs: 00007FF62A3F0A78
DwmIsCompositionEnabled, xrefs: 00007FF62A3F0AC8
xinput1_2.dll, xrefs: 00007FF62A3F0A37
DwmEnableBlurBehindWindow, xrefs: 00007FF62A3F0AFA
SetProcessDPIAware, xrefs: 00007FF62A3F0923
xinput1_3.dll, xrefs: 00007FF62A3F0A11

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ByteCharErrorFormatHandleLastLibraryLoadMessageModuleMultiWide
String ID: AdjustWindowRectExForDpi$ChangeWindowMessageFilterEx$DirectInput8Create$DwmEnableBlurBehindWindow$DwmFlush$DwmGetColorizationColor$DwmIsCompositionEnabled$EnableNonClientDpiScaling$GetDpiForMonitor$GetDpiForWindow$GetSystemMetricsForDpi$RtlVerifyVersionInfo$SetProcessDPIAware$SetProcessDpiAwareness$SetProcessDpiAwarenessContext$Win32: Failed to load user32.dll$Win32: Failed to retrieve own module handle$XInputGetCapabilities$XInputGetState$dinput8.dll$dwmapi.dll$ntdll.dll$shcore.dll$user32.dll$xinput1_1.dll$xinput1_2.dll$xinput1_3.dll$xinput1_4.dll$xinput9_1_0.dll
API String ID: 1648301694-1088760994
Opcode ID: 511412ed3d2e6a6a6d7b745dcfd560206b107f865f9b9d58446667d78d2323e9
Instruction ID: f7279837ebfe3795afe842d8fbce9ab4d54502277ca873ad025247e752d81414
Opcode Fuzzy Hash: 511412ed3d2e6a6a6d7b745dcfd560206b107f865f9b9d58446667d78d2323e9
Instruction Fuzzy Hash: 5D917D64E09B0791EF009B15FE9517877A5FF49740B805ABAC84EC2368EFBCE168C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3EDDF0 Relevance: 45.8, APIs: 19, Strings: 7, Instructions: 288
libraryfilenativeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E00007FF67FF62A3EDDF0(void* __edi, void* __rax, long long __rbx, long long __rsi, void* __r8, void* __r13, long long __r14) {
				void* __rdi;
				void* __rbp;
				int _t87;
				intOrPtr _t88;
				long _t95;
				long _t96;
				int _t100;
				void* _t110;
				int _t134;
				struct _OSVERSIONINFOA* _t138;
				void* _t180;
				signed long long _t183;
				void* _t187;
				intOrPtr _t188;
				intOrPtr _t191;
				void* _t212;
				signed long long _t247;
				void* _t262;
				long _t263;
				char _t276;
				void* _t277;
				void* _t279;
				void* _t280;
				void* _t294;
				struct _OSVERSIONINFOA* _t302;

				_t180 = __rax;
				 *((long long*)(_t279 + 0x10)) = __rbx;
				 *((long long*)(_t279 + 0x18)) = __rsi;
				_t277 = _t279 - 0x2c0;
				_t280 = _t279 - 0x3c0;
				 *((intOrPtr*)(_t277 + 0x70)) = 0x94;
				_t87 = GetVersionExA(_t302);
				r15d = 0;
				if (_t87 == 0) goto 0x2a3edeff;
				_t88 =  *((intOrPtr*)(_t277 + 0x74));
				if (_t88 != 0xa) goto 0x2a3ede50;
				_t7 =  &(_t302->dwMajorVersion); // 0x4
				r8d = _t7;
				 *((intOrPtr*)(_t280 + 0x58)) = 1;
				__imp__SetProcessMitigationPolicy();
				goto 0x2a3edeff;
				if (_t88 - 6 < 0) goto 0x2a3edeff;
				r8d = 0;
				RtlAdjustPrivilege(_t263, _t276); // executed
				GetCurrentProcess();
				GetModuleHandleA(??);
				GetProcAddress(??, ??);
				_t273 = __rax;
				if (__rax == 0) goto 0x2a3edeff;
				GetModuleHandleA(??);
				GetProcAddress(??, ??);
				_t187 = __rax;
				if (__rax == 0) goto 0x2a3edeff;
				r9d = 8;
				 *(_t280 + 0x50) = 8;
				 *(_t280 + 0x20) = _t302;
				_t95 = NtQueryInformationProcess(??, ??, ??, ??, ??); // executed
				if (_t95 < 0) goto 0x2a3edeff;
				 *(_t280 + 0x54) =  *(_t280 + 0x54) | 0x00000001;
				r9d = 8;
				_t96 = NtSetInformationProcess(??, ??, ??, ??); // executed
				 *(_t280 + 0x50) = _t302;
				r8d = 0;
				_t138 = r15d; // executed
				0x2a3f5456(); // executed
				if (_t96 < 0) goto 0x2a3ee23a;
				asm("xorps xmm0, xmm0");
				asm("xorps xmm1, xmm1");
				asm("movups [esp+0x60], xmm0");
				asm("movdqu [esp+0x70], xmm1");
				if ( *((intOrPtr*)( *(_t280 + 0x50) + 0xfffffffffffffffe)) != _t138) goto 0x2a3edf42;
				E00007FF67FF62A3B1D30(__rax, _t280 + 0x60,  *(_t280 + 0x50), __rax, __rax, _t277, 0);
				r8d = 4;
				E00007FF67FF62A3B4140(_t187, _t280 + 0x60, L"\\*.*", _t277, 0, __r13);
				_t212 =  >=  ?  *((void*)(_t280 + 0x60)) : _t280 + 0x60;
				FindFirstFileW(??, ??); // executed
				if (_t180 == 0xffffffff) goto 0x2a3edfc6;
				asm("o16 nop [eax+eax]");
				_t36 = _t187 + 1; // 0x1
				_t143 =  !=  ? _t138 : _t36;
				_t139 =  !=  ? _t138 : _t36;
				_t100 = FindNextFileW(??, ??); // executed
				if (_t100 != 0) goto 0x2a3edfa0;
				FindClose(??); // executed
				__imp__CoTaskMemFree();
				_t247 =  *((intOrPtr*)(_t280 + 0x78));
				if (_t247 - 8 < 0) goto 0x2a3ee013;
				if (2 + _t247 * 2 - 0x1000 < 0) goto 0x2a3ee00e;
				_t183 =  *((intOrPtr*)(_t280 + 0x60)) -  *((intOrPtr*)( *((intOrPtr*)(_t280 + 0x60)) - 8)) + 0xfffffff8;
				if (_t183 - 0x1f > 0) goto 0x2a3ee2c8;
				0x2a3f6464();
				_t174 = ( !=  ? _t138 : _t36) - 6;
				if (( !=  ? _t138 : _t36) - 6 <= 0) goto 0x2a3ee23a;
				E00007FF67FF62A3FF9F8(( !=  ? _t138 : _t36) - 6, _t183,  *((intOrPtr*)( *((intOrPtr*)(_t280 + 0x60)) - 8)));
				E00007FF67FF62A3FD070(0, _t183);
				_t188 =  *0x2a4b42b0; // 0x2a433eeb500
				E00007FF67FF62A3FD044(_t183);
				_t191 =  *0x2a4b4300; // 0x2a433eed1a0
				E00007FF67FF62A3FD044(_t183);
				_t110 = E00007FF67FF62A3B36B0( !=  ? _t138 : _t36, 0, _t183, (_t183 % (_t191 -  *0x2a4b42f8 >> 5) << 5) +  *0x2a4b42f8, (_t183 % (_t188 -  *0x2a4b42a8 >> 5) << 5) +  *0x2a4b42a8, (_t183 % (_t191 -  *0x2a4b42f8 >> 5) << 5) +  *0x2a4b42f8, (_t183 % (_t188 -  *0x2a4b42a8 >> 5) << 5) +  *0x2a4b42a8, _t273); // executed
				if (_t110 == 0) goto 0x2a3ee274;
				 *((long long*)(_t280 + 0x3e0)) = __r14;
				E00007FF67FF62A3B1C00(_t277 - 0x48, (_t183 % (_t188 -  *0x2a4b42a8 >> 5) << 5) +  *0x2a4b42a8, 0x2a41c138);
				E00007FF67FF62A3B1AB0((_t183 % (_t191 -  *0x2a4b42f8 >> 5) << 5) +  *0x2a4b42f8, _t280 + 0x60, _t183, (_t183 % (_t191 -  *0x2a4b42f8 >> 5) << 5) +  *0x2a4b42f8);
				E00007FF67FF62A3EDBA0(E00007FF67FF62A3B3100(E00007FF67FF62A3B2EC0(E00007FF67FF62A3B2EC0(E00007FF67FF62A3B1B20((_t183 % (_t191 -  *0x2a4b42f8 >> 5) << 5) +  *0x2a4b42f8, _t277 - 0x68, _t183, 0x2a41bf38), _t280 + 0x60), _t277 - 0x48), 0x2a4b42e0, _t183), 0x2a4b42c8);
				E00007FF67FF62A3FD044(_t183);
				E00007FF67FF62A3B4420(E00007FF67FF62A3B4420(E00007FF67FF62A3B4420(E00007FF67FF62A3B3100(_t183 / _t183, 0x2a4b42c8, _t183 % _t183), _t277 - 0x68), _t183), _t183);
				E00007FF67FF62A3B3A90(_t183, _t183, _t183, _t183, _t183, _t280 + 0x50); // executed
				E00007FF67FF62A3B3B60(_t183, _t183, _t183, _t183, _t183, _t280 + 0x50); // executed
				asm("xorps xmm1, xmm1");
				 *((intOrPtr*)(_t277 - 0x20)) = 0x68;
				asm("xorps xmm0, xmm0");
				 *(_t277 - 0x70) = _t183;
				 *((intOrPtr*)(_t277 + 0x44)) = 0;
				asm("movups [ebp-0x80], xmm0");
				asm("movups [ebp-0x1c], xmm1");
				asm("movups [ebp-0xc], xmm1");
				asm("movups [ebp+0x4], xmm1");
				asm("movups [ebp+0x14], xmm1");
				asm("movups [ebp+0x24], xmm1");
				asm("movups [ebp+0x34], xmm1");
				E00007FF67FF62A3B24B0(_t183, _t277 - 0x48, " --version");
				E00007FF67FF62A3B1B90(_t280 + 0x60, _t277 - 0x68, _t183);
				E00007FF67FF62A3B4420(E00007FF67FF62A3B4420(E00007FF67FF62A3B2EC0(E00007FF67FF62A3B1AB0(_t183, _t277 + 0x50, _t183, _t277 - 0x48), _t280 + 0x60), _t277 - 0x68), _t277 + 0x50);
				 *((long long*)(_t280 + 0x48)) = _t277 - 0x80;
				r9d = 0;
				 *((long long*)(_t280 + 0x40)) = _t277 - 0x20;
				r8d = 0;
				 *(_t280 + 0x38) = _t183;
				 *(_t280 + 0x30) = _t302;
				 *((intOrPtr*)(_t280 + 0x28)) = 0x8000000;
				 *(_t280 + 0x20) = r15d;
				_t134 = CreateProcessA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
				if (_t134 != 0) goto 0x2a3ee28e;
				E00007FF67FF62A3B4420(_t134, 0x2a4b2088);
				goto 0x2a3ee2ac;
				_t294 =  >=  ?  *0x2a4b20c8 : 0x2a4b20c8;
				_t262 =  >=  ?  *0x2a4b2048 : 0x2a4b2048;
				r9d = 0x7ff62a4b20c8;
				MessageBoxA(??, ??, ??, ??);
				return 0;
			}

0x7ff62a3eddf0
0x7ff62a3eddf0
0x7ff62a3eddf5
0x7ff62a3eddfe
0x7ff62a3ede06
0x7ff62a3ede11
0x7ff62a3ede18
0x7ff62a3ede1e
0x7ff62a3ede23
0x7ff62a3ede29
0x7ff62a3ede2f
0x7ff62a3ede31
0x7ff62a3ede31
0x7ff62a3ede35
0x7ff62a3ede45
0x7ff62a3ede4b
0x7ff62a3ede53
0x7ff62a3ede59
0x7ff62a3ede68
0x7ff62a3ede6e
0x7ff62a3ede7e
0x7ff62a3ede8e
0x7ff62a3ede94
0x7ff62a3ede9a
0x7ff62a3edea3
0x7ff62a3edeb3
0x7ff62a3edeb9
0x7ff62a3edebf
0x7ff62a3edec1
0x7ff62a3edec7
0x7ff62a3eded4
0x7ff62a3edee0
0x7ff62a3edee4
0x7ff62a3edee6
0x7ff62a3edef0
0x7ff62a3edefd
0x7ff62a3edf04
0x7ff62a3edf09
0x7ff62a3edf15
0x7ff62a3edf18
0x7ff62a3edf1f
0x7ff62a3edf2a
0x7ff62a3edf2d
0x7ff62a3edf37
0x7ff62a3edf3c
0x7ff62a3edf4a
0x7ff62a3edf51
0x7ff62a3edf56
0x7ff62a3edf68
0x7ff62a3edf7c
0x7ff62a3edf82
0x7ff62a3edf8f
0x7ff62a3edf95
0x7ff62a3edfa4
0x7ff62a3edfab
0x7ff62a3edfae
0x7ff62a3edfb3
0x7ff62a3edfbb
0x7ff62a3edfc0
0x7ff62a3edfcb
0x7ff62a3edfd1
0x7ff62a3edfda
0x7ff62a3edff3
0x7ff62a3ee000
0x7ff62a3ee008
0x7ff62a3ee00e
0x7ff62a3ee013
0x7ff62a3ee016
0x7ff62a3ee01e
0x7ff62a3ee026
0x7ff62a3ee02b
0x7ff62a3ee03d
0x7ff62a3ee049
0x7ff62a3ee069
0x7ff62a3ee089
0x7ff62a3ee090
0x7ff62a3ee09d
0x7ff62a3ee0ac
0x7ff62a3ee0bc
0x7ff62a3ee0ff
0x7ff62a3ee107
0x7ff62a3ee13f
0x7ff62a3ee14d
0x7ff62a3ee158
0x7ff62a3ee15d
0x7ff62a3ee160
0x7ff62a3ee170
0x7ff62a3ee173
0x7ff62a3ee17b
0x7ff62a3ee17e
0x7ff62a3ee182
0x7ff62a3ee186
0x7ff62a3ee18a
0x7ff62a3ee18e
0x7ff62a3ee192
0x7ff62a3ee196
0x7ff62a3ee19a
0x7ff62a3ee1ab
0x7ff62a3ee1da
0x7ff62a3ee1e6
0x7ff62a3ee1ef
0x7ff62a3ee1f2
0x7ff62a3ee1f7
0x7ff62a3ee1fa
0x7ff62a3ee201
0x7ff62a3ee206
0x7ff62a3ee20e
0x7ff62a3ee213
0x7ff62a3ee223
0x7ff62a3ee22c
0x7ff62a3ee238
0x7ff62a3ee250
0x7ff62a3ee260
0x7ff62a3ee26a
0x7ff62a3ee26e
0x7ff62a3ee28d

APIs

GetVersionExA.KERNEL32 ref: 00007FF62A3EDE18
SetProcessMitigationPolicy.KERNEL32 ref: 00007FF62A3EDE45
RtlAdjustPrivilege.NTDLL ref: 00007FF62A3EDE68
GetCurrentProcess.KERNEL32 ref: 00007FF62A3EDE6E
GetModuleHandleA.KERNEL32 ref: 00007FF62A3EDE7E
GetProcAddress.KERNEL32 ref: 00007FF62A3EDE8E
GetModuleHandleA.KERNEL32 ref: 00007FF62A3EDEA3
GetProcAddress.KERNEL32 ref: 00007FF62A3EDEB3
NtQueryInformationProcess.NTDLL ref: 00007FF62A3EDEE0
NtSetInformationProcess.NTDLL ref: 00007FF62A3EDEFD
SHGetKnownFolderPath.SHELL32 ref: 00007FF62A3EDF18
FindFirstFileW.KERNELBASE ref: 00007FF62A3EDF82
FindNextFileW.KERNELBASE ref: 00007FF62A3EDFB3
FindClose.KERNELBASE ref: 00007FF62A3EDFC0
CoTaskMemFree.OLE32 ref: 00007FF62A3EDFCB
CreateProcessA.KERNELBASE ref: 00007FF62A3EE213
MessageBoxA.USER32 ref: 00007FF62A3EE2B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A3EE2C8

Strings

NtQueryInformationProcess, xrefs: 00007FF62A3EDE87
NtDll.dll, xrefs: 00007FF62A3EDE9C
NtDll.dll, xrefs: 00007FF62A3EDE74
error, xrefs: 00007FF62A3EE231
NtSetInformationProcess, xrefs: 00007FF62A3EDEAC
\*.*, xrefs: 00007FF62A3EDF5C
--version, xrefs: 00007FF62A3EE169

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Process$Find$AddressFileHandleInformationModuleProc$AdjustCloseCreateCurrentFirstFolderFreeKnownMessageMitigationNextPathPolicyPrivilegeQueryTaskVersion_invalid_parameter_noinfo_noreturn
String ID: --version$NtDll.dll$NtDll.dll$NtQueryInformationProcess$NtSetInformationProcess$\*.*$error
API String ID: 2737874586-3560420863
Opcode ID: eca46af476edba916224732ae4741b43618f52c47bf5f053b9777a96be7e4e0f
Instruction ID: 1153d47c67a64799c8f5a8e9c463d32a6f356e879a3a0b69fb2eaa275a6a5855
Opcode Fuzzy Hash: eca46af476edba916224732ae4741b43618f52c47bf5f053b9777a96be7e4e0f
Instruction Fuzzy Hash: E7D17E21E18A4282EF00DB65ED841FD63A2FF947D4F404675EA0DC6AA5DFBCE549C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3EFE20 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 222
windowkeyboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32 ref: 00007FF62A3EFE55
SystemParametersInfoW.USER32 ref: 00007FF62A3EFE6B

Part of subcall function 00007FF62A3F0890: GetModuleHandleExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF62A3EFE76), ref: 00007FF62A3F08B6

MapVirtualKeyW.USER32 ref: 00007FF62A3EFFC7
ToUnicode.USER32 ref: 00007FF62A3EFFEC
ToUnicode.USER32 ref: 00007FF62A3F0014
WideCharToMultiByte.KERNEL32 ref: 00007FF62A3F004A
VerSetConditionMask.KERNEL32 ref: 00007FF62A3F009F
VerSetConditionMask.KERNEL32 ref: 00007FF62A3F00B0
VerSetConditionMask.KERNEL32 ref: 00007FF62A3F00C1
RtlVerifyVersionInfo.NTDLL ref: 00007FF62A3F00D4
SetProcessDPIAware.USER32 ref: 00007FF62A3F0115
SetProcessDPIAware.USER32 ref: 00007FF62A3F014E
CreateWindowExW.USER32 ref: 00007FF62A3F01AB
ShowWindow.USER32 ref: 00007FF62A3F01EF
RegisterDeviceNotificationW.USER32 ref: 00007FF62A3F0230
PeekMessageW.USER32 ref: 00007FF62A3F0259
TranslateMessage.USER32 ref: 00007FF62A3F026A
DispatchMessageW.USER32 ref: 00007FF62A3F0277
PeekMessageW.USER32 ref: 00007FF62A3F0299

Strings

GLFW30, xrefs: 00007FF62A3F0170
GLFW message window, xrefs: 00007FF62A3F0164
Win32: Failed to create helper window, xrefs: 00007FF62A3F01BD

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Message$ConditionInfoMask$AwareParametersPeekProcessSystemUnicodeWindow$ByteCharCreateDeviceDispatchHandleModuleMultiNotificationRegisterShowTranslateVerifyVersionVirtualWide
String ID: GLFW message window$GLFW30$Win32: Failed to create helper window
API String ID: 1073997163-594211362
Opcode ID: d7f35a74974983d7244fa1ac2972b03a362dbe9c52f97fc476129fca5d1db966
Instruction ID: 6dc05eb2b20c489ea1f243a4bdba6baa9fd40554db36ecdf75fd3eb7af91769e
Opcode Fuzzy Hash: d7f35a74974983d7244fa1ac2972b03a362dbe9c52f97fc476129fca5d1db966
Instruction Fuzzy Hash: 45B1B432A1878286FB609F20EC447EA77A1FB85748F004179CA4DC7A95DFBDE559CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F3520 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPropW.USER32 ref: 00007FF62A3F3559
EnableNonClientDpiScaling.USER32 ref: 00007FF62A3F35D7
DefWindowProcW.USER32 ref: 00007FF62A3F35EF

Strings

GLFW, xrefs: 00007FF62A3F3549
Win32: Failed to retrieve raw input data, xrefs: 00007FF62A3F3A25

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ClientEnableProcPropScalingWindow
String ID: GLFW$Win32: Failed to retrieve raw input data
API String ID: 439044783-2352637977
Opcode ID: 92b5fe2ca1ba1bdea4699f74b8f4d33814fc5997f98ec20bdb5c9f0ed48a3f62
Instruction ID: 8e9597f1e77d8954e07d8c8e82828b1abcdb778456ec4041106d4afec77d2dfc
Opcode Fuzzy Hash: 92b5fe2ca1ba1bdea4699f74b8f4d33814fc5997f98ec20bdb5c9f0ed48a3f62
Instruction Fuzzy Hash: 0A91CE32E286828AFF648B25EC843BC72A4BF44758F5445BADE1DD2690CFBCE545C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F6914 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF62A3F691D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A406D98

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: d85dde4f9a7d39774fd595a5593eed77bebc784d2c34c533e815ed72882958ee
Instruction ID: 5030633d380bd41ae97483771856be2239abd7580d9cb8fe4c22c8f310ef0d40
Opcode Fuzzy Hash: d85dde4f9a7d39774fd595a5593eed77bebc784d2c34c533e815ed72882958ee
Instruction Fuzzy Hash: 73E0B630E5E25386EF2837654C921BC15906F55320F6006B9E51EC52C2CEECA5925753

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F66C4 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E00007FF67FF62A3F66C4(long long __rax, struct _CRITICAL_SECTION* __rbx, void* __r9, void* _a8) {

				InitializeCriticalSectionAndSpinCount(__rbx);
				GetModuleHandleW(??); // executed
				if (__rax != 0) goto 0x2a3f670a;
				GetModuleHandleW(??);
				if (__rax == 0) goto 0x2a3f6789;
				GetProcAddress(??, ??);
				GetProcAddress(??, ??);
				if (__rax == 0) goto 0x2a3f6747;
				if (__rax == 0) goto 0x2a3f6747;
				 *0x2a4b7280 = __rax;
				 *0x2a4b7288 = __rax;
				goto 0x2a3f6765;
				r9d = 0;
				r8d = 0;
				CreateEventW(??, ??, ??, ??);
				 *0x2a4b7250 = __rax;
				if (__rax == 0) goto 0x2a3f6789;
				if (E00007FF67FF62A3F64FC(0, __rax) == 0) goto 0x2a3f6789;
				E00007FF67FF62A3F66AC(E00007FF67FF62A3F64FC(0, __rax), __rax);
				return 0;
			}

0x7ff62a3f66da
0x7ff62a3f66e7
0x7ff62a3f66f3
0x7ff62a3f66fc
0x7ff62a3f6708
0x7ff62a3f6714
0x7ff62a3f6727
0x7ff62a3f6730
0x7ff62a3f6735
0x7ff62a3f6737
0x7ff62a3f673e
0x7ff62a3f6745
0x7ff62a3f6747
0x7ff62a3f674a
0x7ff62a3f6753
0x7ff62a3f6759
0x7ff62a3f6763
0x7ff62a3f676e
0x7ff62a3f6777
0x7ff62a3f6788

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF62A3F66DA
GetModuleHandleW.KERNELBASE ref: 00007FF62A3F66E7
GetModuleHandleW.KERNEL32 ref: 00007FF62A3F66FC
GetProcAddress.KERNEL32 ref: 00007FF62A3F6714
GetProcAddress.KERNEL32 ref: 00007FF62A3F6727
CreateEventW.KERNEL32 ref: 00007FF62A3F6753
DeleteCriticalSection.KERNEL32 ref: 00007FF62A3F679F
CloseHandle.KERNEL32 ref: 00007FF62A3F67B1

Strings

kernel32.dll, xrefs: 00007FF62A3F66F5
SleepConditionVariableCS, xrefs: 00007FF62A3F670A
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF62A3F66E0
WakeAllConditionVariable, xrefs: 00007FF62A3F671A

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 3c0a4179882d312a10002faa4d7cf0e8f19c57dc9d112eb0d0cc45f5f940d466
Instruction ID: 226f00f9981d6debfcfe3b0712b17590537cefcb36ba59d6796dacad75810a58
Opcode Fuzzy Hash: 3c0a4179882d312a10002faa4d7cf0e8f19c57dc9d112eb0d0cc45f5f940d466
Instruction Fuzzy Hash: 59212F20E1AA47D1FF599B20FD9457833A1AF58740F4445B9DD0EC2AA1EFBCE469C302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A412180 Relevance: 13.8, APIs: 9, Instructions: 273
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62A411D64: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411DA5
Part of subcall function 00007FF62A411D64: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411E25
Part of subcall function 00007FF62A411D64: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411E79
Part of subcall function 00007FF62A411D64: _get_daylight.LIBCMT ref: 00007FF62A411ED1

CreateFileW.KERNELBASE ref: 00007FF62A412286
CreateFileW.KERNEL32 ref: 00007FF62A4122D6
GetLastError.KERNEL32 ref: 00007FF62A412306
GetFileType.KERNELBASE ref: 00007FF62A41231B
GetLastError.KERNEL32 ref: 00007FF62A412325
CloseHandle.KERNEL32 ref: 00007FF62A412358
CloseHandle.KERNEL32 ref: 00007FF62A4124B3
CreateFileW.KERNEL32 ref: 00007FF62A4124E8
GetLastError.KERNEL32 ref: 00007FF62A4124F7

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 1ec794c6caa5a56ca22219668622e1969aba9d1c7c6d232f74062584279e366c
Instruction ID: e97d4317adf02960fe3bb8b480d31d5af93647a9dda3195951fe915eef2b7e40
Opcode Fuzzy Hash: 1ec794c6caa5a56ca22219668622e1969aba9d1c7c6d232f74062584279e366c
Instruction Fuzzy Hash: 46C19A32B24A4686EF10CF68C8902BC7761FB59B98B100279DE2ED7798DF78E021C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A408E50 Relevance: 7.7, APIs: 5, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A408E91
GetConsoleMode.KERNEL32 ref: 00007FF62A408F50
GetLastError.KERNEL32 ref: 00007FF62A408FD0

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 2c0159935363e0c6623ccffb36355c0f1d2abf12ab2c81bc3d61a2736295bbba
Instruction ID: a20f4670f14b1b0de3ea916ce1ac48ad36044e78d0e228bb79f27214155e6d97
Opcode Fuzzy Hash: 2c0159935363e0c6623ccffb36355c0f1d2abf12ab2c81bc3d61a2736295bbba
Instruction Fuzzy Hash: 1A81BE22E1861285FF689B748D802BD76A1BF64B84F4401B6DE0ED3796DFBCE445E312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F6930 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF62A3F693F

Part of subcall function 00007FF62A3F64B0: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF62A3F64D2

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF62A3F6954
__scrt_release_startup_lock.LIBCMT ref: 00007FF62A3F69C2
__scrt_get_show_window_mode.LIBCMT ref: 00007FF62A3F6A15

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: ef2ccd5201982756bac760afed489aa714dfc5164bd047c73faf5d1f3ea967c5
Instruction ID: e7b9f7c6d7a9ef288e284e0616f2cd77dba3ba46827b752154c28188244fd3b6
Opcode Fuzzy Hash: ef2ccd5201982756bac760afed489aa714dfc5164bd047c73faf5d1f3ea967c5
Instruction Fuzzy Hash: EA313D61E2928385FF28AB649D913B91291AF51784F4444BDE94DCB2D3DFECE8049343

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3B3B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62A3FCEF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FCF1D

Part of subcall function 00007FF62A3FCF58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FCF80

CreateFileA.KERNELBASE ref: 00007FF62A3B3BCC
MessageBoxA.USER32 ref: 00007FF62A3B3C14

Strings

error, xrefs: 00007FF62A3B3C03

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CreateFileMessage
String ID: error
API String ID: 1011835292-1574812785
Opcode ID: e57e0228bae49d9b9c69dc3c426df4c283c62fa0f2a936f8eb02681a48b03481
Instruction ID: 137a13948e7758f9d2b2df2ac96f9c9186d9ef8885afe3cf3a9f37625211afae
Opcode Fuzzy Hash: e57e0228bae49d9b9c69dc3c426df4c283c62fa0f2a936f8eb02681a48b03481
Instruction Fuzzy Hash: BA118B71A08A8282EF108B11EC443AA6361FB88780F9049B5DE4CD7B99DFBDD549C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3B3A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62A3FCEF8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FCF1D

Part of subcall function 00007FF62A3FCF58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FCF80

CreateFileA.KERNELBASE ref: 00007FF62A3B3AFC
MessageBoxA.USER32 ref: 00007FF62A3B3B44

Strings

error, xrefs: 00007FF62A3B3B33

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CreateFileMessage
String ID: error
API String ID: 1011835292-1574812785
Opcode ID: 323f20145ed762962f373e3328f59e3f06667911fc6fb34285090196f6630c77
Instruction ID: 2bbbdf7eeaa2c41600fe4c666afc2da40a800768bd602ac92c7cbefbb1b7d0db
Opcode Fuzzy Hash: 323f20145ed762962f373e3328f59e3f06667911fc6fb34285090196f6630c77
Instruction Fuzzy Hash: B4118B71B08A8282EF10CB11E8443AA6361FB99780F9449B5DE4CD7B89DFBDD509C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3B36B0 Relevance: 4.6, APIs: 3, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE ref: 00007FF62A3B37D0
GetLastError.KERNEL32 ref: 00007FF62A3B3818
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A3B384D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CreateDirectoryErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1363081247-0
Opcode ID: 74c1e074a4f534358484545de6773e6bf928b1d31ab6858ed1638abeaa59dbef
Instruction ID: 949d646ba5aed02ea565b7f5733baa50e6e09d99f8347cb9b7e9897222ca5014
Opcode Fuzzy Hash: 74c1e074a4f534358484545de6773e6bf928b1d31ab6858ed1638abeaa59dbef
Instruction Fuzzy Hash: 1F41D4A6E18F8581EF10CB65D8952BE6362FB84BC0F504A72EE4DC7A99DFBCD0448341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F5888 Relevance: 4.6, APIs: 3, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62A3F58A5
std::locale::_Setgloballocale.LIBCPMT ref: 00007FF62A3F58C8
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62A3F595D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_Setgloballocalestd::locale::_
String ID:
API String ID: 2016263034-0
Opcode ID: ef8fe9146ca14f22f59af206ae272b17371f41c0f837a45c8350363b9dfb276c
Instruction ID: 5a8b88b50e59aecb81105bbeeafbd7c9cdb5bd7f272c7cec14945ca907d08070
Opcode Fuzzy Hash: ef8fe9146ca14f22f59af206ae272b17371f41c0f837a45c8350363b9dfb276c
Instruction Fuzzy Hash: C4218E22A19A4685EF249F22DC9027967A0EF44F94F5841B9CE0DC33A5CFBCE451C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40E150 Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF62A4049E7), ref: 00007FF62A40E169
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF62A4049E7), ref: 00007FF62A40E22D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: a2f951431a6640b15e76040717af8b28e3513de93e48dbdf4895488bac4734c4
Instruction ID: 5a288ef0a35607131f2b108363e0bf9db4720679a58ca30fff7c514c460cdf69
Opcode Fuzzy Hash: a2f951431a6640b15e76040717af8b28e3513de93e48dbdf4895488bac4734c4
Instruction Fuzzy Hash: 9721B931F1875185EF288F11684102976A4FFA8BD0B4842B8DE8DA7BD9DF7CE4629701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F684C Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00007FF62A3F6863
_RTC_Initialize.LIBCMT ref: 00007FF62A3F6884

Part of subcall function 00007FF62A40483C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A40486E

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: 5a49cdc73d11755e6532bcf4c9cfea960e06602780bcc4135ab124cf8d894c67
Instruction ID: aca0fea221619f6123f8c8110ea93c95d9e3f3e22097354a9aa25f109cb44d1a
Opcode Fuzzy Hash: 5a49cdc73d11755e6532bcf4c9cfea960e06602780bcc4135ab124cf8d894c67
Instruction Fuzzy Hash: 22119B45E2828782FF5877B15D962BA52958FA4340F4014FCEA0ECA2C3EEEDB9415623

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A408130 Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF62A4123F6), ref: 00007FF62A408196
GetLastError.KERNEL32(?,?,?,00007FF62A4123F6), ref: 00007FF62A4081A0

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: b6c3ad1864da4fc903e4ee8714b9a5b710aa1d92daed93d14babf9df6703bea7
Instruction ID: 74032565178b0ecd42d7e72d03509b496e66be2740522b7e70c80b4b5f79bbdd
Opcode Fuzzy Hash: b6c3ad1864da4fc903e4ee8714b9a5b710aa1d92daed93d14babf9df6703bea7
Instruction Fuzzy Hash: 9911B911F1864241FF9857649D923BD22925F747A4F1406B9DA2DCB3C2CEECE454A343

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A407430 Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlReleasePrivilege.NTDLL(?,?,0B33A42583480000,00007FF62A40F428,?,?,?,00007FF62A40F7AB,?,?,0000E5C70E37496B,00007FF62A40FCF0,?,?,00007FF62A404FEA,00007FF62A40FC23), ref: 00007FF62A407446
GetLastError.KERNEL32(?,?,0B33A42583480000,00007FF62A40F428,?,?,?,00007FF62A40F7AB,?,?,0000E5C70E37496B,00007FF62A40FCF0,?,?,00007FF62A404FEA,00007FF62A40FC23), ref: 00007FF62A407458

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease
String ID:
API String ID: 1334314998-0
Opcode ID: 37d4fc302b688b4f9abb6a4751a7692922be9ede30c41b9f780b1f9b95c665d1
Instruction ID: cd875ec2a8ecf3ab2bdfa37c9dc4e123fee22dd7565de6e446359d9190c8a51a
Opcode Fuzzy Hash: 37d4fc302b688b4f9abb6a4751a7692922be9ede30c41b9f780b1f9b95c665d1
Instruction Fuzzy Hash: F1E0C211F19A0382FF196BF2AC841B926916FA8B41F0440B4CC0DC7392EEACE4504743

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FE314 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FE356

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2493e3b16022e6c71619bac0b296dd5b915e8ecbf206b7583dc74a39c13b7c68
Instruction ID: 97d7c85b6f49c572f21798bd9f4933ff34dd14b158640dc6898fbe7caa8e7793
Opcode Fuzzy Hash: 2493e3b16022e6c71619bac0b296dd5b915e8ecbf206b7583dc74a39c13b7c68
Instruction Fuzzy Hash: F341F561B282418AEF68DD265D8523972D1AF44FE0F28427CED6DC77D5CEBCE8414B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A408D64 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7714d0573e63f25507b2be8489397c71a0c19a763208cba6fd3206eff11542
Instruction ID: c3121e2413b549951ad04b62c6223bd1cf6122803dfe34e7317ba788767bcc83
Opcode Fuzzy Hash: 1e7714d0573e63f25507b2be8489397c71a0c19a763208cba6fd3206eff11542
Instruction Fuzzy Hash: 1121AC32E5824242EF956F119D8137D3650AFA0BA1F5445B9ED1DC73D3CEBCE8418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A411A0C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411A2F

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 63989578f4481a657dfebc99918e79b9b86268c6d850b5c01b735cfb9afc51c3
Instruction ID: b2fbd75db06c60cfb22d670add67e30942bff289a4f6176a5d7336fafb0b5068
Opcode Fuzzy Hash: 63989578f4481a657dfebc99918e79b9b86268c6d850b5c01b735cfb9afc51c3
Instruction Fuzzy Hash: 6A21A432A1868187DF618F18D8403797BA0FB84B94F644238EA5DC76D9DFBCD4158B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FE074 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FE09C

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 81d6a40524d096a1626041ed73ad73b7a7d85405b898a5e3dcaee59ef9f1c0d6
Instruction ID: a02676aa32e2f8046d88b1f278d4c95b421b9404bee3c2f4c63c397e0768f5c5
Opcode Fuzzy Hash: 81d6a40524d096a1626041ed73ad73b7a7d85405b898a5e3dcaee59ef9f1c0d6
Instruction Fuzzy Hash: 0D118921A2C68685FF619F12DC5037DA6E0AF55B84F6440B5EE8CC7786DFACD4408B53

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40808C Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4565368ae485d7ef13361c82a3cf8d407a1a8a5e839cace3bd1673ee8c5215ba
Instruction ID: f8977042b85869a2e01943e4038fab4555258001ff08cc25589ccf64faa93aa6
Opcode Fuzzy Hash: 4565368ae485d7ef13361c82a3cf8d407a1a8a5e839cace3bd1673ee8c5215ba
Instruction Fuzzy Hash: 1511587291864686EF199B54DD802BC7760EFA0791F904276E64D862AACFFCE144CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FE188 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FE1A5

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3b92a5f1f2e0aa284cb794e6fd54520bbf5e79f590d6cbac3a701ccc2d8f961
Instruction ID: 780f6f4d4af2b12e09fc15d7ebc07faf6da3f3a55f0ee66c30c141e6d146709e
Opcode Fuzzy Hash: c3b92a5f1f2e0aa284cb794e6fd54520bbf5e79f590d6cbac3a701ccc2d8f961
Instruction Fuzzy Hash: C701A731E2854241FF28AA769D9137921A05F65764F3407B4ED2DC72D3DEACE8419783

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FE4C0 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FE4F5

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5b575e67002d2dedee6967ee5440534dd775457cc11eeebf968f3320105c5400
Instruction ID: 6b8a3f8130572faef67e5bedc2846e8de3a2f55b0a42e137a61b77e34604cc79
Opcode Fuzzy Hash: 5b575e67002d2dedee6967ee5440534dd775457cc11eeebf968f3320105c5400
Instruction Fuzzy Hash: 27013972A20B1A98EF00DFA0E8814EC37F8FB24748B500169EE4C93758EF74D2A5C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40B084 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF62A407361,?,?,0000E5C70E37496B,00007FF62A3FCEE1,?,?,?,?,00007FF62A40B132,?,?,00000000), ref: 00007FF62A40B0D9

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 59adfd6addcb3c78acf6b710494132aa3448c3ac84dbe37c1f7944313cad5359
Instruction ID: 45e3d416133638935c95a9a46cf18e5a22f50a5381d3c715b65f9bf4cf0054fa
Opcode Fuzzy Hash: 59adfd6addcb3c78acf6b710494132aa3448c3ac84dbe37c1f7944313cad5359
Instruction Fuzzy Hash: CBF06D44B0960745FF5C5762AD903B912905FB8B80F4C84B4CE2EC63C1FFADE482A31A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FE20C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FE22E

Part of subcall function 00007FF62A3FE188: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FE1A5

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bda713a2d4e3bb9f3d3c9588b0f0069bab27d1bdc244728914fd3543b377c4c9
Instruction ID: 01e19c0a06acdc954631d02c67fe1af29c96f598893829d6f899d123636598f4
Opcode Fuzzy Hash: bda713a2d4e3bb9f3d3c9588b0f0069bab27d1bdc244728914fd3543b377c4c9
Instruction Fuzzy Hash: F0F0B421A5C64295FF14B764BD8117D22905F51354F2401B4FD5DC62C3DEACE4015B53

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A407470 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF62A40B119,?,?,00000000,00007FF62A40E2B3,?,?,?,00007FF62A404D23,?,?,?,00007FF62A404C19), ref: 00007FF62A4074AE

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa583f48bcd9da3eb2c85f5f7ad190b6a3caafe8286a2039598b6ec46cf98300
Instruction ID: dcf51be66dd0991e90c2bc13b39cb2e6ccf24f50a75d6524e11a6096c27f7aac
Opcode Fuzzy Hash: fa583f48bcd9da3eb2c85f5f7ad190b6a3caafe8286a2039598b6ec46cf98300
Instruction Fuzzy Hash: BFF08241F19A0685FF586B615C40A7915905FA87A0F2807B4DC2EC63C1DDECE840A723

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FE130 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FE154

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7cd1be37ee043298a6be58b6f7db199c370753a47522793cb02e85c40be44c5b
Instruction ID: e60221b51d85d94229ca7fdf21e66e4aef4f4ba0e3a2038b61a5ea929dccfc18
Opcode Fuzzy Hash: 7cd1be37ee043298a6be58b6f7db199c370753a47522793cb02e85c40be44c5b
Instruction Fuzzy Hash: 03F08232B6970285EF64AF67D9D197861906F18BC0F504078EE4DC3386DE6CA4544B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F6024 Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(?,?,?,?,00007FF62A3F5AD5,?,?,00000000,00007FF62A3F58CD,?,?,00000000,00007FF62A3C789D), ref: 00007FF62A3F6032

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: d841d635b4541f26f61ace2fa429ef51cea82accc7e9989e18c2cf73379f1839
Instruction ID: 5621926866249ba15acd95b5e8bdabb02b244c2cffd02f6c196bf07029b49db0
Opcode Fuzzy Hash: d841d635b4541f26f61ace2fa429ef51cea82accc7e9989e18c2cf73379f1839
Instruction Fuzzy Hash: 80E0E264D1DA07A5EF046B42BC8473826A0AF58708F500AF5D50DC26A58FBCF0AA8302

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF62A3F4C30 Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 42%

			E00007FF67FF62A3F4C30(void* __eax, void* __rcx, long long __rdi, long long __rsi, void* __r8, long long __r14, long long __r15) {
				void* __rbx;
				void* __rbp;
				void* _t132;
				signed int _t133;
				void* _t171;
				unsigned int _t197;
				signed long long _t229;
				intOrPtr _t232;
				long long _t240;
				intOrPtr _t244;
				void* _t247;
				intOrPtr* _t256;
				intOrPtr _t274;
				intOrPtr _t291;
				void* _t301;
				void* _t302;
				signed long long _t303;
				void* _t316;
				void* _t317;
				signed int _t318;

				_t296 = __rdi;
				_t317 = _t302;
				_t301 = _t317 - 0x278;
				_t303 = _t302 - 0x360;
				_t229 =  *0x2a4b30d8; // 0xe5c70e37496b
				 *(_t301 + 0x240) = _t229 ^ _t303;
				 *((long long*)(_t317 + 0x10)) = __rsi;
				 *((long long*)(_t317 + 0x18)) = __rdi;
				r12d = 0;
				 *((long long*)(_t317 - 0x20)) = __r14;
				_t247 = __rcx;
				 *((long long*)(_t317 - 0x28)) = __r15;
				r8d = r12d;
				if ( *0x7FF62A4B472C == r12d) goto 0x2a3f4c96;
				if ( *0x2a4b4834 !=  *((intOrPtr*)(__rcx + 4))) goto 0x2a3f4c96;
				_t232 =  *0x7FF62A4B483C;
				if (_t232 ==  *((intOrPtr*)(__rcx + 0xc))) goto 0x2a3f5102;
				if (__r8 + 0x120 - 0x10e0 <= 0) goto 0x2a3f4c76;
				r8d = 0x10;
				 *(_t303 + 0x78) = r12d;
				r15d = r12d;
				__imp__GetRawInputDeviceList();
				if (__eax != 0) goto 0x2a3f4df0;
				0x2a3ffad0();
				r8d = 0x10;
				__imp__GetRawInputDeviceList();
				if (__eax != 0xffffffff) goto 0x2a3f4d05;
				_t132 = E00007FF67FF62A3FCFD0(_t232, __r8 + 0x120);
				goto 0x2a3f4df0;
				if ( *(_t303 + 0x78) == 0) goto 0x2a3f4ddf;
				_t299 = __rsi + __rsi;
				if ( *((intOrPtr*)(_t232 + 8 + (__rsi + __rsi) * 8)) != 2) goto 0x2a3f4dcd;
				asm("xorps xmm0, xmm0");
				 *(_t303 + 0x7c) = 0x20;
				asm("movups [ebp-0x58], xmm0");
				 *(_t301 - 0x58) = 0x20;
				asm("movups [ebp-0x48], xmm0");
				__imp__GetRawInputDeviceInfoA();
				if (_t132 == 0xffffffff) goto 0x2a3f4dc9;
				_t133 =  *(_t301 - 0x50) & 0x0000ffff;
				if ((( *(_t301 - 0x4c) & 0x0000ffff) << 0x00000010 | _t133) !=  *((intOrPtr*)(__rcx + 0x14))) goto 0x2a3f4dc9;
				r8d = 0x100;
				E00007FF67FF62A3F8BD0();
				 *(_t303 + 0x7c) = 0x100;
				__imp__GetRawInputDeviceInfoA();
				if (_t133 == 0xffffffff) goto 0x2a3f4ddf;
				 *((intOrPtr*)(_t301 + 0x23f)) = r12b;
				E00007FF67FF62A3F8F58(_t133, __rcx, _t301 + 0x140, "IG_", __rdi, __rsi + __rsi, _t316, _t317);
				if (_t232 != 0) goto 0x2a3f4dd9;
				if (r12d + 1 -  *(_t303 + 0x78) < 0) goto 0x2a3f4d14;
				goto 0x2a3f4ddf;
				r15d = 1;
				E00007FF67FF62A3FCFD0(_t232, _t301 + 0x140);
				if (r15d != 0) goto 0x2a3f5102;
				_t256 =  *0x2a4b67c0; // 0x2a4357af7e8
				_t323 = __rcx + 4;
				r9d = 0;
				if ( *((intOrPtr*)( *_t256 + 0x18))() >= 0) goto 0x2a3f4e26;
				E00007FF67FF62A3EE2E0(0x10008, "Win32: Failed to create device", _t296, _t299, _t303 + 0x70, _t303 + 0x7c);
				goto 0x2a3f5102;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x58))() >= 0) goto 0x2a3f4e5d;
				E00007FF67FF62A3EE2E0(0x10008, "Win32: Failed to set device data format", _t296, _t299, _t303 + 0x70, _t303 + 0x7c);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x10))();
				goto 0x2a3f5102;
				asm("xorps xmm0, xmm0");
				 *(_t301 - 0x14) = _t318;
				asm("xorps xmm1, xmm1");
				 *((intOrPtr*)(_t301 - 0x38)) = 0x2c;
				asm("movdqu [ebp-0x34], xmm0");
				asm("movdqu [ebp-0x24], xmm1");
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x18))() >= 0) goto 0x2a3f4eac;
				E00007FF67FF62A3EE2E0(0x10008, "Win32: Failed to query device capabilities", _t296, _t299, _t303 + 0x70, _t303 + 0x7c);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x10))();
				goto 0x2a3f5102;
				 *((long long*)(_t301 - 4)) = 0x10;
				 *((intOrPtr*)(_t301 - 8)) = 0x14;
				 *(_t301 + 4) = _t318;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x30))() >= 0) goto 0x2a3f4ef8;
				E00007FF67FF62A3EE2E0(0x10008, "Win32: Failed to set device axis mode", _t296, _t299, _t301 - 8, _t303 + 0x7c);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x10))();
				goto 0x2a3f5102;
				_t240 =  *((intOrPtr*)(_t303 + 0x70));
				asm("xorps xmm0, xmm0");
				 *((long long*)(_t301 - 0x80)) = _t240;
				 *(_t301 - 0x60) = _t318;
				asm("movdqu [ebp-0x70], xmm0");
				0x2a3ffad0();
				 *((long long*)(_t301 - 0x78)) = _t240;
				r9d = 0x1f;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x20))() >= 0) goto 0x2a3f4f74;
				E00007FF67FF62A3EE2E0(0x10008, "Win32: Failed to enumerate device objects", _t296, _t299, _t301 - 0x80, _t303 + 0x7c);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))) + 0x10))();
				E00007FF67FF62A3FCFD0( *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70)))), _t301 - 0x80);
				goto 0x2a3f5102;
				_t291 =  *((intOrPtr*)(_t301 - 0x70));
				r8d = 8;
				E00007FF67FF62A400560(_t247,  *((intOrPtr*)(_t301 - 0x78)), _t291, _t296, _t299, _t301, _t301 - 0x80, 0x7ff62a3f4c10, _t323);
				 *(_t303 + 0x38) = _t318;
				 *(_t303 + 0x30) = _t318;
				 *(_t303 + 0x28) = 0x100;
				 *(_t303 + 0x20) = _t301 + 0x40;
				_t82 = _t291 - 1; // -1
				r9d = _t82;
				if (WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0x2a3f4fee;
				E00007FF67FF62A3EE2E0(0x10008, "Win32: Failed to convert joystick name to UTF-8", _t296, _t299, _t247 + 0x28, 0x7ff62a3f4c10);
				_t244 =  *((intOrPtr*)( *((intOrPtr*)(_t303 + 0x70))));
				 *((intOrPtr*)(_t244 + 0x10))();
				E00007FF67FF62A3FCFD0(_t244, _t247 + 0x28);
				goto 0x2a3f5107;
				if ( *((intOrPtr*)(_t247 + 0x1e)) != 0x56444950) goto 0x2a3f5039;
				if ( *((short*)(_t247 + 0x22)) != 0x4449) goto 0x2a3f5039;
				_t197 =  *(_t247 + 0x14);
				r10d = _t197;
				r10d = r10d >> 0x18;
				 *(_t303 + 0x28) = r10d;
				r8d = _t197 & 0x000000ff;
				 *(_t303 + 0x20) = _t197 >> 0x00000010 & 0x000000ff;
				r9d = _t197 >> 0x00000008 & 0x000000ff;
				E00007FF67FF62A3F5360(_t171, _t244, _t301 + 0x10, "03000000%02x%02x0000%02x%02x000000000000", _t247 + 0x28, 0x7ff62a3f4c10);
				goto 0x2a3f50a1;
				r10d =  *((char*)(_t301 + 0x47));
				r11d =  *((char*)(_t301 + 0x46));
				r14d =  *((char*)(_t301 + 0x42));
				r9d =  *((char*)(_t301 + 0x41));
				r8d =  *((char*)(_t301 + 0x40));
				 *((intOrPtr*)(_t303 + 0x60)) =  *((char*)(_t301 + 0x4a));
				 *((intOrPtr*)(_t303 + 0x58)) =  *((char*)(_t301 + 0x49));
				 *((intOrPtr*)(_t303 + 0x50)) =  *((char*)(_t301 + 0x48));
				 *(_t303 + 0x48) = r10d;
				 *((intOrPtr*)(_t303 + 0x40)) = r11d;
				 *(_t303 + 0x38) =  *((char*)(_t301 + 0x45));
				 *(_t303 + 0x30) =  *((char*)(_t301 + 0x44));
				 *(_t303 + 0x28) =  *((char*)(_t301 + 0x43));
				 *(_t303 + 0x20) = r14d;
				E00007FF67FF62A3F5360( *((char*)(_t301 + 0x45)), _t244, _t301 + 0x10, "05000000%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x00", _t247 + 0x28, 0x7ff62a3f4c10);
				r8d =  *(_t301 - 0x68);
				r8d = r8d +  *((intOrPtr*)(_t301 - 0x6c));
				r9d =  *(_t301 - 0x64);
				 *(_t303 + 0x20) =  *(_t301 - 0x60);
				E00007FF67FF62A3EEB80(_t301 + 0x40, _t301 + 0x10);
				_t274 = _t244;
				if (_t244 == 0) goto 0x2a3f4fd3;
				 *((long long*)(_t274 + 0x100)) =  *((intOrPtr*)(_t303 + 0x70));
				asm("inc ecx");
				asm("movups [ecx+0x10c], xmm0");
				 *((long long*)(_t274 + 0xf0)) =  *((intOrPtr*)(_t301 - 0x78));
				 *((intOrPtr*)(_t274 + 0xf8)) =  *((intOrPtr*)(_t301 - 0x70));
				E00007FF67FF62A3EEF80();
				return E00007FF67FF62A3F6B50(1,  *((char*)(_t301 + 0x49)),  *(_t301 + 0x240) ^ _t303);
			}

0x7ff62a3f4c30
0x7ff62a3f4c30
0x7ff62a3f4c37
0x7ff62a3f4c3e
0x7ff62a3f4c45
0x7ff62a3f4c4f
0x7ff62a3f4c56
0x7ff62a3f4c61
0x7ff62a3f4c65
0x7ff62a3f4c68
0x7ff62a3f4c6c
0x7ff62a3f4c6f
0x7ff62a3f4c73
0x7ff62a3f4c7d
0x7ff62a3f4c86
0x7ff62a3f4c88
0x7ff62a3f4c90
0x7ff62a3f4cab
0x7ff62a3f4cad
0x7ff62a3f4cb3
0x7ff62a3f4cbf
0x7ff62a3f4cc2
0x7ff62a3f4cca
0x7ff62a3f4cd7
0x7ff62a3f4cdc
0x7ff62a3f4ced
0x7ff62a3f4cf6
0x7ff62a3f4cfb
0x7ff62a3f4d00
0x7ff62a3f4d0e
0x7ff62a3f4d16
0x7ff62a3f4d1f
0x7ff62a3f4d2e
0x7ff62a3f4d31
0x7ff62a3f4d39
0x7ff62a3f4d41
0x7ff62a3f4d4d
0x7ff62a3f4d51
0x7ff62a3f4d5a
0x7ff62a3f4d60
0x7ff62a3f4d6c
0x7ff62a3f4d77
0x7ff62a3f4d7d
0x7ff62a3f4d92
0x7ff62a3f4d9f
0x7ff62a3f4da8
0x7ff62a3f4db1
0x7ff62a3f4dbf
0x7ff62a3f4dc7
0x7ff62a3f4dd1
0x7ff62a3f4dd7
0x7ff62a3f4dd9
0x7ff62a3f4de2
0x7ff62a3f4dea
0x7ff62a3f4df0
0x7ff62a3f4df7
0x7ff62a3f4dfb
0x7ff62a3f4e0e
0x7ff62a3f4e1c
0x7ff62a3f4e21
0x7ff62a3f4e3a
0x7ff62a3f4e48
0x7ff62a3f4e55
0x7ff62a3f4e58
0x7ff62a3f4e66
0x7ff62a3f4e69
0x7ff62a3f4e6d
0x7ff62a3f4e70
0x7ff62a3f4e77
0x7ff62a3f4e7c
0x7ff62a3f4e89
0x7ff62a3f4e97
0x7ff62a3f4ea4
0x7ff62a3f4ea7
0x7ff62a3f4eb5
0x7ff62a3f4ec2
0x7ff62a3f4ec9
0x7ff62a3f4ed5
0x7ff62a3f4ee3
0x7ff62a3f4ef0
0x7ff62a3f4ef3
0x7ff62a3f4ef8
0x7ff62a3f4efd
0x7ff62a3f4f08
0x7ff62a3f4f12
0x7ff62a3f4f1c
0x7ff62a3f4f21
0x7ff62a3f4f2f
0x7ff62a3f4f3a
0x7ff62a3f4f48
0x7ff62a3f4f56
0x7ff62a3f4f63
0x7ff62a3f4f6a
0x7ff62a3f4f6f
0x7ff62a3f4f74
0x7ff62a3f4f83
0x7ff62a3f4f89
0x7ff62a3f4f8e
0x7ff62a3f4f99
0x7ff62a3f4fa2
0x7ff62a3f4faf
0x7ff62a3f4fb4
0x7ff62a3f4fb4
0x7ff62a3f4fc0
0x7ff62a3f4fce
0x7ff62a3f4fd8
0x7ff62a3f4fdb
0x7ff62a3f4fe2
0x7ff62a3f4fe9
0x7ff62a3f4ff5
0x7ff62a3f4ffd
0x7ff62a3f4fff
0x7ff62a3f5007
0x7ff62a3f500f
0x7ff62a3f5016
0x7ff62a3f501b
0x7ff62a3f5026
0x7ff62a3f502e
0x7ff62a3f5032
0x7ff62a3f5037
0x7ff62a3f5045
0x7ff62a3f504a
0x7ff62a3f505b
0x7ff62a3f5060
0x7ff62a3f5065
0x7ff62a3f506a
0x7ff62a3f506e
0x7ff62a3f5076
0x7ff62a3f5081
0x7ff62a3f5086
0x7ff62a3f508b
0x7ff62a3f508f
0x7ff62a3f5093
0x7ff62a3f5097
0x7ff62a3f509c
0x7ff62a3f50a1
0x7ff62a3f50b0
0x7ff62a3f50b4
0x7ff62a3f50b8
0x7ff62a3f50bc
0x7ff62a3f50c1
0x7ff62a3f50c7
0x7ff62a3f50d7
0x7ff62a3f50de
0x7ff62a3f50e2
0x7ff62a3f50ed
0x7ff62a3f50f7
0x7ff62a3f50fd
0x7ff62a3f5141

APIs

GetRawInputDeviceList.USER32 ref: 00007FF62A3F4CC2
GetRawInputDeviceList.USER32 ref: 00007FF62A3F4CED
GetRawInputDeviceInfoA.USER32 ref: 00007FF62A3F4D51
GetRawInputDeviceInfoA.USER32 ref: 00007FF62A3F4D9F

Strings

05000000%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x00, xrefs: 00007FF62A3F507A
Win32: Failed to enumerate device objects, xrefs: 00007FF62A3F4F4A
Win32: Failed to create device, xrefs: 00007FF62A3F4E10
, xrefs: 00007FF62A3F4D31
PIDV, xrefs: 00007FF62A3F4FEE
Win32: Failed to convert joystick name to UTF-8, xrefs: 00007FF62A3F4FC2
ID, xrefs: 00007FF62A3F4FF7
Win32: Failed to set device axis mode, xrefs: 00007FF62A3F4ED7
03000000%02x%02x0000%02x%02x000000000000, xrefs: 00007FF62A3F501F
Win32: Failed to set device data format, xrefs: 00007FF62A3F4E3C
IG_, xrefs: 00007FF62A3F4DAA
Win32: Failed to query device capabilities, xrefs: 00007FF62A3F4E8B

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: DeviceInput$InfoList
String ID: $03000000%02x%02x0000%02x%02x000000000000$05000000%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x00$ID$IG_$PIDV$Win32: Failed to convert joystick name to UTF-8$Win32: Failed to create device$Win32: Failed to enumerate device objects$Win32: Failed to query device capabilities$Win32: Failed to set device axis mode$Win32: Failed to set device data format
API String ID: 3907109775-326256626
Opcode ID: f6e73abe3da0aef0b08487b3daa8c0e649e9dbadc1c12b06a72de865ad50697a
Instruction ID: ec41bb2564588c718213e3765cbedcd39ddff6dff48d679b9034cb4857439935
Opcode Fuzzy Hash: f6e73abe3da0aef0b08487b3daa8c0e649e9dbadc1c12b06a72de865ad50697a
Instruction Fuzzy Hash: A1E18E72A18B8286EB10CF25D8802AD77A1FB84758F20417AEE4DC7B69DFBDD545CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A4136AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1208
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E00007FF67FF62A4136AC(void* __edx, signed int __rcx, long long __r8, signed int __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __r13;
				void* _t507;
				void* _t519;
				void* _t527;
				signed long long _t536;
				signed int _t557;
				intOrPtr _t562;
				signed long long _t588;
				signed int _t596;
				intOrPtr _t602;
				signed long long _t627;
				void* _t635;
				signed int _t659;
				intOrPtr _t663;
				signed int _t710;
				signed int _t718;
				intOrPtr _t720;
				signed int _t725;
				signed long long _t727;
				signed long long _t733;
				signed long long _t739;
				intOrPtr _t768;
				signed int _t793;
				signed int _t795;
				signed int _t798;
				signed int _t799;
				void* _t800;
				void* _t804;
				void* _t806;
				void* _t811;
				void* _t841;
				void* _t847;
				signed long long _t957;
				signed long long _t959;
				intOrPtr _t964;
				signed long long _t965;
				void* _t967;
				signed long long _t969;
				signed long long _t970;
				signed long long _t971;
				signed long long _t972;
				void* _t977;
				intOrPtr* _t978;
				signed long long _t989;
				long long _t1020;
				void* _t1036;
				signed long long _t1044;
				signed long long _t1045;
				long long _t1052;
				signed long long _t1056;
				long long _t1066;
				signed long long _t1070;
				signed long long _t1074;
				void* _t1075;
				signed long long _t1076;
				signed long long _t1081;
				signed long long _t1082;
				char* _t1083;
				void* _t1084;
				void* _t1088;
				void* _t1089;
				signed long long _t1090;
				signed long long _t1095;
				signed long long _t1097;
				signed long long _t1108;
				signed long long _t1109;
				signed long long _t1124;
				signed long long _t1125;
				signed long long _t1136;
				void* _t1138;
				long long _t1151;
				void* _t1152;

				_t1137 = __r9;
				_t1088 = _t1089 - 0x6d8;
				_t1090 = _t1089 - 0x7d8;
				_t957 =  *0x2a4b30d8; // 0xe5c70e37496b
				 *(_t1088 + 0x6c0) = _t957 ^ _t1090;
				 *(_t1090 + 0x38) = __rcx;
				 *((long long*)(_t1090 + 0x68)) = __r9;
				_t1151 = __r8;
				 *((long long*)(_t1090 + 0x78)) = __r8;
				E00007FF67FF62A415CC0(_t800, _t1090 + 0x58, _t1138);
				r12d = 0;
				if (( *(_t1090 + 0x58) & 0x0000001f) != 0x1f) goto 0x2a41370f;
				 *((intOrPtr*)(_t1090 + 0x60)) = r12b;
				goto 0x2a41371e;
				_t507 = E00007FF67FF62A415D2C(( *(_t1090 + 0x58) & 0x0000001f) - 0x1f, _t1090 + 0x58, _t1076, __r9);
				 *((char*)(_t1090 + 0x60)) = 1;
				_t959 =  *(_t1090 + 0x38);
				 *((long long*)(__r8 + 8)) = __r9;
				r9d = 0x7ff;
				_t13 = _t969 + 0xd; // 0x2d
				_t725 = _t13;
				_t667 =  <  ? _t725 : 0x20;
				 *((intOrPtr*)(__r8)) =  <  ? _t725 : 0x20;
				if (_t959 != 0) goto 0x2a41376b;
				if ((0xffffffff & _t959) != 0) goto 0x2a41376b;
				 *(__r8 + 4) = r12d;
				goto 0x2a4148aa;
				_t804 = (_t959 >> 0x00000034 & __r9) - __r9;
				if (_t804 == 0) goto 0x2a413775;
				goto 0x2a4137b6;
				if (_t804 != 0) goto 0x2a413784;
				goto 0x2a4137ae;
				if (_t959 >= 0) goto 0x2a41379f;
				_t806 = (_t959 & 0xffffffff) - 0;
				if (_t806 != 0) goto 0x2a41379f;
				goto 0x2a4137ae;
				 *(__r8 + 4) = 1;
				if (_t806 == 0) goto 0x2a4148bf;
				if (_t806 == 0) goto 0x2a4148a3;
				if (_t806 == 0) goto 0x2a41489a;
				if (0 == 1) goto 0x2a414891;
				 *(_t1090 + 0x38) = _t959 & 0xffffffff;
				_t768 = __edx + 1;
				asm("movsd xmm0, [esp+0x38]");
				 *((intOrPtr*)(_t1090 + 0x50)) = _t768;
				asm("movsd [esp+0x48], xmm0");
				_t1044 =  *((intOrPtr*)(_t1090 + 0x48));
				_t1095 = _t1044 >> 0x34;
				asm("dec eax");
				_t1045 = _t1044 & 0xffffffff;
				_t989 =  ~(_t1095 & __r9);
				asm("sbb eax, eax");
				r8d = r8d & r9d;
				r15d = __r9 + 0;
				r15d = r15d + r8d;
				0x2a415e40();
				E00007FF67FF62A415D7C(_t507, _t1095);
				asm("cvttsd2si ecx, xmm0");
				 *((intOrPtr*)(_t1088 - 0x7c)) = _t768;
				asm("inc ebp");
				r13d = r13d & 0;
				 *((intOrPtr*)(_t1088 - 0x78)) = _t768;
				 *(_t1090 + 0x40) = r13d;
				asm("sbb edx, edx");
				_t727 =  ~_t725 + 1;
				 *(_t1088 - 0x80) = _t727;
				if (r15d - 0x434 < 0) goto 0x2a413b0d;
				 *(_t1088 + 0x328) = 0x100000;
				 *((intOrPtr*)(_t1088 + 0x324)) = 0;
				 *(_t1088 + 0x320) = 2;
				if (_t768 == 0) goto 0x2a4139ea;
				r8d = r12d;
				if ( *((intOrPtr*)(_t1088 + 0x324 + _t989 * 4)) !=  *(_t1088 + _t989 * 4 - 0x7c)) goto 0x2a4139ea;
				r8d = r8d + 1;
				_t811 = r8d - 2;
				if (_t811 != 0) goto 0x2a4138ab;
				r11d = _t1152 - 0x432;
				 *(_t1090 + 0x38) = r12d;
				r8d = r11d;
				r11d = r11d & 0x0000001f;
				r8d = r8d >> 5;
				asm("bsr eax, [ebp+eax*4-0x7c]");
				r15d = 1;
				r15d =  !r15d;
				if (_t811 == 0) goto 0x2a413905;
				goto 0x2a413908;
				_t519 = _t1045 + _t1095;
				if (_t519 != 0x73) goto 0x2a41391a;
				if (r11d - 0x20 > 0) goto 0x2a41391d;
				r12d = r12d | 0xffffffff;
				if (_t519 - 0x73 > 0) goto 0x2a4139b6;
				if (r12b != 0) goto 0x2a4139b6;
				r14d = 0x72;
				r14d =  <  ? _t519 : r14d;
				r10d = r14d;
				if (r14d == r12d) goto 0x2a413996;
				if (r10d - r8d < 0) goto 0x2a413996;
				if (r10d - r8d - _t727 >= 0) goto 0x2a413960;
				r9d =  *(_t1088 + 0x3fffffffffff84);
				goto 0x2a413963;
				r9d = 0;
				if (0xfffffffffffff - _t727 >= 0) goto 0x2a41396d;
				goto 0x2a41396f;
				r9d = r9d & 0;
				r10d = r10d + r12d;
				r9d = r9d << r11d;
				 *(_t1088 + 0x3fffffffffff84) = (0 & r15d) >> 0x00000020 - r11d | r9d;
				if (r10d == r12d) goto 0x2a413996;
				_t733 =  *(_t1088 - 0x80);
				goto 0x2a413947;
				if (r8d == 0) goto 0x2a4139a9;
				 *(_t1088 + _t989 * 4 - 0x7c) =  *(_t1088 + _t989 * 4 - 0x7c) & 0x00000000;
				if (1 != r8d) goto 0x2a41399d;
				r14d =  >  ? __r8 + 1 : r14d;
				goto 0x2a4139b9;
				r14d = 0;
				 *(_t1088 + 0x328) =  *(_t1088 + 0x328) & 0x00000000;
				r15d = 1;
				 *(_t1088 + 0x150) = r15d;
				 *(_t1088 - 0x80) = r14d;
				 *(_t1088 + 0x320) = 1;
				 *(_t1088 + 0x154) = 4;
				goto 0x2a413d0c;
				r11d = _t1152 - 0x433;
				 *(_t1090 + 0x38) = r12d;
				r8d = r11d;
				r11d = r11d & 0x0000001f;
				r8d = r8d >> 5;
				_t1081 = (_t1076 & 0x00000000) + _t1045 >> 0x20 << 0x20 << 0x20;
				asm("bsr eax, [ebp+eax*4-0x7c]");
				r15d = 1;
				r15d =  !r15d;
				if (r11d == 0x20) goto 0x2a413a28;
				goto 0x2a413a2b;
				_t527 = _t1045 + _t1095;
				if (_t527 != 0x73) goto 0x2a413a3d;
				if (r11d - 0x20 > 0) goto 0x2a413a40;
				r12d = r12d | 0xffffffff;
				if (_t527 - 0x73 > 0) goto 0x2a413ad9;
				if (r12b != 0) goto 0x2a413ad9;
				r14d = 0x72;
				r14d =  <  ? _t527 : r14d;
				r10d = r14d;
				if (r14d == r12d) goto 0x2a413ab9;
				if (r10d - r8d < 0) goto 0x2a413ab9;
				if (r10d - r8d - _t733 >= 0) goto 0x2a413a83;
				r9d =  *(_t1088 + 0x3fffffffffff84);
				goto 0x2a413a86;
				r9d = 0;
				if (0xfffffffffffff - _t733 >= 0) goto 0x2a413a90;
				goto 0x2a413a92;
				r9d = r9d & 0x00000001;
				r10d = r10d + r12d;
				r9d = r9d << r11d;
				 *(_t1088 + 0x3fffffffffff84) = (0 & r15d) >> 0x00000020 | r9d;
				if (r10d == r12d) goto 0x2a413ab9;
				_t739 =  *(_t1088 - 0x80);
				goto 0x2a413a6a;
				if (r8d == 0) goto 0x2a413acc;
				 *(_t1088 + _t989 * 4 - 0x7c) =  *(_t1088 + _t989 * 4 - 0x7c) & 0x00000000;
				if (1 != r8d) goto 0x2a413ac0;
				r14d =  >  ? __r8 + 1 : r14d;
				goto 0x2a413adc;
				r14d = 0;
				 *(_t1088 + 0x328) =  *(_t1088 + 0x328) & 0x00000000;
				r15d = 1;
				 *(_t1088 + 0x150) = r15d;
				 *(_t1088 - 0x80) = r14d;
				 *(_t1088 + 0x320) = 1;
				 *(_t1088 + 0x154) = 2;
				goto 0x2a413d0c;
				if (r15d == 0x36) goto 0x2a413c40;
				 *(_t1088 + 0x328) = 0x100000;
				 *((intOrPtr*)(_t1088 + 0x324)) = 0;
				 *(_t1088 + 0x320) = 0x20;
				if (0 == 0) goto 0x2a413c40;
				r8d = r12d;
				if ( *((intOrPtr*)(_t1088 + 0x324 + _t989 * 4)) !=  *(_t1088 + _t989 * 4 - 0x7c)) goto 0x2a413c40;
				r8d = r8d + 1;
				_t841 = r8d - 0x20;
				if (_t841 != 0) goto 0x2a413b3a;
				asm("bsr eax, edi");
				 *(_t1090 + 0x38) = r12d;
				if (_t841 == 0) goto 0x2a413b64;
				goto 0x2a413b67;
				r14d = _t739;
				r12d = r12d | 0xffffffff;
				_t536 = _t739;
				r10d = _t536;
				r8d = 0xfffffffffffff;
				if (_t536 - _t739 >= 0) goto 0x2a413b84;
				r9d =  *(_t1088 + 0x3fffffffffff80);
				goto 0x2a413b87;
				r9d = 0;
				if (r8d - _t739 >= 0) goto 0x2a413b93;
				goto 0x2a413b95;
				 *(_t1088 + 0x3fffffffffff80) = 0 >> 0x0000001e | r9d << 0x00000002;
				if (r8d == r12d) goto 0x2a413bb2;
				goto 0x2a413b72;
				r14d =  <  ? __r8 + 1 : r14d;
				 *(_t1088 - 0x80) = r14d;
				_t970 = _t969 << 2;
				E00007FF67FF62A3F8BD0();
				 *(_t1088 + _t970 + 0x324) = 1 << sil;
				_t118 = _t1081 + 1; // 0x437
				r15d = _t118;
				r8d = r15d;
				_t1097 = _t970 << 2;
				 *(_t1088 + 0x320) = r15d;
				 *(_t1088 + 0x150) = r15d;
				if (_t1097 == 0) goto 0x2a413d0c;
				_t847 = _t1097 - _t970;
				if (_t847 > 0) goto 0x2a413ceb;
				E00007FF67FF62A3F8520();
				goto 0x2a413d05;
				 *(_t1090 + 0x38) = r12d;
				asm("bsr eax, [ebp+eax*4-0x7c]");
				if (_t847 == 0) goto 0x2a413c53;
				goto 0x2a413c56;
				r14d = 0;
				r12d = r12d | 0xffffffff;
				r10d = 0;
				r8d = 0xfffffffffffff;
				if (0 >= 0) goto 0x2a413c73;
				r9d =  *(_t1088 + 0x3fffffffffff80);
				goto 0x2a413c76;
				r9d = 0;
				if (r8d >= 0) goto 0x2a413c82;
				goto 0x2a413c84;
				 *(_t1088 + 0x3fffffffffff80) = 0 >> 0x0000001f | __r9 + __r9;
				if (r8d == r12d) goto 0x2a413c9f;
				goto 0x2a413c61;
				r14d =  <  ? __r8 + 1 : r14d;
				 *(_t1088 - 0x80) = r14d;
				_t971 = _t970 << 2;
				E00007FF67FF62A3F8BD0();
				 *(_t1088 + _t971 + 0x324) = 1 << sil;
				goto 0x2a413bf8;
				E00007FF67FF62A3F8BD0();
				E00007FF67FF62A3FCED8(0);
				 *0 = 0x22;
				E00007FF67FF62A3FCD88();
				r15d =  *(_t1088 + 0x150);
				if (r13d < 0) goto 0x2a41420a;
				_t557 = 0xcccccccd * r13d >> 0x20 >> 3;
				 *(_t1090 + 0x38) = _t557;
				r12d = _t557;
				 *(_t1090 + 0x30) = _t557;
				if (_t557 == 0) goto 0x2a41410d;
				r13d = r12d;
				r13d =  >  ? 0x26 : r13d;
				 *(_t1090 + 0x44) = r13d;
				_t972 = _t971 << 2;
				 *(_t1088 + 0x320) = __r9 + _t1088 + 0x324;
				E00007FF67FF62A3F8BD0();
				_t1086 = __r9 << 2;
				E00007FF67FF62A3F8520();
				r10d =  *(_t1088 + 0x320);
				if (r10d - 1 > 0) goto 0x2a413e69;
				_t562 =  *((intOrPtr*)(_t1088 + 0x324));
				if (_t562 != 0) goto 0x2a413de0;
				r15d = 0;
				 *(_t1088 + 0x150) = r15d;
				goto 0x2a4140e0;
				if (_t562 == 1) goto 0x2a4140e0;
				if (r15d == 0) goto 0x2a4140e0;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x2a413dfb;
				if (r8d == 0) goto 0x2a413e5d;
				if ( *(_t1088 + 0x150) - 0x73 >= 0) goto 0x2a413e4c;
				 *(_t1088 + 0x40000000000154) = r8d;
				r15d =  *(_t1088 + 0x150);
				r15d = r15d + 1;
				goto 0x2a413dd4;
				r15d = 0;
				 *(_t1088 + 0x150) = r15d;
				goto 0x2a4140e2;
				r15d =  *(_t1088 + 0x150);
				goto 0x2a4140e0;
				if (r15d - 1 > 0) goto 0x2a413f20;
				_t659 =  *(_t1088 + 0x154);
				r15d = r10d;
				 *(_t1088 + 0x150) = r10d;
				if (0 << 2 == 0) goto 0x2a413ecf;
				if (0 << 2 - 0 > 0) goto 0x2a413eae;
				E00007FF67FF62A3F8520();
				goto 0x2a413ec8;
				E00007FF67FF62A3F8BD0();
				E00007FF67FF62A3FCED8(0);
				 *0 = 0x22;
				E00007FF67FF62A3FCD88();
				r15d =  *(_t1088 + 0x150);
				if (_t659 == 0) goto 0x2a413dd1;
				if (_t659 == 1) goto 0x2a4140e0;
				if (r15d == 0) goto 0x2a4140e0;
				r8d = 0;
				r9d = 0;
				_t1108 = (_t1088 + 0x154) * _t972 + 0 >> 0x20;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x2a413ef2;
				goto 0x2a413e24;
				r12d = r15d;
				_t1150 =  >=  ? _t1088 + 0x154 : _t1088 + 0x324;
				r12d =  <  ? r10d : r12d;
				_t1052 =  >=  ? _t1088 + 0x324 : _t1088 + 0x154;
				 *((long long*)(_t1090 + 0x48)) = _t1052;
				r10d =  !=  ? r15d : r10d;
				r15d = 0;
				r9d = 0;
				 *(_t1088 + 0x4f0) = r15d;
				if (r12d == 0) goto 0x2a414083;
				_t793 =  *(( >=  ? _t1088 + 0x154 : _t1088 + 0x324) + __r9 * 4);
				if (_t793 != 0) goto 0x2a413f9f;
				if (r9d != r15d) goto 0x2a414077;
				 *(_t1088 + 0x4f4 + __r9 * 4) =  *(_t1088 + 0x4f4 + __r9 * 4) & _t793;
				_t213 = _t1137 + 1; // 0x1
				r15d = _t213;
				 *(_t1088 + 0x4f0) = r15d;
				goto 0x2a414077;
				r11d = 0;
				r8d = r9d;
				if (r10d == 0) goto 0x2a414068;
				if (r8d == 0x73) goto 0x2a414016;
				if (r8d != r15d) goto 0x2a413fd3;
				 *(_t1088 + 0x4f4 + _t1081 * 4) =  *(_t1088 + 0x4f4 + _t1081 * 4) & 0x00000000;
				_t221 = _t1108 + 1; // 0x1
				 *(_t1088 + 0x4f0) = _t221;
				r8d = r8d + 1;
				 *(_t1088 + 0x4f4 + _t1081 * 4) =  *(_t1052 + 0x40000000000000);
				r15d =  *(_t1088 + 0x4f0);
				if (_t1108 + _t972 == r10d) goto 0x2a414016;
				_t1056 =  *((intOrPtr*)(_t1090 + 0x48));
				goto 0x2a413fb3;
				if (r11d == 0) goto 0x2a414068;
				if (r8d == 0x73) goto 0x2a4141fe;
				if (r8d != r15d) goto 0x2a41403f;
				 *(_t1088 + 0x4f4 + _t1056 * 4) =  *(_t1088 + 0x4f4 + _t1056 * 4) & 0x00000000;
				_t241 = _t1108 + 1; // 0x1
				 *(_t1088 + 0x4f0) = _t241;
				r8d = r8d + 1;
				_t710 = r11d;
				 *(_t1088 + 0x4f4 + _t1056 * 4) = _t710;
				r15d =  *(_t1088 + 0x4f0);
				r11d = _t710;
				if (_t710 != 0) goto 0x2a41401b;
				if (r8d == 0x73) goto 0x2a4141fe;
				r9d = r9d + 1;
				if (r9d != r12d) goto 0x2a413f72;
				r8d = r15d;
				_t1109 = _t1108 << 2;
				 *(_t1088 + 0x150) = r15d;
				if (_t1109 == 0) goto 0x2a4140d6;
				if (_t1109 - 0 > 0) goto 0x2a4140b5;
				E00007FF67FF62A3F8520();
				goto 0x2a4140cf;
				E00007FF67FF62A3F8BD0();
				E00007FF67FF62A3FCED8(0);
				 *0 = 0x22;
				E00007FF67FF62A3FCD88();
				r15d =  *(_t1088 + 0x150);
				r12d =  *(_t1090 + 0x30);
				r13d =  *(_t1090 + 0x44);
				if (1 == 0) goto 0x2a4141fe;
				r12d = r12d - r13d;
				 *(_t1090 + 0x30) = r12d;
				if (1 != 0) goto 0x2a413d41;
				r13d =  *(_t1090 + 0x40);
				if (1 == 0) goto 0x2a41419e;
				_t588 =  *0x407FF62A4A14F8;
				if (_t588 == 0) goto 0x2a4141fe;
				if (_t588 == 1) goto 0x2a41419e;
				if (r15d == 0) goto 0x2a41419e;
				r8d = 0;
				r10d = _t588;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x2a414142;
				if (r8d == 0) goto 0x2a414197;
				if ( *(_t1088 + 0x150) - 0x73 >= 0) goto 0x2a4141fe;
				 *(_t1088 + 0x40000000000154) = r8d;
				r15d =  *(_t1088 + 0x150);
				r15d = r15d + 1;
				goto 0x2a414201;
				r15d =  *(_t1088 + 0x150);
				_t1082 =  *((intOrPtr*)(_t1090 + 0x68));
				r12d = 0;
				if (r14d == 0) goto 0x2a41467c;
				r8d = r12d;
				r9d = r12d;
				r9d = r9d + 1;
				 *(_t1088 + 0x1ffd8a8ebff84) = r8d;
				if (r9d != r14d) goto 0x2a4141b8;
				if (r8d == 0) goto 0x2a41467c;
				if ( *(_t1088 - 0x80) - 0x73 >= 0) goto 0x2a414659;
				 *(_t1088 + 0x3fffffffffff84) = r8d;
				 *(_t1088 - 0x80) =  *(_t1088 - 0x80) + 1;
				goto 0x2a41467c;
				r15d = 0;
				 *(_t1088 + 0x150) = r15d;
				goto 0x2a41419e;
				r13d =  ~r13d;
				_t596 =  *(_t1088 - 0x80) * r13d >> 0x20 >> 3;
				 *(_t1090 + 0x44) = _t596;
				r12d = _t596;
				 *(_t1090 + 0x30) = _t596;
				if (_t596 == 0) goto 0x2a4145c1;
				_t598 =  >  ? 0x26 : r12d;
				 *(_t1090 + 0x38) =  >  ? 0x26 : r12d;
				_t974 = _t1082 << 2;
				 *(_t1088 + 0x320) = (__r9 << 2) + 0x50000000000000;
				E00007FF67FF62A3F8BD0();
				E00007FF67FF62A3F8520();
				r10d =  *(_t1088 + 0x320);
				if (r10d - 1 > 0) goto 0x2a41433d;
				_t602 =  *((intOrPtr*)(_t1088 + 0x324));
				if (_t602 != 0) goto 0x2a4142cc;
				r14d = 0;
				 *(_t1088 - 0x80) = r14d;
				goto 0x2a414597;
				if (_t602 == 1) goto 0x2a414597;
				if (r14d == 0) goto 0x2a414597;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x2a4142e7;
				if (r8d == 0) goto 0x2a414334;
				if ( *(_t1088 - 0x80) - 0x73 >= 0) goto 0x2a414326;
				 *(_t1088 + 0x3fffffffffff84) = r8d;
				r14d =  *(_t1088 - 0x80);
				r14d = r14d + 1;
				goto 0x2a4142c3;
				r14d = 0;
				 *(_t1088 - 0x80) = r14d;
				goto 0x2a414599;
				r14d =  *(_t1088 - 0x80);
				goto 0x2a414597;
				if (r14d - 1 > 0) goto 0x2a4143e2;
				_t663 =  *((intOrPtr*)(_t1088 - 0x7c));
				r14d = r10d;
				 *(_t1088 - 0x80) = r10d;
				if (0 << 2 == 0) goto 0x2a414397;
				if (0 << 2 - 0 > 0) goto 0x2a414379;
				E00007FF67FF62A3F8520();
				goto 0x2a414393;
				E00007FF67FF62A3F8BD0();
				E00007FF67FF62A3FCED8(0);
				 *0 = 0x22;
				E00007FF67FF62A3FCD88();
				r14d =  *(_t1088 - 0x80);
				if (_t663 == 0) goto 0x2a4142c0;
				if (_t663 == 1) goto 0x2a414597;
				if (r14d == 0) goto 0x2a414597;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x2a4143ba;
				goto 0x2a41430a;
				r12d = r14d;
				_t1020 =  >=  ? _t1088 - 0x7c : _t1088 + 0x324;
				_t1124 = _t1088 + 0x324;
				r12d =  <  ? r10d : r12d;
				 *((long long*)(_t1090 + 0x70)) = _t1020;
				_t1066 =  >=  ? _t1124 : _t1088 - 0x7c;
				 *((long long*)(_t1090 + 0x48)) = _t1066;
				r10d =  !=  ? r14d : r10d;
				r14d = 0;
				r9d = 0;
				 *(_t1088 + 0x4f0) = r14d;
				if (r12d == 0) goto 0x2a414548;
				_t795 =  *(_t1020 + __r9 * 4);
				if (_t795 != 0) goto 0x2a41445f;
				if (r9d != r14d) goto 0x2a41453c;
				 *(_t1088 + 0x4f4 + __r9 * 4) =  *(_t1088 + 0x4f4 + __r9 * 4) & _t795;
				_t369 = _t1137 + 1; // 0x1
				r14d = _t369;
				 *(_t1088 + 0x4f0) = r14d;
				goto 0x2a41453c;
				r11d = 0;
				r8d = r9d;
				if (r10d == 0) goto 0x2a414528;
				if (r8d == 0x73) goto 0x2a4144d6;
				if (r8d != r14d) goto 0x2a414493;
				 *(_t1088 + 0x4f4 + _t1082 * 4) =  *(_t1088 + 0x4f4 + _t1082 * 4) & 0x00000000;
				_t377 = _t1124 + 1; // 0x1
				 *(_t1088 + 0x4f0) = _t377;
				r8d = r8d + 1;
				 *(_t1088 + 0x4f4 + _t1082 * 4) =  *(_t1066 + 0x40000000000000);
				r14d =  *(_t1088 + 0x4f0);
				if ((_t1082 << 2) + _t1124 == r10d) goto 0x2a4144d6;
				_t1070 =  *((intOrPtr*)(_t1090 + 0x48));
				goto 0x2a414473;
				if (r11d == 0) goto 0x2a414528;
				if (r8d == 0x73) goto 0x2a414648;
				if (r8d != r14d) goto 0x2a4144ff;
				 *(_t1088 + 0x4f4 + _t1070 * 4) =  *(_t1088 + 0x4f4 + _t1070 * 4) & 0x00000000;
				_t397 = _t1124 + 1; // 0x1
				 *(_t1088 + 0x4f0) = _t397;
				_t718 =  *(_t1088 + 0x4f4 + _t1070 * 4);
				r8d = r8d + 1;
				 *(_t1088 + 0x4f4 + _t1070 * 4) = _t718;
				r14d =  *(_t1088 + 0x4f0);
				r11d = _t718;
				if (_t718 != 0) goto 0x2a4144db;
				if (r8d == 0x73) goto 0x2a414648;
				r9d = r9d + 1;
				if (r9d != r12d) goto 0x2a414433;
				r8d = r14d;
				_t1125 = _t1124 << 2;
				 *(_t1088 - 0x80) = r14d;
				if (_t1125 == 0) goto 0x2a414592;
				if (_t1125 - 0 > 0) goto 0x2a414574;
				E00007FF67FF62A3F8520();
				goto 0x2a41458e;
				E00007FF67FF62A3F8BD0();
				E00007FF67FF62A3FCED8(0);
				 *0 = 0x22;
				E00007FF67FF62A3FCD88();
				r14d =  *(_t1088 - 0x80);
				r12d =  *(_t1090 + 0x30);
				if (1 == 0) goto 0x2a414648;
				r12d = r12d -  *(_t1090 + 0x38);
				 *(_t1090 + 0x30) = r12d;
				if (1 != 0) goto 0x2a414234;
				r13d = r13d - 0xa0000000000000;
				if (1 == 0) goto 0x2a41419e;
				_t627 =  *0x407FF62A4A14F8;
				if (_t627 == 0) goto 0x2a414648;
				if (_t627 == 1) goto 0x2a41419e;
				if (r14d == 0) goto 0x2a41419e;
				r8d = 0;
				r10d = _t627;
				r9d = 0;
				_t720 =  *((intOrPtr*)(_t1088 + __r9 * 4 - 0x7c));
				 *((intOrPtr*)(_t1088 + __r9 * 4 - 0x7c)) = _t720;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x2a4145f9;
				if (r8d == 0) goto 0x2a41463f;
				if ( *(_t1088 - 0x80) - 0x73 >= 0) goto 0x2a414648;
				 *(_t1088 + 0x3fffffffffff84) = r8d;
				r14d =  *(_t1088 - 0x80);
				r14d = r14d + 1;
				 *(_t1088 - 0x80) = r14d;
				goto 0x2a41419e;
				r14d =  *(_t1088 - 0x80);
				goto 0x2a41419e;
				 *(_t1088 - 0x80) =  *(_t1088 - 0x80) & 0x00000000;
				_t1083 =  *((intOrPtr*)(_t1090 + 0x68));
				r12d = 0;
				goto 0x2a41467c;
				r9d = 0;
				 *(_t1088 + 0x320) = r12d;
				 *(_t1088 - 0x80) = r12d;
				E00007FF67FF62A3FD5E4(0, _t1083, _t1088 - 0x7c, 0x7ff62a3b0000, _t1086 << 2, _t1088 + 0x324, __r9);
				_t1074 = _t1088 + 0x150;
				if (E00007FF67FF62A3FD140(_t720, 0, _t1088 - 0x80, _t1074, _t1082 << 2,  >=  ? _t1088 + 0x154 : _t1088 + 0x324) != 0xa) goto 0x2a414729;
				 *_t1083 = 0x31;
				if (r15d == 0) goto 0x2a414739;
				r8d = r12d;
				r9d = r12d;
				r9d = r9d + 1;
				 *(_t1088 + 0x154 + _t1074 * 4) = r8d;
				if (r9d != r15d) goto 0x2a4146b1;
				if (r8d == 0) goto 0x2a414739;
				if ( *(_t1088 + 0x150) - 0x73 >= 0) goto 0x2a4146fe;
				 *(_t1088 + 0x40000000000154) = r8d;
				 *(_t1088 + 0x150) =  *(_t1088 + 0x150) + 1;
				goto 0x2a414739;
				r9d = 0;
				 *(_t1088 + 0x320) = r12d;
				 *(_t1088 + 0x150) = r12d;
				_t635 = E00007FF67FF62A3FD5E4(0, _t1083 + 1, _t1088 + 0x154, _t1074, _t1086 << 2, _t1088 + 0x324, _t1137);
				goto 0x2a414739;
				if (_t635 != 0) goto 0x2a414731;
				_t798 =  *(_t1090 + 0x40) + 1 - 1;
				goto 0x2a414739;
				_t977 = _t1083 + 1;
				 *_t1083 = 1;
				_t964 =  *((intOrPtr*)(_t1090 + 0x78));
				 *(_t964 + 4) = _t798;
				if (_t798 < 0) goto 0x2a414753;
				if ( *((intOrPtr*)(_t1090 + 0x50)) - 0x7fffffff > 0) goto 0x2a414753;
				_t965 =  <  ?  *((intOrPtr*)(_t1088 + 0x740)) - 1 : _t964;
				_t1084 = _t1083 + _t965;
				if (_t977 == _t1084) goto 0x2a41485a;
				r14d = 9;
				_t799 = _t798 | 0xffffffff;
				r10d =  *(_t1088 - 0x80);
				if (r10d == 0) goto 0x2a41485a;
				r8d = r12d;
				r9d = r12d;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1088 + _t1074 * 4 - 0x7c)) = _t720;
				if (r9d != r10d) goto 0x2a41478e;
				if (r8d == 0) goto 0x2a4147f0;
				if ( *(_t1088 - 0x80) - 0x73 >= 0) goto 0x2a4147cd;
				 *(_t1088 + _t965 * 4 - 0x7c) = r8d;
				 *(_t1088 - 0x80) =  *(_t1088 - 0x80) + 1;
				goto 0x2a4147f0;
				r9d = 0;
				 *(_t1088 + 0x320) = r12d;
				 *(_t1088 - 0x80) = r12d;
				E00007FF67FF62A3FD5E4(_t965, _t977, _t1088 - 0x7c, _t1074, _t1086 << 2, _t1088 + 0x324, _t1137);
				_t1075 = _t1088 + 0x150;
				_t1036 = _t1088 - 0x80;
				E00007FF67FF62A3FD140(_t720, _t965, _t1036, _t1075, _t974,  >=  ? _t1088 + 0x154 : _t1088 + 0x324);
				r10d = r8d;
				_t1136 = _t965;
				r10d = r10d -  ~r9d;
				r9d = 8;
				r8b = r8b - _t1036 + _t1075 + _t1036 + _t1075;
				_t499 = _t1136 + 0x30; // 0x30
				r8d = 0xcccccccd * r8d >> 0x20 >> 3;
				if (r10d - r9d < 0) goto 0x2a414839;
				 *((char*)(_t965 + _t977)) = _t499;
				r9d = r9d + _t799;
				if (r9d != _t799) goto 0x2a41480f;
				_t967 = _t1084 - _t977;
				_t968 =  >  ? _t1151 : _t967;
				_t978 = _t977 + ( >  ? _t1151 : _t967);
				if (_t978 != _t1084) goto 0x2a41477b;
				 *_t978 = r12b;
				if ( *((intOrPtr*)(_t1090 + 0x60)) == r12b) goto 0x2a41486e;
				return E00007FF67FF62A3F6B50(E00007FF67FF62A415CE0( *((intOrPtr*)(_t1090 + 0x60)) - r12b, _t1090 + 0x58, _t1084, _t1086 << 2, _t974), _t499,  *(_t1088 + 0x6c0) ^ _t1090);
			}

0x7ff62a4136ac
0x7ff62a4136b9
0x7ff62a4136c1
0x7ff62a4136c8
0x7ff62a4136d2
0x7ff62a4136d9
0x7ff62a4136e6
0x7ff62a4136eb
0x7ff62a4136ee
0x7ff62a4136f5
0x7ff62a4136fe
0x7ff62a413706
0x7ff62a413708
0x7ff62a41370d
0x7ff62a413714
0x7ff62a413719
0x7ff62a41371e
0x7ff62a41372b
0x7ff62a413731
0x7ff62a413741
0x7ff62a413741
0x7ff62a413744
0x7ff62a41374e
0x7ff62a413754
0x7ff62a413759
0x7ff62a41375b
0x7ff62a413766
0x7ff62a41376b
0x7ff62a41376e
0x7ff62a413773
0x7ff62a41377b
0x7ff62a413782
0x7ff62a413787
0x7ff62a413793
0x7ff62a413796
0x7ff62a41379d
0x7ff62a4137ae
0x7ff62a4137b9
0x7ff62a4137c2
0x7ff62a4137cb
0x7ff62a4137d4
0x7ff62a4137ec
0x7ff62a4137f1
0x7ff62a4137f3
0x7ff62a4137f9
0x7ff62a4137fd
0x7ff62a413803
0x7ff62a41380b
0x7ff62a413825
0x7ff62a413828
0x7ff62a413831
0x7ff62a413834
0x7ff62a413836
0x7ff62a413839
0x7ff62a41383d
0x7ff62a413840
0x7ff62a413845
0x7ff62a41384a
0x7ff62a41384e
0x7ff62a41385c
0x7ff62a413863
0x7ff62a413866
0x7ff62a41386b
0x7ff62a413872
0x7ff62a413876
0x7ff62a413878
0x7ff62a413882
0x7ff62a41388a
0x7ff62a413894
0x7ff62a41389a
0x7ff62a4138a2
0x7ff62a4138a8
0x7ff62a4138b9
0x7ff62a4138bf
0x7ff62a4138c2
0x7ff62a4138c5
0x7ff62a4138c7
0x7ff62a4138ce
0x7ff62a4138d3
0x7ff62a4138d9
0x7ff62a4138dd
0x7ff62a4138f4
0x7ff62a4138f9
0x7ff62a4138fc
0x7ff62a4138ff
0x7ff62a413903
0x7ff62a41390a
0x7ff62a413911
0x7ff62a413918
0x7ff62a41391d
0x7ff62a413924
0x7ff62a41392c
0x7ff62a413932
0x7ff62a41393b
0x7ff62a41393f
0x7ff62a413945
0x7ff62a41394a
0x7ff62a413957
0x7ff62a413959
0x7ff62a41395e
0x7ff62a413960
0x7ff62a413965
0x7ff62a41396b
0x7ff62a413977
0x7ff62a41397c
0x7ff62a413982
0x7ff62a413988
0x7ff62a41398f
0x7ff62a413991
0x7ff62a413994
0x7ff62a41399b
0x7ff62a41399d
0x7ff62a4139a7
0x7ff62a4139b0
0x7ff62a4139b4
0x7ff62a4139b6
0x7ff62a4139b9
0x7ff62a4139c0
0x7ff62a4139c6
0x7ff62a4139cd
0x7ff62a4139d1
0x7ff62a4139db
0x7ff62a4139e5
0x7ff62a4139ea
0x7ff62a4139f1
0x7ff62a4139f6
0x7ff62a4139fc
0x7ff62a413a00
0x7ff62a413a10
0x7ff62a413a17
0x7ff62a413a1c
0x7ff62a413a1f
0x7ff62a413a22
0x7ff62a413a26
0x7ff62a413a2d
0x7ff62a413a34
0x7ff62a413a3b
0x7ff62a413a40
0x7ff62a413a47
0x7ff62a413a4f
0x7ff62a413a55
0x7ff62a413a5e
0x7ff62a413a62
0x7ff62a413a68
0x7ff62a413a6d
0x7ff62a413a7a
0x7ff62a413a7c
0x7ff62a413a81
0x7ff62a413a83
0x7ff62a413a88
0x7ff62a413a8e
0x7ff62a413a9a
0x7ff62a413a9f
0x7ff62a413aa5
0x7ff62a413aab
0x7ff62a413ab2
0x7ff62a413ab4
0x7ff62a413ab7
0x7ff62a413abe
0x7ff62a413ac0
0x7ff62a413aca
0x7ff62a413ad3
0x7ff62a413ad7
0x7ff62a413ad9
0x7ff62a413adc
0x7ff62a413ae3
0x7ff62a413ae9
0x7ff62a413af0
0x7ff62a413af4
0x7ff62a413afe
0x7ff62a413b08
0x7ff62a413b11
0x7ff62a413b19
0x7ff62a413b23
0x7ff62a413b29
0x7ff62a413b31
0x7ff62a413b37
0x7ff62a413b48
0x7ff62a413b4e
0x7ff62a413b51
0x7ff62a413b54
0x7ff62a413b56
0x7ff62a413b59
0x7ff62a413b5e
0x7ff62a413b62
0x7ff62a413b69
0x7ff62a413b6c
0x7ff62a413b70
0x7ff62a413b72
0x7ff62a413b75
0x7ff62a413b7b
0x7ff62a413b7d
0x7ff62a413b82
0x7ff62a413b84
0x7ff62a413b8a
0x7ff62a413b91
0x7ff62a413ba3
0x7ff62a413bab
0x7ff62a413bb0
0x7ff62a413bc4
0x7ff62a413bcd
0x7ff62a413bd8
0x7ff62a413bdf
0x7ff62a413bf1
0x7ff62a413bf8
0x7ff62a413bf8
0x7ff62a413bfc
0x7ff62a413bff
0x7ff62a413c03
0x7ff62a413c0a
0x7ff62a413c14
0x7ff62a413c26
0x7ff62a413c29
0x7ff62a413c36
0x7ff62a413c3b
0x7ff62a413c43
0x7ff62a413c48
0x7ff62a413c4d
0x7ff62a413c51
0x7ff62a413c58
0x7ff62a413c5b
0x7ff62a413c61
0x7ff62a413c64
0x7ff62a413c6a
0x7ff62a413c6c
0x7ff62a413c71
0x7ff62a413c73
0x7ff62a413c79
0x7ff62a413c80
0x7ff62a413c90
0x7ff62a413c98
0x7ff62a413c9d
0x7ff62a413cb2
0x7ff62a413cbb
0x7ff62a413cc6
0x7ff62a413ccd
0x7ff62a413cdf
0x7ff62a413ce6
0x7ff62a413cf0
0x7ff62a413cf5
0x7ff62a413cfa
0x7ff62a413d00
0x7ff62a413d05
0x7ff62a413d14
0x7ff62a413d26
0x7ff62a413d29
0x7ff62a413d2d
0x7ff62a413d30
0x7ff62a413d36
0x7ff62a413d44
0x7ff62a413d47
0x7ff62a413d4b
0x7ff62a413d6a
0x7ff62a413d7b
0x7ff62a413d81
0x7ff62a413d8d
0x7ff62a413db1
0x7ff62a413db6
0x7ff62a413dc1
0x7ff62a413dc7
0x7ff62a413dcf
0x7ff62a413dd1
0x7ff62a413dd4
0x7ff62a413ddb
0x7ff62a413de3
0x7ff62a413dec
0x7ff62a413df2
0x7ff62a413df8
0x7ff62a413e1c
0x7ff62a413e22
0x7ff62a413e27
0x7ff62a413e30
0x7ff62a413e38
0x7ff62a413e40
0x7ff62a413e47
0x7ff62a413e4a
0x7ff62a413e4c
0x7ff62a413e4f
0x7ff62a413e58
0x7ff62a413e5d
0x7ff62a413e64
0x7ff62a413e6d
0x7ff62a413e73
0x7ff62a413e80
0x7ff62a413e83
0x7ff62a413e8d
0x7ff62a413e9e
0x7ff62a413ea7
0x7ff62a413eac
0x7ff62a413eb3
0x7ff62a413eb8
0x7ff62a413ebd
0x7ff62a413ec3
0x7ff62a413ec8
0x7ff62a413ed1
0x7ff62a413eda
0x7ff62a413ee3
0x7ff62a413ee9
0x7ff62a413eef
0x7ff62a413f0f
0x7ff62a413f13
0x7ff62a413f19
0x7ff62a413f1b
0x7ff62a413f2a
0x7ff62a413f34
0x7ff62a413f3f
0x7ff62a413f4a
0x7ff62a413f53
0x7ff62a413f58
0x7ff62a413f5c
0x7ff62a413f5f
0x7ff62a413f62
0x7ff62a413f6c
0x7ff62a413f72
0x7ff62a413f7c
0x7ff62a413f81
0x7ff62a413f87
0x7ff62a413f8f
0x7ff62a413f8f
0x7ff62a413f93
0x7ff62a413f9a
0x7ff62a413f9f
0x7ff62a413fa2
0x7ff62a413fa8
0x7ff62a413fb7
0x7ff62a413fbf
0x7ff62a413fc1
0x7ff62a413fc9
0x7ff62a413fcd
0x7ff62a413fd7
0x7ff62a413ff8
0x7ff62a413fff
0x7ff62a41400d
0x7ff62a41400f
0x7ff62a414014
0x7ff62a414019
0x7ff62a41401f
0x7ff62a41402b
0x7ff62a41402d
0x7ff62a414035
0x7ff62a414039
0x7ff62a414046
0x7ff62a414049
0x7ff62a41404f
0x7ff62a414056
0x7ff62a414061
0x7ff62a414066
0x7ff62a41406c
0x7ff62a414077
0x7ff62a41407d
0x7ff62a414083
0x7ff62a414086
0x7ff62a41408a
0x7ff62a414094
0x7ff62a4140a5
0x7ff62a4140ae
0x7ff62a4140b3
0x7ff62a4140ba
0x7ff62a4140bf
0x7ff62a4140c4
0x7ff62a4140ca
0x7ff62a4140cf
0x7ff62a4140d6
0x7ff62a4140db
0x7ff62a4140e4
0x7ff62a4140ea
0x7ff62a4140f4
0x7ff62a4140fe
0x7ff62a414108
0x7ff62a414117
0x7ff62a414120
0x7ff62a414129
0x7ff62a414132
0x7ff62a414137
0x7ff62a414139
0x7ff62a41413c
0x7ff62a41413f
0x7ff62a414163
0x7ff62a414169
0x7ff62a41416e
0x7ff62a414177
0x7ff62a414183
0x7ff62a41418b
0x7ff62a414192
0x7ff62a414195
0x7ff62a414197
0x7ff62a41419e
0x7ff62a4141a3
0x7ff62a4141ac
0x7ff62a4141b2
0x7ff62a4141b5
0x7ff62a4141bb
0x7ff62a4141cd
0x7ff62a4141d9
0x7ff62a4141de
0x7ff62a4141e8
0x7ff62a4141f1
0x7ff62a4141f6
0x7ff62a4141f9
0x7ff62a4141fe
0x7ff62a414201
0x7ff62a414208
0x7ff62a41420a
0x7ff62a414219
0x7ff62a41421c
0x7ff62a414220
0x7ff62a414223
0x7ff62a414229
0x7ff62a41423a
0x7ff62a41423d
0x7ff62a414257
0x7ff62a41426a
0x7ff62a414270
0x7ff62a4142a0
0x7ff62a4142a5
0x7ff62a4142b0
0x7ff62a4142b6
0x7ff62a4142be
0x7ff62a4142c0
0x7ff62a4142c3
0x7ff62a4142c7
0x7ff62a4142cf
0x7ff62a4142d8
0x7ff62a4142de
0x7ff62a4142e4
0x7ff62a414302
0x7ff62a414308
0x7ff62a41430d
0x7ff62a414313
0x7ff62a414318
0x7ff62a41431d
0x7ff62a414321
0x7ff62a414324
0x7ff62a414326
0x7ff62a414329
0x7ff62a41432f
0x7ff62a414334
0x7ff62a414338
0x7ff62a414341
0x7ff62a414347
0x7ff62a414351
0x7ff62a414354
0x7ff62a41435b
0x7ff62a414369
0x7ff62a414372
0x7ff62a414377
0x7ff62a41437e
0x7ff62a414383
0x7ff62a414388
0x7ff62a41438e
0x7ff62a414393
0x7ff62a414399
0x7ff62a4143a2
0x7ff62a4143ab
0x7ff62a4143b1
0x7ff62a4143b7
0x7ff62a4143d5
0x7ff62a4143db
0x7ff62a4143dd
0x7ff62a4143e9
0x7ff62a4143f3
0x7ff62a4143f7
0x7ff62a4143fe
0x7ff62a414402
0x7ff62a41440e
0x7ff62a414414
0x7ff62a414419
0x7ff62a41441d
0x7ff62a414420
0x7ff62a414423
0x7ff62a41442d
0x7ff62a414433
0x7ff62a41443c
0x7ff62a414441
0x7ff62a414447
0x7ff62a41444f
0x7ff62a41444f
0x7ff62a414453
0x7ff62a41445a
0x7ff62a41445f
0x7ff62a414462
0x7ff62a414468
0x7ff62a414477
0x7ff62a41447f
0x7ff62a414481
0x7ff62a414489
0x7ff62a41448d
0x7ff62a414497
0x7ff62a4144b8
0x7ff62a4144bf
0x7ff62a4144cd
0x7ff62a4144cf
0x7ff62a4144d4
0x7ff62a4144d9
0x7ff62a4144df
0x7ff62a4144eb
0x7ff62a4144ed
0x7ff62a4144f5
0x7ff62a4144f9
0x7ff62a4144ff
0x7ff62a414506
0x7ff62a41450f
0x7ff62a414516
0x7ff62a414521
0x7ff62a414526
0x7ff62a41452c
0x7ff62a41453c
0x7ff62a414542
0x7ff62a414548
0x7ff62a41454b
0x7ff62a41454f
0x7ff62a414556
0x7ff62a414564
0x7ff62a41456d
0x7ff62a414572
0x7ff62a414579
0x7ff62a41457e
0x7ff62a414583
0x7ff62a414589
0x7ff62a41458e
0x7ff62a414592
0x7ff62a41459b
0x7ff62a4145a1
0x7ff62a4145ad
0x7ff62a4145b7
0x7ff62a4145c6
0x7ff62a4145c9
0x7ff62a4145d3
0x7ff62a4145dc
0x7ff62a4145e1
0x7ff62a4145ea
0x7ff62a4145f0
0x7ff62a4145f3
0x7ff62a4145f6
0x7ff62a4145f9
0x7ff62a41460b
0x7ff62a414614
0x7ff62a41461a
0x7ff62a41461f
0x7ff62a414625
0x7ff62a41462a
0x7ff62a41462f
0x7ff62a414633
0x7ff62a414636
0x7ff62a41463a
0x7ff62a41463f
0x7ff62a414643
0x7ff62a414648
0x7ff62a41464c
0x7ff62a414651
0x7ff62a414657
0x7ff62a414659
0x7ff62a41465c
0x7ff62a41466a
0x7ff62a414677
0x7ff62a41467c
0x7ff62a414693
0x7ff62a41469b
0x7ff62a4146a5
0x7ff62a4146ab
0x7ff62a4146ae
0x7ff62a4146b4
0x7ff62a4146c9
0x7ff62a4146d8
0x7ff62a4146dd
0x7ff62a4146e6
0x7ff62a4146ee
0x7ff62a4146f6
0x7ff62a4146fc
0x7ff62a4146fe
0x7ff62a414701
0x7ff62a41470f
0x7ff62a414722
0x7ff62a414727
0x7ff62a41472b
0x7ff62a41472d
0x7ff62a41472f
0x7ff62a414733
0x7ff62a414737
0x7ff62a414739
0x7ff62a414742
0x7ff62a414747
0x7ff62a41474f
0x7ff62a414762
0x7ff62a414766
0x7ff62a41476c
0x7ff62a414772
0x7ff62a414778
0x7ff62a41477b
0x7ff62a414782
0x7ff62a414788
0x7ff62a41478b
0x7ff62a414791
0x7ff62a4147a8
0x7ff62a4147b3
0x7ff62a4147b8
0x7ff62a4147be
0x7ff62a4147c3
0x7ff62a4147c8
0x7ff62a4147cb
0x7ff62a4147cd
0x7ff62a4147d0
0x7ff62a4147de
0x7ff62a4147eb
0x7ff62a4147f0
0x7ff62a4147f7
0x7ff62a4147fb
0x7ff62a414800
0x7ff62a414803
0x7ff62a414806
0x7ff62a414809
0x7ff62a414824
0x7ff62a414827
0x7ff62a41482b
0x7ff62a414831
0x7ff62a414836
0x7ff62a414839
0x7ff62a41483f
0x7ff62a414844
0x7ff62a41484a
0x7ff62a41484e
0x7ff62a414854
0x7ff62a41485a
0x7ff62a414862
0x7ff62a414890

APIs

fegetenv.LIBCMT ref: 00007FF62A4136F5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A413D00
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A413EC3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A4140CA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A41438E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A414589
memcpy_s.LIBCPMT ref: 00007FF62A414677
memcpy_s.LIBCPMT ref: 00007FF62A414722
memcpy_s.LIBCPMT ref: 00007FF62A4147EB

Strings

1#QNAN, xrefs: 00007FF62A4148A3
1#SNAN, xrefs: 00007FF62A41489A
1#IND, xrefs: 00007FF62A414891
1#INF, xrefs: 00007FF62A4148BF

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: fca0e562e9e15603af03b6e27d759be691a563fb95d99ee9af36a5cf707214e8
Instruction ID: b66d232848dc301222ffc7385ce615f147574a1847a813bcae8dafb6870038dc
Opcode Fuzzy Hash: fca0e562e9e15603af03b6e27d759be691a563fb95d99ee9af36a5cf707214e8
Instruction Fuzzy Hash: 8BB218B2A182828BEF658E65D9407FD37A1FB4438CF905175DA1AD7B84DFB8E910CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F15A0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62A3EFAB0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF62A3F15D7), ref: 00007FF62A3EFAE5

EnumDisplaySettingsW.USER32 ref: 00007FF62A3F1630
CreateDCW.GDI32 ref: 00007FF62A3F1646

Part of subcall function 00007FF62A3EFD40: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFDB3
Part of subcall function 00007FF62A3EFD40: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFDC2
Part of subcall function 00007FF62A3EFD40: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFDD1
Part of subcall function 00007FF62A3EFD40: RtlVerifyVersionInfo.NTDLL ref: 00007FF62A3EFDE2

GetDeviceCaps.GDI32 ref: 00007FF62A3F166A
GetDeviceCaps.GDI32 ref: 00007FF62A3F167B
GetDeviceCaps.GDI32 ref: 00007FF62A3F16AA
GetDeviceCaps.GDI32 ref: 00007FF62A3F16DF
DeleteDC.GDI32 ref: 00007FF62A3F1700
WideCharToMultiByte.KERNEL32 ref: 00007FF62A3F1792
WideCharToMultiByte.KERNEL32 ref: 00007FF62A3F17FE
EnumDisplayMonitors.USER32 ref: 00007FF62A3F1843

Strings

DISPLAY, xrefs: 00007FF62A3F1639
, xrefs: 00007FF62A3F17E8

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CapsDevice$ByteCharConditionMaskMultiWide$DisplayEnum$CreateDeleteInfoMonitorsSettingsVerifyVersion
String ID: $DISPLAY
API String ID: 2931716912-3074206054
Opcode ID: 003df35f5adfbe1ba27007e2fa3b1b71770f73f1cb2e1e379afd2fa997e78d6b
Instruction ID: e392f16669f16b000966cab664d8aee7d5cf441fdea373177dd32e386802d2e0
Opcode Fuzzy Hash: 003df35f5adfbe1ba27007e2fa3b1b71770f73f1cb2e1e379afd2fa997e78d6b
Instruction Fuzzy Hash: 3561B131618A8186EB21CB21E9547EAB3A1FF89B84F458135DE4D87B58EF7CD458CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A410658 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF62A407188: GetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407197
Part of subcall function 00007FF62A407188: SetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407235

TranslateName.LIBCMT ref: 00007FF62A4106C5
TranslateName.LIBCMT ref: 00007FF62A410700
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF62A405CEC), ref: 00007FF62A410745
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF62A405CEC), ref: 00007FF62A41076D

Strings

utf8, xrefs: 00007FF62A410851

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValid
String ID: utf8
API String ID: 2136749100-905460609
Opcode ID: aceb53ba850a0aa104f2f5188a62bb4ec46045bf13d2158e341261e65184212b
Instruction ID: 9c68efaa077b57effb84538b6b0657d135bf0049b24907f82988eebd34ed504b
Opcode Fuzzy Hash: aceb53ba850a0aa104f2f5188a62bb4ec46045bf13d2158e341261e65184212b
Instruction Fuzzy Hash: 41918C32A0874281EF649B21DC512B933A5EF84B80F4441B1DA5DE7B86DFBCF961C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A41108C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF62A407188: GetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407197
Part of subcall function 00007FF62A407188: SetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407235

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF62A405CE5), ref: 00007FF62A4111E3
GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF62A4111FC
ProcessCodePage.LIBCMT ref: 00007FF62A411226
IsValidCodePage.KERNEL32 ref: 00007FF62A411238
IsValidLocale.KERNEL32 ref: 00007FF62A41124E
GetLocaleInfoW.KERNEL32 ref: 00007FF62A4112AA
GetLocaleInfoW.KERNEL32 ref: 00007FF62A4112C6

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 3939093798-0
Opcode ID: 1d4bf47ae231a4ee700d3952a5d5f306dbba80a13a1e1485f6eed50f8bdaeace
Instruction ID: 7efc39eb3603eef38243dc3ef613145d7006b8986700114f602ea4ef36c3f915
Opcode Fuzzy Hash: 1d4bf47ae231a4ee700d3952a5d5f306dbba80a13a1e1485f6eed50f8bdaeace
Instruction Fuzzy Hash: E4715922F1860289FF549B68DC506BD63A0BF48744F4441B9CE1DE7685EFBCE869C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F6D60 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF62A3F6D7C
RtlCaptureContext.KERNEL32 ref: 00007FF62A3F6DA9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62A3F6DC3
RtlVirtualUnwind.KERNEL32 ref: 00007FF62A3F6E04
IsDebuggerPresent.KERNEL32 ref: 00007FF62A3F6E58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62A3F6E79
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62A3F6E84

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 7d0b6e7a7f7dfebdd5d7c942e2c8fe65d3814bb21ecac594fed4ae4115783204
Instruction ID: fc994c48ae3a9135c379cdb6c6d217f09305c5cdc0cd9826cf03c2e1729d0ca8
Opcode Fuzzy Hash: 7d0b6e7a7f7dfebdd5d7c942e2c8fe65d3814bb21ecac594fed4ae4115783204
Instruction Fuzzy Hash: 56313A72619B818AEF609F60E8903EA7360FB94748F44447ADA4EC7A98DFBCD548C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F31E0 Relevance: 10.5, APIs: 7, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00007FF62A3F31F4
GetKeyState.USER32 ref: 00007FF62A3F3205
GetKeyState.USER32 ref: 00007FF62A3F3220
GetKeyState.USER32 ref: 00007FF62A3F3239
GetKeyState.USER32 ref: 00007FF62A3F3247
GetKeyState.USER32 ref: 00007FF62A3F325D
GetKeyState.USER32 ref: 00007FF62A3F3272

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: a23f62ef7c8a0b370de0dd8f5c81347d758617228c4f1c15f3fd31a142edb6fc
Instruction ID: e82f53299401f9c192bd156851eee3cd6478140fb54f25ca3709277e37d728f8
Opcode Fuzzy Hash: a23f62ef7c8a0b370de0dd8f5c81347d758617228c4f1c15f3fd31a142edb6fc
Instruction Fuzzy Hash: B501C076F04B6183FB081B61A8803782251EBC8B61F554078DE8F83390CFBCE89257A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FCB74 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF62A3FCBED
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62A3FCC05
RtlVirtualUnwind.KERNEL32 ref: 00007FF62A3FCC40
IsDebuggerPresent.KERNEL32 ref: 00007FF62A3FCC79
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62A3FCC83
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62A3FCC8E

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5e01dc71bfc560a3fefad802f7766588dfccd59f379dde6ae71a323ab51a21a7
Instruction ID: 70609dcbe486d7feb77a6708064a2f576efa9ffea8bd4d3a64fcadab631fefe4
Opcode Fuzzy Hash: 5e01dc71bfc560a3fefad802f7766588dfccd59f379dde6ae71a323ab51a21a7
Instruction Fuzzy Hash: 5C315E36618F8186DB608B25EC902AE73A0FB98754F500179EE8DC3B58DF7CD5568B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A408504 Relevance: 7.8, APIs: 5, Instructions: 321fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00007FF62A408573
WriteFile.KERNEL32 ref: 00007FF62A40881D
WriteFile.KERNEL32 ref: 00007FF62A40886F
GetLastError.KERNEL32 ref: 00007FF62A4089B1
GetLastError.KERNEL32 ref: 00007FF62A4089C3

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorFileLastWrite$Console
String ID:
API String ID: 786612050-0
Opcode ID: 4b132c94b2897b12c36b38dd0b7e6f5be107ec47b5c7e1dc2ba7b2ccd8c74df6
Instruction ID: cf1ac8395f6b213faad12e3dec98ff67529b1e22b592faea35371d1f780baf93
Opcode Fuzzy Hash: 4b132c94b2897b12c36b38dd0b7e6f5be107ec47b5c7e1dc2ba7b2ccd8c74df6
Instruction Fuzzy Hash: D1D10432B08A8189EB05CF64DA401ED7BB1FB547D8F540176DE8E87B99DEB8D116D301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F1080 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

EnumDisplayDevicesW.USER32 ref: 00007FF62A3F111C
EnumDisplayDevicesW.USER32 ref: 00007FF62A3F1181
EnumDisplayMonitors.USER32 ref: 00007FF62A3F1210
EnumDisplayDevicesW.USER32 ref: 00007FF62A3F1280
EnumDisplayDevicesW.USER32 ref: 00007FF62A3F1338

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: DisplayEnum$Devices$Monitors
String ID:
API String ID: 1432082543-0
Opcode ID: 3caa1640e10026ccfe25d1a170fbd6dce769566d3495b69305adbc7a48976e25
Instruction ID: a2eec7988b686ae5d6469dcecf6b90cbdf568a49c844682d60a5e40a0f6afcf7
Opcode Fuzzy Hash: 3caa1640e10026ccfe25d1a170fbd6dce769566d3495b69305adbc7a48976e25
Instruction Fuzzy Hash: 1981A262A2C68281FF758B52B9907BA6290FB84B44F50417ADF4EC2785EFBCE509C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3EFB90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF62A3EFBDB
FormatMessageW.KERNEL32 ref: 00007FF62A3EFC10
WideCharToMultiByte.KERNEL32 ref: 00007FF62A3EFC4F

Strings

%s: %s, xrefs: 00007FF62A3EFC5D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: %s: %s
API String ID: 1653872744-3740598653
Opcode ID: cebd72e04c220dd515101dc4bb9e86700e3997b09168ccdb637093c38b911448
Instruction ID: ada4206ce8ee6744c644be24feb93ff47215f32ec339568de40e12ab040508ab
Opcode Fuzzy Hash: cebd72e04c220dd515101dc4bb9e86700e3997b09168ccdb637093c38b911448
Instruction Fuzzy Hash: 8D21A276618A8182FB24DB11F8507AA7361FBC8348F544235EB8D83B98CF7CD119CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40AAF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AB31
GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF62A405EBF), ref: 00007FF62A40AB5F

Strings

GetLocaleInfoEx, xrefs: 00007FF62A40AB14, 00007FF62A40AB25

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: InfoLocaletry_get_function
String ID: GetLocaleInfoEx
API String ID: 2200034068-2904428671
Opcode ID: 7f73a96da5bc58cf4c55b8a9d1b5cedb8b15eae4e83b280ab2222118bf962ad1
Instruction ID: 6964bd8bffb0b3fc03f192cee18b31ec03829885558cf6c2427445cc54cd084c
Opcode Fuzzy Hash: 7f73a96da5bc58cf4c55b8a9d1b5cedb8b15eae4e83b280ab2222118bf962ad1
Instruction Fuzzy Hash: A5018626B08B4181EB149F12BC400AAB661FF94BC0F984076DF4C87B5ACE7CE5518382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FD140 Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF62A3FD1A6
memcpy_s.LIBCPMT ref: 00007FF62A3FD1D1

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 3c01bc3cfaabc0848e057379f965f684204250ad0697696e4cf5be0a3dfe7d28
Instruction ID: 7f384d51e73aa8b7eb19893c7c196750b2cc154fa950300156b1029814833dbd
Opcode Fuzzy Hash: 3c01bc3cfaabc0848e057379f965f684204250ad0697696e4cf5be0a3dfe7d28
Instruction Fuzzy Hash: 0FC19F72A2828687DB25CF19A588A6AB7A1F78478CF448139DF4EC7744DF7DE841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A410B0C Relevance: 4.7, APIs: 3, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62A407188: GetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407197
Part of subcall function 00007FF62A407188: SetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407235

GetLocaleInfoW.KERNEL32 ref: 00007FF62A410B78

Part of subcall function 00007FF62A40CAD4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A40CAF1

GetLocaleInfoW.KERNEL32 ref: 00007FF62A410BC1

Part of subcall function 00007FF62A40CAD4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A40CB4A

GetLocaleInfoW.KERNEL32 ref: 00007FF62A410C8C

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: InfoLocale$ErrorLast_invalid_parameter_noinfo
String ID:
API String ID: 3644580040-0
Opcode ID: e20b69ae3b86d3d0d441511c57647be6661957071d572af1a6077074e4c9ca30
Instruction ID: 248f780f2692722c748f7a38d0f121d5b8ca1bb2b8494543954076d91d1086d8
Opcode Fuzzy Hash: e20b69ae3b86d3d0d441511c57647be6661957071d572af1a6077074e4c9ca30
Instruction Fuzzy Hash: B6618C32A08646C6EF388F15E94027973A1FB94740F008175DB9EE7691EFBCF5628B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A4097BC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A409820

Strings

gfffffff, xrefs: 00007FF62A409ABD

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: bdaaec7a9a5bb17207b0583f102de7e6eb8492ba3e6d57968f4719cacfeae12e
Instruction ID: 05d4da3d0b336cb7bd2f2f6cacfe19e28c4eb15c5c0b67e0c47862afd733cf4d
Opcode Fuzzy Hash: bdaaec7a9a5bb17207b0583f102de7e6eb8492ba3e6d57968f4719cacfeae12e
Instruction Fuzzy Hash: 62915963B097C586EF19CB2A98403BD7794AB75B80F058072CE4D87396EEBDE506D702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40A054 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A40A085

Part of subcall function 00007FF62A3FCDD8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF62A3FCD85), ref: 00007FF62A3FCDE1
Part of subcall function 00007FF62A3FCDD8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF62A3FCD85), ref: 00007FF62A3FCE06

Strings

-, xrefs: 00007FF62A40A260

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: -
API String ID: 4036615347-2547889144
Opcode ID: 49aa4f593c5d8cd55dd28db2e3c23343db94bacfae65c031bf94b3cfa1c653a8
Instruction ID: 54fe631e1fa45fba196acd844ff116f631b00f89e91d69ef29e810d3df3a804a
Opcode Fuzzy Hash: 49aa4f593c5d8cd55dd28db2e3c23343db94bacfae65c031bf94b3cfa1c653a8
Instruction Fuzzy Hash: 96812532A0878585EF688B25A90077EB690FB757D4F444276EA9D87BD9CFBCD4009702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40CE6C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A40CE9C

Part of subcall function 00007FF62A3FCDD8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF62A3FCD85), ref: 00007FF62A3FCDE1
Part of subcall function 00007FF62A3FCDD8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF62A3FCD85), ref: 00007FF62A3FCE06

Strings

*?, xrefs: 00007FF62A40CEC3

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *?
API String ID: 4036615347-2564092906
Opcode ID: 7fbdc28fea9a2793212ac24c61bbf86df00e4b3a5903a8daa4b1bec39a393b63
Instruction ID: 7ce702f7b977942bc76c950c96031b9cc52be4f7527fc855caeedba4d9ce34c1
Opcode Fuzzy Hash: 7fbdc28fea9a2793212ac24c61bbf86df00e4b3a5903a8daa4b1bec39a393b63
Instruction Fuzzy Hash: 2B512362B14B9585EF18DFA29C004BD27A1FF68BD8B844536EE0D87B85DFBCD0069342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40AB7C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AB9F

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00007FF62A40AB98

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: try_get_function
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2742660187-595813830
Opcode ID: 40fe724b05e151adcb1b20ad06cbcb93f9aa388c4a05bdb7120ed14bd6088b8a
Instruction ID: 9441a78cb8cdc9cbddff3d92a34f136ad1c857890702ec7ea1205e7bef7a4f94
Opcode Fuzzy Hash: 40fe724b05e151adcb1b20ad06cbcb93f9aa388c4a05bdb7120ed14bd6088b8a
Instruction Fuzzy Hash: 2CE0E656E19906C1FF194B91AC612B46361DF18745F8414B3CE1D862A1DEFCE599C343

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40C55C Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF62A40C7AB
RaiseException.KERNEL32 ref: 00007FF62A40C7BC

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 0c7cc15ba213292a0fb95d4baab63a484f4a38f40f58be3e414b4674e2b70eb9
Instruction ID: 5fe680ee56d1436e62e7749b7498b66aa60c8c12179d7dfb3e592f153d3563fc
Opcode Fuzzy Hash: 0c7cc15ba213292a0fb95d4baab63a484f4a38f40f58be3e414b4674e2b70eb9
Instruction Fuzzy Hash: 4CB16977A00B85CBEB59CF29C88236C3BA0F784B48F158822DA5D837A4CF79D455DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40197C Relevance: 3.2, APIs: 2, Instructions: 208COMMONLIBRARYCODE

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 00007FF62A401A2E
_Wcsftime.LIBCMT ref: 00007FF62A4019CF

Part of subcall function 00007FF62A40601C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A406047

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Wcsftime$_invalid_parameter_noinfo
String ID:
API String ID: 4239037671-0
Opcode ID: 4df43edcf285c82df981edd31497bcb2401c7a7291faa1d44e9c2f906d383dcc
Instruction ID: 9051e4e19305079611142fa0d7d930383bfda11f6ae0780e0d3ce2d1a87b0959
Opcode Fuzzy Hash: 4df43edcf285c82df981edd31497bcb2401c7a7291faa1d44e9c2f906d383dcc
Instruction Fuzzy Hash: 5381D132A04A5186EF28CE29C8813BD27A0FB54B98F144676EF6EC7795DF78D045D301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A401DD4 Relevance: 1.9, APIs: 1, Instructions: 371COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF62A401F1C

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 9009e0b22040db2fd2366a0fe8b9ba2d9f605059bd629f84f645f6608b9c57a9
Instruction ID: 67e32fafac290b8c7631647d473916ffa056f12ac94105403ebd875fe29ea4c4
Opcode Fuzzy Hash: 9009e0b22040db2fd2366a0fe8b9ba2d9f605059bd629f84f645f6608b9c57a9
Instruction Fuzzy Hash: C512CE22A08BC186EB55CF3898046FD77A4FB68748F559235EF8C87692EF78E185D301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40EB64 Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dc93668d165944c481d832bb9c9d87521f1902626f4fd4245b59388269b20f
Instruction ID: 04b5c152673999a150940d42e3754520d8c6487bbd1a2fba99798434d23d5d0d
Opcode Fuzzy Hash: 00dc93668d165944c481d832bb9c9d87521f1902626f4fd4245b59388269b20f
Instruction Fuzzy Hash: 0BE1E332A08B8285EB24CB61E8416FE37A4FBA4788F414671DF9D97792EF78D245D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A411AD0 Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF62A411B34

Part of subcall function 00007FF62A40530C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A405320

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: 44ee56f0e2cd30669e10f5a6761f18742765cb202870f160ce76364bb269b459
Instruction ID: 7bd88ab6a34f8352f8f85d52f18e7d0caa56699a3b5163c2cf7def091c4a3634
Opcode Fuzzy Hash: 44ee56f0e2cd30669e10f5a6761f18742765cb202870f160ce76364bb269b459
Instruction Fuzzy Hash: 3E71D932E1C28385FF644B2D9C8067D6291AF80360F5446BDDA5DC76D5EEFCE8A98702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40D078 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b946bf694bc4bff0ea559fb9d27d4b9fb1fdfe44dd0ce3d0ed8f8d44f9730cd
Instruction ID: bbfa0af7d9614610bf39d6f19cdb59a0faa8ed03fcbb4686fdf7989b37a551e6
Opcode Fuzzy Hash: 1b946bf694bc4bff0ea559fb9d27d4b9fb1fdfe44dd0ce3d0ed8f8d44f9730cd
Instruction Fuzzy Hash: 7A511322B0879188FB248B76AD001AE7BE4BB50BD8F144274EE9C87B85CFBDD106D701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A410D58 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62A407188: GetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407197
Part of subcall function 00007FF62A407188: SetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407235

GetLocaleInfoW.KERNEL32 ref: 00007FF62A410DC0

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 664bc09a71b8255941ff0ac20851ad82556c08487716faafd30a9bdf3df4213f
Instruction ID: ee792efb6d1441a16eaf8a230f69e9609c5b25cbc27425acf9488ff380411ae3
Opcode Fuzzy Hash: 664bc09a71b8255941ff0ac20851ad82556c08487716faafd30a9bdf3df4213f
Instruction Fuzzy Hash: CC31A432A0878282EF68CB22E9417BE73A1FB98740F4080B5DA4DD7685DFBCF4118701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A4109A4 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF62A407188: GetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407197
Part of subcall function 00007FF62A407188: SetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407235

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF62A41118F,?,00000000,00000092,?,?,00000000,?,00007FF62A405CE5), ref: 00007FF62A410A42

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8a421a8fecfac3c210c6e2fb235cff22ae0a58ed75363f0f3e95db244025157b
Instruction ID: affa077c78e2d8fad2d6ef8dd399673a7716595d67ff15641a87f998bc559fcb
Opcode Fuzzy Hash: 8a421a8fecfac3c210c6e2fb235cff22ae0a58ed75363f0f3e95db244025157b
Instruction Fuzzy Hash: A7110663E186458AEF148F15D8806BD77A0FBA0FE0F448135C669933C4DEB8EAE1C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A410F60 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62A407188: GetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407197
Part of subcall function 00007FF62A407188: SetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407235

GetLocaleInfoW.KERNEL32(?,?,?,00007FF62A410D09), ref: 00007FF62A410F97

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 479e7f5b8e330f39fc9b6ca23880652ef9e9ad54cd971a4d5fe81d15f7161388
Instruction ID: e920cf583cf6f81d01ee77b3db09fe88783e1f4e97f2c040505aca5252f771f0
Opcode Fuzzy Hash: 479e7f5b8e330f39fc9b6ca23880652ef9e9ad54cd971a4d5fe81d15f7161388
Instruction Fuzzy Hash: 60115C33A1C15682EFB4D712D80267D2250EB80764F144231EB2DA76C4CEFDF8A18381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A410A74 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF62A407188: GetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407197
Part of subcall function 00007FF62A407188: SetLastError.KERNEL32(?,?,?,00007FF62A3FD0C7,?,?,00000000,00007FF62A40B6F8), ref: 00007FF62A407235

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF62A41114B,?,00000000,00000092,?,?,00000000,?,00007FF62A405CE5), ref: 00007FF62A410AF2

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 642fc3a8862f9deeb53f6e00cf84ce6db81454dd65df4ae041651667e89db893
Instruction ID: b1858dfc9d1c5d983eb87fd9c6bfc441343b812c8bea9b480169aaa6f3b76a50
Opcode Fuzzy Hash: 642fc3a8862f9deeb53f6e00cf84ce6db81454dd65df4ae041651667e89db893
Instruction Fuzzy Hash: F701F572F082828AEF144F15E8407B976A1EBA07A4F448271C668A72C4DFFCE890C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40A654 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF62A40A9B9,?,?,?,?,?,?,?,?,00000000,00007FF62A40FFF0), ref: 00007FF62A40A6A3

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a09491fd34d3b7c1f966940e3604538867cbea06eff74889c2ff2bccf457454f
Instruction ID: 78caf0de795da9a42954ab0e6d886574f2f60026cb3dbafed89c405c3bd82719
Opcode Fuzzy Hash: a09491fd34d3b7c1f966940e3604538867cbea06eff74889c2ff2bccf457454f
Instruction Fuzzy Hash: 16F08C72B08B4183EB04DB29FC401AA7361EB98784F548176EA4DC3364DF7CE565D301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FEEF4 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF62A3FF08D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 792c9db8fd442290b49b9662d080509b94e146d3cbba5330794a207da8253a0b
Instruction ID: 18ff5e38bf0c320e931cd2de17164687077785d71ca646e8a3e6158b252bf709
Opcode Fuzzy Hash: 792c9db8fd442290b49b9662d080509b94e146d3cbba5330794a207da8253a0b
Instruction Fuzzy Hash: 6561C412A2C68346FF744A2958803BA57D29F41B48F6401BBDD4DD7399CEEDE8478B43

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40BDC4 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF62A40BE69

Part of subcall function 00007FF62A40B084: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF62A407361,?,?,0000E5C70E37496B,00007FF62A3FCEE1,?,?,?,?,00007FF62A40B132,?,?,00000000), ref: 00007FF62A40B0D9

Part of subcall function 00007FF62A407430: RtlReleasePrivilege.NTDLL(?,?,0B33A42583480000,00007FF62A40F428,?,?,?,00007FF62A40F7AB,?,?,0000E5C70E37496B,00007FF62A40FCF0,?,?,00007FF62A404FEA,00007FF62A40FC23), ref: 00007FF62A407446
Part of subcall function 00007FF62A407430: GetLastError.KERNEL32(?,?,0B33A42583480000,00007FF62A40F428,?,?,?,00007FF62A40F7AB,?,?,0000E5C70E37496B,00007FF62A40FCF0,?,?,00007FF62A404FEA,00007FF62A40FC23), ref: 00007FF62A407458

Part of subcall function 00007FF62A4148E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A41490E

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLast$AllocateHeapPrivilegeRelease_invalid_parameter_noinfo
String ID:
API String ID: 1202329670-0
Opcode ID: f8168297aef9c88f658184d5aaa62aa071e258a7c8f477c7200dd435624e7c03
Instruction ID: 1b91379b5573aa059ddeb99cade808d5a90dd50e2d21c73b22f3ba1962b4cc4d
Opcode Fuzzy Hash: f8168297aef9c88f658184d5aaa62aa071e258a7c8f477c7200dd435624e7c03
Instruction Fuzzy Hash: 4D41F621B0D64341FF68AA226C5177AA2807FA57C0F444175EF9DC7785FEBCE402A70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40E2EC Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF62A40E2F0

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 930ee8c6a81b77e9cf88896d329b3e62b1f168b9e79422aa60e5729f54af1aa4
Instruction ID: 9152223ed5355f8d46004d1402ac90dbf37a5311037600b0cde474ea3056c212
Opcode Fuzzy Hash: 930ee8c6a81b77e9cf88896d329b3e62b1f168b9e79422aa60e5729f54af1aa4
Instruction Fuzzy Hash: 63B01220F07B06C2EF082B216C4222833A67F4C700FA442B8C04CC2320EF7C64B55702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A402438 Relevance: .6, Instructions: 626COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b1b25cfb2c7a4ce73a35449066f5a3b57f2f710efc3eae90201ed970baa9b1
Instruction ID: 3feab710793ce34ff35369dd534a83543b6b96419e6feef02fa24f7876be96c1
Opcode Fuzzy Hash: b4b1b25cfb2c7a4ce73a35449066f5a3b57f2f710efc3eae90201ed970baa9b1
Instruction Fuzzy Hash: B562A561D1DE4685EB538F359C21532A365BF653C0F1083B3ED0EA6A62DFACE542A703

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A405B34 Relevance: .3, Instructions: 307COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLastNameTranslatetry_get_function$CodePageValid_invalid_parameter_noinfo
String ID:
API String ID: 3827717455-0
Opcode ID: ff0a83ad3cab01762035816433837df46ca30b1d79086703253cb03cd84a6ae5
Instruction ID: 5e01250f6ecc89f854773ce3c3c5f0b1e6f87f066b5d78d7cf8474da3e86bdfd
Opcode Fuzzy Hash: ff0a83ad3cab01762035816433837df46ca30b1d79086703253cb03cd84a6ae5
Instruction Fuzzy Hash: 7FC1D636B0868285EF68DB219C103BA27A5FBA4788F408076DE8DC7685DFBCE545D703

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A4100B4 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLast$CurrentFeatureInfoLocalePresentProcessProcessortry_get_function
String ID:
API String ID: 959782435-0
Opcode ID: 814db8cf35e5d42e587c686734611564929a673ae4ae94c1822595c4cf6c2452
Instruction ID: 733e454faaf362ee99992ebca601af7aeabc4c98860f35c3eb3a8d58b0aa47b3
Opcode Fuzzy Hash: 814db8cf35e5d42e587c686734611564929a673ae4ae94c1822595c4cf6c2452
Instruction Fuzzy Hash: 1CB1E322A1864A82EF649F21DC116BA33A0FB94B88F404175DE5DD36C9DFBCF661C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A404C6C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease
String ID:
API String ID: 1334314998-0
Opcode ID: 6d46568e3c1df61006c0e766108dfbbbd438c9345f302ea0b9ac6e0acc76b998
Instruction ID: 18430f618a7e256417d2d076acfeb583d4077dc8a3d8ee50383f0a27b91e9610
Opcode Fuzzy Hash: 6d46568e3c1df61006c0e766108dfbbbd438c9345f302ea0b9ac6e0acc76b998
Instruction Fuzzy Hash: 7C412332B18A5482EF08CF2AED141A9B3A1BB58FD4B489136EE0DC7B58DF7CE0459301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40B430 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a885a3ea0688eef3c447f2d4950da36731ca7a80aa47536aeaa56d2d5ff9dd63
Instruction ID: 1751570af984c6f3276417b68fb139cc908be861197615db63ec41720b38fcae
Opcode Fuzzy Hash: a885a3ea0688eef3c447f2d4950da36731ca7a80aa47536aeaa56d2d5ff9dd63
Instruction Fuzzy Hash: 32F06871B182558AEF95CF38A84266977D0E708380F608579D6CDC3B04DA7CD4518F15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F6F44 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624222d9b87b4f252a1eae4fe19be4a7a7c09af63cf1901e1983ae149288acb3
Instruction ID: fd7fa58708538b46f8ea054d54af5a89b0f9fa60df395537875fd829ec356b8e
Opcode Fuzzy Hash: 624222d9b87b4f252a1eae4fe19be4a7a7c09af63cf1901e1983ae149288acb3
Instruction Fuzzy Hash: 14A0022195CD42D0EF058B00EDA40707330FBA4300B4108B6C40DC10609FBCED14C302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40AEB0 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00007FF67FF62A40AEB0(void* __edi, void* __esp, void* __eflags, void* __rcx, long long __rdi, long long _a8) {
				void* _v4;
				int _t13;
				void* _t38;
				void* _t55;

				E00007FF67FF62A40A6D0(0, _t38, "AreFileApisANSI", _t55, 0x2a4a4aa8, 0x2a4a4aac);
				E00007FF67FF62A40A6D0(1, _t38, "CompareStringEx", _t55, 0x2a4a4ac0, "CompareStringEx");
				E00007FF67FF62A40A6D0(2, _t38, "EnumSystemLocalesEx", _t55, 0x2a4a4ad8, "EnumSystemLocalesEx");
				E00007FF67FF62A40A6D0(8, _t38, "GetDateFormatEx", _t55, 0x2a4a4b18, "GetDateFormatEx");
				E00007FF67FF62A40A6D0(0xb, _t38, "GetLocaleInfoEx", _t55, 0x2a4a4b30, "GetLocaleInfoEx");
				E00007FF67FF62A40A6D0(0xe, _t38, "GetTimeFormatEx", _t55, 0x2a4a4b70, "GetTimeFormatEx");
				E00007FF67FF62A40A6D0(0xf, _t38, "GetUserDefaultLocaleName", _t55, 0x2a4a4b88, "GetUserDefaultLocaleName");
				E00007FF67FF62A40A6D0(0x13, _t38, "IsValidLocaleName", _t55, 0x2a4a4bb8, "IsValidLocaleName");
				E00007FF67FF62A40A6D0(0x14, _t38, "LCMapStringEx", _t55, 0x2a4a4bd8, "LCMapStringEx");
				_t13 = E00007FF67FF62A40A6D0(0x15, _t38, "LCIDToLocaleName", _t55, 0x2a4a4bf0, "LCIDToLocaleName");
				goto E00007FF67FF62A40A6D0;
				asm("int3");
				asm("int3");
				_a8 = __rdi;
				asm("dec eax");
				memset(__edi, _t13, 0x16 << 0);
				return 1;
			}

0x7ff62a40aecb
0x7ff62a40aeea
0x7ff62a40af09
0x7ff62a40af28
0x7ff62a40af47
0x7ff62a40af66
0x7ff62a40af85
0x7ff62a40afa4
0x7ff62a40afc3
0x7ff62a40afe2
0x7ff62a40b005
0x7ff62a40b00a
0x7ff62a40b00b
0x7ff62a40b00c
0x7ff62a40b029
0x7ff62a40b032
0x7ff62a40b03c

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AECB
try_get_function.LIBVCRUNTIME ref: 00007FF62A40AEEA

Part of subcall function 00007FF62A40A6D0: GetProcAddress.KERNEL32(?,?,00000006,00007FF62A40AAD2,?,?,0000E5C70E37496B,00007FF62A40734E,?,?,0000E5C70E37496B,00007FF62A3FCEE1), ref: 00007FF62A40A828

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AF09

Part of subcall function 00007FF62A40A6D0: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF62A40AAD2,?,?,0000E5C70E37496B,00007FF62A40734E,?,?,0000E5C70E37496B,00007FF62A3FCEE1), ref: 00007FF62A40A773
Part of subcall function 00007FF62A40A6D0: GetLastError.KERNEL32(?,?,00000006,00007FF62A40AAD2,?,?,0000E5C70E37496B,00007FF62A40734E,?,?,0000E5C70E37496B,00007FF62A3FCEE1), ref: 00007FF62A40A781
Part of subcall function 00007FF62A40A6D0: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF62A40AAD2,?,?,0000E5C70E37496B,00007FF62A40734E,?,?,0000E5C70E37496B,00007FF62A3FCEE1), ref: 00007FF62A40A7C3

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AF28

Part of subcall function 00007FF62A40A6D0: FreeLibrary.KERNEL32(?,?,00000006,00007FF62A40AAD2,?,?,0000E5C70E37496B,00007FF62A40734E,?,?,0000E5C70E37496B,00007FF62A3FCEE1), ref: 00007FF62A40A7FC

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AF47
try_get_function.LIBVCRUNTIME ref: 00007FF62A40AF66
try_get_function.LIBVCRUNTIME ref: 00007FF62A40AF85
try_get_function.LIBVCRUNTIME ref: 00007FF62A40AFA4
try_get_function.LIBVCRUNTIME ref: 00007FF62A40AFC3
try_get_function.LIBVCRUNTIME ref: 00007FF62A40AFE2

Strings

EnumSystemLocalesEx, xrefs: 00007FF62A40AEEF, 00007FF62A40AF02
LocaleNameToLCID, xrefs: 00007FF62A40AFE7, 00007FF62A40AFFA
AreFileApisANSI, xrefs: 00007FF62A40AEC4
GetLocaleInfoEx, xrefs: 00007FF62A40AF2D, 00007FF62A40AF40
GetUserDefaultLocaleName, xrefs: 00007FF62A40AF6B, 00007FF62A40AF7E
GetTimeFormatEx, xrefs: 00007FF62A40AF4C, 00007FF62A40AF5F
CompareStringEx, xrefs: 00007FF62A40AED0, 00007FF62A40AEE3
LCMapStringEx, xrefs: 00007FF62A40AFA9, 00007FF62A40AFBC
GetDateFormatEx, xrefs: 00007FF62A40AF0E, 00007FF62A40AF21
IsValidLocaleName, xrefs: 00007FF62A40AF8A, 00007FF62A40AF9D
LCIDToLocaleName, xrefs: 00007FF62A40AFC8, 00007FF62A40AFDB

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 3255926029-3252031757
Opcode ID: ee47d4c7914acba16260231c55cc4c4359673417597f83d4d957aab5cc980962
Instruction ID: bcf303d41dd3b204262fed6a2a56786a71f5e576f92702daef78d2a38879b8ca
Opcode Fuzzy Hash: ee47d4c7914acba16260231c55cc4c4359673417597f83d4d957aab5cc980962
Instruction Fuzzy Hash: 093192A5D18A07A1EF04DB94EC616E82322EB44341FC204B7D90E875A39FFCE689D353

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F03B0 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 102
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00007FF67FF62A3F03B0(long long __rbx, long long __rdi, long long __rsi) {
				int _t44;
				signed long long _t68;
				int _t80;
				void* _t83;
				signed long long _t84;
				BYTE* _t92;
				int _t96;
				int _t98;
				int _t103;

				 *((long long*)(_t83 + 0x10)) = __rbx;
				 *((long long*)(_t83 + 0x18)) = __rsi;
				_t84 = _t83 - 0x1b0;
				_t68 =  *0x2a4b30d8; // 0xe5c70e37496b
				 *(_t83 - 0xb0 + 0xa0) = _t68 ^ _t84;
				r8d = 0x100;
				E00007FF67FF62A3F8BD0();
				r8d = 0x6d1;
				E00007FF67FF62A3F8BD0();
				 *((long long*)(_t84 + 0x1e0)) = __rdi;
				r13d = 0;
				if ( *0x2a4b5e38 == 0xffffffff) goto 0x2a3f0555;
				if (0x20 - 0x140 < 0) goto 0x2a3f04d0;
				if (0x20 - 0x14e > 0) goto 0x2a3f04d0;
				 *((intOrPtr*)(_t84 + 0x40)) = 0x60;
				 *((intOrPtr*)(_t84 + 0x44)) = 0x61;
				 *((intOrPtr*)(_t84 + 0x48)) = 0x62;
				 *((intOrPtr*)(_t84 + 0x4c)) = 0x63;
				 *((intOrPtr*)(_t84 + 0x50)) = 0x64;
				 *((intOrPtr*)(_t84 + 0x54)) = 0x65;
				 *((intOrPtr*)(_t84 + 0x58)) = 0x66;
				 *((intOrPtr*)(_t84 + 0x5c)) = 0x67;
				 *((intOrPtr*)(_t84 + 0x60)) = 0x68;
				 *((intOrPtr*)(_t84 + 0x64)) = 0x69;
				 *((intOrPtr*)(_t84 + 0x68)) = 0x6e;
				 *((intOrPtr*)(_t84 + 0x6c)) = 0x6f;
				 *((intOrPtr*)(_t84 + 0x70)) = 0x6a;
				 *((intOrPtr*)(_t84 + 0x74)) = 0x6d;
				 *((intOrPtr*)(_t84 + 0x78)) = 0x6b;
				goto 0x2a3f04df;
				MapVirtualKeyW(_t103);
				 *((intOrPtr*)(_t84 + 0x28)) = r13d;
				 *((intOrPtr*)(_t84 + 0x20)) = 0x10;
				if (ToUnicode(_t98, _t96, _t92) != 0xffffffff) goto 0x2a3f0522;
				 *((intOrPtr*)(_t84 + 0x28)) = r13d;
				 *((intOrPtr*)(_t84 + 0x20)) = 0x10;
				if (ToUnicode(_t80, ??, ??, ??, ??) - 1 < 0) goto 0x2a3f0555;
				 *(_t84 + 0x38) = _t96;
				 *(_t84 + 0x30) = _t96;
				r9d = 1;
				 *((intOrPtr*)(_t84 + 0x28)) = 5;
				 *((long long*)(_t84 + 0x20)) = 0x2a4b6152;
				_t44 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				if (0x21 - 0x15c <= 0) goto 0x2a3f0432;
				return E00007FF67FF62A3F6B50(_t44, 0xfde9,  *(_t83 - 0xb0 + 0xa0) ^ _t84);
			}

0x7ff62a3f03b0
0x7ff62a3f03b5
0x7ff62a3f03cb
0x7ff62a3f03d2
0x7ff62a3f03dc
0x7ff62a3f03e9
0x7ff62a3f03ef
0x7ff62a3f03fd
0x7ff62a3f0403
0x7ff62a3f040d
0x7ff62a3f0423
0x7ff62a3f0439
0x7ff62a3f0445
0x7ff62a3f0451
0x7ff62a3f0453
0x7ff62a3f045b
0x7ff62a3f0463
0x7ff62a3f046b
0x7ff62a3f0473
0x7ff62a3f047b
0x7ff62a3f0483
0x7ff62a3f048b
0x7ff62a3f0493
0x7ff62a3f049b
0x7ff62a3f04a3
0x7ff62a3f04ab
0x7ff62a3f04b3
0x7ff62a3f04bb
0x7ff62a3f04c3
0x7ff62a3f04ce
0x7ff62a3f04d7
0x7ff62a3f04df
0x7ff62a3f04ec
0x7ff62a3f0501
0x7ff62a3f0503
0x7ff62a3f0510
0x7ff62a3f0525
0x7ff62a3f0527
0x7ff62a3f0530
0x7ff62a3f0535
0x7ff62a3f053b
0x7ff62a3f054a
0x7ff62a3f054f
0x7ff62a3f0569
0x7ff62a3f05a2

APIs

MapVirtualKeyW.USER32 ref: 00007FF62A3F04D7
ToUnicode.USER32 ref: 00007FF62A3F04F8
ToUnicode.USER32 ref: 00007FF62A3F051C
WideCharToMultiByte.KERNEL32 ref: 00007FF62A3F054F

Strings

c, xrefs: 00007FF62A3F046B
k, xrefs: 00007FF62A3F04C3
h, xrefs: 00007FF62A3F0493
`, xrefs: 00007FF62A3F0453
o, xrefs: 00007FF62A3F04AB
j, xrefs: 00007FF62A3F04B3
g, xrefs: 00007FF62A3F048B
f, xrefs: 00007FF62A3F0483
b, xrefs: 00007FF62A3F0463
m, xrefs: 00007FF62A3F04BB
a, xrefs: 00007FF62A3F045B
d, xrefs: 00007FF62A3F0473
i, xrefs: 00007FF62A3F049B
e, xrefs: 00007FF62A3F047B
n, xrefs: 00007FF62A3F04A3

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Unicode$ByteCharMultiVirtualWide
String ID: `$a$b$c$d$e$f$g$h$i$j$k$m$n$o
API String ID: 4148918737-2028020120
Opcode ID: 256a9e672cacaa79bfe46b357a00232667d17f45f9ad6cabdf60b8551c0f37d2
Instruction ID: 387305db037b7bcf7aff60b79501ccd051f8644af4dbcafba0e5f50d1e1c6b9e
Opcode Fuzzy Hash: 256a9e672cacaa79bfe46b357a00232667d17f45f9ad6cabdf60b8551c0f37d2
Instruction Fuzzy Hash: DD419F72A1874086E720CF15E8443AEBBA2F785718F540169DE8C87B98CFBED559CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F25F0 Relevance: 21.3, APIs: 14, Instructions: 264COMMON

Download Yara Rule

APIs

GetDpiForWindow.USER32 ref: 00007FF62A3F26BF
AdjustWindowRectExForDpi.USER32 ref: 00007FF62A3F26D5
SetWindowPos.USER32 ref: 00007FF62A3F2757

Part of subcall function 00007FF62A3F2C50: SetThreadExecutionState.KERNEL32 ref: 00007FF62A3F2C67
Part of subcall function 00007FF62A3F2C50: SystemParametersInfoW.USER32 ref: 00007FF62A3F2C8F
Part of subcall function 00007FF62A3F2C50: SystemParametersInfoW.USER32 ref: 00007FF62A3F2CA0

Part of subcall function 00007FF62A3F3140: GetMonitorInfoW.USER32 ref: 00007FF62A3F3183
Part of subcall function 00007FF62A3F3140: SetWindowPos.USER32 ref: 00007FF62A3F31BF

GetWindowLongW.USER32 ref: 00007FF62A3F27AD
SetWindowLongW.USER32 ref: 00007FF62A3F27F7
GetMonitorInfoW.USER32 ref: 00007FF62A3F2819
SetWindowPos.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00007FF62A3F284D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Window$Info$LongMonitorParametersSystem$AdjustExecutionRectStateThread
String ID:
API String ID: 1786379111-0
Opcode ID: fcee42252e15ac79c8f8b0a62055d707779743cfb6f3f99a59736666311a5002
Instruction ID: 40c6a6675fb27a1581ddb3b45480cd9ee1854380b40250af62f4bc16ca1364e3
Opcode Fuzzy Hash: fcee42252e15ac79c8f8b0a62055d707779743cfb6f3f99a59736666311a5002
Instruction Fuzzy Hash: 84C16E72B28641CBEF648FA5D99077D63A0FB48748F004179DE0AD3A94CFBCA854CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F1400 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62A3F0BD0: EnumDisplaySettingsW.USER32 ref: 00007FF62A3F0C24

ChangeDisplaySettingsExW.USER32 ref: 00007FF62A3F14DB

Strings

Win32: Failed to set video mode: %s, xrefs: 00007FF62A3F1562
Computer restart required, xrefs: 00007FF62A3F1557
Graphics mode not supported, xrefs: 00007FF62A3F1521
Unknown error, xrefs: 00007FF62A3F14F9
Failed to write to registry, xrefs: 00007FF62A3F154B
Invalid flags, xrefs: 00007FF62A3F1513
The system uses DualView, xrefs: 00007FF62A3F1505
Invalid parameter, xrefs: 00007FF62A3F152F
Graphics mode failed, xrefs: 00007FF62A3F153D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: DisplaySettings$ChangeEnum
String ID: Computer restart required$Failed to write to registry$Graphics mode failed$Graphics mode not supported$Invalid flags$Invalid parameter$The system uses DualView$Unknown error$Win32: Failed to set video mode: %s
API String ID: 1333101904-2112259362
Opcode ID: 3ac518c952b6e5b191105663621dc596ba716aec520c499abe03c5400a76b139
Instruction ID: a3cb31b0d024f8f4d10a951ca0ddf1ca24e2e1dc5c2cadca1353e77a17143f3c
Opcode Fuzzy Hash: 3ac518c952b6e5b191105663621dc596ba716aec520c499abe03c5400a76b139
Instruction Fuzzy Hash: 6C414D71928682D2EF60CB15EA807E973A0FB84350F50467ADB5EC66D4DFBCE458CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F2B30 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 55registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00007FF62A3F2B82
GetModuleHandleW.KERNEL32 ref: 00007FF62A3F2B9B
LoadImageW.USER32 ref: 00007FF62A3F2BBE
LoadImageW.USER32 ref: 00007FF62A3F2BE8
RegisterClassExW.USER32 ref: 00007FF62A3F2BF8

Strings

GLFW30, xrefs: 00007FF62A3F2B8F
P, xrefs: 00007FF62A3F2B3B
GLFW_ICON, xrefs: 00007FF62A3F2BB7
#, xrefs: 00007FF62A3F2B7A
Win32: Failed to register window class, xrefs: 00007FF62A3F2C03

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Load$Image$ClassCursorHandleModuleRegister
String ID: #$GLFW30$GLFW_ICON$P$Win32: Failed to register window class
API String ID: 3866263799-113273589
Opcode ID: 2b0a5cd9938dba765774209787f0cca975b8e363227543e9a10029a05618c83f
Instruction ID: 3ea35732c4763d4dc8a78bce464ccebedf2570a39814806f112b3a54532bd770
Opcode Fuzzy Hash: 2b0a5cd9938dba765774209787f0cca975b8e363227543e9a10029a05618c83f
Instruction Fuzzy Hash: ED21747291CB8287EB508F60F94132AB7A0FB88344F544179EACD82B58EFBCD158CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A4174E0 Relevance: 16.9, APIs: 11, Instructions: 370COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A41753D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A4175AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A41761D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A41768D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A4176FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A41776D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A4177DD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A417869
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A4178E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A417969
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A4179E9

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: ecc9d415acbced1cc8ff78dbb20ee971ffae2bc3d2bbaa02bb5b5ddb683ad041
Instruction ID: 7736d1ecb599cbca1b0118d7332ec6331c2e2b92bcbe026da43c7a8016de0244
Opcode Fuzzy Hash: ecc9d415acbced1cc8ff78dbb20ee971ffae2bc3d2bbaa02bb5b5ddb683ad041
Instruction Fuzzy Hash: 2BC19260E1968380FF089729AC8537C6312AF55BE4F904BB5D96DC62E6EFDCE0D48706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F2F30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF62A3F2F50
ScreenToClient.USER32 ref: 00007FF62A3F2F62
SetCursor.USER32 ref: 00007FF62A3F2FA2
LoadCursorW.USER32 ref: 00007FF62A3F2FB8
SetCursor.USER32 ref: 00007FF62A3F2FC1
RegisterRawInputDevices.USER32 ref: 00007FF62A3F3010

Strings

Win32: Failed to register raw input device, xrefs: 00007FF62A3F301A

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Cursor$ClientDevicesInputLoadRegisterScreen
String ID: Win32: Failed to register raw input device
API String ID: 1305090692-3523228969
Opcode ID: c2f604192a00893441f91f1de6cdd4a8817e9fe0e1f887510bc0f3ea248acca0
Instruction ID: 2fc838311d27d69bdf10773bf88cafd2369f07f5606cdc8e10942b571f67194e
Opcode Fuzzy Hash: c2f604192a00893441f91f1de6cdd4a8817e9fe0e1f887510bc0f3ea248acca0
Instruction Fuzzy Hash: C4214D31A18B4682EF149F20EC5427AB360FF84B84F54467AEA0EC62A5CFBDE5958701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F9EC0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF62A3F9F1D

Part of subcall function 00007FF62A3FC214: __GetUnwindTryBlock.LIBCMT ref: 00007FF62A3FC257
Part of subcall function 00007FF62A3FC214: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF62A3FC27C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF62A3F9FF5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF62A3FA24A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF62A3FA356

Strings

csm, xrefs: 00007FF62A3FA018
csm, xrefs: 00007FF62A3F9F37
csm, xrefs: 00007FF62A3F9F9E

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 27748219adec5a4d565cfbfff52e97fe0acfdaa60eee0a089269169b9202abc4
Instruction ID: eaacb4cd1fcbec4b944199f81af12e6dc2d42c0eab5c19d3b46eee12487822b9
Opcode Fuzzy Hash: 27748219adec5a4d565cfbfff52e97fe0acfdaa60eee0a089269169b9202abc4
Instruction Fuzzy Hash: 24E18332E187428AEF249F65D8802AD77A0FB45798F10417AEE4DD7BA5CF78E590C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F381C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 00007FF62A3F4308

Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCDF
Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCEE
Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCFD
Part of subcall function 00007FF62A3EFC90: RtlVerifyVersionInfo.NTDLL ref: 00007FF62A3EFD0E

GetDpiForWindow.USER32 ref: 00007FF62A3F383D
AdjustWindowRectExForDpi.USER32 ref: 00007FF62A3F3890
AdjustWindowRectEx.USER32 ref: 00007FF62A3F3898
MonitorFromWindow.USER32 ref: 00007FF62A3F38FA
GetMonitorInfoW.USER32 ref: 00007FF62A3F391F

Strings

(, xrefs: 00007FF62A3F3914

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Window$ConditionMask$AdjustInfoMonitorRect$FromProcVerifyVersion
String ID: (
API String ID: 3794753354-3887548279
Opcode ID: 0d08f120231f254d20723e55a7b59fda0683c8efef6f67081974c1392d66e6d1
Instruction ID: ed20d007879f68072c34f84ff565f3445d09d71295c6abd4e6961646bce5f231
Opcode Fuzzy Hash: 0d08f120231f254d20723e55a7b59fda0683c8efef6f67081974c1392d66e6d1
Instruction Fuzzy Hash: E9417B32F142418FEB64CFB9E88476D33A1EB44768F104279DE1AD2A84DF7CE4598B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F02C0 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

UnregisterDeviceNotification.USER32 ref: 00007FF62A3F02D0
DestroyWindow.USER32(?,?,?,?,00007FF62A3EE7DE,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F02E2
SystemParametersInfoW.USER32 ref: 00007FF62A3F02FF
FreeLibrary.KERNEL32(?,?,?,?,00007FF62A3EE7DE,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F033D
FreeLibrary.KERNEL32(?,?,?,?,00007FF62A3EE7DE,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F034F
FreeLibrary.KERNEL32(?,?,?,?,00007FF62A3EE7DE,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F0361
FreeLibrary.KERNEL32(?,?,?,?,00007FF62A3EE7DE,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F0373
FreeLibrary.KERNEL32(?,?,?,?,00007FF62A3EE7DE,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F0385

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: FreeLibrary$DestroyDeviceInfoNotificationParametersSystemUnregisterWindow
String ID:
API String ID: 4127398244-0
Opcode ID: 3af1d21eb0bb8f00c2d0d5d161bef78ced57c5eef3c189ddd076fde6f7cee703
Instruction ID: e466c13e75a66a7e60d8c3fb75e5ffbb41bd74419e243d1cd364c6d981530e7b
Opcode Fuzzy Hash: 3af1d21eb0bb8f00c2d0d5d161bef78ced57c5eef3c189ddd076fde6f7cee703
Instruction Fuzzy Hash: F421F924E6E60789FF14EB95ACA12386660BF95B40F440ABADC0ED2261DFFCF5148313

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A41304C Relevance: 10.8, APIs: 7, Instructions: 291COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A413482

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c1696935f3682c15b414d5ed7a6c45705d34fa9eb4de2fc748c8075fca211361
Instruction ID: 2751acb0f2d00a830f98c09dbcfeaf10820544068d1141952ebc204d354704a9
Opcode Fuzzy Hash: c1696935f3682c15b414d5ed7a6c45705d34fa9eb4de2fc748c8075fca211361
Instruction Fuzzy Hash: 36C1E222A1CA8681EFA19B1598402BD7B90FB90B88F5501F5DA4EC3795CFFCF865C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FC75C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF62A3FCA0E,?,?,?,00007FF62A3FC700,?,?,00000001,00007FF62A3F9371), ref: 00007FF62A3FC7E1
GetLastError.KERNEL32(?,?,?,00007FF62A3FCA0E,?,?,?,00007FF62A3FC700,?,?,00000001,00007FF62A3F9371), ref: 00007FF62A3FC7EF
LoadLibraryExW.KERNEL32(?,?,?,00007FF62A3FCA0E,?,?,?,00007FF62A3FC700,?,?,00000001,00007FF62A3F9371), ref: 00007FF62A3FC819
FreeLibrary.KERNEL32(?,?,?,00007FF62A3FCA0E,?,?,?,00007FF62A3FC700,?,?,00000001,00007FF62A3F9371), ref: 00007FF62A3FC85F
GetProcAddress.KERNEL32(?,?,?,00007FF62A3FCA0E,?,?,?,00007FF62A3FC700,?,?,00000001,00007FF62A3F9371), ref: 00007FF62A3FC86B

Strings

api-ms-, xrefs: 00007FF62A3FC801

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 80e122c1517e9d56216cb50d760bd727917aca71ef8a2bc2915187e309d1ae53
Instruction ID: 13f7301b533c3c35091539d89cb3f2e098ca299943282f6fbe8354a0071fdabe
Opcode Fuzzy Hash: 80e122c1517e9d56216cb50d760bd727917aca71ef8a2bc2915187e309d1ae53
Instruction Fuzzy Hash: 2031EF21E2AB42C1EF659B06AC809742394BF48BA4F090679DD1DCB781EFBCE404C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A415C00 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,00000000,00007FF62A412A5E), ref: 00007FF62A415C31
GetLastError.KERNEL32(?,00000000,00007FF62A412A5E), ref: 00007FF62A415C3D
CloseHandle.KERNEL32(?,00000000,00007FF62A412A5E), ref: 00007FF62A415C55
CreateFileW.KERNEL32 ref: 00007FF62A415C80
WriteConsoleW.KERNEL32 ref: 00007FF62A415C9F

Strings

CONOUT$, xrefs: 00007FF62A415C61

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 6579eae0f7e0c80b70a12399cf2c2c5abbbf634f945d1ba5270f1513971657da
Instruction ID: 0b5e9071a678b985af9069abdbdcc8b89eaab48f6bb92a99bd694c115e4642f2
Opcode Fuzzy Hash: 6579eae0f7e0c80b70a12399cf2c2c5abbbf634f945d1ba5270f1513971657da
Instruction Fuzzy Hash: 5E119021B18E4186EB508B52EC5433977A0FB98BE4F000274EA1EC7B94DFBCD4148746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F6060 Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF62A3F60D2
MultiByteToWideChar.KERNEL32 ref: 00007FF62A3F617A
LCMapStringEx.KERNEL32 ref: 00007FF62A3F61B1
LCMapStringEx.KERNEL32 ref: 00007FF62A3F620A
LCMapStringEx.KERNEL32 ref: 00007FF62A3F62B7
WideCharToMultiByte.KERNEL32 ref: 00007FF62A3F62F9

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 7c38958ae06f5ef2402babd565d4181b62d867ae31e0a9f85c230880cc384d4c
Instruction ID: 7c6ec6e094f57c06e3186180199cd70f2dee2b1fb12dce85a331d5bd424b0b00
Opcode Fuzzy Hash: 7c38958ae06f5ef2402babd565d4181b62d867ae31e0a9f85c230880cc384d4c
Instruction Fuzzy Hash: 6D819232A187C186EF208F51A880379A695FF457A8F14027AEE5DD7BD4DFBCE4458701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3B22D0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62A3B22E5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62A3B230A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62A3B2334
std::_Facet_Register.LIBCPMT ref: 00007FF62A3B23AB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62A3B23C5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62A3B23D8

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 0a9f2b95ce9d8f155ee33930d056ec64c37ef3c238b9b1fa5f0d8cc6e27726cd
Instruction ID: 279d5ed96620690841a42d8ccd8817d33f3995668ef5977ec0100f77af82eb2b
Opcode Fuzzy Hash: 0a9f2b95ce9d8f155ee33930d056ec64c37ef3c238b9b1fa5f0d8cc6e27726cd
Instruction Fuzzy Hash: 9F317022F18E4281EF159B55DC801BDA762FB44BA0F481BB2EE5DC76D5DEBCE4428312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FA398 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF62A3FA536
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF62A3FA859

Strings

csm, xrefs: 00007FF62A3FA47D
csm, xrefs: 00007FF62A3FA55D
csm, xrefs: 00007FF62A3FA4DF

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 1d349cf17dc0299ca045e9b14ea901ea8c8cef2e2a101a36b2660e30a1c478d4
Instruction ID: d765eaf06c87292edf37f2f2fef7e57647f954f850ea053b3870b8013396ded1
Opcode Fuzzy Hash: 1d349cf17dc0299ca045e9b14ea901ea8c8cef2e2a101a36b2660e30a1c478d4
Instruction Fuzzy Hash: 1DE1A172D186828AEB109F68D8C42BD3BA0FB44748F15417ADE8DD77A5DE78E485C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F2E90 Relevance: 9.0, APIs: 6, Instructions: 37COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?,?,?,?,?,?,00000000,00007FF62A3F253E,?,?,00000000,00007FF62A3EF28C,?,?,00000000,00007FF62A3EE73C), ref: 00007FF62A3F2EB1
WindowFromPoint.USER32(?,?,?,?,?,?,00000000,00007FF62A3F253E,?,?,00000000,00007FF62A3EF28C,?,?,00000000,00007FF62A3EE73C), ref: 00007FF62A3F2EC7
GetClientRect.USER32 ref: 00007FF62A3F2EDA
ClientToScreen.USER32 ref: 00007FF62A3F2EEC
ClientToScreen.USER32 ref: 00007FF62A3F2EFE
PtInRect.USER32 ref: 00007FF62A3F2F0E

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Client$RectScreen$CursorFromPointWindow
String ID:
API String ID: 3638364385-0
Opcode ID: f76d4b5ab5769b8a1d5556a1f682c16c7477128e2e08ae4c687b38609cc177a9
Instruction ID: 435d8f9958687610206d8e1d45bd1dddd59c1b8309b8568e7744f8b3b14a8334
Opcode Fuzzy Hash: f76d4b5ab5769b8a1d5556a1f682c16c7477128e2e08ae4c687b38609cc177a9
Instruction Fuzzy Hash: 44113022628A46C2EF508B11EC9017AB370FB88BD4F881172EE4EC7668DF7CD655CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F9170 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62A3F919B
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF62A3F9230
RtlUnwindEx.KERNEL32 ref: 00007FF62A3F927F

Strings

csm, xrefs: 00007FF62A3F9216
f, xrefs: 00007FF62A3F91AE

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c956270e5e75b1406440b9605611ada995cf7cab332135a871939f15098f3043
Instruction ID: dc7ad92f1abe3148d1534501b3555d219cf043d4603a65bdabd7947369f42552
Opcode Fuzzy Hash: c956270e5e75b1406440b9605611ada995cf7cab332135a871939f15098f3043
Instruction Fuzzy Hash: 0C51F132A29602C6EF54CF15EC84A6D3395FB44B88F5581B9EE0AC3788DFB8E841C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3B3C40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF62A3B3CC0
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF62A3B3D08
_Getctype.LIBCPMT ref: 00007FF62A3B3D25
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF62A3B3DC0

Strings

bad locale name, xrefs: 00007FF62A3B3DE8

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: 37b24dc187511f9d8c50d9ab3c820f93ce5054b56bd5b896fe2fad3aa36a0144
Instruction ID: 5684f674262832e2a1306e6dcccea1de45d0f79a0bc8349ff79c608f53ae88dc
Opcode Fuzzy Hash: 37b24dc187511f9d8c50d9ab3c820f93ce5054b56bd5b896fe2fad3aa36a0144
Instruction Fuzzy Hash: 8D518B23B5AB4189EF11CFA0D8902AD23A5AF40B48F4449B9DE4DD3E89DFB8E515C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F3B7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118windowkeyboardtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62A3F31E0: GetKeyState.USER32 ref: 00007FF62A3F31F4
Part of subcall function 00007FF62A3F31E0: GetKeyState.USER32 ref: 00007FF62A3F3205
Part of subcall function 00007FF62A3F31E0: GetKeyState.USER32 ref: 00007FF62A3F3220
Part of subcall function 00007FF62A3F31E0: GetKeyState.USER32 ref: 00007FF62A3F3239
Part of subcall function 00007FF62A3F31E0: GetKeyState.USER32 ref: 00007FF62A3F3247
Part of subcall function 00007FF62A3F31E0: GetKeyState.USER32 ref: 00007FF62A3F325D
Part of subcall function 00007FF62A3F31E0: GetKeyState.USER32 ref: 00007FF62A3F3272

MapVirtualKeyW.USER32 ref: 00007FF62A3F3BAE
GetMessageTime.USER32 ref: 00007FF62A3F3C13
PeekMessageW.USER32 ref: 00007FF62A3F3C2D
DefWindowProcW.USER32 ref: 00007FF62A3F4308

Strings

E, xrefs: 00007FF62A3F3BCE

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: State$Message$PeekProcTimeVirtualWindow
String ID: E
API String ID: 776232839-3568589458
Opcode ID: 3087213c0bf794ada5c0a97a606096feac0605e6e9c925fad5792e2de349719f
Instruction ID: 6ed5d1aaa6c8e85dcc0c17eb5bf4875359ea4c3c1fc909887687d8fc7c8bc9ca
Opcode Fuzzy Hash: 3087213c0bf794ada5c0a97a606096feac0605e6e9c925fad5792e2de349719f
Instruction Fuzzy Hash: D2418E35F285428BFF608B79D8907BD26A1BB48798F1004B9DE1ED7784DEBC9845DB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F0EA0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

CreateDCW.GDI32 ref: 00007FF62A3F1038
SetDeviceGammaRamp.GDI32 ref: 00007FF62A3F1049
DeleteDC.GDI32 ref: 00007FF62A3F1052

Strings

DISPLAY, xrefs: 00007FF62A3F1031
Win32: Gamma ramp size must be 256, xrefs: 00007FF62A3F0EC8

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CreateDeleteDeviceGammaRamp
String ID: DISPLAY$Win32: Gamma ramp size must be 256
API String ID: 790129706-1165277357
Opcode ID: 393227a744a2fd6068a294b32f3c15d7af3df41d6275f7d3125d5f430cf725b4
Instruction ID: e10e6dc59c7da5a98797531fcdffdf6a0cb22821d5a1e79dfab0c577c82dd6aa
Opcode Fuzzy Hash: 393227a744a2fd6068a294b32f3c15d7af3df41d6275f7d3125d5f430cf725b4
Instruction Fuzzy Hash: BA51EA16E19BC581EA11CB2CD6593BC2360F7E9B48F55A325DF8C52213EF65A2D8C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F3040 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegisterRawInputDevices.USER32 ref: 00007FF62A3F3075
ClientToScreen.USER32 ref: 00007FF62A3F30D2
SetCursorPos.USER32 ref: 00007FF62A3F30E0
LoadCursorW.USER32 ref: 00007FF62A3F310F

Part of subcall function 00007FF62A3EFB90: GetLastError.KERNEL32 ref: 00007FF62A3EFBDB
Part of subcall function 00007FF62A3EFB90: FormatMessageW.KERNEL32 ref: 00007FF62A3EFC10
Part of subcall function 00007FF62A3EFB90: WideCharToMultiByte.KERNEL32 ref: 00007FF62A3EFC4F

Strings

Win32: Failed to remove raw input device, xrefs: 00007FF62A3F307F

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Cursor$ByteCharClientDevicesErrorFormatInputLastLoadMessageMultiRegisterScreenWide
String ID: Win32: Failed to remove raw input device
API String ID: 628836682-53561655
Opcode ID: 57fa9460ff3e87e1bfa137c48fd01e915ff265d7ed5e202e4e3343235ced6b14
Instruction ID: 36d2574ef0238e0c75ab51f93d07ccddf66d1d72ea9abf2ce8bf9316408f5241
Opcode Fuzzy Hash: 57fa9460ff3e87e1bfa137c48fd01e915ff265d7ed5e202e4e3343235ced6b14
Instruction Fuzzy Hash: 5221B071A1C602C6EF548F20E86037AB3A1FB84B08F1405B9DA4DC6364CFBEE984CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F2260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

RemovePropW.USER32 ref: 00007FF62A3F22B4
DestroyWindow.USER32(?,?,00000000,00007FF62A3EEB30,?,?,00000000,00007FF62A3EE71C,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F22C1
DestroyIcon.USER32(?,?,00000000,00007FF62A3EEB30,?,?,00000000,00007FF62A3EE71C,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F22DA
DestroyIcon.USER32(?,?,00000000,00007FF62A3EEB30,?,?,00000000,00007FF62A3EE71C,?,?,?,?,00007FF62A3EE6DC), ref: 00007FF62A3F22EC

Part of subcall function 00007FF62A3F32D0: SetThreadExecutionState.KERNEL32 ref: 00007FF62A3F32F4
Part of subcall function 00007FF62A3F32D0: SystemParametersInfoW.USER32 ref: 00007FF62A3F331D

Strings

GLFW, xrefs: 00007FF62A3F22AD

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Destroy$Icon$ExecutionInfoParametersPropRemoveStateSystemThreadWindow
String ID: GLFW
API String ID: 1815938153-220981224
Opcode ID: df072145ec3cb0bbce167e466810c0063b0ab9bfdd94869edefe918b57f825ea
Instruction ID: 92be2f23e8172c301c5521f463b97f92c07311bd3f4b00ef5cc4fb09cf2fb981
Opcode Fuzzy Hash: df072145ec3cb0bbce167e466810c0063b0ab9bfdd94869edefe918b57f825ea
Instruction Fuzzy Hash: E5010521A19A4691EF858FA1ED9037863A4FF48F84F0C45B9DD0EC6264CEBDE4918312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A404540 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF62A40455C
GetProcAddress.KERNEL32 ref: 00007FF62A404572
FreeLibrary.KERNEL32 ref: 00007FF62A40458F

Strings

mscoree.dll, xrefs: 00007FF62A404553
CorExitProcess, xrefs: 00007FF62A40456B

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b6d762ac0b012c3fe5d72ad9a3639368b8856cb342460f434e8939f033bf257d
Instruction ID: 46c451ef6ce1ba69813f60490fca2926f500318fbbceb4e632de9a47fb720d34
Opcode Fuzzy Hash: b6d762ac0b012c3fe5d72ad9a3639368b8856cb342460f434e8939f033bf257d
Instruction Fuzzy Hash: F9F0A7A5B1964A91FF588F50EC903782761EF88751F4414B9D90FC5561EFBCE59CC302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F9790 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF62A3F98B3
__AdjustPointer.LIBCMT ref: 00007FF62A3F98FE

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: d825f48dea577d5a90ab2e924f74496608a7c1384c70d85fa8ad637be010af57
Instruction ID: 1b1ea2319ed3b7aa7dc03740ffe4408bf556a5ff1ea505509136f4aa086f4e42
Opcode Fuzzy Hash: d825f48dea577d5a90ab2e924f74496608a7c1384c70d85fa8ad637be010af57
Instruction Fuzzy Hash: 9EB1A122A2E64281EF65DF119CC067967A0EF44B84F1988BEDE4DC7795DEBCE8518302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F2310 Relevance: 7.6, APIs: 5, Instructions: 115COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00007FF62A3F2364
SetRect.USER32 ref: 00007FF62A3F2383

Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCDF
Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCEE
Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCFD
Part of subcall function 00007FF62A3EFC90: RtlVerifyVersionInfo.NTDLL ref: 00007FF62A3EFD0E

GetDpiForWindow.USER32 ref: 00007FF62A3F23E0
AdjustWindowRectExForDpi.USER32 ref: 00007FF62A3F23F7
AdjustWindowRectEx.USER32 ref: 00007FF62A3F2445

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Rect$ConditionMaskWindow$Adjust$ClientInfoVerifyVersion
String ID:
API String ID: 2961500858-0
Opcode ID: 552427f5a4076393b288427043aefbb6ccbb851601efa5b1ac54d40f950ba7be
Instruction ID: 81d7b0c7c7837350279c607046c933e31e0db0cbcac096add4c171ff63bef499
Opcode Fuzzy Hash: 552427f5a4076393b288427043aefbb6ccbb851601efa5b1ac54d40f950ba7be
Instruction Fuzzy Hash: AE516D32728642CAEB60CF55E89072AB3A0FB88744F544179EE4EC7B54CFBDE8458B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F41E2 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DragQueryFileW.SHELL32 ref: 00007FF62A3F41F0
DragQueryPoint.SHELL32 ref: 00007FF62A3F4214
DragQueryFileW.SHELL32 ref: 00007FF62A3F425E
DragQueryFileW.SHELL32 ref: 00007FF62A3F4283

Part of subcall function 00007FF62A3EFAB0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF62A3F15D7), ref: 00007FF62A3EFAE5

DragFinish.SHELL32 ref: 00007FF62A3F42EC

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Drag$Query$File$ByteCharFinishMultiPointWide
String ID:
API String ID: 2870031500-0
Opcode ID: 139d758f49e8211658b5a35d2f9b0de15fe1bfdfbb77347247059a745f2d3942
Instruction ID: 526a3dca58fdc5fc964ebf8b27fcfcec6d0a83a3b0b0742e54afcd1121c402d2
Opcode Fuzzy Hash: 139d758f49e8211658b5a35d2f9b0de15fe1bfdfbb77347247059a745f2d3942
Instruction Fuzzy Hash: BB31CA35F296424AFF00EB71A9616BD2361BF85BD4F008576DD0ED7B4ACEBC94168701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A414BC0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF62A414BE8
_set_statfp.LIBCMT ref: 00007FF62A414C03
_set_statfp.LIBCMT ref: 00007FF62A414C1F
_set_statfp.LIBCMT ref: 00007FF62A414C5B

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 81707765467665a64026fe50aca45b235a01160f10b463acd2fa1bd67648dc38
Instruction ID: 6626ed294cb8518fcf91282f0b0066260376d72ae90dac3f77d3e7f54ad99618
Opcode Fuzzy Hash: 81707765467665a64026fe50aca45b235a01160f10b463acd2fa1bd67648dc38
Instruction Fuzzy Hash: 0211A7A2E1CA13C1FF5C1178ED863B911406F64370F8A46B4E67E976DAAEDCE8525302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A407CBC Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A407F62

Part of subcall function 00007FF62A41190C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411929

Strings

ccs, xrefs: 00007FF62A407EAE
UTF-16LEUNICODE, xrefs: 00007FF62A407F06
UTF-8, xrefs: 00007FF62A407EE5

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 765d2b851b3fe89b8fdad15e491785742e3832cdecd169bf7a169785e41db606
Instruction ID: d34088e0068a720ec5d11cd04d15a0605bf1a67bab294ee8cfaff65946f502aa
Opcode Fuzzy Hash: 765d2b851b3fe89b8fdad15e491785742e3832cdecd169bf7a169785e41db606
Instruction Fuzzy Hash: 1581A332D0DA46C5FFAD5A388E54B382A909F31B44F6590B5CA0EC6295DEDDED01A383

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FAAB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF62A3FAB20
_CallSETranslator.LIBVCRUNTIME ref: 00007FF62A3FAB6B

Strings

RCC, xrefs: 00007FF62A3FAB3C
MOC, xrefs: 00007FF62A3FAB34

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 3c626d7a97cafbbad6b8c08fc4748eec2d5243c384ebdef893a4fde067a45408
Instruction ID: d50697f379b8daab84109237249369da2d3964ae21a8a394dea4fff43f7234d8
Opcode Fuzzy Hash: 3c626d7a97cafbbad6b8c08fc4748eec2d5243c384ebdef893a4fde067a45408
Instruction Fuzzy Hash: 8391BF73A18B828AEB10CB65E8802AD7BA0F744788F14413AEE8DD7765DF7CD195C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FEA58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FEA8D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A3FEC59

Strings

, xrefs: 00007FF62A3FEBE2
*, xrefs: 00007FF62A3FEB8D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: dea924dcd5f7616679a874c203ac1c923b6f58dcd7703d7370670d5fa7a90785
Instruction ID: 30298fa4ca306a1105c46cae7716df0d2ad6f6c8fcdec0214da5b152e9ab8c4a
Opcode Fuzzy Hash: dea924dcd5f7616679a874c203ac1c923b6f58dcd7703d7370670d5fa7a90785
Instruction Fuzzy Hash: AA61467292D6568AEF644E2888C437C3BE1EB05719F3411BDDE4EC1295CFACD8859B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FA894 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF62A3FA8E0
_CallSETranslator.LIBVCRUNTIME ref: 00007FF62A3FA92F

Strings

MOC, xrefs: 00007FF62A3FA8F4
RCC, xrefs: 00007FF62A3FA8FD

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 62565ff6f76f4329084405539a57fb056105bbc4edb143fbfec4e935c06c12fe
Instruction ID: d7aa9f6109958d1c42e5512b69c9d14bd207ea2db776742600aa1d6a6a17374f
Opcode Fuzzy Hash: 62565ff6f76f4329084405539a57fb056105bbc4edb143fbfec4e935c06c12fe
Instruction Fuzzy Hash: 73614C32A18B858AEB10CF65D8803AD77A0FB44B88F14427AEE5DD7BA4CF78E155C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FB024 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62A3FB04C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF62A3FB134

Strings

csm, xrefs: 00007FF62A3FB06E
csm, xrefs: 00007FF62A3FB186

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 0bda89c1c474226a29a6159f1c8001ccca3156b417f1938975b9ec5068ee005c
Instruction ID: d633c44e695605adb3de9230e91396933bf8ba3430d7b25e39b834b8845a5dee
Opcode Fuzzy Hash: 0bda89c1c474226a29a6159f1c8001ccca3156b417f1938975b9ec5068ee005c
Instruction Fuzzy Hash: C051AF729282828AEF648F15ADC43A976A0FB45B84F184179DF9CC7B95CFBCE450C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3B1030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF62A3B103B
GetProcAddress.KERNEL32 ref: 00007FF62A3B104B

Strings

ntdll.dll, xrefs: 00007FF62A3B1034
RtlAdjustPrivilege, xrefs: 00007FF62A3B1044

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlAdjustPrivilege$ntdll.dll
API String ID: 1646373207-64178277
Opcode ID: 44610894ece071f3450c6f0e06a7f2209c201c748daf7f016e0df0c2fe412239
Instruction ID: 4923c7a03ea4fdf36b9537271b974fa70eb0eb75b479dee6b32e44fed65173a8
Opcode Fuzzy Hash: 44610894ece071f3450c6f0e06a7f2209c201c748daf7f016e0df0c2fe412239
Instruction Fuzzy Hash: 22D0C928E4AA02C1EF089B01EC840793360BF54740F8005B1C40D81321AFBCE1AAC302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A411D64 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411DA5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411E25
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A411E79
_get_daylight.LIBCMT ref: 00007FF62A411ED1

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 3fdf1a0d571e053fe8fa19e5d548205560761c24186fb861f9ab51dd56bbd728
Instruction ID: 28950ef24c40cd395c99d57058d3cb7cb50ba1e187a0cf06b945ed0077a6d442
Opcode Fuzzy Hash: 3fdf1a0d571e053fe8fa19e5d548205560761c24186fb861f9ab51dd56bbd728
Instruction Fuzzy Hash: 8451CF36E0C30282FFA95B6C9C5577D6A80AF40714F1944BDDA4EC62D6CFACE8688743

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F2A00 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCDF
Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCEE
Part of subcall function 00007FF62A3EFC90: VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCFD
Part of subcall function 00007FF62A3EFC90: RtlVerifyVersionInfo.NTDLL ref: 00007FF62A3EFD0E

GetDpiForWindow.USER32 ref: 00007FF62A3F2A83
AdjustWindowRectExForDpi.USER32 ref: 00007FF62A3F2A9A
AdjustWindowRectEx.USER32 ref: 00007FF62A3F2AE8
SetWindowPos.USER32 ref: 00007FF62A3F2B13

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Window$ConditionMask$AdjustRect$InfoVerifyVersion
String ID:
API String ID: 402204090-0
Opcode ID: b034f9cacb0b9f34c6233249cbdafb291a4917715b997a95ecfa28b0de6c3a29
Instruction ID: aba0d0be33af43bb6d2ab5859a544ef13e9a749292ce29edc4aebf272607a738
Opcode Fuzzy Hash: b034f9cacb0b9f34c6233249cbdafb291a4917715b997a95ecfa28b0de6c3a29
Instruction Fuzzy Hash: 3B318E72B18641C7EF748B55A99033AA2A0FF88745F10447ADF0EC7A44DFBDE8508B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3EFD40 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFDB3
VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFDC2
VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFDD1
RtlVerifyVersionInfo.NTDLL ref: 00007FF62A3EFDE2

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 429d319824c7e070642cdb34a65a07d366f67fe1f4ef6a4e95e1f907020daee3
Instruction ID: 698086a81c5c838a5ee8e456c5262eb2c01e1e49f1b9710505c0fc7f9e4e14fb
Opcode Fuzzy Hash: 429d319824c7e070642cdb34a65a07d366f67fe1f4ef6a4e95e1f907020daee3
Instruction Fuzzy Hash: 87112E3260968186DB34CF22E9513EBB3A1FB88744F404635DA9DC7B58EF7CE2198B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3EFC90 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCDF
VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCEE
VerSetConditionMask.KERNEL32 ref: 00007FF62A3EFCFD
RtlVerifyVersionInfo.NTDLL ref: 00007FF62A3EFD0E

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: eeb1df69a67e7593011410af4fe5e9b54c1d1657c523b51506144c4d32310c13
Instruction ID: 88413f2ba5e083e6c193bdb2072028f816d2cfd2d8b345c85ed043b028dd2a30
Opcode Fuzzy Hash: eeb1df69a67e7593011410af4fe5e9b54c1d1657c523b51506144c4d32310c13
Instruction Fuzzy Hash: 79018036A0878586EB20CF32EC543AA73A0EB89B08F444535DA4DCB758DFBCD10D8B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F3350 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00007FF62A3F3379
ClientToScreen.USER32 ref: 00007FF62A3F338B
ClientToScreen.USER32 ref: 00007FF62A3F339D
ClipCursor.USER32 ref: 00007FF62A3F33A8

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Client$Screen$ClipCursorRect
String ID:
API String ID: 327882252-0
Opcode ID: f4c1c9174649328522895ec1cf2d3faa729afaf4cfce29e680d23fe495a814db
Instruction ID: 559dbbdabaa3e401b8f197fd09d73beb43a39cc181f5d80a09400a51c926c754
Opcode Fuzzy Hash: f4c1c9174649328522895ec1cf2d3faa729afaf4cfce29e680d23fe495a814db
Instruction Fuzzy Hash: 99F01266628E4682EF10DB15ECA40797330FF88B99F481172ED4E8B638DF6DD655C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FB25C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62A3FB286

Strings

csm, xrefs: 00007FF62A3FB2AB
csm, xrefs: 00007FF62A3FB41A

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 1ac15d1d0a54add5732d1d2cae4e67889ae12a3e21d487a8c7d1b98f3638d132
Instruction ID: 16dde4b6f8275e0c26e37f23aea1a9c2981eb072218d6ccd13c3faebc7c40d0d
Opcode Fuzzy Hash: 1ac15d1d0a54add5732d1d2cae4e67889ae12a3e21d487a8c7d1b98f3638d132
Instruction Fuzzy Hash: 4371A1B2A186828ADB608F25D9D06BD7BA0FB45B88F14817ADF4CC7A85CE7CD451C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A409C08 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62A409C4B

Strings

gfff, xrefs: 00007FF62A409D6D
e+000, xrefs: 00007FF62A409CF0

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 119e03e3d6cdb3dee1b91ee2165f7cc9f414b0440d8de11754203a7774f60ead
Instruction ID: 5722cc0cdbeaf87d67207844d92f8c0b7cc9f65b9d402651e2e532476b77c387
Opcode Fuzzy Hash: 119e03e3d6cdb3dee1b91ee2165f7cc9f414b0440d8de11754203a7774f60ead
Instruction Fuzzy Hash: C6514962B187C686EB698F359C403697B91EBA1B90F488275CB9CC7BD6CF6CD444C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3FB8F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62A3FB99A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF62A3FB9C6

Strings

csm, xrefs: 00007FF62A3FBAC6

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: b393df5c8bc8244175b64eb3df6bac1f8fe666e8b5a5f27488fdac3918bfff30
Instruction ID: 743e663ef391c33d6cee87d9a22f11b46b1e0bd86a2cb1840b3033842fa2544c
Opcode Fuzzy Hash: b393df5c8bc8244175b64eb3df6bac1f8fe666e8b5a5f27488fdac3918bfff30
Instruction Fuzzy Hash: 3F513F7262878186DF20DF16A8842AE77A4FB88B94F140179EF8DC7B55CF78D461CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A408BF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,?,00000000,?,00007FF62A409049), ref: 00007FF62A408D0B
GetLastError.KERNEL32(00000000,00000000,?,00000000,?,00007FF62A409049), ref: 00007FF62A408D2D

Strings

U, xrefs: 00007FF62A408CB7

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: d4bc8ca20eb49a5b01ba9bd2b68cf0c157e35c7aed703e70d4e19256e0568c2e
Instruction ID: 4f0bac271a9d9495e218e9367b7a64361c21a24a30f9770bf14fb79d91004d3a
Opcode Fuzzy Hash: d4bc8ca20eb49a5b01ba9bd2b68cf0c157e35c7aed703e70d4e19256e0568c2e
Instruction Fuzzy Hash: 9441CE72A19A8582EB208F25E8443BA77A1FBA8784F414131EE4DC7788DFBCE441DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40B2A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FF62A40B416

Strings

", xrefs: 00007FF62A40B3C1
powf, xrefs: 00007FF62A40B40F

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 80357ba98e11a9aa478f8630a8e9599de279360b627e52533e91df0c10b6a963
Instruction ID: d5533dc77bafd75f65b5b7ac43503828a5a482f3a3bb29bbfceda540ae813ad3
Opcode Fuzzy Hash: 80357ba98e11a9aa478f8630a8e9599de279360b627e52533e91df0c10b6a963
Instruction Fuzzy Hash: E1414273D28A80DAD770CF22E4847BAB6A0F7E9348F202325F74942994DFBDC551AB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40B180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF62A40B292

Strings

", xrefs: 00007FF62A40B26B
pow, xrefs: 00007FF62A40B281

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 244e0eee8b56cbd68100b2b60dfad2724f7e682842a492b595bc85b065f3f130
Instruction ID: 5655d1766dcefa1e52ba023eb3dd3e440177f62c21f157e10be092edb256ed5c
Opcode Fuzzy Hash: 244e0eee8b56cbd68100b2b60dfad2724f7e682842a492b595bc85b065f3f130
Instruction Fuzzy Hash: 98316272D1CA8587DB70CF10E84476EBAA0FBEA384F201329F78946954DFBDD5829B05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3EFAB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF62A3F15D7), ref: 00007FF62A3EFAE5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF62A3F15D7), ref: 00007FF62A3EFB4D

Part of subcall function 00007FF62A3EFB90: GetLastError.KERNEL32 ref: 00007FF62A3EFBDB
Part of subcall function 00007FF62A3EFB90: FormatMessageW.KERNEL32 ref: 00007FF62A3EFC10
Part of subcall function 00007FF62A3EFB90: WideCharToMultiByte.KERNEL32 ref: 00007FF62A3EFC4F

Strings

Win32: Failed to convert string to UTF-8, xrefs: 00007FF62A3EFAF2, 00007FF62A3EFB57

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFormatLastMessage
String ID: Win32: Failed to convert string to UTF-8
API String ID: 3944349251-2776438994
Opcode ID: 40fd7b7cdbf2bc7b87696dcc1fbffc06279e54faf433a152b6e64725cd394338
Instruction ID: 5bbe5118b355d3fb3d7c4cfd4aea1525be7ff00500a4d6bcf4f72e7e68362129
Opcode Fuzzy Hash: 40fd7b7cdbf2bc7b87696dcc1fbffc06279e54faf433a152b6e64725cd394338
Instruction Fuzzy Hash: 1D21C931B0CB4286D7509F56BD5006AB7A1FB847D0F444175EA8DC3B99DFBCD5508701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40AD54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AD8D
LCMapStringW.KERNEL32 ref: 00007FF62A40AE15

Strings

LCMapStringEx, xrefs: 00007FF62A40AD70, 00007FF62A40AD81

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: d40070dcae1d23937b40427719efcaa05d4d26c73cefc6ba482b271d3e48e0c1
Instruction ID: a3fc42fc83a4e15a5d8ac863a9aefbebb9aaa5bee67a8efbcb91a490d24156ae
Opcode Fuzzy Hash: d40070dcae1d23937b40427719efcaa05d4d26c73cefc6ba482b271d3e48e0c1
Instruction Fuzzy Hash: 1F113636A08B8186DB64CB06B8502AAB7A1FBC9B80F544136EE8D83B19DF3CD5508B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3B3FC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF62A3B3FCB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF62A3B4032

Strings

string too long, xrefs: 00007FF62A3B3FC4

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Xinvalid_argument_invalid_parameter_noinfo_noreturnstd::_
String ID: string too long
API String ID: 1132134225-2556327735
Opcode ID: 5b2190d3ee7e29c2ec33caa50643c83f319f03fad1a7018b49602b95dc8e8757
Instruction ID: ea6c28f19eab7a2c44658fd303e39ad0ada73c67ec1b08eb30e0b3479f916eef
Opcode Fuzzy Hash: 5b2190d3ee7e29c2ec33caa50643c83f319f03fad1a7018b49602b95dc8e8757
Instruction Fuzzy Hash: 0FE06D51F1AA0340EE08B3609CC637C40925F683B0F900FB4E63DC16D6EE9CA4954702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F7614 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF62A3B3F2F), ref: 00007FF62A3F7658
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF62A3B3F2F), ref: 00007FF62A3F769E

Strings

csm, xrefs: 00007FF62A3F768B

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 7b46b8f324e57b4910620f0caa7e8228f833dcc9c0f6d6cc932d327ab33c52c6
Instruction ID: 4f4c0ba9c29192ef0fa1b447970f57be7a0ed90b55cf788a33cdb4874f9f195a
Opcode Fuzzy Hash: 7b46b8f324e57b4910620f0caa7e8228f833dcc9c0f6d6cc932d327ab33c52c6
Instruction Fuzzy Hash: 9F115E32A18B8182EF618F15F84026977A0FB88B88F184274DF8D87B64DF7CD551CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A3F3140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 00007FF62A3F3183
SetWindowPos.USER32 ref: 00007FF62A3F31BF

Strings

(, xrefs: 00007FF62A3F3158

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: InfoMonitorWindow
String ID: (
API String ID: 1000336858-3887548279
Opcode ID: 98033777b4d7f8f772021d6ef62dc3912a3f2af7b865bc2e4849d49f6b6d525c
Instruction ID: 82ffdb5849d130d1a0654141b1dbbccf3df5b6f0c9701627c9c8671e990f3d63
Opcode Fuzzy Hash: 98033777b4d7f8f772021d6ef62dc3912a3f2af7b865bc2e4849d49f6b6d525c
Instruction Fuzzy Hash: C4011272A1868086DB10CF25E85416EB770F7D9BA4F205325EA9C87B68DF7DE485CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40ABC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF62A40ABED
GetUserDefaultLCID.KERNEL32(?,?,000000A0,00007FF62A40FEDC), ref: 00007FF62A40AC04

Strings

GetUserDefaultLocaleName, xrefs: 00007FF62A40ABD0, 00007FF62A40ABDA

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: DefaultUsertry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 3217810228-151340334
Opcode ID: 3053f714f302b3b93c437ddab2a0bb83ac4a2c0628910f9eb5592084d4df2296
Instruction ID: a1b5a1f3ff9ed85b46b70a118d5faba1fd6eabc31789ab4f6d3027d572f428d6
Opcode Fuzzy Hash: 3053f714f302b3b93c437ddab2a0bb83ac4a2c0628910f9eb5592084d4df2296
Instruction Fuzzy Hash: DEF08211B0C54283EF189F95BE546B92262BF487C4F854076DA0D87656DFACE445D303

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40AC28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AC59
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,000002A433F03658,00007FF62A407C86,?,?,?,00007FF62A407B7E,?,?,00000080,00007FF62A3FE0D9), ref: 00007FF62A40AC73

Strings

InitializeCriticalSectionEx, xrefs: 00007FF62A40AC4D

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 41148a255deed3f099d9b59750151888df09d292735b3848e26d1491e9f6b49d
Instruction ID: 3956080469e7fcfcc69a77fb8b7f3343cff087c2b9957f07566e774d34892cc8
Opcode Fuzzy Hash: 41148a255deed3f099d9b59750151888df09d292735b3848e26d1491e9f6b49d
Instruction Fuzzy Hash: 2CF05E26B0CB8582EF488B41B8404B92261AF58B80F4940B6E94E87B55CEBCE5959742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF62A40AAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF62A40AACD
TlsSetValue.KERNEL32(?,?,0000E5C70E37496B,00007FF62A40734E,?,?,0000E5C70E37496B,00007FF62A3FCEE1,?,?,?,?,00007FF62A40B132,?,?,00000000), ref: 00007FF62A40AAE4

Strings

FlsSetValue, xrefs: 00007FF62A40AABA

Memory Dump Source

Source File: 00000000.00000002.386695866.00007FF62A3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62A3B0000, based on PE: true

Associated: 00000000.00000002.386691635.00007FF62A3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386740653.00007FF62A418000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386801040.00007FF62A4B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.386841327.00007FF62A4B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62a3b0000_4a9OE5cKJo.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 394a72498a06d0591151de0a82450a6e6af41c416f27c72c24d6ea0b6deb5b07
Instruction ID: af845bcf58e48c80b11ad738b462d02fa5c115f2d849b22e6ce58efb6a135202
Opcode Fuzzy Hash: 394a72498a06d0591151de0a82450a6e6af41c416f27c72c24d6ea0b6deb5b07
Instruction Fuzzy Hash: 82E06D62A0860282EF088B55FC105BA3222AF58780F8840B2D91D86695CEFCE8948743

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: zlogger.exePID: 5284, Parent PID: 5260COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	41.2%
Signature Coverage:	2%
Total number of Nodes:	153
Total number of Limit Nodes:	13

Executed Functions

Function 00401190 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 209
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00401190(signed int __ebx, void* __edi, void* __esi, void* __esp, void* __rbx, void* __rcx, void* __rdx, void* __rdi, void* __rsi, void* __rbp, void* __r9, void* __r12, void* __r13, void* __r14, void* __r15) {
				signed short _v116;
				signed char _v120;
				char _v168;
				_Unknown_base(*)()* _t31;
				void* _t33;
				intOrPtr _t37;
				signed int _t42;
				signed int _t44;
				signed short _t46;
				signed int _t47;
				signed int _t52;
				void* _t58;
				void* _t59;
				signed int _t61;
				void* _t63;
				void* _t82;
				intOrPtr* _t83;
				long long _t84;
				intOrPtr* _t85;
				signed short* _t86;
				intOrPtr* _t87;
				signed int* _t89;
				signed long long _t90;
				signed long long _t93;
				signed long long _t102;
				intOrPtr _t105;
				long long* _t106;
				intOrPtr _t111;
				signed int* _t112;
				signed short* _t113;
				signed long long _t117;
				void* _t120;
				signed short* _t121;
				signed long long _t130;
				void* _t132;
				void* _t134;
				intOrPtr _t135;
				signed long long _t140;
				void* _t143;
				void* _t144;

				_t144 = __r15;
				_t143 = __r14;
				_t138 = __r13;
				_t132 = __r9;
				_t120 = __rbp;
				_t59 = __esi;
				_t44 = __ebx;
				_push(__r13);
				_push(__r12);
				_push(__rbp);
				_push(__rdi);
				_push(__rsi);
				_push(__rbx);
				_t117 =  *0x420160; // 0x424220
				r9d =  *_t117;
				_t130 =  &_v168;
				memset(__edi, 0, 0xd << 0);
				_t63 = __esp + 0xc;
				_t58 = __edi + 0xd;
				_t46 = 0;
				if(r9d != 0) {
					GetStartupInfoW();
				}
				_t93 =  *0x420080; // 0x4241d0
				_t111 =  *((intOrPtr*)( *[gs:0x30] + 8));
				_t134 = Sleep;
				while(1) {
					_t82 = _t120;
					asm("lock dec eax");
					if(_t82 == 0) {
						break;
					}
					if(_t111 == _t82) {
						_t112 =  *0x420090; // 0x4241d8
						_t61 = 1;
						if( *_t112 != 1) {
							L6:
							if( *_t112 == 0) {
								_t105 =  *0x4200f0; // 0x427030
								 *_t112 = 1;
								L00409270();
							} else {
								 *0x42401c = 1;
							}
							_t29 =  *_t112;
							if( *_t112 == 1) {
								L42:
								_t105 =  *0x4200d0; // 0x427010
								L00409270(); // executed
								 *_t112 = 2;
								if(_t61 != 0) {
									goto L10;
								}
								goto L43;
							} else {
								L9:
								if(_t61 == 0) {
									L43:
									_t29 = 0;
									 *_t93 = _t82;
								}
								L10:
								_t83 =  *0x420000; // 0x41f5a0
								_t84 =  *_t83;
								if(_t84 != 0) {
									r8d = 0;
									_t46 = 0;
									_t29 =  *_t84();
								}
								E00409970(_t29, _t44, _t46, _t84, _t93, _t105, _t112, _t117, _t132, _t134, _t138, _t143, _t144);
								_t31 = SetUnhandledExceptionFilter(??);
								_t106 =  *0x420070; // 0x424260
								 *_t106 = _t84;
								_t33 = E00409780(E004092E0(_t31, 0x401000));
								_t85 =  *0x420020; // 0x400000
								 *0x424010 = _t85;
								E004094A0(_t33);
								_t47 = 0;
								_t86 =  *_t85;
								if(_t86 != 0) {
									while(1) {
										_t52 =  *_t86 & 0x0000ffff;
										if(_t52 <= 0x20) {
											goto L14;
										}
										r8d = _t47;
										r8d = r8d ^ 0x00000001;
										_t47 =  ==  ? r8d : _t47;
										L17:
										_t86 =  &(_t86[1]);
										continue;
										L14:
										if(_t52 == 0 || (_t47 & 0x00000001) == 0) {
											if(_t52 - 1 > 0x1f) {
												L23:
												 *0x424008 = _t86;
												goto L24;
											}
											asm("o16 nop [cs:eax+eax]");
											do {
												_t44 = _t86[1] & 0x0000ffff;
												_t86 =  &(_t86[1]);
											} while (_t93 - 1 <= 0x1f);
											goto L23;
										} else {
											_t47 = 1;
											goto L17;
										}
									}
								} else {
									L24:
									r8d =  *_t117;
									if(r8d != 0) {
										_t42 = 0xa;
										if((_v120 & 0x00000001) != 0) {
											_t42 = _v116 & 0x0000ffff;
										}
										 *0x416000 = _t42;
									}
									_t135 =  *0x424038;
									_t10 = _t135 + 1; // 0x7ffc400d3ca1
									r13d = _t10;
									_t140 = r13d << 3;
									_t102 = _t140;
									malloc(??);
									_t113 =  *0x424030;
									_t121 = _t86;
									if(r12d <= 0) {
										L35:
										 *_t86 = 0;
										 *0x424030 = _t121;
										E00409570(_t102, _t130);
										_t87 =  *0x420030; // 0x4256f4
										 *((long long*)( *_t87)) =  *0x424028;
										_t107 =  *0x424030; // executed
										_t37 = E00407AD0( *0x424038,  *0x424030,  *0x424028); // executed
										 *0x424024 = _t37;
										if( *0x424020 == 0) {
											exit();
											asm("o16 nop [eax+eax]");
											_t89 =  *0x420160; // 0x424220
											 *_t89 = 1;
											return E00401190(_t44, _t58, _t59, _t63, _t93, _t102, _t107, _t113, _t117, _t121, _t132, _t135, _t140, _t143, _t144);
										} else {
											if( *0x42401c == 0) {
												L00409280();
												return  *0x424024;
											} else {
												return _t37;
											}
										}
									} else {
										_t59 = 0;
										asm("o16 nop [eax+eax]");
										do {
											_t90 =  *((intOrPtr*)(_t113 + _t117 * 8));
											if( *_t90 == 0) {
												_t44 = 2;
												goto L33;
											}
											r8d = 1;
											do {
												_t130 = _t130 + 1;
											} while ( *((short*)(_t90 + _t130 * 2 - 2)) != 0);
											_t93 = _t130 + _t130;
											L33:
											malloc();
											_t130 = _t93;
											 *(_t121 + _t117 * 8) = _t90;
											_t102 = _t90;
											_t117 = _t117 + 1;
											memcpy(??, ??, ??);
										} while (_t135 != _t117);
										_t22 = _t140 - 8; // -8
										_t86 = _t121 + _t22;
										goto L35;
									}
								}
							}
						}
						L41:
						_t46 = 0x1f;
						L00409288();
						_t29 =  *_t112;
						if( *_t112 != 1) {
							goto L9;
						}
						goto L42;
					} else {
						_t46 = 0x3e8;
						Sleep(??);
						continue;
					}
				}
				_t112 =  *0x420090; // 0x4241d8
				_t61 = 0;
				if( *_t112 == 1) {
					goto L41;
				}
				goto L6;
			}

0x00401190
0x00401190
0x00401190
0x00401190
0x00401190
0x00401190
0x00401190
0x00401190
0x00401192
0x00401194
0x00401195
0x00401196
0x00401197
0x0040119f
0x004011ad
0x004011b0
0x004011b8
0x004011b8
0x004011b8
0x004011b8
0x004011be
0x0040148e
0x0040148e
0x004011cd
0x004011d4
0x004011da
0x004011f9
0x004011f9
0x004011fc
0x00401204
0x00000000
0x00000000
0x004011eb
0x00401434
0x0040143b
0x00401445
0x0040121a
0x0040121e
0x004014b4
0x004014c2
0x004014c8
0x00401224
0x00401224
0x00401224
0x0040122e
0x00401233
0x00401460
0x00401460
0x0040146e
0x00401473
0x0040147b
0x00000000
0x00000000
0x00000000
0x00401239
0x00401239
0x0040123b
0x00401481
0x00401481
0x00401483
0x00401483
0x00401241
0x00401241
0x00401248
0x0040124e
0x00401250
0x00401258
0x0040125a
0x0040125a
0x0040125c
0x00401268
0x0040126e
0x0040127c
0x00401284
0x00401289
0x00401290
0x00401297
0x0040129c
0x0040129e
0x004012a4
0x004012c3
0x004012c3
0x004012ca
0x00000000
0x00000000
0x004012cc
0x004012cf
0x004012d7
0x004012bf
0x004012bf
0x00000000
0x004012b0
0x004012b3
0x004012e4
0x00401301
0x00401301
0x00000000
0x00401301
0x004012e6
0x004012f0
0x004012f0
0x004012f4
0x004012fb
0x00000000
0x004012ba
0x004012ba
0x00000000
0x004012ba
0x004012b3
0x004012a6
0x00401308
0x00401308
0x0040130e
0x00401310
0x0040131a
0x0040142a
0x0040142a
0x00401320
0x00401320
0x00401326
0x0040132d
0x0040132d
0x00401335
0x00401339
0x0040133c
0x00401341
0x00401348
0x0040134e
0x004013ab
0x004013ab
0x004013b2
0x004013b9
0x004013be
0x004013d5
0x004013d8
0x004013df
0x004013ea
0x004013f2
0x004014d4
0x004014da
0x004014e4
0x004014eb
0x004014fc
0x004013f8
0x00401400
0x00401499
0x004014b3
0x00401406
0x00401415
0x00401415
0x00401400
0x00401350
0x00401350
0x00401352
0x00401358
0x00401358
0x00401360
0x00401420
0x00000000
0x00401420
0x00401366
0x00401370
0x00401370
0x00401374
0x0040137d
0x00401381
0x00401384
0x00401389
0x0040138c
0x00401395
0x00401398
0x0040139c
0x004013a1
0x004013a6
0x004013a6
0x00000000
0x004013a6
0x0040134e
0x004012a4
0x00401233
0x0040144b
0x0040144b
0x00401450
0x00401455
0x0040145a
0x00000000
0x00000000
0x00000000
0x004011f1
0x004011f1
0x004011f6
0x00000000
0x004011f6
0x004011eb
0x00401206
0x0040120d
0x00401214
0x00000000
0x00000000
0x00000000

APIs

Sleep.KERNEL32 ref: 004011F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00401268
malloc.MSVCRT ref: 0040133C
malloc.MSVCRT ref: 00401384
memcpy.MSVCRT ref: 0040139C
GetStartupInfoW.KERNEL32 ref: 0040148E

Strings

0pB, xrefs: 004014B4
BB, xrefs: 0040119F, 004014E4
`BB, xrefs: 0040126E

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpy
String ID: BB$0pB$`BB
API String ID: 772431862-1181020995
Opcode ID: 38015976cb09cd11ad34a48d63c92b1229232705b8ee252726c048b9d100ba9e
Instruction ID: 04cb549e0474e4be109dcf6d943baecd97e3c77fe01e65db1e17dca3bdd3f765
Opcode Fuzzy Hash: 38015976cb09cd11ad34a48d63c92b1229232705b8ee252726c048b9d100ba9e
Instruction Fuzzy Hash: 68818DB270170485EB25DF56E850B6A37A1F789B84F84803BEF09677A2DB3CC891C748

Uniqueness

Uniqueness Score: -1.00%

Function 042C0716 Relevance: 19.3, APIs: 7, Strings: 3, Instructions: 1823COMMON

Download Yara Rule

Strings

y, xrefs: 042C08B2
o, xrefs: 042C0BBC
e, xrefs: 042C08C6

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID:
String ID: e$o$y
API String ID: 0-872455156
Opcode ID: 37ba36260c6dc4331a6f698ba0a7c451673a61aaba07607eb23c441f7c34c136
Instruction ID: c826af6fcc567980db6da495ba11d06a18a5741c34a0cf8a52707aef39759aef
Opcode Fuzzy Hash: 37ba36260c6dc4331a6f698ba0a7c451673a61aaba07607eb23c441f7c34c136
Instruction Fuzzy Hash: 1FC28030728A4D8FDB29EF28C8897AAB3E1FB98305F54471DE48AC7251DB34E585CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03B2697A Relevance: 3.4, APIs: 2, Instructions: 406
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 03B269EF
LoadLibraryA.KERNEL32 ref: 03B26AF4

Memory Dump Source

Source File: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3ac0000_zlogger.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
Instruction ID: 03729aa51cdc2dcd6fa055d088fea616a2c329afe824606579e4a58e03f0e67a
Opcode Fuzzy Hash: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
Instruction Fuzzy Hash: 7AC1A530714A184BDB68EB28C4957AABBD5FB89308F1846BDD48FC7146DE70E9468A81

Uniqueness

Uniqueness Score: -1.00%

Function 03B271D2 Relevance: 1.8, APIs: 1, Instructions: 500
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 03B2724F

Memory Dump Source

Source File: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3ac0000_zlogger.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
Instruction ID: 363e37713e265ab4b15e9438d5e6151dbf944adf01e309ec9bc6f63df899e13e
Opcode Fuzzy Hash: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
Instruction Fuzzy Hash: 29E1A430618A198BCB28DF28C8866B6B7D5FB84319F54477DD89EC3252EF34E902C785

Uniqueness

Uniqueness Score: -1.00%

Function 042CA8D0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 042CA936

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: f0ee922a743b7d96a5a25618478022a0099b4373d23e49d29d8ca8a71e09c114
Instruction ID: 82983b06a6798700ff118cfa9472cdaab81e41525a6485e45a4c2a12fd4b63d3
Opcode Fuzzy Hash: f0ee922a743b7d96a5a25618478022a0099b4373d23e49d29d8ca8a71e09c114
Instruction Fuzzy Hash: 8411A970228B488FD745EF28C4487EA77D1FBA9309F4007AEA08DC71A1DB74D545C746

Uniqueness

Uniqueness Score: -1.00%

Function 00407AD0 Relevance: 59.7, APIs: 18, Strings: 16, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E00407AD0(signed int __ecx, signed long long __rdx, signed long long __r8) {
				signed long long _v80;
				signed long long _v84;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __r12;
				void* __r13;
				void* _t23;
				signed long long _t24;
				int _t35;
				signed long long _t36;
				signed int _t58;
				signed long long _t76;
				signed long long _t81;
				signed long long _t82;
				signed long long _t111;
				void* _t121;
				void* _t122;
				void* _t128;
				signed long long _t129;
				short* _t130;
				signed long long _t131;

				_t124 = __r8;
				_t76 =  *0x416040;
				_t131 = __rdx;
				_v80 = _t76;
				r12d = __ecx;
				_t23 =  *_t76();
				 *0x424178 = _t76;
				_t24 = E00402DF0(_t23, _t76,  *((intOrPtr*)(__rdx)));
				 *0x424108 = _t76;
				__imp___wgetenv();
				_v84 = 0;
				_t129 = _t76;
				if(_t76 == 0) {
					L3:
					r8d = 3;
					_t110 = L"wim";
					L00409178();
					r13d = _t24;
					if(_t24 == 0) {
						_t110 = L"wimlib-imagex";
						L00409198();
						__eflags = _t24;
						if(__eflags == 0) {
							goto L4;
						}
						_t81 = 0x41d4d0;
						_t110 = L"append";
						while(1) {
							_t76 =  *0x424108;
							L00409198();
							__eflags = _t24;
							if(_t24 == 0) {
								break;
							}
							r13d = r13d + 1;
							__eflags = r13d - 0xd;
							if(__eflags == 0) {
								goto L4;
							}
							_t110 =  *_t81;
							_t81 = _t81 + 0x10;
							__eflags = _t81;
						}
						 *0x416020 = r13d;
						L28:
						__eflags = r12d - 1;
						if(__eflags > 0) {
							L10:
							_t58 = 1;
							do {
								_t81 = _t58 << 3;
								_t130 =  *((intOrPtr*)(_t131 + _t81));
								if( *_t130 != 0x2d ||  *((short*)(_t130 + 2)) != 0x2d) {
									L11:
									_t58 = _t58 + 1;
									__eflags = _t58;
								} else {
									_t121 = _t130 + 4;
									L00409198();
									if(_t24 == 0) {
										_t76 = _v80;
										__eflags = r13d - 0xffffffff;
										if(r13d == 0xffffffff) {
											 *_t76();
											_t24 = E00403B00(_t76, _t81, _t76, _t121, _t122, _t124, 0x41d4c0, _t128);
										} else {
											 *_t76();
											_t24 = E00403630(r13d, _t76, _t76, _t124, 0x41d4c0, _t128, _t129);
										}
										L47:
										__eflags = 0;
										exit(??);
										L48:
										L00409198();
										__eflags = _t24;
										if(__eflags == 0) {
											L43:
											_v84 = 0x20;
											goto L3;
										}
										_t76 = _v80;
										 *_t76();
										_t24 = E004033B0(_t124, 0x41d4c0);
										goto L3;
									}
									L00409198();
									if(_t24 == 0) {
										L004090E8(); // executed
										_t81 = _t76;
										_t76 = _v80;
										 *_t76();
										_t124 = _t81;
										_t24 = E00401650(_t81, 0x41d4c0);
										goto L47;
									}
									_t111 = L"quiet";
									L00409198();
									if(_t24 == 0) {
										r8d = r12d;
										_t111 = _t131 + _t81 + 8;
										 *0x424178 = 0;
										r8d = r8d - _t58;
										r12d = r12d - 1;
										_t124 = r8d << 3;
										L004091B8();
										goto L12;
									}
									if( *((short*)(_t130 + 4)) != 0) {
										goto L11;
									}
									asm("o16 nop [eax+eax]");
									break;
								}
								L12:
								__eflags = r12d - _t58;
							} while (__eflags > 0);
							if(r13d == 0xffffffff) {
								_t110 =  *(_t131 + 8);
								E004024D0(L"Unrecognized command: `%ls\'\n",  *(_t131 + 8), _t124, 0x41d4c0);
								L53:
								 *_v80();
								E00403B00(_v80, _t81, _v80, _t121, _t122, _t124, 0x41d4c0, _t128);
								exit(??);
								L54:
								E004024D0(L"No command specified!\n", _t110, _t124, 0x41d4c0);
								goto L53;
							}
							L21:
							L00409030();
							L004090D0();
							r14d = _t24;
							if(_t24 != 0) {
								L24:
								if(r14d > 0) {
									L004090F8();
									_t125 = _t76;
									E004024D0(L"Exiting with error code %d:\n       %ls.", _t111, _t76, 0x41d4c0);
									__eflags = r14d - 0x2e;
									if(r14d == 0x2e) {
										__imp___errno();
										__eflags =  *_t76;
										if(__eflags != 0) {
											E004031C0(__eflags, _t76, L"errno", _t111, _t125, 0x41d4c0);
										}
									}
								}
								L25:
								L004090D8();
								return r14d;
							}
							r8d = r13d;
							_t111 = _t131;
							r14d =  *((intOrPtr*)(0x41d4c0 + (r13d << 4) + 8))();
							 *_v80();
							_t35 = ferror(??);
							_t73 = _t35;
							if(_t35 == 0) {
								_t76 = _v80;
								_t36 =  *_t76();
								L00409218();
								__eflags = _t36;
								if(__eflags != 0) {
									goto L23;
								}
								goto L24;
							}
							L23:
							E004031C0(_t73, _t76, L"error writing to standard output", _t111, _t124, 0x41d4c0);
							if(r14d == 0) {
								r14d = 0xffffffff;
								goto L25;
							}
							goto L24;
						}
						goto L21;
					}
					L4:
					if(r12d <= 1) {
						goto L54;
					} else {
						_t82 = 0x41d4d0;
						_t111 = L"append";
						r13d = 0;
						while(1) {
							L00409198();
							if(_t24 == 0) {
								break;
							}
							r13d = r13d + 1;
							if(r13d != 0xd) {
								_t111 =  *_t82;
								_t82 = _t82 + 0x10;
								__eflags = _t82;
								continue;
							} else {
								r13d = 0xffffffff;
								goto L10;
							}
						}
						r12d = r12d - 1;
						_t131 = _t131 + 8;
						__eflags = _t131;
						goto L28;
					}
				}
				L00409198();
				if(_t24 != 0) {
					L00409198();
					__eflags = _t24;
					if(__eflags == 0) {
						goto L2;
					}
					L00409198();
					__eflags = _t24;
					if(__eflags != 0) {
						goto L48;
					}
					goto L43;
				}
				L2:
				_v84 = 0x10;
				goto L3;
			}

0x00407ad0
0x00407ae0
0x00407ae7
0x00407aea
0x00407aef
0x00407af7
0x00407afc
0x00407b03
0x00407b0f
0x00407b16
0x00407b1c
0x00407b24
0x00407b2a
0x00407b4b
0x00407b52
0x00407b58
0x00407b5f
0x00407b64
0x00407b69
0x00407da7
0x00407dae
0x00407db3
0x00407db5
0x00000000
0x00000000
0x00407dbb
0x00407dc2
0x00407de5
0x00407de5
0x00407df0
0x00407df5
0x00407df7
0x00000000
0x00000000
0x00407dd0
0x00407dd4
0x00407dd8
0x00000000
0x00000000
0x00407dde
0x00407de1
0x00407de1
0x00407de1
0x00407df9
0x00407d18
0x00407d18
0x00407d1c
0x00407bb8
0x00407bb8
0x00407bc8
0x00407bcb
0x00407bd3
0x00407bdc
0x00407bc0
0x00407bc0
0x00407bc0
0x00407be6
0x00407be6
0x00407bf4
0x00407bfb
0x00407e3c
0x00407e46
0x00407e4a
0x00407ebb
0x00407ec0
0x00407e4c
0x00407e4c
0x00407e54
0x00407e54
0x00407e81
0x00407e81
0x00407e83
0x00407e88
0x00407e92
0x00407e97
0x00407e99
0x00407e2f
0x00407e2f
0x00000000
0x00407e2f
0x00407e9b
0x00407ea5
0x00407eb1
0x00000000
0x00407eb1
0x00407c0b
0x00407c12
0x00407e5b
0x00407e65
0x00407e68
0x00407e6d
0x00407e6f
0x00407e7c
0x00000000
0x00407e7c
0x00407c18
0x00407c22
0x00407c29
0x00407ce0
0x00407ce3
0x00407ceb
0x00407cf6
0x00407cf9
0x00407d00
0x00407d04
0x00000000
0x00407d04
0x00407c35
0x00000000
0x00000000
0x00407c37
0x00000000
0x00407c37
0x00407bc3
0x00407bc3
0x00407bc3
0x00407c44
0x00407ed2
0x00407edd
0x00407ee2
0x00407eec
0x00407ef1
0x00407efb
0x00407f00
0x00407f07
0x00000000
0x00407f07
0x00407c4a
0x00407c4f
0x00407c58
0x00407c5d
0x00407c62
0x00407cb4
0x00407cb7
0x00407d5b
0x00407d6a
0x00407d6d
0x00407d72
0x00407d76
0x00407d7c
0x00407d84
0x00407d86
0x00407d93
0x00407d93
0x00407d86
0x00407d76
0x00407cbd
0x00407cbd
0x00407cd5
0x00407cd5
0x00407c6e
0x00407c71
0x00407c85
0x00407c8d
0x00407c92
0x00407c97
0x00407c99
0x00407d35
0x00407d3a
0x00407d3f
0x00407d44
0x00407d46
0x00000000
0x00000000
0x00000000
0x00407d4c
0x00407c9f
0x00407ca6
0x00407cae
0x00407ec7
0x00000000
0x00407ec7
0x00000000
0x00407cae
0x00000000
0x00407d22
0x00407b6f
0x00407b73
0x00000000
0x00407b79
0x00407b79
0x00407b80
0x00407b87
0x00407b97
0x00407b9b
0x00407ba2
0x00000000
0x00000000
0x00407ba8
0x00407bb0
0x00407b90
0x00407b93
0x00407b93
0x00000000
0x00407bb2
0x00407bb2
0x00000000
0x00407bb2
0x00407bb0
0x00407d10
0x00407d14
0x00407d14
0x00000000
0x00407d14
0x00407b73
0x00407b36
0x00407b3d
0x00407e0f
0x00407e14
0x00407e16
0x00000000
0x00000000
0x00407e26
0x00407e2b
0x00407e2d
0x00000000
0x00000000
0x00000000
0x00407e2d
0x00407b43
0x00407b43
0x00000000

APIs

_wgetenv.MSVCRT ref: 00407B16
wcscmp.MSVCRT ref: 00407B36
wcsncmp.MSVCRT ref: 00407B5F
wcscmp.MSVCRT ref: 00407B9B
wcscmp.MSVCRT ref: 00407BF4
wcscmp.MSVCRT ref: 00407C0B
wcscmp.MSVCRT ref: 00407C22
wimlib_add_image_multisource.LIBWIM-15 ref: 00407C4F
wimlib_add_image_multisource.LIBWIM-15 ref: 00407C58
ferror.MSVCRT ref: 00407C92
wimlib_add_image_multisource.LIBWIM-15 ref: 00407CBD
wcscmp.MSVCRT ref: 00407E0F
wcscmp.MSVCRT ref: 00407E26

Strings

wimlib-imagex 1.13.4 (using wimlib %ls)Copyright (C) 2012-2021 Eric BiggersLicense GPLv3+; GNU GPL version 3 or later <http://gn, xrefs: 00407E72
WIMLIB_IMAGEX_IGNORE_CASE, xrefs: 00407B08
help, xrefs: 00407BEA
Exiting with error code %d: %ls., xrefs: 00407D63
wim, xrefs: 00407B58
wimlib-imagex, xrefs: 00407DA7
WARNING: Ignoring unknown setting of WIMLIB_IMAGEX_IGNORE_CASE, xrefs: 00407EA7
Unrecognized command: `%ls', xrefs: 00407ED6
, xrefs: 00407E2F
version, xrefs: 00407C01
error writing to standard output, xrefs: 00407C9F
errno, xrefs: 00407D8C
append, xrefs: 00407B80, 00407DC2
yes, xrefs: 00407E1C
No command specified!, xrefs: 00407F00
quiet, xrefs: 00407C18

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wcscmp$wimlib_add_image_multisource$_wgetenvferrorwcsncmp
String ID: $Exiting with error code %d: %ls.$No command specified!$Unrecognized command: `%ls'$WARNING: Ignoring unknown setting of WIMLIB_IMAGEX_IGNORE_CASE$WIMLIB_IMAGEX_IGNORE_CASE$append$errno$error writing to standard output$help$quiet$version$wim$wimlib-imagex$wimlib-imagex 1.13.4 (using wimlib %ls)Copyright (C) 2012-2021 Eric BiggersLicense GPLv3+; GNU GPL version 3 or later <http://gn$yes
API String ID: 3614735478-3904026371
Opcode ID: 15c662463b53c77f58d0a4082813601e3907aa32a5d7c0f7a694bfb0a244d763
Instruction ID: ff44718508ce0649e9f990faaadb8875705e224b93ddf986c4cf46110e52e09e
Opcode Fuzzy Hash: 15c662463b53c77f58d0a4082813601e3907aa32a5d7c0f7a694bfb0a244d763
Instruction Fuzzy Hash: 2991C771B0860180EA14EB22E8553AA2764FB8479CF44503BDE0E677E5EF7CE985C34E

Uniqueness

Uniqueness Score: -1.00%

Function 03B25C3A Relevance: 7.6, APIs: 5, Instructions: 125
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 03B25C54
VirtualProtect.KERNEL32 ref: 03B25CAC
VirtualProtect.KERNEL32 ref: 03B25CD5
VirtualProtect.KERNEL32 ref: 03B25D12
VirtualProtect.KERNEL32 ref: 03B25D36

Memory Dump Source

Source File: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3ac0000_zlogger.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
Instruction ID: 6937df343f0ffa8dbd3cceba4d256ac8f0024fb2f781dd64d441dd12c0b16947
Opcode Fuzzy Hash: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
Instruction Fuzzy Hash: 4331C43130CA184FDB18EA68E84966AB7D5FBC8350B0416AAEC4FC7285DE60DD4687C2

Uniqueness

Uniqueness Score: -1.00%

Function 03B25B2F Relevance: 7.6, APIs: 5, Instructions: 115
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 03B25B3C
VirtualProtect.KERNEL32 ref: 03B25B94
VirtualProtect.KERNEL32 ref: 03B25BBD
VirtualProtect.KERNEL32 ref: 03B25BFA
VirtualProtect.KERNEL32 ref: 03B25C1E

Memory Dump Source

Source File: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3ac0000_zlogger.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
Instruction ID: fe33faa1dfafbb689c3f6dd2283a683677475f4e0f526f77e3b8514b93f4969b
Opcode Fuzzy Hash: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
Instruction Fuzzy Hash: 1A31843130CA184F9B58FA5CD855269B7D6F7D8321B0407AAEC4FC7285ED60DD4687C1

Uniqueness

Uniqueness Score: -1.00%

Function 042CA480 Relevance: 6.2, APIs: 4, Instructions: 212
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32 ref: 042CA52D
gethostbyname.WS2_32 ref: 042CA58B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042CA69F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042CA6A5

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$gethostbynamegethostname
String ID:
API String ID: 2067056451-0
Opcode ID: dc4753650f7071aa8680986263f06eb7f16eb4ca3fdd3767a205333cb17a99b7
Instruction ID: bf8dbbb071c5e254f651a52791afa23dba10b57572e875d05d1ade54f9b234d7
Opcode Fuzzy Hash: dc4753650f7071aa8680986263f06eb7f16eb4ca3fdd3767a205333cb17a99b7
Instruction Fuzzy Hash: A951A330628E8C8FDBA4EF28C88876A77D1FB99315F504B6DE09AC71A4DB34D545CB42

Uniqueness

Uniqueness Score: -1.00%

Function 042CA720 Relevance: 1.6, APIs: 1, Instructions: 82
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32 ref: 042CA7A0

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: be99039dbe071a3069742d9559582be3b698ec99848f99023ab3a30cdb4c572c
Instruction ID: 673a51aecc7a96d694315a15f7eabbcc4963afe242895d64c4dd757bb476928c
Opcode Fuzzy Hash: be99039dbe071a3069742d9559582be3b698ec99848f99023ab3a30cdb4c572c
Instruction Fuzzy Hash: 1A21D870324B484FE766DF38C88877636E0FB59301F40066E945AC72A6DF348845C742

Uniqueness

Uniqueness Score: -1.00%

Function 042CA9D0 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 042CAA24

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: d65498d66351f69c7b2f13640577373e47cbd9f2c78fd8868ae2898f6ffac4c3
Instruction ID: e61e46b3d2784ba37abae57e660a78bdb6a1e846fc32f2119659b1acd0a0d200
Opcode Fuzzy Hash: d65498d66351f69c7b2f13640577373e47cbd9f2c78fd8868ae2898f6ffac4c3
Instruction Fuzzy Hash: 1801D130218A498FEB18EB65C9587ABB7F4FB81341F00092DE886C21A0DBB8D605CB02

Uniqueness

Uniqueness Score: -1.00%

Function 042E5D98 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 042E5DD6

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e35b832faf4368ea70c4ff160aea6e0d018fb60d87e6e91accf7f074044e7ead
Instruction ID: b2ea17eb416af6e4b7f842069957a1bee96455f571218a64e8ef5e1462ac48e6
Opcode Fuzzy Hash: e35b832faf4368ea70c4ff160aea6e0d018fb60d87e6e91accf7f074044e7ead
Instruction Fuzzy Hash: 14F01C20734E0B5AFB6877FB5CAC7392195EB58259FC405B5A816C22D0EEA4E8C09225

Uniqueness

Uniqueness Score: -1.00%

Function 03B25B22 Relevance: 1.5, APIs: 1, Instructions: 35
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 03B25B3C
VirtualProtect.KERNEL32 ref: 03B25B94
VirtualProtect.KERNEL32 ref: 03B25BBD
VirtualProtect.KERNEL32 ref: 03B25BFA
VirtualProtect.KERNEL32 ref: 03B25C1E

Memory Dump Source

Source File: 00000001.00000002.642909792.0000000003AC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3ac0000_zlogger.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
Instruction ID: 46d64433081b168cb986575158f3a7ae47b972834fe07c8614d651de176499df
Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
Instruction Fuzzy Hash: D5E0D83120CA1D1FE758D99DD84A6B26AD8D786275F00017FF54DC2101F045D8914391

Uniqueness

Uniqueness Score: -1.00%

Function 042CA990 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32 ref: 042CA9AF

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 316bb0c3a8a49ea694236808b0027a2f6ca78a1ce9228b4f91f615e04a34737d
Instruction ID: a576f2cb61458bc73cb16240e167db852caa6e10aad89f22dcf75fe818d11007
Opcode Fuzzy Hash: 316bb0c3a8a49ea694236808b0027a2f6ca78a1ce9228b4f91f615e04a34737d
Instruction Fuzzy Hash: D5E08661C4878447E70497208A541B673F1FBF6209F50670EF8C8A1051EF6956D48246

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 042B86F0 Relevance: 9.5, APIs: 6, Instructions: 489COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B8B79
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B8B7F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B8B85
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B8B8B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B8B91
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B8B97

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: bc8bf945b23a225c0df79873cb59277c8907ef4427313e96b9d2052687f1ff13
Instruction ID: e586d9a59a8a7fb2bc1fad958d8fb3100963e0c462d7715d0f4fb1afee32ebd5
Opcode Fuzzy Hash: bc8bf945b23a225c0df79873cb59277c8907ef4427313e96b9d2052687f1ff13
Instruction Fuzzy Hash: 3BE19530634E4D8FDB58FF28C888BDA77E1FBA9345F544A1AE489C7254DA74E580CB81

Uniqueness

Uniqueness Score: -1.00%

Function 004051B0 Relevance: 105.5, APIs: 25, Strings: 35, Instructions: 468
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004051B0(void* __ecx, signed long long __rax, void* __rdx) {
				void* __r12;
				void* __r13;
				void* _t132;
				signed int _t133;
				signed int _t140;
				signed char _t156;
				signed char _t157;
				signed int _t158;
				void* _t172;
				signed int _t173;
				signed short _t174;
				void* _t197;
				signed int _t199;
				signed int* _t203;
				signed long long _t204;
				void* _t208;
				void* _t209;
				signed int _t254;
				char* _t280;
				intOrPtr _t312;
				void* _t313;
				intOrPtr* _t315;
				long long* _t316;
				signed int* _t317;
				signed int* _t318;
				void* _t319;
				void* _t320;
				void* _t323;
				void* _t332;
				signed int* _t334;
				void* _t335;

				_t202 = __rax;
				_t320 = _t319 - 0x2d8;
				_t318 = _t320 + 0x80;
				r12d = 0;
				r13d = 1;
				 *((long long*)(_t318 - 0x20)) = 0;
				 *(_t318 - 0x18) = 0;
				 *((intOrPtr*)(_t318 - 0x40)) = 0;
				 *((long long*)(_t318 - 0x38)) = 0;
				 *((char*)(_t318 - 0x3a)) = 0;
				 *((char*)(_t318 - 0x39)) = 0;
				 *((char*)(_t318 - 0x3c)) = 0;
				 *((char*)(_t318 - 0x3b)) = 0;
				asm("o16 nop [cs:eax+eax]");
				 *((long long*)(_t320 + 0x20)) = 0;
				_t132 = E00408FE0();
				if(_t132 == 0xffffffff) {
					_t203 =  *0x4201c0; // 0x416038
					_t202 =  *_t203;
					_t172 = __ecx - _t132;
					_t315 = __rdx +  *_t203 * 8;
					_t133 = _t208 - 1;
					__eflags = _t133 - 3;
					if(_t133 > 3) {
						L4:
						r15d = 0xffffffff;
						 *0x416040();
						E00403630(7, _t202, _t202, 0x41717e, 0x41e020, _t332, _t335);
						L5:
						free();
						return r15d;
					}
					_t312 =  *_t315;
					__eflags = _t172 - 1;
					if(_t172 == 1) {
						_t204 = L"all";
						 *(_t318 - 0x48) = _t204;
						L13:
						 *((long long*)(_t320 + 0x20)) = 0;
						_t33 = _t318 - 0x28; // -39
						_t323 = _t33;
						L004090A8();
						r15d = _t133;
						__eflags = _t133;
						if(_t133 != 0) {
							goto L5;
						}
						_t36 = _t318 - 0x10; // -15
						_t209 = _t36;
						L004090E0();
						_t280 =  *(_t318 - 0x48);
						L00409068();
						r14d = _t133;
						__eflags = _t133;
						if(_t133 == 0) {
							_t280 = "0";
							L00409198();
							__eflags = _t133;
							if(_t133 != 0) {
								_t281 = _t312;
								E00403BB0( *(_t318 - 0x48), _t312, 0x401890);
								__eflags =  *((char*)(_t318 - 0x3b));
								if( *((char*)(_t318 - 0x3b)) != 0) {
									E004024D0(L"If you would like to set the boot index to 0, specify image \"0\" with the --boot flag.", _t281, _t323, 0x401890);
								}
								r15d = 0x12;
								L18:
								L00409108();
								goto L5;
							}
							__eflags =  *((char*)(_t318 - 0x3b));
							if( *((char*)(_t318 - 0x3b)) != 0) {
								L16:
								r10d =  *_t318;
								__eflags = r10d;
								if(r10d != 0) {
									L20:
									__eflags = r14d - 0xffffffff;
									if(r14d == 0xffffffff) {
										__eflags =  *_t318 - 1;
										if( *_t318 <= 1) {
											__eflags =  *(_t318 - 0x18);
											if( *(_t318 - 0x18) == 0) {
												__eflags =  *((char*)(_t318 - 0x3b));
												if( *((char*)(_t318 - 0x3b)) == 0) {
													L24:
													__eflags = r14d - 0xffffffff;
													if(r14d != 0xffffffff) {
														L37:
														__eflags =  *((char*)(_t318 - 0x3c));
														if( *((char*)(_t318 - 0x3c)) != 0) {
															L00409090();
														}
														__eflags =  *((char*)(_t318 - 0x39));
														if( *((char*)(_t318 - 0x39)) != 0) {
															_t174 = _t318[4] & 0x0000ffff;
															__eflags = _t174 - 1;
															if(_t174 != 1) {
																 *0x416040();
																r9d = _t174 & 0x0000ffff;
																r8d = _t318[4] & 0x0000ffff;
																_t133 = E00401650(_t323, 0x401890);
															}
															r9d = 0;
															_t323 = 0x403460;
															__eflags = 0;
															L004090B8();
														}
														__eflags =  *((char*)(_t318 - 0x3a));
														if( *((char*)(_t318 - 0x3a)) != 0) {
															_t133 =  *0x416040();
															L00409110();
															__eflags = _t133;
															if(_t133 == 0) {
																goto L43;
															}
															r15d = _t133;
															goto L18;
														} else {
															L43:
															__eflags =  *((long long*)(_t318 - 0x38));
															if( *((long long*)(_t318 - 0x38)) == 0) {
																L47:
																__eflags = r13b;
																if(r13b != 0) {
																	L00409098();
																}
																goto L18;
															}
															__imp___wfopen();
															__eflags = _t204;
															if(__eflags == 0) {
																r15d = 0xffffffff;
																E004031C0(__eflags, _t204, L"Failed to open the file \"%ls\" for writing",  *((intOrPtr*)(_t318 - 0x38)), _t323, 0x401890);
																goto L18;
															}
															L00409110();
															_t173 = _t133;
															_t140 = fclose(??);
															__eflags = _t140;
															if(_t140 != 0) {
																r15d = 0xffffffff;
																E004024D0(L"Failed to close the file \"%ls\"",  *((intOrPtr*)(_t318 - 0x38)), _t323, 0x401890);
																goto L18;
															}
															__eflags = _t173;
															if(_t173 != 0) {
																r15d = _t173;
																goto L18;
															}
															goto L47;
														}
													}
													__eflags = r13b;
													if(r13b == 0) {
														goto L37;
													}
													_t316 = __imp___putws;
													 *_t316();
													 *_t316();
													_t288 = _t312;
													_t313 = _t209;
													E004023A0(_t204, L"Path:           %ls\n", _t312, _t323, 0x401890);
													_t317 = _t318;
													E004023A0(_t204, L"GUID:           0x", _t312, _t323, 0x401890);
													do {
														_t313 = _t313 + 1;
														E004023A0(_t204, L"%02hhx", _t288, _t323, 0x401890);
														__eflags = _t313 - _t317;
													} while (_t313 != _t317);
													_t44 =  &(_t318[0x14]); // 0x51
													_t334 = _t44;
													 *0x416040();
													L004091F8();
													E004023A0(_t204, L"Version:        %u\n", _t204, _t323, 0x401890);
													E004023A0(_t204, L"Image Count:    %d\n", _t204, _t323, 0x401890);
													L00409100();
													E004023A0(_t204, L"Compression:    %ls\n", _t204, _t323, 0x401890);
													E004023A0(_t204, L"Chunk Size:     %u bytes\n", _t204, _t323, 0x401890);
													r8d = _t318[4] & 0x0000ffff;
													E004023A0(_t204, L"Part Number:    %d/%d\n", _t204, _t323, 0x401890);
													E004023A0(_t204, L"Boot Index:     %d\n", _t204, _t323, 0x401890);
													E004023A0(_t204, L"Size:           %llu bytes\n", _t318[6], _t323, 0x401890);
													r8d = 0;
													_t318[0x14] = r8w;
													__eflags = _t318[8] & 0x00000002;
													if((_t318[8] & 0x00000002) != 0) {
														L004091A8();
													}
													_t156 = _t318[8] & 0x000000ff;
													__eflags = _t156 & 0x00000001;
													if((_t156 & 0x00000001) != 0) {
														L004091A8();
														_t156 = _t318[8] & 0x000000ff;
													}
													__eflags = _t156 & 0x00000008;
													if((_t156 & 0x00000008) != 0) {
														L004091A8();
													}
													__eflags = _t318[8] & 0x00000001;
													if((_t318[8] & 0x00000001) != 0) {
														L004091A8();
													}
													_t157 = _t318[8] & 0x000000ff;
													__eflags = _t157;
													if(_t157 < 0) {
														L004091A8();
														_t157 = _t318[8] & 0x000000ff;
													}
													__eflags = _t157 & 0x00000010;
													if((_t157 & 0x00000010) != 0) {
														L004091A8();
													}
													L004091A0();
													_t67 =  &(_t318[0x15]); // 0x55
													__eflags = _t204 - _t67;
													if(_t204 >= _t67) {
														__eflags =  *((short*)(_t204 - 2)) - 0x20;
														if( *((short*)(_t204 - 2)) == 0x20) {
															__eflags =  *((short*)(_t204 - 4)) - 0x2c;
															if( *((short*)(_t204 - 4)) == 0x2c) {
																 *((short*)(_t204 - 4)) = 0;
															}
														}
													}
													_t133 = E004023A0(_t204, L"Attributes:     %ls\n\n", _t334, _t323, 0x401890);
													goto L37;
												}
												_t199 = 1;
												r14d = 1;
												L59:
												_t254 =  *0x424178;
												__eflags = _t199 - _t318[1];
												if(_t199 == _t318[1]) {
													__eflags = _t254;
													if(_t254 != 0) {
														r8d = r14d;
														E00401650(_t323, 0x401890);
													}
													L67:
													_t97 = _t318 - 0x20; // -31
													_t98 =  &(_t318[0x14]); // 0x51
													_t330 = _t98;
													r8d = r14d;
													_t158 = E004030A0(_t204, _t97,  *((intOrPtr*)(_t318 - 0x28)), _t98);
													r15d = _t158;
													__eflags = _t158;
													if(_t158 != 0) {
														L57:
														goto L18;
													}
													__eflags = _t318[0x14];
													if(_t318[0x14] != 0) {
														L64:
														r8d = 1;
														L004090A0();
														r15d = _t158;
														goto L57;
													}
													__eflags = r12b & 0x00000001;
													if((r12b & 0x00000001) == 0) {
														__eflags = r12b & 0x00000002;
														if((r12b & 0x00000002) == 0) {
															L72:
															__eflags =  *0x424178;
															if( *0x424178 != 0) {
																E00401650(_t312, _t330);
															}
															goto L57;
														}
														__eflags = _t318[8] & 0x00000001;
														if((_t318[8] & 0x00000001) == 0) {
															goto L72;
														}
														goto L64;
													}
													__eflags = _t318[8] & 0x00000001;
													if((_t318[8] & 0x00000001) == 0) {
														goto L64;
													}
													__eflags = r12b & 0x00000002;
													if((r12b & 0x00000002) != 0) {
														goto L64;
													}
													goto L72;
												}
												__eflags = _t254;
												if(_t254 != 0) {
													r8d = r14d;
													_t133 = E00401650(_t323, 0x401890);
												}
												r8d = 4;
												_t318[1] = _t199;
												L00409028();
												r15d = _t133;
												__eflags = _t133;
												if(_t133 != 0) {
													goto L57;
												} else {
													_t92 = _t318 - 0x20; // -31
													_t93 =  &(_t318[0x14]); // 0x51
													r8d = r14d;
													_t158 = E004030A0(_t204, _t92,  *((intOrPtr*)(_t318 - 0x28)), _t93);
													r15d = _t158;
													__eflags = _t158;
													if(_t158 != 0) {
														goto L57;
													}
													goto L64;
												}
											}
											r14d = 1;
											L66:
											__eflags =  *((char*)(_t318 - 0x3b));
											if( *((char*)(_t318 - 0x3b)) != 0) {
												L58:
												_t199 = r14d;
												goto L59;
											}
											goto L67;
										}
										__eflags =  *((char*)(_t318 - 0x3b));
										if( *((char*)(_t318 - 0x3b)) != 0) {
											r15d = 0x12;
											E004024D0(L"Cannot specify the --boot flag without specifying a specific image in a multi-image WIM", _t280, _t323, 0x401890);
											goto L18;
										}
										r9d =  *(_t318 - 0x18);
										__eflags = r9d;
										if(r9d == 0) {
											goto L24;
										}
										r15d = 0x12;
										E004024D0(L"Can\'t change image properties without specifying a specific image in a multi-image WIM", _t280, _t323, 0x401890);
										goto L18;
									}
									__eflags =  *(_t318 - 0x18);
									if( *(_t318 - 0x18) != 0) {
										__eflags = r14d;
										if(r14d == 0) {
											L56:
											r15d = 0xffffffff;
											E004024D0(L"Cannot change image properties when using image 0", _t280, _t323, 0x401890);
											goto L57;
										}
										goto L66;
									}
									__eflags =  *((char*)(_t318 - 0x3b));
									if( *((char*)(_t318 - 0x3b)) != 0) {
										goto L58;
									}
									__eflags = r14d;
									if(r14d == 0) {
										L90:
										r15d = 0x12;
										E004024D0(L"\"%ls\" is not a valid image in \"%ls\"",  *(_t318 - 0x48), _t312, 0x401890);
										goto L18;
									}
									goto L24;
								}
								r15d = 0x12;
								E004024D0(L"--boot is meaningless on a WIM with no images", _t280, _t323, 0x401890);
								goto L18;
							}
							__eflags =  *(_t318 - 0x18);
							if( *(_t318 - 0x18) == 0) {
								goto L90;
							}
							goto L56;
						}
						__eflags =  *((char*)(_t318 - 0x3b));
						if( *((char*)(_t318 - 0x3b)) == 0) {
							goto L20;
						}
						goto L16;
					}
					_t204 =  *((intOrPtr*)(_t315 + 8));
					 *(_t318 - 0x48) = _t204;
					__eflags = _t172 - 2;
					if(_t172 == 2) {
						goto L13;
					}
					L00409180();
					_t204 = _t204 + _t204 + 0x0000001b & 0xfffffff0;
					E0040A470(_t133);
					_t320 = _t320 - _t204;
					_t24 = _t318 - 0x20; // -31
					_t337 = _t24;
					E0040A630(_t320 + 0x30, L"NAME=%ls",  *((intOrPtr*)(_t315 + 0x10)), 0x41e020);
					_t133 = E00402550(_t197, _t204, _t24, _t320 + 0x30);
					r15d = _t133;
					__eflags = _t133;
					if(_t133 != 0) {
						goto L5;
					}
					__eflags = _t172 - 4;
					if(_t172 != 4) {
						goto L13;
					}
					L00409180();
					_t204 = _t204 + _t204 + 0x00000029 & 0xfffffff0;
					E0040A470(_t133);
					_t320 = _t320 - _t204;
					E0040A630(_t320 + 0x30, L"DESCRIPTION=%ls",  *((intOrPtr*)(_t315 + 0x18)), 0x41e020);
					_t133 = E00402550(_t197, _t204, _t337, _t320 + 0x30);
					r15d = _t133;
					__eflags = _t133;
					if(_t133 != 0) {
						goto L5;
					} else {
						asm("o16 nop [eax+eax]");
						goto L13;
					}
				} else {
					if(_t132 > 0x3e) {
						goto L4;
					} else {
						_t202 =  *((intOrPtr*)(0x41a5f0 + _t202 * 4)) + 0x41a5f0;
						goto __rax;
					}
				}
			}

0x004051b0
0x004051bc
0x004051c3
0x004051d2
0x004051d5
0x004051e2
0x004051ef
0x004051f7
0x004051fe
0x00405206
0x0040520a
0x0040520e
0x00405212
0x00405216
0x00405220
0x0040523c
0x00405244
0x00405320
0x00405327
0x0040532a
0x0040532c
0x00405330
0x00405333
0x00405336
0x00405260
0x00405265
0x0040526b
0x00405279
0x0040527e
0x00405282
0x0040529d
0x0040529d
0x0040533c
0x0040533f
0x00405342
0x004054a0
0x004054a7
0x004053f8
0x004053f8
0x00405404
0x00405404
0x00405412
0x00405417
0x0040541a
0x0040541c
0x00000000
0x00000000
0x00405426
0x00405426
0x0040542d
0x00405432
0x0040543a
0x0040543f
0x00405442
0x00405444
0x00405754
0x0040575b
0x00405760
0x00405762
0x004058af
0x004058b2
0x004058b7
0x004058bb
0x004059a0
0x004059a0
0x004058c5
0x00405470
0x00405470
0x00000000
0x00405470
0x00405768
0x0040576c
0x00405450
0x00405450
0x00405454
0x00405457
0x004054b0
0x004054b0
0x004054b4
0x0040570f
0x00405713
0x00405898
0x0040589a
0x00405946
0x0040594a
0x004054d8
0x004054d8
0x004054dc
0x00405645
0x00405645
0x00405649
0x004058dd
0x004058dd
0x0040564f
0x00405653
0x00405655
0x00405659
0x0040565d
0x00405668
0x0040566e
0x0040567c
0x0040567f
0x0040567f
0x00405688
0x0040568b
0x00405692
0x00405694
0x00405694
0x00405699
0x0040569d
0x00405905
0x00405912
0x00405917
0x00405919
0x00000000
0x00000000
0x00405923
0x00000000
0x004056a3
0x004056a3
0x004056a3
0x004056a8
0x004056f5
0x004056f5
0x004056f8
0x00405701
0x00405706
0x00000000
0x004056f8
0x004056b9
0x004056c2
0x004056c5
0x004059dc
0x004059e2
0x00000000
0x004059e7
0x004056d2
0x004056da
0x004056dc
0x004056e1
0x004056e3
0x004059bd
0x004059c3
0x00000000
0x004059c8
0x004056ed
0x004056ef
0x004059aa
0x00000000
0x004059aa
0x00000000
0x004056ef
0x0040569d
0x004054e2
0x004054e5
0x00000000
0x00000000
0x004054eb
0x004054f9
0x00405502
0x00405504
0x0040550e
0x00405511
0x0040551d
0x00405527
0x0040552c
0x0040552f
0x00405536
0x0040553b
0x0040553b
0x00405545
0x00405545
0x00405549
0x00405557
0x00405566
0x00405575
0x0040557d
0x0040558c
0x0040559b
0x004055a0
0x004055b0
0x004055bf
0x004055cf
0x004055d4
0x004055d7
0x004055dc
0x004055e0
0x00405a26
0x00405a26
0x004055e6
0x004055ea
0x004055ec
0x00405a0e
0x00405a13
0x00405a13
0x004055f2
0x004055f4
0x004059fa
0x004059fa
0x004055fa
0x004055fe
0x00405a52
0x00405a52
0x00405604
0x00405608
0x0040560a
0x00405a3a
0x00405a3f
0x00405a3f
0x00405610
0x00405612
0x00405a66
0x00405a66
0x0040561d
0x00405622
0x00405626
0x00405629
0x0040562b
0x00405630
0x00405a70
0x00405a75
0x00405a7b
0x00405a7b
0x00405a75
0x00405630
0x00405640
0x00000000
0x00405640
0x00405950
0x00405955
0x0040579b
0x0040579b
0x004057a2
0x004057a5
0x0040587f
0x00405882
0x00405884
0x0040588e
0x0040588e
0x00405820
0x00405824
0x00405828
0x00405828
0x0040582c
0x0040582f
0x00405834
0x00405837
0x00405839
0x0040578f
0x00000000
0x0040578f
0x0040583f
0x00405843
0x004057f6
0x004057fa
0x00405803
0x00405808
0x00000000
0x00405808
0x00405845
0x00405849
0x004058e7
0x004058eb
0x0040585b
0x00405862
0x00405865
0x00405875
0x00405875
0x00000000
0x00405865
0x004058f1
0x004058f5
0x00000000
0x00000000
0x00000000
0x004058fb
0x0040584f
0x00405853
0x00000000
0x00000000
0x00405855
0x00405859
0x00000000
0x00000000
0x00000000
0x00405859
0x004057ab
0x004057ae
0x004057b0
0x004057ba
0x004057ba
0x004057c3
0x004057cc
0x004057cf
0x004057d4
0x004057d7
0x004057d9
0x00000000
0x004057db
0x004057df
0x004057e3
0x004057e7
0x004057ea
0x004057ef
0x004057f2
0x004057f4
0x00000000
0x00000000
0x00000000
0x004057f4
0x004057d9
0x004058a0
0x00405816
0x00405816
0x0040581a
0x00405798
0x00405798
0x00000000
0x00405798
0x00000000
0x0040581a
0x00405719
0x0040571d
0x00405932
0x00405938
0x00000000
0x0040593d
0x00405723
0x00405727
0x0040572a
0x00000000
0x00000000
0x00405737
0x0040573d
0x00000000
0x00405742
0x004054bd
0x004054bf
0x0040580d
0x00405810
0x0040577d
0x00405784
0x0040578a
0x00000000
0x0040578a
0x00000000
0x00405810
0x004054c5
0x004054c9
0x00000000
0x00000000
0x004054cf
0x004054d2
0x00405960
0x0040596e
0x00405974
0x00000000
0x00405979
0x00000000
0x004054d2
0x00405460
0x00405466
0x00000000
0x0040546b
0x00405775
0x00405777
0x00000000
0x00000000
0x00000000
0x00405777
0x0040544a
0x0040544e
0x00000000
0x00000000
0x00000000
0x0040544e
0x00405348
0x0040534c
0x00405350
0x00405353
0x00000000
0x00000000
0x0040535d
0x00405367
0x0040536b
0x0040537b
0x0040537e
0x0040537e
0x0040538a
0x00405395
0x0040539a
0x0040539d
0x0040539f
0x00000000
0x00000000
0x004053a5
0x004053a8
0x00000000
0x00000000
0x004053ae
0x004053b8
0x004053bc
0x004053cc
0x004053d7
0x004053e2
0x004053e7
0x004053ea
0x004053ec
0x00000000
0x004053f2
0x004053f2
0x00000000
0x004053f2
0x0040524a
0x0040524d
0x00000000
0x00405251
0x00405255
0x00405258
0x00405258
0x0040524d

APIs

free.MSVCRT ref: 00405282
wcslen.MSVCRT ref: 0040535D
wcslen.MSVCRT ref: 004053AE
wimlib_add_image_multisource.LIBWIM-15 ref: 00405412
wimlib_add_image_multisource.LIBWIM-15 ref: 0040542D
wimlib_add_image_multisource.LIBWIM-15 ref: 0040543A
wimlib_add_image_multisource.LIBWIM-15 ref: 00405470

Strings

8`A, xrefs: 00405320
Path: %ls, xrefs: 00405507
Resource only, , xrefs: 00405A48
Attributes: %ls, xrefs: 00405639
Chunk Size: %u bytes, xrefs: 00405594
Failed to close the file "%ls", xrefs: 004059B6
If you would like to set the boot index to 0, specify image "0" with the --boot flag., xrefs: 00405999
Metadata only, , xrefs: 00405A30
Cannot change image properties when using image 0, xrefs: 0040577D
Part Number: %d/%d, xrefs: 004055A9
--boot is meaningless on a WIM with no images, xrefs: 00405459
Integrity info, , xrefs: 00405A04
----------------, xrefs: 004054FB
Size: %llu bytes, xrefs: 004055C8
Boot Index: %d, xrefs: 004055B8
all, xrefs: 004054A0
Version: %u, xrefs: 0040555F
Failed to open the file "%ls" for writing, xrefs: 004059D5
The file "%ls" was not modified because nothing needed to be done., xrefs: 0040586E
Cannot specify the --boot flag without specifying a specific image in a multi-image WIM, xrefs: 0040592B
Relative path junction, , xrefs: 004059F0
Compression: %ls, xrefs: 00405582
GUID: 0x, xrefs: 00405516
Warning: Only showing the blobs for part %d of a %d-part WIM., xrefs: 00405672
Readonly, , xrefs: 00405A5C
NAME=%ls, xrefs: 00405370
DESCRIPTION=%ls, xrefs: 004053C1
"%ls" is not a valid image in "%ls", xrefs: 00405964
Marking image %d as bootable., xrefs: 004057B3
Can't change image properties without specifying a specific image in a multi-image WIM, xrefs: 00405730
%02hhx, xrefs: 00405520
Image Count: %d, xrefs: 0040556E
WIM Information:, xrefs: 004054F2
Image %d is already marked as bootable., xrefs: 00405887
Pipable, , xrefs: 00405A1C

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$wcslen$free
String ID: "%ls" is not a valid image in "%ls"$%02hhx$----------------$--boot is meaningless on a WIM with no images$8`A$Attributes: %ls$Boot Index: %d$Can't change image properties without specifying a specific image in a multi-image WIM$Cannot change image properties when using image 0$Cannot specify the --boot flag without specifying a specific image in a multi-image WIM$Chunk Size: %u bytes$Compression: %ls$DESCRIPTION=%ls$Failed to close the file "%ls"$Failed to open the file "%ls" for writing$GUID: 0x$If you would like to set the boot index to 0, specify image "0" with the --boot flag.$Image %d is already marked as bootable.$Image Count: %d$Integrity info, $Marking image %d as bootable.$Metadata only, $NAME=%ls$Part Number: %d/%d$Path: %ls$Pipable, $Readonly, $Relative path junction, $Resource only, $Size: %llu bytes$The file "%ls" was not modified because nothing needed to be done.$Version: %u$WIM Information:$Warning: Only showing the blobs for part %d of a %d-part WIM.$all
API String ID: 1016351787-91234022
Opcode ID: b6211759eb43bb335f75545e9ae3b53865fb3919a9b3b8bd58be2b9369086f26
Instruction ID: 88a3f0e4424c65e5f5a1b5e274b89d5711ada9b55dba5f1d41207f9abf58df46
Opcode Fuzzy Hash: b6211759eb43bb335f75545e9ae3b53865fb3919a9b3b8bd58be2b9369086f26
Instruction Fuzzy Hash: 7012AC72700A4199EB10EB62D8583EF2760E7847ACF84512BDE0A777D9DB7CC885CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 70.4, APIs: 30, Strings: 10, Instructions: 363
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00406CA0(void* __ecx, signed long long __rax, void* __rdx) {
				intOrPtr _v132;
				char _v168;
				signed int _v228;
				short _v230;
				short _v232;
				void* _v236;
				signed int _v244;
				void* _v264;
				signed short _v322;
				char _v328;
				signed int _v336;
				long long _v344;
				char _v352;
				char _v360;
				long long _v368;
				long long _v376;
				signed long long _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				intOrPtr _v416;
				signed int _v424;
				void* __r12;
				void* __r13;
				signed int _t103;
				signed int _t107;
				signed int _t108;
				signed int _t115;
				signed int _t118;
				signed int _t123;
				void* _t127;
				signed int _t137;
				signed int _t152;
				signed long long _t156;
				signed int* _t157;
				long long* _t163;
				char* _t201;
				intOrPtr _t216;
				void* _t217;
				signed int _t218;
				intOrPtr _t222;
				intOrPtr _t225;
				void* _t226;
				void* _t227;

				_t156 = __rax;
				r14d = 0xffffffff;
				_t152 = 0xffffffff;
				r12d = 0;
				r13d = 8;
				_v344 = 0;
				_v336 = 0;
				_v392 = 0xffffffff;
				_v396 = 0xffffffff;
				_v400 = 0;
				_v388 = 0;
				_v424 = 0;
				_t103 = E00408FE0();
				if(_t103 == 0xffffffff) {
					_t157 =  *0x4201c0; // 0x416038
					_t156 = __rdx +  *_t157 * 8;
					_t127 = __ecx - _t103;
					__eflags = _t217 - 3 - 2;
					if(_t217 - 3 > 2) {
						L4:
						 *0x416040();
						E00403630(5, _t156, _t156, 0x41717e, 0x41e520, _t226, _t227);
						r15d = 0xffffffff;
						L6:
						free();
						return r15d;
					}
					_t216 =  *_t156;
					_t218 =  *((intOrPtr*)(_t156 + 0x10));
					_v376 =  *((intOrPtr*)(_t156 + 8));
					__eflags = _t127 - 3;
					if(_t127 == 3) {
						_v368 = 0;
						_v384 = 0;
					} else {
						_v384 = 0;
						_v368 =  *((intOrPtr*)(_t156 + 0x18));
						__eflags = _t127 - 5;
						if(_t127 == 5) {
							_t156 =  *((intOrPtr*)(_t156 + 0x20));
							_v384 = _t156;
						}
					}
					_v424 = 0;
					_t137 = _v388;
					_t221 =  &_v360;
					_t224 = 0x401890;
					L004090A8();
					r15d = _t103;
					__eflags = _t103;
					if(_t103 != 0) {
						goto L6;
					} else {
						L004090E0();
						_t201 = "-";
						L00409198();
						__eflags = _t103;
						if(_t103 != 0) {
							_t163 = __imp___errno;
							_t107 =  *_t163();
							 *_t156 = 2;
							__eflags = _t218;
							if(_t218 == 0) {
								goto L16;
							}
							_t201 =  &_v328;
							__imp___wstat64();
							__eflags = _t107;
							if(_t107 != 0) {
								goto L16;
							}
							_t118 = _v322 & 0xf000;
							_t118 - 0x8000 = _t118 - 0x3000;
							_t108 = _t118 & 0xffffff00 | _t118 != 0x00003000;
							_t123 = (_t137 & 0xffffff00 | _t118 != 0x00008000) & _t108;
							__eflags = _t123;
							if(_t123 != 0) {
								r15d = 0xffffffff;
								E004024D0(L"\"%ls\" is not a regular file or block device", _t218,  &_v360, 0x401890);
								goto L47;
							}
							_t224 = 0x401890;
							_t221 =  &_v352;
							_v424 = 0;
							L004090A8();
							r15d = _t108;
							__eflags = _t108;
							if(_t108 != 0) {
								goto L47;
							}
							__eflags = _t152 - 0xffffffff;
							if(_t152 == 0xffffffff) {
								goto L33;
							}
							L004090E0();
							__eflags = _v132 - _t152;
							if(_v132 != _t152) {
								r15d = 0xffffffff;
								E004024D0(L"Cannot specify a compression type that is not the same as that used in the destination WIM",  &_v168,  &_v352, 0x401890);
								goto L46;
							}
							goto L33;
						} else {
							r12d = r12d | 0x00000004;
							__eflags =  *0x424178;
							if( *0x424178 != 0) {
								 *0x416040();
								 *0x424178 = _t156;
							}
							__eflags = 0;
							E004080C0();
							_t163 = __imp___errno;
							 *_t163();
							 *_t156 = 2;
							L16:
							_t108 =  *_t163();
							__eflags =  *_t156 - 2;
							if(__eflags != 0) {
								r15d = 0xffffffff;
								E004031C0(__eflags, _t156, L"Cannot stat file \"%ls\"", _t218, _t221, _t224);
								L47:
								L00409108();
								goto L6;
							}
							__eflags = r12d & 0x00008000;
							if((r12d & 0x00008000) != 0) {
								r15d = 0xffffffff;
								E004024D0(L"\'--unsafe-compact\' is only valid when exporting to an existing WIM file!", _t201, _t221, _t224);
								goto L47;
							}
							__eflags = _t152 - 0xffffffff;
							if(_t152 == 0xffffffff) {
								__eflags = r12d & 0x00001000;
								if((r12d & 0x00001000) != 0) {
									_t152 = 3;
									L54:
									L00409148();
									r15d = _t108;
									__eflags = _t108;
									if(_t108 != 0) {
										goto L47;
									}
									r8d = 0;
									L00409070();
									L22:
									_t123 = 1;
									__eflags = _v228 - _t152;
									if(_v228 != _t152) {
										L33:
										__eflags = r14d - 0xffffffff;
										if(r14d != 0xffffffff) {
											L24:
											L00409050();
											r15d = _t108;
											__eflags = _t108;
											if(_t108 == 0) {
												goto L34;
											}
											L46:
											L00409108();
											goto L47;
										}
										L34:
										__eflags = _v392 - 0xffffffff;
										if(_v392 == 0xffffffff) {
											L36:
											__eflags = _v396 - 0xffffffff;
											if(_v396 == 0xffffffff) {
												L38:
												_t205 = _v376;
												L00409068();
												r14d = _t108;
												__eflags = _t108;
												if(_t108 == 0) {
													_t205 = _t216;
													_t108 = E00403BB0(_v376, _t216, _t224);
													r15d = _t108;
													__eflags = _t108;
													if(_t108 != 0) {
														goto L46;
													}
													r8d = _v336;
													__eflags = r8d;
													if(r8d == 0) {
														L42:
														_v416 = r13d;
														_t225 = _v368;
														_t222 = _v352;
														_v424 = _v384;
														L00409138();
														r15d = _t108;
														__eflags = _t108;
														if(_t108 != 0) {
															__eflags = _t108 - 0x37;
															if(_t108 == 0x37) {
																__eflags = _v230 - 1;
																if(_v230 <= 1) {
																	E004024D0(L"If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based.", _t205, _t222, _t225);
																} else {
																	__eflags = _v336;
																	if(_v336 != 0) {
																		E004024D0(L"Perhaps the \'--ref\' argument did not specify all other parts of the split WIM?", _t205, _t222, _t225);
																	} else {
																		E004024D0(L"\"%ls\" is part of a split WIM. Use --ref to specify the other parts.", _t216, _t222, _t225);
																	}
																}
															} else {
																__eflags = _t108 - 0x24;
																if(_t108 == 0x24) {
																	__eflags = _v232 - 1;
																	if(_v232 != 1) {
																		E004024D0(L"\"%ls\" is not the first part of the split WIM.\n       You must specify the first part.", _t216, _t222, _t225);
																	}
																}
															}
														} else {
															__eflags = _t123;
															if(_t123 == 0) {
																r8d = _v400;
																L004090A0();
																r15d = _t108;
															} else {
																_t115 = _v400;
																r9d = r12d;
																r8d = 0xffffffff;
																_v424 = _t115;
																__eflags = _t218;
																if(_t218 == 0) {
																	L00409000();
																	r15d = _t115;
																} else {
																	L00409008();
																	r15d = _t115;
																}
															}
														}
														goto L46;
													}
													_t108 = _v388;
													_t205 = _v344;
													r9d = 1;
													_v424 = _t108;
													L00409088();
													r15d = _t108;
													__eflags = _t108;
													if(_t108 == 0) {
														goto L42;
													}
													goto L46;
												}
												r8d = _v336;
												__eflags = r8d;
												if(r8d != 0) {
													_t108 = _v388;
													_t205 = _v344;
													r9d = 1;
													_v424 = _t108;
													L00409088();
													r15d = _t108;
													__eflags = _t108;
													if(_t108 == 0) {
														goto L40;
													}
													goto L46;
												}
												L40:
												__eflags = r14d - 0xffffffff;
												if(r14d != 0xffffffff) {
													goto L42;
												}
												__eflags = r13b & 0x00000001;
												if((r13b & 0x00000001) != 0) {
													_t108 = _v244;
													__eflags = _t108;
													if(_t108 != 0) {
														goto L42;
													}
													r15d = r15d | 0xffffffff;
													E004024D0(L"--boot specified for all-images export, but source WIM has no bootable image.", _t205, _t221, _t224);
													goto L46;
												}
												goto L42;
											}
											L00409040();
											r15d = _t108;
											__eflags = _t108;
											if(_t108 != 0) {
												goto L46;
											}
											goto L38;
										}
										L00409038();
										r15d = _t108;
										__eflags = _t108;
										if(_t108 != 0) {
											goto L46;
										}
										goto L36;
									}
									__eflags = r14d - 0xffffffff;
									if(r14d == 0xffffffff) {
										L00409050();
										goto L34;
									}
									goto L24;
								}
								__eflags = r13b & 0x00000010;
								if((r13b & 0x00000010) != 0) {
									L00409148();
									r15d = _t108;
									__eflags = _t108;
									if(_t108 != 0) {
										goto L47;
									}
									r8d = 0;
									__eflags = r8d;
									L00409070();
									L69:
									_t123 = 1;
									L00409050();
									goto L33;
								}
								_t152 = _v228;
								goto L54;
							}
							L00409148();
							r15d = _t108;
							__eflags = _t108;
							if(_t108 != 0) {
								goto L47;
							}
							r8d = 0;
							L00409070();
							__eflags = r13b & 0x00000010;
							if((r13b & 0x00000010) == 0) {
								goto L22;
							}
							__eflags = _t152 - 1;
							if(_t152 == 1) {
								goto L69;
							}
							goto L22;
						}
					}
				} else {
					if(_t103 > 0x3d) {
						goto L4;
					} else {
						_t156 =  *((intOrPtr*)(0x41b72c + _t156 * 4)) + 0x41b72c;
						goto __rax;
					}
				}
			}

0x00406ca0
0x00406cb3
0x00406cb9
0x00406cbe
0x00406cc1
0x00406cce
0x00406cdc
0x00406ce5
0x00406ced
0x00406cf5
0x00406cfd
0x00406d08
0x00406d24
0x00406d2c
0x00406f70
0x00406f7c
0x00406f83
0x00406f85
0x00406f88
0x00406d48
0x00406d4d
0x00406d5b
0x00406d60
0x00406d66
0x00406d6b
0x00406d86
0x00406d86
0x00406f92
0x00406f95
0x00406f99
0x00406f9e
0x00406fa1
0x004070f0
0x004070f9
0x00406fa7
0x00406fa7
0x00406fb4
0x00406fb9
0x00406fbc
0x00406fbe
0x00406fc2
0x00406fc2
0x00406fbc
0x00406fc7
0x00406fd0
0x00406fd4
0x00406fdc
0x00406fe3
0x00406fe8
0x00406feb
0x00406fed
0x00000000
0x00406ff3
0x00407000
0x00407005
0x0040700f
0x00407014
0x00407016
0x00407107
0x0040710e
0x00407110
0x00407116
0x00407119
0x00000000
0x00000000
0x0040711f
0x0040712a
0x00407130
0x00407132
0x00000000
0x00000000
0x00407140
0x0040714d
0x00407152
0x00407157
0x00407157
0x00407159
0x004072e5
0x004072eb
0x00000000
0x004072eb
0x00407163
0x0040716a
0x00407172
0x0040717e
0x00407183
0x00407186
0x00407188
0x00000000
0x00000000
0x0040718e
0x00407191
0x00000000
0x00000000
0x004071a0
0x004071a5
0x004071ac
0x004074a1
0x004074a7
0x00000000
0x004074a7
0x00000000
0x0040701c
0x0040701c
0x00407020
0x00407028
0x0040702f
0x00407035
0x00407035
0x00407041
0x00407043
0x00407048
0x0040704f
0x00407051
0x00407057
0x00407057
0x00407059
0x0040705c
0x004072ce
0x004072d4
0x004072a1
0x004072a6
0x00000000
0x004072a6
0x00407062
0x00407069
0x004072b7
0x004072bd
0x00000000
0x004072bd
0x0040706f
0x00407072
0x004072f2
0x004072f9
0x00407347
0x0040730e
0x00407313
0x00407318
0x0040731b
0x0040731d
0x00000000
0x00000000
0x00407324
0x0040732e
0x004070b2
0x004070b2
0x004070b7
0x004070be
0x004071b2
0x004071b2
0x004071b6
0x004070d3
0x004070d6
0x004070db
0x004070de
0x004070e0
0x00000000
0x00000000
0x00407297
0x0040729c
0x00000000
0x0040729c
0x004071bc
0x004071bc
0x004071c1
0x004071dc
0x004071dc
0x004071e1
0x004071fc
0x004071fc
0x00407206
0x0040720b
0x0040720e
0x00407210
0x00407435
0x00407438
0x0040743d
0x00407440
0x00407442
0x00000000
0x00000000
0x00407448
0x0040744d
0x00407450
0x00407234
0x00407239
0x00407241
0x00407246
0x0040724b
0x00407255
0x0040725a
0x0040725d
0x0040725f
0x0040737b
0x0040737e
0x004074c2
0x004074cb
0x004074ef
0x004074cd
0x004074cd
0x004074d2
0x00407500
0x004074d4
0x004074de
0x004074de
0x004074d2
0x00407384
0x00407384
0x00407387
0x0040738d
0x00407396
0x004073a6
0x004073a6
0x00407396
0x00407387
0x00407265
0x0040726a
0x0040726c
0x004073b0
0x004073b8
0x004073bd
0x00407272
0x00407272
0x00407276
0x00407279
0x0040727f
0x00407283
0x00407286
0x0040748d
0x00407492
0x0040728c
0x0040728f
0x00407294
0x00407294
0x00407286
0x0040726c
0x00000000
0x0040725f
0x00407456
0x0040745a
0x0040745f
0x0040746a
0x0040746e
0x00407473
0x00407476
0x00407478
0x00000000
0x00000000
0x00000000
0x0040747e
0x00407216
0x0040721b
0x0040721e
0x0040734e
0x00407352
0x00407357
0x00407362
0x00407366
0x0040736b
0x0040736e
0x00407370
0x00000000
0x00000000
0x00000000
0x00407376
0x00407224
0x00407224
0x00407228
0x00000000
0x00000000
0x0040722a
0x0040722e
0x004073c5
0x004073cc
0x004073ce
0x00000000
0x00000000
0x004073db
0x004073df
0x00000000
0x004073df
0x00000000
0x0040722e
0x004071ec
0x004071f1
0x004071f4
0x004071f6
0x00000000
0x00000000
0x00000000
0x004071f6
0x004071cc
0x004071d1
0x004071d4
0x004071d6
0x00000000
0x00000000
0x00000000
0x004071d6
0x004070c9
0x004070cd
0x004074b8
0x00000000
0x004074b8
0x00000000
0x004070cd
0x004072fb
0x004072ff
0x004073f3
0x004073f8
0x004073fb
0x004073fd
0x00000000
0x00000000
0x00407408
0x00407408
0x00407412
0x00407417
0x00407421
0x00407426
0x00000000
0x00407426
0x00407305
0x00000000
0x0040730c
0x0040707f
0x00407084
0x00407087
0x00407089
0x00000000
0x00000000
0x00407094
0x0040709e
0x004070a3
0x004070a7
0x00000000
0x00000000
0x004070a9
0x004070ac
0x00000000
0x00000000
0x00000000
0x004070ac
0x00407016
0x00406d32
0x00406d35
0x00000000
0x00406d39
0x00406d3d
0x00406d40
0x00406d40
0x00406d35

APIs

free.MSVCRT ref: 00406D6B
wimlib_add_image_multisource.LIBWIM-15 ref: 00406FE3
wimlib_add_image_multisource.LIBWIM-15 ref: 00407000
wcscmp.MSVCRT ref: 0040700F
_errno.MSVCRT ref: 0040704F
_errno.MSVCRT ref: 00407057
wimlib_add_image_multisource.LIBWIM-15 ref: 0040707F
wimlib_add_image_multisource.LIBWIM-15 ref: 0040709E
wimlib_add_image_multisource.LIBWIM-15 ref: 004070D6
wimlib_add_image_multisource.LIBWIM-15 ref: 0040729C
wimlib_add_image_multisource.LIBWIM-15 ref: 004072A6

Strings

"%ls" is part of a split WIM. Use --ref to specify the other parts., xrefs: 004074D7
8`A, xrefs: 00406F70
Cannot specify a compression type that is not the same as that used in the destination WIM, xrefs: 0040749A
--boot specified for all-images export, but source WIM has no bootable image., xrefs: 004073D4
"%ls" is not a regular file or block device, xrefs: 004072DE
Cannot stat file "%ls", xrefs: 004072C7
'--unsafe-compact' is only valid when exporting to an existing WIM file!, xrefs: 004072B0
Perhaps the '--ref' argument did not specify all other parts of the split WIM?, xrefs: 004074F9
If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based., xrefs: 004074E8
"%ls" is not the first part of the split WIM. You must specify the first part., xrefs: 0040739F

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$_errno$freewcscmp
String ID: "%ls" is not a regular file or block device$"%ls" is not the first part of the split WIM. You must specify the first part.$"%ls" is part of a split WIM. Use --ref to specify the other parts.$'--unsafe-compact' is only valid when exporting to an existing WIM file!$--boot specified for all-images export, but source WIM has no bootable image.$8`A$Cannot specify a compression type that is not the same as that used in the destination WIM$Cannot stat file "%ls"$If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based.$Perhaps the '--ref' argument did not specify all other parts of the split WIM?
API String ID: 3600674920-2224219681
Opcode ID: 70445b96d3605e6459c0d5cd5b8331f62739a27eaba7c8fde9e255afc73f8482
Instruction ID: 002dd784966e38ee53cbf4488f4dee12bebdf03fd4dd1950f77b0a0e3cc0869f
Opcode Fuzzy Hash: 70445b96d3605e6459c0d5cd5b8331f62739a27eaba7c8fde9e255afc73f8482
Instruction Fuzzy Hash: 21E12A71608B4181EB20AB26E84036F7760F7857A4F50423BEE5A67BE5DF3CD845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00402780 Relevance: 54.5, APIs: 14, Strings: 17, Instructions: 287
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00402780(void* __ebx, void* __ecx, long long __rax, void* __rcx, long long __rdx, long long __r8, void* _a16, void* _a24) {
				char _v80;
				void* _v88;
				char _v96;
				CHAR* _v104;
				char _v112;
				signed int _v120;
				CHAR* _v128;
				void* _v136;
				char _v144;
				void* _v152;
				_Unknown_base(*)()* _v168;
				CHAR* __rbx;
				char __rdi;
				char __rsi;
				char* __rbp;
				CHAR* __r12;
				void* __r13;
				_Unknown_base(*)()* __r14;
				char __r15;
				void* _t103;
				signed int _t104;
				long long _t113;

				_t113 = __rax;
				_a16 = __rdx;
				_a24 = __r8;
				_t104 = E004025C0(_t103, __rcx,  &_a16);
				_v136 = _t113;
				if(_t113 < 0) {
					_v128 = 0;
					goto L20;
				} else {
					if(__eflags == 0) {
						L00409228();
						_v128 = __rax;
						__eflags = __rax;
						if(__rax != 0) {
							_v120 = 0;
							goto L17;
						} else {
							goto L19;
						}
						goto L20;
					} else {
						__rcx = __rax;
						__eax = calloc(??, ??);
						_v128 = __rax;
						__eflags = __rax;
						if(__rax == 0) {
							L19:
							__rcx = L"out of memory";
							__eax = E004024D0(L"out of memory", __rdx, __r8, __r9);
							_v128 = 0;
							goto L20;
						} else {
							_v120 = 0;
							__rbx =  *__rbx;
							__r13 = 0x41d7b0;
							_v152 = 0;
							while(1) {
								__rax = _a16;
								__eflags = __rbx;
								if(__rbx == 0) {
									break;
								}
								__eflags = __rax;
								if(__rax == 0) {
									break;
								} else {
									__r15 = __rbx;
									while(1) {
										__eflags =  *__r15 - 0xa;
										if( *__r15 == 0xa) {
											break;
										}
										__r15 = 2 + __r15;
										__rax = __rax - 1;
										__eflags = __rax;
										if(__rax == 0) {
											goto L68;
										} else {
											continue;
										}
										goto L70;
									}
									__rsi = __r15;
									__eax = 0;
									__rcx = __rbx;
									__rsi = __r15 - __rbx;
									 *__r15 = __ax;
									__rsi = __r15 - __rbx >> 1;
									__rsi = 1 + (__r15 - __rbx >> 1);
									__rdx = __rsi;
									__eax = E00402470(0, __rbx, __rsi);
									_v152 = _v152 + 1;
									__eflags = __al;
									if(__al == 0) {
										_v96 = __rsi;
										__rdi =  &_v96;
										__rsi =  &_v104;
										__r8 =  &_v88;
										__rdx = __rdi;
										__rcx = __rsi;
										_v104 = __rbx;
										__eax = E00402670(__eax, __rsi, __rdi,  &_v88);
										__eflags = __eax;
										if(__eax == 0) {
											__rcx = _v88;
											__rdx = L"add";
											__imp___wcsicmp();
											__rbx = __eax;
											__eax = 0;
											__eflags = __ebx;
											if(__ebx != 0) {
												__rcx = _v88;
												__rdx = L"delete";
												__ebx = 1;
												__imp___wcsicmp();
												r8d = 0;
												__eax = 1;
												__eflags = r8d;
												if(r8d == 0) {
													goto L24;
												} else {
													__rcx = _v88;
													__rdx = L"rename";
													__imp___wcsicmp();
													__eflags = 1;
													if(1 != 0) {
														__r8 = _v152;
														__rdx = _v88;
														__rcx = L"Unknown update command \"%ls\" on line %zu";
														__eax = E004024D0(L"Unknown update command \"%ls\" on line %zu", _v88, _v152, __r9);
														goto L22;
													} else {
														__eax = 2;
														__ebx = 2;
														goto L24;
													}
												}
											} else {
												L24:
												__rcx = _v120;
												r14d = 0;
												__rbp =  &_v80;
												__r12 = __ebx;
												__rdx = _v120 + _v120 * 4;
												__rcx = _v128;
												__rdx = _v128 + (_v120 + _v120 * 4) * 8;
												_v144 = __rdx;
												 *__rdx = __eax;
												while(1) {
													__r8 = __rbp;
													__rdx = __rdi;
													__rcx = __rsi;
													__eax = E00402670(__eax, __rsi, __rdi, __rbp);
													__eflags = __eax - 2;
													if(__eax == 2) {
														break;
													}
													__eflags = __eax;
													if(__eax != 0) {
														goto L22;
													} else {
														__r11 = _v80;
														__eflags =  *__r11 - 0x2d;
														if( *__r11 != 0x2d) {
															L25:
															__eax =  *(__r13 + __r12 * 4);
															__eflags = __rax - __r14;
															if(__rax == __r14) {
																_v168 = __r14;
																__r9 = _v88;
																__rdx = __r11;
																__rcx = L"Unexpected argument \"%ls\" in update command on line %zu\n       (The \"%ls\" command only takes %zu nonoption arguments!)\n";
																__r8 = _v152;
																__eax = E004024D0(L"Unexpected argument \"%ls\" in update command on line %zu\n       (The \"%ls\" command only takes %zu nonoption arguments!)\n", __r11, _v152, _v88);
																goto L22;
															} else {
																__eflags = __ebx - 1;
																if(__ebx == 1) {
																	__rax = _v144;
																	goto L38;
																} else {
																	__eflags = r14d;
																	__rax = _v144;
																	if(r14d == 0) {
																		L38:
																		__rax[8] = __r11;
																	} else {
																		__rax[0x10] = __r11;
																	}
																}
																__r14 = __r14 + 1;
																__eflags = __r14;
																continue;
															}
														} else {
															__eflags =  *((short*)(2 + __r11)) - 0x2d;
															if( *((short*)(2 + __r11)) != 0x2d) {
																goto L25;
															} else {
																__eflags = __ebx;
																if(__ebx == 0) {
																	__rcx = __r11;
																	__rdx = L"--verbose";
																	_v112 = __r11;
																	L00409198();
																	__r11 = _v112;
																	__eflags = __eax;
																	if(__eax != 0) {
																		__rcx = __r11;
																		__rdx = L"--unix-data";
																		_v112 = __r11;
																		L00409198();
																		__r11 = _v112;
																		__eflags = __eax;
																		if(__eax != 0) {
																			__rcx = __r11;
																			__rdx = L"--no-acls";
																			_v112 = __r11;
																			L00409198();
																			__r11 = _v112;
																			__eflags = __eax;
																			if(__eax != 0) {
																				__rcx = __r11;
																				__rdx = L"--noacls";
																				_v112 = __r11;
																				L00409198();
																				__r11 = _v112;
																				__eflags = __eax;
																				if(__eax == 0) {
																					goto L57;
																				} else {
																					__rcx = __r11;
																					__rdx = L"--strict-acls";
																					L00409198();
																					__r11 = _v112;
																					__eflags = __eax;
																					if(__eax != 0) {
																						__rcx = __r11;
																						__rdx = L"--dereference";
																						_v112 = __r11;
																						L00409198();
																						__r11 = _v112;
																						__eflags = __eax;
																						if(__eax != 0) {
																							__rdx = L"--no-replace";
																							__rcx = __r11;
																							L00409198();
																							__eflags = __eax;
																							if(__eax != 0) {
																								goto L51;
																							} else {
																								__rax = _v144;
																								 *(_v144 + 0x20) =  *(_v144 + 0x20) | 0x00002000;
																								continue;
																							}
																						} else {
																							__rax = _v144;
																							 *(_v144 + 0x20) =  *(_v144 + 0x20) | 0x00000002;
																							continue;
																						}
																					} else {
																						__rax = _v144;
																						 *(_v144 + 0x20) =  *(_v144 + 0x20) | 0x00000040;
																						continue;
																					}
																				}
																			} else {
																				L57:
																				__rax = _v144;
																				 *(_v144 + 0x20) =  *(_v144 + 0x20) | 0x00000020;
																				continue;
																			}
																		} else {
																			__rax = _v144;
																			 *(_v144 + 0x20) =  *(_v144 + 0x20) | 0x00000010;
																			continue;
																		}
																	} else {
																		__rax = _v144;
																		 *(_v144 + 0x20) =  *(_v144 + 0x20) | 0x00000004;
																		continue;
																	}
																} else {
																	__eflags = __ebx - 1;
																	if(__ebx == 1) {
																		__rcx = __r11;
																		__rdx = L"--force";
																		_v112 = __r11;
																		L00409198();
																		__r11 = _v112;
																		__eflags = __eax;
																		if(__eax != 0) {
																			__rdx = L"--recursive";
																			__rcx = __r11;
																			L00409198();
																			__eflags = __eax;
																			if(__eax == 0) {
																				__rax = _v144;
																				 *(_v144 + 0x10) =  *(_v144 + 0x10) | 0x00000002;
																				continue;
																			} else {
																				L51:
																				__r11 = _v80;
																				goto L36;
																			}
																		} else {
																			__rax = _v144;
																			 *(_v144 + 0x10) =  *(_v144 + 0x10) | 0x00000001;
																			continue;
																		}
																	} else {
																		L36:
																		__r9 = _v152;
																		__r8 = _v88;
																		__rdx = __r11;
																		__rcx = L"Unrecognized option \"%ls\" to update command \"%ls\" on line %zu";
																		__eax = E004024D0(L"Unrecognized option \"%ls\" to update command \"%ls\" on line %zu", __r11, _v88, _v152);
																		goto L22;
																	}
																}
															}
														}
													}
													goto L70;
												}
												__eax =  *(__r13 + __rbx * 4);
												__eflags = __r14 - __rax;
												if(__r14 != __rax) {
													__r8 = _v152;
													__rdx = _v88;
													__rcx = L"Not enough arguments to update command \"%ls\" on line %zu";
													__eax = E004024D0(L"Not enough arguments to update command \"%ls\" on line %zu", _v88, _v152, __r9);
													goto L22;
												} else {
													_v120 = 1 + _v120;
													goto L16;
												}
											}
										} else {
											L22:
											__rcx = _v128;
											free(??);
											_v128 = 0;
											goto L20;
										}
									} else {
										L16:
										__rdi = _v136;
										__rbx = 2 + __r15;
										__eflags = _v152 - _v136;
										if(_v152 != _v136) {
											continue;
										} else {
											L17:
											__rax = _a24;
											__rdi = _v120;
											 *_a24 = _v120;
											L20:
											return _t104;
										}
									}
								}
								goto L70;
							}
							L68:
							 *0 = 0;
							asm("ud2");
							 *0 = 0;
							asm("ud2");
							0;
							_push(__rbp);
							_push(__r12);
							_push(__rsi);
							__rsp = __rsp - 0x28;
							__rbp =  &_v144;
							__rcx = "libgcc_s_dw2-1.dll";
							__eax = GetModuleHandleA(__rbx);
							__r12 = __rax;
							__eflags = __rax;
							if(__rax == 0) {
								__rax = 0x401550;
								__rbx = 0x401540;
								 *0x416010 = 0x401550;
								goto L6;
							} else {
								__rcx = "libgcc_s_dw2-1.dll";
								__eax = LoadLibraryA(??);
								__rsi = GetProcAddress;
								__rdx = "__register_frame_info";
								__rcx = __r12;
								 *0x424040 = __rax;
								__eax = GetProcAddress(??, ??);
								__rdx = "__deregister_frame_info";
								__rcx = __r12;
								__rbx = __rax;
								__eax = GetProcAddress(??, ??);
								 *0x416010 = __rax;
								__eflags = __rbx;
								if(__rbx != 0) {
									L6:
									__rdx = 0x424060;
									__rcx = 0x421000;
									__eax =  *__rbx();
								}
							}
							__rcx = 0x401610;
							__rsp = __rsp + 0x28;
							_pop(__rbx);
							_pop(__rsi);
							_pop(__r12);
							_pop(__rbp);
							L00409268();
							return  ~((_t104 & 0xffffff00 | _t113 == 0x00000000) & 0x000000ff);
						}
					}
				}
				L70:
			}

0x00402780
0x00402793
0x004027a6
0x004027ae
0x004027b3
0x004027bb
0x00402b29
0x00000000
0x004027c1
0x004027c6
0x00402884
0x00402889
0x0040288e
0x00402891
0x00402bd0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004027cc
0x004027cc
0x004027cf
0x004027d4
0x004027d9
0x004027dc
0x00402897
0x00402897
0x0040289e
0x004028a3
0x00000000
0x004027e2
0x004027e2
0x004027eb
0x004027ee
0x004027f5
0x00402800
0x00402800
0x00402808
0x0040280b
0x00000000
0x00000000
0x00402811
0x00402814
0x00000000
0x0040281a
0x0040281a
0x0040282e
0x0040282e
0x00402833
0x00000000
0x00000000
0x00402820
0x00402824
0x00402824
0x00402828
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402828
0x00402835
0x00402838
0x0040283a
0x0040283d
0x00402840
0x00402844
0x00402847
0x0040284b
0x0040284e
0x00402853
0x00402859
0x0040285b
0x004028c8
0x004028cd
0x004028d2
0x004028d7
0x004028dc
0x004028df
0x004028e2
0x004028e7
0x004028ec
0x004028ee
0x00402908
0x0040290d
0x00402914
0x0040291a
0x0040291d
0x0040291f
0x00402921
0x004029fc
0x00402a01
0x00402a08
0x00402a0d
0x00402a13
0x00402a16
0x00402a1b
0x00402a1e
0x00000000
0x00402a24
0x00402a24
0x00402a29
0x00402a30
0x00402a36
0x00402a38
0x00402b70
0x00402b75
0x00402b7a
0x00402b81
0x00000000
0x00402a3e
0x00402a3e
0x00402a43
0x00000000
0x00402a43
0x00402a38
0x00402927
0x00402927
0x00402927
0x0040292c
0x0040292f
0x00402934
0x00402937
0x0040293b
0x00402940
0x00402944
0x00402949
0x00402975
0x00402975
0x00402978
0x0040297b
0x0040297e
0x00402983
0x00402986
0x00000000
0x00000000
0x00402988
0x0040298a
0x00000000
0x00402990
0x00402990
0x00402995
0x0040299a
0x00402950
0x00402950
0x00402955
0x00402958
0x00402a4d
0x00402a52
0x00402a57
0x00402a5a
0x00402a61
0x00402a66
0x00000000
0x0040295e
0x0040295e
0x00402961
0x004029d8
0x00000000
0x00402963
0x00402963
0x00402966
0x0040296b
0x004029dd
0x004029dd
0x0040296d
0x0040296d
0x0040296d
0x0040296b
0x00402971
0x00402971
0x00000000
0x00402971
0x0040299c
0x0040299c
0x004029a2
0x00000000
0x004029a4
0x004029a4
0x004029a6
0x00402a9b
0x00402a9e
0x00402aa5
0x00402aaa
0x00402aaf
0x00402ab4
0x00402ab6
0x00402afe
0x00402b01
0x00402b08
0x00402b0d
0x00402b12
0x00402b17
0x00402b19
0x00402b45
0x00402b48
0x00402b4f
0x00402b54
0x00402b59
0x00402b5e
0x00402b60
0x00402b8b
0x00402b8e
0x00402b95
0x00402b9a
0x00402b9f
0x00402ba4
0x00402ba6
0x00000000
0x00402ba8
0x00402ba8
0x00402bab
0x00402bb2
0x00402bb7
0x00402bbc
0x00402bbe
0x00402bde
0x00402be1
0x00402be8
0x00402bed
0x00402bf2
0x00402bf7
0x00402bf9
0x00402c09
0x00402c10
0x00402c13
0x00402c18
0x00402c1a
0x00000000
0x00402c20
0x00402c20
0x00402c25
0x00000000
0x00402c25
0x00402bfb
0x00402bfb
0x00402c00
0x00000000
0x00402c00
0x00402bc0
0x00402bc0
0x00402bc5
0x00000000
0x00402bc5
0x00402bbe
0x00402b62
0x00402b62
0x00402b62
0x00402b67
0x00000000
0x00402b67
0x00402b1b
0x00402b1b
0x00402b20
0x00000000
0x00402b20
0x00402ab8
0x00402ab8
0x00402abd
0x00000000
0x00402abd
0x004029ac
0x004029ac
0x004029af
0x00402a70
0x00402a73
0x00402a7a
0x00402a7f
0x00402a84
0x00402a89
0x00402a8b
0x00402ae1
0x00402ae8
0x00402aeb
0x00402af0
0x00402af2
0x00402b37
0x00402b3c
0x00000000
0x00402af4
0x00402af4
0x00402af4
0x00000000
0x00402af4
0x00402a8d
0x00402a8d
0x00402a92
0x00000000
0x00402a92
0x004029b5
0x004029b5
0x004029b5
0x004029ba
0x004029bf
0x004029c2
0x004029c9
0x00000000
0x004029c9
0x004029af
0x004029a6
0x004029a2
0x0040299a
0x00000000
0x0040298a
0x004029e3
0x004029e8
0x004029eb
0x00402ac6
0x00402acb
0x00402ad0
0x00402ad7
0x00000000
0x004029f1
0x004029f1
0x00000000
0x004029f1
0x004029eb
0x004028f0
0x004028f0
0x004028f0
0x004028f5
0x004028fa
0x00000000
0x004028fa
0x0040285d
0x0040285d
0x0040285d
0x00402862
0x00402866
0x0040286b
0x00000000
0x0040286d
0x0040286d
0x0040286d
0x00402875
0x0040287a
0x004028ac
0x004028c4
0x004028c4
0x0040286b
0x0040285b
0x00000000
0x00402814
0x004155d0
0x004155d0
0x004155da
0x004155dc
0x004155e6
0x004155ee
0x00401560
0x00401561
0x00401563
0x00401565
0x00401569
0x00401571
0x00401578
0x0040157e
0x00401581
0x00401584
0x004015e0
0x004015e7
0x004015ee
0x00000000
0x00401586
0x00401586
0x0040158d
0x00401593
0x0040159a
0x004015a1
0x004015a4
0x004015ab
0x004015ad
0x004015b4
0x004015b7
0x004015ba
0x004015bc
0x004015c3
0x004015c6
0x004015f5
0x004015f5
0x004015fc
0x00401603
0x00401603
0x004015c6
0x004015c8
0x004015cf
0x004015d3
0x004015d4
0x004015d5
0x004015d7
0x00401524
0x00401538
0x00401538
0x004027dc
0x004027c6
0x00000000

APIs

calloc.MSVCRT ref: 004027CF

Strings

--verbose, xrefs: 00402A9E
--no-replace, xrefs: 00402C09
--noacls, xrefs: 00402B8E
rename, xrefs: 00402A29
Unrecognized option "%ls" to update command "%ls" on line %zu, xrefs: 004029C2
--no-acls, xrefs: 00402B48
out of memory, xrefs: 00402897
Unknown update command "%ls" on line %zu, xrefs: 00402B7A
Not enough arguments to update command "%ls" on line %zu, xrefs: 00402AD0
add, xrefs: 0040290D
--recursive, xrefs: 00402AE1
--dereference, xrefs: 00402BE1
--force, xrefs: 00402A73
--unix-data, xrefs: 00402B01
--strict-acls, xrefs: 00402BAB
Unexpected argument "%ls" in update command on line %zu (The "%ls" command only takes %zu nonoption arguments!), xrefs: 00402A5A
delete, xrefs: 00402A01

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: calloc
String ID: --dereference$--force$--no-acls$--no-replace$--noacls$--recursive$--strict-acls$--unix-data$--verbose$Not enough arguments to update command "%ls" on line %zu$Unexpected argument "%ls" in update command on line %zu (The "%ls" command only takes %zu nonoption arguments!)$Unknown update command "%ls" on line %zu$Unrecognized option "%ls" to update command "%ls" on line %zu$add$delete$out of memory$rename
API String ID: 2635317215-602251839
Opcode ID: 37925039b4cdec35214b79f0126d7de88d58a953e78bf41a8606e6467021410d
Instruction ID: 0b38c8cb8558b4f77ac3d4a7ad918d7a13d2e88639abad55f6d817ede89e1084
Opcode Fuzzy Hash: 37925039b4cdec35214b79f0126d7de88d58a953e78bf41a8606e6467021410d
Instruction Fuzzy Hash: 82B16172308B8181EA509F16E54875BB764F7857C4F504127EE8A6BBE9DFBCC885C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402E70 Relevance: 47.4, APIs: 15, Strings: 12, Instructions: 140COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00402E85
wcstoul.MSVCRT ref: 00402EAA
_wcsicmp.MSVCRT ref: 00402EE7
wimlib_add_image_multisource.LIBWIM-15 ref: 00402EFA
_wcsicmp.MSVCRT ref: 00402F1A
_wcsicmp.MSVCRT ref: 00402F2B
_wcsicmp.MSVCRT ref: 00402F3C
_wcsicmp.MSVCRT ref: 00402F71
_wcsicmp.MSVCRT ref: 00403021
_wcsicmp.MSVCRT ref: 00403032
fputws.MSVCRT ref: 00403068

Strings

xpress, xrefs: 00402FC0
Available compression types: none xpress (alias: "fast") lzx (alias: "maximum") (default for capture) lzms (, xrefs: 0040305E
Warning: use of '--compress=recovery' is discouraged because it behaves differently from DISM. Instead, you typically want to , xrefs: 0040307D
max, xrefs: 00402F21, 00402FA1
none, xrefs: 00403028
Compression level must be a positive integer! e.g. --compress=lzx:80, xrefs: 00403000
Invalid compression type "%ls"!, xrefs: 00403043
maximum, xrefs: 00402EDD, 00402F67
recovery, xrefs: 00402FD5
lzx, xrefs: 00402F10, 00402F90
fast, xrefs: 00402F32
lzms, xrefs: 00403017

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: _wcsicmp$fputwswcschrwcstoulwimlib_add_image_multisource
String ID: Available compression types: none xpress (alias: "fast") lzx (alias: "maximum") (default for capture) lzms ($Compression level must be a positive integer! e.g. --compress=lzx:80$Invalid compression type "%ls"!$Warning: use of '--compress=recovery' is discouraged because it behaves differently from DISM. Instead, you typically want to $fast$lzms$lzx$max$maximum$none$recovery$xpress
API String ID: 460991057-1681143936
Opcode ID: 64073d8e03de2dfd0af20601232ccf15e4a4d612e4c8a2a5d73f609ad90e38c8
Instruction ID: 0e1996f8404ea9924bc50b81a661de5b9007a7278e6f3d7a97eb52b48c7c0307
Opcode Fuzzy Hash: 64073d8e03de2dfd0af20601232ccf15e4a4d612e4c8a2a5d73f609ad90e38c8
Instruction Fuzzy Hash: 3041D66130064250EE14DB26FD183A72765BB557D8F94902BDD1AAB3E4EFBCCA86D308

Uniqueness

Uniqueness Score: -1.00%

Function 00405A90 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00405A90(void* __ecx, void* __rax, void* __rcx, char* __rdx, void* __r8, void* __r9) {
				short _v66;
				char _v264;
				char _v312;
				long long _v320;
				intOrPtr _v344;
				signed int _t51;
				signed char _t72;
				void* _t91;
				signed long long _t101;
				intOrPtr* _t102;
				signed long long _t103;
				intOrPtr _t155;
				char* _t157;
				long long* _t158;
				char* _t159;
				char* _t161;
				char* _t162;
				void* _t170;
				char* _t176;
				void* _t177;

				_t171 = __r9;
				_t163 = __r8;
				_t94 = __rax;
				_t177 = __rcx;
				if( *__rdx != 0) {
					E004023A0(__rax, L"----------------------------------------------------------------------------\n", __rdx, __r8, __r9);
					E004023A0(__rax, L"Full Path           = \"%ls\"\n",  *((intOrPtr*)(_t177 + 0x10)), _t163, __r9);
					_t138 =  *((intOrPtr*)(_t177 + 8));
					if( *((intOrPtr*)(_t177 + 8)) != 0) {
						E004023A0(__rax, L"Short Name          = \"%ls\"\n", _t138, _t163, __r9);
					}
					_t102 = 0x41d6c8;
					_t157 = L"    FILE_ATTRIBUTE_%ls is set\n";
					E004023A0(_t94, L"Attributes          = 0x%08x\n", _t138, _t163, _t171);
					_t51 = 1;
					L8:
					while(1) {
						if((_t51 &  *(_t177 + 0x30)) == 0) {
							_t102 = _t102 + 0x10;
							if(_t102 == 0x41d7b8) {
								L10:
								if( *((intOrPtr*)(_t177 + 0x20)) != 0) {
									L004080D0();
								}
								_t161 =  &_v312;
								_t103 =  &_v264;
								_t158 =  *0x416060;
								_v320 =  *((intOrPtr*)(_t177 + 0x48));
								 *_t158();
								L00409188();
								_v66 = 0;
								E004023A0( *((intOrPtr*)(_t177 + 0x48)), L"%-20ls= %ls\n", L"Creation Time", _t103, _t161);
								_v320 =  *((intOrPtr*)(_t177 + 0x58));
								 *_t158();
								L00409188();
								_v66 = 0;
								E004023A0( *((intOrPtr*)(_t177 + 0x58)), L"%-20ls= %ls\n", L"Last Write Time", _t103, _t161);
								_t97 =  *((intOrPtr*)(_t177 + 0x68));
								_v320 =  *((intOrPtr*)(_t177 + 0x68));
								 *_t158();
								_t174 = _t161;
								L00409188();
								_t169 = _t103;
								_v66 = 0;
								E004023A0( *((intOrPtr*)(_t177 + 0x68)), L"%-20ls= %ls\n", L"Last Access Time", _t103, _t161);
								if(( *(_t177 + 0x31) & 0x00000004) != 0) {
									E004023A0(_t97, L"Reparse Tag         = 0x%x\n", L"Last Access Time", _t169, _t174);
								}
								_t145 =  *((intOrPtr*)(_t177 + 0x40));
								E004023A0(_t97, L"Link Group ID       = 0x%016llx\n",  *((intOrPtr*)(_t177 + 0x40)), _t169, _t174);
								E004023A0(_t97, L"Link Count          = %u\n",  *((intOrPtr*)(_t177 + 0x40)), _t169, _t174);
								r9d =  *((intOrPtr*)(_t177 + 0x80));
								if(r9d != 0) {
									r8d =  *((intOrPtr*)(_t177 + 0x7c));
									_v344 =  *((intOrPtr*)(_t177 + 0x84));
									E004023A0(_t97, L"UNIX Data           = uid:%u gid:%u mode:0%o rdev:0x%x\n", _t145, _t169, _t174);
								}
								_t170 = _t177 + 0x88;
								if(( *(_t177 + 0x90) ^  *0x41bf68 |  *(_t177 + 0x88) ^  *0x41bf60) != 0) {
									E004033E0(_t170);
									E004033E0(_t177 + 0x98);
									E004033E0(_t177 + 0xa8);
									E004033E0(_t177 + 0xb8);
								}
								_t91 = 0;
								_t162 = L"\tUnnamed data stream:\n";
								_t159 = L"\tReparse point stream:\n";
								_t176 = L"\tRaw encrypted data stream:\n";
								do {
									_t101 = _t103 << 7;
									_t153 =  *((intOrPtr*)(_t177 + _t101 + 0xf8));
									if( *((intOrPtr*)(_t177 + _t101 + 0xf8)) != 0) {
										E004023A0(_t101, L"\tNamed data stream \"%ls\":\n", _t153, _t170, _t174);
									} else {
										_t72 =  *(_t177 + 0x30);
										if((_t72 & 0x00000040) != 0) {
											E004023A0(_t101, _t176, _t153, _t170, _t174);
										} else {
											if((_t72 & 0x00000004) == 0) {
												E004023A0(_t101, _t162, _t153, _t170, _t174);
											} else {
												E004023A0(_t101, _t159, _t153, _t170, _t174);
											}
										}
									}
									_t31 = _t103 + 2; // 0x2
									_t91 = _t91 + 1;
									E00403460(0, _t101, (_t31 << 7) + _t177, _t153, _t170, _t174);
								} while (_t91 <=  *((intOrPtr*)(_t177 + 0x3c)));
								goto L2;
							}
							L7:
							_t51 =  *(_t102 - 8);
							continue;
						}
						_t155 =  *_t102;
						_t102 = _t102 + 0x10;
						E004023A0(_t94, _t157, _t155, _t163, _t171);
						if(_t102 != 0x41d7b8) {
							goto L7;
						}
						goto L10;
					}
				} else {
					E004023A0(__rax, L"%ls\n",  *((intOrPtr*)(__rcx + 0x10)), __r8, __r9);
					L2:
					return 0;
				}
			}

0x00405a90
0x00405a90
0x00405a90
0x00405aa2
0x00405aa5
0x00405ad7
0x00405ae7
0x00405aec
0x00405af3
0x00405afc
0x00405afc
0x00405b0c
0x00405b1a
0x00405b21
0x00405b26
0x00000000
0x00405b3c
0x00405b40
0x00405b30
0x00405b37
0x00405b56
0x00405b5d
0x00405b63
0x00405b63
0x00405b6c
0x00405b71
0x00405b76
0x00405b88
0x00405b8d
0x00405ba1
0x00405bb9
0x00405bc1
0x00405bd0
0x00405bd5
0x00405be9
0x00405bfa
0x00405c09
0x00405c0e
0x00405c18
0x00405c1d
0x00405c29
0x00405c31
0x00405c38
0x00405c42
0x00405c51
0x00405c5b
0x00405de3
0x00405de3
0x00405c61
0x00405c6c
0x00405c7c
0x00405c81
0x00405c8b
0x00405dc2
0x00405dc6
0x00405dca
0x00405dca
0x00405c9f
0x00405cb7
0x00405d6a
0x00405d7d
0x00405d90
0x00405da3
0x00405da3
0x00405cbd
0x00405cbf
0x00405cc6
0x00405ccd
0x00405d0b
0x00405d10
0x00405d14
0x00405d1f
0x00405ce7
0x00405d21
0x00405d21
0x00405d28
0x00405d53
0x00405d2a
0x00405d2d
0x00405d43
0x00405d2f
0x00405d32
0x00405d32
0x00405d2d
0x00405d28
0x00405cec
0x00405cf2
0x00405cfc
0x00405d01
0x00000000
0x00405d0b
0x00405b39
0x00405b39
0x00000000
0x00405b39
0x00405b42
0x00405b48
0x00405b4c
0x00405b54
0x00000000
0x00000000
0x00000000
0x00405b54
0x00405aa7
0x00405ab2
0x00405ab7
0x00405ac8
0x00405ac8

APIs

wcsftime.MSVCRT ref: 00405BA1
wcsftime.MSVCRT ref: 00405BE9
wcsftime.MSVCRT ref: 00405C31

Strings

Attributes = 0x%08x, xrefs: 00405B05
Short Name = "%ls", xrefs: 00405AF5
Object ID, xrefs: 00405D63
Unnamed data stream:, xrefs: 00405CBF
Last Access Time, xrefs: 00405C3B
%ls, xrefs: 00405AAB
Link Count = %u, xrefs: 00405C75
Birth Object ID, xrefs: 00405D89
FILE_ATTRIBUTE_%ls is set, xrefs: 00405B1A
Birth Volume ID, xrefs: 00405D76
Link Group ID = 0x%016llx, xrefs: 00405C65
Reparse Tag = 0x%x, xrefs: 00405DDC
Last Write Time, xrefs: 00405C02
Raw encrypted data stream:, xrefs: 00405CCD
UNIX Data = uid:%u gid:%u mode:0%o rdev:0x%x, xrefs: 00405DBB
Domain ID, xrefs: 00405D9C
Reparse point stream:, xrefs: 00405CC6
Full Path = "%ls", xrefs: 00405AE0
%-20ls= %ls, xrefs: 00405BB2, 00405BF3, 00405C4A
----------------------------------------------------------------------------, xrefs: 00405AD0
%a %b %d %H:%M:%S %Y UTC, xrefs: 00405B92, 00405BDA, 00405C1F
Named data stream "%ls":, xrefs: 00405CE0
Creation Time, xrefs: 00405BAB

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wcsftime
String ID: Named data stream "%ls":$Raw encrypted data stream:$Reparse point stream:$Unnamed data stream:$ FILE_ATTRIBUTE_%ls is set$%-20ls= %ls$%a %b %d %H:%M:%S %Y UTC$%ls$----------------------------------------------------------------------------$Attributes = 0x%08x$Birth Object ID$Birth Volume ID$Creation Time$Domain ID$Full Path = "%ls"$Last Access Time$Last Write Time$Link Count = %u$Link Group ID = 0x%016llx$Object ID$Reparse Tag = 0x%x$Short Name = "%ls"$UNIX Data = uid:%u gid:%u mode:0%o rdev:0x%x
API String ID: 2902305603-2407676844
Opcode ID: a2ea38f65d45ec3a439eb7b4af610e3436febe92c180c813618b6eee624da672
Instruction ID: 6fedbc05f0e744cfc5631b63d3cad02f25b5a7c514b64c1241e7966fe8af6274
Opcode Fuzzy Hash: a2ea38f65d45ec3a439eb7b4af610e3436febe92c180c813618b6eee624da672
Instruction Fuzzy Hash: 1B81B7B1311A85A1EE44EB26E9887DB2369FB407C8F854037DE0D676A4DE3CC586C749

Uniqueness

Uniqueness Score: -1.00%

Function 00407510 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00407510(void* __ecx, void* __rdx) {
				short _v134;
				short _v136;
				char _v168;
				long long _v176;
				long long _v184;
				signed long long _v192;
				char _v200;
				signed int _v204;
				signed long long _v224;
				signed int _v240;
				signed long long _v248;
				void* __r12;
				void* __r13;
				signed long long _t53;
				void* _t75;
				void* _t76;
				signed int* _t93;
				signed long long _t94;
				long long* _t96;
				void* _t119;
				intOrPtr _t126;
				intOrPtr* _t142;
				intOrPtr* _t143;
				void* _t146;
				void* _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				void* _t156;
				void* _t157;
				intOrPtr _t159;

				_t92 = "\\";
				r12d = 0;
				_v204 = 0xc0200;
				_t156 = __rdx;
				_v184 = 0;
				_v176 = 0;
				_v192 = _t92;
				_v248 = 0;
				_t53 = E00408FE0();
				r14d = _t53;
				if(_t53 == 0xffffffff) {
					_t93 =  *0x4201c0; // 0x416038
					_t92 =  *_t93;
					_t75 = __ecx - _t53;
					_t142 = __rdx +  *_t93 * 8;
					if(_t75 <= 1) {
						L4:
						r14d = 0xffffffff;
						 *0x416040();
						E00403630(6, _t92, _t92, 0x41717e, 0x41e2c0, _t153, _t156);
						L5:
						free();
						return r14d;
					}
					if((_v204 & 0x000c0000) == 0) {
						E004024D0(L"Can\'t combine --no-globs and --nullglob!", __rdx, 0x41717e, 0x41e2c0);
						goto L5;
					}
					_t94 =  *_t142;
					_t159 =  *((intOrPtr*)(_t142 + 8));
					_v248 = 0;
					_v224 = _t94;
					L004090A8();
					r14d = _t53;
					if(_t53 != 0) {
						goto L5;
					}
					_t126 = _t159;
					L00409068();
					r13d = _t53;
					if(_t53 == 0) {
						_t53 = E00403BB0(_t159, _v224, 0x401890);
						r14d = _t53;
						if(_t53 != 0) {
							L36:
							L27:
							L00409108();
							goto L5;
						}
						L11:
						r8d = _v176;
						if(r8d != 0) {
							_v248 = r12d;
							r9d = 1;
							L00409088();
							r14d = _t53;
							if(_t53 == 0) {
								goto L12;
							}
							goto L36;
						}
						L12:
						_t76 = _t75 - 2;
						if(_t76 != 0) {
							_t143 = _t142 + 0x10;
						} else {
							_v204 = _v204 & 0xfffbffff;
							_t76 = 1;
							_t143 =  &_v192;
						}
						do {
							if(_t76 <= 0) {
								L19:
								_t94 =  *_t143;
								_t26 = _t94 + 2; // 0x1
								_t154 = _t26;
								L00409198();
								if(_t53 == 0) {
									r12d = 0;
									__imp___putws();
								}
								_t53 = _v204;
								_t152 = _t154;
								_t146 = 0x41b824;
								_t76 = _t76 - 1;
								_t143 = _t143 + 8;
								_v248 = _t53;
								L00409120();
								r14d = _t53;
								L21:
								if(_t76 == 0) {
									if(r14d != 0) {
										break;
									}
									if( *0x424178 == 0) {
										goto L36;
									}
									E00401650(_t146, _t152);
									goto L27;
								}
								goto L22;
							}
							_t155 = _t143;
							_t119 = _t76;
							_t53 = 0;
							while(1) {
								r15d = _t53;
								if( *((short*)( *_t155)) == 0x40) {
									break;
								}
								_t25 = _t94 + 1; // 0x1
								r15d = _t25;
								_t94 = _t94 + 1;
								_t155 = _t155 + 8;
								if(_t94 == _t119) {
									_t94 = r15d;
									_t155 = _t143 + _t94 * 8;
									L29:
									_v248 = _t94;
									_t152 = _t143;
									_t146 = 0x41b824;
									_t76 = _t76 - r15d;
									_t143 = _t155;
									_v240 = _v204 | 0x00200000;
									L00409118();
									r14d = _t53;
									goto L21;
								}
							}
							if(_t53 != 0) {
								goto L29;
							}
							goto L19;
							L22:
						} while (r14d == 0);
						if(r14d == 0x31) {
							_t96 =  *0x416040;
							if((_v204 & 0x000c0000) == 0xc0000) {
								 *_t96();
								E00401650(_t146, _t152);
							}
							if( *0x416020 == 0xffffffff) {
								_t152 = L"dir";
								E0040A630(0x4240a0, L"%ls %ls",  *0x424108, L"dir");
							} else {
								E0040A630(0x4240a0, L"wim%ls", L"dir", _t152);
							}
							 *_t96();
							E00401650(0x4240a0, _t152);
							goto L27;
						}
						if(r14d == 0x37) {
							L004090E0();
							if(_v134 <= 1) {
								E004024D0(L"If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based.",  &_v168, _t146, _t152);
							} else {
								if(_v176 != 0) {
									E004024D0(L"Perhaps the \'--ref\' argument did not specify all other parts of the split WIM?",  &_v168, _t146, _t152);
								} else {
									E004024D0(L"\"%ls\" is part of a split WIM. Use --ref to specify the other parts.", _v224, _t146, _t152);
								}
							}
							goto L36;
						}
						if(r14d == 0x24) {
							L004090E0();
							if(_v136 != 1) {
								E004024D0(L"\"%ls\" is not the first part of the split WIM.\n       You must specify the first part.", _v224, _t146, _t152);
							}
							goto L36;
						}
						goto L27;
					}
					if(_t53 == 0xffffffff) {
						r14d = 0x12;
						E004024D0(L"Cannot specify all images for this action!", _t126,  &_v200, 0x401890);
						goto L27;
					}
					goto L11;
				} else {
					_t6 = _t157 - 3; // -3
					if(_t6 > 0x3a) {
						goto L4;
					} else {
						_t92 =  *((intOrPtr*)(0x41ba50 + _t92 * 4)) + 0x41ba50;
						goto __rax;
					}
				}
			}

0x00407523
0x0040752f
0x00407547
0x00407551
0x00407554
0x0040755d
0x00407566
0x00407570
0x0040758c
0x00407591
0x00407597
0x00407710
0x00407717
0x0040771a
0x0040771c
0x00407724
0x004075b0
0x004075b5
0x004075bb
0x004075c9
0x004075ce
0x004075d3
0x004075ee
0x004075ee
0x00407732
0x00407a57
0x00000000
0x00407a57
0x00407738
0x0040773b
0x00407747
0x0040775a
0x0040775f
0x00407764
0x00407769
0x00000000
0x00000000
0x00407774
0x00407777
0x0040777c
0x00407781
0x00407950
0x00407955
0x0040795a
0x0040793e
0x00407878
0x00407878
0x00000000
0x00407878
0x00407790
0x00407790
0x00407798
0x00407919
0x00407923
0x0040792e
0x00407933
0x00407938
0x00000000
0x00000000
0x00000000
0x00407938
0x0040779e
0x0040779e
0x004077a1
0x004078e5
0x004077a7
0x004077a7
0x004077af
0x004077b4
0x004077b4
0x004077c0
0x004077c2
0x004077fa
0x004077fa
0x00407804
0x00407804
0x0040780b
0x00407812
0x004078d7
0x004078da
0x004078da
0x00407818
0x00407821
0x00407824
0x0040782a
0x0040782d
0x00407831
0x00407835
0x0040783a
0x0040783d
0x0040783f
0x004078f1
0x00000000
0x00000000
0x00407901
0x00000000
0x00000000
0x0040790a
0x00000000
0x0040790f
0x00000000
0x0040783f
0x004077c4
0x004077c7
0x004077ca
0x004077e5
0x004077e9
0x004077f0
0x00000000
0x00000000
0x004077d0
0x004077d0
0x004077d4
0x004077d8
0x004077df
0x00407898
0x0040789b
0x0040789f
0x004078a3
0x004078a8
0x004078ab
0x004078b3
0x004078b6
0x004078bb
0x004078c2
0x004078c7
0x00000000
0x004078c7
0x004077df
0x004077f4
0x00000000
0x00000000
0x00000000
0x00407845
0x00407845
0x00407852
0x00407965
0x00407976
0x00407a8c
0x00407a98
0x00407a98
0x00407983
0x00407a68
0x00407a7d
0x00407989
0x0040799e
0x0040799e
0x004079a8
0x004079bb
0x00000000
0x004079c0
0x00407861
0x004079eb
0x004079f9
0x00407aba
0x004079ff
0x00407a05
0x00407aa9
0x00407a0b
0x00407a17
0x00407a17
0x00407a05
0x00000000
0x004079f9
0x0040786b
0x00407a26
0x00407a34
0x00407a46
0x00407a46
0x00000000
0x00407a34
0x00000000
0x0040786b
0x0040778a
0x004079d1
0x004079d7
0x00000000
0x004079dc
0x00000000
0x0040759d
0x0040759d
0x004075a4
0x00000000
0x004075a6
0x004075aa
0x004075ad
0x004075ad
0x004075a4

APIs

free.MSVCRT ref: 004075D3
wimlib_add_image_multisource.LIBWIM-15 ref: 0040775F
wimlib_add_image_multisource.LIBWIM-15 ref: 00407777
wcscmp.MSVCRT ref: 0040780B
wimlib_add_image_multisource.LIBWIM-15 ref: 00407835
wimlib_add_image_multisource.LIBWIM-15 ref: 00407878

Strings

Reading pathlist file from standard input..., xrefs: 004078D0
8`A, xrefs: 00407710
Can't combine --no-globs and --nullglob!, xrefs: 00407A50
Cannot specify all images for this action!, xrefs: 004079CA
dir, xrefs: 00407989, 00407A68
Done extracting files., xrefs: 00407903
"%ls" is not the first part of the split WIM. You must specify the first part., xrefs: 00407A3F
"%ls" is part of a split WIM. Use --ref to specify the other parts., xrefs: 00407A10
wim%ls, xrefs: 00407990
Note: You can use `%ls' to see what files and directories are in the WIM image., xrefs: 004079B1
Perhaps the '--ref' argument did not specify all other parts of the split WIM?, xrefs: 00407AA2
Note: You can use the '--nullglob' option to ignore missing files., xrefs: 00407A8E
%ls %ls, xrefs: 00407A6F
If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based., xrefs: 00407AB3

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$freewcscmp
String ID: "%ls" is not the first part of the split WIM. You must specify the first part.$"%ls" is part of a split WIM. Use --ref to specify the other parts.$%ls %ls$8`A$Can't combine --no-globs and --nullglob!$Cannot specify all images for this action!$Done extracting files.$If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based.$Note: You can use `%ls' to see what files and directories are in the WIM image.$Note: You can use the '--nullglob' option to ignore missing files.$Perhaps the '--ref' argument did not specify all other parts of the split WIM?$Reading pathlist file from standard input...$dir$wim%ls
API String ID: 2185311064-1946456860
Opcode ID: 44fd3a11541b01dce2cbbbce06196e5f1d44d50af26e4622d9e05b64f2b51ba8
Instruction ID: 7189937cf0ab187ef8f922c126a49e3a56d9e9a994ffb4d52cea50f5dfe6db86
Opcode Fuzzy Hash: 44fd3a11541b01dce2cbbbce06196e5f1d44d50af26e4622d9e05b64f2b51ba8
Instruction Fuzzy Hash: 0FA1037270864181EB10EF26E8443AA7760F784798F90803BEA4E673E5DF7CD446C74A

Uniqueness

Uniqueness Score: -1.00%

Function 004066E0 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004066E0(void* __ecx, void* __edx, signed long long __rax, void* __rdx) {
				signed long long _v136;
				long long _v144;
				long long _v152;
				long long _v160;
				void* _v168;
				char _v176;
				char _v184;
				char _v192;
				signed long long _v200;
				char _v208;
				long long _v224;
				long long _v232;
				long long _v240;
				long long _v264;
				void* __r12;
				void* __r13;
				void* _t68;
				intOrPtr _t69;
				void* _t82;
				intOrPtr _t83;
				void* _t85;
				intOrPtr _t88;
				void* _t94;
				intOrPtr _t96;
				signed long long _t100;
				signed long long _t103;
				void* _t105;
				signed long long _t114;
				void* _t122;
				intOrPtr _t134;
				signed long long _t158;
				long long _t159;
				long long _t160;
				intOrPtr _t161;
				void* _t162;
				void* _t163;
				long long _t164;

				_t100 = __rax;
				r15d = 0;
				r14d = 0;
				r13d = 0;
				r12d = 0;
				_t145 = 0x41b3cc;
				_v176 = 0;
				_v240 = 0;
				_v232 = 4;
				asm("o16 nop [eax+eax]");
				_v264 = 0;
				_t157 = 0x41d9a0;
				_t85 = __ecx;
				_t149 = 0x41717e;
				_t68 = E00408FE0();
				if(_t68 == 0xffffffff) {
					_t100 =  *0x4201c0; // 0x416038
					_t82 = __ecx - __edx;
					_t159 = __rdx +  *_t100 * 8;
					_t69 = _t105 - 1;
					if(_t69 > 1) {
						goto L5;
					}
					_t145 =  *_t159;
					_t149 =  &_v208;
					_v264 = 0;
					_t157 = 0x401890;
					_v224 = _t159;
					L004090A8();
					_t96 = _t69;
					if(_t69 != 0) {
						goto L6;
					}
					_t160 = _v224;
					if(_t82 == 2) {
						_t134 =  *((intOrPtr*)(_t160 + 8));
						_v232 = _t160;
						L00409068();
						_t161 = _v232;
						_t83 = _t69;
						if(_t69 == 0) {
							_t69 = E00403BB0( *((intOrPtr*)(_t161 + 8)), _t145, 0x401890);
							_t96 = _t69;
							if(_t69 == 0) {
								L12:
								_t146 = _v176;
								if(_v176 == 0) {
									if(_v240 == 0) {
										_t88 = 0;
										L00409158();
										if(_t69 != 0) {
											__imp___putws();
											_t88 = 1;
											 *0x416040();
											E0040A630(0x4240a0, L"wim%ls", L"update", _t157);
											E00401650(0x4240a0, _t157);
										}
										E00403260(_t100,  &_v168);
										_t114 = _t100;
										if(_t100 == 0) {
											_v200 = 0;
											_t96 = 0xffffffff;
											L26:
											L00409108();
											goto L6;
										}
										E004023F0(_t100, _t114, _v168,  &_v192);
										_v200 = _t100;
										if(_t100 == 0) {
											_t96 = 0xffffffff;
											goto L26;
										}
										_t69 = E00402780(_t83, _t88, _t100,  &_v200, _v192,  &_v184);
										_t146 = _t100;
										if(_t100 != 0) {
											L14:
											_t158 = _v184;
											if(_t158 == 0) {
												L21:
												_v264 = 1;
												L00409018();
												_t96 = _t69;
												if(_t69 != 0) {
													L24:
													free();
													L25:
													free();
													goto L26;
												}
												if(_v240 != 0) {
													L29:
													r9d = 1;
													_v264 = 1;
													_v168 = 0;
													_v160 = _v240;
													_v152 = L"/Windows/System32/WimBootCompress.ini";
													_v144 = 0;
													_v136 = 0;
													L00409018();
													_t96 = _t69;
													if(_t69 == 0) {
														goto L23;
													}
													goto L24;
												}
												L23:
												r8d = r14d;
												L004090A0();
												_t96 = _t69;
												goto L24;
											}
											_t103 = _t146;
											_t122 = _t146 + (_t158 + _t158 * 4) * 8;
											while(1) {
												L19:
												_t94 =  *_t103;
												if(_t94 == 0) {
													break;
												}
												if(_t94 == 1) {
													 *(_t103 + 0x10) =  *(_t103 + 0x10) | r13d;
												}
												_t103 = _t103 + 0x28;
												if(_t103 == _t122) {
													goto L21;
												}
											}
											 *(_t103 + 0x20) =  *(_t103 + 0x20) | 0x00000884;
											_t103 = _t103 + 0x28;
											 *((long long*)(_t103 - 0x10)) = _t164;
											if(_t103 != _t122) {
												goto L19;
											}
											goto L21;
										}
										L38:
										_t96 = 0xffffffff;
										goto L25;
									}
									_v264 = 1;
									r9d = 0;
									r8d = 0;
									_v200 = 0;
									_v184 = 0;
									L00409018();
									_t96 = _t69;
									if(_t69 != 0) {
										goto L24;
									}
									goto L29;
								}
								_v200 = 0;
								L00409180();
								_t69 = E00402780(_t83, _t85, _t100,  &_v176, _t100,  &_v184);
								_t146 = _t100;
								if(_t100 == 0) {
									goto L38;
								}
								goto L14;
							}
							goto L26;
						}
						if(_t69 != 0xffffffff) {
							goto L12;
						}
						_t96 = 0x12;
						E004024D0(L"Cannot specify all images for this action!", _t134,  &_v208, 0x401890);
						goto L26;
					}
					L004090E0();
					r8d = _v152;
					if(r8d != 1) {
						E004024D0(L"\"%ls\" contains %d images; Please select one.", _t145,  &_v208, 0x401890);
						L00409108();
						goto L5;
					}
					_t83 = 1;
					goto L12;
				} else {
					if(_t68 - 3 > 0x39) {
						L5:
						_t96 = 0xffffffff;
						 *0x416040();
						E00403630(0xb, _t100, _t100, _t149, _t157, _t162, _t163);
						L6:
						free();
						return _t96;
					}
					_t100 =  *((intOrPtr*)(0x41b3cc + _t100 * 4)) + 0x41b3cc;
					goto __rax;
				}
			}

0x004066e0
0x004066f3
0x004066f6
0x004066f9
0x00406701
0x00406704
0x0040670b
0x00406719
0x00406722
0x0040672a
0x00406730
0x00406739
0x00406743
0x00406745
0x0040674c
0x00406754
0x00406940
0x0040694a
0x0040694c
0x00406950
0x00406956
0x00000000
0x00000000
0x0040695c
0x00406963
0x00406968
0x00406971
0x00406978
0x00406980
0x00406985
0x00406989
0x00000000
0x00000000
0x00406997
0x0040699c
0x00406b52
0x00406b56
0x00406b5b
0x00406b60
0x00406b67
0x00406b69
0x00406c19
0x00406c1e
0x00406c22
0x004069c6
0x004069c6
0x004069ce
0x00406aa6
0x00406ba4
0x00406ba6
0x00406bad
0x00406c34
0x00406c3a
0x00406c3f
0x00406c5d
0x00406c73
0x00406c73
0x00406bb7
0x00406bbc
0x00406bc2
0x00406c7d
0x00406c86
0x00406a91
0x00406a96
0x00000000
0x00406a96
0x00406bd5
0x00406bda
0x00406be2
0x00406c90
0x00000000
0x00406c90
0x00406bf7
0x00406bfc
0x00406c02
0x00406a03
0x00406a03
0x00406a0b
0x00406a48
0x00406a48
0x00406a5a
0x00406a5f
0x00406a63
0x00406a7f
0x00406a82
0x00406a87
0x00406a8c
0x00000000
0x00406a8c
0x00406a70
0x00406ae3
0x00406ae8
0x00406af0
0x00406b00
0x00406b0b
0x00406b1a
0x00406b22
0x00406b2e
0x00406b39
0x00406b43
0x00406b47
0x00000000
0x00000000
0x00000000
0x00406b4d
0x00406a72
0x00406a72
0x00406a78
0x00406a7d
0x00000000
0x00406a7d
0x00406a11
0x00406a14
0x00406a32
0x00406a32
0x00406a32
0x00406a36
0x00000000
0x00000000
0x00406a23
0x00406a25
0x00406a25
0x00406a29
0x00406a30
0x00000000
0x00000000
0x00406a30
0x00406a38
0x00406a3b
0x00406a3f
0x00406a46
0x00000000
0x00000000
0x00000000
0x00406a46
0x00406c08
0x00406c08
0x00000000
0x00406c08
0x00406aac
0x00406ab4
0x00406ab7
0x00406abc
0x00406aca
0x00406ad3
0x00406add
0x00406ae1
0x00000000
0x00000000
0x00000000
0x00406ae1
0x004069d4
0x004069e0
0x004069f2
0x004069f7
0x004069fd
0x00000000
0x00000000
0x00000000
0x004069fd
0x00000000
0x00406c28
0x00406b72
0x00000000
0x00000000
0x00406b7f
0x00406b84
0x00000000
0x00406b84
0x004069aa
0x004069af
0x004069bb
0x00406775
0x0040677f
0x00000000
0x0040677f
0x004069c1
0x00000000
0x0040675a
0x00406760
0x00406788
0x0040678d
0x00406792
0x004067a0
0x004067a5
0x004067aa
0x004067c4
0x004067c4
0x00406766
0x00406769
0x00406769

APIs

free.MSVCRT ref: 004067AA
wimlib_add_image_multisource.LIBWIM-15 ref: 00406980
wimlib_add_image_multisource.LIBWIM-15 ref: 004069AA
wcslen.MSVCRT ref: 004069E0
wimlib_add_image_multisource.LIBWIM-15 ref: 00406A5A
wimlib_add_image_multisource.LIBWIM-15 ref: 00406A78
free.MSVCRT ref: 00406A82
free.MSVCRT ref: 00406A8C
wimlib_add_image_multisource.LIBWIM-15 ref: 00406A96

Strings

update, xrefs: 00406C45
8`A, xrefs: 00406940
Some uncommon options are not listed;See %ls.pdf in the doc directory for more details., xrefs: 00406C69
/Windows/System32/WimBootCompress.ini, xrefs: 00406B13
wim%ls, xrefs: 00406C4C
Cannot specify all images for this action!, xrefs: 00406B78
"%ls" contains %d images; Please select one., xrefs: 0040676B
Reading update commands from standard input..., xrefs: 00406C2D

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$free$wcslen
String ID: "%ls" contains %d images; Please select one.$/Windows/System32/WimBootCompress.ini$8`A$Cannot specify all images for this action!$Reading update commands from standard input...$Some uncommon options are not listed;See %ls.pdf in the doc directory for more details.$update$wim%ls
API String ID: 2446247102-2767876732
Opcode ID: ccb5319d891cb4380bfc23315296452613700f627b5a4912244ccfc1fd075ce4
Instruction ID: 7e3f1bc8a46ca9745f0129ab02a4bb36e088f0e0425f346822cb4a0234ac646f
Opcode Fuzzy Hash: ccb5319d891cb4380bfc23315296452613700f627b5a4912244ccfc1fd075ce4
Instruction Fuzzy Hash: 67A1B172304A8182EB20EB15E45039B6760F7C5798F51413BEE8A677D9DF7CC94ACB48

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF0 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 182COMMON

Download Yara Rule

APIs

wimlib_add_image_multisource.LIBWIM-15 ref: 0040607B
wimlib_add_image_multisource.LIBWIM-15 ref: 004060B5
wimlib_add_image_multisource.LIBWIM-15 ref: 004060DA
_wstat64.MSVCRT ref: 004060FB
wimlib_add_image_multisource.LIBWIM-15 ref: 00406143
_wstat64.MSVCRT ref: 00406158
fputws.MSVCRT ref: 004061A8
wimlib_add_image_multisource.LIBWIM-15 ref: 004061DD

Strings

8`A, xrefs: 00406040
Optimization of "%ls" failed., xrefs: 00406272
Space saved: , xrefs: 0040619E, 00406252
Unknown, xrefs: 0040620F, 00406237, 00406261
"%ls" optimized size: , xrefs: 0040616A, 0040622B
"%ls" original size: , xrefs: 0040610D, 00406203
%llu KiB, xrefs: 00406126, 00406183
@, xrefs: 00405E1A
%lld KiB, xrefs: 004061C1

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$_wstat64$fputws
String ID: "%ls" optimized size: $"%ls" original size: $%lld KiB$%llu KiB$8`A$@$Optimization of "%ls" failed.$Space saved: $Unknown
API String ID: 4201218009-1591724075
Opcode ID: 69de60b603370e71c812634086c3519631db66244f19b4ac6a028aea6afaca81
Instruction ID: 40d2f62137930401acd4276341f6e4df3fe24ac29b4dd5eeb264ccf7580196a1
Opcode Fuzzy Hash: 69de60b603370e71c812634086c3519631db66244f19b4ac6a028aea6afaca81
Instruction Fuzzy Hash: 0C61B3B1301A0191DA10EB2AE9543AA6361A7857F4F844337DE3A6B3E6EF3DC855C349

Uniqueness

Uniqueness Score: -1.00%

Function 00406290 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00406290(void* __ecx, signed long long __rax, void* __rdx) {
				short _v134;
				short _v136;
				intOrPtr _v152;
				void* _v168;
				long long _v176;
				long long _v184;
				long long _v192;
				long long _v196;
				long long _v208;
				long long _v216;
				void* __r12;
				void* __r13;
				void* _t47;
				void* _t48;
				void* _t63;
				signed int* _t78;
				void* _t81;
				long long _t88;
				long long _t89;
				intOrPtr _t117;
				intOrPtr* _t119;
				intOrPtr _t123;
				void* _t125;
				void* _t126;
				intOrPtr _t127;
				intOrPtr _t128;

				_t77 = __rax;
				r12d = 0;
				_v196 = 0;
				_v184 = 0;
				_v176 = 0;
				_v216 = 0;
				_t124 = 0x41ee20;
				_t122 = 0x41717e;
				_t47 = E00408FE0();
				if(_t47 == 0xffffffff) {
					_t78 =  *0x4201c0; // 0x416038
					_t77 =  *_t78;
					_t63 = __ecx - _t47;
					_t119 = __rdx +  *_t78 * 8;
					_t48 = _t81 - 2;
					if(_t48 > 1) {
						goto L5;
					}
					_t127 =  *_t119;
					L00409198();
					if(_t48 != 0) {
						_v216 = 0;
						_t124 = 0x401890;
						_t122 =  &_v192;
						L004090A8();
						r13d = _t48;
						if(_t48 != 0) {
							goto L6;
						}
						L004090E0();
						if(_t63 == 3) {
							_t128 =  *((intOrPtr*)(_t119 + 8));
							_t111 = _t128;
							L00409068();
							if(_t48 == 0) {
								_t111 = _t127;
								_t48 = E00403BB0(_t128, _t127, 0x401890);
								r13d = _t48;
								if(_t48 == 0) {
									goto L39;
								}
								L31:
								L16:
								L00409108();
								goto L6;
							}
							L39:
							_t117 =  *((intOrPtr*)(_t119 + 0x10));
							L21:
							r8d = _v176;
							_t88 = _v192;
							if(r8d == 0) {
								L24:
								if(_t88 == 0) {
									L12:
									E004080C0();
									r9d = _v196;
									_t123 = _t117;
									_t111 = _t128;
									_v208 = 0;
									_v216 = 0x401890;
									L00409128();
									r13d = _t48;
									L13:
									if(r13d != 0) {
										_t89 = _v192;
										if(r13d == 0x37) {
											if(_t89 == 0) {
												E004024D0(L"If you are applying an image from a split pipable WIM,\n       make sure you have concatenated together all parts.", _t111, _t123, _t124);
											} else {
												if(_v134 <= 1) {
													E004024D0(L"If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based.", _t111, _t123, _t124);
												} else {
													if(_v176 != 0) {
														E004024D0(L"Perhaps the \'--ref\' argument did not specify all other parts of the split WIM?", _t111, _t123, _t124);
													} else {
														E004024D0(L"\"%ls\" is part of a split WIM. Use --ref to specify the other parts.", _t127, _t123, _t124);
													}
												}
											}
											goto L16;
										}
										if(r13d != 0x24 || _t89 == 0 || _v136 == 1) {
											goto L16;
										} else {
											E004024D0(L"\"%ls\" is not the first part of the split WIM.\n       You must specify the first part.", _t127, _t123, _t124);
											goto L31;
										}
									}
									if( *0x424178 == 0) {
										goto L31;
									}
									E00401650(_t123, _t124);
									goto L16;
								}
								r9d = _v196;
								_t123 = _t117;
								L00409130();
								r13d = _t48;
								goto L13;
							}
							if(_t88 == 0) {
								L36:
								r13d = 0xffffffff;
								E004024D0(L"Can\'t specify --ref when applying from stdin!", _t111, _t122, _t124);
								goto L16;
							}
							_v216 = r12d;
							_t111 = _v184;
							r9d = 1;
							L00409088();
							_t88 = _v192;
							r13d = _t48;
							if(_t48 != 0) {
								goto L16;
							}
							goto L24;
						}
						r8d = _v152;
						if(r8d != 1) {
							E004024D0(L"\"%ls\" contains %d images; Please select one (or all).", _t127,  &_v192, 0x401890);
							L00409108();
							goto L5;
						}
						_t117 =  *((intOrPtr*)(_t119 + 8));
						r15d = 0;
						goto L21;
					}
					_t117 =  *((intOrPtr*)(_t119 + 8));
					r15d = 0;
					if(_t63 != 2) {
						_t128 = _t117;
						_t117 =  *((intOrPtr*)(_t119 + 0x10));
					}
					_v192 = 0;
					if(_v176 != 0) {
						goto L36;
					} else {
						goto L12;
					}
				} else {
					if(_t47 - 3 <= 0x3a) {
						_t77 =  *((intOrPtr*)(0x41b0e4 + _t77 * 4)) + 0x41b0e4;
						goto __rax;
					}
					L5:
					r13d = 0xffffffff;
					 *0x416040();
					E00403630(1, _t77, _t77, _t122, _t124, _t125, _t126);
					L6:
					free();
					return r13d;
				}
			}

0x00406290
0x004062aa
0x004062b4
0x004062c1
0x004062ca
0x004062d8
0x004062e1
0x004062ed
0x004062f4
0x004062fc
0x00406440
0x00406447
0x0040644a
0x0040644c
0x00406450
0x00406456
0x00000000
0x00000000
0x0040645c
0x00406469
0x00406470
0x00406513
0x0040651c
0x00406529
0x0040652e
0x00406533
0x00406538
0x00000000
0x00000000
0x00406548
0x00406550
0x00406675
0x0040667e
0x00406681
0x0040668a
0x004066c1
0x004066c7
0x004066cc
0x004066d1
0x00000000
0x00000000
0x00406607
0x004064f9
0x004064f9
0x00000000
0x004064f9
0x0040668c
0x0040668c
0x00406571
0x00406571
0x00406576
0x0040657e
0x004065ae
0x004065b1
0x0040649e
0x004064a0
0x004064a5
0x004064aa
0x004064ad
0x004064b9
0x004064c2
0x004064c7
0x004064cc
0x004064cf
0x004064d2
0x004065ce
0x004065d7
0x00406614
0x00406666
0x00406616
0x0040661c
0x004066b2
0x00406622
0x00406628
0x0040669c
0x0040662a
0x00406634
0x00406639
0x00406628
0x0040661c
0x00000000
0x00406614
0x004065dd
0x00000000
0x004065f8
0x00406602
0x00000000
0x00406602
0x004065dd
0x004064e2
0x00000000
0x00000000
0x004064ef
0x00000000
0x004064f4
0x004065b7
0x004065bc
0x004065c1
0x004065c6
0x00000000
0x004065c6
0x00406583
0x00406643
0x0040664a
0x00406650
0x00000000
0x00406655
0x00406589
0x0040658e
0x00406593
0x00406599
0x0040659e
0x004065a3
0x004065a8
0x00000000
0x00000000
0x00000000
0x004065a8
0x00406556
0x0040655f
0x0040631d
0x00406327
0x00000000
0x00406327
0x00406565
0x00406569
0x00000000
0x0040656c
0x00406476
0x0040647a
0x00406480
0x00406482
0x00406485
0x00406485
0x00406489
0x00406498
0x00000000
0x00000000
0x00000000
0x00000000
0x00406302
0x00406308
0x0040630e
0x00406311
0x00406311
0x00406330
0x00406335
0x0040633b
0x00406349
0x0040634e
0x00406353
0x0040636e
0x0040636e

APIs

free.MSVCRT ref: 00406353
wcscmp.MSVCRT ref: 00406469
wimlib_add_image_multisource.LIBWIM-15 ref: 004064C7
wimlib_add_image_multisource.LIBWIM-15 ref: 004064F9

Strings

"%ls" is part of a split WIM. Use --ref to specify the other parts., xrefs: 0040662A
8`A, xrefs: 00406440
If you are applying an image from a split pipable WIM, make sure you have concatenated together all parts., xrefs: 0040665F
Done applying WIM image., xrefs: 004064E8
Can't specify --ref when applying from stdin!, xrefs: 00406643
"%ls" contains %d images; Please select one (or all)., xrefs: 00406313
Perhaps the '--ref' argument did not specify all other parts of the split WIM?, xrefs: 00406695
If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based., xrefs: 004066AB
"%ls" is not the first part of the split WIM. You must specify the first part., xrefs: 004065FB

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$freewcscmp
String ID: "%ls" contains %d images; Please select one (or all).$"%ls" is not the first part of the split WIM. You must specify the first part.$"%ls" is part of a split WIM. Use --ref to specify the other parts.$8`A$Can't specify --ref when applying from stdin!$Done applying WIM image.$If this is a delta WIM, use the --ref argument to specify the WIM(s) on which it is based.$If you are applying an image from a split pipable WIM, make sure you have concatenated together all parts.$Perhaps the '--ref' argument did not specify all other parts of the split WIM?
API String ID: 2185311064-383427211
Opcode ID: 65cf2f736e134467be7fabb9f8acdc2f766d0bad7f0e927e69c988d4b1608ed3
Instruction ID: 4e4d2f4ac0e0cd7c861715299ef40271c42ba309713b072af7949f0486573b08
Opcode Fuzzy Hash: 65cf2f736e134467be7fabb9f8acdc2f766d0bad7f0e927e69c988d4b1608ed3
Instruction Fuzzy Hash: 0671BD71314A4181DA20DB22E85036B6760FB847C8F81543BEE4B6BBE9CF7DC8958748

Uniqueness

Uniqueness Score: -1.00%

Function 00403460 Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00403460(void* __ecx, void* __rax, intOrPtr* __rcx, void* __rdx, intOrPtr __r8, intOrPtr __r9) {
				signed char _t41;
				void* _t65;
				void* _t66;
				long long* _t67;
				void* _t92;
				intOrPtr* _t94;

				_t96 = __r9;
				_t95 = __r8;
				_t84 = __rdx;
				_t65 = __rax;
				_t94 = __rcx;
				E004023A0(__rax, L"Hash              = 0x", __rdx, __r8, __r9);
				_t66 = _t94 + 0x18;
				_t92 = _t94 + 0x2c;
				asm("o16 nop [cs:eax+eax]");
				do {
					_t66 = _t66 + 1;
					E004023A0(__rax, L"%02hhx", _t84, _t95, __r9);
				} while (_t66 != _t92);
				_t67 =  *0x416040;
				 *_t67();
				L004091F8();
				if(( *(_t94 + 0x34) & 0x00000010) == 0) {
					E004023A0(__rax, L"Uncompressed size = %llu bytes\n",  *_t94, _t95, __r9);
					if(( *(_t94 + 0x34) & 0x00000020) != 0) {
						_t96 =  *((intOrPtr*)(_t94 + 0x38));
						_t95 =  *((intOrPtr*)(_t94 + 0x40));
						E004023A0(__rax, L"Solid resource    = %llu => %llu bytes @ offset %llu\n",  *((intOrPtr*)(_t94 + 0x48)),  *((intOrPtr*)(_t94 + 0x40)),  *((intOrPtr*)(_t94 + 0x38)));
						_t88 =  *((intOrPtr*)(_t94 + 0x10));
						E004023A0(__rax, L"Solid offset      = %llu bytes\n",  *((intOrPtr*)(_t94 + 0x10)),  *((intOrPtr*)(_t94 + 0x40)),  *((intOrPtr*)(_t94 + 0x38)));
					} else {
						E004023A0(__rax, L"Compressed size   = %llu bytes\n",  *((intOrPtr*)(_t94 + 8)), _t95, _t96);
						_t88 =  *((intOrPtr*)(_t94 + 0x10));
						E004023A0(__rax, L"Offset in WIM     = %llu bytes\n",  *((intOrPtr*)(_t94 + 0x10)), _t95, _t96);
					}
					E004023A0(_t65, L"Part Number       = %u\n", _t88, _t95, _t96);
					E004023A0(_t65, L"Reference Count   = %u\n", _t88, _t95, _t96);
					E004023A0(_t65, L"Flags             = ", _t88, _t95, _t96);
					_t41 =  *(_t94 + 0x34) & 0x000000ff;
					if((_t41 & 0x00000001) != 0) {
						E004023A0(_t65, L"WIM_RESHDR_FLAG_COMPRESSED  ", _t88, _t95, _t96);
						_t41 =  *(_t94 + 0x34) & 0x000000ff;
					}
					if((_t41 & 0x00000002) != 0) {
						E004023A0(_t65, L"WIM_RESHDR_FLAG_METADATA  ", _t88, _t95, _t96);
						_t41 =  *(_t94 + 0x34) & 0x000000ff;
					}
					if((_t41 & 0x00000004) != 0) {
						E004023A0(_t65, L"WIM_RESHDR_FLAG_FREE  ", _t88, _t95, _t96);
						_t41 =  *(_t94 + 0x34) & 0x000000ff;
					}
					if((_t41 & 0x00000008) != 0) {
						E004023A0(_t65, L"WIM_RESHDR_FLAG_SPANNED  ", _t88, _t95, _t96);
						_t41 =  *(_t94 + 0x34) & 0x000000ff;
					}
					if((_t41 & 0x00000020) != 0) {
						E004023A0(_t65, L"WIM_RESHDR_FLAG_SOLID  ", _t88, _t95, _t96);
					}
					 *_t67();
					L004091F8();
				}
				 *_t67();
				L004091F8();
				return 0;
			}

0x00403460
0x00403460
0x00403460
0x00403460
0x0040346f
0x00403479
0x0040347e
0x00403482
0x00403486
0x00403490
0x00403493
0x0040349a
0x0040349f
0x004034a9
0x004034b0
0x004034ba
0x004034c3
0x004034f3
0x004034fc
0x00403594
0x0040359f
0x004035a3
0x004035a8
0x004035b3
0x00403502
0x0040350d
0x00403512
0x0040351d
0x0040351d
0x0040352c
0x0040353b
0x00403547
0x0040354c
0x00403552
0x0040361f
0x00403624
0x00403624
0x0040355a
0x00403607
0x0040360c
0x0040360c
0x00403562
0x004035ef
0x004035f4
0x004035f4
0x0040356a
0x004035d7
0x004035dc
0x004035dc
0x0040356e
0x004035c7
0x004035c7
0x00403575
0x0040357f
0x0040357f
0x004034ca
0x004034d4
0x004034e3

APIs

fputwc.MSVCRT ref: 004034BA
fputwc.MSVCRT ref: 004034D4

Strings

Solid offset = %llu bytes, xrefs: 004035AC
WIM_RESHDR_FLAG_METADATA , xrefs: 00403600
WIM_RESHDR_FLAG_COMPRESSED , xrefs: 00403618
Part Number = %u, xrefs: 00403525
Offset in WIM = %llu bytes, xrefs: 00403516
Reference Count = %u, xrefs: 00403534
WIM_RESHDR_FLAG_FREE , xrefs: 004035E8
WIM_RESHDR_FLAG_SOLID , xrefs: 004035C0
Compressed size = %llu bytes, xrefs: 00403506
WIM_RESHDR_FLAG_SPANNED , xrefs: 004035D0
, xrefs: 004034F8
Hash = 0x, xrefs: 00403472
Flags = , xrefs: 00403540
%02hhx, xrefs: 00403468
Uncompressed size = %llu bytes, xrefs: 004034EC
Solid resource = %llu => %llu bytes @ offset %llu, xrefs: 00403598

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fputwc
String ID: $%02hhx$Compressed size = %llu bytes$Flags = $Hash = 0x$Offset in WIM = %llu bytes$Part Number = %u$Reference Count = %u$Solid offset = %llu bytes$Solid resource = %llu => %llu bytes @ offset %llu$Uncompressed size = %llu bytes$WIM_RESHDR_FLAG_COMPRESSED $WIM_RESHDR_FLAG_FREE $WIM_RESHDR_FLAG_METADATA $WIM_RESHDR_FLAG_SOLID $WIM_RESHDR_FLAG_SPANNED
API String ID: 761389786-1431644030
Opcode ID: 4751f3257954c7c2b875fecf179c57a326d94cb9013498906e198f32a0fe153d
Instruction ID: 0da95b2e0da90e93d5c7dd8ac88121edd22b615af9933b2e7969dfe1a90a10f1
Opcode Fuzzy Hash: 4751f3257954c7c2b875fecf179c57a326d94cb9013498906e198f32a0fe153d
Instruction Fuzzy Hash: C6418B71211550A5DB04EF32DD543E92B24EB9138DF84003BEE0E6B6E5DE7CCA86C348

Uniqueness

Uniqueness Score: -1.00%

Function 00404D40 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00404D40(void* __ecx, void* __esi, signed int __rax, void* __rcx, void* __rdx) {
				short _v136;
				intOrPtr _v152;
				void* _v168;
				long long _v176;
				long long _v184;
				char _v192;
				char _v193;
				long long _v208;
				long long _v216;
				void* __r12;
				void* __r13;
				char _t32;
				char _t40;
				void* _t41;
				void* _t42;
				char _t49;
				void* _t50;
				void* _t52;
				signed int* _t55;
				void* _t74;
				void* _t84;
				intOrPtr* _t85;
				intOrPtr* _t86;
				char* _t89;
				char* _t91;
				char* _t92;

				_t54 = __rax;
				_t50 = __esi;
				_t86 =  *0x4201b0; // 0x424188
				_t49 = 1;
				_t91 = "\\";
				_v193 = 0;
				_t41 = __ecx;
				_t84 = __rdx;
				_t92 =  &_v184;
				_v192 = 0;
				_v184 = 0;
				_v176 = 0;
				while(1) {
					_v216 = 0;
					_t90 = 0x41e7e0;
					_t74 = _t84;
					_t88 = 0x41717e;
					_t32 = E00408FE0();
					if(_t32 == 0xffffffff) {
						break;
					}
					_t52 = _t32 - 0x24;
					if(_t52 == 0) {
						_t91 =  *_t86;
						continue;
					}
					if(_t52 > 0) {
						if(_t32 != 0x2b) {
							L12:
							r14d = 0xffffffff;
							 *0x416040();
							E00403630(4, _t54, _t54, _t88, _t90, _t91, _t92);
							L10:
							free();
							return r14d;
						}
						_t40 = E00402550(_t50, _t54, _t92,  *_t86);
						r14d = _t40;
						if(_t40 == 0) {
							continue;
						}
						goto L10;
					}
					if(_t32 != 0xf) {
						if(_t32 != 0x23) {
							goto L12;
						} else {
							_t49 = 0;
							continue;
						}
					}
					_v193 = 1;
				}
				_t55 =  *0x4201c0; // 0x416038
				_t54 =  *_t55;
				_t42 = _t41 - _t32;
				_t85 = _t84 +  *_t55 * 8;
				if(_t42 <= 0) {
					E004024D0(L"Must specify a WIM file", _t74, 0x41717e, 0x41e7e0);
					goto L12;
				}
				if(_t42 > 2) {
					E004024D0(L"Too many arguments", _t74, 0x41717e, 0x41e7e0);
					goto L12;
				}
				_t92 =  *_t85;
				_t90 = 0x401890;
				_t88 =  &_v192;
				_v216 = 0;
				L004090A8();
				r14d = _t32;
				if(_t32 != 0) {
					goto L10;
				}
				if(_t42 == 2) {
					L00409068();
					r15d = _t32;
					if(_t32 != 0) {
						L20:
						r8d = _v176;
						if(r8d == 0) {
							L23:
							r9d = _t49;
							_t89 = _t91;
							_v208 =  &_v193;
							_v216 = E00405A90;
							L004090C0();
							r14d = _t32;
							if(_t32 == 0x24) {
								L004090E0();
								if(_v136 != 1) {
									E004024D0(L"\"%ls\" is not the first part of the split WIM.\n       You must specify the first part.", _t92, _t89, _t90);
								}
							}
							L24:
							L00409108();
							goto L10;
						}
						_v216 = 0;
						r9d = 1;
						L00409088();
						r14d = _t32;
						if(_t32 != 0) {
							goto L24;
						}
						goto L23;
					}
					_t32 = E00403BB0( *((intOrPtr*)(_t85 + 8)), _t92, 0x401890);
					r15d = _t32;
					r14d = _t32;
					if(_t32 == 0) {
						goto L20;
					}
					goto L24;
				}
				L004090E0();
				r8d = _v152;
				if(r8d != 1) {
					E004024D0(L"\"%ls\" contains %d images; Please select one (or all).", _t92,  &_v192, 0x401890);
					L00409108();
					goto L12;
				}
				r15d = 1;
				goto L20;
			}

0x00404d40
0x00404d40
0x00404d53
0x00404d5a
0x00404d5f
0x00404d66
0x00404d6b
0x00404d6d
0x00404d70
0x00404d75
0x00404d7e
0x00404d87
0x00404da3
0x00404da3
0x00404dac
0x00404db3
0x00404db8
0x00404dbf
0x00404dc7
0x00000000
0x00000000
0x00404dcd
0x00404dd0
0x00404e50
0x00000000
0x00404e50
0x00404dd2
0x00404de3
0x00404e28
0x00404e2d
0x00404e33
0x00404e41
0x00404df8
0x00404dfd
0x00404e18
0x00404e18
0x00404dec
0x00404df1
0x00404df6
0x00000000
0x00000000
0x00000000
0x00404df6
0x00404dd7
0x00404d9b
0x00000000
0x00404da1
0x00404da1
0x00000000
0x00404da1
0x00404d9b
0x00404dd9
0x00404dd9
0x00404e60
0x00404e67
0x00404e6a
0x00404e6c
0x00404e72
0x00404fc5
0x00000000
0x00404fc5
0x00404e7b
0x00404e20
0x00000000
0x00404e20
0x00404e7d
0x00404e80
0x00404e87
0x00404e8e
0x00404e9a
0x00404e9f
0x00404ea4
0x00000000
0x00000000
0x00404eb2
0x00404f49
0x00404f4e
0x00404f53
0x00404ed7
0x00404ed7
0x00404ee4
0x00404f0a
0x00404f0f
0x00404f12
0x00404f18
0x00404f24
0x00404f29
0x00404f2e
0x00404f34
0x00404f82
0x00404f8d
0x00404f99
0x00404f99
0x00404f8d
0x00404f36
0x00404f3b
0x00000000
0x00404f3b
0x00404ee6
0x00404ef3
0x00404ef9
0x00404efe
0x00404f03
0x00000000
0x00000000
0x00000000
0x00404f05
0x00404f5c
0x00404f61
0x00404f64
0x00404f69
0x00000000
0x00000000
0x00000000
0x00404f6f
0x00404ebd
0x00404ec2
0x00404ecb
0x00404faa
0x00404fb4
0x00000000
0x00404fb4
0x00404ed1
0x00000000

APIs

free.MSVCRT ref: 00404DFD
wimlib_add_image_multisource.LIBWIM-15 ref: 00404E9A
wimlib_add_image_multisource.LIBWIM-15 ref: 00404EBD
wimlib_add_image_multisource.LIBWIM-15 ref: 00404EF9
wimlib_add_image_multisource.LIBWIM-15 ref: 00404F29
wimlib_add_image_multisource.LIBWIM-15 ref: 00404F3B

Strings

8`A, xrefs: 00404E60
Too many arguments, xrefs: 00404E19
"%ls" contains %d images; Please select one (or all)., xrefs: 00404FA3
"%ls" is not the first part of the split WIM. You must specify the first part., xrefs: 00404F92
Must specify a WIM file, xrefs: 00404FBE

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$free
String ID: "%ls" contains %d images; Please select one (or all).$"%ls" is not the first part of the split WIM. You must specify the first part.$8`A$Must specify a WIM file$Too many arguments
API String ID: 4253307414-1440947552
Opcode ID: 1ec3a305309757c5d5792feafa8c62440c360dab95b875b7fefcc0a3161fe9d1
Instruction ID: ba33f6bb5eef38001b29ea87e4992bcbafc59f1eae6751a4b3d6877ad06e2319
Opcode Fuzzy Hash: 1ec3a305309757c5d5792feafa8c62440c360dab95b875b7fefcc0a3161fe9d1
Instruction Fuzzy Hash: 6451A0B2214A4191EB20AB26E45436B6760F7C5788F904037FF4AA77E5DF7DC885C709

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00404FD0(void* __ecx, intOrPtr* __rax, void* __rcx, void* __rdx) {
				char _v80;
				intOrPtr _v92;
				long long _v120;
				void* __r12;
				void* __r13;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				void* _t38;
				intOrPtr* _t41;
				signed int* _t42;
				void* _t56;
				void* _t63;
				char* _t66;
				void* _t69;
				void* _t70;
				intOrPtr _t71;
				intOrPtr _t72;

				_t41 = __rax;
				r12d = 0;
				r13d = 4;
				_t27 = __ecx;
				_t63 = __rdx;
				while(1) {
					_t56 = _t63;
					_v120 = 0;
					_t18 = E00408FE0();
					if(_t18 == 0xffffffff) {
						break;
					}
					_t38 = _t18 - 0x2e;
					if(_t38 == 0) {
						r12b = r12b | 0x00000080;
						continue;
					}
					if(_t38 > 0) {
						if(_t18 != 0x39) {
							L13:
							 *0x416040();
							E00403630(3, _t41, _t41, 0x41717e, 0x41e8a0, _t69, _t70);
							return 0xffffffff;
						} else {
							r12d = r12d | 0x00008000;
							continue;
						}
					}
					if(_t18 == 3) {
						r13d = 5;
						L6:
						r12d = r12d | 0x00000001;
						continue;
					}
					if(_t18 != 0x15) {
						goto L13;
					}
					goto L6;
				}
				_t42 =  *0x4201c0; // 0x416038
				_t28 = _t27 - _t18;
				_t41 = _t63 +  *_t42 * 8;
				if(_t28 != 2) {
					if(_t28 <= 0) {
						E004024D0(L"Must specify a WIM file", _t56, 0x41717e, 0x41e8a0);
						L12:
						E004024D0(L"Must specify an image", _t56, 0x41717e, 0x41e8a0);
						goto L13;
					}
					if(_t28 != 1) {
						goto L13;
					}
					goto L12;
				}
				_t71 =  *_t41;
				_t72 =  *((intOrPtr*)(_t41 + 8));
				_t66 =  &_v80;
				_v120 = 0;
				L004090A8();
				if(_t18 != 0) {
					return _t18;
				}
				L00409068();
				r13d = _t18;
				if(_t18 == 0) {
					_t18 = E00403BB0(_t72, _t71, 0x401890);
					if(_t18 == 0) {
						goto L19;
					}
					L21:
					_v92 = _t18;
					L00409108();
					return _v92;
				}
				L19:
				L00409140();
				if(_t18 != 0) {
					_v92 = _t18;
					E004024D0(L"Failed to delete image from \"%ls\"", _t71, _t66, 0x401890);
					_t18 = _v92;
				} else {
					r8d = 0;
					L004090A0();
					if(_t18 != 0) {
						_v92 = _t18;
						E004024D0(L"Failed to write the file \"%ls\" with image deleted", _t71, _t66, 0x401890);
						_t18 = _v92;
					}
				}
				goto L21;
			}

0x00404fd0
0x00404fe0
0x00404fe3
0x00404ff7
0x00404ff9
0x00404ffc
0x00405002
0x00405007
0x00405010
0x00405018
0x00000000
0x00000000
0x0040501e
0x00405021
0x004050b0
0x00000000
0x004050b0
0x00405027
0x00405043
0x00405078
0x0040507d
0x0040508b
0x00000000
0x00405045
0x00405045
0x00000000
0x00405045
0x00405043
0x0040502c
0x00405050
0x00405033
0x00405033
0x00000000
0x00405033
0x00405031
0x00000000
0x00000000
0x00000000
0x00405031
0x004050c0
0x004050ca
0x004050cc
0x004050d3
0x0040505a
0x0040519a
0x00405065
0x0040506c
0x00000000
0x0040506c
0x00405063
0x00000000
0x00000000
0x00000000
0x00405063
0x004050d5
0x004050d8
0x004050dc
0x004050e4
0x004050f7
0x004050fe
0x004050a5
0x004050a5
0x00405108
0x0040510d
0x00405112
0x00405188
0x0040518f
0x00000000
0x00000000
0x00405139
0x0040513e
0x00405142
0x00000000
0x00405147
0x00405114
0x0040511c
0x00405123
0x00405173
0x00405177
0x0040517c
0x00405125
0x0040512a
0x00405130
0x00405137
0x0040515a
0x0040515e
0x00405163
0x00405163
0x00405137
0x00000000

APIs

wimlib_add_image_multisource.LIBWIM-15 ref: 004050F7
wimlib_add_image_multisource.LIBWIM-15 ref: 00405108
wimlib_add_image_multisource.LIBWIM-15 ref: 0040511C
wimlib_add_image_multisource.LIBWIM-15 ref: 00405130
wimlib_add_image_multisource.LIBWIM-15 ref: 00405142

Strings

8`A, xrefs: 004050C0
Failed to write the file "%ls" with image deleted, xrefs: 00405153
Failed to delete image from "%ls", xrefs: 0040516C
Must specify an image, xrefs: 00405065
Must specify a WIM file, xrefs: 00405193

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource
String ID: 8`A$Failed to delete image from "%ls"$Failed to write the file "%ls" with image deleted$Must specify a WIM file$Must specify an image
API String ID: 1578821148-18479086
Opcode ID: 2971e145c90e24b00dbd623a9b8c1d3e514a5f4b19ad6254d732a4f122a741a1
Instruction ID: 60b2f983705e0bf16d07f19b4c2d2645d6c82a5b982d977b935392a5743dfa20
Opcode Fuzzy Hash: 2971e145c90e24b00dbd623a9b8c1d3e514a5f4b19ad6254d732a4f122a741a1
Instruction Fuzzy Hash: F9412371604A0181DB10AB26A85436F6760FB85798F904037EF4AAB3E5DF7DC946CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004036B0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E004036B0(void* __ecx, void* __esi, void* __rdx) {
				long long _v64;
				char _v72;
				char _v80;
				long long _v104;
				void* __r12;
				void* __r13;
				void* _t18;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t40;
				signed long long _t45;
				intOrPtr* _t46;
				signed long long _t60;
				intOrPtr* _t61;
				void* _t70;
				void* _t78;
				void* _t79;
				intOrPtr _t80;

				_t40 = __esi;
				r13d = 1;
				_v72 = 0;
				_t30 = __ecx;
				_t70 = __rdx;
				_v64 = 0;
				while(1) {
					_v104 = 0;
					_t18 = E00408FE0();
					if(_t18 == 0xffffffff) {
						break;
					}
					if(_t18 == 0x1a) {
						r13d = 0;
						continue;
					}
					if(_t18 != 0x2b) {
						L8:
						r12d = 0xffffffff;
						 *0x416040();
						E00403630(0xc, _t45, _t45, 0x41717e, 0x41d7e0, _t78, _t79);
						L5:
						free();
						return r12d;
					}
					_t45 =  *0x4201b0; // 0x424188
					_t29 = E00402550(_t40, _t45,  &_v72,  *_t45);
					r12d = _t29;
					if(_t29 == 0) {
						continue;
					}
					goto L5;
				}
				_t46 =  *0x4201c0; // 0x416038
				_t60 =  *_t46;
				_t45 = _t60;
				_t61 = _t70 + _t60 * 8;
				_t31 = _t30 - _t18;
				if(_t31 != 1) {
					if(_t31 != 0) {
						E004024D0(L"At most one WIM file can be specified!", _t61, 0x41717e, 0x41d7e0);
					} else {
						E004024D0(L"Must specify a WIM file!", _t61, 0x41717e, 0x41d7e0);
					}
					goto L8;
				}
				_t80 =  *_t61;
				_v104 = 0;
				L004090A8();
				r12d = _t18;
				if(_t18 != 0) {
					goto L5;
				}
				_v104 = r13d;
				r8d = _v64;
				r9d = 1;
				L00409088();
				r12d = _t18;
				if(_t18 == 0) {
					L00409010();
					r12d = _t18;
					if(_t18 != 0) {
						 *0x416040();
						L004091F8();
						E004024D0(L"\"%ls\" failed verification!", _t80,  &_v80, 0x401890);
						if(r12d == 0x37 && _v64 == 0 &&  *0x424178 != 0) {
							E00401650( &_v80, 0x401890);
						}
					} else {
						if( *0x424178 != 0) {
							E00401650(_t80, 0x401890);
							asm("o16 nop [eax+eax]");
						}
					}
				}
				L00409108();
				goto L5;
			}

0x004036b0
0x004036be
0x004036d2
0x004036db
0x004036dd
0x004036e0
0x004036e9
0x004036f4
0x004036fd
0x00403705
0x00000000
0x00000000
0x0040370e
0x00403780
0x00000000
0x00403780
0x00403713
0x00403760
0x00403765
0x0040376b
0x00403779
0x00403730
0x00403735
0x0040374b
0x0040374b
0x00403715
0x00403724
0x00403729
0x0040372e
0x00000000
0x00000000
0x00000000
0x0040372e
0x00403790
0x00403797
0x0040379a
0x0040379d
0x004037a1
0x004037a6
0x0040374e
0x00403895
0x00403754
0x0040375b
0x0040375b
0x00000000
0x0040374e
0x004037a8
0x004037ba
0x004037c6
0x004037cb
0x004037d0
0x00000000
0x00000000
0x004037d6
0x004037db
0x004037e0
0x004037f0
0x004037f5
0x004037fa
0x00403803
0x00403808
0x0040380d
0x00403844
0x00403852
0x00403861
0x0040386a
0x00403887
0x00403887
0x0040380f
0x00403819
0x00403825
0x0040382a
0x0040382a
0x00403819
0x0040380d
0x00403835
0x00000000

APIs

free.MSVCRT ref: 00403735
wimlib_add_image_multisource.LIBWIM-15 ref: 00403835

Strings

At most one WIM file can be specified!, xrefs: 0040388E
8`A, xrefs: 00403790
Must specify a WIM file!, xrefs: 00403754
Note: if this WIM file is not standalone, use the --ref option to specify the other parts., xrefs: 00403880
"%ls" failed verification!, xrefs: 0040385A
"%ls" was successfully verified., xrefs: 0040381E

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: freewimlib_add_image_multisource
String ID: "%ls" was successfully verified.$"%ls" failed verification!$8`A$At most one WIM file can be specified!$Must specify a WIM file!$Note: if this WIM file is not standalone, use the --ref option to specify the other parts.
API String ID: 2585769228-660379883
Opcode ID: d3916768ce4856acb949d10cfd2901a9648d8e5eb63190c8a141ad8b5c23d8a5
Instruction ID: 4c0aa2923cd759b3be3c92cfff7a75938cef0058e69e0185cfac1da487bc76d3
Opcode Fuzzy Hash: d3916768ce4856acb949d10cfd2901a9648d8e5eb63190c8a141ad8b5c23d8a5
Instruction Fuzzy Hash: 4941C5B1310A4191EB10AF26E85436B6765FB84BC8F40913BEE4A673E5DF7DC985C308

Uniqueness

Uniqueness Score: -1.00%

Function 00402D50 Relevance: 13.5, APIs: 4, Strings: 5, Instructions: 46COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00402D6C
_wcsicmp.MSVCRT ref: 00402D9A
_wcsicmp.MSVCRT ref: 00402DB3
_wcsicmp.MSVCRT ref: 00402DCC

Strings

"%ls" is not a recognized System Compression format. The options are: --compact=xpress4k --compact=xpress8k --compact, xrefs: 00402DDC
xpress8k, xrefs: 00402D90
xpress4k, xrefs: 00402D65
lzx, xrefs: 00402DC2
xpress16k, xrefs: 00402DA9

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: _wcsicmp
String ID: "%ls" is not a recognized System Compression format. The options are: --compact=xpress4k --compact=xpress8k --compact$lzx$xpress16k$xpress4k$xpress8k
API String ID: 2081463915-2434718225
Opcode ID: 0cf7f0bf64ed6b5f163de66a1cb4750f4dba3682dd85f03fe96b2c63eac4803d
Instruction ID: 9eeb8270561d7a6b3e3defea4f6f7e51640eacd7ee5208fcd6f573a2017308f7
Opcode Fuzzy Hash: 0cf7f0bf64ed6b5f163de66a1cb4750f4dba3682dd85f03fe96b2c63eac4803d
Instruction Fuzzy Hash: 1901866432492484FA25D73AF944FD266516F487D5F849123AD199B7D4FA7CCC82C708

Uniqueness

Uniqueness Score: -1.00%

Function 00409790 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00409790(int __ebx, void* __eflags, void* __rbx, void* __rcx, long long __rdx, void* __rdi, void* __rsi, long long __r8, long long __r9, void* __r12, intOrPtr __r13, signed long long __r14, intOrPtr __r15) {
				void* _t47;
				void* _t48;
				int _t49;
				void* _t50;
				int _t51;
				void* _t54;
				int _t63;
				int _t66;
				void* _t68;
				int _t70;
				signed int _t72;
				int _t82;
				signed long long _t95;
				intOrPtr* _t101;
				long long* _t104;
				int* _t106;
				intOrPtr* _t108;
				signed long long _t110;
				signed long long _t111;
				int* _t112;
				signed long long _t118;
				signed long long _t119;
				signed long long _t137;
				void* _t144;
				intOrPtr _t146;
				void* _t148;
				signed long long _t151;
				void* _t158;
				void* _t159;
				void* _t160;
				void* _t161;
				void* _t162;
				void* _t164;
				signed long long _t172;
				signed long long _t176;
				intOrPtr _t177;
				intOrPtr _t181;
				signed long long _t183;
				intOrPtr _t185;
				intOrPtr _t186;

				_t186 = __r15;
				_t183 = __r14;
				_t181 = __r13;
				_t148 = __rdi;
				_t63 = __ebx;
				_push(__r12);
				_push(__rbx);
				_t159 = _t158 - 0x38;
				_t95 = _t159 + 0x58;
				 *((long long*)(_t159 + 0x58)) = __rdx;
				 *((long long*)(_t159 + 0x60)) = __r8;
				 *((long long*)(_t159 + 0x68)) = __r9;
				 *(_t159 + 0x28) = _t95;
				_t48 = E004092B0(_t47, 2, _t95, __rcx);
				r8d = 0x1b;
				_t172 = _t95;
				L00414EB8();
				_t110 =  *(_t159 + 0x28);
				_t66 = 2;
				_t49 = E004092B0(_t48, 2, _t95, "Mingw-w64 runtime failure:\n");
				_t118 = _t95;
				_t168 = _t110;
				L00414E80();
				L00414ED0();
				asm("o16 nop [eax+eax]");
				_push(__rcx);
				_push(__rsi);
				_push(_t110);
				_t160 = _t159 - 0x50;
				_t111 =  *0x424234;
				_t176 = _t118;
				if(_t63 <= 0) {
					L14:
					_t63 = 0;
					goto L6;
				} else {
					_t68 = 0;
					_t108 =  *0x424238 + 0x18;
					asm("o16 nop [eax+eax]");
					do {
						_t146 =  *_t108;
						if(_t146 > _t176) {
							goto L5;
						} else {
							_t168 =  *((intOrPtr*)(_t108 + 8));
							r8d =  *(_t168 + 8);
							if(_t176 < _t146 + _t168) {
								L11:
								return _t49;
							} else {
								goto L5;
							}
						}
						goto L55;
						L5:
						_t68 = _t68 + 1;
						_t108 = _t108 + 0x28;
					} while (_t68 != _t63);
					L6:
					_t119 = _t176;
					_t50 = E0040A1B0(_t95, _t119);
					_t151 = _t95;
					if(_t95 == 0) {
						L16:
						_t137 = _t176;
						_t51 = E00409790(_t63, __eflags, _t111, "Address %p has no image-section", _t137, _t148, _t151, _t168, _t172, _t176, _t181, _t183, _t186);
						asm("o16 nop [cs:eax+eax]");
						_push(_t186);
						_push(_t183);
						_push(_t181);
						_push(_t176);
						_push(_t148);
						_push(_t151);
						_push(_t111);
						_t161 = _t160 - 0x38;
						_t82 =  *0x424230;
						__eflags = _t82;
						if(_t82 == 0) {
							 *0x424230 = 1;
							E0040A230();
							_t51 = E0040A470(_t95);
							_t177 =  *0x41ffd0; // 0x4208f0
							_t112 =  *0x41ffe0; // 0x4208f0
							 *0x424234 = 0;
							_t162 = _t161 - (0x0000000f + (_t95 + _t95 * 0x00000004) * 0x00000008 & 0xfffffff0);
							 *0x424238 = _t162 + 0x20;
							_t101 = _t177 - _t112;
							__eflags = _t101 - 7;
							if(_t101 <= 7) {
								goto L18;
							} else {
								_t70 =  *_t112;
								__eflags = _t101 - 0xb;
								if(_t101 > 0xb) {
									__eflags = _t70;
									if(_t70 != 0) {
										goto L47;
									} else {
										_t40 =  &(_t112[1]); // 0x0
										_t51 =  *_t40;
										_t41 =  &(_t112[2]); // 0x0
										_t66 = _t51 |  *_t41;
										__eflags = _t66;
										if(_t66 != 0) {
											goto L23;
										} else {
											_t42 =  &(_t112[3]); // 0x0
											_t70 =  *_t42;
											_t112 =  &(_t112[3]);
											goto L21;
										}
									}
								} else {
									L21:
									__eflags = _t70;
									if(_t70 != 0) {
										L47:
										__eflags = _t112 - _t177;
										if(_t112 < _t177) {
											_t185 =  *0x420020; // 0x400000
											do {
												r13d =  *_t112;
												_t112 =  &(_t112[2]);
												_t151 = _t151 + _t185;
												r13d = r13d +  *_t151;
												L1();
												 *_t151 = r13d;
												__eflags = _t112 - _t177;
											} while (_t112 < _t177);
											goto L35;
										}
										goto L18;
									} else {
										_t33 =  &(_t112[1]); // 0x0
										_t51 =  *_t33;
										L23:
										__eflags = _t51;
										if(_t51 != 0) {
											goto L47;
										} else {
											_t34 =  &(_t112[2]); // 0x0
											__eflags =  *_t34 - 1;
											if(__eflags != 0) {
												L52:
												_t54 = E00409790(_t63, __eflags, _t112, "  Unknown pseudo relocation protocol version %d.\n", _t137, _t148, _t151, _t168, _t172, _t177, _t181, _t183, _t186);
												_t164 = _t162 - 0x58;
												_t104 =  *0x424240;
												__eflags = _t104;
												if(_t104 != 0) {
													asm("movsd xmm0, [esp+0x80]");
													 *(_t164 + 0x20) = _t66;
													 *(_t164 + 0x28) = _t137;
													asm("movsd [esp+0x30], xmm2");
													asm("movsd [esp+0x38], xmm3");
													asm("movsd [esp+0x40], xmm0");
													_t54 =  *_t104();
												}
												return _t54;
											} else {
												_t112 =  &(_t112[3]);
												__eflags = _t112 - _t177;
												if(_t112 < _t177) {
													_t181 =  *0x420020; // 0x400000
													_t183 = 0;
													goto L29;
													do {
														while(1) {
															L29:
															_t36 =  &(_t112[2]); // 0x30
															_t72 =  *_t36 & 0x000000ff;
															_t101 = _t101 + _t181;
															_t151 = _t151 + _t181;
															_t186 =  *_t101;
															__eflags = _t72 - 0x20;
															if(__eflags == 0) {
																break;
															}
															if(__eflags > 0) {
																__eflags = _t72 - 0x40;
																if(__eflags != 0) {
																	goto L51;
																} else {
																	_t137 =  *_t151 - _t101;
																	L1();
																	 *_t151 = _t186 + _t137;
																	goto L28;
																}
															} else {
																__eflags = _t72 - 8;
																if(_t72 == 8) {
																	_t168 = _t137 | 0xffffff00;
																	__eflags =  *_t151 & 0x000000ff;
																	_t142 =  <  ? _t137 | 0xffffff00 : _t137;
																	_t137 = ( <  ? _t137 | 0xffffff00 : _t137) - _t101;
																	__eflags = _t186 + _t137;
																	L1();
																	 *_t151 = r15b;
																	goto L28;
																} else {
																	__eflags = _t72 - 0x10;
																	if(__eflags != 0) {
																		L51:
																		E00409790(_t63, __eflags, _t112, "  Unknown pseudo relocation bit size %d.\n", _t137, _t148, _t151, _t168, _t172, _t177, _t181, _t183, _t186);
																		goto L52;
																	} else {
																		_t168 = _t137 | 0xffff0000;
																		__eflags =  *_t151 & 0x0000ffff;
																		_t143 =  <  ? _t137 | 0xffff0000 : _t137;
																		_t112 =  &(_t112[3]);
																		_t137 = ( <  ? _t137 | 0xffff0000 : _t137) - _t101;
																		L1();
																		 *_t151 = r15w;
																		__eflags = _t112 - _t177;
																		if(_t112 < _t177) {
																			continue;
																		} else {
																			goto L35;
																		}
																	}
																}
															}
															goto L55;
														}
														__eflags = _t66;
														_t140 =  >=  ? _t137 : _t137 | _t183;
														_t137 = ( >=  ? _t137 : _t137 | _t183) - _t101;
														L1();
														 *_t151 = r15d;
														L28:
														_t112 =  &(_t112[3]);
														__eflags = _t112 - _t177;
													} while (_t112 < _t177);
													L35:
													_t51 =  *0x424234;
													__eflags = _t51;
													if(_t51 > 0) {
														__eflags = 0;
														do {
															r8d =  *( *0x424238 + _t112);
															__eflags = r8d;
															if(r8d != 0) {
																_t51 = VirtualProtect();
															}
															_t82 = _t82 + 1;
															_t112 =  &(_t112[0xa]);
															__eflags = _t82 -  *0x424234;
														} while (_t82 <  *0x424234);
													}
												}
												goto L18;
											}
										}
									}
								}
							}
						} else {
							L18:
							return _t51;
						}
					} else {
						_t111 = _t111 + _t111 * 4 << 3;
						_t106 =  *0x424238 + _t111;
						_t106[8] = _t151;
						 *_t106 = 0;
						E0040A2E0(_t50, _t168);
						_t66 =  *(_t151 + 0xc);
						_t144 = _t160 + 0x20;
						r8d = 0x30;
						_t95 =  *0x424238;
						 *((long long*)(_t95 + _t111 + 0x18)) = _t106 + _t119;
						VirtualQuery(??, ??, ??);
						if(_t95 == 0) {
							_t95 =  *0x424238;
							_t168 =  *((intOrPtr*)(_t95 + _t111 + 0x18));
							E00409790(_t63, __eflags, _t111, "  VirtualQuery failed for %d bytes at address %p", _t144, _t148, _t151,  *((intOrPtr*)(_t95 + _t111 + 0x18)), _t172, _t176, _t181, _t183, _t186);
							goto L16;
						} else {
							_t49 =  *(_t160 + 0x44);
							if((_t95 - 0x00000040 & 0xffffffbf) == 0 || (_t95 - 0x00000004 & 0xfffffffb) == 0) {
								L10:
								 *0x424234 =  *0x424234 + 1;
								goto L11;
							} else {
								__eflags = _t49 - 2;
								_t145 =  *((intOrPtr*)(_t160 + 0x38));
								r8d = 4;
								r8d =  !=  ? 0x40 : r8d;
								_t111 = _t111 +  *0x424238;
								 *((long long*)(_t111 + 8)) =  *((intOrPtr*)(_t160 + 0x20));
								_t172 = _t111;
								 *((long long*)(_t111 + 0x10)) =  *((intOrPtr*)(_t160 + 0x38));
								_t49 = VirtualProtect(??, ??, ??, ??);
								__eflags = _t49;
								if(__eflags != 0) {
									goto L10;
								} else {
									GetLastError();
									E00409790(_t63, __eflags, _t111, "  VirtualProtect failed with code 0x%x", _t145, _t148, _t151, _t168, _t172, _t176, _t181, _t183, _t186);
									goto L14;
								}
							}
						}
					}
				}
				L55:
			}

0x00409790
0x00409790
0x00409790
0x00409790
0x00409790
0x00409790
0x00409792
0x00409793
0x0040979a
0x004097a4
0x004097a9
0x004097ae
0x004097b3
0x004097b8
0x004097bd
0x004097cf
0x004097d2
0x004097d7
0x004097dc
0x004097e1
0x004097e9
0x004097ec
0x004097ef
0x004097f4
0x004097fa
0x00409800
0x00409802
0x00409803
0x00409804
0x00409808
0x0040980f
0x00409814
0x00409930
0x00409930
0x00000000
0x0040981a
0x00409821
0x00409823
0x00409827
0x00409830
0x00409830
0x00409836
0x00000000
0x00409838
0x00409838
0x0040983c
0x00409846
0x004098d3
0x004098db
0x00000000
0x00000000
0x00000000
0x00409846
0x00000000
0x0040984c
0x0040984c
0x0040984f
0x00409853
0x00409857
0x00409857
0x0040985a
0x0040985f
0x00409865
0x00409952
0x00409952
0x0040995c
0x00409962
0x00409971
0x00409973
0x00409975
0x00409977
0x00409979
0x0040997a
0x0040997b
0x0040997c
0x00409988
0x0040998e
0x00409990
0x004099a8
0x004099b2
0x004099c9
0x004099ce
0x004099d5
0x004099dc
0x004099e6
0x004099ee
0x004099f8
0x004099fb
0x004099ff
0x00000000
0x00409a01
0x00409a01
0x00409a03
0x00409a07
0x00409b38
0x00409b3a
0x00000000
0x00409b3c
0x00409b3c
0x00409b3c
0x00409b41
0x00409b41
0x00409b41
0x00409b44
0x00000000
0x00409b4a
0x00409b4a
0x00409b4a
0x00409b4d
0x00000000
0x00409b4d
0x00409b44
0x00409a0d
0x00409a0d
0x00409a0d
0x00409a0f
0x00409bb0
0x00409bb0
0x00409bb3
0x00409bb9
0x00409bc0
0x00409bc3
0x00409bc6
0x00409bca
0x00409bcd
0x00409bd3
0x00409bd8
0x00409bdb
0x00409bdb
0x00000000
0x00409be0
0x00000000
0x00409a15
0x00409a15
0x00409a15
0x00409a18
0x00409a18
0x00409a1a
0x00000000
0x00409a20
0x00409a20
0x00409a23
0x00409a26
0x00409bf1
0x00409bf8
0x00409c00
0x00409c04
0x00409c0b
0x00409c0e
0x00409c10
0x00409c19
0x00409c22
0x00409c27
0x00409c2d
0x00409c33
0x00409c39
0x00409c39
0x00409c40
0x00409a2c
0x00409a2c
0x00409a30
0x00409a33
0x00409a39
0x00409a40
0x00409a4a
0x00409a7d
0x00409a7d
0x00409a7d
0x00409a82
0x00409a82
0x00409a86
0x00409a89
0x00409a8c
0x00409a8f
0x00409a92
0x00000000
0x00000000
0x00409a98
0x00409b60
0x00409b63
0x00000000
0x00409b69
0x00409b6f
0x00409b75
0x00409b7a
0x00000000
0x00409b7a
0x00409a9e
0x00409a9e
0x00409aa1
0x00409a59
0x00409a60
0x00409a62
0x00409a66
0x00409a69
0x00409a6c
0x00409a71
0x00000000
0x00409aa3
0x00409aa3
0x00409aa6
0x00409be5
0x00409bec
0x00000000
0x00409aac
0x00409ab5
0x00409abc
0x00409abf
0x00409ac3
0x00409ac7
0x00409acd
0x00409ad2
0x00409ad6
0x00409ad9
0x00000000
0x00000000
0x00000000
0x00000000
0x00409ad9
0x00409aa6
0x00409aa1
0x00000000
0x00409a98
0x00409b90
0x00409b92
0x00409b99
0x00409b9f
0x00409ba4
0x00409a74
0x00409a74
0x00409a78
0x00409a78
0x00409ae0
0x00409ae0
0x00409ae6
0x00409ae8
0x00409af5
0x00409b00
0x00409b0a
0x00409b0d
0x00409b10
0x00409b1d
0x00409b1d
0x00409b1f
0x00409b22
0x00409b26
0x00409b26
0x00409b2e
0x00409ae8
0x00000000
0x00409a33
0x00409a26
0x00409a1a
0x00409a0f
0x00409a07
0x00409992
0x00409992
0x004099a2
0x004099a2
0x0040986b
0x00409876
0x0040987a
0x0040987d
0x00409881
0x00409887
0x0040988c
0x0040988f
0x00409894
0x0040989d
0x004098a4
0x004098a9
0x004098b2
0x00409937
0x00409948
0x0040994d
0x00000000
0x004098b8
0x004098b8
0x004098c2
0x004098cc
0x004098cc
0x00000000
0x004098e0
0x004098e0
0x004098e8
0x004098ed
0x004098f8
0x004098fc
0x00409903
0x00409907
0x0040990a
0x0040990e
0x00409914
0x00409916
0x00000000
0x00409918
0x00409918
0x00409927
0x00000000
0x00409927
0x00409916
0x004098c2
0x004098b2
0x00409865
0x00000000

APIs

VirtualQuery.KERNEL32 ref: 004098A9

Strings

VirtualProtect failed with code 0x%x, xrefs: 0040991E
VirtualQuery failed for %d bytes at address %p, xrefs: 00409941
Mingw-w64 runtime failure:, xrefs: 004097C8
Address %p has no image-section, xrefs: 00409800, 00409955

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 0daa08e627f663a73a63859cdc661da97dbe882279bd02199a707486a349577c
Instruction ID: 6ca0c93d34be3a9fe0f20fd0aecc3e7c7cbd3bbfbd2e8e23a9aaf0efa858993e
Opcode Fuzzy Hash: 0daa08e627f663a73a63859cdc661da97dbe882279bd02199a707486a349577c
Instruction Fuzzy Hash: 635193B2711B4181DB10AF52E84179A77A0F789B98F88813AEF4D17395DB3CC946C748

Uniqueness

Uniqueness Score: -1.00%

Function 042B8D20 Relevance: 12.4, APIs: 8, Instructions: 377COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B906A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B9070
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B9076
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B907C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B9082
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B9088
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B908E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B9094

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 81295606ededc7508276f80509d52cb69c040a7621a29d65a924176669704457
Instruction ID: 7f2be8e39551179941dc912cb9653d483ac971b6a8130fcf880069531b476d1b
Opcode Fuzzy Hash: 81295606ededc7508276f80509d52cb69c040a7621a29d65a924176669704457
Instruction Fuzzy Hash: A6A18F30678D4C4EDB48EB6CC888B9DB7E2FBA9355F644A19E09DC32A5C674A4C0C781

Uniqueness

Uniqueness Score: -1.00%

Function 0040D250 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D250(signed char __edx, signed long long __rax, signed short* __rcx, intOrPtr* __r8) {
				signed short* _v40;
				intOrPtr _t43;
				signed char _t44;
				signed int _t47;
				signed char _t55;
				signed char _t57;
				signed long long _t66;
				intOrPtr* _t67;
				signed long long _t73;
				signed long long _t75;
				signed short* _t78;
				intOrPtr _t80;
				intOrPtr _t81;

				_t66 = __rax;
				_t43 =  *((intOrPtr*)(__r8 + 0x10));
				_t78 = __rcx;
				_t60 = __edx;
				_t67 = __r8;
				if(_t43 >= 0) {
					_t60 =  >  ? _t43 : __edx;
				}
				_t44 =  *(_t67 + 8);
				r8d =  *(_t67 + 0xc);
				if((_t44 & 0x00006000) == 0x6000) {
					if(r8d <= _t60) {
						r8d = _t60;
						L00414ED8();
					} else {
						_v40 = _t78;
						r9d = _t60;
						if((_t44 & 0x00000004) != 0) {
							L00414ED8();
						} else {
							L00414ED8();
						}
					}
					if(_t44 > 0) {
						 *(_t67 + 0x24) =  *(_t67 + 0x24) + _t44;
					}
					 *(_t67 + 0xc) = 0xffffffff;
					return _t44;
				} else {
					if(r8d > _t60) {
						r8d = r8d - _t60;
						 *(_t67 + 0xc) = r8d;
						if((_t44 & 0x00000004) != 0) {
							if(_t60 > 0) {
								goto L9;
							}
							r8d = r8d - 1;
							 *(_t67 + 0xc) = r8d;
							goto L21;
						}
						r8d = r8d - 1;
						 *(_t67 + 0xc) = r8d;
						do {
							E0040CDC0(0x20, _t67);
							_t44 =  *(_t67 + 0xc);
							 *(_t67 + 0xc) = _t66 - 1;
						} while (_t44 != 0);
						goto L5;
					} else {
						 *(_t67 + 0xc) = 0xffffffff;
						L5:
						if(_t60 > 0) {
							while(1) {
								L9:
								_t47 =  *_t78 & 0x0000ffff;
								if(_t47 == 0) {
									break;
								}
								_t57 =  *(_t67 + 8);
								_t78 =  &(_t78[1]);
								if((_t57 & 0x00000040) != 0) {
									L12:
									_t81 =  *_t67;
									if((_t57 & 0x00000020) == 0) {
										_t75 =  *(_t67 + 0x24);
										 *(_t81 + _t75 * 2) = _t47;
										_t66 = _t75;
									} else {
										L004091F8();
										_t44 =  *(_t67 + 0x24);
									}
									L8:
									_t44 = _t44 + 1;
									 *(_t67 + 0x24) = _t44;
									_t60 = _t60 - 1;
									if(_t60 == 0) {
										break;
									}
									continue;
								}
								_t44 =  *(_t67 + 0x24);
								if( *((intOrPtr*)(_t67 + 0x28)) <= _t44) {
									goto L8;
								}
								goto L12;
							}
							L20:
							_t44 =  *(_t67 + 0xc);
							 *(_t67 + 0xc) = _t66 - 1;
							if(_t44 <= 0) {
								return _t44;
							}
							L21:
							_t55 =  *(_t67 + 8);
							if((_t55 & 0x00000040) != 0) {
								L23:
								_t80 =  *_t67;
								if((_t55 & 0x00000020) == 0) {
									_t73 =  *(_t67 + 0x24);
									 *((short*)(_t80 + _t73 * 2)) = 0x20;
									_t66 = _t73;
								} else {
									L004091F8();
									_t44 =  *(_t67 + 0x24);
								}
								L19:
								 *(_t67 + 0x24) = _t44 + 1;
								goto L20;
							}
							_t44 =  *(_t67 + 0x24);
							if( *((intOrPtr*)(_t67 + 0x28)) <= _t44) {
								goto L19;
							}
							goto L23;
						}
						 *(_t67 + 0xc) = 0xfffffffe;
						return _t44;
					}
				}
			}

0x0040d250
0x0040d257
0x0040d25b
0x0040d25e
0x0040d260
0x0040d265
0x0040d269
0x0040d269
0x0040d26c
0x0040d26f
0x0040d281
0x0040d386
0x0040d3d5
0x0040d3df
0x0040d388
0x0040d388
0x0040d38d
0x0040d393
0x0040d3ed
0x0040d395
0x0040d39c
0x0040d39c
0x0040d393
0x0040d3a3
0x0040d3a5
0x0040d3a5
0x0040d3a8
0x00000000
0x0040d287
0x0040d28a
0x0040d2f0
0x0040d2f3
0x0040d2fa
0x0040d3c2
0x00000000
0x00000000
0x0040d3c8
0x0040d3cc
0x00000000
0x0040d3cc
0x0040d300
0x0040d304
0x0040d310
0x0040d318
0x0040d31d
0x0040d323
0x0040d326
0x00000000
0x0040d28c
0x0040d28c
0x0040d293
0x0040d295
0x0040d2bb
0x0040d2bb
0x0040d2bb
0x0040d2c1
0x00000000
0x00000000
0x0040d2c7
0x0040d2ca
0x0040d2d1
0x0040d2db
0x0040d2db
0x0040d2e1
0x0040d2a0
0x0040d2a4
0x0040d2a9
0x0040d2e3
0x0040d2e6
0x0040d2eb
0x0040d2eb
0x0040d2ac
0x0040d2ac
0x0040d2af
0x0040d2b2
0x0040d2b5
0x00000000
0x00000000
0x00000000
0x0040d2b5
0x0040d2d3
0x0040d2d9
0x00000000
0x00000000
0x00000000
0x0040d2d9
0x0040d347
0x0040d347
0x0040d34d
0x0040d352
0x0040d3b6
0x0040d3b6
0x0040d354
0x0040d354
0x0040d35a
0x0040d364
0x0040d364
0x0040d36a
0x0040d330
0x0040d339
0x0040d33e
0x0040d36c
0x0040d374
0x0040d379
0x0040d379
0x0040d341
0x0040d344
0x00000000
0x0040d344
0x0040d35c
0x0040d362
0x00000000
0x00000000
0x00000000
0x0040d362
0x0040d3f4
0x00000000
0x0040d3f4
0x0040d28a

Strings

%.*s, xrefs: 0040D3D8
%*.*s, xrefs: 0040D395
%-*.*s, xrefs: 0040D3E6

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID:
String ID: %*.*s$%-*.*s$%.*s
API String ID: 0-4054516066
Opcode ID: 7a797622adb1d086b96de76755a23541eeaaf9f5380c40fde809bd6ca33bccf8
Instruction ID: 76f92c1356cd3d06a3b6374b5dc6b6f222f2859e34eda59daedd7dff03e92bd2
Opcode Fuzzy Hash: 7a797622adb1d086b96de76755a23541eeaaf9f5380c40fde809bd6ca33bccf8
Instruction Fuzzy Hash: 2D418CB2B1065186D7209FA9C54475E77A1EB44FA8F14C23ADE08AB7C8C73DD849CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE20 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040CE20(signed int __edx, signed int __rax, char* __rcx, void* __r8) {
				signed int _v72;
				char _v80;
				long long _v104;
				intOrPtr _t25;
				signed char _t26;
				signed int _t29;
				signed int _t51;
				void* _t52;
				char* _t64;
				long long* _t65;
				signed short* _t70;

				_t51 = __rax;
				_t25 =  *((intOrPtr*)(__r8 + 0x10));
				_t64 = __rcx;
				_t44 = __edx;
				_t52 = __r8;
				if(_t25 >= 0) {
					_t44 =  >  ? _t25 : __edx;
				}
				_t26 =  *(_t52 + 8);
				r8d =  *(_t52 + 0xc);
				if((_t26 & 0x00006000) == 0x6000) {
					__eflags = r8d - _t44;
					if(r8d <= _t44) {
						r8d = _t44;
						L00414ED8();
					} else {
						_v104 = _t64;
						r9d = _t44;
						__eflags = _t26 & 0x00000004;
						if((_t26 & 0x00000004) != 0) {
							L00414ED8();
						} else {
							L00414ED8();
						}
					}
					__eflags = _t26;
					if(_t26 > 0) {
						_t22 = _t52 + 0x24;
						 *_t22 =  *(_t52 + 0x24) + _t26;
						__eflags =  *_t22;
					}
					 *(_t52 + 0xc) = 0xffffffff;
					return _t26;
				} else {
					if(r8d > _t44) {
						r8d = r8d - _t44;
						 *(_t52 + 0xc) = r8d;
						__eflags = _t26 & 0x00000004;
						if((_t26 & 0x00000004) == 0) {
							r8d = r8d - 1;
							__eflags = r8d;
							 *(_t52 + 0xc) = r8d;
							do {
								E0040CDC0(0x20, _t52);
								 *(_t52 + 0xc) = _t51 - 1;
								__eflags =  *(_t52 + 0xc);
							} while ( *(_t52 + 0xc) != 0);
						}
						goto L5;
						L18:
						return _t29;
						goto L27;
					} else {
						 *(_t52 + 0xc) = 0xffffffff;
					}
					L5:
					_t65 =  &_v80;
					_t70 =  &_v72;
					if(_t44 > 0) {
						while(1) {
							 *_t65 = 0;
							_t44 = _t44 - 1;
							strlen(??);
							E00415070(_t70, _t64, _t51, _t65);
							__eflags = _t51;
							if(__eflags == 0) {
								goto L17;
							}
							if(__eflags >= 0) {
								_t36 = _v72 & 0x0000ffff;
							} else {
								_t36 =  *_t64;
								_v72 =  *_t64;
							}
							_t64 = _t64 + _t51;
							E0040CDC0(_t36 & 0x0000ffff, _t52);
							__eflags = _t44;
							if(_t44 != 0) {
								continue;
							}
							goto L17;
						}
					} else {
						while(1) {
							L17:
							_t29 =  *(_t52 + 0xc);
							 *(_t52 + 0xc) = _t51 - 1;
							if(_t29 <= 0) {
								goto L18;
							}
							E0040CDC0(0x20, _t52);
						}
						goto L18;
					}
					goto L17;
				}
				L27:
			}

0x0040ce20
0x0040ce2a
0x0040ce2e
0x0040ce31
0x0040ce33
0x0040ce38
0x0040ce3c
0x0040ce3c
0x0040ce3f
0x0040ce42
0x0040ce54
0x0040cf4b
0x0040cf4e
0x0040cf85
0x0040cf8f
0x0040cf50
0x0040cf50
0x0040cf55
0x0040cf58
0x0040cf5b
0x0040cf9d
0x0040cf5d
0x0040cf64
0x0040cf64
0x0040cf5b
0x0040cf69
0x0040cf6b
0x0040cf6d
0x0040cf6d
0x0040cf6d
0x0040cf6d
0x0040cf70
0x0040cf81
0x0040ce5a
0x0040ce5d
0x0040cee0
0x0040cee3
0x0040cee7
0x0040ceea
0x0040cef0
0x0040cef0
0x0040cef4
0x0040cf00
0x0040cf08
0x0040cf13
0x0040cf16
0x0040cf16
0x0040cf1a
0x00000000
0x0040cf44
0x0040cf44
0x00000000
0x0040ce63
0x0040ce63
0x0040ce63
0x0040ce6a
0x0040ce6a
0x0040ce6f
0x0040ce76
0x0040ce9b
0x0040ce9e
0x0040cea6
0x0040cea9
0x0040ceba
0x0040cebf
0x0040cec2
0x00000000
0x00000000
0x0040cec4
0x0040ce80
0x0040cec6
0x0040cec6
0x0040cecf
0x0040cecf
0x0040ce8b
0x0040ce8e
0x0040ce93
0x0040ce95
0x00000000
0x00000000
0x00000000
0x0040ce95
0x0040ce78
0x0040cf2d
0x0040cf2d
0x0040cf2d
0x0040cf33
0x0040cf38
0x00000000
0x00000000
0x0040cf28
0x0040cf28
0x00000000
0x0040cf2d
0x00000000
0x0040ce76
0x00000000

Strings

%*.*S, xrefs: 0040CF5D
%.*S, xrefs: 0040CF88
%-*.*S, xrefs: 0040CF96

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID:
String ID: %*.*S$%-*.*S$%.*S
API String ID: 0-2115465065
Opcode ID: dad0347ec67f5794da4a6d8fc76f4fe1b6cd43a7292eaf67df468db9194bceed
Instruction ID: 8ec9b0c159eb4337206ff08faf36ac2ad669e2e6ac23e9a1201355e5d05c7c7d
Opcode Fuzzy Hash: dad0347ec67f5794da4a6d8fc76f4fe1b6cd43a7292eaf67df468db9194bceed
Instruction Fuzzy Hash: 6431A2B3710642C6D7209B26E88075AB692E784BD8F18C336EF48577C8DA3DC585CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00401C70 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00401C70(void* __r9, void* __r12, unsigned long long _a32, long long _a40, signed int _a48) {
				void* _t16;
				void* _t26;
				intOrPtr _t28;
				void* _t34;
				void* _t35;

				_t35 = __r9;
				if( *0x424120 != 0) {
					E004017A0(_t16,  *((intOrPtr*)(__r12 + 0x30)));
					_t28 =  *0x424178;
					goto L4;
				} else {
					__r11 =  *0x424178;
					if( *0x424104 != 0) {
						L12:
						__r10 =  *__r12;
						__r8 =  *((intOrPtr*)(__r12 + 0x10));
						__rax = 0x540be3ff;
						if(__r10 > 0x540be3ff) {
							__r9 = L"GiB";
							L21:
							__rax = __r8 + __r8 * 4;
							__r8 + __r8 * 4 + (__r8 + __r8 * 4) * 4 = __r8 + __r8 * 4 + (__r8 + __r8 * 4) * 4 << 2;
							__eax = __eax / __r10;
							L16:
							if(__r11 == 0) {
								L6:
								return 0;
							}
							__r10 = __r10 >> __cl;
							_a48 = __eax;
							__r8 = __r8 >> __cl;
							__rcx = __r11;
							_a40 = __r9;
							_a32 = __r10;
							__eax = E00401650(__r8, __r9);
							__rcx =  *0x424178;
							__rax =  *__r12;
							if( *((intOrPtr*)(__r12 + 0x10)) <  *__r12) {
								L4:
								if(_t28 != 0) {
									fflush();
								}
								goto L6;
							}
							goto L1;
						}
						if(__r10 > 0x98967f) {
							__r9 = L"MiB";
							L15:
							__eax = 0;
							if(__r10 != 0) {
								goto L21;
							}
							goto L16;
						}
						__r9 = L"bytes";
						if(__r10 > 0x270f) {
							__r9 = L"KiB";
							goto L21;
						}
						goto L15;
					}
					if( *((intOrPtr*)(__r12 + 0x24)) != 0 && __r11 != 0) {
						__rax = "s";
						__rbx =  !=  ? __rax : 0x41717e;
						L00409100();
						__rcx =  *0x424178;
						r9d =  *((intOrPtr*)(__r12 + 0x20));
						_a32 =  !=  ? __rax : 0x41717e;
						__r8 = __rax;
						__eax = E00401650(__rax, __r9);
						__r11 =  *0x424178;
					}
					 *0x424104 = 1;
					goto L12;
				}
				L1:
				if(_t26 == 0) {
					goto L6;
				}
				E00401650(_t34, _t35);
				_t28 =  *0x424178;
				goto L4;
			}

0x00401c70
0x00401c78
0x004021c5
0x004021ca
0x00000000
0x00401c7e
0x00401c85
0x00401c8c
0x00401ce7
0x00401ce7
0x00401ceb
0x00401cf0
0x00401cfd
0x00402267
0x00402273
0x00402273
0x0040227d
0x00402281
0x00401d31
0x00401d34
0x00401981
0x0040198c
0x0040198c
0x00401d3a
0x00401d3d
0x00401d41
0x00401d44
0x00401d47
0x00401d53
0x00401d58
0x00401d5d
0x00401d64
0x00401d6d
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00000000
0x0040197a
0x00000000
0x00401d73
0x00401d0a
0x00402375
0x00401d26
0x00401d26
0x00401d2b
0x00000000
0x00000000
0x00000000
0x00401d2b
0x00401d10
0x00401d20
0x00402364
0x00000000
0x0040236b
0x00000000
0x00401d20
0x00401c95
0x00401ca1
0x00401cb2
0x00401cb6
0x00401cbb
0x00401cc2
0x00401ccc
0x00401cd1
0x00401cd4
0x00401cd9
0x00401cd9
0x00401ce0
0x00000000
0x00401ce0
0x00401958
0x0040195b
0x00000000
0x00000000
0x00401964
0x00401970
0x00000000

Strings

KiB, xrefs: 00402364
GiB, xrefs: 00402267
Archiving file data: %llu %ls of %llu %ls (%u%%) done, xrefs: 00401D4C
bytes, xrefs: 00401D10
MiB, xrefs: 00402375
Using %ls compression with %u thread%ls, xrefs: 00401CC5

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID:
String ID: Archiving file data: %llu %ls of %llu %ls (%u%%) done$GiB$KiB$MiB$Using %ls compression with %u thread%ls$bytes
API String ID: 0-829042426
Opcode ID: 65ffe6d2d61c5d671bb63e3ef258d98866aff2602f9a5989fd71adf220eec2ec
Instruction ID: 5d179143940cff15f60169afbc1925701f22ed008fefb763889c2b2c91b0b5cf
Opcode Fuzzy Hash: 65ffe6d2d61c5d671bb63e3ef258d98866aff2602f9a5989fd71adf220eec2ec
Instruction Fuzzy Hash: E13137B1708B0496EB14CB61E858BAA2364F398784F850137EE4E633A0DB7CC595C34C

Uniqueness

Uniqueness Score: -1.00%

Function 00401560 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00401578
LoadLibraryA.KERNEL32 ref: 0040158D
GetProcAddress.KERNEL32 ref: 004015AB
GetProcAddress.KERNEL32 ref: 004015BA

Strings

__deregister_frame_info, xrefs: 004015AD
__register_frame_info, xrefs: 0040159A
libgcc_s_dw2-1.dll, xrefs: 00401571, 00401586

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: f8ced96382eabce680b73a676b673300398fe8d5e500dc106b0868b6cf86dce7
Instruction ID: 78fe966581bf46e89f722872e322ef5bcd8051b9b8e69b33802c57285b0baf56
Opcode Fuzzy Hash: f8ced96382eabce680b73a676b673300398fe8d5e500dc106b0868b6cf86dce7
Instruction Fuzzy Hash: CD01A2B1716E09A0EE11DB15FC5079467A4BB98784F880522EF4E563B4EF3CC58AD708

Uniqueness

Uniqueness Score: -1.00%

Function 004038A0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E004038A0(void* __ecx, void* __edx, void* __fp0, signed int* __rax, void* __rcx, void* __rdx) {
				char _v80;
				void* _v88;
				long long _v104;
				void* __r12;
				void* __r13;
				void* _t14;
				void* _t18;
				void* _t22;
				void* _t28;
				void* _t30;
				void* _t35;
				signed int* _t36;
				short* _t37;
				void* _t55;
				intOrPtr* _t56;
				void* _t58;
				void* _t60;
				void* _t62;
				void* _t63;

				_t36 = __rax;
				_t35 = __fp0;
				_t28 = __edx;
				asm("movaps [esp+0x40], xmm6");
				_t30 = 0;
				r13d = 0;
				_t22 = __ecx;
				_t55 = __rdx;
				while(1) {
					_t60 = 0x41dbe0;
					_t58 = 0x41717e;
					_v104 = 0;
					_t14 = E00408FE0();
					r12d = _t14;
					if(_t14 == 0xffffffff) {
						break;
					}
					if(r12d == 3) {
						r13d = 1;
						L7:
						_t30 = 1;
						continue;
					}
					if(r12d == 0x15) {
						goto L7;
					}
					L4:
					r12d = 0xffffffff;
					 *0x416040();
					E00403630(0xa, _t36, _t36, _t58, _t60, _t62, _t63);
					L5:
					asm("movaps xmm6, [esp+0x40]");
					return r12d;
				}
				_t36 =  *0x4201c0; // 0x416038
				_t56 = _t55 +  *_t36 * 8;
				if(_t22 - _t28 != 3) {
					goto L4;
				}
				_t18 = E0040A4B0(_t35,  *((intOrPtr*)(_t56 + 0x10)),  &_v88);
				_t51 =  *((intOrPtr*)(_t56 + 0x10));
				_t37 = _v88;
				asm("movapd xmm6, xmm0");
				if( *((intOrPtr*)(_t56 + 0x10)) == _t37 ||  *_t37 != 0) {
					E004024D0(L"Invalid part size \"%ls\"", _t51, _t58, _t60);
					E004024D0(L"The part size must be an integer or floating-point number of megabytes.", _t51, _t58, _t60);
				} else {
					_v104 = 0;
					L004090A8();
					r12d = _t18;
					if(_t18 == 0) {
						asm("mulsd xmm6, [0x1b652]");
						r9d = _t30;
						asm("repne dec esp");
						L00409020();
						r12d = _t18;
						E004023A0(_t37, L"\nFinished splitting \"%ls\"\n",  *_t56,  &_v80, 0x401890);
						L00409108();
					}
				}
				goto L5;
			}

0x004038a0
0x004038a0
0x004038a0
0x004038ae
0x004038b3
0x004038b5
0x004038c6
0x004038c8
0x004038cb
0x004038cb
0x004038ce
0x004038d6
0x004038df
0x004038e4
0x004038ea
0x00000000
0x00000000
0x004038f0
0x00403930
0x00403936
0x00403936
0x00000000
0x00403936
0x004038f6
0x00000000
0x00000000
0x004038f8
0x004038fd
0x00403903
0x00403911
0x00403917
0x00403917
0x0040392d
0x0040392d
0x00403940
0x0040394c
0x00403953
0x00000000
0x00000000
0x0040395e
0x00403963
0x00403967
0x0040396c
0x00403973
0x004039ef
0x004039fb
0x0040397b
0x0040398a
0x00403996
0x0040399b
0x004039a0
0x004039a6
0x004039b2
0x004039ba
0x004039c2
0x004039d1
0x004039d4
0x004039de
0x004039de
0x004039a0
0x00000000

APIs

wimlib_add_image_multisource.LIBWIM-15 ref: 00403996
wimlib_add_image_multisource.LIBWIM-15 ref: 004039DE

Strings

8`A, xrefs: 00403940
The part size must be an integer or floating-point number of megabytes., xrefs: 004039F4
Finished splitting "%ls", xrefs: 004039CA
Invalid part size "%ls", xrefs: 004039E8

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource
String ID: Finished splitting "%ls"$8`A$Invalid part size "%ls"$The part size must be an integer or floating-point number of megabytes.
API String ID: 1578821148-3593460420
Opcode ID: 47cf9bc5e6b0aa68ac9b7225f7600fbbe33311981d9e70543fac23ff9242d9cd
Instruction ID: 83878e3c3884a32e8de5d90eb66646991ae976c9bab819e0dfdb066f059236b0
Opcode Fuzzy Hash: 47cf9bc5e6b0aa68ac9b7225f7600fbbe33311981d9e70543fac23ff9242d9cd
Instruction Fuzzy Hash: 1C31E4B2214A4151DB209B26E8443AB6764B784BD8F405227EF4E677E5DFBDC986C308

Uniqueness

Uniqueness Score: -1.00%

Function 004030A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004030A0(signed long long __rax, intOrPtr* __rcx, void* __rdx, long long __r9) {
				void* _t14;
				void* _t20;
				signed long long _t27;
				long long _t41;
				intOrPtr* _t42;
				void* _t43;
				intOrPtr _t51;

				_t48 = __r9;
				_t27 = __rax;
				_t42 = __rcx;
				_t20 = r8d;
				 *((long long*)(_t43 + 0x98)) = __r9;
				if( *((intOrPtr*)(__rcx + 8)) == 0) {
					r13d = 0;
					goto L11;
				} else {
					_t14 = 0;
					r13d = 0;
					goto L6;
					do {
						while(1) {
							L6:
							_t12 = _t14;
							_t51 =  *((intOrPtr*)( *_t42 + _t27 * 8));
							L004091A0();
							 *_t27 = 0;
							_t7 = _t27 + 2; // 0x2
							_t41 = _t7;
							L004090F0();
							if(_t27 == 0) {
								break;
							}
							L00409198();
							if(_t12 != 0) {
								break;
							} else {
								if( *0x424178 != 0) {
									 *((long long*)(_t43 + 0x20)) = _t41;
									r9d = _t20;
									E00401650(_t51, _t48);
								}
								_t14 = _t14 + 1;
								if( *((intOrPtr*)(_t42 + 8)) <= _t14) {
									goto L11;
								} else {
									continue;
								}
							}
							goto L13;
						}
						if( *0x424178 != 0) {
							 *((long long*)(_t43 + 0x20)) = _t41;
							r9d = _t20;
							_t12 = E00401650(_t51, _t48);
						}
						_t48 = _t41;
						L00409058();
						if(_t12 == 0) {
							goto L10;
						}
						goto L13;
						L10:
						r13d = 1;
						_t14 = _t14 + 1;
					} while ( *((intOrPtr*)(_t42 + 8)) > _t14);
					L11:
					_t12 = 0;
					if( *((long long*)(_t43 + 0x98)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x98)))) = r13b;
						return 0;
					}
				}
				L13:
				return _t12;
			}

0x004030a0
0x004030a0
0x004030b0
0x004030b9
0x004030bc
0x004030c6
0x004031b6
0x00000000
0x004030cc
0x004030cc
0x004030ce
0x004030d8
0x00403117
0x00403117
0x00403117
0x0040311b
0x0040311d
0x00403129
0x00403136
0x0040313b
0x0040313b
0x0040313f
0x0040314a
0x00000000
0x00000000
0x004030e3
0x004030ea
0x00000000
0x004030ec
0x004030f6
0x004030f8
0x004030fd
0x0040310a
0x0040310a
0x0040310f
0x00403115
0x00000000
0x00000000
0x00000000
0x00000000
0x00403115
0x00000000
0x004030ea
0x00403156
0x00403158
0x0040315d
0x00403166
0x00403166
0x0040316b
0x00403176
0x0040317d
0x00000000
0x00000000
0x00000000
0x0040317f
0x0040317f
0x00403185
0x00403188
0x0040318d
0x0040318d
0x00403198
0x004031a2
0x00000000
0x004031a2
0x00403198
0x004031b5
0x004031b5

APIs

wcscmp.MSVCRT ref: 004030E3
wcschr.MSVCRT ref: 00403129
wimlib_add_image_multisource.LIBWIM-15 ref: 0040313F
wimlib_add_image_multisource.LIBWIM-15 ref: 00403176

Strings

Setting the %ls property of image %d to "%ls"., xrefs: 004030D1
The %ls property of image %d already has value "%ls"., xrefs: 00403103

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: wimlib_add_image_multisource$wcschrwcscmp
String ID: Setting the %ls property of image %d to "%ls".$The %ls property of image %d already has value "%ls".
API String ID: 4233608177-537554600
Opcode ID: fbdc7c8f605ea163405bcc4d532bd3df9434eead2f15ba7ea1b608b174f14f85
Instruction ID: 0bbe192b331c958278586b9224fc57870e830b6fdf78e152a54004230fee9c75
Opcode Fuzzy Hash: fbdc7c8f605ea163405bcc4d532bd3df9434eead2f15ba7ea1b608b174f14f85
Instruction Fuzzy Hash: BE210B72305A8045E721DF27AC407976A59B799FC9F48843BAE0D6B795DE3CCA82C308

Uniqueness

Uniqueness Score: -1.00%

Function 00403260 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 004032A3
fread.MSVCRT ref: 004032C9
feof.MSVCRT ref: 004032DD
free.MSVCRT ref: 00403312

Strings

error reading stdin, xrefs: 00403300
out of memory while reading stdin, xrefs: 00403319

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: feoffreadfreerealloc
String ID: error reading stdin$out of memory while reading stdin
API String ID: 1166608578-2254877540
Opcode ID: 76533965038960bf2aa180062b2d547b2ef283f29ddfb266491c6ac5a14d4d29
Instruction ID: 5c0f754348fd6594c1bc83c33a954f0aad35533595692d0342a20ffc6d00ad00
Opcode Fuzzy Hash: 76533965038960bf2aa180062b2d547b2ef283f29ddfb266491c6ac5a14d4d29
Instruction Fuzzy Hash: 1E012B6230151451EA14AB63AD597BB1B486B58BD8F48043F9E0A677C1FD3CC583C30C

Uniqueness

Uniqueness Score: -1.00%

Function 004018C0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E004018C0(intOrPtr* __r12, long long _a32, unsigned long long _a40, long long _a48, signed int _a56) {
				signed int _t16;
				signed char _t21;
				intOrPtr _t41;
				unsigned long long _t48;
				long long _t51;
				intOrPtr* _t55;

				_t55 = __r12;
				_t48 =  *__r12;
				if(_t48 > 0x540be3ff) {
					_t51 = L"GiB";
					_t21 = 0x1e;
					goto L14;
				} else {
					if(_t48 > 0x98967f) {
						_t51 = L"MiB";
						_t21 = 0x14;
						goto L3;
					} else {
						_t51 = L"bytes";
						_t21 = 0;
						if(_t48 > 0x270f) {
							_t51 = L"KiB";
							_t21 = 0xa;
							goto L14;
						} else {
							L3:
							if(_t48 != 0) {
								L14:
								_t16 = 0 / _t48;
							}
						}
					}
				}
				if( *0x424178 != 0) {
					_a48 = _t51;
					_a40 = _t48 >> _t21;
					_t50 =  *((intOrPtr*)(_t55 + 0x20));
					_a32 = _t51;
					_a56 = _t16;
					_t53 =  *(_t55 + 8) >> _t21;
					E00401650( *((intOrPtr*)(_t55 + 0x20)),  *(_t55 + 8) >> _t21);
					_t41 =  *0x424178;
					if( *(_t55 + 8) !=  *_t55) {
						L10:
						if(_t41 != 0) {
							fflush();
						}
					} else {
						if(_t41 != 0) {
							E00401650(_t50, _t53);
							_t41 =  *0x424178;
							goto L10;
						}
					}
				}
				return 0;
			}

0x004018c0
0x004018ca
0x004018d1
0x00402210
0x00402217
0x00000000
0x004018d7
0x004018de
0x00402343
0x0040234a
0x00000000
0x004018e4
0x004018e4
0x004018eb
0x004018f4
0x004022f8
0x004022ff
0x00000000
0x004018fa
0x004018fa
0x004018ff
0x0040221c
0x0040222f
0x0040222f
0x004018ff
0x004018f4
0x004018de
0x0040190f
0x00401914
0x00401920
0x00401925
0x0040192a
0x00401934
0x00401938
0x0040193e
0x00401943
0x00401953
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00401958
0x0040195b
0x00401964
0x00401970
0x00000000
0x00401970
0x0040195b
0x00401953
0x0040198c

APIs

fflush.MSVCRT ref: 0040197C

Strings

KiB, xrefs: 004022F8
Verifying integrity of "%ls": %llu %ls of %llu %ls (%u%%) done, xrefs: 00401919
GiB, xrefs: 00402210
bytes, xrefs: 004018E4
MiB, xrefs: 00402343

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fflush
String ID: Verifying integrity of "%ls": %llu %ls of %llu %ls (%u%%) done$GiB$KiB$MiB$bytes
API String ID: 497872470-3734933048
Opcode ID: 4173576c873890b88c02bda3bbc3a80de3dc6b7890c0080e901e720b39a614b4
Instruction ID: c1e12124bf1c5b8adc4bbca27e843d80fbf49527d2693edc90bbce6b99a89a6d
Opcode Fuzzy Hash: 4173576c873890b88c02bda3bbc3a80de3dc6b7890c0080e901e720b39a614b4
Instruction Fuzzy Hash: 92214CB6205B8885EB14CBA5E458BE97760F395B90F85413BEE4E233E0DB7CC194C708

Uniqueness

Uniqueness Score: -1.00%

Function 00401D80 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00401D80(void* __eax, void* __r12, unsigned long long _a32, long long _a40, intOrPtr _a48) {
				intOrPtr _t29;
				unsigned long long _t37;
				long long _t38;
				unsigned long long _t39;
				void* _t42;

				_t42 = __r12;
				_t39 =  *((intOrPtr*)(__r12 + 0x28));
				_t37 =  *((intOrPtr*)(__r12 + 0x30));
				if(_t39 == 0) {
					_t38 = L"bytes";
				} else {
					__r9 = L"GiB";
					__eax = __eax / __r10;
					if(__r10 <= 0x540be3ff) {
						__r9 = L"MiB";
						if(__r10 <= 0x98967f) {
							__r9 = L"KiB";
							__r9 =  <=  ? L"bytes" : L"KiB";
							asm("sbb ecx, ecx");
						}
					}
				}
				if( *0x424178 == 0) {
					L6:
					return 0;
				} else {
					_a48 = 0;
					_t37 = _t37 >> 0;
					_a40 = _t38;
					_a32 = _t39 >> 0;
					E00401650(_t37, _t38);
					_t29 =  *0x424178;
					if( *((intOrPtr*)(_t42 + 0x30)) >=  *((intOrPtr*)(_t42 + 0x28))) {
						goto L1;
					}
					L4:
					if(_t29 != 0) {
						fflush();
					}
					goto L6;
				}
				L1:
				if(_t29 == 0) {
					goto L6;
				} else {
					E00401650(_t37, _t38);
					_t29 =  *0x424178;
					goto L4;
				}
			}

0x00401d80
0x00401d80
0x00401d85
0x00401d8d
0x00402042
0x00401d93
0x00401da2
0x00401dad
0x00401dbd
0x00401dc3
0x00401dd6
0x00401de3
0x00401df1
0x00401dfc
0x00401e00
0x00401dd6
0x00401dbd
0x00402055
0x00401981
0x0040198c
0x0040205b
0x0040205e
0x00402062
0x00402068
0x00402074
0x00402079
0x00402083
0x0040208f
0x00000000
0x00000000
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00000000
0x0040197a
0x00401958
0x0040195b
0x00000000
0x0040195d
0x00401964
0x00401970
0x00000000
0x00401970

APIs

fflush.MSVCRT ref: 0040197C

Strings

Extracting file data: %llu %ls of %llu %ls (%u%%) done, xrefs: 0040206D
KiB, xrefs: 00401DE3
GiB, xrefs: 00401DA2
bytes, xrefs: 00401DEA, 00402042
MiB, xrefs: 00401DC3

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fflush
String ID: Extracting file data: %llu %ls of %llu %ls (%u%%) done$GiB$KiB$MiB$bytes
API String ID: 497872470-3722678368
Opcode ID: b257d7ede31905746a7b6f3f96161e7b33066cdc0853ebbc7078651683df471e
Instruction ID: 75c0a73b273446fbd05aba8a274ae9b9e52c344955c9cfd8870e8cab57902adc
Opcode Fuzzy Hash: b257d7ede31905746a7b6f3f96161e7b33066cdc0853ebbc7078651683df471e
Instruction Fuzzy Hash: EB215BB2305A0486EB18CB65E868BEA3760F348784F85453BAE0E527E1DF7CC589C30C

Uniqueness

Uniqueness Score: -1.00%

Function 004019C0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E004019C0(intOrPtr* __r12, unsigned long long _a32, long long _a40, signed int _a48) {
				signed int _t13;
				signed int _t14;
				intOrPtr _t33;
				long long _t44;
				intOrPtr* _t46;

				_t46 = __r12;
				_t41 =  *__r12;
				if(_t41 > 0x540be3ff) {
					_t44 = L"GiB";
					goto L14;
				} else {
					if(__r8 > 0x98967f) {
						__r9 = L"MiB";
						goto L9;
					} else {
						__r9 = L"bytes";
						if(__r8 > 0x270f) {
							__r9 = L"KiB";
							goto L14;
						} else {
							L9:
							if(__r8 != 0) {
								L14:
								_t14 = _t13 / _t41;
							}
						}
					}
				}
				if( *0x424178 != 0) {
					_a48 = _t14;
					_a32 = _t41 >> 0x1e;
					_a40 = _t44;
					_t41 =  *(_t46 + 8) >> 0x1e;
					E00401650( *(_t46 + 8) >> 0x1e, _t44);
					_t33 =  *0x424178;
					if( *(_t46 + 8) !=  *_t46) {
						L4:
						if(_t33 != 0) {
							fflush();
						}
					} else {
						if(_t33 != 0) {
							E00401650(_t41, _t44);
							_t33 =  *0x424178;
							goto L4;
						}
					}
				}
				return 0;
			}

0x004019c0
0x004019ca
0x004019d1
0x00402240
0x00000000
0x004019d7
0x004019de
0x00402332
0x00000000
0x004019e4
0x004019e4
0x004019f4
0x004022e0
0x00000000
0x004019fa
0x004019fa
0x004019ff
0x0040224c
0x0040225f
0x0040225f
0x004019ff
0x004019f4
0x004019de
0x00401a0f
0x00401a18
0x00401a23
0x00401a2d
0x00401a32
0x00401a38
0x00401a3d
0x00401a4d
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00401a53
0x0040195b
0x00401964
0x00401970
0x00000000
0x00401970
0x0040195b
0x00401a4d
0x0040198c

APIs

fflush.MSVCRT ref: 0040197C

Strings

KiB, xrefs: 004022E0
GiB, xrefs: 00402240
bytes, xrefs: 004019E4
MiB, xrefs: 00402332
Calculating integrity table for WIM: %llu %ls of %llu %ls (%u%%) done, xrefs: 00401A1C

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fflush
String ID: Calculating integrity table for WIM: %llu %ls of %llu %ls (%u%%) done$GiB$KiB$MiB$bytes
API String ID: 497872470-3668557735
Opcode ID: a1d2d1736db9b5036067edc71767c656012c346a40bf27e5e472dd8f9045c7d6
Instruction ID: f7c79ae686fe6af3faa14e44f75740de3e1626a10c350c1faf1f779aaa5df93d
Opcode Fuzzy Hash: a1d2d1736db9b5036067edc71767c656012c346a40bf27e5e472dd8f9045c7d6
Instruction Fuzzy Hash: 132136B2205B8485EB18CBA5E4587EA3760E399780F85453BEA0E227E0DB7CC585D70C

Uniqueness

Uniqueness Score: -1.00%

Function 00401B68 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00401B68(void* __eax, void* __r12, unsigned long long _a32, long long _a40, intOrPtr _a48) {
				intOrPtr _t29;
				unsigned long long _t37;
				long long _t38;
				unsigned long long _t39;
				void* _t42;

				_t42 = __r12;
				_t39 =  *((intOrPtr*)(__r12 + 0x10));
				_t37 =  *((intOrPtr*)(__r12 + 0x20));
				if(_t39 == 0) {
					_t38 = L"bytes";
				} else {
					__r9 = L"GiB";
					__eax = __eax / __r10;
					if(__r10 <= 0x540be3ff) {
						__r9 = L"MiB";
						if(__r10 <= 0x98967f) {
							__r9 = L"KiB";
							__r9 =  <=  ? L"bytes" : L"KiB";
							asm("sbb ecx, ecx");
						}
					}
				}
				if( *0x424178 == 0) {
					L6:
					return 0;
				} else {
					_a48 = 0;
					_t37 = _t37 >> 0;
					_a40 = _t38;
					_a32 = _t39 >> 0;
					E00401650(_t37, _t38);
					_t29 =  *0x424178;
					if( *((intOrPtr*)(_t42 + 0x20)) !=  *((intOrPtr*)(_t42 + 0x10))) {
						L4:
						if(_t29 != 0) {
							fflush();
						}
						goto L6;
					}
					if(_t29 == 0) {
						goto L6;
					} else {
						E00401650(_t37, _t38);
						_t29 =  *0x424178;
						goto L4;
					}
				}
			}

0x00401b68
0x00401b68
0x00401b6d
0x00401b75
0x004020a2
0x00401b7b
0x00401b8a
0x00401b95
0x00401ba5
0x00401bab
0x00401bbe
0x00401bcb
0x00401bd9
0x00401be4
0x00401be8
0x00401bbe
0x00401ba5
0x004020b5
0x00401981
0x0040198c
0x004020bb
0x004020be
0x004020c2
0x004020c8
0x004020d4
0x004020d9
0x004020de
0x004020ef
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00000000
0x0040197a
0x0040195b
0x00000000
0x0040195d
0x00401964
0x00401970
0x00000000
0x00401970
0x0040195b

Strings

Verifying file data: %llu %ls of %llu %ls (%u%%) done, xrefs: 004020CD
KiB, xrefs: 00401BCB
GiB, xrefs: 00401B8A
bytes, xrefs: 00401BD2, 004020A2
MiB, xrefs: 00401BAB

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID:
String ID: Verifying file data: %llu %ls of %llu %ls (%u%%) done$GiB$KiB$MiB$bytes
API String ID: 0-217642830
Opcode ID: 23edecfd5d391f2a98f70048e78784b1938bc847399c139772da97936a713f55
Instruction ID: d4cc1725faeebfb01ba316b042eacfe84777155a34aa2b393c9ba6394b61edb8
Opcode Fuzzy Hash: 23edecfd5d391f2a98f70048e78784b1938bc847399c139772da97936a713f55
Instruction Fuzzy Hash: 1E115EB2314B0492EB14CB65E858BEA2764F358784F85453BAE4E523E0DF7CC589C30D

Uniqueness

Uniqueness Score: -1.00%

Function 00407F90 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00407FFD
malloc.MSVCRT ref: 0040800D
MultiByteToWideChar.KERNEL32 ref: 00408030

Strings

ERROR: too much data (%zu bytes)!, xrefs: 00408081
ERROR: out of memory!, xrefs: 004080A0
ERROR: Invalid multi-byte string in the text file you provided as input! Maybe try converting your text file to UTF-16LE?, xrefs: 00408056

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: ByteCharMultiWide$malloc
String ID: ERROR: Invalid multi-byte string in the text file you provided as input! Maybe try converting your text file to UTF-16LE?$ERROR: out of memory!$ERROR: too much data (%zu bytes)!
API String ID: 1811578439-1293987992
Opcode ID: 4f853d5e21fa4d2221cf58dbdd23c3d405790181fcdb317980f1f4cba2719215
Instruction ID: a068e4925605278294436b360811e87e69664c16a5c79f3c7d28a02f9a3bc9fe
Opcode Fuzzy Hash: 4f853d5e21fa4d2221cf58dbdd23c3d405790181fcdb317980f1f4cba2719215
Instruction Fuzzy Hash: E3218BB170860241EB24DB16F91476A6A81BB487D8F40853FEE4E6B3C6EE3CC449C309

Uniqueness

Uniqueness Score: -1.00%

Function 004031C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 004031DC
fputws.MSVCRT ref: 00403207
_wcserror.MSVCRT ref: 00403229

Strings

: %ls, xrefs: 0040323C
ERROR: , xrefs: 004031FD

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: _errno_wcserrorfputws
String ID: : %ls$ERROR:
API String ID: 3089782697-2470117166
Opcode ID: c032ebdbecb0167f0600dd5c411c2d8ef86cb6149d41d0046cdcf7b14489bcd1
Instruction ID: 76ed61f3ed5eb3273cb6b509df7e86a3884476202aed73b3ddccbf2953777d93
Opcode Fuzzy Hash: c032ebdbecb0167f0600dd5c411c2d8ef86cb6149d41d0046cdcf7b14489bcd1
Instruction Fuzzy Hash: C6018FB1600B0581EA00EB52F84939A67A5F7897D4F44003AAF4A173A5DE3CC041C704

Uniqueness

Uniqueness Score: -1.00%

Function 042B6080 Relevance: 8.0, APIs: 5, Instructions: 472COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B646B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B6471
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B6477
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B647D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B6483

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 30b34bfc52453d5ff660477592df7c2a93500b66f1a98a88ba5b7d6f969ffee2
Instruction ID: 23c5c201e5dabc258abbaf4e9df4677552c43482f00e4e8b72da2b63a4afbcc4
Opcode Fuzzy Hash: 30b34bfc52453d5ff660477592df7c2a93500b66f1a98a88ba5b7d6f969ffee2
Instruction Fuzzy Hash: 8CD1C230B34E1D8FDB18EF68D8897A973E1FB58341B54461AD849D7299DA70F881C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00409C59 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00409CFA

Strings

CCG , xrefs: 00409C76

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: c75b79cc0ba044434e57489e1930b301e123fbb47112206801e5abcf27b66e08
Instruction ID: fc76618b0d027ad374409ed45c38ce2b7487395df75b4d7d93c693437ee9f3a7
Opcode Fuzzy Hash: c75b79cc0ba044434e57489e1930b301e123fbb47112206801e5abcf27b66e08
Instruction Fuzzy Hash: 712192B1B5850446FB785679949137A1581AF89378F684B3BD63D973E2DA3CCCC2830E

Uniqueness

Uniqueness Score: -1.00%

Function 00401010 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401010() {
				void* _t12;
				signed int _t17;
				signed int _t24;
				intOrPtr* _t31;
				intOrPtr* _t32;
				intOrPtr* _t33;
				intOrPtr* _t34;
				short* _t35;
				intOrPtr* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr* _t40;
				intOrPtr* _t41;

				_t31 =  *0x420180; // 0x424208
				_t17 = 0;
				 *_t31 = 1;
				_t32 =  *0x420190; // 0x424204
				 *_t32 = 1;
				_t33 =  *0x4201a0; // 0x424200
				 *_t33 = 1;
				_t34 =  *0x420170; // 0x4241e0
				 *_t34 = 1;
				_t35 =  *0x420020; // 0x400000
				if( *_t35 == 0x5a4d) {
					_t1 = _t35 + 0x3c; // 0xeba1f0e00000080
					_t38 = _t35 +  *_t1;
					if( *_t38 == 0x4550) {
						_t2 = _t38 + 0x18; // 0x40
						_t24 =  *_t2 & 0x0000ffff;
						if(_t24 == 0x10b) {
							if( *((intOrPtr*)(_t38 + 0x74)) > 0xe) {
								_t8 = _t38 + 0xe8; // 0x1000
								r8d =  *_t8;
								_t17 = 0 | r8d != 0x00000000;
							}
						} else {
							if(_t24 == 0x20b &&  *((intOrPtr*)(_t38 + 0x84)) > 0xe) {
								_t4 = _t38 + 0xf8; // 0x1000
								_t17 = 0 |  *_t4 != 0x00000000;
							}
						}
					}
				}
				_t36 =  *0x420160; // 0x424220
				 *0x424020 = _t17;
				_t11 =  *_t36;
				if( *_t36 == 0) {
					L00409298();
				} else {
					L00409298();
				}
				_t12 = E00409490(_t11);
				_t40 =  *0x420120; // 0x424250
				 *_t36 =  *_t40;
				E00409480(_t12);
				_t41 =  *0x420100; // 0x424210
				 *_t36 =  *_t41;
				E00409770();
				_t37 =  *0x41ffb0; // 0x4160f0
				if( *_t37 == 1) {
					L00409C50();
					return 0;
				} else {
					return 0;
				}
			}

0x00401014
0x0040101b
0x0040101d
0x00401023
0x0040102a
0x00401030
0x00401037
0x0040103d
0x00401044
0x0040104a
0x00401056
0x00401058
0x0040105c
0x00401065
0x004010d0
0x004010d0
0x004010d9
0x00401124
0x0040112a
0x0040112a
0x00401136
0x00401136
0x004010db
0x004010e0
0x004010ef
0x004010f9
0x004010f9
0x004010e0
0x004010d9
0x00401065
0x00401067
0x0040106e
0x00401074
0x00401078
0x004010c5
0x0040107a
0x0040107f
0x0040107f
0x00401084
0x00401089
0x00401092
0x00401094
0x00401099
0x004010a2
0x004010a4
0x004010a9
0x004010b3
0x0040110f
0x0040111a
0x004010b5
0x004010bb
0x004010bb

APIs

__set_app_type.MSVCRT ref: 0040107F

Strings

AB, xrefs: 0040103D
BB, xrefs: 00401067
PBB, xrefs: 00401089

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: __set_app_type
String ID: BB$PBB$AB
API String ID: 1108511539-2904604019
Opcode ID: 68730ea85796befe5fb465e178c039c480b432673663430f81e2548b1e4d787f
Instruction ID: 6adb2652bc7d6ce0888929b503afbc77f8abb846ac86c12595dfeba70ca8f7cc
Opcode Fuzzy Hash: 68730ea85796befe5fb465e178c039c480b432673663430f81e2548b1e4d787f
Instruction Fuzzy Hash: B5217CB5700644C6D7159F26D84136A33A1B789B48FC1803AEB4967BA6CB7ECC81CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00403E00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00403E00(signed int __eax, void* __ecx, void* __esi, void* __r8, void* __r9) {
				signed int _t240;
				intOrPtr _t251;
				void* _t257;
				void* _t260;
				void* _t266;
				void* _t267;

				_t267 = __r9;
				_t266 = __r8;
				_t240 = __eax;
				_t251 =  *0x4201b0; // 0x424188
				_t257 = _t260 + 0x70;
				r8d = 0xa;
				L00409168();
				 *((intOrPtr*)(_t260 - 8)) = __eax;
				if(__eax == 0xffffffff) {
					L16:
					r15d = 0xffffffff;
					E004024D0(L"Number of threads must be a non-negative integer!", _t257, _t266, _t267);
					goto L13;
				} else {
					__rax =  *(__rbp + 0x70);
					__eflags =  *__rax;
					if( *__rax != 0) {
						goto L16;
					} else {
						__eflags = __r15 - __rax;
						if(__r15 != __rax) {
							 *(__rsp + 0x20) = 0;
							__r9 = 0x41e9e0;
							__rdx = __rdi;
							__ecx = __esi;
							__r8 = 0x41717e;
							__eax = E00408FE0();
							__eflags = __eax - 0xffffffff;
							if(__eax == 0xffffffff) {
								__rax =  *0x4201c0; // 0x416038
								__rax =  *__rax;
								__esi = __esi - __eax;
								__rbx = __rdi + __rax * 8;
								__eax = __rsi - 2;
								r15d = __esi;
								__eflags = __eax - 2;
								if(__eax > 2) {
									L12:
									__ecx = 2;
									r15d = 0xffffffff;
									__eax =  *0x416040();
									__ecx = r14d;
									__rdx = __rax;
									__eax = E00403630(r14d, __rax, __rax, __r8, __r9, __r12, __r13);
									goto L13;
								} else {
									__rax = __rbx[8];
									__eflags =  *(__rbp + 0x14) - 0xffffffff;
									__rsi =  *__rbx;
									 *(__rbp - 0x20) = __rax;
									if( *(__rbp + 0x14) == 0xffffffff) {
										 *(__rbp + 0x14) = 1;
										__eflags = r13d & 0x00001000;
										if((r13d & 0x00001000) == 0) {
											__eax = 0;
											__eflags = r12d & 0x00001000;
											__eax = 0 | __eflags != 0x00000000;
											__eax = (__eflags != 0) + 2;
											 *(__rbp + 0x14) = __eax;
										}
									}
									_t21 = __rbp - 0x20; // 0x0
									__rcx =  *_t21;
									__rdx = "-";
									L00409198();
									__eflags = __eax;
									if(__eax == 0) {
										__eax = r12d;
										__eax = r12d | 0x00000004;
										__eflags =  *((char*)(__rbp + 0x12));
										 *(__rbp - 0x18) = __eax;
										if( *((char*)(__rbp + 0x12)) != 0) {
											L71:
											__eflags =  *0x424178;
											if( *0x424178 != 0) {
												__ecx = 2;
												__eax =  *0x416040();
												 *0x424178 = __rax;
											}
											__ecx = 1;
											E004080C0();
											r12d = r12d & 0x00008000;
											__eflags = r12d;
											if(r12d != 0) {
												goto L175;
											} else {
												 *(__rbp - 0x20) = 0;
												 *((char*)(__rbp + 0x12)) = 0;
												goto L25;
											}
										} else {
											__eflags = r14d;
											if(r14d == 0) {
												__rcx = L"Using standard output for append does not make sense.";
												r15d = r15d | 0xffffffff;
												__eax = E004024D0(L"Using standard output for append does not make sense.", "-", __r8, __r9);
												goto L13;
											} else {
												goto L71;
											}
										}
									} else {
										__edi = r12d;
										__edi = r12d & 0x00008000;
										__eflags =  *((char*)(__rbp + 0x12));
										if( *((char*)(__rbp + 0x12)) != 0) {
											_t173 = __rbp - 0x20; // 0x0
											__rcx =  *_t173;
											_t174 = __rbp + 0x70; // 0x108f4
											__rdx = _t174;
											__imp___wstat64();
											__eflags = __eax;
											if(__eax == 0) {
												goto L22;
											} else {
												__imp___errno();
												__eflags =  *__rax - 2;
												if( *__rax != 2) {
													goto L22;
												} else {
													__eflags =  *((long long*)(__rbp + 0x18));
													if( *((long long*)(__rbp + 0x18)) == 0) {
														L173:
														__eflags = __edi;
														if(__edi != 0) {
															goto L175;
														} else {
															 *(__rbp - 0x18) = r12d;
															 *((char*)(__rbp + 0x12)) = 0;
															goto L30;
														}
													} else {
														__eflags =  *(__rbp + 8);
														if( *(__rbp + 8) == 0) {
															__eflags = __edi;
															if(__edi != 0) {
																goto L175;
															} else {
																 *((long long*)(__rbp + 0x18)) = 0;
																 *(__rbp - 0x18) = r12d;
																 *((char*)(__rbp + 0x12)) = 0;
																goto L30;
															}
														} else {
															_t177 = __rbp - 0x20; // 0x0
															__rdx =  *_t177;
															_t178 = __rbp + 8; // 0x0
															__rcx =  *_t178;
															L00409198();
															__eflags = __eax;
															if(__eax != 0) {
																goto L173;
															} else {
																__eflags = __edi;
																if(__edi != 0) {
																	goto L175;
																} else {
																	 *(__rbp - 0x18) = r12d;
																	 *((long long*)(__rbp + 0x18)) = 0;
																	 *((char*)(__rbp + 0x12)) = 0;
																	 *(__rbp + 8) = 0;
																	goto L30;
																}
															}
														}
													}
												}
											}
										} else {
											L22:
											__eflags = __edi;
											if(__edi == 0) {
												__eflags = r14d;
												 *(__rbp - 0x18) = r12d;
												_t239 = __rbp + 0x12; // 0x0
												 *_t239 = r14d == 0;
												goto L25;
											} else {
												__eflags = r14d;
												if(r14d != 0) {
													L175:
													__rcx = L"\'--unsafe-compact\' is only valid for append!";
													r15d = 0xffffffff;
													__eax = E004024D0(L"\'--unsafe-compact\' is only valid for append!", __rdx, __r8, __r9);
													goto L13;
												} else {
													 *(__rbp - 0x18) = r12d;
													 *((char*)(__rbp + 0x12)) = 1;
													L25:
													__eflags =  *((long long*)(__rbp + 0x18));
													if( *((long long*)(__rbp + 0x18)) == 0) {
														L30:
														__eflags = r15d - 2;
														if(r15d == 2) {
															__rcx = __rsi;
															L00409180();
															__rax = __rax + __rax + 0x43;
															__rax = __rax & 0xfffffff0;
															__eax = E0040A470(__eax);
															__rsp = __rsp - __rax;
															__rdx = __rsi;
															__rcx = __rsp + 0x30;
															L00409190();
															__rcx = __rax;
															__eax = E00402DF0(__eax, __rax, __rax);
															 *((char*)(__rbp + 0x11)) = 1;
															 *(__rbp - 0x48) = __rax;
															goto L33;
														} else {
															__rax = __rbx[0x10];
															 *(__rbp - 0x48) = __rax;
															__eflags = r15d - 4;
															if(r15d == 4) {
																__rcx = __rbx[0x18];
																L00409180();
																__rax = __rax + __rax + 0x29;
																__rax = __rax & 0xfffffff0;
																__eax = E0040A470(__eax);
																__rdx = L"DESCRIPTION=%ls";
																__r8 = __rbx[0x18];
																__rsp = __rsp - __rax;
																__r12 = __rsp + 0x30;
																__rcx = __r12;
																__eax = E0040A630(__r12, L"DESCRIPTION=%ls", __r8, __r9);
																_t165 = __rbp + 0x50; // 0x108d4
																__rcx = _t165;
																__rdx = __r12;
																__eax = E00402550(__esi, __rax, _t165, __rdx);
																r15d = __eax;
																__eflags = __eax;
																if(__eax == 0) {
																	goto L32;
																} else {
																	goto L13;
																}
															} else {
																L32:
																 *((char*)(__rbp + 0x11)) = 0;
																L33:
																__eflags =  *((char*)(__rbp + 0x13));
																if( *((char*)(__rbp + 0x13)) == 0) {
																	__rsp = __rsp - 0x20;
																	__rax = "\\";
																	__eflags =  *((char*)(__rbp + 0x12));
																	 *(__rbp + 0x38) = 0;
																	 *((long long*)(__rsp + 0x38)) = "\\";
																	_t138 = __rbp + 0x40; // 0x108c4
																	__rax = _t138;
																	__r12 = __rsp + 0x30;
																	 *__r12 = __rsi;
																	__esi = 1;
																	 *(__rbp - 0x40) = __rax;
																	 *(__r12 + 0x10) = 0;
																	if( *((char*)(__rbp + 0x12)) != 0) {
																		goto L55;
																	} else {
																		goto L110;
																	}
																	goto L102;
																} else {
																	__eflags =  *__rsi - 0x2d;
																	_t35 = __rbp + 0x70; // 0x108f4
																	__rdi = _t35;
																	if( *__rsi != 0x2d) {
																		L36:
																		__rdx = __rdi;
																		__rcx = __rsi;
																		__imp___wstat64();
																		__eflags = __eax;
																		if(__eflags != 0) {
																			__rdx = __rsi;
																			__rcx = L"Failed to stat the file \"%ls\"";
																			__eax = E004031C0(__eflags, __rax, L"Failed to stat the file \"%ls\"", __rsi, __r8, __r9);
																			goto L17;
																		} else {
																			_t37 = __rbp + 0x88; // 0x30
																			__r12 =  *_t37;
																			__rdx = L"rb";
																			__rcx = __rsi;
																			__imp___wfopen();
																			__r14 = __rax;
																			__eflags = __rax;
																			if(__eflags == 0) {
																				__rdx = __rsi;
																				__rcx = L"Failed to open the file \"%ls\"";
																				__eax = E004031C0(__eflags, __rax, L"Failed to open the file \"%ls\"", __rsi, __r8, __r9);
																				goto L17;
																			} else {
																				__eflags = __r12;
																				__ecx = 1;
																				__rcx =  !=  ? __r12 : __rcx;
																				__eax = malloc(??);
																				__r15 = __rax;
																				__eflags = __rax;
																				if(__rax == 0) {
																					__r8 = __rsi;
																					__rdx = __r12;
																					__rcx = L"Failed to allocate buffer of %zu bytes to hold contents of file \"%ls\"";
																					__eax = E004024D0(L"Failed to allocate buffer of %zu bytes to hold contents of file \"%ls\"", __r12, __rsi, __r9);
																					__rcx = __r14;
																					__eax = fclose(??);
																					goto L17;
																				} else {
																					__r9 = __r14;
																					__r8 = __r12;
																					__edx = 1;
																					__rcx = __rax;
																					__eax = fread(??, ??, ??, ??);
																					__eflags = __r12 - __rax;
																					if(__eflags != 0) {
																						__r8 = __rsi;
																						__rdx = __r12;
																						__rcx = L"Failed to read %zu bytes from the file \"%ls\"";
																						__eax = E004031C0(__eflags, __rax, L"Failed to read %zu bytes from the file \"%ls\"", __r12, __rsi, __r9);
																						__rcx = __r15;
																						free(??);
																						__rcx = __r14;
																						__eax = fclose(??);
																						goto L17;
																					} else {
																						__rcx = __r14;
																						__eax = fclose(??);
																						_t38 = __rbp + 0x30; // 0x108b4
																						__r8 = _t38;
																						__rdx = __r12;
																						__rcx = __r15;
																						__eax = E004023F0(__rax, __r15, __r12, _t38);
																						 *(__rbp + 0x38) = __rax;
																						goto L41;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *((short*)(__rsi + 2));
																		if( *((short*)(__rsi + 2)) == 0) {
																			__rcx = __rdi;
																			__eax = E00403260(__rax, __rdi);
																			__rcx = __rax;
																			__eflags = __rax;
																			if(__rax == 0) {
																				L17:
																				r15d = 0xffffffff;
																				goto L13;
																			} else {
																				_t199 = __rbp + 0x70; // 0x2e
																				__rdx =  *_t199;
																				_t200 = __rbp + 0x30; // 0x108b4
																				__r8 = _t200;
																				__eax = E004023F0(__rax, __rcx,  *_t199, _t200);
																				 *(__rbp + 0x38) = __rax;
																				L41:
																				__eflags = __rax;
																				if(__rax == 0) {
																					goto L17;
																				} else {
																					_t40 = __rbp + 0x30; // 0x1000000000000
																					__rax =  *_t40;
																					_t41 = __rbp + 0x38; // 0x108bc
																					__rcx = _t41;
																					 *((long long*)(__rbp + 0x40)) =  *_t40;
																					_t43 = __rbp + 0x40; // 0x108c4
																					__rax = _t43;
																					__rdx = __rax;
																					 *(__rbp - 0x40) = __rax;
																					__eax = E004025C0(__eax, _t41, __rdx);
																					__rbx = __rax;
																					__eflags = __rax;
																					if(__eflags < 0) {
																						L122:
																						r15d = 0xffffffff;
																						goto L103;
																					} else {
																						__edx = 0x18;
																						if(__eflags == 0) {
																							__ecx = 1;
																							__esi = 0;
																							__eax = calloc(??, ??);
																							__r12 = __rax;
																							__eflags = __rax;
																							if(__rax != 0) {
																								goto L54;
																							} else {
																								goto L121;
																							}
																							goto L103;
																						} else {
																							__rcx = __rax;
																							__eax = calloc(??, ??);
																							__r12 = __rax;
																							__eflags = __rax;
																							if(__rax == 0) {
																								L121:
																								__rcx = L"out of memory";
																								__eax = E004024D0(L"out of memory", __rdx, __r8, __r9);
																								goto L122;
																							} else {
																								_t45 = __rbp + 0x48; // 0x108cc
																								__rax = _t45;
																								_t46 = __rbp + 0x38; // 0x2c
																								__rcx =  *_t46;
																								__esi = 0;
																								 *(__rbp - 0x4c) = r13d;
																								 *((long long*)(__rbp - 0x38)) = _t45;
																								 *(__rbp - 0x30) = __r12;
																								__r13 =  *_t46;
																								__r12 = __rsi;
																								asm("o16 nop [eax+eax]");
																								while(1) {
																									_t50 = __rbp + 0x40; // 0x30003b00330003
																									__rax =  *_t50;
																									__eflags = __r13;
																									if(__r13 == 0) {
																										break;
																									}
																									__eflags = __rax;
																									if(__rax == 0) {
																										break;
																									} else {
																										__r14 = __r13;
																										while(1) {
																											__eflags =  *__r14 - 0xa;
																											if( *__r14 == 0xa) {
																												break;
																											}
																											__r14 = __r14 + 2;
																											__rax = __rax - 1;
																											__eflags = __rax;
																											if(__rax == 0) {
																												goto L186;
																											} else {
																												continue;
																											}
																											goto L187;
																										}
																										__rdx = __r14;
																										__ecx = 0;
																										__rdx = __r14 - __r13;
																										 *__r14 = __cx;
																										__rcx = __r13;
																										_t51 = 1 + (__r14 - __r13 >> 1); // 0x2d
																										__r15 = _t51;
																										__rdx = __r15;
																										__eax = E00402470(__eax, __r13, __rdx);
																										__eflags = __al;
																										if(__al == 0) {
																											_t122 = 1 + __r12; // 0x1
																											__rax = _t122;
																											_t123 = __rbp - 0x30; // 0x0
																											__rdx =  *_t123;
																											 *(__rbp + 0x70) = __r15;
																											 *((long long*)(__rbp - 0x28)) = _t122;
																											_t126 = __rbp - 0x38; // 0x0
																											__r15 =  *_t126;
																											__rax = __r12 + __r12 * 2;
																											__r12 =  *_t123 + (__r12 + __r12 * 2) * 8;
																											__rdx = __rdi;
																											 *(__rbp + 0x48) = __r13;
																											__r8 = __r12;
																											__rcx = __r15;
																											__eax = E00402670(__eax, __r15, __rdi, __r12);
																											__eflags = __eax;
																											if(__eax == 0) {
																												_t133 = 8 + __r12; // 0x8
																												__r8 = _t133;
																												__rdx = __rdi;
																												__rcx = __r15;
																												__eax = E00402670(__eax, __r15, __rdx, __r8);
																												__eflags = __eax - 2;
																												if(__eax == 2) {
																													__rax =  *__r12;
																													 *(8 + __r12) = __rax;
																													_t155 = __rbp - 0x28; // 0x0
																													__r12 =  *_t155;
																													goto L52;
																												} else {
																													__eflags = __eax - 1;
																													if(__eax == 1) {
																														goto L105;
																													} else {
																														_t134 = __rbp - 0x28; // 0x0
																														__r12 =  *_t134;
																														goto L52;
																													}
																												}
																											} else {
																												L105:
																												_t132 = __rbp - 0x30; // 0x0
																												__r12 =  *_t132;
																												r15d = 0xffffffff;
																												__rcx =  *_t132;
																												free(??);
																												goto L103;
																											}
																										} else {
																											L52:
																											__rsi = 1 + __rsi;
																											_t52 = __r14 + 2; // 0x2e
																											__r13 = _t52;
																											__eflags = __rbx - __rsi;
																											if(__rbx != __rsi) {
																												continue;
																											} else {
																												__rsi = __r12;
																												_t53 = __rbp - 0x4c; // 0x0
																												r13d =  *_t53;
																												_t54 = __rbp - 0x30; // 0x0
																												__r12 =  *_t54;
																												L54:
																												__eflags =  *((char*)(__rbp + 0x12));
																												if( *((char*)(__rbp + 0x12)) == 0) {
																													L110:
																													_t142 = __rbp - 0x40; // 0x0
																													__rdx =  *_t142;
																													_t143 = __rbp + 0x14; // 0x0
																													__ecx =  *_t143;
																													L00409148();
																													r15d = __eax;
																													__eflags = __eax;
																													if(__eax == 0) {
																														_t144 = __rbp + 0x40; // 0x30003b00330003
																														__rcx =  *_t144;
																														r8d = 0;
																														__rdx = 0x401890;
																														L00409070();
																														goto L56;
																													}
																												} else {
																													L55:
																													_t56 = __rbp - 0x14; // 0x0
																													__edx =  *_t56;
																													_t57 = __rbp - 0x40; // 0x0
																													__r8 =  *_t57;
																													 *(__rsp + 0x20) = 0;
																													__r9 = 0x401890;
																													_t60 = __rbp - 0x20; // 0x0
																													__rcx =  *_t60;
																													__edx =  *_t56 | 0x00000004;
																													L004090A8();
																													r15d = __eax;
																													__eflags = __eax;
																													if(__eax == 0) {
																														L56:
																														__edx =  *__rbp;
																														__eflags = __edx - 0xffffffff;
																														if(__edx == 0xffffffff) {
																															__eflags = r13d & 0x00001000;
																															if((r13d & 0x00001000) == 0) {
																																goto L58;
																															} else {
																																__eflags =  *((char*)(__rbp + 0x12));
																																if( *((char*)(__rbp + 0x12)) != 0) {
																																	_t212 = __rbp + 0x40; // 0x30003b00330003
																																	__rcx =  *_t212;
																																	_t213 = __rbp + 0x70; // 0x108f4
																																	__rdx = _t213;
																																	L004090E0();
																																	_t214 = __rbp + 0x94; // 0x0
																																	__eax =  *_t214;
																																	 *(__rbp + 0x14) = __eax;
																																}
																																__eflags =  *(__rbp + 0x14) - 1;
																																__edx = 0x1000;
																																if( *(__rbp + 0x14) != 1) {
																																	goto L58;
																																} else {
																																	goto L57;
																																}
																															}
																															goto L103;
																														} else {
																															L57:
																															_t61 = __rbp + 0x40; // 0x30003b00330003
																															__rcx =  *_t61;
																															L00409050();
																															r15d = __eax;
																															__eflags = __eax;
																															if(__eax == 0) {
																																L58:
																																__eflags =  *(__rbp + 4) - 0xffffffff;
																																if( *(__rbp + 4) == 0xffffffff) {
																																	L60:
																																	__eflags =  *(__rbp - 4) - 0xffffffff;
																																	if( *(__rbp - 4) == 0xffffffff) {
																																		L62:
																																		__eflags =  *((char*)(__rbp + 0x11));
																																		if( *((char*)(__rbp + 0x11)) != 0) {
																																			__eflags =  *((char*)(__rbp + 0x12));
																																			if( *((char*)(__rbp + 0x12)) != 0) {
																																				_t183 = __rbp - 0x48; // 0x0
																																				__r15 =  *_t183;
																																				__edx = 0;
																																				__ebx = 1;
																																				__r14 = L" (%lu)";
																																				__rcx = __r15;
																																				L004091A0();
																																				__rdi = __rax;
																																				while(1) {
																																					_t184 = __rbp + 0x40; // 0x30003b00330003
																																					__rcx =  *_t184;
																																					__rdx = __r15;
																																					L004090C8();
																																					__eflags = __al;
																																					if(__al == 0) {
																																						break;
																																					}
																																					r8d = __ebx;
																																					__rdx = __r14;
																																					__rcx = __rdi;
																																					__ebx = __ebx + 1;
																																					__eflags = __ebx;
																																					__eax = E0040A630(__rdi, __r14, __r8, __r9);
																																				}
																																			}
																																		}
																																		_t70 = __rbp + 0x68; // 0x1000000390038
																																		__eax =  *_t70;
																																		r14d = 0;
																																		__eflags = __eax;
																																		if(__eax != 0) {
																																			__ecx = __eax;
																																			__edx = 8;
																																			__eax = calloc(??, ??);
																																			__r14 = __rax;
																																			__eflags = __rax;
																																			if(__rax == 0) {
																																				__rcx = L"Out of memory!";
																																				r15d = r15d | 0xffffffff;
																																				__eax = E004024D0(L"Out of memory!", __rdx, __r8, __r9);
																																				goto L101;
																																			} else {
																																				_t190 = __rbp - 0x14; // 0x0
																																				r15d =  *_t190;
																																				__rdi = __rax;
																																				__ebx = 0;
																																				__r9 = 0x401890;
																																				while(1) {
																																					_t193 = __rbp + 0x60; // 0x37003600350034
																																					__rax =  *_t193;
																																					__r8 = __rdi;
																																					__edx = r15d;
																																					__rcx =  *((intOrPtr*)(__rax + __rbx * 8));
																																					 *(__rsp + 0x20) = 0;
																																					L004090A8();
																																					__r9 = 0x401890;
																																					__eflags = __eax;
																																					if(__eax != 0) {
																																						break;
																																					}
																																					_t192 = __rbp + 0x68; // 0x1000000390038
																																					__eax =  *_t192;
																																					__rbx =  &(__rbx[1]);
																																					__rdi = 8 + __rdi;
																																					__r8 = __rax;
																																					__eflags = __rax - __rbx;
																																					if(__rax <= __rbx) {
																																						_t210 = __rbp + 0x40; // 0x30003b00330003
																																						__rcx =  *_t210;
																																						r9d = 0;
																																						__rdx = __r14;
																																						L00409080();
																																						r15d = __eax;
																																						__eflags = __eax;
																																						if(__eax != 0) {
																																							goto L141;
																																						} else {
																																							_t211 = __rbp + 0x68; // 0x1000000390038
																																							r8d =  *_t211;
																																							__rcx =  *0x424178;
																																							__eflags = r8d - 1;
																																							if(r8d == 1) {
																																								__eflags = __rcx;
																																								if(__rcx != 0) {
																																									_t234 = __rbp + 0x60; // 0x37003600350034
																																									__rax =  *_t234;
																																									__rdx = L"Capturing delta WIM based on \"%ls\"\n";
																																									__r8 =  *__rax;
																																									__eax = E00401650(__r8, 0x401890);
																																								}
																																							} else {
																																								__eflags = __rcx;
																																								if(__rcx != 0) {
																																									__rdx = L"Capturing delta WIM based on %u WIMs\n";
																																									__eax = E00401650(__r8, 0x401890);
																																								}
																																							}
																																							goto L65;
																																						}
																																					} else {
																																						continue;
																																					}
																																					goto L102;
																																				}
																																				_t198 = __rbp + 0x68; // 0x1000000390038
																																				__edx =  *_t198;
																																				r15d = __eax;
																																				goto L142;
																																			}
																																			goto L103;
																																		} else {
																																			L65:
																																			__eflags =  *((long long*)(__rbp + 0x18));
																																			if( *((long long*)(__rbp + 0x18)) == 0) {
																																				L156:
																																				__ebx = 0;
																																				goto L82;
																																			} else {
																																				__eflags =  *((char*)(__rbp + 0x12));
																																				if( *((char*)(__rbp + 0x12)) != 0) {
																																					_t185 = __rbp - 0x20; // 0x0
																																					__rdx =  *_t185;
																																					_t186 = __rbp + 8; // 0x0
																																					__rcx =  *_t186;
																																					L00409198();
																																					__eflags = __eax;
																																					if(__eax != 0) {
																																						goto L67;
																																					} else {
																																						_t187 = __rbp + 0x40; // 0x30003b00330003
																																						__rcx =  *_t187;
																																						 *(__rbp + 0x28) = __rcx;
																																						goto L78;
																																					}
																																					L103:
																																					_t121 = __rbp + 0x38; // 0x2c
																																					__rcx =  *_t121;
																																					free(??);
																																					L13:
																																					free();
																																					free(??);
																																					return r15d;
																																					goto L187;
																																				} else {
																																					L67:
																																					_t73 = __rbp + 0x68; // 0x1000000390038
																																					__edx =  *_t73;
																																					_t74 = __rbp + 8; // 0x0
																																					__r15 =  *_t74;
																																					__edi = 0;
																																					__eflags = __edx;
																																					if(__edx != 0) {
																																						while(1) {
																																							_t81 = __rbp + 0x60; // 0x37003600350034
																																							__rax =  *_t81;
																																							__rcx = __r15;
																																							__rbx = __rdi * 8;
																																							__rdx =  *((intOrPtr*)(__rax + __rdi * 8));
																																							L00409198();
																																							__eflags = __eax;
																																							if(__eax == 0) {
																																								break;
																																							}
																																							_t80 = __rbp + 0x68; // 0x1000000390038
																																							__eax =  *_t80;
																																							__rdi = 1 + __rdi;
																																							__eflags = __rax - __rdi;
																																							if(__rax <= __rdi) {
																																								goto L68;
																																							} else {
																																								continue;
																																							}
																																							goto L78;
																																						}
																																						__rcx = __rbx[__r14];
																																						 *(__rbp + 0x28) = __rcx;
																																					} else {
																																						L68:
																																						_t75 = __rbp + 0x28; // 0x2e000100000000
																																						__rcx =  *_t75;
																																					}
																																				}
																																				L78:
																																				__eflags = __rcx;
																																				if(__rcx == 0) {
																																					 *(__rsp + 0x20) = 0;
																																					_t203 = __rbp + 8; // 0x0
																																					__rcx =  *_t203;
																																					_t204 = __rbp + 0x28; // 0x108ac
																																					__r8 = _t204;
																																					__r9 = 0x401890;
																																					_t206 = __rbp - 0x14; // 0x0
																																					__edx =  *_t206;
																																					L004090A8();
																																					_t207 = __rbp + 0x28; // 0x2e000100000000
																																					__rcx =  *_t207;
																																					r15d = __eax;
																																					__eflags = __eax;
																																					if(__eax == 0) {
																																						goto L79;
																																					} else {
																																						goto L141;
																																					}
																																					goto L102;
																																				} else {
																																					L79:
																																					_t87 = __rbp + 0x18; // 0x0
																																					__rdi =  *_t87;
																																					__rdx = __rdi;
																																					L00409068();
																																					__eflags =  *__rdi - 0x2d;
																																					__ebx = __eax;
																																					if( *__rdi == 0x2d) {
																																						_t216 = __rbp + 0x28; // 0x2e000100000000
																																						__rcx =  *_t216;
																																						_t217 = __rbp + 0x70; // 0x108f4
																																						__rdx = _t217;
																																						L004090E0();
																																						_t218 = __rbp + 0x18; // 0x0
																																						__rax =  *_t218;
																																						_t219 = __rbp + 0x48; // 0x108cc
																																						__rdx = _t219;
																																						r8d = 0xa;
																																						_t220 = __rax + 2; // 0xc
																																						__rdi = _t220;
																																						__rcx = __rdi;
																																						L00409168();
																																						__edx = __eax;
																																						__eflags = __eax;
																																						if(__eax != 0) {
																																							_t221 = __rbp + 0x80; // 0x3b003300030000
																																							__eax =  *_t221;
																																							__eflags = __eax - __edx;
																																							if(__eax >= __edx) {
																																								_t222 = __rbp + 0x48; // 0x0
																																								__rcx =  *_t222;
																																								__eflags =  *__rcx;
																																								if( *__rcx == 0) {
																																									__eflags = __rdi - __rcx;
																																									__ecx = __ecx & 0xffffff00 | __rdi != __rcx;
																																									__eax = __eax + 1;
																																									__eax = __eax - __edx;
																																									__eflags = __cl;
																																									__ebx =  !=  ? __eax : __ebx;
																																								}
																																							}
																																						}
																																					}
																																					__eflags = __ebx;
																																					if(__ebx == 0) {
																																						_t208 = __rbp + 8; // 0x0
																																						__rdx =  *_t208;
																																						_t209 = __rbp + 0x18; // 0x0
																																						__rcx =  *_t209;
																																						__eax = E00403BB0( *_t209,  *_t208, __r9);
																																						r15d = __eax;
																																						__eflags = __eax;
																																						if(__eax != 0) {
																																							goto L93;
																																						} else {
																																							goto L156;
																																						}
																																						goto L103;
																																					} else {
																																						__eflags = __ebx - 0xffffffff;
																																						if(__ebx == 0xffffffff) {
																																							__rcx = L"Cannot specify all images for this action!";
																																							r15d = 0x12;
																																							__eax = E004024D0(L"Cannot specify all images for this action!", __rdx, __r8, __r9);
																																						} else {
																																							L82:
																																							_t88 = __rbp - 0x10; // 0x0
																																							__rax =  *_t88;
																																							 *(__rsp + 0x28) = r13d;
																																							__r8 = __rsi;
																																							__rdx = __r12;
																																							_t90 = __rbp - 0x48; // 0x0
																																							__r9 =  *_t90;
																																							_t91 = __rbp + 0x40; // 0x30003b00330003
																																							__rcx =  *_t91;
																																							 *(__rsp + 0x20) = __rax;
																																							L00409150();
																																							r15d = __eax;
																																							__eflags = __eax;
																																							if(__eax == 0) {
																																								_t93 = __rbp + 0x58; // 0x33003200310030
																																								__eax =  *_t93;
																																								_t94 = __rbp + 0x40; // 0x30003b00330003
																																								__rcx =  *_t94;
																																								__eflags = __eax;
																																								if(__eax != 0) {
																																									_t225 = __rbp + 0x70; // 0x108f4
																																									__rdx = _t225;
																																									L004090E0();
																																									_t226 = __rbp + 0x40; // 0x30003b00330003
																																									__rdx =  *_t226;
																																									_t227 = __rbp + 0x50; // 0x108d4
																																									__rcx = _t227;
																																									r9d = 0;
																																									_t228 = __rbp + 0x80; // 0x3b003300030000
																																									r8d =  *_t228;
																																									__eax = E004030A0(__rax, _t227,  *_t226, __r9);
																																									r15d = __eax;
																																									__eflags = __eax;
																																									if(__eax != 0) {
																																										goto L93;
																																									} else {
																																										__eflags =  *((long long*)(__rbp + 0x18));
																																										if( *((long long*)(__rbp + 0x18)) == 0) {
																																											goto L89;
																																										} else {
																																											goto L86;
																																										}
																																									}
																																									goto L103;
																																								} else {
																																									__eflags =  *((long long*)(__rbp + 0x18));
																																									if( *((long long*)(__rbp + 0x18)) == 0) {
																																										L90:
																																										__eflags =  *((char*)(__rbp + 0x12));
																																										if( *((char*)(__rbp + 0x12)) != 0) {
																																											_t230 = __rbp - 8; // 0x0
																																											r8d =  *_t230;
																																											_t231 = __rbp - 0x18; // 0x0
																																											__edx =  *_t231;
																																											L004090A0();
																																											r15d = __eax;
																																										} else {
																																											_t107 = __rbp - 8; // 0x0
																																											__eax =  *_t107;
																																											_t108 = __rbp - 0x20; // 0x0
																																											__rdx =  *_t108;
																																											r8d = 0xffffffff;
																																											_t109 = __rbp - 0x18; // 0x0
																																											r9d =  *_t109;
																																											 *(__rsp + 0x20) = __eax;
																																											__eflags =  *_t108;
																																											if( *_t108 == 0) {
																																												__edx = 1;
																																												L00409000();
																																												r15d = __eax;
																																											} else {
																																												L00409008();
																																												r15d = __eax;
																																											}
																																										}
																																									} else {
																																										_t96 = __rbp + 0x70; // 0x108f4
																																										__rdx = _t96;
																																										L004090E0();
																																										_t97 = __rbp + 0x40; // 0x30003b00330003
																																										__rdx =  *_t97;
																																										_t98 = __rbp + 0x50; // 0x108d4
																																										__rcx = _t98;
																																										r9d = 0;
																																										_t99 = __rbp + 0x80; // 0x3b003300030000
																																										r8d =  *_t99;
																																										__eax = E004030A0(__rax, _t98,  *_t97, __r9);
																																										r15d = __eax;
																																										__eflags = __eax;
																																										if(__eax == 0) {
																																											L86:
																																											__rcx =  *0x424178;
																																											__eflags =  *0x424178;
																																											if( *0x424178 != 0) {
																																												_t100 = __rbp + 8; // 0x0
																																												__r9 =  *_t100;
																																												r8d = __ebx;
																																												__rdx = L"Using image %d from \"%ls\" as template\n";
																																												__eax = E00401650(__r8,  *_t100);
																																											}
																																											 *(__rsp + 0x20) = 0;
																																											_t102 = __rbp + 0x28; // 0x2e000100000000
																																											__r8 =  *_t102;
																																											r9d = __ebx;
																																											_t103 = __rbp + 0x80; // 0x3b003300030000
																																											__edx =  *_t103;
																																											_t104 = __rbp + 0x40; // 0x30003b00330003
																																											__rcx =  *_t104;
																																											L00409078();
																																											r15d = __eax;
																																											__eflags = __eax;
																																											if(__eax == 0) {
																																												L89:
																																												_t105 = __rbp + 0x40; // 0x30003b00330003
																																												__rcx =  *_t105;
																																												goto L90;
																																											}
																																										}
																																									}
																																								}
																																							}
																																						}
																																					}
																																					L93:
																																					_t111 = __rbp + 0x68; // 0x1000000390038
																																					r8d =  *_t111;
																																					_t112 = __rbp + 0x28; // 0x2e000100000000
																																					__rcx =  *_t112;
																																					__rdx = __r8;
																																					_t113 = __rbp + 0x40; // 0x30003b00330003
																																					__eflags = __rcx -  *_t113;
																																					if(__rcx ==  *_t113) {
																																						L142:
																																						__eflags = __edx;
																																						if(__edx != 0) {
																																							goto L98;
																																						} else {
																																							goto L100;
																																						}
																																						goto L102;
																																					} else {
																																						__eflags = __r8;
																																						if(__r8 == 0) {
																																							L140:
																																							L00409108();
																																							L141:
																																							_t189 = __rbp + 0x68; // 0x1000000390038
																																							__edx =  *_t189;
																																							goto L142;
																																						} else {
																																							__edx = 0;
																																							while(1) {
																																								__eflags = __rcx -  *((intOrPtr*)(__r14 + __rdx * 8));
																																								if(__rcx ==  *((intOrPtr*)(__r14 + __rdx * 8))) {
																																									break;
																																								}
																																								__rdx = 1 + __rdx;
																																								__eflags = __rdx - __r8;
																																								if(__rdx == __r8) {
																																									goto L140;
																																								} else {
																																									continue;
																																								}
																																								goto L100;
																																							}
																																							L98:
																																							__ebx = 0;
																																							__eflags = 0;
																																							do {
																																								__rcx =  *((intOrPtr*)(__r14 + __rbx * 8));
																																								__rbx =  &(__rbx[1]);
																																								L00409108();
																																								_t118 = __rbp + 0x68; // 0x1000000390038
																																								__eax =  *_t118;
																																								__eflags = __rax - __rbx;
																																							} while (__rax > __rbx);
																																						}
																																					}
																																				}
																																			}
																																			L100:
																																			__rcx = __r14;
																																			free(??);
																																		}
																																	} else {
																																		_t66 = __rbp - 4; // 0x0
																																		__edx =  *_t66;
																																		_t67 = __rbp + 0x40; // 0x30003b00330003
																																		__rcx =  *_t67;
																																		L00409040();
																																		r15d = __eax;
																																		__eflags = __eax;
																																		if(__eax == 0) {
																																			goto L62;
																																		}
																																	}
																																} else {
																																	_t63 = __rbp + 4; // 0x0
																																	__edx =  *_t63;
																																	_t64 = __rbp + 0x40; // 0x30003b00330003
																																	__rcx =  *_t64;
																																	L00409038();
																																	r15d = __eax;
																																	__eflags = __eax;
																																	if(__eax == 0) {
																																		goto L60;
																																	}
																																}
																															}
																														}
																														L101:
																														_t119 = __rbp + 0x40; // 0x30003b00330003
																														__rcx =  *_t119;
																														L00409108();
																													}
																												}
																												L102:
																												__eflags =  *((char*)(__rbp + 0x13));
																												if( *((char*)(__rbp + 0x13)) != 0) {
																													__rcx = __r12;
																													free(??);
																												}
																												goto L103;
																											}
																										}
																									}
																									goto L187;
																								}
																								L186:
																								 *0 = 0;
																								asm("ud2");
																								0;
																								_push(__rbp);
																								_push(__r12);
																								_push(__rsi);
																								__rsp = __rsp - 0x28;
																								__rbp = __rsp + 0x80;
																								__rcx = "libgcc_s_dw2-1.dll";
																								__eax = GetModuleHandleA(__rbx);
																								__r12 = __rax;
																								__eflags = __rax;
																								if(__rax == 0) {
																									__rax = 0x401550;
																									__rbx = 0x401540;
																									 *0x416010 = 0x401550;
																									L6:
																									__rdx = 0x424060;
																									__rcx = 0x421000;
																									__eax =  *__rbx();
																								} else {
																									__rcx = "libgcc_s_dw2-1.dll";
																									__eax = LoadLibraryA(??);
																									__rsi = GetProcAddress;
																									__rdx = "__register_frame_info";
																									__rcx = __r12;
																									 *0x424040 = __rax;
																									__eax = GetProcAddress(??, ??);
																									__rdx = "__deregister_frame_info";
																									__rcx = __r12;
																									__rbx = __rax;
																									__eax = GetProcAddress(??, ??);
																									 *0x416010 = __rax;
																									__eflags = __rbx;
																									if(__rbx != 0) {
																										goto L6;
																									}
																								}
																								__rcx = 0x401610;
																								__rsp = __rsp + 0x28;
																								_pop(__rbx);
																								_pop(__rsi);
																								_pop(__r12);
																								_pop(__rbp);
																								L00409268();
																								return  ~((_t240 & 0xffffff00 | _t251 == 0x00000000) & 0x000000ff);
																							}
																						}
																					}
																				}
																			}
																		} else {
																			goto L36;
																		}
																	}
																}
															}
														}
													} else {
														__eflags =  *(__rbp + 8);
														if( *(__rbp + 8) != 0) {
															goto L30;
														} else {
															_t27 = __rbp + 0x68; // 0x1000000390038
															__eax =  *_t27;
															__eflags = __eax - 1;
															if(__eax == 1) {
																_t171 = __rbp + 0x60; // 0x37003600350034
																__rax =  *_t171;
																__rax =  *((intOrPtr*)( *_t171));
																 *(__rbp + 8) = __rax;
																goto L30;
															} else {
																__eflags =  *((char*)(__rbp + 0x12));
																if( *((char*)(__rbp + 0x12)) == 0) {
																	__eflags = __eax - 1;
																	if(__eax <= 1) {
																		__rcx = L"For capture of non-delta WIM, \'--update-of\' must specify WIMFILE:IMAGE!";
																		__eax = E004024D0(L"For capture of non-delta WIM, \'--update-of\' must specify WIMFILE:IMAGE!", __rdx, __r8, __r9);
																	} else {
																		__rcx = L"For capture of delta WIM based on multiple existing WIMs,\n      \'--update-of\' must specify WIMFILE:IMAGE!";
																		__eax = E004024D0(L"For capture of delta WIM based on multiple existing WIMs,\n      \'--update-of\' must specify WIMFILE:IMAGE!", __rdx, __r8, __r9);
																	}
																	goto L12;
																} else {
																	_t29 = __rbp - 0x20; // 0x0
																	__rax =  *_t29;
																	 *(__rbp + 8) = __rax;
																	goto L30;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = __eax - 0x3d;
								if(__eax > 0x3d) {
									goto L12;
								} else {
									__rax =  *((intOrPtr*)(__rbx + __rax * 4));
									goto __rax;
								}
							}
						} else {
							goto L16;
						}
					}
				}
				L187:
			}

0x00403e00
0x00403e00
0x00403e00
0x00403e00
0x00403e07
0x00403e0b
0x00403e17
0x00403e1c
0x00403e22
0x00403e37
0x00403e3e
0x00403e44
0x00000000
0x00403e24
0x00403e24
0x00403e28
0x00403e2c
0x00000000
0x00403e2e
0x00403e2e
0x00403e31
0x00403cf0
0x00403cf9
0x00403d00
0x00403d03
0x00403d05
0x00403d0c
0x00403d11
0x00403d14
0x00404110
0x00404117
0x0040411a
0x0040411c
0x00404120
0x00404123
0x00404126
0x00404129
0x00403d40
0x00403d40
0x00403d45
0x00403d4b
0x00403d51
0x00403d54
0x00403d57
0x00000000
0x0040412f
0x0040412f
0x00404133
0x00404137
0x0040413a
0x0040413e
0x00404777
0x0040477e
0x00404785
0x0040478b
0x0040478d
0x00404794
0x00404797
0x0040479a
0x0040479a
0x00404785
0x00404144
0x00404144
0x00404148
0x0040414f
0x00404154
0x00404156
0x00404442
0x00404445
0x00404448
0x0040444c
0x0040444f
0x0040445a
0x0040445a
0x00404462
0x00404464
0x00404469
0x0040446f
0x0040446f
0x00404476
0x0040447b
0x00404480
0x00404480
0x00404487
0x00000000
0x0040448d
0x0040448d
0x00404495
0x00000000
0x00404495
0x00404451
0x00404451
0x00404454
0x00404d12
0x00404d19
0x00404d1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00404454
0x0040415c
0x0040415c
0x0040415f
0x00404165
0x00404169
0x004048b4
0x004048b4
0x004048b8
0x004048b8
0x004048bc
0x004048c2
0x004048c4
0x00000000
0x004048ca
0x004048ca
0x004048d0
0x004048d3
0x00000000
0x004048d9
0x004048d9
0x004048de
0x00404c5a
0x00404c5a
0x00404c5c
0x00000000
0x00404c5e
0x00404c5e
0x00404c62
0x00000000
0x00404c62
0x004048e4
0x004048e4
0x004048e9
0x00404ca3
0x00404ca5
0x00000000
0x00404ca7
0x00404ca7
0x00404caf
0x00404cb3
0x00000000
0x00404cb3
0x004048ef
0x004048ef
0x004048ef
0x004048f3
0x004048f3
0x004048f7
0x004048fc
0x004048fe
0x00000000
0x00404904
0x00404904
0x00404906
0x00000000
0x0040490c
0x0040490c
0x00404910
0x00404918
0x0040491c
0x00000000
0x0040491c
0x00404906
0x004048fe
0x004048e9
0x004048de
0x004048d3
0x0040416f
0x0040416f
0x0040416f
0x00404171
0x00404d27
0x00404d2a
0x00404d2e
0x00404d2e
0x00000000
0x00404177
0x00404177
0x0040417a
0x00404c6b
0x00404c6b
0x00404c72
0x00404c78
0x00000000
0x00404180
0x00404180
0x00404184
0x00404188
0x00404188
0x0040418d
0x004041b4
0x004041b4
0x004041b8
0x00404869
0x0040486c
0x00404871
0x00404876
0x0040487a
0x0040487f
0x00404882
0x00404885
0x0040488a
0x0040488f
0x00404892
0x00404897
0x0040489b
0x00000000
0x004041be
0x004041be
0x004041c2
0x004041c6
0x004041ca
0x0040481b
0x0040481f
0x00404824
0x00404829
0x0040482d
0x00404832
0x00404839
0x0040483d
0x00404840
0x00404845
0x00404848
0x0040484d
0x0040484d
0x00404851
0x00404854
0x00404859
0x0040485c
0x0040485e
0x00000000
0x00404864
0x00000000
0x00404864
0x004041d0
0x004041d0
0x004041d0
0x004041d4
0x004041d4
0x004041d8
0x00404707
0x0040470b
0x00404712
0x00404716
0x0040471e
0x00404723
0x00404723
0x00404727
0x0040472c
0x00404730
0x00404735
0x00404739
0x00404742
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004041de
0x004041de
0x004041e2
0x004041e2
0x004041e6
0x004041f3
0x004041f3
0x004041f6
0x004041f9
0x004041ff
0x00404201
0x00404a73
0x00404a76
0x00404a7d
0x00000000
0x00404207
0x00404207
0x00404207
0x0040420e
0x00404215
0x00404218
0x0040421e
0x00404221
0x00404224
0x00404c09
0x00404c0c
0x00404c13
0x00000000
0x0040422a
0x0040422a
0x0040422d
0x00404232
0x00404236
0x0040423b
0x0040423e
0x00404241
0x00404ccd
0x00404cd0
0x00404cd3
0x00404cda
0x00404cdf
0x00404ce2
0x00000000
0x00404247
0x00404247
0x0040424a
0x0040424d
0x00404252
0x00404255
0x0040425a
0x0040425d
0x004049ad
0x004049b0
0x004049b3
0x004049ba
0x004049bf
0x004049c2
0x004049c7
0x004049ca
0x00000000
0x00404263
0x00404263
0x00404266
0x0040426b
0x0040426b
0x0040426f
0x00404272
0x00404275
0x0040427a
0x00000000
0x0040427a
0x0040425d
0x00404241
0x00404224
0x004041e8
0x004041e8
0x004041ed
0x00404a49
0x00404a4c
0x00404a51
0x00404a54
0x00404a57
0x00403e90
0x00403e90
0x00000000
0x00404a5d
0x00404a5d
0x00404a5d
0x00404a61
0x00404a61
0x00404a65
0x00404a6a
0x0040427e
0x0040427e
0x00404281
0x00000000
0x00404287
0x00404287
0x00404287
0x0040428b
0x0040428b
0x0040428f
0x00404293
0x00404293
0x00404297
0x0040429a
0x0040429e
0x004042a3
0x004042a6
0x004042a9
0x00404810
0x00404810
0x00000000
0x004042af
0x004042af
0x004042b4
0x004047ec
0x004047f1
0x004047f3
0x004047f8
0x004047fb
0x004047fe
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004042ba
0x004042ba
0x004042bd
0x004042c2
0x004042c5
0x004042c8
0x00404804
0x00404804
0x0040480b
0x00000000
0x004042ce
0x004042ce
0x004042ce
0x004042d2
0x004042d2
0x004042d6
0x004042d8
0x004042dc
0x004042e0
0x004042e4
0x004042e7
0x004042ea
0x004042f0
0x004042f0
0x004042f0
0x004042f4
0x004042f7
0x00000000
0x00000000
0x004042fd
0x00404300
0x00000000
0x00404306
0x00404306
0x0040431e
0x0040431e
0x00404323
0x00000000
0x00000000
0x00404310
0x00404314
0x00404314
0x00404318
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404318
0x00404325
0x00404328
0x0040432a
0x0040432d
0x00404331
0x00404337
0x00404337
0x0040433b
0x0040433e
0x00404343
0x00404345
0x00404690
0x00404690
0x00404695
0x00404695
0x00404699
0x0040469d
0x004046a1
0x004046a1
0x004046a5
0x004046a9
0x004046ad
0x004046b0
0x004046b4
0x004046b7
0x004046ba
0x004046bf
0x004046c1
0x004046e0
0x004046e0
0x004046e5
0x004046e8
0x004046eb
0x004046f0
0x004046f3
0x004047a2
0x004047a6
0x004047ab
0x004047ab
0x00000000
0x004046f9
0x004046f9
0x004046fc
0x00000000
0x004046fe
0x004046fe
0x004046fe
0x00000000
0x004046fe
0x004046fc
0x004046c3
0x004046c3
0x004046c3
0x004046c3
0x004046c7
0x004046cd
0x004046d0
0x00000000
0x004046d0
0x0040434b
0x0040434b
0x0040434b
0x0040434f
0x0040434f
0x00404353
0x00404356
0x00000000
0x00404358
0x00404358
0x0040435b
0x0040435b
0x0040435f
0x0040435f
0x00404363
0x00404363
0x00404367
0x00404748
0x00404748
0x00404748
0x0040474c
0x0040474c
0x0040474f
0x00404754
0x00404757
0x00404759
0x0040475f
0x0040475f
0x00404763
0x00404766
0x0040476d
0x00000000
0x0040476d
0x0040436d
0x0040436d
0x0040436d
0x0040436d
0x00404370
0x00404370
0x00404374
0x0040437d
0x00404384
0x00404384
0x00404388
0x0040438b
0x00404390
0x00404393
0x00404395
0x0040439b
0x0040439b
0x0040439e
0x004043a1
0x004047c1
0x004047c8
0x00000000
0x004047ce
0x004047ce
0x004047d2
0x00404b23
0x00404b23
0x00404b27
0x00404b27
0x00404b2b
0x00404b30
0x00404b30
0x00404b36
0x00404b36
0x004047d8
0x004047dc
0x004047e1
0x00000000
0x004047e7
0x00000000
0x004047e7
0x004047e1
0x00000000
0x004043a7
0x004043a7
0x004043a7
0x004043a7
0x004043ab
0x004043b0
0x004043b3
0x004043b5
0x004043bb
0x004043bb
0x004043bf
0x004043d8
0x004043d8
0x004043dc
0x004043f5
0x004043f5
0x004043f9
0x004043fb
0x004043ff
0x00404930
0x00404930
0x00404934
0x00404936
0x0040493b
0x00404942
0x00404945
0x0040494a
0x00404961
0x00404961
0x00404961
0x00404965
0x00404968
0x0040496d
0x0040496f
0x00000000
0x00000000
0x00404950
0x00404953
0x00404956
0x00404959
0x00404959
0x0040495c
0x0040495c
0x00404971
0x004043ff
0x00404405
0x00404405
0x00404408
0x0040440b
0x0040440d
0x004049d4
0x004049d6
0x004049db
0x004049e0
0x004049e3
0x004049e6
0x00404cec
0x00404cf3
0x00404cf7
0x00000000
0x004049ec
0x004049ec
0x004049ec
0x004049f0
0x004049f3
0x004049f5
0x00404a17
0x00404a17
0x00404a17
0x00404a1b
0x00404a1e
0x00404a21
0x00404a25
0x00404a2e
0x00404a33
0x00404a3a
0x00404a3c
0x00000000
0x00000000
0x00404a00
0x00404a00
0x00404a03
0x00404a07
0x00404a0b
0x00404a0e
0x00404a11
0x00404ada
0x00404ada
0x00404ade
0x00404ae1
0x00404ae4
0x00404ae9
0x00404aec
0x00404aee
0x00000000
0x00404af4
0x00404af4
0x00404af4
0x00404af8
0x00404aff
0x00404b03
0x00404c82
0x00404c85
0x00404c8b
0x00404c8b
0x00404c8f
0x00404c96
0x00404c99
0x00404c99
0x00404b09
0x00404b09
0x00404b0c
0x00404b12
0x00404b19
0x00404b19
0x00404b0c
0x00000000
0x00404b03
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a11
0x00404a3e
0x00404a3e
0x00404a41
0x00000000
0x00404a41
0x00000000
0x00404413
0x00404413
0x00404413
0x00404418
0x00404ad3
0x00404ad3
0x00000000
0x0040441e
0x0040441e
0x00404422
0x00404976
0x00404976
0x0040497a
0x0040497a
0x0040497e
0x00404983
0x00404985
0x00000000
0x0040498b
0x0040498b
0x0040498b
0x0040498f
0x00000000
0x0040498f
0x00404678
0x00404678
0x00404678
0x0040467c
0x00403d5c
0x00403d60
0x00403d69
0x00403d84
0x00000000
0x00404428
0x00404428
0x00404428
0x00404428
0x0040442b
0x0040442b
0x0040442f
0x00404431
0x00404433
0x004044d0
0x004044d0
0x004044d0
0x004044d4
0x004044d7
0x004044df
0x004044e3
0x004044e8
0x004044ea
0x00000000
0x00000000
0x004044c0
0x004044c0
0x004044c3
0x004044c7
0x004044ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004044ca
0x004044ec
0x004044f0
0x00404439
0x00404439
0x00404439
0x00404439
0x00404439
0x00404433
0x004044f4
0x004044f4
0x004044f7
0x00404a87
0x00404a90
0x00404a90
0x00404a94
0x00404a94
0x00404a98
0x00404a9f
0x00404a9f
0x00404aa2
0x00404aa7
0x00404aa7
0x00404aab
0x00404aae
0x00404ab0
0x00000000
0x00404ab6
0x00000000
0x00404ab6
0x00000000
0x004044fd
0x004044fd
0x004044fd
0x004044fd
0x00404501
0x00404504
0x00404509
0x0040450d
0x0040450f
0x00404b3e
0x00404b3e
0x00404b42
0x00404b42
0x00404b46
0x00404b4b
0x00404b4b
0x00404b4f
0x00404b4f
0x00404b53
0x00404b59
0x00404b59
0x00404b5d
0x00404b60
0x00404b65
0x00404b67
0x00404b69
0x00404b6f
0x00404b6f
0x00404b75
0x00404b77
0x00404b7d
0x00404b7d
0x00404b81
0x00404b85
0x00404b8b
0x00404b8e
0x00404b91
0x00404b94
0x00404b96
0x00404b98
0x00404b98
0x00404b85
0x00404b77
0x00404b69
0x00404515
0x00404517
0x00404abb
0x00404abb
0x00404abf
0x00404abf
0x00404ac3
0x00404ac8
0x00404acb
0x00404acd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040451d
0x0040451d
0x00404520
0x00404c31
0x00404c38
0x00404c3e
0x00404526
0x00404526
0x00404526
0x00404526
0x0040452a
0x0040452f
0x00404532
0x00404535
0x00404535
0x00404539
0x00404539
0x0040453d
0x00404542
0x00404547
0x0040454a
0x0040454c
0x00404552
0x00404552
0x00404555
0x00404555
0x00404559
0x0040455b
0x00404bce
0x00404bce
0x00404bd2
0x00404bd7
0x00404bd7
0x00404bdb
0x00404bdb
0x00404bdf
0x00404be2
0x00404be2
0x00404be9
0x00404bee
0x00404bf1
0x00404bf3
0x00000000
0x00404bf9
0x00404bf9
0x00404bfe
0x00000000
0x00404c04
0x00000000
0x00404c04
0x00404bfe
0x00000000
0x00404561
0x00404561
0x00404566
0x004045d7
0x004045d7
0x004045db
0x00404c1d
0x00404c1d
0x00404c21
0x00404c21
0x00404c24
0x00404c29
0x004045e1
0x004045e1
0x004045e1
0x004045e4
0x004045e4
0x004045e8
0x004045ee
0x004045ee
0x004045f2
0x004045f6
0x004045f9
0x00404c48
0x00404c4d
0x00404c52
0x004045ff
0x004045ff
0x00404604
0x00404604
0x004045f9
0x00404568
0x00404568
0x00404568
0x0040456c
0x00404571
0x00404571
0x00404575
0x00404575
0x00404579
0x0040457c
0x0040457c
0x00404583
0x00404588
0x0040458b
0x0040458d
0x0040458f
0x0040458f
0x00404596
0x00404599
0x0040459b
0x0040459b
0x0040459f
0x004045a2
0x004045a9
0x004045a9
0x004045ae
0x004045b6
0x004045b6
0x004045ba
0x004045bd
0x004045bd
0x004045c3
0x004045c3
0x004045c7
0x004045cc
0x004045cf
0x004045d1
0x004045d3
0x004045d3
0x004045d3
0x00000000
0x004045d3
0x004045d1
0x0040458d
0x00404566
0x0040455b
0x0040454c
0x00404520
0x00404607
0x00404607
0x00404607
0x0040460b
0x0040460b
0x0040460f
0x00404612
0x00404612
0x00404616
0x004049a0
0x004049a0
0x004049a2
0x00000000
0x004049a8
0x00000000
0x004049a8
0x00000000
0x0040461c
0x0040461c
0x0040461f
0x00404998
0x00404998
0x0040499d
0x0040499d
0x0040499d
0x00000000
0x00404625
0x00404625
0x0040463d
0x0040463d
0x00404641
0x00000000
0x00000000
0x00404630
0x00404634
0x00404637
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404637
0x00404643
0x00404643
0x00404643
0x00404648
0x00404648
0x0040464c
0x00404650
0x00404655
0x00404655
0x00404658
0x00404658
0x00404648
0x0040461f
0x00404616
0x004044f7
0x0040465d
0x0040465d
0x00404660
0x00404660
0x004043de
0x004043de
0x004043de
0x004043e1
0x004043e1
0x004043e5
0x004043ea
0x004043ed
0x004043ef
0x00000000
0x00000000
0x004043ef
0x004043c1
0x004043c1
0x004043c1
0x004043c4
0x004043c4
0x004043c8
0x004043cd
0x004043d0
0x004043d2
0x00000000
0x00000000
0x004043d2
0x004043bf
0x004043b5
0x00404665
0x00404665
0x00404665
0x00404669
0x00404669
0x00404395
0x0040466e
0x0040466e
0x00404672
0x004047b4
0x004047b7
0x004047b7
0x00000000
0x00404672
0x00404356
0x00404345
0x00000000
0x00404300
0x004155dc
0x004155dc
0x004155e6
0x004155ee
0x00401560
0x00401561
0x00401563
0x00401565
0x00401569
0x00401571
0x00401578
0x0040157e
0x00401581
0x00401584
0x004015e0
0x004015e7
0x004015ee
0x004015f5
0x004015f5
0x004015fc
0x00401603
0x00401586
0x00401586
0x0040158d
0x00401593
0x0040159a
0x004015a1
0x004015a4
0x004015ab
0x004015ad
0x004015b4
0x004015b7
0x004015ba
0x004015bc
0x004015c3
0x004015c6
0x00000000
0x00000000
0x004015c6
0x004015c8
0x004015cf
0x004015d3
0x004015d4
0x004015d5
0x004015d7
0x00401524
0x00401538
0x00401538
0x004042c8
0x004042b4
0x004042a9
0x00404281
0x00000000
0x00000000
0x00000000
0x004041ed
0x004041e6
0x004041d8
0x004041ca
0x0040418f
0x0040418f
0x00404194
0x00000000
0x00404196
0x00404196
0x00404196
0x00404199
0x0040419c
0x004048a4
0x004048a4
0x004048a8
0x004048ab
0x00000000
0x004041a2
0x004041a2
0x004041a6
0x00403d2a
0x00403d2d
0x00404d01
0x00404d08
0x00403d33
0x00403d33
0x00403d3a
0x00403d3a
0x00000000
0x004041ac
0x004041ac
0x004041ac
0x004041b0
0x00000000
0x004041b0
0x004041a6
0x0040419c
0x00404194
0x0040418d
0x0040417a
0x00404171
0x00404169
0x00404156
0x00403d1a
0x00403d1a
0x00403d1d
0x00000000
0x00403d21
0x00403d21
0x00403d28
0x00403d28
0x00403d1d
0x00000000
0x00000000
0x00000000
0x00403e31
0x00403e2c
0x00000000

APIs

free.MSVCRT ref: 00403D60
free.MSVCRT ref: 00403D69
wcstoul.MSVCRT ref: 00403E17

Strings

Number of threads must be a non-negative integer!, xrefs: 00403E37

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: free$wcstoul
String ID: Number of threads must be a non-negative integer!
API String ID: 4004876702-3844074275
Opcode ID: 2969e85e22a5a5a23aa6ddb0b74d1f5cee911b7e101995561b9a549e26d1c0a6
Instruction ID: 8f4e445ffa375ed658149eb25e51f4218fbca56692324cf9836b1baa334c8c8f
Opcode Fuzzy Hash: 2969e85e22a5a5a23aa6ddb0b74d1f5cee911b7e101995561b9a549e26d1c0a6
Instruction Fuzzy Hash: 1A01A172300A4085DB10DF39D8453992764F744BB9F800627EA1D977E4CF3CCA86C304

Uniqueness

Uniqueness Score: -1.00%

Function 00403DA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00403DA0(void* __esi, void* __rax) {
				signed int _t238;
				void* _t249;
				void* _t255;
				void* _t264;
				void* _t265;

				_t249 = __rax;
				L004091A0();
				if(__rax == 0) {
					E004024D0(L"\'--image-property\' argument must be in the form NAME=VALUE", _t255, _t264, _t265);
					goto L16;
				} else {
					__rdx =  *__r15;
					__rcx = __rbp + 0x50;
					__eax = E00402550(__esi, __rax, __rbp + 0x50,  *__r15);
					__eflags = __eax;
					if(__eax == 0) {
						 *(__rsp + 0x20) = 0;
						__r9 = 0x41e9e0;
						__rdx = __rdi;
						__ecx = __esi;
						__r8 = 0x41717e;
						__eax = E00408FE0();
						__eflags = __eax - 0xffffffff;
						if(__eax == 0xffffffff) {
							__rax =  *0x4201c0; // 0x416038
							__rax =  *__rax;
							__esi = __esi - __eax;
							__rbx = __rdi + __rax * 8;
							__eax = __rsi - 2;
							r15d = __esi;
							__eflags = __eax - 2;
							if(__eax > 2) {
								L12:
								__ecx = 2;
								r15d = 0xffffffff;
								__eax =  *0x416040();
								__ecx = r14d;
								__rdx = __rax;
								__eax = E00403630(r14d, __rax, __rax, __r8, __r9, __r12, __r13);
								goto L13;
							} else {
								__rax = __rbx[8];
								__eflags =  *(__rbp + 0x14) - 0xffffffff;
								__rsi =  *__rbx;
								 *(__rbp - 0x20) = __rax;
								if( *(__rbp + 0x14) == 0xffffffff) {
									 *(__rbp + 0x14) = 1;
									__eflags = r13d & 0x00001000;
									if((r13d & 0x00001000) == 0) {
										__eax = 0;
										__eflags = r12d & 0x00001000;
										__eax = 0 | __eflags != 0x00000000;
										__eax = (__eflags != 0) + 2;
										 *(__rbp + 0x14) = __eax;
									}
								}
								_t19 = __rbp - 0x20; // 0x0
								__rcx =  *_t19;
								__rdx = "-";
								L00409198();
								__eflags = __eax;
								if(__eax == 0) {
									__eax = r12d;
									__eax = r12d | 0x00000004;
									__eflags =  *((char*)(__rbp + 0x12));
									 *(__rbp - 0x18) = __eax;
									if( *((char*)(__rbp + 0x12)) != 0) {
										L70:
										__eflags =  *0x424178;
										if( *0x424178 != 0) {
											__ecx = 2;
											__eax =  *0x416040();
											 *0x424178 = __rax;
										}
										__ecx = 1;
										E004080C0();
										r12d = r12d & 0x00008000;
										__eflags = r12d;
										if(r12d != 0) {
											goto L174;
										} else {
											 *(__rbp - 0x20) = 0;
											 *((char*)(__rbp + 0x12)) = 0;
											goto L24;
										}
									} else {
										__eflags = r14d;
										if(r14d == 0) {
											__rcx = L"Using standard output for append does not make sense.";
											r15d = r15d | 0xffffffff;
											__eax = E004024D0(L"Using standard output for append does not make sense.", "-", __r8, __r9);
											goto L13;
										} else {
											goto L70;
										}
									}
								} else {
									__edi = r12d;
									__edi = r12d & 0x00008000;
									__eflags =  *((char*)(__rbp + 0x12));
									if( *((char*)(__rbp + 0x12)) != 0) {
										_t171 = __rbp - 0x20; // 0x0
										__rcx =  *_t171;
										_t172 = __rbp + 0x70; // 0x108f4
										__rdx = _t172;
										__imp___wstat64();
										__eflags = __eax;
										if(__eax == 0) {
											goto L21;
										} else {
											__imp___errno();
											__eflags =  *__rax - 2;
											if( *__rax != 2) {
												goto L21;
											} else {
												__eflags =  *((long long*)(__rbp + 0x18));
												if( *((long long*)(__rbp + 0x18)) == 0) {
													L172:
													__eflags = __edi;
													if(__edi != 0) {
														goto L174;
													} else {
														 *(__rbp - 0x18) = r12d;
														 *((char*)(__rbp + 0x12)) = 0;
														goto L29;
													}
												} else {
													__eflags =  *(__rbp + 8);
													if( *(__rbp + 8) == 0) {
														__eflags = __edi;
														if(__edi != 0) {
															goto L174;
														} else {
															 *((long long*)(__rbp + 0x18)) = 0;
															 *(__rbp - 0x18) = r12d;
															 *((char*)(__rbp + 0x12)) = 0;
															goto L29;
														}
													} else {
														_t175 = __rbp - 0x20; // 0x0
														__rdx =  *_t175;
														_t176 = __rbp + 8; // 0x0
														__rcx =  *_t176;
														L00409198();
														__eflags = __eax;
														if(__eax != 0) {
															goto L172;
														} else {
															__eflags = __edi;
															if(__edi != 0) {
																goto L174;
															} else {
																 *(__rbp - 0x18) = r12d;
																 *((long long*)(__rbp + 0x18)) = 0;
																 *((char*)(__rbp + 0x12)) = 0;
																 *(__rbp + 8) = 0;
																goto L29;
															}
														}
													}
												}
											}
										}
									} else {
										L21:
										__eflags = __edi;
										if(__edi == 0) {
											__eflags = r14d;
											 *(__rbp - 0x18) = r12d;
											_t237 = __rbp + 0x12; // 0x0
											 *_t237 = r14d == 0;
											goto L24;
										} else {
											__eflags = r14d;
											if(r14d != 0) {
												L174:
												__rcx = L"\'--unsafe-compact\' is only valid for append!";
												r15d = 0xffffffff;
												__eax = E004024D0(L"\'--unsafe-compact\' is only valid for append!", __rdx, __r8, __r9);
												goto L13;
											} else {
												 *(__rbp - 0x18) = r12d;
												 *((char*)(__rbp + 0x12)) = 1;
												L24:
												__eflags =  *((long long*)(__rbp + 0x18));
												if( *((long long*)(__rbp + 0x18)) == 0) {
													L29:
													__eflags = r15d - 2;
													if(r15d == 2) {
														__rcx = __rsi;
														L00409180();
														__rax = __rax + __rax + 0x43;
														__rax = __rax & 0xfffffff0;
														__eax = E0040A470(__eax);
														__rsp = __rsp - __rax;
														__rdx = __rsi;
														__rcx = __rsp + 0x30;
														L00409190();
														__rcx = __rax;
														__eax = E00402DF0(__eax, __rax, __rax);
														 *((char*)(__rbp + 0x11)) = 1;
														 *(__rbp - 0x48) = __rax;
														goto L32;
													} else {
														__rax = __rbx[0x10];
														 *(__rbp - 0x48) = __rax;
														__eflags = r15d - 4;
														if(r15d == 4) {
															__rcx = __rbx[0x18];
															L00409180();
															__rax = __rax + __rax + 0x29;
															__rax = __rax & 0xfffffff0;
															__eax = E0040A470(__eax);
															__rdx = L"DESCRIPTION=%ls";
															__r8 = __rbx[0x18];
															__rsp = __rsp - __rax;
															__r12 = __rsp + 0x30;
															__rcx = __r12;
															__eax = E0040A630(__r12, L"DESCRIPTION=%ls", __r8, __r9);
															_t163 = __rbp + 0x50; // 0x108d4
															__rcx = _t163;
															__rdx = __r12;
															__eax = E00402550(__esi, __rax, _t163, __rdx);
															r15d = __eax;
															__eflags = __eax;
															if(__eax == 0) {
																goto L31;
															} else {
																goto L13;
															}
														} else {
															L31:
															 *((char*)(__rbp + 0x11)) = 0;
															L32:
															__eflags =  *((char*)(__rbp + 0x13));
															if( *((char*)(__rbp + 0x13)) == 0) {
																__rsp = __rsp - 0x20;
																__rax = "\\";
																__eflags =  *((char*)(__rbp + 0x12));
																 *(__rbp + 0x38) = 0;
																 *((long long*)(__rsp + 0x38)) = "\\";
																_t136 = __rbp + 0x40; // 0x108c4
																__rax = _t136;
																__r12 = __rsp + 0x30;
																 *__r12 = __rsi;
																__esi = 1;
																 *(__rbp - 0x40) = __rax;
																 *(__r12 + 0x10) = 0;
																if( *((char*)(__rbp + 0x12)) != 0) {
																	goto L54;
																} else {
																	goto L109;
																}
																goto L101;
															} else {
																__eflags =  *__rsi - 0x2d;
																_t33 = __rbp + 0x70; // 0x108f4
																__rdi = _t33;
																if( *__rsi != 0x2d) {
																	L35:
																	__rdx = __rdi;
																	__rcx = __rsi;
																	__imp___wstat64();
																	__eflags = __eax;
																	if(__eflags != 0) {
																		__rdx = __rsi;
																		__rcx = L"Failed to stat the file \"%ls\"";
																		__eax = E004031C0(__eflags, __rax, L"Failed to stat the file \"%ls\"", __rsi, __r8, __r9);
																		goto L16;
																	} else {
																		_t35 = __rbp + 0x88; // 0x30
																		__r12 =  *_t35;
																		__rdx = L"rb";
																		__rcx = __rsi;
																		__imp___wfopen();
																		__r14 = __rax;
																		__eflags = __rax;
																		if(__eflags == 0) {
																			__rdx = __rsi;
																			__rcx = L"Failed to open the file \"%ls\"";
																			__eax = E004031C0(__eflags, __rax, L"Failed to open the file \"%ls\"", __rsi, __r8, __r9);
																			goto L16;
																		} else {
																			__eflags = __r12;
																			__ecx = 1;
																			__rcx =  !=  ? __r12 : __rcx;
																			__eax = malloc(??);
																			__r15 = __rax;
																			__eflags = __rax;
																			if(__rax == 0) {
																				__r8 = __rsi;
																				__rdx = __r12;
																				__rcx = L"Failed to allocate buffer of %zu bytes to hold contents of file \"%ls\"";
																				__eax = E004024D0(L"Failed to allocate buffer of %zu bytes to hold contents of file \"%ls\"", __r12, __rsi, __r9);
																				__rcx = __r14;
																				__eax = fclose(??);
																				goto L16;
																			} else {
																				__r9 = __r14;
																				__r8 = __r12;
																				__edx = 1;
																				__rcx = __rax;
																				__eax = fread(??, ??, ??, ??);
																				__eflags = __r12 - __rax;
																				if(__eflags != 0) {
																					__r8 = __rsi;
																					__rdx = __r12;
																					__rcx = L"Failed to read %zu bytes from the file \"%ls\"";
																					__eax = E004031C0(__eflags, __rax, L"Failed to read %zu bytes from the file \"%ls\"", __r12, __rsi, __r9);
																					__rcx = __r15;
																					free(??);
																					__rcx = __r14;
																					__eax = fclose(??);
																					goto L16;
																				} else {
																					__rcx = __r14;
																					__eax = fclose(??);
																					_t36 = __rbp + 0x30; // 0x108b4
																					__r8 = _t36;
																					__rdx = __r12;
																					__rcx = __r15;
																					__eax = E004023F0(__rax, __r15, __r12, _t36);
																					 *(__rbp + 0x38) = __rax;
																					goto L40;
																				}
																			}
																		}
																	}
																} else {
																	__eflags =  *((short*)(__rsi + 2));
																	if( *((short*)(__rsi + 2)) == 0) {
																		__rcx = __rdi;
																		__eax = E00403260(__rax, __rdi);
																		__rcx = __rax;
																		__eflags = __rax;
																		if(__rax == 0) {
																			L16:
																			r15d = 0xffffffff;
																			goto L13;
																		} else {
																			_t197 = __rbp + 0x70; // 0x2e
																			__rdx =  *_t197;
																			_t198 = __rbp + 0x30; // 0x108b4
																			__r8 = _t198;
																			__eax = E004023F0(__rax, __rcx,  *_t197, _t198);
																			 *(__rbp + 0x38) = __rax;
																			L40:
																			__eflags = __rax;
																			if(__rax == 0) {
																				goto L16;
																			} else {
																				_t38 = __rbp + 0x30; // 0x1000000000000
																				__rax =  *_t38;
																				_t39 = __rbp + 0x38; // 0x108bc
																				__rcx = _t39;
																				 *((long long*)(__rbp + 0x40)) =  *_t38;
																				_t41 = __rbp + 0x40; // 0x108c4
																				__rax = _t41;
																				__rdx = __rax;
																				 *(__rbp - 0x40) = __rax;
																				__eax = E004025C0(__eax, _t39, __rdx);
																				__rbx = __rax;
																				__eflags = __rax;
																				if(__eflags < 0) {
																					L121:
																					r15d = 0xffffffff;
																					goto L102;
																				} else {
																					__edx = 0x18;
																					if(__eflags == 0) {
																						__ecx = 1;
																						__esi = 0;
																						__eax = calloc(??, ??);
																						__r12 = __rax;
																						__eflags = __rax;
																						if(__rax != 0) {
																							goto L53;
																						} else {
																							goto L120;
																						}
																						goto L102;
																					} else {
																						__rcx = __rax;
																						__eax = calloc(??, ??);
																						__r12 = __rax;
																						__eflags = __rax;
																						if(__rax == 0) {
																							L120:
																							__rcx = L"out of memory";
																							__eax = E004024D0(L"out of memory", __rdx, __r8, __r9);
																							goto L121;
																						} else {
																							_t43 = __rbp + 0x48; // 0x108cc
																							__rax = _t43;
																							_t44 = __rbp + 0x38; // 0x2c
																							__rcx =  *_t44;
																							__esi = 0;
																							 *(__rbp - 0x4c) = r13d;
																							 *((long long*)(__rbp - 0x38)) = _t43;
																							 *(__rbp - 0x30) = __r12;
																							__r13 =  *_t44;
																							__r12 = __rsi;
																							asm("o16 nop [eax+eax]");
																							while(1) {
																								_t48 = __rbp + 0x40; // 0x30003b00330003
																								__rax =  *_t48;
																								__eflags = __r13;
																								if(__r13 == 0) {
																									break;
																								}
																								__eflags = __rax;
																								if(__rax == 0) {
																									break;
																								} else {
																									__r14 = __r13;
																									while(1) {
																										__eflags =  *__r14 - 0xa;
																										if( *__r14 == 0xa) {
																											break;
																										}
																										__r14 = __r14 + 2;
																										__rax = __rax - 1;
																										__eflags = __rax;
																										if(__rax == 0) {
																											goto L186;
																										} else {
																											continue;
																										}
																										goto L187;
																									}
																									__rdx = __r14;
																									__ecx = 0;
																									__rdx = __r14 - __r13;
																									 *__r14 = __cx;
																									__rcx = __r13;
																									_t49 = 1 + (__r14 - __r13 >> 1); // 0x2d
																									__r15 = _t49;
																									__rdx = __r15;
																									__eax = E00402470(__eax, __r13, __rdx);
																									__eflags = __al;
																									if(__al == 0) {
																										_t120 = 1 + __r12; // 0x1
																										__rax = _t120;
																										_t121 = __rbp - 0x30; // 0x0
																										__rdx =  *_t121;
																										 *(__rbp + 0x70) = __r15;
																										 *((long long*)(__rbp - 0x28)) = _t120;
																										_t124 = __rbp - 0x38; // 0x0
																										__r15 =  *_t124;
																										__rax = __r12 + __r12 * 2;
																										__r12 =  *_t121 + (__r12 + __r12 * 2) * 8;
																										__rdx = __rdi;
																										 *(__rbp + 0x48) = __r13;
																										__r8 = __r12;
																										__rcx = __r15;
																										__eax = E00402670(__eax, __r15, __rdi, __r12);
																										__eflags = __eax;
																										if(__eax == 0) {
																											_t131 = 8 + __r12; // 0x8
																											__r8 = _t131;
																											__rdx = __rdi;
																											__rcx = __r15;
																											__eax = E00402670(__eax, __r15, __rdx, __r8);
																											__eflags = __eax - 2;
																											if(__eax == 2) {
																												__rax =  *__r12;
																												 *(8 + __r12) = __rax;
																												_t153 = __rbp - 0x28; // 0x0
																												__r12 =  *_t153;
																												goto L51;
																											} else {
																												__eflags = __eax - 1;
																												if(__eax == 1) {
																													goto L104;
																												} else {
																													_t132 = __rbp - 0x28; // 0x0
																													__r12 =  *_t132;
																													goto L51;
																												}
																											}
																										} else {
																											L104:
																											_t130 = __rbp - 0x30; // 0x0
																											__r12 =  *_t130;
																											r15d = 0xffffffff;
																											__rcx =  *_t130;
																											free(??);
																											goto L102;
																										}
																									} else {
																										L51:
																										__rsi = 1 + __rsi;
																										_t50 = __r14 + 2; // 0x2e
																										__r13 = _t50;
																										__eflags = __rbx - __rsi;
																										if(__rbx != __rsi) {
																											continue;
																										} else {
																											__rsi = __r12;
																											_t51 = __rbp - 0x4c; // 0x0
																											r13d =  *_t51;
																											_t52 = __rbp - 0x30; // 0x0
																											__r12 =  *_t52;
																											L53:
																											__eflags =  *((char*)(__rbp + 0x12));
																											if( *((char*)(__rbp + 0x12)) == 0) {
																												L109:
																												_t140 = __rbp - 0x40; // 0x0
																												__rdx =  *_t140;
																												_t141 = __rbp + 0x14; // 0x0
																												__ecx =  *_t141;
																												L00409148();
																												r15d = __eax;
																												__eflags = __eax;
																												if(__eax == 0) {
																													_t142 = __rbp + 0x40; // 0x30003b00330003
																													__rcx =  *_t142;
																													r8d = 0;
																													__rdx = 0x401890;
																													L00409070();
																													goto L55;
																												}
																											} else {
																												L54:
																												_t54 = __rbp - 0x14; // 0x0
																												__edx =  *_t54;
																												_t55 = __rbp - 0x40; // 0x0
																												__r8 =  *_t55;
																												 *(__rsp + 0x20) = 0;
																												__r9 = 0x401890;
																												_t58 = __rbp - 0x20; // 0x0
																												__rcx =  *_t58;
																												__edx =  *_t54 | 0x00000004;
																												L004090A8();
																												r15d = __eax;
																												__eflags = __eax;
																												if(__eax == 0) {
																													L55:
																													__edx =  *__rbp;
																													__eflags = __edx - 0xffffffff;
																													if(__edx == 0xffffffff) {
																														__eflags = r13d & 0x00001000;
																														if((r13d & 0x00001000) == 0) {
																															goto L57;
																														} else {
																															__eflags =  *((char*)(__rbp + 0x12));
																															if( *((char*)(__rbp + 0x12)) != 0) {
																																_t210 = __rbp + 0x40; // 0x30003b00330003
																																__rcx =  *_t210;
																																_t211 = __rbp + 0x70; // 0x108f4
																																__rdx = _t211;
																																L004090E0();
																																_t212 = __rbp + 0x94; // 0x0
																																__eax =  *_t212;
																																 *(__rbp + 0x14) = __eax;
																															}
																															__eflags =  *(__rbp + 0x14) - 1;
																															__edx = 0x1000;
																															if( *(__rbp + 0x14) != 1) {
																																goto L57;
																															} else {
																																goto L56;
																															}
																														}
																														goto L102;
																													} else {
																														L56:
																														_t59 = __rbp + 0x40; // 0x30003b00330003
																														__rcx =  *_t59;
																														L00409050();
																														r15d = __eax;
																														__eflags = __eax;
																														if(__eax == 0) {
																															L57:
																															__eflags =  *(__rbp + 4) - 0xffffffff;
																															if( *(__rbp + 4) == 0xffffffff) {
																																L59:
																																__eflags =  *(__rbp - 4) - 0xffffffff;
																																if( *(__rbp - 4) == 0xffffffff) {
																																	L61:
																																	__eflags =  *((char*)(__rbp + 0x11));
																																	if( *((char*)(__rbp + 0x11)) != 0) {
																																		__eflags =  *((char*)(__rbp + 0x12));
																																		if( *((char*)(__rbp + 0x12)) != 0) {
																																			_t181 = __rbp - 0x48; // 0x0
																																			__r15 =  *_t181;
																																			__edx = 0;
																																			__ebx = 1;
																																			__r14 = L" (%lu)";
																																			__rcx = __r15;
																																			L004091A0();
																																			__rdi = __rax;
																																			while(1) {
																																				_t182 = __rbp + 0x40; // 0x30003b00330003
																																				__rcx =  *_t182;
																																				__rdx = __r15;
																																				L004090C8();
																																				__eflags = __al;
																																				if(__al == 0) {
																																					break;
																																				}
																																				r8d = __ebx;
																																				__rdx = __r14;
																																				__rcx = __rdi;
																																				__ebx = __ebx + 1;
																																				__eflags = __ebx;
																																				__eax = E0040A630(__rdi, __r14, __r8, __r9);
																																			}
																																		}
																																	}
																																	_t68 = __rbp + 0x68; // 0x1000000390038
																																	__eax =  *_t68;
																																	r14d = 0;
																																	__eflags = __eax;
																																	if(__eax != 0) {
																																		__ecx = __eax;
																																		__edx = 8;
																																		__eax = calloc(??, ??);
																																		__r14 = __rax;
																																		__eflags = __rax;
																																		if(__rax == 0) {
																																			__rcx = L"Out of memory!";
																																			r15d = r15d | 0xffffffff;
																																			__eax = E004024D0(L"Out of memory!", __rdx, __r8, __r9);
																																			goto L100;
																																		} else {
																																			_t188 = __rbp - 0x14; // 0x0
																																			r15d =  *_t188;
																																			__rdi = __rax;
																																			__ebx = 0;
																																			__r9 = 0x401890;
																																			while(1) {
																																				_t191 = __rbp + 0x60; // 0x37003600350034
																																				__rax =  *_t191;
																																				__r8 = __rdi;
																																				__edx = r15d;
																																				__rcx =  *((intOrPtr*)(__rax + __rbx * 8));
																																				 *(__rsp + 0x20) = 0;
																																				L004090A8();
																																				__r9 = 0x401890;
																																				__eflags = __eax;
																																				if(__eax != 0) {
																																					break;
																																				}
																																				_t190 = __rbp + 0x68; // 0x1000000390038
																																				__eax =  *_t190;
																																				__rbx =  &(__rbx[1]);
																																				__rdi = 8 + __rdi;
																																				__r8 = __rax;
																																				__eflags = __rax - __rbx;
																																				if(__rax <= __rbx) {
																																					_t208 = __rbp + 0x40; // 0x30003b00330003
																																					__rcx =  *_t208;
																																					r9d = 0;
																																					__rdx = __r14;
																																					L00409080();
																																					r15d = __eax;
																																					__eflags = __eax;
																																					if(__eax != 0) {
																																						goto L140;
																																					} else {
																																						_t209 = __rbp + 0x68; // 0x1000000390038
																																						r8d =  *_t209;
																																						__rcx =  *0x424178;
																																						__eflags = r8d - 1;
																																						if(r8d == 1) {
																																							__eflags = __rcx;
																																							if(__rcx != 0) {
																																								_t232 = __rbp + 0x60; // 0x37003600350034
																																								__rax =  *_t232;
																																								__rdx = L"Capturing delta WIM based on \"%ls\"\n";
																																								__r8 =  *__rax;
																																								__eax = E00401650(__r8, 0x401890);
																																							}
																																						} else {
																																							__eflags = __rcx;
																																							if(__rcx != 0) {
																																								__rdx = L"Capturing delta WIM based on %u WIMs\n";
																																								__eax = E00401650(__r8, 0x401890);
																																							}
																																						}
																																						goto L64;
																																					}
																																				} else {
																																					continue;
																																				}
																																				goto L101;
																																			}
																																			_t196 = __rbp + 0x68; // 0x1000000390038
																																			__edx =  *_t196;
																																			r15d = __eax;
																																			goto L141;
																																		}
																																		goto L102;
																																	} else {
																																		L64:
																																		__eflags =  *((long long*)(__rbp + 0x18));
																																		if( *((long long*)(__rbp + 0x18)) == 0) {
																																			L155:
																																			__ebx = 0;
																																			goto L81;
																																		} else {
																																			__eflags =  *((char*)(__rbp + 0x12));
																																			if( *((char*)(__rbp + 0x12)) != 0) {
																																				_t183 = __rbp - 0x20; // 0x0
																																				__rdx =  *_t183;
																																				_t184 = __rbp + 8; // 0x0
																																				__rcx =  *_t184;
																																				L00409198();
																																				__eflags = __eax;
																																				if(__eax != 0) {
																																					goto L66;
																																				} else {
																																					_t185 = __rbp + 0x40; // 0x30003b00330003
																																					__rcx =  *_t185;
																																					 *(__rbp + 0x28) = __rcx;
																																					goto L77;
																																				}
																																				L102:
																																				_t119 = __rbp + 0x38; // 0x2c
																																				__rcx =  *_t119;
																																				free(??);
																																				goto L13;
																																			} else {
																																				L66:
																																				_t71 = __rbp + 0x68; // 0x1000000390038
																																				__edx =  *_t71;
																																				_t72 = __rbp + 8; // 0x0
																																				__r15 =  *_t72;
																																				__edi = 0;
																																				__eflags = __edx;
																																				if(__edx != 0) {
																																					while(1) {
																																						_t79 = __rbp + 0x60; // 0x37003600350034
																																						__rax =  *_t79;
																																						__rcx = __r15;
																																						__rbx = __rdi * 8;
																																						__rdx =  *((intOrPtr*)(__rax + __rdi * 8));
																																						L00409198();
																																						__eflags = __eax;
																																						if(__eax == 0) {
																																							break;
																																						}
																																						_t78 = __rbp + 0x68; // 0x1000000390038
																																						__eax =  *_t78;
																																						__rdi = 1 + __rdi;
																																						__eflags = __rax - __rdi;
																																						if(__rax <= __rdi) {
																																							goto L67;
																																						} else {
																																							continue;
																																						}
																																						goto L77;
																																					}
																																					__rcx = __rbx[__r14];
																																					 *(__rbp + 0x28) = __rcx;
																																				} else {
																																					L67:
																																					_t73 = __rbp + 0x28; // 0x2e000100000000
																																					__rcx =  *_t73;
																																				}
																																			}
																																			L77:
																																			__eflags = __rcx;
																																			if(__rcx == 0) {
																																				 *(__rsp + 0x20) = 0;
																																				_t201 = __rbp + 8; // 0x0
																																				__rcx =  *_t201;
																																				_t202 = __rbp + 0x28; // 0x108ac
																																				__r8 = _t202;
																																				__r9 = 0x401890;
																																				_t204 = __rbp - 0x14; // 0x0
																																				__edx =  *_t204;
																																				L004090A8();
																																				_t205 = __rbp + 0x28; // 0x2e000100000000
																																				__rcx =  *_t205;
																																				r15d = __eax;
																																				__eflags = __eax;
																																				if(__eax == 0) {
																																					goto L78;
																																				} else {
																																					goto L140;
																																				}
																																				goto L101;
																																			} else {
																																				L78:
																																				_t85 = __rbp + 0x18; // 0x0
																																				__rdi =  *_t85;
																																				__rdx = __rdi;
																																				L00409068();
																																				__eflags =  *__rdi - 0x2d;
																																				__ebx = __eax;
																																				if( *__rdi == 0x2d) {
																																					_t214 = __rbp + 0x28; // 0x2e000100000000
																																					__rcx =  *_t214;
																																					_t215 = __rbp + 0x70; // 0x108f4
																																					__rdx = _t215;
																																					L004090E0();
																																					_t216 = __rbp + 0x18; // 0x0
																																					__rax =  *_t216;
																																					_t217 = __rbp + 0x48; // 0x108cc
																																					__rdx = _t217;
																																					r8d = 0xa;
																																					_t218 = __rax + 2; // 0xc
																																					__rdi = _t218;
																																					__rcx = __rdi;
																																					L00409168();
																																					__edx = __eax;
																																					__eflags = __eax;
																																					if(__eax != 0) {
																																						_t219 = __rbp + 0x80; // 0x3b003300030000
																																						__eax =  *_t219;
																																						__eflags = __eax - __edx;
																																						if(__eax >= __edx) {
																																							_t220 = __rbp + 0x48; // 0x0
																																							__rcx =  *_t220;
																																							__eflags =  *__rcx;
																																							if( *__rcx == 0) {
																																								__eflags = __rdi - __rcx;
																																								__ecx = __ecx & 0xffffff00 | __rdi != __rcx;
																																								__eax = __eax + 1;
																																								__eax = __eax - __edx;
																																								__eflags = __cl;
																																								__ebx =  !=  ? __eax : __ebx;
																																							}
																																						}
																																					}
																																				}
																																				__eflags = __ebx;
																																				if(__ebx == 0) {
																																					_t206 = __rbp + 8; // 0x0
																																					__rdx =  *_t206;
																																					_t207 = __rbp + 0x18; // 0x0
																																					__rcx =  *_t207;
																																					__eax = E00403BB0( *_t207,  *_t206, __r9);
																																					r15d = __eax;
																																					__eflags = __eax;
																																					if(__eax != 0) {
																																						goto L92;
																																					} else {
																																						goto L155;
																																					}
																																					goto L102;
																																				} else {
																																					__eflags = __ebx - 0xffffffff;
																																					if(__ebx == 0xffffffff) {
																																						__rcx = L"Cannot specify all images for this action!";
																																						r15d = 0x12;
																																						__eax = E004024D0(L"Cannot specify all images for this action!", __rdx, __r8, __r9);
																																					} else {
																																						L81:
																																						_t86 = __rbp - 0x10; // 0x0
																																						__rax =  *_t86;
																																						 *(__rsp + 0x28) = r13d;
																																						__r8 = __rsi;
																																						__rdx = __r12;
																																						_t88 = __rbp - 0x48; // 0x0
																																						__r9 =  *_t88;
																																						_t89 = __rbp + 0x40; // 0x30003b00330003
																																						__rcx =  *_t89;
																																						 *(__rsp + 0x20) = __rax;
																																						L00409150();
																																						r15d = __eax;
																																						__eflags = __eax;
																																						if(__eax == 0) {
																																							_t91 = __rbp + 0x58; // 0x33003200310030
																																							__eax =  *_t91;
																																							_t92 = __rbp + 0x40; // 0x30003b00330003
																																							__rcx =  *_t92;
																																							__eflags = __eax;
																																							if(__eax != 0) {
																																								_t223 = __rbp + 0x70; // 0x108f4
																																								__rdx = _t223;
																																								L004090E0();
																																								_t224 = __rbp + 0x40; // 0x30003b00330003
																																								__rdx =  *_t224;
																																								_t225 = __rbp + 0x50; // 0x108d4
																																								__rcx = _t225;
																																								r9d = 0;
																																								_t226 = __rbp + 0x80; // 0x3b003300030000
																																								r8d =  *_t226;
																																								__eax = E004030A0(__rax, _t225,  *_t224, __r9);
																																								r15d = __eax;
																																								__eflags = __eax;
																																								if(__eax != 0) {
																																									goto L92;
																																								} else {
																																									__eflags =  *((long long*)(__rbp + 0x18));
																																									if( *((long long*)(__rbp + 0x18)) == 0) {
																																										goto L88;
																																									} else {
																																										goto L85;
																																									}
																																								}
																																								goto L102;
																																							} else {
																																								__eflags =  *((long long*)(__rbp + 0x18));
																																								if( *((long long*)(__rbp + 0x18)) == 0) {
																																									L89:
																																									__eflags =  *((char*)(__rbp + 0x12));
																																									if( *((char*)(__rbp + 0x12)) != 0) {
																																										_t228 = __rbp - 8; // 0x0
																																										r8d =  *_t228;
																																										_t229 = __rbp - 0x18; // 0x0
																																										__edx =  *_t229;
																																										L004090A0();
																																										r15d = __eax;
																																									} else {
																																										_t105 = __rbp - 8; // 0x0
																																										__eax =  *_t105;
																																										_t106 = __rbp - 0x20; // 0x0
																																										__rdx =  *_t106;
																																										r8d = 0xffffffff;
																																										_t107 = __rbp - 0x18; // 0x0
																																										r9d =  *_t107;
																																										 *(__rsp + 0x20) = __eax;
																																										__eflags =  *_t106;
																																										if( *_t106 == 0) {
																																											__edx = 1;
																																											L00409000();
																																											r15d = __eax;
																																										} else {
																																											L00409008();
																																											r15d = __eax;
																																										}
																																									}
																																								} else {
																																									_t94 = __rbp + 0x70; // 0x108f4
																																									__rdx = _t94;
																																									L004090E0();
																																									_t95 = __rbp + 0x40; // 0x30003b00330003
																																									__rdx =  *_t95;
																																									_t96 = __rbp + 0x50; // 0x108d4
																																									__rcx = _t96;
																																									r9d = 0;
																																									_t97 = __rbp + 0x80; // 0x3b003300030000
																																									r8d =  *_t97;
																																									__eax = E004030A0(__rax, _t96,  *_t95, __r9);
																																									r15d = __eax;
																																									__eflags = __eax;
																																									if(__eax == 0) {
																																										L85:
																																										__rcx =  *0x424178;
																																										__eflags =  *0x424178;
																																										if( *0x424178 != 0) {
																																											_t98 = __rbp + 8; // 0x0
																																											__r9 =  *_t98;
																																											r8d = __ebx;
																																											__rdx = L"Using image %d from \"%ls\" as template\n";
																																											__eax = E00401650(__r8,  *_t98);
																																										}
																																										 *(__rsp + 0x20) = 0;
																																										_t100 = __rbp + 0x28; // 0x2e000100000000
																																										__r8 =  *_t100;
																																										r9d = __ebx;
																																										_t101 = __rbp + 0x80; // 0x3b003300030000
																																										__edx =  *_t101;
																																										_t102 = __rbp + 0x40; // 0x30003b00330003
																																										__rcx =  *_t102;
																																										L00409078();
																																										r15d = __eax;
																																										__eflags = __eax;
																																										if(__eax == 0) {
																																											L88:
																																											_t103 = __rbp + 0x40; // 0x30003b00330003
																																											__rcx =  *_t103;
																																											goto L89;
																																										}
																																									}
																																								}
																																							}
																																						}
																																					}
																																				}
																																				L92:
																																				_t109 = __rbp + 0x68; // 0x1000000390038
																																				r8d =  *_t109;
																																				_t110 = __rbp + 0x28; // 0x2e000100000000
																																				__rcx =  *_t110;
																																				__rdx = __r8;
																																				_t111 = __rbp + 0x40; // 0x30003b00330003
																																				__eflags = __rcx -  *_t111;
																																				if(__rcx ==  *_t111) {
																																					L141:
																																					__eflags = __edx;
																																					if(__edx != 0) {
																																						goto L97;
																																					} else {
																																						goto L99;
																																					}
																																					goto L101;
																																				} else {
																																					__eflags = __r8;
																																					if(__r8 == 0) {
																																						L139:
																																						L00409108();
																																						L140:
																																						_t187 = __rbp + 0x68; // 0x1000000390038
																																						__edx =  *_t187;
																																						goto L141;
																																					} else {
																																						__edx = 0;
																																						while(1) {
																																							__eflags = __rcx -  *((intOrPtr*)(__r14 + __rdx * 8));
																																							if(__rcx ==  *((intOrPtr*)(__r14 + __rdx * 8))) {
																																								break;
																																							}
																																							__rdx = 1 + __rdx;
																																							__eflags = __rdx - __r8;
																																							if(__rdx == __r8) {
																																								goto L139;
																																							} else {
																																								continue;
																																							}
																																							goto L99;
																																						}
																																						L97:
																																						__ebx = 0;
																																						__eflags = 0;
																																						do {
																																							__rcx =  *((intOrPtr*)(__r14 + __rbx * 8));
																																							__rbx =  &(__rbx[1]);
																																							L00409108();
																																							_t116 = __rbp + 0x68; // 0x1000000390038
																																							__eax =  *_t116;
																																							__eflags = __rax - __rbx;
																																						} while (__rax > __rbx);
																																					}
																																				}
																																			}
																																		}
																																		L99:
																																		__rcx = __r14;
																																		free(??);
																																	}
																																} else {
																																	_t64 = __rbp - 4; // 0x0
																																	__edx =  *_t64;
																																	_t65 = __rbp + 0x40; // 0x30003b00330003
																																	__rcx =  *_t65;
																																	L00409040();
																																	r15d = __eax;
																																	__eflags = __eax;
																																	if(__eax == 0) {
																																		goto L61;
																																	}
																																}
																															} else {
																																_t61 = __rbp + 4; // 0x0
																																__edx =  *_t61;
																																_t62 = __rbp + 0x40; // 0x30003b00330003
																																__rcx =  *_t62;
																																L00409038();
																																r15d = __eax;
																																__eflags = __eax;
																																if(__eax == 0) {
																																	goto L59;
																																}
																															}
																														}
																													}
																													L100:
																													_t117 = __rbp + 0x40; // 0x30003b00330003
																													__rcx =  *_t117;
																													L00409108();
																												}
																											}
																											L101:
																											__eflags =  *((char*)(__rbp + 0x13));
																											if( *((char*)(__rbp + 0x13)) != 0) {
																												__rcx = __r12;
																												free(??);
																											}
																											goto L102;
																										}
																									}
																								}
																								goto L187;
																							}
																							L186:
																							 *0 = 0;
																							asm("ud2");
																							0;
																							_push(__rbp);
																							_push(__r12);
																							_push(__rsi);
																							__rsp = __rsp - 0x28;
																							__rbp = __rsp + 0x80;
																							__rcx = "libgcc_s_dw2-1.dll";
																							__eax = GetModuleHandleA(__rbx);
																							__r12 = __rax;
																							__eflags = __rax;
																							if(__rax == 0) {
																								__rax = 0x401550;
																								__rbx = 0x401540;
																								 *0x416010 = 0x401550;
																								L6:
																								__rdx = 0x424060;
																								__rcx = 0x421000;
																								__eax =  *__rbx();
																							} else {
																								__rcx = "libgcc_s_dw2-1.dll";
																								__eax = LoadLibraryA(??);
																								__rsi = GetProcAddress;
																								__rdx = "__register_frame_info";
																								__rcx = __r12;
																								 *0x424040 = __rax;
																								__eax = GetProcAddress(??, ??);
																								__rdx = "__deregister_frame_info";
																								__rcx = __r12;
																								__rbx = __rax;
																								__eax = GetProcAddress(??, ??);
																								 *0x416010 = __rax;
																								__eflags = __rbx;
																								if(__rbx != 0) {
																									goto L6;
																								}
																							}
																							__rcx = 0x401610;
																							__rsp = __rsp + 0x28;
																							_pop(__rbx);
																							_pop(__rsi);
																							_pop(__r12);
																							_pop(__rbp);
																							L00409268();
																							return  ~((_t238 & 0xffffff00 | _t249 == 0x00000000) & 0x000000ff);
																						}
																					}
																				}
																			}
																		}
																	} else {
																		goto L35;
																	}
																}
															}
														}
													}
												} else {
													__eflags =  *(__rbp + 8);
													if( *(__rbp + 8) != 0) {
														goto L29;
													} else {
														_t25 = __rbp + 0x68; // 0x1000000390038
														__eax =  *_t25;
														__eflags = __eax - 1;
														if(__eax == 1) {
															_t169 = __rbp + 0x60; // 0x37003600350034
															__rax =  *_t169;
															__rax =  *((intOrPtr*)( *_t169));
															 *(__rbp + 8) = __rax;
															goto L29;
														} else {
															__eflags =  *((char*)(__rbp + 0x12));
															if( *((char*)(__rbp + 0x12)) == 0) {
																__eflags = __eax - 1;
																if(__eax <= 1) {
																	__rcx = L"For capture of non-delta WIM, \'--update-of\' must specify WIMFILE:IMAGE!";
																	__eax = E004024D0(L"For capture of non-delta WIM, \'--update-of\' must specify WIMFILE:IMAGE!", __rdx, __r8, __r9);
																} else {
																	__rcx = L"For capture of delta WIM based on multiple existing WIMs,\n      \'--update-of\' must specify WIMFILE:IMAGE!";
																	__eax = E004024D0(L"For capture of delta WIM based on multiple existing WIMs,\n      \'--update-of\' must specify WIMFILE:IMAGE!", __rdx, __r8, __r9);
																}
																goto L12;
															} else {
																_t27 = __rbp - 0x20; // 0x0
																__rax =  *_t27;
																 *(__rbp + 8) = __rax;
																goto L29;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = __eax - 0x3d;
							if(__eax > 0x3d) {
								goto L12;
							} else {
								__rax =  *((intOrPtr*)(__rbx + __rax * 4));
								goto __rax;
							}
						}
					} else {
						r15d = __eax;
						L13:
						free();
						free(??);
						return r15d;
					}
				}
				L187:
			}

0x00403da0
0x00403daf
0x00403db7
0x00404cc3
0x00000000
0x00403dbd
0x00403dbd
0x00403dc0
0x00403dc4
0x00403dc9
0x00403dcb
0x00403cf0
0x00403cf9
0x00403d00
0x00403d03
0x00403d05
0x00403d0c
0x00403d11
0x00403d14
0x00404110
0x00404117
0x0040411a
0x0040411c
0x00404120
0x00404123
0x00404126
0x00404129
0x00403d40
0x00403d40
0x00403d45
0x00403d4b
0x00403d51
0x00403d54
0x00403d57
0x00000000
0x0040412f
0x0040412f
0x00404133
0x00404137
0x0040413a
0x0040413e
0x00404777
0x0040477e
0x00404785
0x0040478b
0x0040478d
0x00404794
0x00404797
0x0040479a
0x0040479a
0x00404785
0x00404144
0x00404144
0x00404148
0x0040414f
0x00404154
0x00404156
0x00404442
0x00404445
0x00404448
0x0040444c
0x0040444f
0x0040445a
0x0040445a
0x00404462
0x00404464
0x00404469
0x0040446f
0x0040446f
0x00404476
0x0040447b
0x00404480
0x00404480
0x00404487
0x00000000
0x0040448d
0x0040448d
0x00404495
0x00000000
0x00404495
0x00404451
0x00404451
0x00404454
0x00404d12
0x00404d19
0x00404d1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00404454
0x0040415c
0x0040415c
0x0040415f
0x00404165
0x00404169
0x004048b4
0x004048b4
0x004048b8
0x004048b8
0x004048bc
0x004048c2
0x004048c4
0x00000000
0x004048ca
0x004048ca
0x004048d0
0x004048d3
0x00000000
0x004048d9
0x004048d9
0x004048de
0x00404c5a
0x00404c5a
0x00404c5c
0x00000000
0x00404c5e
0x00404c5e
0x00404c62
0x00000000
0x00404c62
0x004048e4
0x004048e4
0x004048e9
0x00404ca3
0x00404ca5
0x00000000
0x00404ca7
0x00404ca7
0x00404caf
0x00404cb3
0x00000000
0x00404cb3
0x004048ef
0x004048ef
0x004048ef
0x004048f3
0x004048f3
0x004048f7
0x004048fc
0x004048fe
0x00000000
0x00404904
0x00404904
0x00404906
0x00000000
0x0040490c
0x0040490c
0x00404910
0x00404918
0x0040491c
0x00000000
0x0040491c
0x00404906
0x004048fe
0x004048e9
0x004048de
0x004048d3
0x0040416f
0x0040416f
0x0040416f
0x00404171
0x00404d27
0x00404d2a
0x00404d2e
0x00404d2e
0x00000000
0x00404177
0x00404177
0x0040417a
0x00404c6b
0x00404c6b
0x00404c72
0x00404c78
0x00000000
0x00404180
0x00404180
0x00404184
0x00404188
0x00404188
0x0040418d
0x004041b4
0x004041b4
0x004041b8
0x00404869
0x0040486c
0x00404871
0x00404876
0x0040487a
0x0040487f
0x00404882
0x00404885
0x0040488a
0x0040488f
0x00404892
0x00404897
0x0040489b
0x00000000
0x004041be
0x004041be
0x004041c2
0x004041c6
0x004041ca
0x0040481b
0x0040481f
0x00404824
0x00404829
0x0040482d
0x00404832
0x00404839
0x0040483d
0x00404840
0x00404845
0x00404848
0x0040484d
0x0040484d
0x00404851
0x00404854
0x00404859
0x0040485c
0x0040485e
0x00000000
0x00404864
0x00000000
0x00404864
0x004041d0
0x004041d0
0x004041d0
0x004041d4
0x004041d4
0x004041d8
0x00404707
0x0040470b
0x00404712
0x00404716
0x0040471e
0x00404723
0x00404723
0x00404727
0x0040472c
0x00404730
0x00404735
0x00404739
0x00404742
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004041de
0x004041de
0x004041e2
0x004041e2
0x004041e6
0x004041f3
0x004041f3
0x004041f6
0x004041f9
0x004041ff
0x00404201
0x00404a73
0x00404a76
0x00404a7d
0x00000000
0x00404207
0x00404207
0x00404207
0x0040420e
0x00404215
0x00404218
0x0040421e
0x00404221
0x00404224
0x00404c09
0x00404c0c
0x00404c13
0x00000000
0x0040422a
0x0040422a
0x0040422d
0x00404232
0x00404236
0x0040423b
0x0040423e
0x00404241
0x00404ccd
0x00404cd0
0x00404cd3
0x00404cda
0x00404cdf
0x00404ce2
0x00000000
0x00404247
0x00404247
0x0040424a
0x0040424d
0x00404252
0x00404255
0x0040425a
0x0040425d
0x004049ad
0x004049b0
0x004049b3
0x004049ba
0x004049bf
0x004049c2
0x004049c7
0x004049ca
0x00000000
0x00404263
0x00404263
0x00404266
0x0040426b
0x0040426b
0x0040426f
0x00404272
0x00404275
0x0040427a
0x00000000
0x0040427a
0x0040425d
0x00404241
0x00404224
0x004041e8
0x004041e8
0x004041ed
0x00404a49
0x00404a4c
0x00404a51
0x00404a54
0x00404a57
0x00403e90
0x00403e90
0x00000000
0x00404a5d
0x00404a5d
0x00404a5d
0x00404a61
0x00404a61
0x00404a65
0x00404a6a
0x0040427e
0x0040427e
0x00404281
0x00000000
0x00404287
0x00404287
0x00404287
0x0040428b
0x0040428b
0x0040428f
0x00404293
0x00404293
0x00404297
0x0040429a
0x0040429e
0x004042a3
0x004042a6
0x004042a9
0x00404810
0x00404810
0x00000000
0x004042af
0x004042af
0x004042b4
0x004047ec
0x004047f1
0x004047f3
0x004047f8
0x004047fb
0x004047fe
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004042ba
0x004042ba
0x004042bd
0x004042c2
0x004042c5
0x004042c8
0x00404804
0x00404804
0x0040480b
0x00000000
0x004042ce
0x004042ce
0x004042ce
0x004042d2
0x004042d2
0x004042d6
0x004042d8
0x004042dc
0x004042e0
0x004042e4
0x004042e7
0x004042ea
0x004042f0
0x004042f0
0x004042f0
0x004042f4
0x004042f7
0x00000000
0x00000000
0x004042fd
0x00404300
0x00000000
0x00404306
0x00404306
0x0040431e
0x0040431e
0x00404323
0x00000000
0x00000000
0x00404310
0x00404314
0x00404314
0x00404318
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404318
0x00404325
0x00404328
0x0040432a
0x0040432d
0x00404331
0x00404337
0x00404337
0x0040433b
0x0040433e
0x00404343
0x00404345
0x00404690
0x00404690
0x00404695
0x00404695
0x00404699
0x0040469d
0x004046a1
0x004046a1
0x004046a5
0x004046a9
0x004046ad
0x004046b0
0x004046b4
0x004046b7
0x004046ba
0x004046bf
0x004046c1
0x004046e0
0x004046e0
0x004046e5
0x004046e8
0x004046eb
0x004046f0
0x004046f3
0x004047a2
0x004047a6
0x004047ab
0x004047ab
0x00000000
0x004046f9
0x004046f9
0x004046fc
0x00000000
0x004046fe
0x004046fe
0x004046fe
0x00000000
0x004046fe
0x004046fc
0x004046c3
0x004046c3
0x004046c3
0x004046c3
0x004046c7
0x004046cd
0x004046d0
0x00000000
0x004046d0
0x0040434b
0x0040434b
0x0040434b
0x0040434f
0x0040434f
0x00404353
0x00404356
0x00000000
0x00404358
0x00404358
0x0040435b
0x0040435b
0x0040435f
0x0040435f
0x00404363
0x00404363
0x00404367
0x00404748
0x00404748
0x00404748
0x0040474c
0x0040474c
0x0040474f
0x00404754
0x00404757
0x00404759
0x0040475f
0x0040475f
0x00404763
0x00404766
0x0040476d
0x00000000
0x0040476d
0x0040436d
0x0040436d
0x0040436d
0x0040436d
0x00404370
0x00404370
0x00404374
0x0040437d
0x00404384
0x00404384
0x00404388
0x0040438b
0x00404390
0x00404393
0x00404395
0x0040439b
0x0040439b
0x0040439e
0x004043a1
0x004047c1
0x004047c8
0x00000000
0x004047ce
0x004047ce
0x004047d2
0x00404b23
0x00404b23
0x00404b27
0x00404b27
0x00404b2b
0x00404b30
0x00404b30
0x00404b36
0x00404b36
0x004047d8
0x004047dc
0x004047e1
0x00000000
0x004047e7
0x00000000
0x004047e7
0x004047e1
0x00000000
0x004043a7
0x004043a7
0x004043a7
0x004043a7
0x004043ab
0x004043b0
0x004043b3
0x004043b5
0x004043bb
0x004043bb
0x004043bf
0x004043d8
0x004043d8
0x004043dc
0x004043f5
0x004043f5
0x004043f9
0x004043fb
0x004043ff
0x00404930
0x00404930
0x00404934
0x00404936
0x0040493b
0x00404942
0x00404945
0x0040494a
0x00404961
0x00404961
0x00404961
0x00404965
0x00404968
0x0040496d
0x0040496f
0x00000000
0x00000000
0x00404950
0x00404953
0x00404956
0x00404959
0x00404959
0x0040495c
0x0040495c
0x00404971
0x004043ff
0x00404405
0x00404405
0x00404408
0x0040440b
0x0040440d
0x004049d4
0x004049d6
0x004049db
0x004049e0
0x004049e3
0x004049e6
0x00404cec
0x00404cf3
0x00404cf7
0x00000000
0x004049ec
0x004049ec
0x004049ec
0x004049f0
0x004049f3
0x004049f5
0x00404a17
0x00404a17
0x00404a17
0x00404a1b
0x00404a1e
0x00404a21
0x00404a25
0x00404a2e
0x00404a33
0x00404a3a
0x00404a3c
0x00000000
0x00000000
0x00404a00
0x00404a00
0x00404a03
0x00404a07
0x00404a0b
0x00404a0e
0x00404a11
0x00404ada
0x00404ada
0x00404ade
0x00404ae1
0x00404ae4
0x00404ae9
0x00404aec
0x00404aee
0x00000000
0x00404af4
0x00404af4
0x00404af4
0x00404af8
0x00404aff
0x00404b03
0x00404c82
0x00404c85
0x00404c8b
0x00404c8b
0x00404c8f
0x00404c96
0x00404c99
0x00404c99
0x00404b09
0x00404b09
0x00404b0c
0x00404b12
0x00404b19
0x00404b19
0x00404b0c
0x00000000
0x00404b03
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a11
0x00404a3e
0x00404a3e
0x00404a41
0x00000000
0x00404a41
0x00000000
0x00404413
0x00404413
0x00404413
0x00404418
0x00404ad3
0x00404ad3
0x00000000
0x0040441e
0x0040441e
0x00404422
0x00404976
0x00404976
0x0040497a
0x0040497a
0x0040497e
0x00404983
0x00404985
0x00000000
0x0040498b
0x0040498b
0x0040498b
0x0040498f
0x00000000
0x0040498f
0x00404678
0x00404678
0x00404678
0x0040467c
0x00000000
0x00404428
0x00404428
0x00404428
0x00404428
0x0040442b
0x0040442b
0x0040442f
0x00404431
0x00404433
0x004044d0
0x004044d0
0x004044d0
0x004044d4
0x004044d7
0x004044df
0x004044e3
0x004044e8
0x004044ea
0x00000000
0x00000000
0x004044c0
0x004044c0
0x004044c3
0x004044c7
0x004044ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004044ca
0x004044ec
0x004044f0
0x00404439
0x00404439
0x00404439
0x00404439
0x00404439
0x00404433
0x004044f4
0x004044f4
0x004044f7
0x00404a87
0x00404a90
0x00404a90
0x00404a94
0x00404a94
0x00404a98
0x00404a9f
0x00404a9f
0x00404aa2
0x00404aa7
0x00404aa7
0x00404aab
0x00404aae
0x00404ab0
0x00000000
0x00404ab6
0x00000000
0x00404ab6
0x00000000
0x004044fd
0x004044fd
0x004044fd
0x004044fd
0x00404501
0x00404504
0x00404509
0x0040450d
0x0040450f
0x00404b3e
0x00404b3e
0x00404b42
0x00404b42
0x00404b46
0x00404b4b
0x00404b4b
0x00404b4f
0x00404b4f
0x00404b53
0x00404b59
0x00404b59
0x00404b5d
0x00404b60
0x00404b65
0x00404b67
0x00404b69
0x00404b6f
0x00404b6f
0x00404b75
0x00404b77
0x00404b7d
0x00404b7d
0x00404b81
0x00404b85
0x00404b8b
0x00404b8e
0x00404b91
0x00404b94
0x00404b96
0x00404b98
0x00404b98
0x00404b85
0x00404b77
0x00404b69
0x00404515
0x00404517
0x00404abb
0x00404abb
0x00404abf
0x00404abf
0x00404ac3
0x00404ac8
0x00404acb
0x00404acd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040451d
0x0040451d
0x00404520
0x00404c31
0x00404c38
0x00404c3e
0x00404526
0x00404526
0x00404526
0x00404526
0x0040452a
0x0040452f
0x00404532
0x00404535
0x00404535
0x00404539
0x00404539
0x0040453d
0x00404542
0x00404547
0x0040454a
0x0040454c
0x00404552
0x00404552
0x00404555
0x00404555
0x00404559
0x0040455b
0x00404bce
0x00404bce
0x00404bd2
0x00404bd7
0x00404bd7
0x00404bdb
0x00404bdb
0x00404bdf
0x00404be2
0x00404be2
0x00404be9
0x00404bee
0x00404bf1
0x00404bf3
0x00000000
0x00404bf9
0x00404bf9
0x00404bfe
0x00000000
0x00404c04
0x00000000
0x00404c04
0x00404bfe
0x00000000
0x00404561
0x00404561
0x00404566
0x004045d7
0x004045d7
0x004045db
0x00404c1d
0x00404c1d
0x00404c21
0x00404c21
0x00404c24
0x00404c29
0x004045e1
0x004045e1
0x004045e1
0x004045e4
0x004045e4
0x004045e8
0x004045ee
0x004045ee
0x004045f2
0x004045f6
0x004045f9
0x00404c48
0x00404c4d
0x00404c52
0x004045ff
0x004045ff
0x00404604
0x00404604
0x004045f9
0x00404568
0x00404568
0x00404568
0x0040456c
0x00404571
0x00404571
0x00404575
0x00404575
0x00404579
0x0040457c
0x0040457c
0x00404583
0x00404588
0x0040458b
0x0040458d
0x0040458f
0x0040458f
0x00404596
0x00404599
0x0040459b
0x0040459b
0x0040459f
0x004045a2
0x004045a9
0x004045a9
0x004045ae
0x004045b6
0x004045b6
0x004045ba
0x004045bd
0x004045bd
0x004045c3
0x004045c3
0x004045c7
0x004045cc
0x004045cf
0x004045d1
0x004045d3
0x004045d3
0x004045d3
0x00000000
0x004045d3
0x004045d1
0x0040458d
0x00404566
0x0040455b
0x0040454c
0x00404520
0x00404607
0x00404607
0x00404607
0x0040460b
0x0040460b
0x0040460f
0x00404612
0x00404612
0x00404616
0x004049a0
0x004049a0
0x004049a2
0x00000000
0x004049a8
0x00000000
0x004049a8
0x00000000
0x0040461c
0x0040461c
0x0040461f
0x00404998
0x00404998
0x0040499d
0x0040499d
0x0040499d
0x00000000
0x00404625
0x00404625
0x0040463d
0x0040463d
0x00404641
0x00000000
0x00000000
0x00404630
0x00404634
0x00404637
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404637
0x00404643
0x00404643
0x00404643
0x00404648
0x00404648
0x0040464c
0x00404650
0x00404655
0x00404655
0x00404658
0x00404658
0x00404648
0x0040461f
0x00404616
0x004044f7
0x0040465d
0x0040465d
0x00404660
0x00404660
0x004043de
0x004043de
0x004043de
0x004043e1
0x004043e1
0x004043e5
0x004043ea
0x004043ed
0x004043ef
0x00000000
0x00000000
0x004043ef
0x004043c1
0x004043c1
0x004043c1
0x004043c4
0x004043c4
0x004043c8
0x004043cd
0x004043d0
0x004043d2
0x00000000
0x00000000
0x004043d2
0x004043bf
0x004043b5
0x00404665
0x00404665
0x00404665
0x00404669
0x00404669
0x00404395
0x0040466e
0x0040466e
0x00404672
0x004047b4
0x004047b7
0x004047b7
0x00000000
0x00404672
0x00404356
0x00404345
0x00000000
0x00404300
0x004155dc
0x004155dc
0x004155e6
0x004155ee
0x00401560
0x00401561
0x00401563
0x00401565
0x00401569
0x00401571
0x00401578
0x0040157e
0x00401581
0x00401584
0x004015e0
0x004015e7
0x004015ee
0x004015f5
0x004015f5
0x004015fc
0x00401603
0x00401586
0x00401586
0x0040158d
0x00401593
0x0040159a
0x004015a1
0x004015a4
0x004015ab
0x004015ad
0x004015b4
0x004015b7
0x004015ba
0x004015bc
0x004015c3
0x004015c6
0x00000000
0x00000000
0x004015c6
0x004015c8
0x004015cf
0x004015d3
0x004015d4
0x004015d5
0x004015d7
0x00401524
0x00401538
0x00401538
0x004042c8
0x004042b4
0x004042a9
0x00404281
0x00000000
0x00000000
0x00000000
0x004041ed
0x004041e6
0x004041d8
0x004041ca
0x0040418f
0x0040418f
0x00404194
0x00000000
0x00404196
0x00404196
0x00404196
0x00404199
0x0040419c
0x004048a4
0x004048a4
0x004048a8
0x004048ab
0x00000000
0x004041a2
0x004041a2
0x004041a6
0x00403d2a
0x00403d2d
0x00404d01
0x00404d08
0x00403d33
0x00403d33
0x00403d3a
0x00403d3a
0x00000000
0x004041ac
0x004041ac
0x004041ac
0x004041b0
0x00000000
0x004041b0
0x004041a6
0x0040419c
0x00404194
0x0040418d
0x0040417a
0x00404171
0x00404169
0x00404156
0x00403d1a
0x00403d1a
0x00403d1d
0x00000000
0x00403d21
0x00403d21
0x00403d28
0x00403d28
0x00403d1d
0x00403dd1
0x00403dd1
0x00403d5c
0x00403d60
0x00403d69
0x00403d84
0x00403d84
0x00403dcb
0x00000000

APIs

free.MSVCRT ref: 00403D60
free.MSVCRT ref: 00403D69
wcschr.MSVCRT ref: 00403DAF

Strings

'--image-property' argument must be in the form NAME=VALUE, xrefs: 00404CBC

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: free$wcschr
String ID: '--image-property' argument must be in the form NAME=VALUE
API String ID: 2094429401-4034809873
Opcode ID: 0f00957e08ae017f9e250d606a1f86fbee5b939d1dc7ccd0474023052950550f
Instruction ID: b7d1c37603b2d14ab5405563699550f70b3991c380415c7c1b7503e45e54606c
Opcode Fuzzy Hash: 0f00957e08ae017f9e250d606a1f86fbee5b939d1dc7ccd0474023052950550f
Instruction Fuzzy Hash: 54019E7230094185EB11EF66EC4539A2354BB887A9F400537AE0DA73E5DE7CCA86C348

Uniqueness

Uniqueness Score: -1.00%

Function 00401C20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00401C20(void* __r12) {
				intOrPtr _t17;

				_t17 =  *0x424178;
				if(( *(__r12 + 0x14) & 0x00000001) != 0) {
					if(( *(__r12 + 0x18) & 0x00000002) == 0) {
						if(__rcx == 0) {
							L3:
							return 0;
						}
						r9d =  *((intOrPtr*)(__r12 + 0x10));
						__r8 =  *((intOrPtr*)(__r12 + 8));
						E00401650(__r8, __r9);
						__rcx =  *0x424178;
						if( *0x424178 == 0) {
							goto L3;
						}
						E00401650(__r8, __r9);
						__rcx =  *0x424178;
						goto L1;
					}
					if(__rcx == 0) {
						goto L3;
					}
					r9d =  *((intOrPtr*)(__r12 + 0x10));
					__r8 =  *((intOrPtr*)(__r12 + 8));
					E00401650( *((intOrPtr*)(__r12 + 8)), __r9);
					__rcx =  *0x424178;
				}
				L1:
				if(_t17 != 0) {
					fflush();
				}
				goto L3;
			}

0x00401c20
0x00401c2d
0x00401c39
0x00402293
0x00401981
0x0040198c
0x0040198c
0x00402299
0x0040229e
0x004022aa
0x004022af
0x004022b9
0x00000000
0x00000000
0x004022c6
0x004022cb
0x00000000
0x004022cb
0x00401c42
0x00000000
0x00000000
0x00401c48
0x00401c4d
0x00401c59
0x00401c5e
0x00401c5e
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00000000

APIs

fflush.MSVCRT ref: 0040197C

Strings

Committing changes to %ls (image %d), xrefs: 00401C52
Discarding changes to %ls (image %d), xrefs: 004022A3
(Use --commit to keep changes.), xrefs: 004022BF

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fflush
String ID: (Use --commit to keep changes.)$Committing changes to %ls (image %d)$Discarding changes to %ls (image %d)
API String ID: 497872470-1681448024
Opcode ID: 8e4f54ad10b1f1783fe56623f666cc3d9575b2b78e1c91064c3d65c601905043
Instruction ID: 920ca20d89fe4f8ce0235071e3a485c65bca952b064c3df7e5e3de6ceb77b080
Opcode Fuzzy Hash: 8e4f54ad10b1f1783fe56623f666cc3d9575b2b78e1c91064c3d65c601905043
Instruction Fuzzy Hash: 04012CF130560085EE09EB51E86DBB63760EB907C8F8904B79E0A266B1CB7CC881C348

Uniqueness

Uniqueness Score: -1.00%

Function 00409400 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0040943F
GetProcAddress.KERNEL32 ref: 0040944F

Strings

msvcrt.dll, xrefs: 00409438
_gmtime64_s, xrefs: 00409445

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _gmtime64_s$msvcrt.dll
API String ID: 1646373207-3395360201
Opcode ID: dc0ebcdafb1de981fea444f289583091972639fa4215578395139f56d6305665
Instruction ID: 71b2490c4265472d171e91919c5e165ceba20acad21f1f8bd95b671014d94e36
Opcode Fuzzy Hash: dc0ebcdafb1de981fea444f289583091972639fa4215578395139f56d6305665
Instruction Fuzzy Hash: 1FF012E4742B09A0ED09DB12FD453867365BB09BD4FC09426DE0D17325EA7CC5CAD308

Uniqueness

Uniqueness Score: -1.00%

Function 00409380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 004093BF
GetProcAddress.KERNEL32 ref: 004093CF

Strings

msvcrt.dll, xrefs: 004093B8
_gmtime64_s, xrefs: 004093C5

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _gmtime64_s$msvcrt.dll
API String ID: 1646373207-3395360201
Opcode ID: 7fff6f9f71eebbe1a458d55586438c8729f500e91ad07d5972697da02185eec1
Instruction ID: bba6a31db331a833b2f8d462eab442b0e034bbefee3e38b777b2c053f93052df
Opcode Fuzzy Hash: 7fff6f9f71eebbe1a458d55586438c8729f500e91ad07d5972697da02185eec1
Instruction Fuzzy Hash: A3F012E4742B09A0ED09DB12FD453867365B709BD4FC05426DE0D17325EA7CC5CAD348

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8B0 Relevance: 6.3, APIs: 4, Instructions: 318
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E0040D8B0(signed int __ecx, signed int __edx, void* __rax, unsigned long long __rdx, intOrPtr* __r8, void* __r9) {
				signed int _t82;
				void* _t83;
				void* _t85;
				signed int _t87;
				void* _t99;
				void* _t101;
				void* _t104;
				void* _t106;
				signed char _t109;
				short _t111;
				signed int _t114;
				signed int _t117;
				signed int _t119;
				signed long long _t146;
				intOrPtr* _t158;
				unsigned long long _t162;
				intOrPtr _t164;
				intOrPtr _t165;
				intOrPtr* _t167;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t182;
				intOrPtr* _t183;
				void* _t184;
				void* _t185;

				_t182 = __r9;
				_t162 = __rdx;
				_t144 = __rax;
				_t114 = __edx;
				_t170 = _t169 - 0x38;
				_t168 = _t170 + 0x80;
				r14d = __ecx;
				_t158 = __r8;
				if(__ecx == 0x6f) {
					r15d =  *(__r8 + 0x10);
					_t117 =  *(__r8 + 8);
					_t81 =  >=  ? r15d : 0;
					_t82 = ( >=  ? r15d : 0) + 0x18;
					if((_t117 & 0x00001000) != 0) {
						if( *((short*)(__r8 + 0x20)) == 0) {
							r13d =  *(__r8 + 0xc);
							_t83 =  <  ? r13d : _t82;
							L58:
							_t146 = _t144 + 0x0000000f & 0xfffffff0;
							_t85 = E0040A470(_t144);
							_t109 = 3;
							_t183 = _t170 - _t146 + 0x20;
							L59:
							r8d = 7;
							L3:
							_t167 = _t183;
							if(_t162 == 0) {
								L38:
								 *(_t158 + 8) = _t117 & 0xfffff7ff;
								if(r15d > 0) {
									L8:
									r8d = r15d;
									r8d = r8d - _t85;
									if(r8d <= 0) {
										L40:
										if(r14d == 0x6f) {
											if(( *(_t158 + 9) & 0x00000008) != 0) {
												 *_t167 = 0x30;
												_t167 = _t167 + 1;
											}
										}
										if(_t167 != _t183 || r15d == 0) {
											L10:
											if(_t85 < r13d) {
												goto L45;
											}
											goto L11;
										} else {
											L43:
											 *_t167 = 0x30;
											_t167 = _t167 + 1;
											if(_t85 >= r13d) {
												L11:
												 *(_t158 + 0xc) = 0xffffffff;
												if(r14d == 0x6f) {
													L54:
													r14d = 0xfffffffe;
													r13d = 0xffffffff;
													if(_t167 > _t183) {
														L17:
														_t119 =  *(_t158 + 8);
														L18:
														_t167 = _t167 - 1;
														if((_t119 & 0x00004000) != 0) {
															L20:
															_t111 =  *_t167;
															_t164 =  *_t158;
															if((_t119 & 0x00002000) == 0) {
																 *((short*)(_t164 +  *(_t158 + 0x24) * 2)) = _t111;
																L16:
																_t87 = _t87 + 1;
																 *(_t158 + 0x24) = _t87;
																if(_t167 <= _t183) {
																	L22:
																	if(r13d > 0) {
																		L27:
																		_t119 =  *(_t158 + 8);
																		L28:
																		if((_t119 & 0x00004000) != 0) {
																			L30:
																			_t165 =  *_t158;
																			if((_t119 & 0x00002000) == 0) {
																				r8d = 0x20;
																				 *((intOrPtr*)(_t165 +  *(_t158 + 0x24) * 2)) = r8w;
																				L25:
																				 *(_t158 + 0x24) = _t87 + 1;
																				_t87 = _t185 - 1;
																				if(r14d <= 0) {
																					L32:
																					return _t87;
																				}
																				L26:
																				r14d = _t87;
																				goto L27;
																			}
																			L004091F8();
																			 *(_t158 + 0x24) =  *(_t158 + 0x24) + 1;
																			_t87 = _t185 - 1;
																			if(r14d > 0) {
																				goto L26;
																			}
																			goto L32;
																		}
																		_t87 =  *(_t158 + 0x24);
																		if( *((intOrPtr*)(_t158 + 0x28)) <= _t87) {
																			goto L25;
																		}
																		goto L30;
																	}
																	goto L32;
																}
																goto L17;
															}
															L004091F8();
															_t87 =  *(_t158 + 0x24) + 1;
															 *(_t158 + 0x24) = _t87;
															if(_t167 > _t183) {
																goto L17;
															}
															goto L22;
														}
														_t87 =  *(_t158 + 0x24);
														if( *((intOrPtr*)(_t158 + 0x28)) <= _t87) {
															goto L16;
														}
														goto L20;
													}
													goto L32;
												}
												r13d = 0xffffffff;
												if(( *(_t158 + 9) & 0x00000008) != 0) {
													 *_t167 = r14b;
													_t167 = _t167 + 2;
													 *(_t167 - 1) = 0x30;
												}
												L13:
												if(_t183 >= _t167) {
													goto L32;
												}
												_t119 =  *(_t158 + 8);
												r14d = _t184 - 1;
												goto L18;
											}
											asm("o16 nop [eax+eax]");
											L45:
											r13d = r13d - _t85;
											_t119 =  *(_t158 + 8);
											 *(_t158 + 0xc) = r13d;
											if(r14d == 0x6f) {
												if(r15d < 0) {
													_t87 = _t119 & 0x00000600;
													if(_t87 != 0x200) {
														goto L63;
													}
													L75:
													r9d = _t184 - 1;
													r15d = _t182 + 1;
													 *(_t168 - 0x54) = r9d;
													_t167 = _t167 + r15d;
													_t87 = memset(??, ??, ??);
													r9d =  *(_t168 - 0x54);
													r9d = r9d - r13d;
													r13d = r9d;
													if(r14d == 0x6f || (_t119 & 0x00000800) == 0) {
														L50:
														if(r13d <= 0) {
															goto L13;
														}
														_t119 =  *(_t158 + 8);
														r14d = _t184 - 1;
														if((_t119 & 0x00000400) != 0) {
															L68:
															if(_t183 < _t167) {
																goto L18;
															}
															goto L28;
														}
														do {
															L53:
															E0040CDC0(0x20, _t158);
															_t87 = r14d;
															r14d = r14d - 1;
														} while (_t87 > 0);
														goto L54;
													} else {
														L49:
														 *_t167 = r14b;
														_t167 = _t167 + 2;
														 *(_t167 - 1) = 0x30;
														goto L50;
													}
												}
												L63:
												r14d = _t184 - 1;
												if((_t119 & 0x00000400) == 0) {
													goto L53;
												}
												if(_t167 > _t183) {
													goto L18;
												}
												goto L28;
											}
											if((_t119 & 0x00000800) == 0) {
												if(r15d < 0) {
													L78:
													_t87 = _t119 & 0x00000600;
													if(_t87 == 0x200) {
														goto L75;
													}
													if((_t119 & 0x00000800) != 0) {
														goto L49;
													}
												}
												r14d = _t184 - 1;
												if((_t119 & 0x00000400) == 0) {
													goto L53;
												}
												goto L68;
											}
											r13d = r13d - 2;
											if(r13d <= 0 || r15d >= 0) {
												goto L49;
											} else {
												goto L78;
											}
										}
									}
									_t167 = _t167 + r8d;
									_t85 = memset(??, ??, ??);
									if(_t167 == _t183) {
										goto L43;
									}
									goto L10;
								}
								asm("o16 nop [eax+eax]");
								goto L40;
							}
							L4:
							r9d = r14d;
							r9d = r9d & 0x00000020;
							asm("o16 nop [eax+eax]");
							do {
								_t167 = _t167 + 1;
								r10d = _t146 + 0x30;
								r11d = r10d;
								_t85 =  <  ? r11d : (r8d & _t114) + 0x00000037 | r9d;
								_t162 = _t162 >> _t109;
								 *(_t167 - 1) = _t85;
							} while (_t162 != 0);
							if(_t167 == _t183) {
								goto L38;
							}
							if(r15d <= 0) {
								goto L40;
							}
							goto L8;
						}
						_t109 = 3;
						L34:
						r8d = _t82;
						r9d = 0xaaaaaaab;
						r13d =  *(_t158 + 0xc);
						_t99 =  <  ? r13d : _t82 + r8d;
						_t146 = _t144 + 0x0000000f & 0xfffffff0;
						_t85 = E0040A470(_t144);
						_t183 = _t170 - _t146 + 0x20;
						if(r14d == 0x6f) {
							goto L59;
						}
						r8d = 0xf;
						L36:
						_t167 = _t183;
						if(_t162 != 0) {
							goto L4;
						}
						goto L38;
					}
					r13d =  *(__r8 + 0xc);
					_t101 =  >=  ? r13d : _t82;
					goto L58;
				}
				r15d =  *(__r8 + 0x10);
				_t117 =  *(__r8 + 8);
				_t103 =  >=  ? r15d : 0;
				_t82 = ( >=  ? r15d : 0) + 0x12;
				if((_t117 & 0x00001000) != 0) {
					_t109 = 4;
					if( *((short*)(__r8 + 0x20)) == 0) {
						r13d =  *(__r8 + 0xc);
						_t104 =  <  ? r13d : _t82;
						_t146 = __rax + 0x0000000f & 0xfffffff0;
						_t85 = E0040A470(__rax);
						r8d = 0xf;
						_t183 = _t170 - _t146 + 0x20;
						goto L36;
					}
					goto L34;
				} else {
					r13d =  *(__r8 + 0xc);
					_t106 =  >=  ? r13d : _t82;
					_t146 = __rax + 0x0000000f & 0xfffffff0;
					_t85 = E0040A470(__rax);
					_t109 = 4;
					r8d = 0xf;
					_t183 = _t170 - _t146 + 0x20;
					goto L3;
				}
			}

0x0040d8b0
0x0040d8b0
0x0040d8b0
0x0040d8b0
0x0040d8bc
0x0040d8c0
0x0040d8c8
0x0040d8cb
0x0040d8d1
0x0040dc20
0x0040dc29
0x0040dc30
0x0040dc34
0x0040dc3d
0x0040dcf6
0x0040ddcf
0x0040ddd6
0x0040dc4e
0x0040dc54
0x0040dc58
0x0040dc5d
0x0040dc65
0x0040dc6a
0x0040dc6a
0x0040d927
0x0040d927
0x0040d92d
0x0040db38
0x0040db3e
0x0040db44
0x0040d97b
0x0040d97e
0x0040d984
0x0040d98a
0x0040db50
0x0040db54
0x0040dc7c
0x0040dc82
0x0040dc85
0x0040dc85
0x0040dc7c
0x0040db5d
0x0040d9af
0x0040d9b8
0x00000000
0x00000000
0x00000000
0x0040db6c
0x0040db6c
0x0040db6c
0x0040db6f
0x0040db7c
0x0040d9be
0x0040d9be
0x0040d9c9
0x0040dc00
0x0040dc00
0x0040dc06
0x0040dc0f
0x0040da0f
0x0040da0f
0x0040da12
0x0040da12
0x0040da1c
0x0040da26
0x0040da2c
0x0040da2f
0x0040da32
0x0040d9fc
0x0040da04
0x0040da04
0x0040da07
0x0040da0d
0x0040da4a
0x0040da4d
0x0040da7c
0x0040da7c
0x0040da7f
0x0040da85
0x0040da8f
0x0040da95
0x0040da98
0x0040da5c
0x0040da62
0x0040da6a
0x0040da6d
0x0040da70
0x0040da77
0x0040dab6
0x0040dac6
0x0040dac6
0x0040da79
0x0040da79
0x00000000
0x0040da79
0x0040da9f
0x0040daaa
0x0040daad
0x0040dab4
0x00000000
0x00000000
0x00000000
0x0040dab4
0x0040da87
0x0040da8d
0x00000000
0x00000000
0x00000000
0x0040da8d
0x00000000
0x0040da4f
0x00000000
0x0040da0d
0x0040da37
0x0040da3f
0x0040da42
0x0040da48
0x00000000
0x00000000
0x00000000
0x0040da48
0x0040da1e
0x0040da24
0x00000000
0x00000000
0x00000000
0x0040da24
0x00000000
0x0040dc15
0x0040d9cf
0x0040d9d9
0x0040dd40
0x0040dd43
0x0040dd47
0x0040dd47
0x0040d9df
0x0040d9e2
0x00000000
0x00000000
0x0040d9e8
0x0040d9eb
0x00000000
0x0040d9eb
0x0040db82
0x0040db88
0x0040db88
0x0040db8b
0x0040db8e
0x0040db96
0x0040dc93
0x0040dd52
0x0040dd5c
0x00000000
0x00000000
0x0040dd62
0x0040dd62
0x0040dd6e
0x0040dd72
0x0040dd7c
0x0040dd7f
0x0040dd84
0x0040dd88
0x0040dd8b
0x0040dd92
0x0040dbc5
0x0040dbc8
0x00000000
0x00000000
0x0040dbce
0x0040dbd1
0x0040dbdb
0x0040dcd9
0x0040dcdc
0x00000000
0x00000000
0x00000000
0x0040dce2
0x0040dbe8
0x0040dbe8
0x0040dbf0
0x0040dbf5
0x0040dbf8
0x0040dbfc
0x00000000
0x0040dda4
0x0040dbba
0x0040dbba
0x0040dbbd
0x0040dbc1
0x00000000
0x0040dbc1
0x0040dd92
0x0040dc99
0x0040dc99
0x0040dca3
0x00000000
0x00000000
0x0040dcac
0x00000000
0x00000000
0x00000000
0x0040dcb2
0x0040dba2
0x0040dcc3
0x0040ddb0
0x0040ddb2
0x0040ddbc
0x00000000
0x00000000
0x0040ddc4
0x00000000
0x00000000
0x0040ddca
0x0040dcc9
0x0040dcd3
0x00000000
0x00000000
0x00000000
0x0040dcd3
0x0040dba8
0x0040dbaf
0x00000000
0x00000000
0x00000000
0x00000000
0x0040dbaf
0x0040db5d
0x0040d99e
0x0040d9a1
0x0040d9a9
0x00000000
0x00000000
0x00000000
0x0040d9a9
0x0040db4a
0x00000000
0x0040db4a
0x0040d933
0x0040d933
0x0040d936
0x0040d93a
0x0040d940
0x0040d943
0x0040d949
0x0040d953
0x0040d95a
0x0040d95e
0x0040d961
0x0040d964
0x0040d96c
0x00000000
0x00000000
0x0040d975
0x00000000
0x00000000
0x00000000
0x0040d975
0x0040dcfc
0x0040dae1
0x0040dae1
0x0040dae4
0x0040daea
0x0040dafc
0x0040db06
0x0040db0a
0x0040db12
0x0040db1b
0x00000000
0x00000000
0x0040db21
0x0040db27
0x0040db27
0x0040db2d
0x00000000
0x00000000
0x00000000
0x0040db2d
0x0040dc43
0x0040dc4a
0x00000000
0x0040dc4a
0x0040d8d7
0x0040d8e0
0x0040d8e7
0x0040d8eb
0x0040d8f4
0x0040dad6
0x0040dadb
0x0040dd10
0x0040dd17
0x0040dd21
0x0040dd25
0x0040dd2a
0x0040dd33
0x00000000
0x0040dd33
0x00000000
0x0040d8fa
0x0040d8fa
0x0040d901
0x0040d90b
0x0040d90f
0x0040d914
0x0040d919
0x0040d922
0x00000000
0x0040d922

APIs

memset.MSVCRT ref: 0040D9A1
fputwc.MSVCRT ref: 0040DA37

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fputwcmemset
String ID:
API String ID: 3604838441-0
Opcode ID: 2dca4f9da45ed04844e5f96588ad490fc4f9fe9f8a621186bfa4a36d3396afe8
Instruction ID: 5d679ac041b2d015425151fa7c2666fcf80eed7a8682a3c1c87c8ba2ca36920a
Opcode Fuzzy Hash: 2dca4f9da45ed04844e5f96588ad490fc4f9fe9f8a621186bfa4a36d3396afe8
Instruction Fuzzy Hash: 39B1F8B7F1428046D7249F69C00436B3AA1BB44B6CF294227DE5A7B7C5C23DDD4AC749

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040ADD1
fputc.MSVCRT ref: 0040AE62

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fputcmemset
String ID:
API String ID: 947785774-0
Opcode ID: aca019a02637ece2b20ad70e7a6a0f199abbda3e7909984d6697d277fe2b2917
Instruction ID: f1292abd09014f1ee4cb0f9446d06b7e0be6628cd6956981d4e47bb0d337fd5f
Opcode Fuzzy Hash: aca019a02637ece2b20ad70e7a6a0f199abbda3e7909984d6697d277fe2b2917
Instruction Fuzzy Hash: 41B1D5B371038046D7219B29C00476F3AA1F754BACF298226DE696B7C5C33DDD56C78A

Uniqueness

Uniqueness Score: -1.00%

Function 042E1228 Relevance: 6.3, APIs: 4, Instructions: 261COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 042E1269
_invalid_parameter_noinfo.LIBCMT ref: 042E12E9
_invalid_parameter_noinfo.LIBCMT ref: 042E133D
_get_daylight.LIBCMT ref: 042E1395

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 87a569f0fa6007840772e124cd826e80d107d2790002830bb39cc444fd406606
Instruction ID: a67c1771cc13737d33dacf43a9ba0deb95d9285ef7c25ff515b3db037ae7c7bc
Opcode Fuzzy Hash: 87a569f0fa6007840772e124cd826e80d107d2790002830bb39cc444fd406606
Instruction Fuzzy Hash: 36714A317346068BEB289E2FC84437AB791FB45314F98453DD8A6CB2D6E774E860C342

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDE0 Relevance: 6.2, APIs: 4, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc6feb7fe04ea989e8fcd2158f801aa4f843536839c595c0aba5afa4381fec7
Instruction ID: 46dce538465e99bac77914c0914078a4b6980a48908e3e86e8cdf8fdbd915579
Opcode Fuzzy Hash: 6dc6feb7fe04ea989e8fcd2158f801aa4f843536839c595c0aba5afa4381fec7
Instruction Fuzzy Hash: 5581EF73F106A686D7248F6AC40476A3BA1F744B98F59C626DE096B3C9C33CD84AC749

Uniqueness

Uniqueness Score: -1.00%

Function 0040B200 Relevance: 6.2, APIs: 4, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47da5739ac3a8c85d87c053138458dba7af4b078d55216447f2a9a1c33c3308d
Instruction ID: 4168a1c11c9bf874992cf24d1742127d390db73f518ce36853a0eb5210f5681c
Opcode Fuzzy Hash: 47da5739ac3a8c85d87c053138458dba7af4b078d55216447f2a9a1c33c3308d
Instruction Fuzzy Hash: 5981C073B116958AD7258F29C40572F3BA1F745BA8F698226CE086B3C9D33CD842C78D

Uniqueness

Uniqueness Score: -1.00%

Function 042B3F60 Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 042B40BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B4134
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 042B413A
__std_exception_copy.LIBVCRUNTIME ref: 042B4168

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: __std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1109970293-0
Opcode ID: 2ddde359a4c76f64a287a0466cb481edb4d8d4c56d2aca505f6527ea16d1a565
Instruction ID: 1ddc0134890d8ef05276e55995aae88408cc6f4cd635f60e4b82dfc7cc8e8165
Opcode Fuzzy Hash: 2ddde359a4c76f64a287a0466cb481edb4d8d4c56d2aca505f6527ea16d1a565
Instruction Fuzzy Hash: 7C719D30624E0C8FEB49EF2CC588BA9B3E1FF69304F50865AA44AD7255EB75E584C780

Uniqueness

Uniqueness Score: -1.00%

Function 00414EF0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00414F4A
MultiByteToWideChar.KERNEL32 ref: 00414F8A

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 87632f0c763a38967d88bcb118b997cd977141d194ba9a95af8727dc9ae16e66
Instruction ID: df6f895952ddbc0c4fcb260adda5a10ba60424968cf48acdc198f42db56f52dd
Opcode Fuzzy Hash: 87632f0c763a38967d88bcb118b997cd977141d194ba9a95af8727dc9ae16e66
Instruction Fuzzy Hash: 4831C4B2308680CAD3218F68F4107DE7AA0F7D5798F948216EA9887BD5DB3DC5C6CB05

Uniqueness

Uniqueness Score: -1.00%

Function 042D4700 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 042D473B
_invalid_parameter_noinfo.LIBCMT ref: 042D490A

Strings

, xrefs: 042D4887

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-3916222277
Opcode ID: 42607ea121f4b8465da573385795880991e12f7badba955f0a3b6c699c5e8b2a
Instruction ID: 2684b69b828a02f2a06de315b8adf9fc470ab4874e6668fb7aa9ca67ed19b9a7
Opcode Fuzzy Hash: 42607ea121f4b8465da573385795880991e12f7badba955f0a3b6c699c5e8b2a
Instruction Fuzzy Hash: 3951BF707386958FDF59EF18C8D81643BA5FB4A344B5412BECC46CB25AD371E482DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 183
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00409970(int __eax, int __ebx, int __ecx, signed long long __rax, void* __rbx, signed long long __rdx, void* __rdi, signed short* __rsi, void* __r9, void* __r12, intOrPtr __r13, signed long long __r14, intOrPtr __r15) {
				int _t22;
				void* _t26;
				int _t33;
				int _t35;
				int _t37;
				signed int _t39;
				intOrPtr _t43;
				signed long long _t47;
				intOrPtr* _t53;
				long long* _t56;
				int* _t58;
				signed long long _t70;
				signed short* _t79;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t89;
				void* _t94;
				intOrPtr _t97;
				intOrPtr _t104;
				signed short _t108;

				_t105 = __r15;
				_t102 = __r14;
				_t100 = __r13;
				_t94 = __r9;
				_t79 = __rsi;
				_t77 = __rdi;
				_t70 = __rdx;
				_t47 = __rax;
				_t35 = __ecx;
				_t33 = __ebx;
				_t22 = __eax;
				_push(__r15);
				_push(__r14);
				_push(__r13);
				_push(__r12);
				_push(__rdi);
				_push(__rsi);
				_push(__rbx);
				_t86 = _t85 - 0x38;
				_t43 =  *0x424230;
				if(_t43 == 0) {
					 *0x424230 = 1;
					E0040A230();
					_t22 = E0040A470(_t47);
					_t97 =  *0x41ffd0; // 0x4208f0
					_t58 =  *0x41ffe0; // 0x4208f0
					 *0x424234 = 0;
					_t87 = _t86 - (0x0000000f + (_t47 + _t47 * 0x00000004) * 0x00000008 & 0xfffffff0);
					 *0x424238 = _t87 + 0x20;
					_t53 = _t97 - _t58;
					__eflags = _t53 - 7;
					if(_t53 <= 7) {
						goto L1;
					} else {
						_t37 =  *_t58;
						__eflags = _t53 - 0xb;
						if(_t53 > 0xb) {
							__eflags = _t37;
							if(_t37 != 0) {
								goto L30;
							} else {
								_t15 =  &(_t58[1]); // 0x0
								_t22 =  *_t15;
								_t16 =  &(_t58[2]); // 0x0
								_t35 = _t22 |  *_t16;
								__eflags = _t35;
								if(_t35 != 0) {
									goto L6;
								} else {
									_t17 =  &(_t58[3]); // 0x0
									_t37 =  *_t17;
									_t58 =  &(_t58[3]);
									goto L4;
								}
							}
						} else {
							L4:
							__eflags = _t37;
							if(_t37 != 0) {
								L30:
								__eflags = _t58 - _t97;
								if(_t58 < _t97) {
									_t104 =  *0x420020; // 0x400000
									do {
										r13d =  *_t58;
										_t58 =  &(_t58[2]);
										_t79 = _t79 + _t104;
										r13d = r13d +  *_t79;
										E00409800(_t33, _t58, _t79, _t77, _t79, _t97, _t100, _t104, _t105);
										 *_t79 = r13d;
										__eflags = _t58 - _t97;
									} while (_t58 < _t97);
									goto L18;
								}
								goto L1;
							} else {
								_t8 =  &(_t58[1]); // 0x0
								_t22 =  *_t8;
								L6:
								__eflags = _t22;
								if(_t22 != 0) {
									goto L30;
								} else {
									_t9 =  &(_t58[2]); // 0x0
									__eflags =  *_t9 - 1;
									if(__eflags != 0) {
										L35:
										_t26 = E00409790(_t33, __eflags, _t58, "  Unknown pseudo relocation protocol version %d.\n", _t70, _t77, _t79, _t91, _t94, _t97, _t100, _t102, _t105);
										_t89 = _t87 - 0x58;
										_t56 =  *0x424240;
										__eflags = _t56;
										if(_t56 != 0) {
											asm("movsd xmm0, [esp+0x80]");
											 *(_t89 + 0x20) = _t35;
											 *(_t89 + 0x28) = _t70;
											asm("movsd [esp+0x30], xmm2");
											asm("movsd [esp+0x38], xmm3");
											asm("movsd [esp+0x40], xmm0");
											_t26 =  *_t56();
										}
										return _t26;
									} else {
										_t58 =  &(_t58[3]);
										__eflags = _t58 - _t97;
										if(_t58 < _t97) {
											_t100 =  *0x420020; // 0x400000
											_t102 = 0;
											goto L12;
											do {
												while(1) {
													L12:
													_t11 =  &(_t58[2]); // 0x30
													_t39 =  *_t11 & 0x000000ff;
													_t53 = _t53 + _t100;
													_t79 = _t79 + _t100;
													_t105 =  *_t53;
													__eflags = _t39 - 0x20;
													if(__eflags == 0) {
														break;
													}
													if(__eflags > 0) {
														__eflags = _t39 - 0x40;
														if(__eflags != 0) {
															goto L34;
														} else {
															_t70 =  *_t79 - _t53;
															_t108 = _t105 + _t70;
															E00409800(_t33, _t58, _t79, _t77, _t79, _t97, _t100, _t102, _t108);
															 *_t79 = _t108;
															goto L11;
														}
													} else {
														__eflags = _t39 - 8;
														if(_t39 == 8) {
															_t91 = _t70 | 0xffffff00;
															__eflags =  *_t79 & 0x000000ff;
															_t75 =  <  ? _t70 | 0xffffff00 : _t70;
															_t70 = ( <  ? _t70 | 0xffffff00 : _t70) - _t53;
															__eflags = _t105 + _t70;
															E00409800(_t33, _t58, _t79, _t77, _t79, _t97, _t100, _t102, _t105 + _t70);
															 *_t79 = r15b;
															goto L11;
														} else {
															__eflags = _t39 - 0x10;
															if(__eflags != 0) {
																L34:
																E00409790(_t33, __eflags, _t58, "  Unknown pseudo relocation bit size %d.\n", _t70, _t77, _t79, _t91, _t94, _t97, _t100, _t102, _t105);
																goto L35;
															} else {
																_t91 = _t70 | 0xffff0000;
																__eflags =  *_t79 & 0x0000ffff;
																_t76 =  <  ? _t70 | 0xffff0000 : _t70;
																_t58 =  &(_t58[3]);
																_t70 = ( <  ? _t70 | 0xffff0000 : _t70) - _t53;
																E00409800(_t33, _t58, _t79, _t77, _t79, _t97, _t100, _t102, _t105 + _t70);
																 *_t79 = r15w;
																__eflags = _t58 - _t97;
																if(_t58 < _t97) {
																	continue;
																} else {
																	goto L18;
																}
															}
														}
													}
													goto L38;
												}
												__eflags = _t35;
												_t73 =  >=  ? _t70 : _t70 | _t102;
												_t70 = ( >=  ? _t70 : _t70 | _t102) - _t53;
												E00409800(_t33, _t58, _t79, _t77, _t79, _t97, _t100, _t102, _t105 + _t70);
												 *_t79 = r15d;
												L11:
												_t58 =  &(_t58[3]);
												__eflags = _t58 - _t97;
											} while (_t58 < _t97);
											L18:
											_t22 =  *0x424234;
											__eflags = _t22;
											if(_t22 > 0) {
												__eflags = 0;
												do {
													r8d =  *( *0x424238 + _t58);
													__eflags = r8d;
													if(r8d != 0) {
														_t22 = VirtualProtect();
													}
													_t43 = _t43 + 1;
													_t58 =  &(_t58[0xa]);
													__eflags = _t43 -  *0x424234;
												} while (_t43 <  *0x424234);
											}
										}
										goto L1;
									}
								}
							}
						}
					}
				} else {
					L1:
					return _t22;
				}
				L38:
			}

0x00409970
0x00409970
0x00409970
0x00409970
0x00409970
0x00409970
0x00409970
0x00409970
0x00409970
0x00409970
0x00409970
0x00409971
0x00409973
0x00409975
0x00409977
0x00409979
0x0040997a
0x0040997b
0x0040997c
0x00409988
0x00409990
0x004099a8
0x004099b2
0x004099c9
0x004099ce
0x004099d5
0x004099dc
0x004099e6
0x004099ee
0x004099f8
0x004099fb
0x004099ff
0x00000000
0x00409a01
0x00409a01
0x00409a03
0x00409a07
0x00409b38
0x00409b3a
0x00000000
0x00409b3c
0x00409b3c
0x00409b3c
0x00409b41
0x00409b41
0x00409b41
0x00409b44
0x00000000
0x00409b4a
0x00409b4a
0x00409b4a
0x00409b4d
0x00000000
0x00409b4d
0x00409b44
0x00409a0d
0x00409a0d
0x00409a0d
0x00409a0f
0x00409bb0
0x00409bb0
0x00409bb3
0x00409bb9
0x00409bc0
0x00409bc3
0x00409bc6
0x00409bca
0x00409bcd
0x00409bd3
0x00409bd8
0x00409bdb
0x00409bdb
0x00000000
0x00409be0
0x00000000
0x00409a15
0x00409a15
0x00409a15
0x00409a18
0x00409a18
0x00409a1a
0x00000000
0x00409a20
0x00409a20
0x00409a23
0x00409a26
0x00409bf1
0x00409bf8
0x00409c00
0x00409c04
0x00409c0b
0x00409c0e
0x00409c10
0x00409c19
0x00409c22
0x00409c27
0x00409c2d
0x00409c33
0x00409c39
0x00409c39
0x00409c40
0x00409a2c
0x00409a2c
0x00409a30
0x00409a33
0x00409a39
0x00409a40
0x00409a4a
0x00409a7d
0x00409a7d
0x00409a7d
0x00409a82
0x00409a82
0x00409a86
0x00409a89
0x00409a8c
0x00409a8f
0x00409a92
0x00000000
0x00000000
0x00409a98
0x00409b60
0x00409b63
0x00000000
0x00409b69
0x00409b6f
0x00409b72
0x00409b75
0x00409b7a
0x00000000
0x00409b7a
0x00409a9e
0x00409a9e
0x00409aa1
0x00409a59
0x00409a60
0x00409a62
0x00409a66
0x00409a69
0x00409a6c
0x00409a71
0x00000000
0x00409aa3
0x00409aa3
0x00409aa6
0x00409be5
0x00409bec
0x00000000
0x00409aac
0x00409ab5
0x00409abc
0x00409abf
0x00409ac3
0x00409ac7
0x00409acd
0x00409ad2
0x00409ad6
0x00409ad9
0x00000000
0x00000000
0x00000000
0x00000000
0x00409ad9
0x00409aa6
0x00409aa1
0x00000000
0x00409a98
0x00409b90
0x00409b92
0x00409b99
0x00409b9f
0x00409ba4
0x00409a74
0x00409a74
0x00409a78
0x00409a78
0x00409ae0
0x00409ae0
0x00409ae6
0x00409ae8
0x00409af5
0x00409b00
0x00409b0a
0x00409b0d
0x00409b10
0x00409b1d
0x00409b1d
0x00409b1f
0x00409b22
0x00409b26
0x00409b26
0x00409b2e
0x00409ae8
0x00000000
0x00409a33
0x00409a26
0x00409a1a
0x00409a0f
0x00409a07
0x00409992
0x00409992
0x004099a2
0x004099a2
0x00000000

APIs

VirtualProtect.KERNEL32(004241D8,00007FFC400D3CA0,?,?,?,00000001,00401261), ref: 00409B1D

Strings

Unknown pseudo relocation bit size %d., xrefs: 00409BE5
Unknown pseudo relocation protocol version %d., xrefs: 00409BF1

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 99edb8779e21182a023743e8fa0a0713b2a565dac6949b17c5e0ca7b91b2fc43
Instruction ID: 6b657599dc8a9262150217a7cd1582a390bfbe104cda5ee65c6d69ee2a94dc9d
Opcode Fuzzy Hash: 99edb8779e21182a023743e8fa0a0713b2a565dac6949b17c5e0ca7b91b2fc43
Instruction Fuzzy Hash: 0061F9B671064086DB109F25F84036EB771F79A7A4F54C226EE59273DADB3CC841C718

Uniqueness

Uniqueness Score: -1.00%

Function 042D44EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 042D4519
_invalid_parameter_noinfo.LIBCMT ref: 042D454C

Strings

, xrefs: 042D469A

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-3916222277
Opcode ID: 02b0828145c19fb40d0812e79b14cc2a1aae0b86c4faaee812754153f4eeb9e2
Instruction ID: 11a4152fd6f1c649975f31de8b0ee312a7b67e1d40f0bae993bede9d80c10478
Opcode Fuzzy Hash: 02b0828145c19fb40d0812e79b14cc2a1aae0b86c4faaee812754153f4eeb9e2
Instruction Fuzzy Hash: B5519C303386468FDF58EF28C8C83653BA1FB15319F84129ACC478A2AAD371E585CF81

Uniqueness

Uniqueness Score: -1.00%

Function 042E37FC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 042E382C

Strings

., xrefs: 042E3888
:., xrefs: 042E3879

Memory Dump Source

Source File: 00000001.00000002.643501483.00000000042B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 042B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_42b1000_zlogger.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: .$:.
API String ID: 3215553584-2811378331
Opcode ID: 1ea4800d8b44ef1669b90b623a200da13e8714a78d6dac0b46a84644a872e05c
Instruction ID: c55e4c6e364a54ec9ef064a8339322c7211c365bb4b30f27d302945e03caa34d
Opcode Fuzzy Hash: 1ea4800d8b44ef1669b90b623a200da13e8714a78d6dac0b46a84644a872e05c
Instruction Fuzzy Hash: 5041A130B38B9E9EEB55EFAAC8416BD7BA0FF48605F80016E9C45D3201E770A84187D2

Uniqueness

Uniqueness Score: -1.00%

Function 00402670 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402670(signed int __eax, signed short** __rcx, long long* __rdx, signed short** __r8) {
				signed int _t3;
				intOrPtr _t17;
				signed short* _t20;
				intOrPtr _t23;
				long long* _t27;
				signed short** _t28;
				signed short** _t29;
				void* _t31;
				signed short* _t32;
				signed short* _t33;
				signed short* _t34;

				_t30 = __r8;
				_t3 = __eax;
				_t17 =  *((intOrPtr*)(__rdx));
				_t32 =  *((intOrPtr*)(__rcx));
				_t28 = __rcx;
				_t27 = __rdx;
				_t29 = __r8;
				if(_t17 == 0) {
					L5:
					r12d = 2;
				} else {
					asm("o16 nop [eax+eax]");
					do {
						L004091D0();
						r12d = _t3;
						if(_t3 != 0) {
							goto L4;
						} else {
							_t3 =  *_t32 & 0x0000ffff;
							if(_t3 != 0) {
								if(_t3 == 0x22) {
									L9:
									_t17 = _t17 - 1;
									if(_t17 == 0) {
										L18:
										r12d = 1;
										E004024D0(L"Missing closing quote: %ls", _t32, _t30, _t31);
									} else {
										_t20 =  &(_t32[1]);
										_t23 = _t17;
										_t33 = _t20;
										while(_t3 !=  *_t33) {
											_t33 =  &(_t33[1]);
											_t23 = _t23 - 1;
											if(_t23 == 0) {
												goto L18;
											} else {
												continue;
											}
											goto L6;
										}
										_t32 = _t20;
										goto L14;
									}
								} else {
									_t34 = _t32;
									if(_t3 != 0x27) {
										while(1) {
											_t33 =  &(_t34[1]);
											L004091D0();
											if(_t3 != 0) {
												break;
											}
											if( *_t33 != 0) {
												continue;
											}
											L14:
											 *_t33 = 0;
											 *_t27 = _t17 - (_t33 - _t32 >> 1);
											 *_t28 = _t33;
											 *_t29 = _t32;
											goto L6;
										}
										goto L14;
									} else {
										goto L9;
									}
								}
							} else {
								goto L4;
							}
						}
						goto L6;
						L4:
						_t32 =  &(_t32[1]);
						_t17 = _t17 - 1;
					} while (_t17 != 0);
					goto L5;
				}
				L6:
				return r12d;
			}

0x00402670
0x00402670
0x0040267e
0x00402681
0x00402684
0x00402687
0x0040268a
0x00402690
0x004026c2
0x004026c2
0x00402692
0x00402692
0x00402698
0x004026a2
0x004026a7
0x004026ac
0x00000000
0x004026ae
0x004026ae
0x004026b6
0x004026e4
0x004026ef
0x004026ef
0x004026f3
0x00402760
0x0040276a
0x00402770
0x004026f5
0x004026f5
0x004026f9
0x004026fc
0x00402712
0x00402708
0x0040270c
0x00402710
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402710
0x00402718
0x00000000
0x00402718
0x004026e6
0x004026e6
0x004026ed
0x00402747
0x00402751
0x00402755
0x0040275c
0x00000000
0x00000000
0x00402745
0x00000000
0x00000000
0x0040271b
0x00402723
0x00402730
0x00402733
0x00402736
0x00000000
0x00402736
0x00000000
0x00000000
0x00000000
0x00000000
0x004026ed
0x00000000
0x00000000
0x00000000
0x004026b6
0x00000000
0x004026b8
0x004026b8
0x004026bc
0x004026bc
0x00000000
0x00402698
0x004026c8
0x004026d9

APIs

iswctype.MSVCRT ref: 004026A2

Strings

Missing closing quote: %ls, xrefs: 00402763

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: iswctype
String ID: Missing closing quote: %ls
API String ID: 304682654-2461220523
Opcode ID: 64194693ac4a1278ce873fc46642fd242d127058a8a79400a1bd1b68cd11b839
Instruction ID: 817ebb28f0835e74eb2a51d629620d6249634de0d8582994a730f412881b0e7d
Opcode Fuzzy Hash: 64194693ac4a1278ce873fc46642fd242d127058a8a79400a1bd1b68cd11b839
Instruction Fuzzy Hash: D121E77632155181DB25AF269E0C67B6614B718BC8F98C033DE49677D0F6FDC882C309

Uniqueness

Uniqueness Score: -1.00%

Function 00406800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00406800(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, signed int __ebp, void* __r8, void* __r9, long long _a32, long long _a56, long long _a64, long long _a72, char _a88, signed long long _a96, char _a104, char _a112, char _a120, void* _a128, long long _a136, long long _a144, long long _a152, signed long long _a160) {
				void* _t72;
				intOrPtr _t73;
				void* _t85;
				intOrPtr _t86;
				void* _t88;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t99;
				signed int _t100;
				signed long long _t104;
				signed long long _t107;
				void* _t109;
				signed long long _t121;
				void* _t129;
				char* _t137;
				intOrPtr _t141;
				void* _t151;
				void* _t153;
				void* _t160;
				void* _t169;
				signed long long _t171;
				long long _t172;
				long long _t173;
				intOrPtr _t174;
				void* _t175;
				void* _t177;
				long long _t180;

				_t169 = __r9;
				_t160 = __r8;
				_t100 = __ebp;
				_t104 =  *0x4201b0; // 0x424188
				_t137 =  &_a128;
				r8d = 0xa;
				_a72 =  *_t104;
				L00409168();
				r14d = __eax;
				if(__eax == 0xffffffff) {
					L9:
					_t99 = 0xffffffff;
					E004024D0(L"Number of threads must be a non-negative integer!", _t137, _t160, _t169);
					L6:
					free();
					return _t99;
				} else {
					__rax = _a128;
					if( *__rax != 0) {
						goto L9;
					}
					__rcx = _a72;
					if(__rcx != __rax) {
						goto L1;
					}
					goto L9;
				}
				L1:
				_a32 = 0;
				_t170 = 0x41d9a0;
				_t88 = __ebx;
				_t161 = 0x41717e;
				_t72 = E00408FE0();
				if(_t72 == 0xffffffff) {
					_t104 =  *0x4201c0; // 0x416038
					_t85 = __ebx - __edx;
					_t172 = _t151 +  *_t104 * 8;
					_t73 = _t109 - 1;
					if(_t73 > 1) {
						L5:
						_t99 = 0xffffffff;
						 *0x416040();
						E00403630(0xb, _t104, _t104, _t161, _t170, _t175, _t177);
						goto L6;
					}
					_t153 =  *_t172;
					_t161 =  &_a88;
					_a32 = 0;
					_t170 = 0x401890;
					_a72 = _t172;
					L004090A8();
					_t99 = _t73;
					if(_t73 != 0) {
						goto L6;
					}
					_t173 = _a72;
					if(_t85 == 2) {
						_t141 =  *((intOrPtr*)(_t173 + 8));
						_a64 = _t173;
						L00409068();
						_t174 = _a64;
						_t86 = _t73;
						if(_t73 == 0) {
							_t73 = E00403BB0( *((intOrPtr*)(_t174 + 8)), _t153, 0x401890);
							_t99 = _t73;
							if(_t73 == 0) {
								L15:
								_t155 = _a120;
								if(_a120 == 0) {
									if(_a56 == 0) {
										_t91 = 0;
										L00409158();
										if(_t73 != 0) {
											__imp___putws();
											_t91 = 1;
											 *0x416040();
											E0040A630(0x4240a0, L"wim%ls", L"update", _t170);
											E00401650(0x4240a0, _t170);
										}
										E00403260(_t104,  &_a128);
										_t121 = _t104;
										if(_t104 == 0) {
											_a96 = 0;
											_t99 = 0xffffffff;
											L29:
											L00409108();
											goto L6;
										}
										E004023F0(_t104, _t121, _a128,  &_a104);
										_a96 = _t104;
										if(_t104 == 0) {
											_t99 = 0xffffffff;
											goto L29;
										}
										_t73 = E00402780(_t86, _t91, _t104,  &_a96, _a104,  &_a112);
										_t155 = _t104;
										if(_t104 != 0) {
											L17:
											_t171 = _a112;
											if(_t171 == 0) {
												L24:
												_a32 = 1;
												L00409018();
												_t99 = _t73;
												if(_t73 != 0) {
													L27:
													free();
													L28:
													free();
													goto L29;
												}
												if(_a56 != 0) {
													L32:
													r9d = 1;
													_a32 = 1;
													_a128 = 0;
													_a136 = _a56;
													_a144 = L"/Windows/System32/WimBootCompress.ini";
													_a152 = 0;
													_a160 = 0;
													L00409018();
													_t99 = _t73;
													if(_t73 == 0) {
														goto L26;
													}
													goto L27;
												}
												L26:
												r8d = r14d;
												L004090A0();
												_t99 = _t73;
												goto L27;
											}
											_t107 = _t155;
											_t129 = _t155 + (_t171 + _t171 * 4) * 8;
											while(1) {
												L22:
												_t97 =  *_t107;
												if(_t97 == 0) {
													break;
												}
												if(_t97 == 1) {
													 *(_t107 + 0x10) =  *(_t107 + 0x10) | r13d;
												}
												_t107 = _t107 + 0x28;
												if(_t107 == _t129) {
													goto L24;
												} else {
													continue;
												}
											}
											 *(_t107 + 0x20) =  *(_t107 + 0x20) | _t100;
											_t107 = _t107 + 0x28;
											 *((long long*)(_t107 - 0x10)) = _t180;
											if(_t107 != _t129) {
												goto L22;
											}
											goto L24;
										}
										L41:
										_t99 = 0xffffffff;
										goto L28;
									}
									_a32 = 1;
									r9d = 0;
									r8d = 0;
									_a96 = 0;
									_a112 = 0;
									L00409018();
									_t99 = _t73;
									if(_t73 != 0) {
										goto L27;
									}
									goto L32;
								}
								_a96 = 0;
								L00409180();
								_t73 = E00402780(_t86, _t88, _t104,  &_a120, _t104,  &_a112);
								_t155 = _t104;
								if(_t104 == 0) {
									goto L41;
								}
								goto L17;
							}
							goto L29;
						}
						if(_t73 != 0xffffffff) {
							goto L15;
						}
						_t99 = 0x12;
						E004024D0(L"Cannot specify all images for this action!", _t141,  &_a88, 0x401890);
						goto L29;
					}
					L004090E0();
					r8d = _a144;
					if(r8d != 1) {
						E004024D0(L"\"%ls\" contains %d images; Please select one.", _t153,  &_a88, 0x401890);
						L00409108();
						goto L5;
					}
					_t86 = 1;
					goto L15;
				}
				if(_t72 - 3 > 0x39) {
					goto L5;
				}
				_t104 =  *((intOrPtr*)(_t153 + _t104 * 4)) + _t153;
				goto __rax;
			}

0x00406800
0x00406800
0x00406800
0x00406800
0x00406807
0x0040680f
0x00406818
0x0040681d
0x00406822
0x00406828
0x00406846
0x0040684d
0x00406852
0x004067a5
0x004067aa
0x004067c4
0x0040682a
0x0040682a
0x00406836
0x00000000
0x00000000
0x00406838
0x00406840
0x00000000
0x00000000
0x00000000
0x00406840
0x00406730
0x00406730
0x00406739
0x00406743
0x00406745
0x0040674c
0x00406754
0x00406940
0x0040694a
0x0040694c
0x00406950
0x00406956
0x00406788
0x0040678d
0x00406792
0x004067a0
0x00000000
0x004067a0
0x0040695c
0x00406963
0x00406968
0x00406971
0x00406978
0x00406980
0x00406985
0x00406989
0x00000000
0x00000000
0x00406997
0x0040699c
0x00406b52
0x00406b56
0x00406b5b
0x00406b60
0x00406b67
0x00406b69
0x00406c19
0x00406c1e
0x00406c22
0x004069c6
0x004069c6
0x004069ce
0x00406aa6
0x00406ba4
0x00406ba6
0x00406bad
0x00406c34
0x00406c3a
0x00406c3f
0x00406c5d
0x00406c73
0x00406c73
0x00406bb7
0x00406bbc
0x00406bc2
0x00406c7d
0x00406c86
0x00406a91
0x00406a96
0x00000000
0x00406a96
0x00406bd5
0x00406bda
0x00406be2
0x00406c90
0x00000000
0x00406c90
0x00406bf7
0x00406bfc
0x00406c02
0x00406a03
0x00406a03
0x00406a0b
0x00406a48
0x00406a48
0x00406a5a
0x00406a5f
0x00406a63
0x00406a7f
0x00406a82
0x00406a87
0x00406a8c
0x00000000
0x00406a8c
0x00406a70
0x00406ae3
0x00406ae8
0x00406af0
0x00406b00
0x00406b0b
0x00406b1a
0x00406b22
0x00406b2e
0x00406b39
0x00406b43
0x00406b47
0x00000000
0x00000000
0x00000000
0x00406b4d
0x00406a72
0x00406a72
0x00406a78
0x00406a7d
0x00000000
0x00406a7d
0x00406a11
0x00406a14
0x00406a32
0x00406a32
0x00406a32
0x00406a36
0x00000000
0x00000000
0x00406a23
0x00406a25
0x00406a25
0x00406a29
0x00406a30
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a30
0x00406a38
0x00406a3b
0x00406a3f
0x00406a46
0x00000000
0x00000000
0x00000000
0x00406a46
0x00406c08
0x00406c08
0x00000000
0x00406c08
0x00406aac
0x00406ab4
0x00406ab7
0x00406abc
0x00406aca
0x00406ad3
0x00406add
0x00406ae1
0x00000000
0x00000000
0x00000000
0x00406ae1
0x004069d4
0x004069e0
0x004069f2
0x004069f7
0x004069fd
0x00000000
0x00000000
0x00000000
0x004069fd
0x00000000
0x00406c28
0x00406b72
0x00000000
0x00000000
0x00406b7f
0x00406b84
0x00000000
0x00406b84
0x004069aa
0x004069af
0x004069bb
0x00406775
0x0040677f
0x00000000
0x0040677f
0x004069c1
0x00000000
0x004069c1
0x00406760
0x00000000
0x00000000
0x00406766
0x00406769

APIs

free.MSVCRT ref: 004067AA
wcstoul.MSVCRT ref: 0040681D

Strings

Number of threads must be a non-negative integer!, xrefs: 00406846

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: freewcstoul
String ID: Number of threads must be a non-negative integer!
API String ID: 132300894-3844074275
Opcode ID: 8dad26491f9d99fe455c766087c5536372d54d872731eb5379bc934a12d2289f
Instruction ID: 74f70e1efe0a0e39690f64d44262212058fe371f09b4d12ba41b8844f4237b2a
Opcode Fuzzy Hash: 8dad26491f9d99fe455c766087c5536372d54d872731eb5379bc934a12d2289f
Instruction Fuzzy Hash: 27018463305A4441EA21DB29E9403AD6364F7857B8F954227DE6E577E4DF3CC8D6C304

Uniqueness

Uniqueness Score: -1.00%

Function 004052B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E004052B0(void* __ebx, void* __edi, void* __esi, signed long long __rax, void* __r14) {
				void* _t126;
				signed int _t127;
				signed int _t133;
				signed char _t149;
				signed char _t150;
				signed int _t151;
				void* _t165;
				signed int _t166;
				signed short _t167;
				signed int _t193;
				signed int* _t198;
				signed long long _t199;
				void* _t203;
				void* _t205;
				signed int _t252;
				void* _t274;
				char* _t278;
				void* _t309;
				intOrPtr _t311;
				void* _t312;
				void* _t313;
				intOrPtr* _t315;
				long long* _t316;
				signed int* _t317;
				signed int* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t329;
				void* _t334;
				signed int* _t337;
				void* _t338;

				_t197 = __rax;
				L004091A0();
				if(__rax == 0) {
					r15d = 0xffffffff;
					E004024D0(L"\'--image-property\' argument must be in the form NAME=VALUE", _t274, _t322, _t329);
					goto L5;
				} else {
					__rdx =  *__r14;
					__rcx = __rbp - 0x20;
					__eax = E00402550(__esi, __rax, __rcx, __rdx);
					__eflags = __eax;
					if(__eax == 0) {
						goto L1;
					} else {
						r15d = __eax;
						L5:
						free();
						return r15d;
					}
				}
				L1:
				 *((long long*)(_t320 + 0x20)) = 0;
				_t126 = E00408FE0();
				if(_t126 == 0xffffffff) {
					_t198 =  *0x4201c0; // 0x416038
					_t197 =  *_t198;
					_t165 = __ebx - _t126;
					_t315 = _t313 +  *_t198 * 8;
					_t127 = _t203 - 1;
					__eflags = _t127 - 3;
					if(_t127 > 3) {
						L4:
						r15d = 0xffffffff;
						 *0x416040();
						E00403630(7, _t197, _t197, 0x41717e, 0x41e020, _t334, _t338);
						goto L5;
					}
					_t311 =  *_t315;
					__eflags = _t165 - 1;
					if(_t165 == 1) {
						_t199 = L"all";
						 *(_t318 - 0x48) = _t199;
						L15:
						 *((long long*)(_t320 + 0x20)) = 0;
						_t25 = _t318 - 0x28; // -39
						_t324 = _t25;
						L004090A8();
						r15d = _t127;
						__eflags = _t127;
						if(_t127 != 0) {
							goto L5;
						}
						_t28 = _t318 - 0x10; // -15
						_t205 = _t28;
						L004090E0();
						_t278 =  *(_t318 - 0x48);
						L00409068();
						r14d = _t127;
						__eflags = _t127;
						if(_t127 == 0) {
							_t278 = "0";
							L00409198();
							__eflags = _t127;
							if(_t127 != 0) {
								_t279 = _t311;
								E00403BB0( *(_t318 - 0x48), _t311, 0x401890);
								__eflags =  *((char*)(_t318 - 0x3b));
								if( *((char*)(_t318 - 0x3b)) != 0) {
									E004024D0(L"If you would like to set the boot index to 0, specify image \"0\" with the --boot flag.", _t279, _t324, 0x401890);
								}
								r15d = 0x12;
								L20:
								L00409108();
								goto L5;
							}
							__eflags =  *((char*)(_t318 - 0x3b));
							if( *((char*)(_t318 - 0x3b)) != 0) {
								L18:
								r10d =  *_t318;
								__eflags = r10d;
								if(r10d != 0) {
									L22:
									__eflags = r14d - 0xffffffff;
									if(r14d == 0xffffffff) {
										__eflags =  *_t318 - 1;
										if( *_t318 <= 1) {
											__eflags =  *(_t318 - 0x18);
											if( *(_t318 - 0x18) == 0) {
												__eflags =  *((char*)(_t318 - 0x3b));
												if( *((char*)(_t318 - 0x3b)) == 0) {
													L26:
													__eflags = r14d - 0xffffffff;
													if(r14d != 0xffffffff) {
														L39:
														__eflags =  *((char*)(_t318 - 0x3c));
														if( *((char*)(_t318 - 0x3c)) != 0) {
															L00409090();
														}
														__eflags =  *((char*)(_t318 - 0x39));
														if( *((char*)(_t318 - 0x39)) != 0) {
															_t167 = _t318[4] & 0x0000ffff;
															__eflags = _t167 - 1;
															if(_t167 != 1) {
																 *0x416040();
																r9d = _t167 & 0x0000ffff;
																r8d = _t318[4] & 0x0000ffff;
																_t127 = E00401650(_t324, 0x401890);
															}
															r9d = 0;
															_t324 = 0x403460;
															__eflags = 0;
															L004090B8();
														}
														__eflags =  *((char*)(_t318 - 0x3a));
														if( *((char*)(_t318 - 0x3a)) != 0) {
															_t127 =  *0x416040();
															L00409110();
															__eflags = _t127;
															if(_t127 == 0) {
																goto L45;
															}
															r15d = _t127;
															goto L20;
														} else {
															L45:
															__eflags =  *((long long*)(_t318 - 0x38));
															if( *((long long*)(_t318 - 0x38)) == 0) {
																L49:
																__eflags = r13b;
																if(r13b != 0) {
																	L00409098();
																}
																goto L20;
															}
															__imp___wfopen();
															__eflags = _t199;
															if(__eflags == 0) {
																r15d = 0xffffffff;
																E004031C0(__eflags, _t199, L"Failed to open the file \"%ls\" for writing",  *((intOrPtr*)(_t318 - 0x38)), _t324, 0x401890);
																goto L20;
															}
															L00409110();
															_t166 = _t127;
															_t133 = fclose(??);
															__eflags = _t133;
															if(_t133 != 0) {
																r15d = 0xffffffff;
																E004024D0(L"Failed to close the file \"%ls\"",  *((intOrPtr*)(_t318 - 0x38)), _t324, 0x401890);
																goto L20;
															}
															__eflags = _t166;
															if(_t166 != 0) {
																r15d = _t166;
																goto L20;
															}
															goto L49;
														}
													}
													__eflags = r13b;
													if(r13b == 0) {
														goto L39;
													}
													_t316 = __imp___putws;
													 *_t316();
													 *_t316();
													_t286 = _t311;
													_t312 = _t205;
													E004023A0(_t199, L"Path:           %ls\n", _t311, _t324, 0x401890);
													_t317 = _t318;
													E004023A0(_t199, L"GUID:           0x", _t311, _t324, 0x401890);
													do {
														_t312 = _t312 + 1;
														E004023A0(_t199, L"%02hhx", _t286, _t324, 0x401890);
														__eflags = _t312 - _t317;
													} while (_t312 != _t317);
													_t36 =  &(_t318[0x14]); // 0x51
													_t337 = _t36;
													 *0x416040();
													L004091F8();
													E004023A0(_t199, L"Version:        %u\n", _t199, _t324, 0x401890);
													E004023A0(_t199, L"Image Count:    %d\n", _t199, _t324, 0x401890);
													L00409100();
													E004023A0(_t199, L"Compression:    %ls\n", _t199, _t324, 0x401890);
													E004023A0(_t199, L"Chunk Size:     %u bytes\n", _t199, _t324, 0x401890);
													r8d = _t318[4] & 0x0000ffff;
													E004023A0(_t199, L"Part Number:    %d/%d\n", _t199, _t324, 0x401890);
													E004023A0(_t199, L"Boot Index:     %d\n", _t199, _t324, 0x401890);
													E004023A0(_t199, L"Size:           %llu bytes\n", _t318[6], _t324, 0x401890);
													r8d = 0;
													_t318[0x14] = r8w;
													__eflags = _t318[8] & 0x00000002;
													if((_t318[8] & 0x00000002) != 0) {
														L004091A8();
													}
													_t149 = _t318[8] & 0x000000ff;
													__eflags = _t149 & 0x00000001;
													if((_t149 & 0x00000001) != 0) {
														L004091A8();
														_t149 = _t318[8] & 0x000000ff;
													}
													__eflags = _t149 & 0x00000008;
													if((_t149 & 0x00000008) != 0) {
														L004091A8();
													}
													__eflags = _t318[8] & 0x00000001;
													if((_t318[8] & 0x00000001) != 0) {
														L004091A8();
													}
													_t150 = _t318[8] & 0x000000ff;
													__eflags = _t150;
													if(_t150 < 0) {
														L004091A8();
														_t150 = _t318[8] & 0x000000ff;
													}
													__eflags = _t150 & 0x00000010;
													if((_t150 & 0x00000010) != 0) {
														L004091A8();
													}
													L004091A0();
													_t59 =  &(_t318[0x15]); // 0x55
													__eflags = _t199 - _t59;
													if(_t199 >= _t59) {
														__eflags =  *((short*)(_t199 - 2)) - 0x20;
														if( *((short*)(_t199 - 2)) == 0x20) {
															__eflags =  *((short*)(_t199 - 4)) - 0x2c;
															if( *((short*)(_t199 - 4)) == 0x2c) {
																 *((short*)(_t199 - 4)) = 0;
															}
														}
													}
													_t127 = E004023A0(_t199, L"Attributes:     %ls\n\n", _t337, _t324, 0x401890);
													goto L39;
												}
												_t193 = 1;
												r14d = 1;
												L61:
												_t252 =  *0x424178;
												__eflags = _t193 - _t318[1];
												if(_t193 == _t318[1]) {
													__eflags = _t252;
													if(_t252 != 0) {
														r8d = r14d;
														E00401650(_t324, 0x401890);
													}
													L69:
													_t89 = _t318 - 0x20; // -31
													_t90 =  &(_t318[0x14]); // 0x51
													_t332 = _t90;
													r8d = r14d;
													_t151 = E004030A0(_t199, _t89,  *((intOrPtr*)(_t318 - 0x28)), _t90);
													r15d = _t151;
													__eflags = _t151;
													if(_t151 != 0) {
														L59:
														goto L20;
													}
													__eflags = _t318[0x14];
													if(_t318[0x14] != 0) {
														L66:
														r8d = 1;
														L004090A0();
														r15d = _t151;
														goto L59;
													}
													__eflags = r12b & 0x00000001;
													if((r12b & 0x00000001) == 0) {
														__eflags = r12b & 0x00000002;
														if((r12b & 0x00000002) == 0) {
															L74:
															__eflags =  *0x424178;
															if( *0x424178 != 0) {
																E00401650(_t311, _t332);
															}
															goto L59;
														}
														__eflags = _t318[8] & 0x00000001;
														if((_t318[8] & 0x00000001) == 0) {
															goto L74;
														}
														goto L66;
													}
													__eflags = _t318[8] & 0x00000001;
													if((_t318[8] & 0x00000001) == 0) {
														goto L66;
													}
													__eflags = r12b & 0x00000002;
													if((r12b & 0x00000002) != 0) {
														goto L66;
													}
													goto L74;
												}
												__eflags = _t252;
												if(_t252 != 0) {
													r8d = r14d;
													_t127 = E00401650(_t324, 0x401890);
												}
												r8d = 4;
												_t318[1] = _t193;
												L00409028();
												r15d = _t127;
												__eflags = _t127;
												if(_t127 != 0) {
													goto L59;
												} else {
													_t84 = _t318 - 0x20; // -31
													_t85 =  &(_t318[0x14]); // 0x51
													r8d = r14d;
													_t151 = E004030A0(_t199, _t84,  *((intOrPtr*)(_t318 - 0x28)), _t85);
													r15d = _t151;
													__eflags = _t151;
													if(_t151 != 0) {
														goto L59;
													}
													goto L66;
												}
											}
											r14d = 1;
											L68:
											__eflags =  *((char*)(_t318 - 0x3b));
											if( *((char*)(_t318 - 0x3b)) != 0) {
												L60:
												_t193 = r14d;
												goto L61;
											}
											goto L69;
										}
										__eflags =  *((char*)(_t318 - 0x3b));
										if( *((char*)(_t318 - 0x3b)) != 0) {
											r15d = 0x12;
											E004024D0(L"Cannot specify the --boot flag without specifying a specific image in a multi-image WIM", _t278, _t324, 0x401890);
											goto L20;
										}
										r9d =  *(_t318 - 0x18);
										__eflags = r9d;
										if(r9d == 0) {
											goto L26;
										}
										r15d = 0x12;
										E004024D0(L"Can\'t change image properties without specifying a specific image in a multi-image WIM", _t278, _t324, 0x401890);
										goto L20;
									}
									__eflags =  *(_t318 - 0x18);
									if( *(_t318 - 0x18) != 0) {
										__eflags = r14d;
										if(r14d == 0) {
											L58:
											r15d = 0xffffffff;
											E004024D0(L"Cannot change image properties when using image 0", _t278, _t324, 0x401890);
											goto L59;
										}
										goto L68;
									}
									__eflags =  *((char*)(_t318 - 0x3b));
									if( *((char*)(_t318 - 0x3b)) != 0) {
										goto L60;
									}
									__eflags = r14d;
									if(r14d == 0) {
										L92:
										r15d = 0x12;
										E004024D0(L"\"%ls\" is not a valid image in \"%ls\"",  *(_t318 - 0x48), _t311, 0x401890);
										goto L20;
									}
									goto L26;
								}
								r15d = 0x12;
								E004024D0(L"--boot is meaningless on a WIM with no images", _t278, _t324, 0x401890);
								goto L20;
							}
							__eflags =  *(_t318 - 0x18);
							if( *(_t318 - 0x18) == 0) {
								goto L92;
							}
							goto L58;
						}
						__eflags =  *((char*)(_t318 - 0x3b));
						if( *((char*)(_t318 - 0x3b)) == 0) {
							goto L22;
						}
						goto L18;
					}
					_t199 =  *((intOrPtr*)(_t315 + 8));
					 *(_t318 - 0x48) = _t199;
					__eflags = _t165 - 2;
					if(_t165 == 2) {
						goto L15;
					}
					L00409180();
					_t199 = _t199 + _t199 + 0x0000001b & 0xfffffff0;
					E0040A470(_t127);
					_t320 = _t320 - _t199;
					_t16 = _t318 - 0x20; // -31
					_t342 = _t16;
					E0040A630(_t320 + 0x30, L"NAME=%ls",  *((intOrPtr*)(_t315 + 0x10)), 0x41e020);
					_t127 = E00402550(__esi, _t199, _t16, _t320 + 0x30);
					r15d = _t127;
					__eflags = _t127;
					if(_t127 != 0) {
						goto L5;
					}
					__eflags = _t165 - 4;
					if(_t165 != 4) {
						goto L15;
					}
					L00409180();
					_t199 = _t199 + _t199 + 0x00000029 & 0xfffffff0;
					E0040A470(_t127);
					_t320 = _t320 - _t199;
					E0040A630(_t320 + 0x30, L"DESCRIPTION=%ls",  *((intOrPtr*)(_t315 + 0x18)), 0x41e020);
					_t127 = E00402550(__esi, _t199, _t342, _t320 + 0x30);
					r15d = _t127;
					__eflags = _t127;
					if(_t127 != 0) {
						goto L5;
					} else {
						asm("o16 nop [eax+eax]");
						goto L15;
					}
				} else {
					if(_t126 > 0x3e) {
						goto L4;
					} else {
						_t197 =  *((intOrPtr*)(_t309 + _t197 * 4)) + _t309;
						goto __rax;
					}
				}
			}

0x004052b0
0x004052b8
0x004052c0
0x00405989
0x0040598f
0x00000000
0x004052c6
0x004052c6
0x004052c9
0x004052cd
0x004052d2
0x004052d4
0x00000000
0x004052da
0x004052da
0x0040527e
0x00405282
0x0040529d
0x0040529d
0x004052d4
0x00405220
0x00405220
0x0040523c
0x00405244
0x00405320
0x00405327
0x0040532a
0x0040532c
0x00405330
0x00405333
0x00405336
0x00405260
0x00405265
0x0040526b
0x00405279
0x00000000
0x00405279
0x0040533c
0x0040533f
0x00405342
0x004054a0
0x004054a7
0x004053f8
0x004053f8
0x00405404
0x00405404
0x00405412
0x00405417
0x0040541a
0x0040541c
0x00000000
0x00000000
0x00405426
0x00405426
0x0040542d
0x00405432
0x0040543a
0x0040543f
0x00405442
0x00405444
0x00405754
0x0040575b
0x00405760
0x00405762
0x004058af
0x004058b2
0x004058b7
0x004058bb
0x004059a0
0x004059a0
0x004058c5
0x00405470
0x00405470
0x00000000
0x00405470
0x00405768
0x0040576c
0x00405450
0x00405450
0x00405454
0x00405457
0x004054b0
0x004054b0
0x004054b4
0x0040570f
0x00405713
0x00405898
0x0040589a
0x00405946
0x0040594a
0x004054d8
0x004054d8
0x004054dc
0x00405645
0x00405645
0x00405649
0x004058dd
0x004058dd
0x0040564f
0x00405653
0x00405655
0x00405659
0x0040565d
0x00405668
0x0040566e
0x0040567c
0x0040567f
0x0040567f
0x00405688
0x0040568b
0x00405692
0x00405694
0x00405694
0x00405699
0x0040569d
0x00405905
0x00405912
0x00405917
0x00405919
0x00000000
0x00000000
0x00405923
0x00000000
0x004056a3
0x004056a3
0x004056a3
0x004056a8
0x004056f5
0x004056f5
0x004056f8
0x00405701
0x00405706
0x00000000
0x004056f8
0x004056b9
0x004056c2
0x004056c5
0x004059dc
0x004059e2
0x00000000
0x004059e7
0x004056d2
0x004056da
0x004056dc
0x004056e1
0x004056e3
0x004059bd
0x004059c3
0x00000000
0x004059c8
0x004056ed
0x004056ef
0x004059aa
0x00000000
0x004059aa
0x00000000
0x004056ef
0x0040569d
0x004054e2
0x004054e5
0x00000000
0x00000000
0x004054eb
0x004054f9
0x00405502
0x00405504
0x0040550e
0x00405511
0x0040551d
0x00405527
0x0040552c
0x0040552f
0x00405536
0x0040553b
0x0040553b
0x00405545
0x00405545
0x00405549
0x00405557
0x00405566
0x00405575
0x0040557d
0x0040558c
0x0040559b
0x004055a0
0x004055b0
0x004055bf
0x004055cf
0x004055d4
0x004055d7
0x004055dc
0x004055e0
0x00405a26
0x00405a26
0x004055e6
0x004055ea
0x004055ec
0x00405a0e
0x00405a13
0x00405a13
0x004055f2
0x004055f4
0x004059fa
0x004059fa
0x004055fa
0x004055fe
0x00405a52
0x00405a52
0x00405604
0x00405608
0x0040560a
0x00405a3a
0x00405a3f
0x00405a3f
0x00405610
0x00405612
0x00405a66
0x00405a66
0x0040561d
0x00405622
0x00405626
0x00405629
0x0040562b
0x00405630
0x00405a70
0x00405a75
0x00405a7b
0x00405a7b
0x00405a75
0x00405630
0x00405640
0x00000000
0x00405640
0x00405950
0x00405955
0x0040579b
0x0040579b
0x004057a2
0x004057a5
0x0040587f
0x00405882
0x00405884
0x0040588e
0x0040588e
0x00405820
0x00405824
0x00405828
0x00405828
0x0040582c
0x0040582f
0x00405834
0x00405837
0x00405839
0x0040578f
0x00000000
0x0040578f
0x0040583f
0x00405843
0x004057f6
0x004057fa
0x00405803
0x00405808
0x00000000
0x00405808
0x00405845
0x00405849
0x004058e7
0x004058eb
0x0040585b
0x00405862
0x00405865
0x00405875
0x00405875
0x00000000
0x00405865
0x004058f1
0x004058f5
0x00000000
0x00000000
0x00000000
0x004058fb
0x0040584f
0x00405853
0x00000000
0x00000000
0x00405855
0x00405859
0x00000000
0x00000000
0x00000000
0x00405859
0x004057ab
0x004057ae
0x004057b0
0x004057ba
0x004057ba
0x004057c3
0x004057cc
0x004057cf
0x004057d4
0x004057d7
0x004057d9
0x00000000
0x004057db
0x004057df
0x004057e3
0x004057e7
0x004057ea
0x004057ef
0x004057f2
0x004057f4
0x00000000
0x00000000
0x00000000
0x004057f4
0x004057d9
0x004058a0
0x00405816
0x00405816
0x0040581a
0x00405798
0x00405798
0x00000000
0x00405798
0x00000000
0x0040581a
0x00405719
0x0040571d
0x00405932
0x00405938
0x00000000
0x0040593d
0x00405723
0x00405727
0x0040572a
0x00000000
0x00000000
0x00405737
0x0040573d
0x00000000
0x00405742
0x004054bd
0x004054bf
0x0040580d
0x00405810
0x0040577d
0x00405784
0x0040578a
0x00000000
0x0040578a
0x00000000
0x00405810
0x004054c5
0x004054c9
0x00000000
0x00000000
0x004054cf
0x004054d2
0x00405960
0x0040596e
0x00405974
0x00000000
0x00405979
0x00000000
0x004054d2
0x00405460
0x00405466
0x00000000
0x0040546b
0x00405775
0x00405777
0x00000000
0x00000000
0x00000000
0x00405777
0x0040544a
0x0040544e
0x00000000
0x00000000
0x00000000
0x0040544e
0x00405348
0x0040534c
0x00405350
0x00405353
0x00000000
0x00000000
0x0040535d
0x00405367
0x0040536b
0x0040537b
0x0040537e
0x0040537e
0x0040538a
0x00405395
0x0040539a
0x0040539d
0x0040539f
0x00000000
0x00000000
0x004053a5
0x004053a8
0x00000000
0x00000000
0x004053ae
0x004053b8
0x004053bc
0x004053cc
0x004053d7
0x004053e2
0x004053e7
0x004053ea
0x004053ec
0x00000000
0x004053f2
0x004053f2
0x00000000
0x004053f2
0x0040524a
0x0040524d
0x00000000
0x00405251
0x00405255
0x00405258
0x00405258
0x0040524d

APIs

free.MSVCRT ref: 00405282
wcschr.MSVCRT ref: 004052B8

Strings

'--image-property' argument must be in the form NAME=VALUE, xrefs: 00405982

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: freewcschr
String ID: '--image-property' argument must be in the form NAME=VALUE
API String ID: 1210221023-4034809873
Opcode ID: 14dbbb981616571a350a80babb3ccf8200a55c41fd3bc28b9e10605d77ee15fd
Instruction ID: 0633e450003343f249e1e83d0d6b7fc98bf02fd46d36629974300171c84c2fdf
Opcode Fuzzy Hash: 14dbbb981616571a350a80babb3ccf8200a55c41fd3bc28b9e10605d77ee15fd
Instruction Fuzzy Hash: 61012172300D0194EA11D775A94539A2350FB487A8F8406379E1DA67D4EE7CC986C719

Uniqueness

Uniqueness Score: -1.00%

Function 00401F60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00401F60(void* __ecx, void* __r12) {
				intOrPtr _t14;
				void* _t21;

				if( *((intOrPtr*)(__r12 + 0x10)) == 1) {
					if( *0x424178 == 0) {
						goto L4;
					}
					E00401650( *((intOrPtr*)(__r12 + 8)), _t21);
					_t14 =  *0x424178;
					goto L2;
				} else {
					if(__eax == 2) {
						__rcx =  *0x424178;
						if( *0x424178 == 0) {
							goto L4;
						}
						__r8 =  *((intOrPtr*)(__r12 + 8));
						__eax = E00401650( *((intOrPtr*)(__r12 + 8)), __r9);
						__rcx =  *0x424178;
						goto L2;
					} else {
						if(__eax != 0) {
							_t14 =  *0x424178;
						} else {
							__rcx = __r12;
							__edx = 0;
							__eax = E00401680(__ecx, 0, __r12);
							__rcx =  *0x424178;
						}
						L2:
						if(_t14 != 0) {
							fflush();
						}
						L4:
						return 0;
					}
				}
			}

0x00401f68
0x004021ea
0x00000000
0x00000000
0x004021fc
0x00402201
0x00000000
0x00401f6e
0x00401f71
0x00402190
0x0040219a
0x00000000
0x00000000
0x004021a0
0x004021ac
0x004021b1
0x00000000
0x00401f77
0x00401f79
0x00401970
0x00401f7f
0x00401f7f
0x00401f82
0x00401f84
0x00401f89
0x00401f89
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00401981
0x0040198c
0x0040198c
0x00401f71

APIs

fflush.MSVCRT ref: 0040197C

Strings

WARNING: Excluding unsupported file or directory "%ls" from capture, xrefs: 004021A5
Excluding "%ls" from capture, xrefs: 004021F5

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fflush
String ID: Excluding "%ls" from capture$WARNING: Excluding unsupported file or directory "%ls" from capture
API String ID: 497872470-2676024377
Opcode ID: 7432d0de6a80f92b7174b770c95231d9bc1e203650dfe45d13fd90591c0db56f
Instruction ID: 20336014340f0ca1ed26f9e34d22fd7c9b84654a2cca776e5e1969608b828be9
Opcode Fuzzy Hash: 7432d0de6a80f92b7174b770c95231d9bc1e203650dfe45d13fd90591c0db56f
Instruction Fuzzy Hash: DF01FFF130550084EE19DB62D8A9BB62320ABD17C4F890477EE0AA66B0CF3CC8C1D34C

Uniqueness

Uniqueness Score: -1.00%

Function 00409670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004096F0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004096D7
Unknown error, xrefs: 0040975C

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: b7580efc999c12ae6c52d18cf91d16191a256256735d331d18fe5e48523d3fd2
Instruction ID: 1a5c30fc7afacaadb550e3258ade1a5ee3848ae5b43a4c0a026b9338ad7cf452
Opcode Fuzzy Hash: b7580efc999c12ae6c52d18cf91d16191a256256735d331d18fe5e48523d3fd2
Instruction Fuzzy Hash: FD018472504E88C2D6068F1CE8013EA7374FF9979AF245316EF8826264DB39C593C704

Uniqueness

Uniqueness Score: -1.00%

Function 00401FC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00401FC0(intOrPtr* __r12) {
				intOrPtr _t12;
				void* _t20;

				_t13 =  *__r12;
				_t12 =  *0x424178;
				if( *((intOrPtr*)( *__r12)) == 1) {
					if(_t12 == 0) {
						goto L3;
					}
					E00401650( *((intOrPtr*)(_t13 + 8)), _t20);
					_t12 =  *0x424178;
				} else {
					if(__eax != 2) {
						goto L1;
					}
					if(__rcx == 0) {
						L3:
						return 0;
					}
					__r9 =  *((intOrPtr*)(__rdx + 0x10));
					__r8 =  *((intOrPtr*)(__rdx + 8));
					__rdx = L"Renamed WIM path \"%ls\" => \"%ls\"\n";
					__eax = E00401650(__r8, __r9);
					__rcx =  *0x424178;
				}
				L1:
				if(_t12 != 0) {
					fflush();
				}
				goto L3;
			}

0x00401fc0
0x00401fc4
0x00401fd0
0x0040216b
0x00000000
0x00000000
0x0040217c
0x00402181
0x00401fd6
0x00401fd9
0x00000000
0x00000000
0x00401fe2
0x00401981
0x0040198c
0x0040198c
0x00401fe8
0x00401fec
0x00401ff0
0x00401ff7
0x00401ffc
0x00401ffc
0x00401977
0x0040197a
0x0040197c
0x0040197c
0x00000000

APIs

fflush.MSVCRT ref: 0040197C

Strings

Deleted WIM path "%ls", xrefs: 00402175
Renamed WIM path "%ls" => "%ls", xrefs: 00401FF0

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fflush
String ID: Deleted WIM path "%ls"$Renamed WIM path "%ls" => "%ls"
API String ID: 497872470-426739877
Opcode ID: 100278284b0586cf47abcd3162fde09daefbeed84c3d13495997b12ecd1e1248
Instruction ID: aee1bc39010e2e034253dfc8855ac4b7af89f1cfa7b0fa5e6bc72db0f317c9ef
Opcode Fuzzy Hash: 100278284b0586cf47abcd3162fde09daefbeed84c3d13495997b12ecd1e1248
Instruction Fuzzy Hash: A1F030F570660184EE19DB95D8697B97320EB91794F844973DE09677B0CB3CC8D2C348

Uniqueness

Uniqueness Score: -1.00%

Function 00409740 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004096F0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004096D7
The result is too small to be represented (UNDERFLOW), xrefs: 00409740

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 4f42ae78522b9adfd06e5f6224eca55d5b63b740a77b715c63cf5e8994fa63d4
Instruction ID: 2b56adfce5a4955e0ff200bf9e209a54d769b0347b05c978e0e86939207d0dbd
Opcode Fuzzy Hash: 4f42ae78522b9adfd06e5f6224eca55d5b63b740a77b715c63cf5e8994fa63d4
Instruction Fuzzy Hash: D1F06262404E8482D2028F1CA4003EB7370FF8D799F255316EF8936124DB29C583C704

Uniqueness

Uniqueness Score: -1.00%

Function 00409750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004096F0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004096D7
Total loss of significance (TLOSS), xrefs: 00409750

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 4ed97901502a43df3565ae674dca60e9214c427c683790a6de3191af6a036574
Instruction ID: 305ca96ece36f20401a3aacd9eb3a82883af0587df52f0bfd82f4ed2412058e2
Opcode Fuzzy Hash: 4ed97901502a43df3565ae674dca60e9214c427c683790a6de3191af6a036574
Instruction Fuzzy Hash: DAF01262504E8482D202DF2DA4003EB7374FF9D799F255316EF8936525DB29C5878704

Uniqueness

Uniqueness Score: -1.00%

Function 00409710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004096F0

Strings

Argument domain error (DOMAIN), xrefs: 00409710
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004096D7

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: ef120d6b24b0c611415dcbb4ade9d88ba25bfeded99b118d11087b207bfee5a8
Instruction ID: d18ca3fb07da6f42c7d7a45ddd02c8d74ecf17cacf86c35729dc7f9b779cc35c
Opcode Fuzzy Hash: ef120d6b24b0c611415dcbb4ade9d88ba25bfeded99b118d11087b207bfee5a8
Instruction Fuzzy Hash: 19F06D62504E8882D2028F2CA4003EBB370FF8E799F29531AEF893A124DB29C5838704

Uniqueness

Uniqueness Score: -1.00%

Function 00409720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004096F0

Strings

Partial loss of significance (PLOSS), xrefs: 00409720
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004096D7

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 45ea01acc59c440a0592831e22a28f640b4c57234a1fb32cdf665f8641da7a35
Instruction ID: 312a80739d5aa63e5e50db4d0a12543d99f24057f7928139b1738915ce2b256f
Opcode Fuzzy Hash: 45ea01acc59c440a0592831e22a28f640b4c57234a1fb32cdf665f8641da7a35
Instruction Fuzzy Hash: 4AF01D62504E8882D2029F2DA4003EBB374FF9E799F29531AEF893A575DB29D5878704

Uniqueness

Uniqueness Score: -1.00%

Function 00409730 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004096F0

Strings

Overflow range error (OVERFLOW), xrefs: 00409730
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004096D7

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 4dfc1c9434079849a0df407a7116bc0ad7a21efea8e3d469cd01d116ad4c418c
Instruction ID: d78f1c32a114f2b3e5e21883bed0a9cf648df70f82a2c2b79fb1d90f3c9e88e2
Opcode Fuzzy Hash: 4dfc1c9434079849a0df407a7116bc0ad7a21efea8e3d469cd01d116ad4c418c
Instruction Fuzzy Hash: D1F01D62514E8882D2029F2DA4003EBB374FF9E799F29531AEF893A565DB29C5878704

Uniqueness

Uniqueness Score: -1.00%

Function 004096A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004096F0

Strings

Argument singularity (SIGN), xrefs: 004096A8
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004096D7

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 26d6939e0f7ea36c4c6f34f601c39c9a8ccddf85add789f11490a540e154c123
Instruction ID: fc4f2b011dd1311329065b1e82ebdd3eca42b071f854411719dccd10150b02b3
Opcode Fuzzy Hash: 26d6939e0f7ea36c4c6f34f601c39c9a8ccddf85add789f11490a540e154c123
Instruction Fuzzy Hash: 0EF01D62504E8882D202DF29A4003ABB364FF9E79AF255316EF892A524DB29C5838704

Uniqueness

Uniqueness Score: -1.00%

Function 00411330 Relevance: 5.1, APIs: 4, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00411330(signed int __edx, void* __edi, void* __esi, void* __ebp, signed int __rax, signed long long __rcx, void* __r10) {
				signed int _t13;
				signed int _t16;
				signed int _t17;
				void* _t24;
				void* _t25;
				void* _t26;
				signed int _t27;
				void* _t32;
				signed long long _t33;
				signed long long _t47;
				signed long long _t49;
				signed long long _t50;
				void* _t52;
				signed long long _t53;
				signed long long _t54;

				_t52 = __r10;
				_t33 = __rax;
				_t26 = __ebp;
				_t25 = __esi;
				_t24 = __edi;
				_t54 = __rcx;
				_t16 = __edx;
				_t13 = __edx & 0x00000003;
				_t27 = _t13;
				if(_t27 != 0) {
					r8d = 0;
					_t13 = E00411060(__edx,  *((intOrPtr*)(0x41fca0 + __rax * 4)), __rax, __rcx, 0x41fca0);
					_t54 = _t33;
					__eflags = _t33;
					if(__eflags != 0) {
						goto L1;
					}
					L23:
					r12d = 0;
					L12:
					return _t13;
				}
				L1:
				_t17 = _t16 >> 2;
				_t53 = _t54;
				if(_t27 == 0) {
					goto L12;
				}
				if( *0x424320 == 0) {
					_t13 = E00410DC0(1);
					_t47 =  *0x424320;
					__eflags = _t47;
					if(_t47 == 0) {
						_t13 = E00410EF0(1, _t25);
						_t47 = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x424320 = 0;
							r12d = 0;
							goto L12;
						}
						_t33 = 0x1;
					}
					__eflags =  *0x424c90 - 2;
					if(__eflags == 0) {
						LeaveCriticalSection();
					}
				}
				_t53 = _t54;
				L7:
				while(1) {
					if((_t17 & 0x00000001) == 0) {
						L4:
						_t17 = _t17 >> 1;
						if(__eflags == 0) {
							goto L12;
						}
						L5:
						__eflags =  *_t47;
						if(__eflags == 0) {
							_t13 = E00410DC0(1);
							_t49 =  *_t47;
							__eflags = _t49;
							if(_t49 == 0) {
								_t13 = E004111D0(_t24, _t26, _t33, _t47, _t47, _t52);
								 *_t47 = _t33;
								_t49 = _t33;
								__eflags = _t33;
								if(_t33 == 0) {
									goto L23;
								}
								 *_t33 = 0;
							}
							__eflags =  *0x424c90 - 2;
							if(__eflags == 0) {
								LeaveCriticalSection();
							}
						}
						_t47 = _t49;
						continue;
					}
					_t13 = E004111D0(_t24, _t26, _t33, _t53, _t47, _t52);
					_t50 = _t33;
					if(_t33 == 0) {
						goto L23;
					}
					if(_t53 == 0) {
						_t53 = _t33;
						goto L4;
					}
					_t32 =  *((intOrPtr*)(_t53 + 8)) - 9;
					if(_t32 <= 0) {
						_t13 = E00410DC0(0);
						_t33 =  *((intOrPtr*)(_t53 + 8));
						__eflags =  *0x424c90 - 2;
						 *(0x424c40 + _t33 * 8) = _t53;
						 *_t53 =  *(0x424c40 + _t33 * 8);
						_t53 = _t50;
						if(__eflags == 0) {
							LeaveCriticalSection();
						}
						goto L4;
					}
					_t53 = _t50;
					free(??);
					_t17 = _t17 >> 1;
					if(_t32 != 0) {
						goto L5;
					}
					goto L12;
				}
			}

0x00411330
0x00411330
0x00411330
0x00411330
0x00411330
0x00411340
0x00411343
0x00411345
0x00411345
0x00411348
0x00411492
0x0041149a
0x0041149f
0x004114a2
0x004114a5
0x00000000
0x00000000
0x004114b0
0x004114b0
0x004113cb
0x004113dc
0x004113dc
0x0041134e
0x0041134e
0x00411351
0x00411354
0x00000000
0x00000000
0x00411360
0x004114bd
0x004114c2
0x004114c9
0x004114cc
0x004114f2
0x004114f7
0x004114fa
0x004114fd
0x0041151d
0x00411528
0x00000000
0x00411528
0x004114ff
0x004114ff
0x004114ce
0x004114d5
0x004114e2
0x004114e2
0x004114d5
0x00411366
0x00000000
0x0041138f
0x00411392
0x00411380
0x00411380
0x00411382
0x00000000
0x00000000
0x00411384
0x00411387
0x0041138a
0x004113e5
0x004113ea
0x004113ed
0x004113f0
0x00411466
0x0041146b
0x0041146e
0x00411471
0x00411474
0x00000000
0x00000000
0x00411476
0x00411476
0x004113f2
0x004113f9
0x00411402
0x00411402
0x004113f9
0x0041138c
0x00000000
0x0041138c
0x0041139a
0x0041139f
0x004113a5
0x00000000
0x00000000
0x004113ae
0x00411450
0x00000000
0x00411450
0x004113b4
0x004113ba
0x00411412
0x00411417
0x0041141c
0x00411428
0x0041142d
0x00411431
0x00411434
0x00411441
0x00411441
0x00000000
0x00411434
0x004113bf
0x004113c2
0x004113c7
0x004113c9
0x00000000
0x00000000
0x00000000
0x004113c9

APIs

free.MSVCRT ref: 004113C2
LeaveCriticalSection.KERNEL32 ref: 004114E2

Memory Dump Source

Source File: 00000001.00000002.642554933.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.642547804.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642574136.0000000000417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642586329.0000000000422000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642593616.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.642616875.0000000000426000.00000008.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_zlogger.jbxd

Similarity

API ID: CriticalLeaveSectionfree
String ID:
API String ID: 1679108487-0
Opcode ID: 31ae993848a131c90640e5cb92f0a77a9547eda6f9260fdc456a57c41ec4dad1
Instruction ID: ab81d3e00906465ce2ebc4eb11a463b070bf3d15a8c8ee94d981df7622594b4a
Opcode Fuzzy Hash: 31ae993848a131c90640e5cb92f0a77a9547eda6f9260fdc456a57c41ec4dad1
Instruction Fuzzy Hash: D641B471342A1481FB25DB16AA453AB6261FB44BD8F89412BEF1907B68DF3C98D2C34C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4a9OE5cKJo.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_4a9OE5cKJo.exe_5d821032eba26e5e17f9a2465f70afed96fa7875_98ba9ed1_17787116\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69D2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B6A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BC8.tmp.xml

C:\Users\Public\Pictures\Picture\libwim-15.dll

C:\Users\Public\Pictures\Picture\zlogger.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\service[1].log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
4a9OE5cKJo.exe

Function 00007FF62A3F0890 Relevance: 92.9, APIs: 24, Strings: 29, Instructions: 151
libraryCOMMON

Function 00007FF62A3EDDF0 Relevance: 45.8, APIs: 19, Strings: 7, Instructions: 288
libraryfilenativeCOMMONCrypto

Function 00007FF62A3EFE20 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 222
windowkeyboardregistryCOMMON

Function 00007FF62A3F3520 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 191
COMMON

Function 00007FF62A3F66C4 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61
libraryloaderCOMMON

Function 00007FF62A412180 Relevance: 13.8, APIs: 9, Instructions: 273
fileCOMMON

Function 00007FF62A408E50 Relevance: 7.7, APIs: 5, Instructions: 203
COMMON

Function 00007FF62A3F6930 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Function 00007FF62A3B3B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
filewindowCOMMON

Function 00007FF62A3B3A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
filewindowCOMMON

Function 00007FF62A3B36B0 Relevance: 4.6, APIs: 3, Instructions: 126
COMMON

Function 00007FF62A3F5888 Relevance: 4.6, APIs: 3, Instructions: 66
COMMON